Re: [SOGo] SSL issues SOGo web access and ActiveSync

[DJ Lucas]

On 06/01/2016 09:21 AM, "[DATABEILLE] Julien PAQUIT" 
(jul...@databeille.com) wrote:

I only have android 4.4 (cyanogenmod) phones, all are showing errors
with built in connector and self generated certs. Happy it works with
newer versions.

As andreas.gebetsroit...@sps.at said, letsencrypt works perfectly.
I personaly use this piece of software to renew my SOGo certs :
https://github.com/lukas2511/letsencrypt.sh
It works like a charm.



FYI, StartCom (www.startssl.com) also offers free certs for 
non-commercial use, up to five hosts for UCC as well, supported in 
default certificate chain in every browser I've seen, lasts a year.


--DJ

--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

["[DATABEILLE] Julien PAQUIT"]

I only have android 4.4 (cyanogenmod) phones, all are showing errors 
with built in connector and self generated certs. Happy it works with 
newer versions.


As andreas.gebetsroit...@sps.at said, letsencrypt works perfectly.
I personaly use this piece of software to renew my SOGo certs :
https://github.com/lukas2511/letsencrypt.sh
It works like a charm.

Cheers,

Julien PAQUIT // +33 (0)7 82 455 855
DATABEILLE, Votre Architecte de Données
www.databeille.com

Le 01/06/2016 11:26, "T.B." (t.b.mailingli...@igeno-fat.de) a écrit :


Am 31.05.2016 um 09:36 schrieb "[DATABEILLE] Julien PAQUIT" 
(jul...@databeille.com):

Please, note that ActiveSync will not work with self-generated certs.


That's at least not completely true:  ActiveSync on Android 5 and 6 
works perfectly with my self-generated certs.


--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

[Andreas Gebetsroither]

You can also get a cert from "lets encrypt". It's official and supported 
by the most browsers and android only Thunderbird don´t know it at the 
moment.


The only thing is you need to renew it every 3 month but there are good 
guides where you can have a look at.


Mit freundlichen Grüßen
Best Regards

*Andreas Gebetsroither*

***SP**S**- Technik GmbH**
*Gewerbepark 7
A-4300 St.Valentin

Tel.: +43 7435 54048 403
Fax: +43 7435 54048 20
Mobil: +43 699 12670530
andreas.gebetsroit...@sps.at 
www.sps.at 

Am 01.06.2016 um 11:26 schrieb "T.B." (t.b.mailingli...@igeno-fat.de):


Am 31.05.2016 um 09:36 schrieb "[DATABEILLE] Julien PAQUIT" 
(jul...@databeille.com):

Please, note that ActiveSync will not work with self-generated certs.


That's at least not completely true:  ActiveSync on Android 5 and 6 
works perfectly with my self-generated certs.


--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

["T.B."]

Am 31.05.2016 um 09:36 schrieb "[DATABEILLE] Julien PAQUIT" 
(jul...@databeille.com):

Please, note that ActiveSync will not work with self-generated certs.


That's at least not completely true:  ActiveSync on Android 5 and 6 
works perfectly with my self-generated certs.

--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

["[DATABEILLE] Julien PAQUIT"]

I use successfully what Francis describes for more than one year now :

RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "mail.whatever.com"
RequestHeader set "x-webobjects-server-url" "https://mail.whatever.com;

Please, note that ActiveSync will not work with self-generated certs.

Julien PAQUIT // +33 (0)7 82 455 855
DATABEILLE, Votre Architecte de Données
www.databeille.com

Le 25/05/2016 14:19, Francis Lachapelle (flachape...@inverse.ca) a écrit :

Hi Chris


On May 24, 2016, at 3:31 PM, Chris Burke (burkech...@yahoo.com)  
wrote:

I'm having a problem getting SSL to work with SOGo web access and ActiveSync.


In Apache I redirect everything to SSL in 000-default.conf:


ServerName mail.mydomain.com
Redirect permanent / https://mail.mydomain.com/


This works great for everything, except when accessing SOGo.

When I go to https://[mail.mydomain.com]/SOGo the  login page loads https correctly, but 
as soon as I click "connect", I get redirected to http and the page doesn't 
load properly because of mixed http and https calls.

After getting redirected to http I can I can force "https:" in the URL bar, 
then it will load correctly.

I think the problem may be the http ProxyPass statements in the Apache 
SOGo.conf file:

ProxyPass /Microsoft-Server-ActiveSync \
  http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync \
  retry=60 connectiontimeout=5 timeout=3540

ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

I have tried changing these ProxyPass statements to https (and turning on 
SSLProxyEngine).
This failed.
I have also changed 127.0.0.1 to mail.mydomain.com (which resolves locally to 127.0.0.1) 
and this still fails with "internal server error".

Any ideas how I can stop SOGo from redirecting to http?

Also is there a way to force ActiveSync to use SSL?

You must set the x-webobjects headers. See the documentation:

http://sogo.nu/files/docs/SOGoInstallationGuide.html#_apache_configuration


Francis


--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

[Zhang Huangbin]

> On May 26, 2016, at 3:23 AM, Chris Burke (burkech...@yahoo.com) 
>  wrote:
> 
> You must set the x-webobjects headers. See the documentation:
> http://sogo.nu/files/docs/SOGoInstallationGuide.html#_apache_configuration

Suggestions to default Apache SOGo config file (source file 'Apache/SOGo.conf'):

*) Set and enable "x-webobjects-server-*" with Apache env variable 'HTTP_HOST', 
there're 2 advantages with this change:

1: no change required to be made by sys admin.
2: supports multiple web hosts. With url hard-coded in x-webobjects-server-url, 
no matter end user access host 'https://abc.com/SOGo' or 'https://xyz/SOGo', 
they will be redirected to url 'https:///SOGo', this is not 
good.


RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e; 
env=HTTP_HOST


*) Always redirect http traffic to https:


RewriteRule /SOGo(.*) https://%{HTTP_HOST}%{REQUEST_URI}



Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).

-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync

[Chris Burke]

Hi- Thanks so much for the response.
I made the changes to the x-webobjects headers according to the documentation, 
restarted apache and sogo, but the issue is still happening.
In happens in both Chrome and IE. Even though Apache should be redirecting 
everything to https, after logging in it is still makes calls to http. 
The SOGo web access loads but the fonts & layout are messed up. Using Chrome 
developer tools I can see the fonts are requested via http and therefore not 
loading:
"Font from origin 'https://mail.mydomain.com' has been blocked from loading by 
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header 
is present on the requested resource. Origin 'http://mail.mydomain.com' is 
therefore not allowed access."

If I go up to the URL bar and make it "https" and reload the page, all is fine 
again.
I'm just not sure what is happening on authentication, why the user gets 
redirected to http.
Below is a snip from my Apache SOGo.conf which shows the values for 
RequestHeader.
I'm going to experiment with moving the ProxyPass statements to my 
default-ssl.conf instead of leaving them in SOGo.conf to see if that makes a 
difference.
 http://127.0.0.1:2/SOGo>## adjust the following to your 
configuration## and do not forget to enable the headers module  RequestHeader set "x-webobjects-server-port" "443"  
RequestHeader set "x-webobjects-server-name" "mail.mydomain.com"  RequestHeader 
set "x-webobjects-server-url" "https://mail.mydomain.com;
## When using proxy-side autentication, you need to uncomment and## adjust the 
following line:  RequestHeader unset "x-webobjects-remote-user"#  RequestHeader 
set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER  RequestHeader 
set "x-webobjects-server-protocol" "HTTP/1.0" 
  AddDefaultCharset UTF-8  Order allow,deny  Allow from all

-Chris


  From: Francis Lachapelle <users@sogo.nu>
 To: users@sogo.nu 
 Sent: Wednesday, May 25, 2016 8:19 AM
 Subject: Re: [SOGo] SSL issues SOGo web access and ActiveSync
   
Hi Chris

> On May 24, 2016, at 3:31 PM, Chris Burke (burkech...@yahoo.com) 
> <users@sogo.nu> wrote:
> 
> I'm having a problem getting SSL to work with SOGo web access and ActiveSync.
> 
> 
> In Apache I redirect everything to SSL in 000-default.conf:
> 
> 
> ServerName mail.mydomain.com
> Redirect permanent / https://mail.mydomain.com/
> 
> 
> This works great for everything, except when accessing SOGo.
> 
> When I go to https://[mail.mydomain.com]/SOGo the  login page loads https 
> correctly, but as soon as I click "connect", I get redirected to http and the 
> page doesn't load properly because of mixed http and https calls.
> 
> After getting redirected to http I can I can force "https:" in the URL bar, 
> then it will load correctly.
> 
> I think the problem may be the http ProxyPass statements in the Apache 
> SOGo.conf file:
> 
> ProxyPass /Microsoft-Server-ActiveSync \
>  http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync \
>  retry=60 connectiontimeout=5 timeout=3540
> 
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
> 
> I have tried changing these ProxyPass statements to https (and turning on 
> SSLProxyEngine).
> This failed.
> I have also changed 127.0.0.1 to mail.mydomain.com (which resolves locally to 
> 127.0.0.1) and this still fails with "internal server error".
> 
> Any ideas how I can stop SOGo from redirecting to http?
> 
> Also is there a way to force ActiveSync to use SSL?

You must set the x-webobjects headers. See the documentation:

http://sogo.nu/files/docs/SOGoInstallationGuide.html#_apache_configuration


Francis
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

  
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] SSL issues SOGo web access and ActiveSync - FIXED

[Chris Burke]

Just wanted to update that I fixed this issue.
I moved the two ProxyPass statements below to the default-ssl.conf inside my 
 container for the server, and everything is always forced 
to https now and loads properly.
Thanks


ProxyPass /Microsoft-Server-ActiveSync \
 http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync \
 retry=60 connectiontimeout=5 timeout=3540

ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0



  From: Chris Burke <burkech...@yahoo.com>
 To: "users@sogo.nu" <users@sogo.nu> 
 Sent: Wednesday, May 25, 2016 3:23 PM
 Subject: Re: [SOGo] SSL issues SOGo web access and ActiveSync
   
Hi- Thanks so much for the response.
I made the changes to the x-webobjects headers according to the documentation, 
restarted apache and sogo, but the issue is still happening.
In happens in both Chrome and IE. Even though Apache should be redirecting 
everything to https, after logging in it is still makes calls to http. 
The SOGo web access loads but the fonts & layout are messed up. Using Chrome 
developer tools I can see the fonts are requested via http and therefore not 
loading:
"Font from origin 'https://mail.mydomain.com' has been blocked from loading by 
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header 
is present on the requested resource. Origin 'http://mail.mydomain.com' is 
therefore not allowed access."

If I go up to the URL bar and make it "https" and reload the page, all is fine 
again.
I'm just not sure what is happening on authentication, why the user gets 
redirected to http.
Below is a snip from my Apache SOGo.conf which shows the values for 
RequestHeader.
I'm going to experiment with moving the ProxyPass statements to my 
default-ssl.conf instead of leaving them in SOGo.conf to see if that makes a 
difference.
 http://127.0.0.1:2/SOGo>## adjust the following to your 
configuration## and do not forget to enable the headers module  RequestHeader set "x-webobjects-server-port" "443"  
RequestHeader set "x-webobjects-server-name" "mail.mydomain.com"  RequestHeader 
set "x-webobjects-server-url" "https://mail.mydomain.com;
## When using proxy-side autentication, you need to uncomment and## adjust the 
following line:  RequestHeader unset "x-webobjects-remote-user"#  RequestHeader 
set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER  RequestHeader 
set "x-webobjects-server-protocol" "HTTP/1.0" 
  AddDefaultCharset UTF-8  Order allow,deny  Allow from all

-Chris


  From: Francis Lachapelle <users@sogo.nu>
 To: users@sogo.nu 
 Sent: Wednesday, May 25, 2016 8:19 AM
 Subject: Re: [SOGo] SSL issues SOGo web access and ActiveSync
  
Hi Chris

> On May 24, 2016, at 3:31 PM, Chris Burke (burkech...@yahoo.com) 
> <users@sogo.nu> wrote:
> 
> I'm having a problem getting SSL to work with SOGo web access and ActiveSync.
> 
> 
> In Apache I redirect everything to SSL in 000-default.conf:
> 
> 
> ServerName mail.mydomain.com
> Redirect permanent / https://mail.mydomain.com/
> 
> 
> This works great for everything, except when accessing SOGo.
> 
> When I go to https://[mail.mydomain.com]/SOGo the  login page loads https 
> correctly, but as soon as I click "connect", I get redirected to http and the 
> page doesn't load properly because of mixed http and https calls.
> 
> After getting redirected to http I can I can force "https:" in the URL bar, 
> then it will load correctly.
> 
> I think the problem may be the http ProxyPass statements in the Apache 
> SOGo.conf file:
> 
> ProxyPass /Microsoft-Server-ActiveSync \
>  http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync \
>  retry=60 connectiontimeout=5 timeout=3540
> 
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
> 
> I have tried changing these ProxyPass statements to https (and turning on 
> SSLProxyEngine).
> This failed.
> I have also changed 127.0.0.1 to mail.mydomain.com (which resolves locally to 
> 127.0.0.1) and this still fails with "internal server error".
> 
> Any ideas how I can stop SOGo from redirecting to http?
> 
> Also is there a way to force ActiveSync to use SSL?

You must set the x-webobjects headers. See the documentation:

http://sogo.nu/files/docs/SOGoInstallationGuide.html#_apache_configuration


Francis
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

   

  
-- 
users@sogo.nu
https://inverse.ca/sogo/lists