1. About this Guide
This guide will walk you through the installation and configuration of the native Microsoft Outlook compatibility layer SOGo offers.
Prior going over this guide, you should have a working SOGo installation. Please refer to the SOGo Installation and Configuration Guide for more information on installing and configuring SOGo.
This guide also includes instructions for configuring Microsoft Outlook with SOGo.
The instructions are based on version 3.2.10 of SOGo.
The latest version of this guide is available at http://www.sogo.nu/downloads/documentation.html.
2. Introduction
SOGo is a free and modern scalable groupware server. It offers shared calendars, address books, and emails through your favourite Web browser and by using a native client such as Mozilla Thunderbird and Lightning.
SOGo is standard-compliant. It supports CalDAV, CardDAV, GroupDAV, iMIP and iTIP and reuses existing IMAP, SMTP and database servers — making the solution easy to deploy and interoperable with many applications.
SOGo features:
-
Scalable architecture suitable for deployments from dozen to many thousand users
-
Rich Web-based interface that shares the look and feel, the features and the data of Mozilla Thunderbird and Lightning
-
Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator
-
Native compatibility for Microsoft Outlook 2003, 2007, 2010, and 2013
-
Two-way synchronization support with any Microsoft ActiveSync-capable device, and Outlook 2013
SOGo is developed by a community of developers located mainly in North America and Europe. More information can be found on http://www.sogo.nu/.
3. Architecture
The following diagram demonstrates the architecture of the native Outlook compatibility layer of SOGo.

With Samba 4 and OpenChange, Microsoft Outlook clients can communicate natively with SOGo using the Microsoft Exchange protocol, without requiring costly and hard-to-maintain third-party MAPI connectors for Microsoft Outlook.
4. Requirements
Organizations generally have solutions to authenticate users such as LDAP servers or Microsoft Active Directory servers.
The solution being used will influence how users are provisioned in Samba 4, a key component for native Outlook compatibility in SOGo.
4.1. LDAP Server
If your organization uses a LDAP server such OpenLDAP, Novell eDirectory, Apache Directory or any other solution, you must use Samba 4’s internal directory server and synchronize the data between both.
Synchronization scripts are not provided and unless you have clear-text passwords of your existing users, they will have to be changed during your initial synchronization so that your LDAP’s server passwords are identical to the ones from Samba 4.
Any modifications to your existing LDAP server (password change, user addition or deletion, etc.) will have to be replicated to Samba 4’s internal directory server.
Note that if you install Samba 4 on a server that is already running a LDAP service, you will have to change to TCP port on which your LDAP server listens to. Samba 4 will use the TCP port 389 and it can’t be changed.
For example, with OpenLDAP, you can use the -h
parameter for slapd
to make it listen on an other TCP port.
4.2. Microsoft Active Directory
If your organization uses Microsoft Active Directory, Samba 4 will need to be joined to your Active Directory domain, as a DC.
Samba 4 will be able to reuse all the information contained in Microsoft Active Directory and no synchronization process needs to be put in place as information will get replicated to Samba 4 automatically.
For more information on joining Samba 4 to an existing Microsoft Active Directory domain, please refer to the Samba 4 documentation available at the following URL:
More specifically, have a look at the samba-tool domain join
command.
Note that joining Samba 4 to your Active Directory domain as a member
will currently not work. An authentication bug is present in Samba 4
which then prevents all Outlook users to successfully authenticate
through Samba 4. This issue has been reported to the Samba team and is
being worked on.
4.3. Other or No Solution
If your organization neither uses a LDAP server or Microsoft Active Directory, you can start using Samba 4 as your directory server.
Samba 4’s directory can be queried over LDAP just like Microsoft Active Directory and can also serve as a domain controller for Windows-based environments.
For example, SOGo can very well use Samba 4’s built-in directory server to authenticate users. A SOGoUserSources entry to achieve this wold look like this:
su - sogo defaults write sogod SOGoUserSources '( { CNFieldName = displayName; IDFieldName = cn; UIDFieldName = sAMAccountName; baseDN = "cn=Users,dc=example,dc=com"; bindDN = "cn=Administrator,cn=Users,dc=example,dc=com"; bindFields = ( sAMAccountName ); bindPassword = "%1OpenChange"; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = "127.0.0.1"; id = samba; isAddressBook = YES; port = 389; } )'
Please refer to the SOGo Installation and Configuration Guide for more
information regarding SOGoUserSources
.
4.4. IMAP Server and Trust
An IMAP server supporting the ACL, UIDPLUS and QRESYNC IMAP extensions is required, such as Cyrus IMAP version 2.4 or later, or Dovecot version 2.1 or later. If your current IMAP server does not support these extensions, you can use Dovecot’s proxying capabilities. The follow configuration example makes Dovecot proxy all IMAP request to an existing server:
auth_mechanisms = plain login imapc_host = inverse.ca imapc_port = 993 imapc_ssl = imaps imapc_ssl_verify = no mail_gid = imapproxy mail_home = /home/imapproxy/%u mail_location = imapc:~/imapc mail_uid = imapproxy passdb { args = host=inverse.ca ssl=imaps port=993 ssl_ca_dir=/etc/pki/tls/certs default_fields = userdb_imapc_user=%u userdb_imapc_password=%w driver = imap } protocols = imap ssl = no userdb { driver = prefetch }
SOGo would then be configured to use Dovecot’s proxy as the IMAP server.
Moreover, the authentication mode in use by Windows with Samba and Exchange servers prevent the backend from knowing the real password being used by the user. This implies that the IMAP server must accept any passwords from the host on which Samba is running.
To accomplish this with Cyrus IMAP Server, set sasl_pwcheck_method
to alwaystrue
in /etc/imapd.conf
. You should restrain this to
an imapd
instance dedicated to SOGo.
For Dovecot, use an authentication source similar to:
passdb { driver = static args = nopassword=y allow_nets=127.0.0.1/32 }
You should also make sure that you restrain this only to the SOGo processes.
For any other IMAP server, refer to the product’s documentation. If such capability is not offered, you can alternatively define the cleartext password for each user. Please refer to the Adding Users section from this document.
5. Installation
This section will guide you through the installation of the native Microsoft Outlook compatibility layer SOGo offers.
5.1. Ubuntu 16.04 (Xenial Xerus)
Please follow the instructions from https://sogo.nu/download.html to setup your apt sources.
Then install Samba 4 on top of an existing SOGo installation:
apt-get update apt-get install samba samba-dev
Once completed, install the packages related to OpenChange and the SOGo provider:
apt-get install openchangeserver \ sogo-openchange \ openchangeproxy \ python-ocsmanager \ mysql-server \ python-mysqldb \ openchange-ocsmanager \ openchange-rpcproxy \ python-sievelib \ python-spyne \ python-rpclib
Once the packages are installed, refer to the Configuration chapter from this guide.
The ocsmanager.conf and rpcproxy.conf are currently located in
/etc/apache2/conf.d . These should be moved to /etc/apache2/conf-available .
This is a packaging error that will soon be fixed.
|
You might have to adjust the rpcproxy.conf configuration file to add the
Require all granted permission if you get Apache errors such as
client denied by server configuration .
|
6. Configuration
In this section, you’ll learn how to configure the native Microsoft Outlook compatibility layer that SOGo offers.
6.1. SOGo Configuration
First thing to do is to configure SOGo to use your current services, which are your IMAP, SMTP and SQL database servers. The configuration instructions for this are available in the SOGo Installation and Configuration Guide available from http://www.sogo.nu/.
Please refer to that documentation before continuing with the instructions included in this guide.
6.2. Samba 4 Configuration
Run the following commands as root:
samba-tool domain provision --realm=example.com \ --domain=EXAMPLE \ --adminpass='%1OpenChange' \ --server-role='domain controller' samba-tool user setexpiry administrator --noexpiry
You might consider changing the realm and domain used, to suit your environment.
You might also have to
remove /etc/samba/smb.conf
prior running this command.
Add the following parameters to the [global]
section of the
/etc/samba/smb.conf
configuration file:
### Configuration required by OpenChange server ### dsdb:schema update allowed = true dcerpc endpoint servers = epmapper, mapiproxy, dnsserver dcerpc_mapiproxy:server = true dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr ### Configuration required by OpenChange server ###
Your Samba 4 configuration file should look like this:
# Global parameters [global] server role = active directory domain controller workgroup = EXAMPLE realm = example.com netbios name = sogo passdb backend = samba4 ### Configuration required by OpenChange server ### dsdb:schema update allowed = true dcerpc endpoint servers = +epmapper, +mapiproxy dcerpc_mapiproxy:server = true dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr ### Configuration required by OpenChange server ### [netlogon] path = /var/lib/samba/sysvol/example.com/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No
6.3. OpenChange Configuration
Since v2.2, OpenChange stores its metadata in MySQL so you need to have it installed.
First, create the OpenChange MySQL user:
$ mysql -u root -p mysql> CREATE USER 'openchange-user'@'localhost' IDENTIFIED BY 'openchange$123'; mysql> GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchang