1. About this Guide

This guide will walk you through the installation and configuration of the native Microsoft Outlook compatibility layer SOGo offers.

Before going through this guide, you should have a working SOGo installation. Please refer to the SOGo Installation and Configuration Guide for more information on installing and configuring SOGo.

This guide also includes instructions for configuring Microsoft Outlook with SOGo.

The instructions are based on version 3.2.10 of SOGo.

The latest version of this guide is available at http://www.sogo.nu/downloads/documentation.html.

2. Introduction

SOGo is a free and modern scalable groupware server. It offers shared calendars, address books, and emails through your favourite Web browser and by using a native client such as Mozilla Thunderbird and Lightning.

SOGo is standard-compliant. It supports CalDAV, CardDAV, GroupDAV, iMIP and iTIP and reuses existing IMAP, SMTP and database servers — making the solution easy to deploy and interoperable with many applications.

SOGo features:

  • Scalable architecture suitable for deployments from dozens to many thousands of users

  • Rich Web-based interface that shares the look and feel, the features and the data of Mozilla Thunderbird and Lightning

  • Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator

  • Native compatibility for Microsoft Outlook 2003, 2007, 2010, and 2013

  • Two-way synchronization support with any Microsoft ActiveSync-capable device, and Outlook 2013

SOGo is developed by a community of developers located mainly in North America and Europe. More information can be found on http://www.sogo.nu/.

3. Architecture

The following diagram demonstrates the architecture of the native Outlook compatibility layer of SOGo.

[Diagram: openchange]

With Samba 4 and OpenChange, Microsoft Outlook clients can communicate natively with SOGo using the Microsoft Exchange protocol, without requiring costly and hard-to-maintain third-party MAPI connectors for Microsoft Outlook.

4. Requirements

Organizations generally have solutions to authenticate users such as LDAP servers or Microsoft Active Directory servers.

The solution being used will influence how users are provisioned in Samba 4, a key component for native Outlook compatibility in SOGo.

4.1. LDAP Server

If your organization uses an LDAP server such as OpenLDAP, Novell eDirectory, Apache Directory or any other solution, you must use Samba 4’s internal directory server and synchronize the data between both.

Synchronization scripts are not provided. Unless you have the clear-text passwords of your existing users, those passwords will have to be changed during your initial synchronization so that your LDAP server’s passwords are identical to the ones in Samba 4.

Any modifications to your existing LDAP server (password change, user addition or deletion, etc.) will have to be replicated to Samba 4’s internal directory server.

Note that if you install Samba 4 on a server that is already running an LDAP service, you will have to change the TCP port on which your LDAP server listens. Samba 4 will use TCP port 389 and this can’t be changed.

For example, with OpenLDAP, you can use the -h parameter for slapd to make it listen on another TCP port.

4.2. Microsoft Active Directory

If your organization uses Microsoft Active Directory, Samba 4 will need to be joined to your Active Directory domain, as a DC.

Samba 4 will be able to reuse all the information contained in Microsoft Active Directory and no synchronization process needs to be put in place as information will get replicated to Samba 4 automatically.

For more information on joining Samba 4 to an existing Microsoft Active Directory domain, please refer to the Samba 4 documentation available at the following URL:

More specifically, have a look at the samba-tool domain join command. Note that joining Samba 4 to your Active Directory domain as a member will currently not work. An authentication bug is present in Samba 4 which then prevents all Outlook users from successfully authenticating through Samba 4. This issue has been reported to the Samba team and is being worked on.

4.3. Other or No Solution

If your organization uses neither an LDAP server nor Microsoft Active Directory, you can start using Samba 4 as your directory server.

Samba 4’s directory can be queried over LDAP just like Microsoft Active Directory and can also serve as a domain controller for Windows-based environments.

For example, SOGo can very well use Samba 4’s built-in directory server to authenticate users. A SOGoUserSources entry to achieve this would look like this:

su - sogo
defaults write sogod SOGoUserSources '(
    {
        CNFieldName = displayName;
        IDFieldName = cn;
        UIDFieldName = sAMAccountName;
        baseDN = "cn=Users,dc=example,dc=com";
        bindDN = "cn=Administrator,cn=Users,dc=example,dc=com";
        bindFields = (
            sAMAccountName
        );
        bindPassword = "%1OpenChange";
        canAuthenticate = YES;
        displayName = "Shared Addresses";
        hostname = "127.0.0.1";
        id = samba;
        isAddressBook = YES;
        port = 389;
    }
)'

Please refer to the SOGo Installation and Configuration Guide for more information regarding SOGoUserSources.

4.4. IMAP Server and Trust

An IMAP server supporting the ACL, UIDPLUS and QRESYNC IMAP extensions is required, such as Cyrus IMAP version 2.4 or later, or Dovecot version 2.1 or later. If your current IMAP server does not support these extensions, you can use Dovecot’s proxying capabilities. The following configuration example makes Dovecot proxy all IMAP requests to an existing server:

auth_mechanisms = plain login
imapc_host = inverse.ca
imapc_port = 993
imapc_ssl = imaps
imapc_ssl_verify = no
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_uid = imapproxy
passdb {
  args = host=inverse.ca ssl=imaps port=993 ssl_ca_dir=/etc/pki/tls/certs
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver = imap
}
protocols = imap
ssl = no
userdb {
  driver = prefetch
}

SOGo would then be configured to use Dovecot’s proxy as the IMAP server.

Moreover, the authentication mode used by Windows with Samba and Exchange servers prevents the backend from knowing the real password used by the user. This implies that the IMAP server must accept any password from the host on which Samba is running.

To accomplish this with Cyrus IMAP Server, set sasl_pwcheck_method to alwaystrue in /etc/imapd.conf. You should restrict this to an imapd instance dedicated to SOGo.

For Dovecot, use an authentication source similar to:

passdb {
  driver = static
  args = nopassword=y allow_nets=127.0.0.1/32
}

You should also make sure that you restrict this to the SOGo processes only.
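One way to check that restriction, as an added example that is not part of the original guide or of Dovecot: a Python audit that flags any passdb block that skips password verification without limiting allow_nets to single trusted hosts. The function names, the default trusted list (loopback) and the second and third sample blocks are assumptions; the first sample block is the guide's own.

```python
import ipaddress
import re

# Constructed sample: block 1 is the guide's setting, blocks 2 and 3 are
# hypothetical misconfigurations added for illustration.
SAMPLE_CONF = """
passdb {
  driver = static
  args = nopassword=y allow_nets=127.0.0.1/32
}
passdb {
  driver = static
  args = nopassword=y allow_nets=127.0.0.1/32,10.0.0.0/8
}
passdb {
  driver = static
  args = nopassword=y
}
"""

def passdb_blocks(conf):
    """Yield the key/value settings of every passdb { ... } block."""
    for body in re.findall(r"^\s*passdb\s*\{(.*?)^\s*\}", conf, re.S | re.M):
        yield dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", body, re.M))

def audit_nopassword(conf, trusted=("127.0.0.1", "::1")):
    """Return (block number, reason) for passwordless blocks open beyond `trusted`."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for index, settings in enumerate(passdb_blocks(conf), start=1):
        args = {}
        for token in settings.get("args", "").split():
            key, _, value = token.partition("=")
            args[key] = value or "y"  # a bare flag counts as enabled
        if args.get("nopassword", "n").lower() not in ("y", "yes"):
            continue  # this passdb still verifies a password
        nets = [n for n in args.get("allow_nets", "").split(",") if n]
        if not nets:
            findings.append((index, "nopassword without allow_nets"))
            continue
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if network.num_addresses != 1 or network.network_address not in trusted_ips:
                findings.append((index, f"allow_nets entry {net} is not a trusted host"))
    return findings

if __name__ == "__main__":
    for block, reason in audit_nopassword(SAMPLE_CONF):
        print(f"passdb #{block}: {reason}")
```

When Samba runs on a different host than Dovecot, pass that host's address in `trusted` instead of the loopback default.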

For any other IMAP server, refer to the product’s documentation. If such capability is not offered, you can alternatively define the cleartext password for each user. Please refer to the Adding Users section from this document.

5. Installation

This section will guide you through the installation of the native Microsoft Outlook compatibility layer SOGo offers.

5.1. Ubuntu 16.04 (Xenial Xerus)

Please follow the instructions from https://sogo.nu/download.html to set up your apt sources.

Then install Samba 4 on top of an existing SOGo installation:

apt-get update
apt-get install samba samba-dev

Once completed, install the packages related to OpenChange and the SOGo provider:

apt-get install openchangeserver \
                sogo-openchange \
                openchangeproxy \
                python-ocsmanager \
                mysql-server \
                python-mysqldb \
                openchange-ocsmanager \
                openchange-rpcproxy \
                python-sievelib \
                python-spyne \
                python-rpclib

Once the packages are installed, refer to the Configuration chapter from this guide.

The ocsmanager.conf and rpcproxy.conf files are currently located in /etc/apache2/conf.d. These should be moved to /etc/apache2/conf-available. This is a packaging error that will soon be fixed.
You might have to adjust the rpcproxy.conf configuration file to add the Require all granted permission if you get Apache errors such as client denied by server configuration.

6. Configuration

In this section, you’ll learn how to configure the native Microsoft Outlook compatibility layer that SOGo offers.

6.1. SOGo Configuration

The first thing to do is to configure SOGo to use your current services, which are your IMAP, SMTP and SQL database servers. The configuration instructions for this are available in the SOGo Installation and Configuration Guide available from http://www.sogo.nu/.

Please refer to that documentation before continuing with the instructions included in this guide.

6.2. Samba 4 Configuration

Run the following commands as root: 

samba-tool domain provision --realm=example.com \
          --domain=EXAMPLE \
          --adminpass='%1OpenChange' \
          --server-role='domain controller'

samba-tool user setexpiry administrator --noexpiry

You might consider changing the realm and domain used, to suit your environment.

You might also have to remove /etc/samba/smb.conf prior to running this command.

Add the following parameters to the [global] section of the /etc/samba/smb.conf configuration file:

### Configuration required by OpenChange server ###
dsdb:schema update allowed = true
dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
### Configuration required by OpenChange server ###

Your Samba 4 configuration file should look like this:

# Global parameters
[global]
  server role = active directory domain controller
  workgroup = EXAMPLE
  realm = example.com
  netbios name = sogo
  passdb backend = samba4
  ### Configuration required by OpenChange server ###
  dsdb:schema update allowed = true
  dcerpc endpoint servers = +epmapper, +mapiproxy
  dcerpc_mapiproxy:server = true
  dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
  ### Configuration required by OpenChange server ###

[netlogon]
  path = /var/lib/samba/sysvol/example.com/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No
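To confirm that an edited smb.conf carries the OpenChange parameters listed above, here is an added example (not part of the original guide or of Samba) that reads the [global] section and reports what is missing. It accepts both spellings of the endpoint list shown in this guide, with and without the leading +; the function names and the sample file are assumptions.

```python
# Parameters the guide adds to [global]; expected values are copied from the guide.
REQUIRED = {
    "dsdb:schema update allowed": {"true"},
    "dcerpc_mapiproxy:server": {"true"},
    "dcerpc_mapiproxy:interfaces": {"exchange_emsmdb", "exchange_nsp", "exchange_ds_rfr"},
    "dcerpc endpoint servers": {"epmapper", "mapiproxy"},
}

# Constructed sample: the guide's [global] section with one interface left out.
SAMPLE_SMB_CONF = """
[global]
  server role = active directory domain controller
  ### Configuration required by OpenChange server ###
  dsdb:schema update allowed = true
  dcerpc endpoint servers = +epmapper, +mapiproxy
  dcerpc_mapiproxy:server = true
  dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp
[sysvol]
  path = /var/lib/samba/sysvol
"""

def global_params(text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and repeated spaces.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def missing_openchange_settings(text):
    """Map each required parameter to the values the file lacks (empty = complete)."""
    params, missing = global_params(text), {}
    for name, wanted in REQUIRED.items():
        have = {v.strip().lstrip("+").lower() for v in params.get(name, "").split(",")}
        if wanted - have:
            missing[name] = sorted(wanted - have)
    return missing

if __name__ == "__main__":
    print(missing_openchange_settings(SAMPLE_SMB_CONF))
```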

6.3. OpenChange Configuration

Since v2.2, OpenChange stores its metadata in MySQL so you need to have it installed.

First, create the OpenChange MySQL user:

$ mysql -u root -p
mysql> CREATE USER 'openchange-user'@'localhost' IDENTIFIED BY 'openchange$123';
mysql> GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchang