Groupware server based on Debian Buster (CalDAV, CardDAV, WebDAV, IMAPS, SMTPS)

Post by h3rb3rn (Administrator, 161 posts, registered 5 years ago) » 7 months ago

Updated version of 08.01.2020

The host system

Debian 10.1 "Buster" amd64

Package sources (Debian Buster, /etc/apt/sources.list)

Code:

deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main contrib non-free

deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free

deb http://deb.debian.org/debian buster-updates main contrib non-free
deb-src http://deb.debian.org/debian buster-updates main contrib non-free

deb http://deb.debian.org/debian buster-backports main contrib non-free
deb-src http://deb.debian.org/debian buster-backports main contrib non-free


Install the Debian server (server or desktop installation, it makes no difference)

Important: if you set up the server over SSH, run all steps in a bash that was started inside a screen session. Only then does the server finish every step even if the SSH session is interrupted.

Code:

sudo apt update && sudo apt -y install screen
Start the screen session with

Code:

sudo screen bash
Set the hostname to the public domain (if not already done during the installation of the base system)

The hostname must be identical to the domain or subdomain that points to the server IP. The server IP must be entered in the nameserver settings of the domain management (an A record for that name).

Example:

Code:

sudo nano /etc/hosts
Content of /etc/hosts

Code:

127.0.0.1       localhost
127.0.1.1       cloud.4noobs.de cloud

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

Code:

sudo nano /etc/hostname
Content of /etc/hostname

Code:

cloud

Then reboot the server so that the new hostname takes effect.

Note: if the server's IP is not entered in the nameserver settings of the domain, the hostname cannot be resolved. As a result the mail server component amavisd-new cannot be configured.

For home servers behind a DSL line with a public IPv4 address, the public IPv4 address of the DSL line must be entered in the nameserver settings of the domain instead of the server's (private) IP. Without a fixed IP address you can instead add a CNAME record pointing at the name of a DynDNS service. In addition, port forwarding to the local IP of the server must be set up on the router.
https://4noobs.de/viewtopic.php?f=4&t=1 ... rcona#p153
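The hostname, /etc/hosts and DNS requirements above are easy to get subtly wrong (short name listed before the FQDN in /etc/hosts, or an A record that still points at the old IP), and amavisd-new is only the first service that notices. The following script is an added example, not part of the original post: check_host_files verifies the two files against the FQDN, and check_dns does the live comparison of the A record with the public IP. The file paths and the IP 203.0.113.10 in the usage line are assumptions; cloud.4noobs.de is the post's example name, and the files used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checks that /etc/hostname,
# /etc/hosts and DNS agree with the FQDN the server will use.
# File paths and the FQDN are parameters so the functions can be run against
# copies of the files; "cloud.4noobs.de" is the post's example name.

# check_host_files FQDN HOSTS_FILE HOSTNAME_FILE
# Returns 0 when the short hostname in HOSTNAME_FILE is the first label of
# FQDN and HOSTS_FILE maps 127.0.1.1 to "FQDN shortname" in that order
# (FQDN first, so that `hostname -f` returns the FQDN and not the alias).
check_host_files() {
    fqdn=$1; hosts_file=$2; hostname_file=$3
    short=${fqdn%%.*}
    configured=$(head -n 1 "$hostname_file" | tr -d '[:space:]')
    if [ "$configured" != "$short" ]; then
        echo "hostname file says '$configured', expected '$short'" >&2
        return 1
    fi
    # take the 127.0.1.1 line, strip comments, compare the first two names
    line=$(sed -e 's/#.*//' "$hosts_file" | awk '$1 == "127.0.1.1" {print $2, $3; exit}')
    if [ "$line" != "$fqdn $short" ]; then
        echo "hosts file 127.0.1.1 entry is '$line', expected '$fqdn $short'" >&2
        return 1
    fi
    return 0
}

# check_dns FQDN EXPECTED_IP
# Live check: the A record of FQDN must point at the public IP of the server
# (or of the DSL line when the server sits behind a router).
check_dns() {
    fqdn=$1; expected=$2
    resolved=$(getent ahostsv4 "$fqdn" | awk '{print $1; exit}')
    [ "$resolved" = "$expected" ] || {
        echo "$fqdn resolves to '${resolved:-nothing}', expected $expected" >&2
        return 1
    }
}

# Usage on the real system (203.0.113.10 is a placeholder for your public IP):
#   check_host_files cloud.4noobs.de /etc/hosts /etc/hostname \
#       && check_dns cloud.4noobs.de 203.0.113.10
```

Run it once before the ISPConfig installer and again after the reboot; a wrong order in /etc/hosts makes hostname -f return the short name, which is what the later amavisd-new error is really about.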


Clean up the system and prepare it for the groupware installation

Code:

sudo service sendmail stop; sudo update-rc.d -f sendmail remove
Base installation for web services and TLS certificates

Update the package lists and upgrade the system

Code:

sudo apt update && sudo apt -y full-upgrade


For the installation

Tools and web server

Code:

sudo apt -y install ssh mc vim sudo unzip bzip2 arj nomarch lzop cabextract patch apt-transport-https lsb-release ca-certificates nginx letsencrypt python-certbot-nginx
Source: https://packages.sury.org/php/README.txt

Code:

sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

Code:

sudo sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

Code:

sudo apt-get update && sudo apt -y install php-mysql php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap php7.3-cli php7.3-cgi php-pear imagemagick libruby php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-sqlite3 php7.3-tidy php7.3-xmlrpc php7.3-xsl php7.3-opcache php-apcu php7.3-fpm redis-server php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring openssl easy-rsa openvpn aptitude libreoffice clamav libnet-ldap-perl libconvert-asn1-perl ntp ntpdate  bind9 dnsutils haveged fail2ban ufw javascript-common libjs-jquery-mousewheel php-net-sieve tinymce libnet-rblclient-perl libparse-syslog-perl php-mbstring php-curl software-properties-common


Mail server components

Install

Code:

sudo apt -y install postfix postfix-mysql postfix-doc getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd amavisd-new libdbd-mysql-perl libdbi-perl spamassassin clamav clamav-daemon apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl mailman
Configure

Code:

sudo service spamassassin stop
sudo update-rc.d -f spamassassin remove

Code:

sudo nano /etc/clamav/clamd.conf
Change the value of "AllowSupplementaryGroups" from "false" to "true"

Code:

AllowSupplementaryGroups true

Code:

sudo freshclam
sudo service clamav-daemon start

Configure the outgoing mail server (submission and SMTPS listeners)

Code:

sudo nano /etc/postfix/master.cf
Remove the # in front of the following lines (the two service lines and their indented -o option lines; an -o line without its service line is attached to the previous service)

Code:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Change the port of the outgoing mail server

In many company and university networks outbound port 25 is blocked. Port 25 is the port on which mail servers deliver to each other (server-to-server delivery, often unencrypted or only with opportunistic STARTTLS), and it is the port spambots abuse most. Our clients instead submit their mail encrypted via SMTPS on port 465.

Code:

sudo nano /etc/postfix/master.cf
Find the following line

Code:

smtp      inet  n       -       y       -       -       smtpd
and replace the smtp at the start of the line with 465

Code:

465      inet  n       -       y       -       -       smtpd
Note: Postfix cannot bind one port twice. If the smtps service uncommented above is active, the renamed line puts a second smtpd on 465 and Postfix refuses to start (bind 0.0.0.0 port 465: Address already in use). And with no smtpd left on port 25, other mail servers can no longer deliver inbound mail to this host, because server-to-server delivery always uses port 25; the port 25 blocks in client networks only affect outgoing connections from those networks, not delivery to your server. If this server is supposed to receive mail from the outside, keep the smtp line on port 25 and let clients use submission on 587 or SMTPS on 465. Check the active services with sudo postconf -M and the bound ports with sudo ss -ltnp.

Save and restart Postfix

Code:

sudo service postfix restart
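To see what the master.cf edits above actually leave listening, it helps to audit the file itself rather than to wait for the restart to fail. The following script is an added example, not part of the original post or of Postfix: it lists every inet smtpd service in a master.cf with its TCP port, reports a port bound by more than one service (the 465 collision described in the note above) and warns when no listener on port 25 remains. It reads any master.cf path you give it (default /etc/postfix/master.cf); the file used in the test is a constructed excerpt, not a real configuration.

```shell
#!/bin/sh
# Added example (not part of the original post): audits which TCP ports the
# smtpd listeners in a Postfix master.cf bind, so that the port change above
# does not leave the server without a port 25 listener or with two services
# on 465. Works on any master.cf file; defaults to /etc/postfix/master.cf.

# service_port NAME -> prints the TCP port for a master.cf service name
service_port() {
    name=${1##*:}                      # "127.0.0.1:smtp" -> "smtp"
    case $name in
        smtp)       echo 25 ;;
        submission) echo 587 ;;
        smtps)      echo 465 ;;
        *[!0-9]*)   getent services "$name" | awk '{sub("/.*", "", $2); print $2}' ;;
        *)          echo "$name" ;;   # already numeric, e.g. "465"
    esac
}

# smtpd_ports FILE -> one line per inet smtpd service: "<port> <service-name>"
smtpd_ports() {
    # service lines start in column 1; indented "-o" option lines and
    # commented lines are skipped (fields: name type private unpriv chroot wakeup maxproc command)
    awk '/^[^# \t]/ && $2 == "inet" && $8 == "smtpd" {print $1}' "$1" |
    while read -r svc; do
        printf '%s %s\n' "$(service_port "$svc")" "$svc"
    done
}

# audit_master_cf [FILE] -> prints the listener table, returns 1 on a problem
audit_master_cf() {
    file=${1:-/etc/postfix/master.cf}
    table=$(smtpd_ports "$file")
    printf '%s\n' "$table"
    status=0
    # duplicate port: Postfix fails at startup with "Address already in use"
    dup=$(printf '%s\n' "$table" | awk '{print $1}' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "ERROR: more than one smtpd service bound to port(s): $dup" >&2
        status=1
    fi
    # no port 25: other MTAs cannot deliver inbound mail to this host
    if ! printf '%s\n' "$table" | awk '$1 == 25 {found=1} END {exit !found}'; then
        echo "WARNING: no smtpd listener on port 25; inbound mail from other servers will not arrive" >&2
        status=1
    fi
    return $status
}

# Live use on the running configuration, then confirm against the kernel:
#   audit_master_cf /etc/postfix/master.cf
#   sudo ss -ltnp | grep master
```

The audit only knows what master.cf says; the ss line shows what the kernel actually bound after the restart, and the two should agree.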


Install the Percona MySQL server

Source: https://www.percona.com/doc/percona-ser ... _repo.html

Code:

wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb
sudo dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
sudo apt update && sudo percona-release setup ps57 percona-toolkit
sudo apt-get install percona-server-server-5.7


Install ISPConfig3

Code:

cd /tmp
wget https://ispconfig.org/downloads/ISPConfig-3.1.15p2.tar.gz
tar xzf ISPConfig-3.1.15p2.tar.gz
cd ispconfig3_install
cd install
php install.php

Note: to update ISPConfig3, follow the same steps, but run "php update.php" instead of "php install.php"!


After the ISPConfig3 installation, reboot the machine, open the

web interface at https://<server IP>:8080 and log in with

User: admin
Password: "the password assigned during installation"

Web server settings in ISPConfig3 for Nextcloud under nginx and PHP 7.3-FPM

Path: Sites > Website > Domain > Options

Custom php.ini settings

Code:

upload_max_filesize=20g
post_max_size=20g
; always_populate_raw_post_data was removed in PHP 7.0; PHP 7.3 ignores it
always_populate_raw_post_data=-1
max_execution_time = 3600
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
nginx directives

Code:

location / {
            try_files $uri $uri/ /index.php?$args;
}

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# nginx has no inline comments inside a quoted value: a "#" in the string is
# sent to the browser verbatim and makes the header invalid. includeSubDomains
# and preload are left out deliberately; only add them once every subdomain of
# the zone is served over HTTPS, because browsers remember the policy.
add_header Strict-Transport-Security "max-age=15768000;";
add_header Referrer-Policy no-referrer;
add_header X-Frame-Options "SAMEORIGIN";

location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
}
location ~ \.php$ {
            try_files /b615814d8f2c19dbcb25b1fbae07ce38.htm @php2;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/acme-challenge { }
# set max upload size
client_max_body_size 20G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
# pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            return 404;
}
location ~ ^(.+?\.php)(/.*)?$ {
            try_files $1 =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$1;
            fastcgi_param PATH_INFO $2;
            fastcgi_param HTTPS $https;
            {FASTCGIPASS}
            fastcgi_intercept_errors on;
            fastcgi_index index.php;
            fastcgi_buffers 64 64K;
            fastcgi_buffer_size 256k;
            fastcgi_param modHeadersAvailable true;
            fastcgi_read_timeout 7200;
}
location @php2 {
            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS $https;
            {FASTCGIPASS}
            fastcgi_intercept_errors on;
            fastcgi_index index.php;
            fastcgi_buffers 64 64K;
            fastcgi_buffer_size 256k;
            fastcgi_param modHeadersAvailable true;
            fastcgi_read_timeout 7200;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
            #fastcgi_pass php-handler;
            #fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
            {FASTCGIPASS}
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=7200";
            # Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into this topic first.
            # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
}
location = /data/htaccesstest.txt {
            allow all;
            log_not_found off;
            access_log off;
}
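Whether the add_header directives above actually reach the browser is worth verifying from a captured response, especially since nginx drops all inherited add_header lines inside any location that sets its own (which is why the css/js block repeats them). The following script is an added example, not part of the original post or of Nextcloud's nginx configuration: it reads raw response headers (from curl -sI or from the constructed sample embedded below) and reports missing security headers and a Strict-Transport-Security value broken by a literal "#". The sample response is constructed for the example, not captured from a real server; cloud.4noobs.de in the usage line is the post's example name.

```shell
#!/bin/sh
# Added example (not from the original post): checks a captured set of HTTP
# response headers for the security headers the nginx directives above are
# meant to send, and flags the malformed Strict-Transport-Security value that
# a "#" inside the quoted nginx string produces. Feed it the output of
# `curl -sI https://cloud.4noobs.de/` or the constructed sample below.

# header_value NAME < headers -> prints the value of NAME (case-insensitive), trimmed
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }          # curl output has CRLF
        index(line, ":") {
            name = tolower(substr(line, 1, index(line, ":") - 1))
            if (name == want) {
                val = substr(line, index(line, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# check_security_headers < headers -> prints one PASS/FAIL line per check,
# returns the number of failed checks (0 = all good)
check_security_headers() {
    hdrs=$(cat)
    fails=0
    for h in X-Content-Type-Options X-Frame-Options Referrer-Policy Strict-Transport-Security; do
        v=$(printf '%s\n' "$hdrs" | header_value "$h")
        if [ -z "$v" ]; then
            echo "FAIL: $h missing"; fails=$((fails + 1))
        else
            echo "PASS: $h: $v"
        fi
    done
    hsts=$(printf '%s\n' "$hdrs" | header_value Strict-Transport-Security)
    # RFC 6797 directives are max-age=<n>, includeSubDomains and preload;
    # a stray "#includeSubDomains" is not a directive and browsers reject the header
    case "$hsts" in
        *'#'*) echo "FAIL: HSTS contains a literal '#': $hsts"; fails=$((fails + 1)) ;;
    esac
    case "$hsts" in
        *max-age=[0-9]*) : ;;
        *) [ -z "$hsts" ] || { echo "FAIL: HSTS has no max-age: $hsts"; fails=$((fails + 1)); } ;;
    esac
    return $fails
}

# Constructed sample: what the uncorrected HSTS directive would have sent
SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15768000; #includeSubDomains; preload;
'
# Usage:  printf '%s' "$SAMPLE_BAD" | check_security_headers
#         curl -sI https://cloud.4noobs.de/ | check_security_headers
```

Run it against / and against a .css URL: the second location block sets its own add_header lines, so a header missing from only one of the two responses points at the inheritance rule rather than at a typo.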
Nextcloud config/config.php

Code:

<?php
$CONFIG = array (
  // instanceid, passwordsalt and secret are generated when Nextcloud is installed
  // and are unique to one instance (secret signs and encrypts tokens). Keep the
  // values from your own config.php; never copy them from a published example.
  'instanceid' => 'oc6d91b3ca8b',
  'passwordsalt' => 'b7d8ac1fc71e161a117d0705227c8a',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => 'cloud.4noobs.de',
  ),
  // the data directory lies inside the web root here; the nginx rule above that
  // returns 404 for /data/ is what keeps it off the web, so do not drop that rule
  'datadirectory' => '/var/www/clients/client1/web1/web/data',
  'dbtype' => 'mysql',
  'version' => '17.0.2.1',
  'overwrite.cli.url' => 'https://cloud.4noobs.de',
  'dbname' => '###DB-Name###',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '###DB-User###',
  'dbpassword' => '###DB-Password###',
  'installed' => true,
  'theme' => '',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  // \OC\Memcache\Memcached needs the memcached daemon and the php-memcached
  // extension; neither is in the package lists above (php-memcache is a
  // different extension). On a single host \OC\Memcache\Redis works for
  // memcache.distributed as well, since redis-server is already installed.
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' =>
  array (
    0 =>
    array (
      0 => 'localhost',
      1 => 11211,
    ),
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'maintenance' => false,
  'app_install_overwrite' =>
  array (
    0 => 'documents',
  ),
);
Enable OPcache in /etc/php/7.3/fpm/php.ini

Code:

...

[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
;opcache.enable_cli=0

; The OPcache shared memory storage size.
opcache.memory_consumption=128

; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=8

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
opcache.max_accelerated_files=10000

; The maximum percentage of "wasted" memory until a restart is scheduled.
;opcache.max_wasted_percentage=5

; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
;opcache.use_cwd=1

; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
;opcache.validate_timestamps=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1

; Enables or disables file search in include_path optimization
;opcache.revalidate_path=0

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=1

...
PHP-FPM performance tuning in /etc/php/7.3/fpm/pool.d/www.conf

Code:

...

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives. With this process management, there will be
;             always at least 1 children.
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
;  ondemand - no children are created at startup. Children will be forked when
;             new requests will connect. The following parameter are used:
;             pm.max_children           - the maximum number of children that
;                                         can be alive at the same time.
;             pm.process_idle_timeout   - The number of seconds after which
;                                         an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 120

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 12
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 6

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 18

...
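pm.max_children = 120 above is only safe if 120 PHP workers fit in RAM next to Percona, Redis, ClamAV and LibreOffice; it is the hard cap on concurrent PHP requests, and setting it above what memory can hold turns a burst of uploads into swapping or the OOM killer, while setting it too low makes requests queue. The following shell functions are an added example, not part of the original post or of php-fpm: fpm_pool_values derives the four pm.* values from a memory budget and the size of one worker, and avg_worker_rss_mb measures that size on a running system. The start_servers formula is the one php-fpm's own comment above gives; the 25 % / 75 % split for min/max spare servers and the numbers in the usage line (4096 MB budget, 60 MB per worker) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derives pm.max_children and the
# spare-server values for /etc/php/7.3/fpm/pool.d/www.conf from the memory
# you are willing to give PHP-FPM and the size of one worker process.

# fpm_pool_values MEM_FOR_PHP_MB WORKER_RSS_MB
# prints pm.max_children, pm.start_servers, pm.min_spare_servers and
# pm.max_spare_servers. max_children = budget / worker size; min/max spare are
# 25 % / 75 % of that (an assumption, not a php-fpm rule); start_servers uses
# the php-fpm default formula min + (max - min) / 2.
fpm_pool_values() {
    mem_mb=$1; worker_mb=$2
    max_children=$((mem_mb / worker_mb))
    if [ "$max_children" -lt 1 ]; then
        echo "budget $mem_mb MB is smaller than one worker ($worker_mb MB)" >&2
        return 1
    fi
    min_spare=$((max_children / 4)); [ "$min_spare" -ge 1 ] || min_spare=1
    max_spare=$((max_children * 3 / 4)); [ "$max_spare" -ge "$min_spare" ] || max_spare=$min_spare
    start=$((min_spare + (max_spare - min_spare) / 2))
    printf 'pm.max_children = %s\npm.start_servers = %s\npm.min_spare_servers = %s\npm.max_spare_servers = %s\n' \
        "$max_children" "$start" "$min_spare" "$max_spare"
}

# avg_worker_rss_mb [PROCESS_NAME] -> average resident size in MB of the
# running pool processes (live measurement; run it while Nextcloud is in
# normal use, after a few uploads and a sync, so workers have grown)
avg_worker_rss_mb() {
    ps -C "${1:-php-fpm7.3}" -o rss= |
    awk '{ s += $1; n++ } END { if (n) printf "%d\n", s / n / 1024; else print 0 }'
}

# Usage: give PHP 4 GB of an 8 GB host with ~60 MB workers
#   fpm_pool_values 4096 60
# or measure the worker size first:
#   fpm_pool_values 4096 "$(avg_worker_rss_mb)"
```

Compare the result with the 120 above: with 60 MB workers that value needs about 7 GB for PHP alone, and the memory_limit in the site's php.ini (20 GB uploads are streamed, but image previews are not) is what lets a single worker grow well past the average.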
