eBox 1.4 for Network Administrators

Revision 1.4

eBox Platform - Training

Student Guide

http://www.ebox-technologies.com/

This document is distributed under the Creative Commons Attribution-Share Alike license version 2.5 (http://creativecommons.org/licenses/by-sa/2.5/).

This document uses images from the Tango Desktop Project (http://tango.freedesktop.org/), also distributed under the Creative Commons Attribution-Share Alike license version 2.5.

Contents

1 eBox Platform: unified server for SMEs ..... 1
  1.1 Presentation ..... 1
  1.2 Installation ..... 4
    1.2.1 eBox Platform installer ..... 5
  1.3 Administration web interface ..... 12
    1.3.1 Dashboard ..... 13
    1.3.2 Applying configuration changes ..... 16
    1.3.3 Modules status configuration ..... 18
  1.4 How does eBox Platform work? ..... 18
  1.5 Location within the network ..... 20
    1.5.1 Local network configuration ..... 20
    1.5.2 Network configuration with eBox Platform ..... 21
    1.5.3 Network diagnosis ..... 24

2 eBox Infrastructure ..... 31
  2.1 Network configuration service (DHCP) ..... 31
    2.1.1 DHCP server configuration with eBox ..... 32
  2.2 Name resolution service (DNS) ..... 37
    2.2.1 DNS cache server configuration with eBox ..... 38
    2.2.2 DNS server configuration with eBox ..... 39
  2.3 Web data publication service (HTTP) ..... 43
    2.3.1 Hyper Text Transfer Protocol ..... 43
    2.3.2 The Apache Web server ..... 46
    2.3.3 Virtual domains ..... 47
    2.3.4 HTTP server configuration with eBox ..... 47
  2.4 Time synchronization service (NTP) ..... 49
    2.4.1 NTP server configuration with eBox ..... 50

3 eBox Gateway ..... 53
  3.1 High-level eBox network abstractions ..... 53
    3.1.1 Network objects ..... 53
    3.1.2 Network services ..... 55
  3.2 Firewall ..... 58
    3.2.1 The firewall in GNU/Linux: Netfilter ..... 58
    3.2.2 eBox security model ..... 58
  3.3 Routing ..... 63
    3.3.1 Routing tables ..... 63
    3.3.2 Multirouter rules and load balancing ..... 69
    3.3.3 WAN Failover ..... 71
  3.4 Traffic shaping ..... 73
    3.4.1 Quality of Service (QoS) ..... 73
    3.4.2 QoS configuration in eBox ..... 74
  3.5 RADIUS ..... 76
    3.5.1 RADIUS server configuration with eBox ..... 77
    3.5.2 Access Point (AP) configuration ..... 78
  3.6 HTTP Proxy Service ..... 79
    3.6.1 Access policy configuration ..... 80
    3.6.2 Client connection to the proxy and transparent mode ..... 81
    3.6.3 Web content filter ..... 82
    3.6.4 Cache parameters ..... 82

4 eBox Office ..... 89
  4.1 Directory service (LDAP) ..... 89
    4.1.1 Users and groups ..... 90
  4.2 File sharing service and remote authentication ..... 97
    4.2.1 File sharing ..... 97
    4.2.2 SMB/CIFS and its Linux Samba implementation ..... 98
    4.2.3 Primary Domain Controller (PDC) ..... 98
    4.2.4 eBox as file server ..... 98
    4.2.5 SMB/CIFS clients configuration ..... 101
    4.2.6 eBox as an authentication server ..... 104
    4.2.7 PDC Client Configuration ..... 106
  4.3 Printers sharing service ..... 107
  4.4 Groupware Service ..... 110
    4.4.1 Groupware service settings with eBox ..... 111

5 eBox Unified Communications ..... 117
  5.1 Electronic Mail Service (SMTP/POP3-IMAP4) ..... 117
    5.1.1 How electronic mail works through the Internet ..... 118
    5.1.2 SMTP/POP3-IMAP4 server configuration with eBox ..... 120
    5.1.3 Receiving and relaying mail ..... 120
    5.1.4 SMTP parameters ..... 127
    5.1.5 POP3 parameters ..... 127
    5.1.6 IMAP parameters ..... 128
    5.1.7 ManageSieve client parameters ..... 128
  5.2 WebMail service ..... 130
    5.2.1 Configuring a webmail in eBox ..... 131
  5.3 Instant Messaging (IM) Service (Jabber/XMPP) ..... 132
    5.3.1 Configuring a Jabber/XMPP server with eBox ..... 133
    5.3.2 Setting up a Jabber client ..... 134
    5.3.3 Setting up Jabber MUC (Multi User Chat) rooms ..... 140
    5.3.4 Practical example ..... 143
  5.4 Voice over IP service ..... 144
    5.4.1 Protocols ..... 144
    5.4.2 Codecs ..... 145
    5.4.3 Deployment ..... 146
    5.4.4 Asterisk server configuration with eBox ..... 149
    5.4.5 Configuring a softphone to work with eBox ..... 151
    5.4.6 Using eBox VoIP features ..... 156
    5.4.7 Example ..... 157

6 eBox Unified Threat Manager ..... 159
  6.1 Mail Filter ..... 159
    6.1.1 Mail filter schema in eBox ..... 160
    6.1.2 External connection control lists ..... 168
    6.1.3 Transparent proxy for POP3 mailboxes ..... 168
  6.2 HTTP Proxy advanced configuration ..... 170
    6.2.1 Group based filtering ..... 170
    6.2.2 Group-based filtering for objects ..... 171
    6.2.3 Filter profiles configuration ..... 172
  6.3 Secure interconnection between local networks ..... 174
    6.3.1 Virtual Private Network (VPN) ..... 174
    6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA) ..... 174
    6.3.3 Certification Authority configuration with eBox ..... 176
    6.3.4 Configuring a VPN with eBox ..... 180
  6.4 Intrusion Detection System (IDS) ..... 189
    6.4.1 Setting up an IDS with eBox ..... 190
    6.4.2 IDS Alerts ..... 191

7 eBox Core ..... 193
  7.1 Logs ..... 193
    7.1.1 Logs configuration ..... 196
  7.2 Monitoring ..... 198
    7.2.1 Metrics ..... 199
    7.2.2 Alerts ..... 203
  7.3 Events and alerts ..... 204
    7.3.1 Practical Example ..... 206
  7.4 Backup ..... 207
    7.4.1 The backup system design ..... 207
    7.4.2 Backup configuration with eBox ..... 208
    7.4.3 How to recover on a disaster ..... 213
    7.4.4 Configuration backups ..... 215
  7.5 Software Updates ..... 217
    7.5.1 Management of eBox components ..... 217
    7.5.2 System Updates ..... 218
    7.5.3 Automatic Updates ..... 220
  7.6 Control Center Client ..... 220
    7.6.1 Subscribing eBox to the Control Center ..... 221
    7.6.2 Configuration backup to the Control Center ..... 222

Chapter 1 eBox Platform: unified server for SMEs

1.1 Presentation

eBox Platform is a unified network server that offers easy and efficient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unified Threat Manager (UTM) [1], an Office Server, an Infrastructure Manager, a Unified Communications Server or a combination of them. This manual is written for version 1.4 of eBox Platform.

All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) [2].

The main features are:

- Unified and efficient management of the services:
  - Task automation.
  - Service integration.
  - Easy and intuitive interface.
- Extensible and adaptable to specific needs.
- Hardware independent.
- Open source software.

The services currently offered are:

- Network management:
  - Firewall and router
    * Traffic filtering
    * NAT and port redirection
    * Virtual local networks (VLAN 802.1Q)
    * Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity
    * Traffic shaping (with application-level filtering support)
    * Traffic monitoring
    * Dynamic DNS support
  - High-level network objects and services
  - Network infrastructure
    * DHCP server
    * DNS server
    * NTP server
  - Virtual private networks (VPN)
    * Dynamic auto-configuration of network paths
  - HTTP proxy
    * Cache
    * User authentication
    * Content filtering (with categorized lists)
    * Transparent antivirus
  - Mail server
    * Spam filtering and antivirus
    * Transparent POP3 filter
    * White-, black- and grey-listing
  - Web server
    * Virtual domains
  - Intrusion Detection System (IDS)
  - Certification Authority
- Groupware:
  - Shared directory using LDAP (Windows/Linux/Mac)
    * Shared authentication (including Windows PDC)
  - Shared storage as NAS (Network-attached storage)
  - Shared printers
  - Groupware server: calendars, address books, ...
  - VoIP server
    * Voicemail
    * Meetings
    * Calls through outside vendor
  - Instant messaging server (Jabber/XMPP)
    * Meetings
  - User corner to allow users to modify their data
- Reports and monitoring:
  - Dashboard to centralize the information
  - Disk, memory, load, temperature and host CPU monitoring
  - Software RAID status and information regarding the hard drive use
  - Network service logs in databases, allowing you to have daily, weekly, monthly and annual reports
  - Event-based system monitoring
    * Notification via Jabber, mail and RSS
- Host management:
  - Configuration and data backup
  - Updates
  - Control Center to easily administer and monitor multiple eBox hosts from one central point [3]

[1] UTM (Unified Threat Management): term that groups a series of functionalities related to computer network security: firewall, intrusion detection, antivirus, etc.
[2] GPL (GNU General Public License): software license that allows free redistribution, adaptation, use and creation of derivative works under the same license.

1.2 Installation

In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does not prevent you from installing other unmanaged services, but these must be configured manually. eBox Platform runs on the GNU/Linux operating system, on the Long Term Support (LTS) release of the Ubuntu Server Edition distribution [4]. The installation can be done in two different ways:

- Using the eBox Platform Installer (recommended).
- Installing from an existing Ubuntu Server Edition installation.

In the second case, you need to add the official eBox Platform repositories and install the packages you are interested in. Nevertheless, the former is easier, since all the dependencies are on a single CD. Moreover, some pre-configuration is made during the installation process.


Figure 1.1: Installer language select

1.2.1 eBox Platform installer

The eBox Platform installer is based on the Ubuntu installer, and therefore those who are already familiar with it will find the installation process very similar. You can install using the default mode, which deletes all disk content, creates the partitions needed by eBox using LVM and asks fewer questions, or using the expert mode, which allows you to do your own partitioning. Most people should choose the default option unless they are installing on a server with special requirements, for instance software RAID.

After installing the base system and rebooting, you can start installing eBox Platform. The first step is to create a user on the system. This user will be able to log on to the system and will have sudo privileges. Then you will be asked for a password for the user you just created. This password will also be used to log on to the eBox interface. You have to enter this password twice.

Now it is time to select which features you want to include on your system. There are two methods for this selection:

[3] For additional information regarding the Control Center, please visit http://www.eboxtechnologies.com/products/controlcenter/ (eBox Technologies is the company behind eBox Platform development).
[4] Ubuntu is a GNU/Linux distribution developed by Canonical and the community, oriented to laptops, desktops and servers.


Figure 1.2: Installer menu

Figure 1.3: Administration user

Figure 1.4: Administration password


Figure 1.5: Conrm administration password

Figure 1.6: Package selection method


- Simple: depending on the task the server will be dedicated to, you can install a set of packages that provides several features.
- Advanced: you can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later.

If you select the simple installation method, you get a list of available profiles. As shown in the figure eBox tasks to install, this list matches the following parts of this manual.

Figure 1.7: eBox tasks to install

- eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access.
- eBox Unified Threat Manager: eBox protects the local network against external attacks, intrusions and internal security threats, and enables secure interconnection between local networks via the Internet or other external networks.
- eBox Infrastructure: eBox manages the local network infrastructure, including the following basic services: DHCP, DNS, NTP, HTTP server, etc.
- eBox Office: eBox is an office server that allows sharing the following resources through the local network: files, printers, calendars, contacts, authentication, users and groups profiles, etc.
- eBox Unified Communications: eBox becomes the unified communications server of your organization, including mail, instant messaging and voice over IP.

You can select several profiles to make eBox play different roles in your network. However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can individually select the modules you are interested in.


Figure 1.8: eBox packages to install

Once you have completed the selection, the necessary additional packages will be installed. This selection is not final, and you can install and remove packages according to your needs later.

After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status.

The installer will try to preconfigure some important configuration parameters. First, you will have to select the type of server for the Users and Groups mode. If you just have one server, choose standalone. If you are deploying a master-slave infrastructure or you want to synchronize the users with a Microsoft Windows Active Directory, choose advanced. This step will appear only if the usersandgroups module is installed.

Also, it will ask whether some of the network interfaces attached to the host are external (not within the local network, used to connect to the Internet or other external networks). Strict policies for all incoming traffic through external network interfaces will be applied. This step will appear only if the network module was installed and the server has more than one network interface.

After that, you will do the mail configuration, defining the default virtual domain. This step will appear only if mail is installed.

Once you have answered these questions, every module you installed will be preconfigured and ready to be used via the web interface. Once the eBox Platform installation process is completed, you get a graphical interface with a browser to authenticate in the eBox web interface, using the password given in the first steps of the installer.

Figure 1.9: Installing eBox packages

Figure 1.10: Type of the server

Figure 1.11: Select external interfaces

Figure 1.12: Mail configuration

Figure 1.13: Preconfiguring eBox packages

Figure 1.14: eBox administration web interface

1.3 Administration web interface

Once you have installed eBox Platform, you can access the administration web interface at the following URL:

https://network_address/ebox/


Here network_address is the IP address or a host name that resolves to the address where eBox is running.

Warning: to access the web interface you should use Mozilla Firefox, as there are some known issues with other browsers such as Microsoft Internet Explorer.

The first screen will ask for the administrator password:

After authentication you get the administration interface, which is divided into three main sections:

- Left side menu: contains links to all services, separated by categories, that can be configured using eBox. When you select a service, you might get a submenu to configure specific details of the selected service.
- Top menu: contains actions to save the changes made to the content, make the changes effective and close the session.
- Main content: composed of one or several forms or tables with information about the service configuration; it depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.

1.3.1 Dashboard

The dashboard is the initial screen of the web interface. It contains a number of configurable widgets. You can reorganize them at any moment simply by clicking and dragging the titles. By clicking on Configure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page.


Figure 1.15: Main screen

Figure 1.16: Left side menu


Figure 1.17: Top menu

Figure 1.18: Web User Interface conguration forms

Figure 1.19: Dashboard


Figure 1.20: Dashboard conguration

Module status

There is a very important widget within the dashboard which shows the status of all installed modules in eBox. The figure depicts the current status of a service and the action to apply to it. The available statuses are the following:

- Running: the service daemons are running to accept connections from the network clients. You can restart the service using Restart.
- Running unmanaged: if you haven't configured the service yet, it is possible to find it running with the default configuration from the distribution. Therefore it is not managed by eBox yet.
- Stopped: some problem has happened, since the service has to be running but it is stopped for some reason. In order to find out why, you should check the log files for the service or the eBox log file itself, as the How does eBox Platform work? section describes. You may try to start the service by clicking on Start.
- Disabled: the service has been disabled explicitly by the system administrator, as explained in Modules status configuration.

1.3.2 Applying configuration changes

An important detail to take into account is the method eBox uses to apply the configuration changes made through the interface. First of all, you have to accept the changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you must click on Save Changes in the top menu. This button turns red if there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the session once you log out. There are some special cases when you don't need to save the changes, but in these cases you will receive a notification.

Figure 1.21: Module status widget

Figure 1.22: Save changes

In addition to this, you can revert your changes. Hence, if you have made a change you do not remember or are unsure about, you can always discard it safely. Take into account that if you have changed the network interfaces configuration or the eBox web administration port, you may lose the current connection to eBox, so you must re-enter the URL in the browser to reach the administration interface again.

1.3.3 Modules status configuration

As discussed above, eBox is built up with modules. The majority of the modules are intended to manage network services, which you must enable through Module Status. Each module may have dependencies on others to work. For instance, the DHCP service needs the network module to be enabled so that it can serve IP address leases through the configured network interfaces. These dependencies are shown in the Depends column.

In eBox jargon, enabling a module for the first time is called configuring the module. Configuration is done once per module. By clicking on the Status checkbox, you enable the module. If it is the first time, a dialog is presented asking you to accept the set of actions and file modifications that enabling the service implies [5]. After that, you may save changes to apply these modifications. Likewise, you may disable a module by unchecking the Status column for this module.

1.4 How does eBox Platform work?

eBox Platform is not just a simple web interface to manage the most common network services [6]. One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.

[5] You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.
[6] This process is mandatory to comply with the Debian Policy (http://www.debian.org/doc/debian-policy/).


Figure 1.23: Module status conguration

Figure 1.24: Conrm dialog to congure a module


All configuration of individual services is handled automatically by eBox. To do this, eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each configuration file format. As eBox manages these configuration files automatically, you must not edit the original files, since they will be overwritten as soon as you save any configuration changes.

Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided into the following files:

- /var/log/ebox/ebox.log: errors related to eBox Platform.
- /var/log/ebox/error.log: errors related to the web server.
- /var/log/ebox/access.log: every access to the web server.

If you want more information about an error that has occurred, you can enable the debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this option, you should restart the web server of the interface using sudo /etc/init.d/ebox apache restart.

1.5 Location within the network

1.5.1 Local network configuration

eBox Platform can be used in two different ways:


- Router and filter of the Internet connection.
- Server of different network services.

Both functionalities can be combined in a single host or divided among several hosts. The figure Different locations within the network displays the different locations the eBox Platform server can take in the network, either as a link between networks or as a server within the network.

Figure 1.25: Different locations within the network

Throughout this documentation you will find out how to configure eBox Platform as a router and gateway. You will also learn how to configure eBox Platform in the case it acts as just another server within the network.

1.5.2 Network configuration with eBox Platform

If you place a server within a network, you will most likely be assigned an IP address via the DHCP protocol. Through Network → Interfaces you can access each network card detected by the system and select between a static configuration (address configured manually), a dynamic configuration (address configured via DHCP) or a Trunk 802.1Q to create VLANs. If you configure a static interface, you can associate one or more Virtual Interfaces to this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with a different address. If you don't have a router with PPPoE support, eBox can also manage PPPoE connections: just select PPPoE as Method and enter the User name and Password given by your DSL provider.

To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network → DNS.


Figure 1.26: Network interface conguration

Figure 1.27: Static conguration of network interfaces

Figure 1.28: PPPoE conguration of network interfaces


Figure 1.29: Conguration of DNS servers

If your Internet connection has a dynamic IP address and you want to map a domain name to your eBox, a third-party dynamic DNS provider is required. eBox supports the connection to some of the most popular dynamic DNS providers. To configure dynamic DNS on eBox, go to Network → DynDNS, select your service provider and set up the user name, password and the domain name you want to update when your public address changes. Check the box Enable Dynamic DNS and Save changes.

Figure 1.30: Dynamic DNS conguration

eBox connects to the provider to obtain your public IP address, bypassing any NAT between you and the Internet. If you are using this feature in a multigateway scenario [7], don't forget to create a rule that makes the connections to your provider always use the same gateway.

[7] In order to understand the magnitude of the project, you can visit the independent site ohloh.net, where you can find an extensive analysis of the eBox Platform code base.

1.5.3 Network diagnosis

To check whether you have configured the network correctly, you can use the tools available in Network → Diagnosis.

Figure 1.31: Network diagnosis tools

Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple echo request. Additionally, you can use the traceroute tool, which determines the route taken by packets across different networks until they reach a given remote host. This tool allows you to trace the route the packets follow in order to carry out more advanced diagnosis. Besides, you can use the dig tool, which is used to verify the correct functioning of name resolution.

Practical example A

Let's configure eBox so that it obtains the network configuration via DHCP. Therefore:

1. Action: access the eBox interface, go to Network → Interfaces and, as network interface, select eth0. Then choose the DHCP method. Click on Change.
   Effect: you have enabled the Save Changes button and the network interface keeps the entered data.


Figure 1.32: Ping tool


Figure 1.33: Traceroute tool


Figure 1.34: Dig tool


2. Action: go to Module status and enable the Network module; in order to do this, check the box in the Status column.
   Effect: eBox asks for permission to overwrite some files.
3. Action: read the changes that are going to be made in each modified file and grant eBox permission to overwrite them.
   Effect: you have enabled the Save Changes button and you can enable some of the modules that depend on Network.
4. Action: save the changes.
   Effect: eBox displays the progress while the changes are implemented. Once it has finished, you are notified. Now eBox manages the network configuration.
5. Action: access the Network → Diagnosis tools. Ping ebox-platform.com.
   Effect: as a result, you are shown three successful connection attempts to the Internet server.
6. Action: access the Network → Diagnosis tools. Ping the eBox of a fellow classmate.
   Effect: as a result, you are shown three successful connection attempts to the host.
7. Action: access the Network → Diagnosis tools. Run a traceroute to ebox-technologies.com.
   Effect: as a result, you are shown a route of all the intermediate routers a packet traverses until it reaches the destination host.

Practical example B
For the rest of the exercises in this manual it is good practice to enable the logs. Therefore:
1. Action: Access the eBox interface, go to Module status and enable the Logs module by checking the box in the Status column.
Effect: eBox asks for permission to carry out a series of actions.
2. Action: Read the actions that are going to be carried out and accept them.
Effect: The Save Changes button is enabled.
3. Action: Save the changes.
Effect: eBox displays the progress while the changes are applied. Once it has finished, you are notified. eBox has now enabled the logs; you can check them at Logs → Query logs.


Chapter 2 eBox Infrastructure

This chapter explains several of the services used to manage and optimize internal traffic and the infrastructure of your local network: domain management, automatic network configuration of clients, publication of internal Web sites and time synchronization over the Internet. Configuring these services by hand takes considerable effort; eBox makes them easier to set up. The DHCP service is widely used to automatically configure network parameters such as a host's IP address or the gateway to use for Internet access. The DNS service gives access to services and hosts using names instead of IP addresses, which are harder to memorize. Many businesses also run Web applications that are only reachable from the internal network.

2.1 Network configuration service (DHCP)

As indicated, DHCP (Dynamic Host Configuration Protocol) is a protocol that enables a device to request and obtain an IP address from a server holding a list of available addresses to assign. The DHCP service[1] is also used to hand out many other parameters, such as the default gateway, the network mask, the IP addresses of the name servers or the search domain, among others. Hence, access to the network is made easier, without manual configuration on the clients. When a DHCP client connects to the network, it sends a broadcast request and the DHCP server responds to valid requests with an IP address, the lease time granted for that IP and the parameters listed above. The request usually happens while the client boots and must complete before the remaining network services can start. There are two ways of assigning addresses:

Manual: Assignment is based on a table of physical address (MAC) to IP address mappings entered manually by the administrator.

Dynamic: The network administrator assigns a range of IP addresses for a request-and-grant process that uses the lease concept: the granted IP remains valid for a controlled period. The server keeps a table of previous assignments and tries to reassign the same IP to a client on successive requests.

[1] eBox uses ISC DHCP Software (https://www.isc.org/software/dhcp) to configure the DHCP service.

2.1.1 DHCP server configuration with eBox

To configure the DHCP service with eBox, at least one statically configured interface is required. Once this is available, go to the DHCP menu, where the DHCP server can be configured. As indicated above, some network parameters can be sent along with the IP address. These parameters are configured in the Common options tab.

Default gateway: The gateway the client uses when it knows no other route for a packet to its destination. Its value can be eBox, a gateway already configured in the Network → Gateways section or a custom IP address.

Search domain: In a network whose hosts are named following .sub.domain.com, the search domain can be configured as sub.domain.com. When a name fails to resolve, another attempt is made by appending the search domain (or parts of it). For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the client host. The search domain can be entered directly, or one configured in the DNS service can be selected.

Primary name server: The DNS server[2] the client will use when a name is to be resolved or an IP address needs to be translated into a name. Its value can be local eBox DNS (if the eBox DNS server is to be queried; note that the dns module must be enabled) or the IP address of another DNS server.

[2] See the Name resolution service (DNS) section for more details about this service.


CHAPTER 2. EBOX INFRASTRUCTURE

Figure 2.1: Overview of DHCP service conguration


Secondary name server: DNS server the client will use if the primary one is not available. Its value must be the IP address of a DNS server.

NTP server: The NTP (Network Time Protocol)[3] server the client will use to synchronize its clock over the network. Its value can be none, local eBox NTP (the ntp module must be enabled) or a custom NTP server.

WINS server: The WINS (Windows Internet Name Service)[4] server the client will use to resolve NetBIOS names. Its value can be none, local eBox (the samba module must be enabled) or a custom one.

The common options display the ranges of addresses distributed by DHCP and the addresses assigned manually. For the DHCP service to be active, there must be at least one range of addresses to distribute or one static assignment. Otherwise, the DHCP server will not serve IP addresses even though the service is listening on the network interfaces. The ranges and static addresses available for assignment on a given interface are determined by the static address assigned to that interface: any free IP address from the corresponding subnet can be used in ranges or static assignments. A range is added in the Ranges section by entering a name to identify it and the first and last addresses to assign, within the limits shown above. Static assignments of IP addresses to given physical addresses are made in the Fixed Addresses section. An address assigned in this way cannot form part of any range. You may add an optional description for each assignment as well.

Figure 2.2: Appearance of the advanced configuration for DHCP

[3] See the Time synchronization service (NTP) section for details about the time synchronization service.
[4] WINS is the implementation of NBNS (NetBIOS Name Service). For more information about it, see the File sharing service and remote authentication section.


A dynamically granted address has a lease time, before the end of which the client must renew it; the lease time is configurable in the Advanced options tab and ranges from 1,800 to 7,200 seconds. Static assignments do not expire and are therefore unlimited leases.

A Lightweight (thin) Client is a special machine with no hard drive that boots over the network by requesting its boot image (operating system) from a lightweight client server. eBox allows the PXE server[5] to which the client must connect to be configured. The PXE service itself, which is responsible for transmitting everything the lightweight client needs to boot its system, must be configured separately. The PXE server may be an IP address or a name, in which case the path to the boot image must be indicated, or eBox itself, in which case the image file can be uploaded.

Dynamic DNS updates

The DHCP server has the ability to update the DNS server dynamically[6]: that is, when an IP address is leased or released, the DHCP server updates in real time the A and PTR records that map an IP address to a host name and vice versa. How this is done depends on the DHCP server configuration. eBox provides the dynamic DNS feature by integrating the dhcp and dns modules of the same box, in the Dynamic DNS Options tab. To enable this feature, the DNS module must be enabled as well. You may provide a Dynamic domain and a Static domain, both of which are added automatically to the DNS configuration. The dynamic domain maps the host names whose IP address comes from a range, and the associated name follows this pattern: dhcp-.. Regarding the static domain, the host name follows this pattern: ., the name being the one you set in the Fixed addresses table. Note that any host name proposed by the DHCP client itself is ignored by eBox. The update is done using a secure protocol[7] and, currently, only forward (name to address) mapping is supported; the reverse PTR records are not updated.

[5] Preboot eXecution Environment is an environment to boot PCs using a network interface, independent of the storage devices (such as hard drives) or operating systems installed (http://en.wikipedia.org/wiki/Preboot_Execution_Environment).
[6] RFC 2136 explains how to do dynamic updates in the Domain Name System.
[7] Communication uses TSIG (Transaction SIGnature) to authenticate the dynamic update requests with a shared secret key.


Figure 2.3: Dynamic DNS updates conguration

Practical example
Configure the DHCP service to assign a range of 20 network addresses. Check from another client host, using dhclient, that it works properly.
To configure DHCP, the Network module must be enabled and configured. The network interface on which the DHCP server is to be configured must be static (manually assigned IP address) and the range to assign must lie within the subnet determined by the network mask of that interface (e.g. the range 10.1.2.1-10.1.2.20 on an interface configured as 10.1.2.254/255.255.255.0).
1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP module by marking its checkbox in the Status column.
Effect: eBox requests permission to overwrite certain files.
2. Action: Read the changes to each of the files to be modified and grant eBox permission to overwrite them.
Effect: The Save changes button is enabled.
3. Action: Enter DHCP and select the interface on which the server is to be configured. The gateway may be eBox itself, one of the eBox gateways, a specific address or none (no routing to other networks). Furthermore, the search domain (domain appended to DNS names that cannot be resolved) can be defined, along with at least one DNS server (a primary DNS server and optionally a secondary one). eBox then indicates the range of available addresses. Select a subset of 20 addresses and, in Add new, give a meaningful name to the range to be assigned by eBox.
4. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete, it indicates as much. eBox now manages the DHCP server configuration.
5. Action: From another PC connected to this network, request a dynamic IP from the range using dhclient:

    $ sudo dhclient eth0
    There is already a pid file /var/run/dhclient.pid with pid 9922
    killed old client process, removed PID file
    Internet Systems Consortium DHCP Client V3.1.1
    Copyright 2004-2008 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    wmaster0: unknown hardware address type 801
    wmaster0: unknown hardware address type 801
    Listening on LPF/eth0/00:1f:3e:35:21:4f
    Sending on   LPF/eth0/00:1f:3e:35:21:4f
    Sending on   Socket/fallback
    DHCPREQUEST on wlan0 to 255.255.255.255 port 67
    DHCPACK from 10.1.2.254
    bound to 10.1.2.1 -- renewal in 1468 seconds.

6. Action: Verify from the Dashboard that the address appears in the DHCP leases widget.
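The allocation rules described in this section (ranges confined to the interface subnet, fixed addresses outside every range, leases bounded between 1,800 and 7,200 seconds and never expiring for static assignments, the same address handed back to a returning client, silence when the pool is exhausted) can be modelled in a few dozen lines. The following is an added example written for this guide, not eBox or ISC dhcpd code; the interface 10.1.2.254/24 and the 20-address range come from the practical example above, while the MAC addresses, the fixed address and the timings are constructed.

```python
"""Toy DHCP address pool following the assignment rules described in this section.
Added example for this guide; not eBox or ISC dhcpd code. MACs, fixed address and times are constructed."""
import ipaddress

MIN_LEASE, MAX_LEASE = 1800, 7200      # lease time bounds offered by the Advanced options tab


class DhcpPool:
    def __init__(self, interface_cidr, lease_time=MIN_LEASE):
        if not MIN_LEASE <= lease_time <= MAX_LEASE:
            raise ValueError("lease time must be between 1800 and 7200 seconds")
        self.iface = ipaddress.ip_interface(interface_cidr)   # the server's statically configured interface
        self.lease_time = lease_time
        self.ranges = []      # [(first, last)] dynamic ranges
        self.fixed = {}       # mac -> address: manual assignments, never expire
        self.leases = {}      # mac -> (address, expiry): dynamic assignments

    def _usable(self, addr):
        """Inside the interface subnet and not the network, broadcast or server address."""
        net = self.iface.network
        return addr in net and addr not in (net.network_address, net.broadcast_address, self.iface.ip)

    def add_range(self, first, last):
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if first > last or not (self._usable(first) and self._usable(last)):
            raise ValueError("range must lie inside the interface subnet")
        if any(first <= addr <= last for addr in self.fixed.values()):
            raise ValueError("a fixed address cannot be part of a range")
        self.ranges.append((first, last))

    def add_fixed(self, mac, addr):
        addr = ipaddress.ip_address(addr)
        if not self._usable(addr) or any(f <= addr <= l for f, l in self.ranges):
            raise ValueError("fixed address must be in the subnet and outside every range")
        self.fixed[mac] = addr

    def request(self, mac, now):
        """Serve a DISCOVER/REQUEST from `mac` at time `now`.
        Returns (address, expiry); expiry is None for a manual assignment; None if the pool is exhausted."""
        if mac in self.fixed:
            return self.fixed[mac], None
        # Forget expired leases of other clients, but keep this client's entry so it gets the same address back.
        self.leases = {m: v for m, v in self.leases.items() if v[1] > now or m == mac}
        if mac in self.leases:
            addr = self.leases[mac][0]
        else:
            taken = {a for a, _ in self.leases.values()}
            free = (ipaddress.ip_address(n) for first, last in self.ranges
                    for n in range(int(first), int(last) + 1))
            addr = next((a for a in free if a not in taken), None)
            if addr is None:
                return None          # nothing left to offer: a real server would stay silent
        expiry = now + self.lease_time
        self.leases[mac] = (addr, expiry)
        return addr, expiry


if __name__ == "__main__":
    pool = DhcpPool("10.1.2.254/24")                    # same layout as the practical example
    pool.add_fixed("00:11:22:33:44:55", "10.1.2.100")   # constructed: a printer with a manual assignment
    pool.add_range("10.1.2.1", "10.1.2.20")            # the 20-address dynamic range
    print(pool.request("aa:aa:aa:aa:aa:aa", now=0))    # (IPv4Address('10.1.2.1'), 1800)
    print(pool.request("aa:aa:aa:aa:aa:aa", now=900))  # renewal keeps the address: (IPv4Address('10.1.2.1'), 2700)
    print(pool.request("00:11:22:33:44:55", now=0))    # (IPv4Address('10.1.2.100'), None)
```

Two checks in the model correspond to error messages the eBox interface gives: a range that leaves the interface subnet and a fixed address that falls inside a range are both rejected before anything is stored.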

2.2 Name resolution service (DNS)

As explained, the function of the DNS (Domain Name System) is to convert host names that are readable and easy for users to remember into IP addresses, and vice versa. The domain name system is a tree structure whose aims are to avoid duplicating data and to make searching for domains easier. The service listens for requests on port 53 of the UDP and TCP transport protocols.


2.2.1 DNS cache server configuration with eBox

A name server can act as a cache[8] for queries it cannot answer itself. In other words, it initially queries the appropriate server, as it starts from an empty database, but subsequent identical queries are answered from the cache, with a corresponding decrease in response time. Most modern operating systems also have a local resolver library that keeps its own cache of the names requested by system applications (browsers, e-mail clients, etc.).

Practical example A
Check the correct operation of the cache name server. What is the response time for repeated requests for www.example.com?
1. Action: Access eBox, enter Module status and enable the DNS module by marking the checkbox in the Status column.
Effect: eBox requests permission to overwrite certain files.
2. Action: Read the changes to each of the files to be modified and grant eBox permission to overwrite them.
Effect: The Save changes button is enabled.
3. Action: Go to Network → DNS and add a new Domain name server with value 127.0.0.1.
Effect: eBox itself is set as the resolver used to translate names to IP addresses and vice versa.
4. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete, it indicates as much. eBox now manages the DNS server configuration.
5. Action: Use the Domain name resolution tool available in Network → Diagnosis to check the operation of the cache, querying the domain www.example.com several times in a row and comparing the response times.

[8] A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).

2.2.2 DNS server configuration with eBox

DNS has a tree structure whose source is known as . or root. Under . are the TLDs (Top Level Domains), such as org, com, edu, net, etc. When a DNS server does not know the answer to a query, the tree is searched recursively until it is found. Each . in a name (e.g. home.example.com) indicates a different branch of the DNS tree and a different query area. The name is traversed from right to left.

Figure 2.4: DNS tree

As Figure 2.4 shows, each zone has an authoritative name server[9]. When a client queries a name server, the server delegates the resolution to the name server pointed to by an NS record that claims to be authoritative for that zone. For instance, a client asks a name server that is authoritative for example.com for the IP address of www.home.example.com. As the name server has a record indicating the authoritative name server for the home.example.com zone (the NS record), it delegates the answer to that server, which should know the IP address of that host. Another important aspect is reverse resolution (in-addr.arpa), which makes it possible to translate an IP address into a domain name. Furthermore, as many aliases (canonical names) as required can be added to each name, and the same IP address can have several associated names.

[9] A DNS server is authoritative for a domain when it has all the data needed to resolve queries for that domain.


Another important characteristic of the DNS is the MX record. This record indicates the place where the e-mails to be sent to a certain domain are to be sent. For example, where an e-mail is to be sent to [email protected], the e-mail server will ask for the MX record of example.com and the service will reply that it is mail.example.com. The conguration in eBox is done through the DNS menu. In eBox, as many DNS domains as required can be congured. To congure a new domain, drop down the form by clicking on Add new. From here, the domain name and an optional IP address which the domain will refer to can be congured.

When a new domain is added, you may have noticed a eld called dynamic is set to false. A domain is set as dynamic when it is updated automatically by a process without restarting the server. A typical example for this is a DHCP server which updates the DNS records when it leases/releases an IP address for a host. Check out Dynamic DNS updates section for details about this conguration with eBox. Currently, if a domain is set as dynamic, then no manual conguration can be done using eBox interface.

Once a correct domain has been created, e.g. home.example.com, it is possible to complete the hostnames list for the domain. As many IP addresses as required can be added using the names decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can also be used for each mapping.


eBox automatically sets the authoritative name server for the configured domains to the ns host name. If none is set, then 127.0.0.1 is used as the authoritative name server for those domains. If you want to configure the authoritative name servers (NS records) for your domains manually, go to Name servers and choose one of the configured host names for that domain or set a custom one. In a typical scenario, you configure an ns host name using as its IP address one of those configured in the Network → Interfaces section.

As an additional feature, e-mail server names can be added through Mail exchangers, by selecting a host name from a domain for which eBox is authoritative or an external one. Furthermore, a preference can be given to each one; the lowest value has the highest priority, i.e. a sending mail server will first try the exchanger with the lowest preference number and fall back to the others in ascending order.
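The zone behaviour described above (an NS record delegating a child zone, PTR records generated automatically from host names, aliases as canonical names, and the ns-or-127.0.0.1 default for the authoritative server) is easier to follow in code. The following is an added model written for this guide, not eBox's DNS module; the domains, hosts and addresses are constructed, and the lookup routine mimics what the text says an authoritative server does: answer from its own data, refer when a deeper NS record exists, and otherwise go to the roots.

```python
"""Toy model of the zone data eBox's DNS module manages: hosts with automatic reverse records,
aliases, NS delegation and the default authoritative server. Added example for this guide, not eBox
code; all domains and addresses are constructed."""
import ipaddress


class Zone:
    def __init__(self, domain):
        self.domain = domain.rstrip(".").lower()
        self.records = []          # (owner, type, value); owners are lower-case FQDNs without trailing dot

    def add_host(self, hostname, ip, aliases=()):
        """Host name -> A record; the PTR record is derived automatically, as the text describes."""
        addr = ipaddress.ip_address(ip)
        fqdn = f"{hostname}.{self.domain}".lower()
        self.records.append((fqdn, "A", str(addr)))
        self.records.append((addr.reverse_pointer, "PTR", fqdn))
        for alias in aliases:      # canonical-name aliases pointing at the same host
            self.records.append((f"{alias}.{self.domain}".lower(), "CNAME", fqdn))

    def add_delegation(self, subdomain, ns_fqdn, glue_ip):
        """NS record handing a child zone to another server, plus glue so clients can reach that server."""
        self.records.append((f"{subdomain}.{self.domain}".lower(), "NS", ns_fqdn.lower()))
        self.records.append((ns_fqdn.lower(), "A", str(ipaddress.ip_address(glue_ip))))

    def authoritative_ns(self):
        """The default described above: the 'ns' host if one exists, otherwise 127.0.0.1."""
        ns = f"ns.{self.domain}"
        return ns if any(o == ns and t == "A" for o, t, _ in self.records) else "127.0.0.1"


def in_zone(name, domain):
    return name == domain or name.endswith("." + domain)


def lookup(zones, qname, qtype="A", max_cnames=8):
    """Resolve qname against the zones this server is authoritative for (dict domain -> Zone).
    Returns (status, data) with status ANSWER, REFERRAL (delegated below us), NXDOMAIN (ours, but
    no such name) or RECURSE (not ours: a recursive server would now ask the root servers)."""
    qname = qname.rstrip(".").lower()
    if qtype == "PTR":             # reverse lookups: PTR records live beside the host that created them
        values = [v for z in zones.values() for o, t, v in z.records if t == "PTR" and o == qname]
        return ("ANSWER", values) if values else ("RECURSE", None)
    # Right to left: the longest zone name that is a suffix of the query owns it.
    matches = [d for d in zones if in_zone(qname, d)]
    if not matches:
        return ("RECURSE", None)
    zone = zones[max(matches, key=len)]
    # An NS record below the apex that still covers the query means another server is authoritative.
    for owner, rtype, value in zone.records:
        if rtype == "NS" and owner != zone.domain and in_zone(qname, owner):
            return ("REFERRAL", [value])
    name = qname
    for _ in range(max_cnames):    # follow aliases to the canonical name, with a loop bound
        answers = [v for o, t, v in zone.records if o == name and t == qtype]
        if answers:
            return ("ANSWER", answers)
        cnames = [v for o, t, v in zone.records if o == name and t == "CNAME"]
        if not cnames:
            return ("NXDOMAIN", None)
        name = cnames[0]
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    parent = Zone("example.com")
    parent.add_host("ns", "10.1.2.254")
    parent.add_host("mail", "10.1.2.10", aliases=("smtp", "imap"))
    parent.add_delegation("home", "ns.home.example.com", "10.1.3.1")
    child = Zone("home.example.com")
    child.add_host("www", "10.1.3.20")
    print(lookup({"example.com": parent}, "www.home.example.com"))   # ('REFERRAL', ['ns.home.example.com'])
    both = {"example.com": parent, "home.example.com": child}
    print(lookup(both, "www.home.example.com"))                       # ('ANSWER', ['10.1.3.20'])
    print(lookup(both, "smtp.example.com"))                           # ('ANSWER', ['10.1.2.10'])
    print(lookup(both, "10.2.1.10.in-addr.arpa", "PTR"))              # ('ANSWER', ['mail.example.com'])
    print(parent.authoritative_ns(), Zone("other.test").authoritative_ns())   # ns.example.com 127.0.0.1
```

The same query for www.home.example.com yields a referral when the server only holds example.com and a direct answer when it also holds the child zone, which is exactly the difference between the two name servers in the figure.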

For a more in-depth look at how the DNS works, let us see what happens depending on the query made through the dig diagnosis tool located in Network → Diagnosis. If a query is made for one of the domains added, eBox replies with the appropriate answer immediately. Otherwise, the DNS server queries the root DNS servers and replies to the user as soon as it gets an answer. It is important to be aware that the name servers configured in Network → DNS are used by the client applications on eBox to resolve names, but are not used in any way by the DNS server. If you want eBox itself to resolve names using its own DNS server, you have to set 127.0.0.1 as the primary DNS server in that section.

Practical example B
Add a new domain to the DNS service. Within this domain, assign a network address to a host name. From another host, check that it resolves correctly using the dig tool.
1. Action: Check through the Module status widget on the Dashboard that the DNS service is active. If it is not, enable it in Module status.
2. Action: Enter DNS and in Add new enter the domain to be managed. A table drops down where host names, mail servers for the domain and the domain's own address can be added. In Hostnames, add the host name and its associated IP address.
3. Action: Save the changes.
Effect: eBox requests permission to write the new files.
4. Action: Accept the overwriting of these files and save the changes.
Effect: The progress is displayed while the changes are being applied. Once this is complete, it indicates as much.
5. Action: From another PC connected to this network, request the name resolution using dig, where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the name to be resolved:

    $ dig mirror.ebox-platform.com @10.1.2.254
    ; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @10.1.2.254
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<-

    > get ejemplo
    > put eaea
    > ls
    > exit
    $ smbclient -U joe -L //192.168.45.90/
    Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]

            Sharename       Type      Comment
            ---------       ----      -------
            _foo            Disk
            _mafia          Disk
            hp              Printer
            br              Printer
            IPC$            IPC       IPC Service (eBox Samba Server)
            ADMIN$          IPC       IPC Service (eBox Samba Server)
            joe             Disk      Home Directories
    Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]

            Server               Comment
            ---------            -------
            DME01                PC Verificaci
            eBox-SMB3            eBox Samba Server
            WARP-T42

            Workgroup            Master
            ---------            -------
            eBox                 eBox-SMB3
            GRUPO_TRABAJO        POINT
            INICIOMS             WARHOL
            MSHOME               SHINNER
            WARP                 WARP-JIMBO

4.2.6 eBox as an authentication server

Go to File Sharing → General Settings and check the Enable PDC option to have eBox working as an authentication server (PDC).


CHAPTER 4. EBOX OFFICE

If the Roaming Profiles option is enabled, the PDC server stores all the user profiles. A user profile contains general information such as Windows settings, Outlook e-mail accounts or the user's documents. Every time a user logs in, the PDC server sends them their updated profile, so a user can access their profile from any computer. Take the size of the users' data into account when setting up your server, to make sure there is enough space. In addition, the Disk Letter for the personal directory can be redefined: when a user logs into the domain, their personal directory is automatically mapped to a drive with this letter. Finally, you can define password policies through File Sharing → PDC; in many organizations this is a legal or regulatory requirement:

Minimum Password Length.
Maximum Password Age. The password has to be changed after this period.
Enforce Password History. Remembers a number of previous passwords so that they cannot be reused.

These policies only apply when a password is changed from Windows; Windows enforces them when a user logs in on a machine registered in the domain.


4.2.7 PDC Client Configuration

An account with administration rights is needed to configure a PDC client; it can be granted by going to Users and Groups → Users and editing the user's File Sharing or PDC Account section. A Disk Quota can also be set there.

Now go to a different machine on the same LAN (keep in mind that the SMB/CIFS protocol relies on broadcasts) running a CIFS-capable Windows (i.e. Windows XP Professional). Click on My PC → Properties. This launches the Network Id wizard, where you enter the administrator user name and password as well as the domain name given in the File Sharing configuration. The machine name can be the one already set, as long as it does not collide with one already in the domain. After finishing the process, you need to reboot the machine. Every user can then see their disk usage and quota in My PC.


4.3 Printers sharing service

To share a printer on our network, allowing or denying users and groups access to it, the printer must be reachable from the host running eBox. This can be done through a direct connection, i.e. a USB[5] or parallel port, or through the local network. Besides that, to get good results we need to know certain information about the printer: its manufacturer, model and driver. Printers are added by going to Printers → Add printer, where a wizard asks for all the necessary details. First we name the printer and choose a connection method for it. The following methods are currently supported by eBox:

Parallel port: A physical printer connected to the eBox server through a parallel port.
USB: A physical printer connected to the eBox server through USB.
AppSocket: A remote printer that uses the AppSocket protocol, also known as JetDirect.
IPP: A remote printer that uses the Internet Printing Protocol (IPP)[6].
LPD: A remote printer that uses the Line Printer Daemon protocol (LPD)[7].
Samba: A remote printer shared through Samba or Windows printer sharing.

We then configure the connection parameters according to the selected method. For example, for a network printer we have to set an IP address and a listening port, as the following figure shows.

In the next four steps we configure the printer driver eBox needs in order to send jobs to be printed, defining the manufacturer, the model, the printer driver and other settings.

[5] Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer.
[6] Internet Printing Protocol (IPP) is a standard network protocol for remote printing as well as for managing print jobs, media size, resolution, and so forth. More information is available in RFC 2910.
[7] Line Printer Daemon protocol (LPD) is a set of programs that provide printer spooling and network print server functionality for Unix-like systems. More information is available in RFC 1179.


After these steps, the printer is configured. You can now see both the queued print jobs and the ones in progress. In addition, you can modify any of the parameters entered in the wizard by going to Printers → Manage printers. The printers managed by eBox are accessible using the Samba protocol; you can also enable the CUPS printing daemon to share the printers using IPP too.

Once the service is enabled and you have saved changes, you can grant access to the printers by editing either the group (Groups → Edit Group → Printers) or the user (Users → Edit User → Printers).


4.4 Groupware Service

Groupware, also known as collaborative software, is a set of applications that integrate the work of different users on common projects. Each user can connect to the system from various workstations on the local network or from anywhere in the world via the Internet. Some of the most important features of groupware tools are:

Communication between users: mail, chat rooms, etc.
Information sharing: shared calendars, task lists, common address books, knowledge base, file sharing, news, etc.
Project management: resources, time management, bug tracking, etc.


There is a large number of groupware solutions on the market. Among the open source alternatives, one of the most popular is eGroupWare[8], which is the one selected for eBox Platform to implement such an important feature in business environments. Setting up eGroupware with eBox Platform is very simple. The goal is for the user not to need the traditional eGroupware configuration interface and to manage all the settings from the eBox interface, unless some advanced customization is required. In fact, the password for the eGroupware configuration interface is auto-generated[9] by eBox, and the administrator uses it at their own risk: a wrong action there may leave the module improperly configured and in an unstable state.

4.4.1 Groupware service settings with eBox

Most of the eGroupware configuration is performed automatically by enabling the module and saving the changes. Without any further intervention, eGroupware operates fully integrated with the eBox directory service (LDAP): all users added to eBox from that moment on can log in to eGroupware without any other action. In addition, we can integrate the webmail service provided by eGroupware with the eBox mail module. The only actions required are to select a pre-existing virtual domain and to enable the IMAP service, allowing mail to be received. The eBox installer does this automatically if you select ebox-egroupware for installation. Instructions for creating a mail domain and configuring the IMAP service are fully explained in the chapter Electronic Mail Service (SMTP/POP3-IMAP4). To select the domain used by eGroupware, go to the Groupware → Virtual Mail Domain tab, shown in the following image. You only need to select the desired domain and click the Change button, although, as usual, the action does not take effect until Save Changes is pressed.

[8] eGroupware: an enterprise-ready groupware software for your network (http://www.egroupware.org).
[9] Note for advanced eGroupware users: the password is stored in the file /var/lib/ebox/conf/ebox-egroupware.passwd, and the user names are admin and ebox for the header and domain configuration respectively.


For users to be able to use the mail service, they need their own accounts created on it. The image below (Users and Groups → Users) shows that during the configuration of eGroupware a notice is displayed indicating the name of the mail account that should be used from eGroupware.

eGroupware consists of several applications; in eBox you can edit access permissions to these applications for each user by assigning a permission template, as shown in the image above. There is a default permission template, but you can define other ad-hoc ones. The default permission template is useful for configuring most of the users of the system with the same permissions, so that when a new user is created the permissions are assigned automatically. To edit the default template go to the Groupware → Default Applications tab, as shown in the image.


For small groups of users such as administrators, you can define a custom permission template and apply it manually to those users. To define a new template go to Groupware → User Defined Permission Templates in the menu and click on Add New. Once the name is entered it appears in the table, and you can edit the applications by clicking on Allowed Applications, in the same way as with the default template.

Be aware that if you modify the default permission template, the changes only apply to users created from that moment on; they are not applied retroactively to users created earlier. The same applies to the user-defined templates: if a template was already applied to some users, you should edit each of those users' properties and apply the same template again once it has been modified.


Finally, once you have congured everything, you can access eGroupWare through the address http:///egroupware using the username and password dened in the eBox interface.

eGroupware management is beyond the scope of this manual. For any question, you should check the ofcial eGroupware user manual. It is available on-line in the ofcial website and it is also linked from within the application once you are inside.

Practical example
Enable the Groupware module and check its integration with the mail service.
1. Action: Access eBox, go to Module Status and activate the Groupware module by checking the box in the Status column. You are informed that the eGroupware configuration is about to change; allow the operation by pressing Accept. Make sure you have previously enabled the modules on which it depends (Mail, Webserver, Users, ...).
Effect: The Save Changes button is activated.
2. Action: Set up a virtual mail domain as shown in the practical example of the mail chapter. In that example a user is added with a corresponding e-mail account. The steps related to objects or forwarding policies are not necessary here; follow the steps only up to the point at which the user is added.
Effect: The new user has a valid mail account.
3. Action: Access the Mail → General menu and, in the Mail Server Options tab, check the box IMAP Service Enabled and click Change.
Effect: The change is saved temporarily, but it is not effective until changes are saved.
4. Action: Access the Groupware menu and, in the Virtual Mail Domain tab, select the previously created domain and click Change.
Effect: The change is saved temporarily, but it is not effective until changes are saved.
5. Action: Save changes.
Effect: eBox shows the progress while applying the changes and informs you when it is done. From now on eGroupware is configured to work with your IMAP server.
6. Action: Access the eGroupware interface (http:///egroupware) with the user you created earlier. Open the eGroupware mail application and send an e-mail to your own address.
Effect: You receive in your inbox the e-mail you just sent.


Chapter 5 eBox Unified Communications

In this section we will see the different communication methods for sharing information that are centralized in eBox and are all accessible using the same username and password. First, the mail service is explained. It allows quick and easy integration with the preferred mail client of the users of the network, and also offers the latest techniques available to prevent spam. Second, the instant messaging service through the Jabber / XMPP protocol. It provides an internal IM service without having to rely on external companies or an Internet connection. It also offers conference rooms and can be used with any of the many clients available. It allows faster communication in the cases where mail is not enough. Finally, we will see an introduction to voice over IP, which enables each person to have an extension to make calls or participate in conferences easily. Additionally, with an external provider, eBox can be configured to connect to the traditional telephone network.

5.1 Electronic Mail Service (SMTP/POP3-IMAP4)

The electronic mail service is a store and forward [1] method to compose, send, store and receive messages over electronic communication systems.


Figure 5.1: Diagram where Alice sends an email to Bob

5.1.1 How electronic mail works through the Internet

The diagram depicts a typical sequence of events that takes place when Alice writes a message to Bob using her Mail User Agent (MUA).

1. Her MUA formats the message in email format and uses the Simple Mail Transfer Protocol (SMTP) to send the message to the local Mail Transfer Agent (MTA).
2. The MTA looks at the destination address provided in the SMTP envelope (not the one in the message header), in this case bob@b.org, and resolves the domain name to determine the fully qualified domain name of the destination mail exchanger server (the MX record explained in the DNS section).
3. smtp.a.org sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the user bob.
4. Bob receives the message through his MUA, which picks up the message using the Post Office Protocol (POP3).

There are many alternative possibilities and complications to the previous email system sequence. For instance, Bob may pick up his email in many ways, for example using the Internet Message Access Protocol (IMAP), by logging into mx.b.org and reading it directly, or by using a Webmail service.

[1] Store and forward: telecommunication technique in which information is sent to an intermediate station where it is kept and sent at a later time to the final destination or to another intermediate station.


CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

The sending and reception of emails between mail servers is done through SMTP but the users pick up their email using POP3, IMAP or their secure versions (POP3S and IMAPS). Using these protocols provides interoperability among different servers and email clients. There are also proprietary protocols such as the ones used by Microsoft Exchange and IBM Lotus Notes.

POP3 vs. IMAP

The POP3 design for retrieving email messages is useful for slow connections, allowing users to pick up all their email at once to read and manage it without being connected. These messages are usually removed from the user's mailbox on the server, although most MUAs allow keeping them on the server. The more modern IMAP allows you to work on-line or offline as well as to explicitly manage the messages stored on the server. Additionally, it supports simultaneous access by multiple clients to the same mailbox and partial retrieval of MIME messages, among other advantages. However, it is a quite complicated protocol with a higher server workload than POP3, which puts most of the load on the client side. The main advantages over POP3 are:

- Connected and disconnected modes of operation.
- Multiple clients simultaneously connected to the same mailbox.
- Access to MIME message parts and partial fetching.
- Message state information using flags (read, removed, replied, ...).
- Multiple mailboxes on the server (usually presented to the user as folders), allowing some of them to be made public.
- Server-side searches.
- Built-in extension mechanism.

Both POP3 and IMAP have secure versions, called respectively POP3S and IMAPS. The difference from the plain versions is that they use TLS encryption so the content of the messages cannot be eavesdropped.


5.1.2 SMTP/POP3-IMAP4 server configuration with eBox

Setting up an email service requires configuring an MTA to send and receive emails as well as IMAP and/or POP3 servers to allow users to retrieve their mail. To send and receive emails, Postfix [2] acts as SMTP server. The email retrieval service (POP3, IMAP4) is provided by Dovecot [3]. Both servers support secure communication using SSL.

5.1.3 Receiving and relaying mail

In order to understand the mail system configuration, a distinction must be made between receiving mail and relaying mail. Reception is when the server accepts a mail message whose recipients contain an account that belongs to any of its virtual mail domains. Mail can be received from any client which is able to connect to the server. On the other hand, relay is done when the mail server receives a message whose recipients do not belong to any of its managed virtual mail domains, thus requiring the message to be forwarded to another server. Mail relay is restricted, otherwise spammers could use the server to send spam over the Internet. eBox allows mail relay in two cases:

1. an authenticated user
2. a source address that belongs to a network object which has an allowed relay policy

General configuration

Through Mail > General > Mail server options > Authentication, you can manage the authentication options. The following options are available:

TLS for SMTP server: Force the clients to connect to the mail server using TLS encryption, thus avoiding eavesdropping.

Require authentication: This setting enables the use of authentication. A user must use his email address and his password to identify himself; authenticated users can relay mail through the server. An account alias cannot be used to authenticate.

[2] Postfix: The Postfix Home Page http://www.postfix.org
[3] Dovecot: Secure IMAP and POP3 Server http://www.dovecot.org


In the Mail > General > Mail server options > Options section you may configure the general settings for the mail service:

Smarthost to send mail: Domain name or IP address of the smarthost. You may also specify a port by appending the text :[port_number] after the address. The default port is the standard SMTP port, 25. If this option is set, eBox will not send its messages directly; instead each received email will be forwarded to the smarthost without keeping a copy. In this case, eBox is an intermediary between the user who sends the email and the server which is the real message sender.

Smarthost authentication: Whether the smarthost requires authentication using a user and password pair or not.


Server mailname: This sets the visible mail name of the system; it will be used by the mail server as the local address of the system.

Postmaster address: The postmaster address is aliased by default to the root system user, but it can be set to any account, whether it belongs to one of the managed virtual mail domains or not. This account is intended to be a standard way to reach the administrator of the mail server. Automatically-generated notification mails will typically use postmaster as reply address.

Maximum mailbox size allowed: Using this option you can set a maximum size in MB for any user mailbox. All mail which surpasses the limit will be rejected and the sender will be emailed a notification. This setting can be overridden for any user in the Users and Groups > Users page.

Maximum message size accepted: Indicates, if necessary, the maximum message size in MB accepted by the smarthost. This is enforced regardless of any mailbox size limit.

Expiration period for deleted mails: If you enable this option, those mail messages which are in the users' trash folder will be deleted when their date passes the day limit.

Expiration period for spam mails: This option works the same way as the option above, but applies to the users' spam folder.

In order to configure the mail retrieval services go to the Mail retrieval services section. There eBox may be configured as a POP3 and/or IMAP server; their secure versions POP3S and IMAPS are available too. The retrieval of email from external accounts and the ManageSieve service can also be enabled in this section; we will discuss those services in the Mail retrieval from external accounts section.

In addition to this, eBox may be configured to relay mail without authentication from some network addresses. To do so, you can add relay policies for network objects through Mail > General > Relay policy for network objects. The policies are based on the source mail client IP address. If relay is allowed from an object, then each object member may relay emails through eBox.


Warning: Be careful when using an Open Relay policy, i.e., forwarding email from everywhere, since your mail server will probably become a spam source.

Finally, the mail server may be configured to use a content filter for its messages [4]. To do so, the filter server must receive the message on a fixed port and send the result back to another established port where the mail server is bound to listen for the response. Through Mail > General > Mail filter options, you may choose a custom server or eBox as mail filter.

[4] This topic is explained in depth in the Mail Filter section.


Email account creation through virtual domains

In order to set up an email account with a mailbox, a virtual domain and a user are required. From Mail > Virtual Mail Domains, you may create as many virtual domains as you want. They provide the domain name for the email accounts of eBox users. Moreover, it is possible to set aliases for a virtual domain. It makes no difference whether an email is sent to a virtual domain or to any of its aliases.

In order to set up email accounts, you have to follow the same rules that apply when configuring any other user-based service. From Users and Groups > Users > Edit Users > Create mail account, you select the main virtual domain for the user. If you want to give the user more than a single email address, you can create aliases. Behind the scenes, the email messages are kept just once, in a single mailbox. However, it is not possible to use an alias to authenticate; you always have to use the real account.

Note that you can decide whether an email account should be created by default when a new user is added or not. You can change this behaviour in Users and Groups > Default User Template > Mail Account. Likewise, you may set up aliases for user groups. Messages received by these aliases are sent to every user of the group who has an email account. Group aliases are created through Users and Groups > Groups > Create alias mail account to group. Group aliases are only available when at least one user of the group has an email account.


You may define aliases to external accounts as well. The mail sent to such an alias will be forwarded to the external account. This kind of alias is set on a virtual domain basis, does not require any email account and can be set in Mail > Virtual Domains > External accounts aliases.

Queue Management

From Mail > Queue Management, you may see those email messages that have not yet been delivered. All the information about the messages is displayed. The allowed actions are: deletion, content viewing and retrying the sending (re-queuing the message). There are also two buttons to delete or re-queue all messages in the queue.

Mail retrieval from external accounts

You can configure eBox to retrieve email messages from external accounts, which are stored on external servers, and deliver them to the users' mailboxes. In order to configure this you have to enable the service in the Mail > General > Mail server options > Retrieval services section. Once it is enabled, the users will have their mail fetched from their external accounts and delivered to their internal account mailbox. Each user can configure his external accounts through the user corner [5]. The user must have an email account to be able to do this. The external servers are polled periodically, so email retrieval is not instantaneous.

To configure his external accounts, a user has to log into the user corner and click on Mail retrieval from external mail accounts in the left menu. On this page a list of the user's external accounts is shown, and the user can add, edit and delete accounts. Each account has the following fields:

External account: The username or the mail address required to log into the external mail retrieval service.

Password: Password to authenticate the external account.

[5] The user corner configuration is explained in the User Corner section.


Mail server: Address of the mail server which hosts the external account.

Protocol: Mail retrieval protocol used by the external account; it may be one of the following: POP3, POP3S, IMAP or IMAPS.

Port: Port used to connect to the external mail server.

For retrieving external emails, eBox uses the Fetchmail [6] software.

Sieve scripts and ManageSieve protocol

The Sieve language [7] allows the user to control how his mail messages are delivered, so it is possible to classify them into IMAP folders, forward them or use a vacation message, among other things. ManageSieve is a network protocol that allows users to easily manage their Sieve scripts. To be able to use ManageSieve, an email client that understands this protocol is required [8].

To enable ManageSieve in eBox you have to turn on the service in Mail > General > Mail server options > Retrieval services, and it can then be used by all users with an email account. In addition to this, if ManageSieve is enabled and the webmail module [9] is in use, a management interface for Sieve scripts will be available in the webmail interface. ManageSieve authentication is done with the email account of the user and its password. The Sieve scripts of an account are executed regardless of the value of the ManageSieve protocol option.

[6] Fetchmail: The Fetchmail Home Page http://fetchmail.berlios.de/
[7] For more info check out this page http://sieve.info/
[8] See a list of clients on this page http://sieve.info/clients
[9] The webmail module is explained in the WebMail service chapter.


Email client configuration

Unless users only use email through the webmail or the eGroupware webmail application, they will want to configure their email clients to use eBox's mail server. The values of the required parameters depend on the exact configuration of the module. Please note that different email clients may use other names for these parameters, so given the great number of clients available this section is merely guidance.

5.1.4 SMTP parameters

SMTP server: Enter the address of your eBox server. It may be either an IP address or a domain name.

SMTP port: 25; if you are using TLS you may instead use port 465.

Secure connection: Select TLS if you have enabled TLS for SMTP server, otherwise select none. If you are using TLS please read the warning below about SSL/TLS.

SMTP username: Use this if you have enabled Require authentication. Use as username the full email address of the user; don't use the bare username nor any of his mail aliases.

SMTP password: The user's password.

5.1.5 POP3 parameters

You can only use the POP3 settings when the POP3 or POP3S services are enabled in eBox.

POP3 server: Enter your eBox address, as in the SMTP parameters section above.

POP3 port: 110, or 995 if you are using POP3S.

Secure connection: Select SSL if you are using POP3S, otherwise none. If you are using POP3S please read the warning below about SSL/TLS.

POP3 username: Full email address; as above, avoid the bare user name or any of his email aliases.

POP3 password: User's password.


5.1.6 IMAP parameters

The IMAP configuration can only be used if either the IMAP or IMAPS service is enabled. As you will see, the parameters are almost identical to the POP3 parameters.

IMAP server: Enter your eBox address, as in the SMTP parameters section above.

IMAP port: 443, or 993 if you are using IMAPS.

Secure connection: Select SSL if you are using IMAPS, otherwise none. If you are using IMAPS please read the warning below about SSL/TLS.

IMAP username: Full email address; as above, avoid the bare user name or any of his email aliases.

IMAP password: User's password.

Warning: In client implementations there is some confusion about the use of the terms SSL and TLS. Some clients use SSL to mean that they will try to connect with TLS; others use TLS as a way to say that they will try to connect to the secure service through the port normally used by the plain version of the protocol. In fact, in some clients you will need to try both the SSL and TLS modes to find which one works. You can find more information about this issue on this page from Dovecot's wiki: http://wiki.dovecot.org/SSL
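The SSL/TLS confusion in the warning above comes down to two negotiation styles: on ports such as 465, 993 and 995 the server speaks TLS from the first byte, while on the plain ports the session starts unencrypted and is upgraded with STARTTLS (or STLS for POP3). The following is an added example, not code from the manual or from eBox, showing how a scripted client picks the right style from the port, verifies the server certificate, and authenticates with the full email address as the client parameter sections require. The hostname, account and the path of an exported eBox CA certificate (`ca_file`) are assumptions; the IANA-assigned plain ports used in the tables are a stated fact, not from the page.

```python
import imaplib
import poplib
import smtplib
import ssl
from typing import Optional

# Ports on which the server speaks TLS from the first byte
# (what many clients label "SSL").
IMPLICIT_TLS_PORTS = {"smtp": {465}, "imap": {993}, "pop3": {995}}
# Ports where the session starts in clear text and is upgraded with
# STARTTLS/STLS (what many clients label "TLS"). 587 is the submission
# port and 143 the plain IMAP port as assigned by IANA.
STARTTLS_PORTS = {"smtp": {25, 587}, "imap": {143}, "pop3": {110}}


def transport_for(protocol: str, port: int, secure: bool = True) -> str:
    """Map a (protocol, port) pair to the negotiation the server expects."""
    if not secure:
        return "plain"
    if port in IMPLICIT_TLS_PORTS[protocol]:
        return "implicit-tls"
    if port in STARTTLS_PORTS[protocol]:
        return "starttls"
    raise ValueError(f"no known TLS mode for {protocol} on port {port}")


def full_address(username: str) -> str:
    """eBox authenticates with the complete address of a real account."""
    if "@" not in username:
        raise ValueError("use the full email address, not the bare user name")
    return username


def tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the server certificate and hostname.

    ca_file is an assumed path to the exported eBox certificate; with None
    the system trust store is used, which will reject a self-signed server.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_smtp(host: str, port: int, username: str, password: str,
                 ca_file: Optional[str] = None) -> smtplib.SMTP:
    ctx = tls_context(ca_file)
    if transport_for("smtp", port) == "implicit-tls":
        conn = smtplib.SMTP_SSL(host, port, context=ctx)
    else:
        conn = smtplib.SMTP(host, port)
        conn.starttls(context=ctx)  # never send AUTH before the upgrade
    conn.login(full_address(username), password)
    return conn


def connect_imap(host: str, port: int, username: str, password: str,
                 ca_file: Optional[str] = None) -> imaplib.IMAP4:
    ctx = tls_context(ca_file)
    if transport_for("imap", port) == "implicit-tls":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)
    conn.login(full_address(username), password)
    return conn


def connect_pop3(host: str, port: int, username: str, password: str,
                 ca_file: Optional[str] = None) -> poplib.POP3:
    ctx = tls_context(ca_file)
    if transport_for("pop3", port) == "implicit-tls":
        conn = poplib.POP3_SSL(host, port, context=ctx)
    else:
        conn = poplib.POP3(host, port)
        conn.stls(context=ctx)
    conn.user(full_address(username))
    conn.pass_(password)
    return conn


if __name__ == "__main__":
    # Assumed values: adjust host, account and CA path to your own eBox.
    imap = connect_imap("ebox.example.com", 993, "alice@example.com",
                        "alice-secret", ca_file="/path/to/ebox-ca.pem")
    print(imap.select("INBOX"))
    imap.logout()
```

The decision is made from the port alone, so a client that is told "SSL on 25" or "TLS on 465" fails fast with a ValueError instead of silently falling back to clear text; that, and `CERT_REQUIRED` with hostname checking, is the behaviour to look for when a GUI client offers both labels.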

5.1.7 ManageSieve client parameters

To connect to ManageSieve, you will need the following parameters:

Sieve server: The same as your IMAP or POP server.

Port: 4190. Be warned that some applications mistakenly use port 2000 as the default for ManageSieve.

Secure connection: Set to true.

Username: Full mail address; as above, avoid the bare user name or any of his email aliases.

Password: User's password.

Some clients allow you to select the same authentication as your IMAP or POP3 account; if this is available, select it.


Catch-all account

A catch-all account is one which receives a copy of all the mail sent and received by a mail domain. eBox allows you to define a catch-all account for every virtual domain; to define it you must go to Mail > Virtual Mail Domains and then click in the Settings cell. All the messages sent and received by the domain will be emailed as Blind Carbon Copy (BCC) to the defined address. If the mail to the catch-all address bounces, it will be returned to the sender.

Practice example

Set up a virtual domain for the mail service. Create a user account and a mail account within the domain for that user. Configure the relay policy to send email messages. Send a test email message with the new account to an external mail account.

1. Action: Log into eBox, access Module status and enable Mail by checking its checkbox in the Status column. Enable Network and Users and Groups first if they are not already enabled.
Effect: eBox requests permission to overwrite certain files.

2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them.
Effect: The Save changes button has been enabled.

3. Action: Go to Mail > Virtual Mail Domains and click Add new to create a new domain. Enter the name in the appropriate field.
Effect: eBox notifies you that you must save changes to use this virtual domain.

4. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is completed, you will be notified. Now you may use the newly created virtual mail domain.

5. Action: Enter Users and Groups > Users > Add User, fill in the user data and click the Create and Edit button.
Effect: The user is added immediately without saving changes. The edit screen is displayed for the newly created user.


6. Action: (This action is only required if you have disabled the automatic creation of email accounts in Users and Groups > Default User Template > Mail Account.) Enter a name for the user's mail account in Create mail account and create it.
Effect: The account has been added immediately and options to delete it or add aliases for it are shown.

7. Action: Enter the Object > Add new menu. Fill in a name for the object and press Add. Click on Members in the created object. Fill in a name for the member and enter the IP address of the host from which the mail will be sent.
Effect: The object has been added temporarily and you may use it in other eBox sections, but it is not persistent until you save changes.

8. Action: Enter Mail > General > Relay policy for network objects. Select the previously created object, making sure Allow relay is checked, and add it.
Effect: The Save changes button has been enabled.

9. Action: Save the changes.
Effect: A relay policy for that object has been added, which makes it possible to send e-mails to the outside from that object.

10. Action: Configure a chosen MUA to use eBox as SMTP server and send a test email message from this new account to an external one.
Effect: After a brief period you should receive the message in your external account mailbox.

11. Action: Verify using the mail server log file /var/log/mail.log that the email message was delivered correctly.
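Step 11 asks you to confirm delivery in /var/log/mail.log. The parser below is an added example, not part of the manual or of eBox: it correlates the Postfix lines that share a queue id, reports the delivery status for a recipient, and lists which relayed messages were authorised by SMTP authentication and which only by an object's relay policy, which is the audit a defender wants after step 9. The log lines are constructed in Postfix's log format; the hosts, addresses and queue ids in them are invented.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of /var/log/mail.log lines (Postfix format; not a real log).
SAMPLE_LOG = """\
Jan 12 10:15:01 ebox postfix/smtpd[2310]: connect from pc1.lan[192.168.1.20]
Jan 12 10:15:01 ebox postfix/smtpd[2310]: 7C1D2E3F40: client=pc1.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 10:15:01 ebox postfix/cleanup[2311]: 7C1D2E3F40: message-id=<20100112101501.1@pc1.lan>
Jan 12 10:15:01 ebox postfix/qmgr[2001]: 7C1D2E3F40: from=<alice@example.com>, size=642, nrcpt=1 (queue active)
Jan 12 10:15:03 ebox postfix/smtp[2312]: 7C1D2E3F40: to=<friend@mail.example.net>, relay=mx.mail.example.net[203.0.113.25]:25, delay=2.1, delays=0.3/0.01/0.8/1, dsn=2.0.0, status=sent (250 2.0.0 OK queued as 1A2B3C)
Jan 12 10:15:03 ebox postfix/qmgr[2001]: 7C1D2E3F40: removed
Jan 12 10:20:44 ebox postfix/smtpd[2340]: 9A8B7C6D50: client=pc2.lan[192.168.1.21]
Jan 12 10:20:44 ebox postfix/qmgr[2001]: 9A8B7C6D50: from=<printer@example.com>, size=15021, nrcpt=1 (queue active)
Jan 12 10:20:46 ebox postfix/smtp[2341]: 9A8B7C6D50: to=<ops@mail.example.net>, relay=mx.mail.example.net[203.0.113.25]:25, delay=2.4, delays=0.2/0.01/0.9/1.3, dsn=4.7.1, status=deferred (host mx.mail.example.net[203.0.113.25] said: 451 4.7.1 Try again later (in reply to end of DATA command))
"""

# syslog prefix, postfix daemon name, then "<queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(
    r"^client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(
    r"^to=<(?P<addr>[^>]*)>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]*), "
    r".*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)


def parse_mail_log(text: str) -> Dict[str, dict]:
    """Group the lines of one or more messages by Postfix queue id."""
    msgs: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "connect from" lines carry no queue id
        rec = msgs.setdefault(m["qid"], {
            "from": None, "size": None, "client_ip": None,
            "sasl_username": None, "deliveries": [],
        })
        rest = m["rest"]
        c = CLIENT_RE.match(rest)
        if c:  # smtpd: who submitted it and whether SMTP AUTH was used
            rec["client_ip"], rec["sasl_username"] = c["ip"], c["user"]
            continue
        f = FROM_RE.match(rest)
        if f:  # qmgr: envelope sender and size
            rec["from"], rec["size"] = f["addr"], int(f["size"])
            continue
        t = TO_RE.match(rest)
        if t:  # smtp/local/virtual: one line per recipient delivery attempt
            rec["deliveries"].append({
                "to": t["addr"], "relay": t["relay"], "status": t["status"],
                "detail": t["detail"], "time": m["ts"],
            })
    return msgs


def find_delivery(msgs: Dict[str, dict], recipient: str) -> Optional[Tuple[str, str]]:
    """Queue id and final status of the message addressed to recipient."""
    for qid, rec in msgs.items():
        for d in rec["deliveries"]:
            if d["to"].lower() == recipient.lower():
                return (qid, d["status"])
    return None


def relayed_messages(msgs: Dict[str, dict], local_domains: Set[str]) -> List[dict]:
    """Deliveries to domains eBox does not manage, with who authorised the relay.

    sasl_username None means no SMTP AUTH: the relay was granted by an
    object's relay policy (or, if the client is not on your LAN, by an open
    relay misconfiguration worth investigating).
    """
    out = []
    for qid, rec in msgs.items():
        for d in rec["deliveries"]:
            if d["to"].rsplit("@", 1)[-1].lower() not in local_domains:
                out.append({"qid": qid, "from": rec["from"], "to": d["to"],
                            "client_ip": rec["client_ip"],
                            "sasl_username": rec["sasl_username"],
                            "status": d["status"]})
    return out


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_LOG)
    print(find_delivery(parsed, "friend@mail.example.net"))
    for r in relayed_messages(parsed, {"example.com"}):
        print(r)
```

On a live system read the file instead of SAMPLE_LOG (`parse_mail_log(open("/var/log/mail.log").read())`); a "deferred" status with a 4.x.x DSN, as in the second sample message, means Postfix will retry, while a "bounced" status is final.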

5.2 WebMail service

The webmail service allows users to read and send mail using a web interface provided by the mail server itself. Its main advantages are that no client configuration is required by the user and that it is easily accessible from any web browser that can reach the server. Its downsides are that the user experience is poorer than with most dedicated email software and that web access to the server must be allowed. It also increases the server workload, since rendering the mail messages is done by the client in traditional email software.


eBox uses Roundcube [10] to implement this service.

5.2.1 Configuring a webmail in eBox

The webmail service is enabled like any other eBox service. However, it requires the mail module to be configured to use either IMAP, IMAPS or both, and the webserver module to be enabled. If they are not, webmail will refuse to enable itself [11].

Webmail options

You can access the options by clicking on the Webmail section in the left menu. You may set the title the webmail will use to identify itself; this title will be shown on the login screen and in the HTML page titles.

Login into the webmail

In order to log into the webmail, HTTP traffic must first be allowed by the firewall from the source address used. The webmail login screen is available at http://[eBox's address]/webmail from the browser. Then the user has to enter his email address and his password. He has to use his real email address; an alias will not work.

[10] Roundcube webmail http://roundcube.net/
[11] The mail configuration in eBox is explained in depth in the Electronic Mail Service (SMTP/POP3-IMAP4) section and the webserver module is explained in Web data p