On 13-03-28 4:32 PM, lloydsystems wrote:
Dear SOGo Group,

Hi Stephen,

I am having difficulty getting SOGo/OpenChange to work with Outlook 2010.  SOGo
itself works through its web interface, but email with Outlook does not.  I
have been messing around with it for days without success, so I thought I would
ask for some help.

Setup:  Server is running CentOS 6.4 with Postfix 2.6 and Cyrus-IMAP 2.4.  The
email system was setup and tested before starting with SOGo.  I also had Samba4
from the SOGo repo already installed and AD setup and tested.

DNS:  Here I will call the server domain example.local, so AD is setup with
domain EXAMPLE, realm example.local.  The server is also hosting a real world
domain example.com, so there is a split DNS setup.  The example.local is
managed by Samba using BIND with DLZ plugin, and example.com has traditional
BIND zone files.  All setup and tested.

The users are in Samba4 AD, but will have u...@example.com as their email
address.  Postfix is setup with example.com as a virtual mailbox domain and
delivers mail to Cyrus-IMAP.  I used Cyrus-IMAP because, being a sealed system
makes it well suited to virtual domains.  It authenticates users by SASL
(saslauthd) configured for PAM.  The /etc/pam.d/imap file uses pam_krb5 to
authenticate email users by Kerberos against AD.  All works.

I installed SOGo following the guide with MySQL database backend.  For LDAP
authentication I used the template in the Outlook configuration guide.

I would recommend using the nightly builds (or waiting for 2.0.5) to test the outlook compatibility.
We've fixed quite a few bugs after 2.0.4.


Side note:  I read somewhere that the SOGo configuration is being changed to a
proper “sogo.conf” file rather than using that awful “defaults” method,
but maybe it was only for Debian.  Can this be done for RHEL/CentOS?  I got so
sick of it I actually wrote a script to do the config.  Is anyone aware that
running ‘defaults -u sogo’ blows away the existing file?  I learned that
the hard way.

Yes, this sucks...

sogo.conf can be used on rhel or debian, it doesn't matter.
Simply create /etc/sogo/sogo.conf with the appropriate content.
You can use sogo-tool dump-defaults to convert from GNUstepDefaults.


When finished I started SOGo and could login from the web interface with my
EXAMPLE\testuser AD account.  Calendar, contacts and email (as
testu...@example.com) all worked perfectly.

I then followed the Outlook configuration guide to install and configure the
SOGo/OpenChange packages.  The only part I did not follow initially was under
the IMAP trust section.  It reads like a couple of lines thrown in there as an
afterthought, and with no example to follow, so it did not make sense at the
time.  I will come back to this.

All steps appeared to work OK.  Adding testuser to OpenChange initially failed
with “not found”.  I discovered from the code that it only looks in
CN=Users, but my users are under OU=People in order to apply group policy.
When I moved testuser it worked OK and I could see the extended attributes.  I
assume that, after this step, users could be moved back to an OU without any
issues?  I left testuser in CN=Users for now.

CN=Users is hardcoded in a few places in openchange, in the provision scripts and in ocsmanager, so, for now you should keep your users under this OU.


At the end the services start OK and I login as testuser from a VM client
joined to the EXAMPLE domain.  I create the Outlook profile and start Outlook.
It appears to work – Outlook says it is connected to Exchange, but there is
no mail folder creation and no email visible.  However, the calendar and
contact items are there.

Eventually Outlook says it is disconnected, and Samba is rather unhappy and
appears to have stopped working and must be restarted.

If I run the “Test Email AutoConfiguration” utility it fails.  The Apache
logs show requests for “autodiscover” returning 401 or 502 errors.  But I
had setup DNS for autodiscover.  In DNS Manager I tried both methods – using
a SRV entry and adding a CNAME alias.  I also added an alias to the example.com
DNS just in case.

In the maillog I see cyrus-imap errors for badlogin, SASL(-13), authentication
failure.  This, with the 401 error, suggests SOGo/OpenChange will not connect
to Cyrus-IMAP.  

I revisited the IMAP trust section and attempted to use ‘sasl_pwcheck_method
= alwaystrue’.  However, I found that on EL this is not available because the
option is not enabled at compile.  So I downloaded the cyrus-sasl source RPM,
rebuilt it with ‘--enable-alwaystrue’ and installed it.  I could now use
the ‘imtest’ utility to authenticate as testuser with any password.  Seems
OK.  I setup ‘cyrus.conf’ with separate imap services, one bound to
127.0.0.1 and the other to the server IP, using different ‘imapd.conf’
files.  The only difference being one has ‘sasl_pwcheck_method = saslauthd’
and the other ‘sasl_pwcheck_method = alwaystrue’.

You can also achieve the same effect by using the '-N' flag for imapd (in cyrus.conf).

I tried again with Outlook, but this time it hangs at the splash screen.  It
will not open at all.  There is no information in the logs to tell me what is
happening.  Only the maillog shows testuser successfully logged in from
127.0.0.1, and then connection closed, but the messages appear together only
when I cancel Outlook.

At that point, your outlook is probably messed up because of the non working imap access. I pushed a fix for this last month. (outlook would tell you right away that it can't access the mailstore).
The outlook profile would be hosed nonetheless...

To cleanup the profile, run the openchange_cleanup.py script that is shipped with sogo (or get it here: https://raw.github.com/inverse-inc/sogo/master/Scripts/openchange_cleanup.py)

Then create a new profile in outlook.

I also realised that the guide talks about Cyrus-IMAP 2.4, but the packaged EL
version is 2.3, so I found a stable 2.4 source RPM, built it and upgraded, but
nothing changed.  It works from SOGo web but not Outlook/OpenChange.

Indeed, 2.4 is required. (outlook support requires QRESYNC and MODSEC)

I am really at a loss.  I am considering swapping Cyrus-IMAP for Dovecot, but
would rather not.  Yes, the Cyrus documentation is woeful, which is probably why
people consider it difficult to use, but I think it’s solid and well suited
to virtual hosting.  Compared to Dovecot with its labyrinth of config files and
nested calls it doesn’t seem too bad to me.  But I don’t want to go to the
trouble of installing Dovecot and then find I have the same problem.

You don't need dovecot, cyrus should work just fine.

So, you should try this:

  - upgrade to the nightly packages (this will fix the paster 100% CPU issue)
  - Cleanup your user profiles with openchange_cleanup.py
  - create a new profile in outlook

You should also watch the logs for all components, that is:
  /var/log/samba/log.samba
  /var/log/ocsmanager/ocsmanager.log
  /var/log/https/error.log  (rpcproxy - if you use rpc over http)

If anyone has an explanation for this problem, or an example of a working setup
with Cyrus-IMAP, I would appreciate their help.

Regards,

Stephen Jones


Hope this helps.

--
Jean Raby
jr...@inverse.ca  ::  +1.514.447.4918 (x120) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
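
A check for the split-listener IMAP trust setup discussed in this thread, as an added example (not from either poster or from the SOGo or Cyrus projects): it parses a cyrus.conf SERVICES block and reports any imapd service that skips password checking, through `-N` or `sasl_pwcheck_method` set to `alwaystrue`, while listening on something other than loopback. The sample configuration, service names, file paths and the 192.0.2.10 address are constructed; both `:` and `=` are accepted as the option separator.

```python
import re
import shlex

# Constructed sample: service names, paths and 192.0.2.10 are hypothetical.
# "imaptrust" is a deliberate misconfiguration for the audit to catch.
CYRUS_CONF = """
SERVICES {
  imap       cmd="imapd" listen="192.0.2.10:imap" prefork=5
  imaplocal  cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap"
  imaptrust  cmd="imapd -N" listen="imaps" prefork=0
}
"""
IMAPD_CONFS = {
    "/etc/imapd.conf": "sasl_pwcheck_method: saslauthd\n",
    "/etc/imapd-local.conf": "sasl_pwcheck_method: alwaystrue\n",
}

def pwcheck_method(conf_text):
    """Return the sasl_pwcheck_method value from imapd.conf text, or None."""
    m = re.search(r"^\s*sasl_pwcheck_method\s*[:=]\s*(\S+)", conf_text, re.M)
    return m.group(1).lower() if m else None

def is_local(listen):
    """True for a UNIX socket path or a loopback host; a bare port is not local."""
    if listen.startswith("/"):
        return True
    if ":" not in listen:
        return False
    host = listen.rsplit(":", 1)[0].strip("[]").lower()
    return host in ("localhost", "::1") or host.startswith("127.")

def audit(cyrus_conf, confs):
    """List (service, reason) for imapd services that skip password checks off-loopback."""
    findings = []
    block = re.search(r"SERVICES\s*\{(.*?)\}", cyrus_conf, re.S)
    for line in (block.group(1) if block else "").splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', parts[1])}
        args = shlex.split(opts.get("cmd", ""))
        if not args or not args[0].endswith("imapd"):
            continue
        conf = args[args.index("-C") + 1] if "-C" in args[:-1] else "/etc/imapd.conf"
        reason = "imapd -N" if "-N" in args else None
        if not reason and pwcheck_method(confs.get(conf, "")) == "alwaystrue":
            reason = "alwaystrue in " + conf
        if reason and not is_local(opts.get("listen", "")):
            findings.append((parts[0], reason))
    return findings
```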