Channel: IceWarp Support

Graphical Administration Console in Linux (Wine)


To run the IceWarp Administration Console on a Linux desktop, install Wine.

The installation package can be downloaded from this page:

https://www.winehq.org/download/

Copy the file /opt/icewarp/install/remoteconfig.exe from your IceWarp Server to the target Linux desktop.

Run the command:

$ wine remoteconfig.exe

and follow the Windows installation process. Then navigate to the installation directory and run:

$ wine config.exe

[Screenshot: Admin Remote Console]


Post-migration processes


First of all, before starting the migration process, read the guide on our website (http://dl.icewarp.com/documentation/server/tools/IceWarp_Migrator_Guide.pdf); it covers all aspects of the migration process.

In this KB article we only cover some questions regarding the post-migration steps needed to restore the target server.

The first thing you need to know is that the target server is stopped. This is done in a similar manner as stopping the source server: modules are not stopped, but services are disabled. Because RCP has to keep working, the web service is disabled using the API variable c_mail_control_disableweb, while c_mail_control_active remains enabled. As a result, the services list in the console shows a green circle indicating that the web service is running, although only RCP is available and there is no HTTP service. This can be confusing for an admin who does not finish the migration and ends up with a disabled server. The web service has to be re-enabled via the API: open the API console from File > API console (or use the shortcut Shift + Ctrl + A), type c_mail_control_disableweb into the filter and change its value from true to false. This enables WebClient.

The second step is testing the availability of features in WebClient. Try to create a meeting in Calendar, send and receive a message, and create a new Task. Also try to upload and create files in Documents.

If you store data in MySQL, MS SQL, Oracle or another relational database management system, make sure that all database configurations in the console were correctly added on the target server.

Dual authentication in webclient


Dual authentication is a new feature for better security of the server-client connection.

It is very useful if you want to protect your mail server from unauthorised access to WebClient, EAS accounts or other clients that do not present a dedicated client PKCS#12 certificate, with a rule defining whether the certificate is required when connecting from all networks or only from external ones. Because a PKCS#12 certificate generated via OpenSSL can also be password protected, very strong, and generated separately for each user (usable for e-mail signing and encryption as well), your server and all information in user accounts can be secured to the same level as current connections to the banking sector.

The following scenario uses your own self-signed certificate authority created with OpenSSL on Windows.

After installing the binaries, run openssl.exe from the install directory, create a private key, self-sign it and import the result into your server's Trusted Root Certification Authorities.

For better security, tips and tricks on generating certificates, search the web, e.g. for the following article.

Steps:

- create the root key
- self-sign the root certificate
- import the root certificate into Trusted Root Certification Authorities
- set the signed rootCA.pem as a trusted CA in the IceWarp admin console
- generate a client certificate, sign it with the root CA and convert it to PKCS#12 form
- create a rule for the IP range in console > Web > Access tab and enable the checkbox "require client certificate"
- import the PKCS#12 certificate into the user's web browser (settings / certificates / your (personal) certificates)

EXAMPLES (the commands below are typed at the openssl.exe interactive prompt):

1. To create the root key, execute:

openssl> genrsa -aes256 -out rootCA.key 4096

(-aes256 encrypts the key with a passphrase; the older -des3 option does the same with triple DES. You will be asked for this password each time you sign a CSR.)

2. The next step is to self-sign this certificate:

openssl> req -x509 -new -sha256 -key rootCA.key -days 2048 -out rootCA.pem

This starts an interactive script which asks you for various bits of information. Fill it out as you see fit.
Once done, this creates an SSL certificate called rootCA.pem, signed by itself and valid for 2048 days, which will act as your root certificate.
To make this certificate trusted on your server, copy rootCA.pem elsewhere and rename it to rootCA.crt, double-click it and click Install Certificate. In the Certificate Import Wizard choose the certificate store, enable the "Show physical stores" checkbox and choose Trusted Root Certification Authorities > Local Computer.

[Screenshot: trusted CA]

To define the self-signed certificate as a CA certificate in IceWarp, go to console > Certificates > CA Certificates and click the Add button.

Choose the rootCA.pem file and confirm; you have now defined a CA certificate for your IceWarp server.

(You can create and use several CA certificates together, e.g. each domain can use its own CA, so you can manage client certificates easily. At the moment the only way to protect your server against abuse of a client certificate is to recreate the CA.)

3. The next step is to generate a client certificate, sign it with the root CA and convert it to PKCS#12 form.
Note: if you would like to create client certificates for each user separately, for e-mail signing and encryption, skip steps 3-5 and follow this article instead.

openssl> genrsa -aes256 -out client.key 2048

4. Once the key is created, generate the certificate signing request:

openssl> req -new -key client.key -out client.csr

You will be asked various questions (Country, State/Province, etc.). Answer them as you see fit. The important question is the Common Name.

Common Name (eg, YOUR name) []: your server hostname (or domain name)

(In this concrete example you can fill in whatever you want as the CN, but using the hostname adds trust for users, who would otherwise be tempted to delete the certificate as "unknown" in a moment of weakness; domain names may also be useful for managing a multi-domain server.)

Note: if you plan to generate more client certificates and want to build a full CA with certificate management in OpenSSL, the CN must be unique for each certificate.

5. Once that is done, sign the CSR, which requires the CA root key:

openssl> x509 -req -sha256 -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500

6.The client certificate and key must be converted to the PKCS12 format before getting imported into a client desktop's browser. To perform this conversion, complete the following procedure:

openssl> pkcs12 -export -in <Directory-Path>/<Client-Certificate-Filename> -inkey <Directory-Path>/<Client-Key-Filename> -out <Directory-Path>/<Client-PKCS12-Filename> -name "<PKCS12-Name>"

For example, to convert the /shared/exampleCA/client1.crt certificate with the /shared/exampleCA/client1.key key to the PKCS12 file named client1.p12, type the following command:

openssl pkcs12 -export -in /shared/exampleCA/client1.crt -inkey /shared/exampleCA/client1.key -out /shared/exampleCA/client1.p12 -name "client1 pkcs12"

7. Now go to IceWarp console > Web, double-click the settings for the WebClient page > Access and create a rule that requests a certificate from the client when connecting to WebClient.

[Screenshot: access rule]

This rule applies dual authentication to connections from outside the internal network. You can specify the URI, e.g. /webmail, or /Microsoft-Server-ActiveSync for EAS; users would then have to import the pfx/p12/PKCS#12 certificate into their devices. (To be honest, I did not test it via EAS yet.)



8. On the client machine, import the PKCS#12 certificate into the user's browser (settings / certificates / your certificates / import, depending on the browser) or into the system via the Certificate Import Wizard.
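The same CA, client certificate and PKCS#12 chain as steps 1-6, as an added example that is not part of the original article: run non-interactively (passphrases and subjects passed on the command line instead of typed at the openssl prompt) and followed by the two checks an admin should make before uploading rootCA.pem to the console and handing the .p12 file to a user. It assumes openssl is on PATH; the names, passphrases and working directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the IceWarp article: steps 1-6 without interactive prompts,
# plus a chain check and a bundle check. Assumes openssl on PATH; all names are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-ca-passphrase-constructed}"     # protects rootCA.key (step 1)
P12_PASS="${P12_PASS:-p12-passphrase-constructed}"  # protects the .p12 bundle (step 6)

# Steps 1 and 2: passphrase-encrypted root key and the self-signed root certificate
# that gets imported into the Windows trust store and set as CA in the IceWarp console.
make_root_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -sha256 -key "$WORKDIR/rootCA.key" -passin "pass:$CA_PASS" \
    -days 2048 -subj "/CN=IceWarp client CA (constructed)" -out "$WORKDIR/rootCA.pem"
}

# Steps 3 to 5: client key, CSR with a unique CN, certificate signed by the root CA
# (the root key passphrase is what the article says you are asked for on every signing).
make_client_cert() {
  cn="$1"
  openssl genrsa -out "$WORKDIR/$cn.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/$cn.key" -subj "/CN=$cn" -out "$WORKDIR/$cn.csr"
  openssl x509 -req -sha256 -in "$WORKDIR/$cn.csr" -CA "$WORKDIR/rootCA.pem" \
    -CAkey "$WORKDIR/rootCA.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 500 -out "$WORKDIR/$cn.crt" 2>/dev/null
}

# Step 6: bundle certificate and private key as PKCS#12 for import into the user's browser.
make_pkcs12() {
  cn="$1"
  openssl pkcs12 -export -in "$WORKDIR/$cn.crt" -inkey "$WORKDIR/$cn.key" \
    -name "$cn pkcs12" -passout "pass:$P12_PASS" -out "$WORKDIR/$cn.p12"
}

# Check 1: the client certificate must chain to the rootCA.pem the console will trust;
# a certificate issued by any other CA (or a self-signed one) prints FAIL and returns 1.
verify_client_cert() {
  if openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/$1.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# Check 2: the bundle opens with the passphrase the user will be asked for on import
# (non-zero exit for a wrong passphrase or a damaged file).
check_pkcs12() {
  openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}
```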


o.vanek

How to filter services used by users


To filter which users have a service activated or deactivated in IceWarp Server Administration Console (Domains & Accounts > Users > Policies tab), you can follow the SQL query examples suggested below, run in the IceWarp integrated SQL Manager or with the tool command.

If you are using the default SQLite database or have your accounts on the filesystem, you can use tool.exe (or tool.sh) with this command:

tool --filter="(u_webmail=1)" display account *@domain.com U_Name

This command lists all users of the given domain with the WebClient service enabled (admin console > Domain > User > Policies > Services).

If you are using a MySQL or Microsoft SQL database, you have to run the following queries in the IceWarp integrated SQL Manager, because these API variables are stored as bits in the column U_ServicesAccess:

[Screenshot: SQL Manager]

SELECT U_ID, U_Mailbox, (U_ServicesAccess & 8 ) AS U_IM  FROM Users where (U_ServicesAccess & 8 )=0;

This query lists all users with the Instant Messaging service enabled in their settings; you can export the list as a CSV file.

 

To filter all users who have e.g. the Groupware service disabled in their account settings, use the following query:

SELECT U_ID, U_Mailbox, (U_ServicesAccess & 64 ) AS U_GW  FROM Users where (U_ServicesAccess & 64 )<>0;

To filter all users with WebClient enabled, execute:

SELECT U_ID, U_Mailbox, (U_ServicesAccess & 16 ) AS U_WebMail  FROM Users where (U_ServicesAccess & 16 )=0;

Here is the list of flags and values of the U_ServicesAccess column (as the queries above rely on, a set bit means the service is disabled for the user and a clear bit means it is enabled):

  U_LocalDomain = $01;  // 1
  U_SMTP        = $02;  // 2
  U_POPIMAP     = $04;  // 4
  U_IM          = $08;  // 8
  U_WebMail     = $10;  // 16
  U_AS          = $20;  // 32
  U_GW          = $40;  // 64
  U_CR          = $80;  // 128
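An added example (not from the article) that works with the flag table above: it decodes a U_ServicesAccess value into per-service state, builds the article's SELECT for any service, and applies the same filter to rows exported from SQL Manager. It follows the convention the article's queries use (set bit = disabled, clear bit = enabled); the user rows are constructed.

```shell
#!/bin/sh
# Added example, not code from the IceWarp article. Decodes U_ServicesAccess bits using the
# article's convention (bit set = service disabled). The exported rows are constructed.
set -eu

# name:bit pairs, same values as the U_ServicesAccess flag list
SERVICE_FLAGS="LocalDomain:1 SMTP:2 POPIMAP:4 IM:8 WebMail:16 AS:32 GW:64 CR:128"

# Constructed "U_ID<TAB>U_Mailbox<TAB>U_ServicesAccess" rows, as exported from SQL Manager.
SAMPLE_EXPORT="$(printf '1\talice@domain.com\t0\n2\tbob@domain.com\t8\n3\tcarol@domain.com\t72\n4\tdave@domain.com\t16')"

# Bit value for a service name; returns 1 for an unknown name.
flag_bit() {
  for pair in $SERVICE_FLAGS; do
    if [ "${pair%%:*}" = "$1" ]; then echo "${pair##*:}"; return 0; fi
  done
  echo "unknown service: $1" >&2
  return 1
}

# Print "<service>=<enabled|disabled>" for every flag in one U_ServicesAccess value.
decode_services() {
  value="$1"
  for pair in $SERVICE_FLAGS; do
    if [ $(( value & ${pair##*:} )) -ne 0 ]; then
      echo "${pair%%:*}=disabled"
    else
      echo "${pair%%:*}=enabled"
    fi
  done
}

# The article's SELECT for one service: "enabled" keeps rows whose bit is clear (= 0),
# "disabled" keeps rows whose bit is set (<> 0).
service_query() {
  bit=$(flag_bit "$1")
  if [ "$2" = enabled ]; then op="="; else op="<>"; fi
  echo "SELECT U_ID, U_Mailbox, (U_ServicesAccess & $bit) AS U_$1 FROM Users WHERE (U_ServicesAccess & $bit) $op 0;"
}

# The same filter applied to the exported rows: prints matching mailboxes, one per line.
filter_export() {
  bit=$(flag_bit "$1")
  printf '%s\n' "$SAMPLE_EXPORT" | while IFS="$(printf '\t')" read -r uid mailbox access; do
    if [ $(( access & bit )) -eq 0 ]; then state=enabled; else state=disabled; fi
    if [ "$state" = "$2" ]; then echo "$mailbox"; fi
  done
}
```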



o.vanek

 

Exporting blacklist/whitelist


To export all blacklisted addresses from your database via IceWarp Server Administration console:

 

1) connect the integrated SQL Manager with your Anti-Spam database

 

2) write the appropriate query:

 

select * from senders where SndAuthorized = 0 

(for exporting whitelist use SndAuthorized = 1)

 

For exporting blacklist of one user write this query:

 

select * from senders where SndAuthorized = 0 and SndOwner = 'user@domain.net'   

(for filtering whole domain use SndDomain instead of SndOwner)

 

3) execute the query

 

4) export the query result and save it as a CSV file on your filesystem

[Screenshot: export]

Security Alert (A15-06-04): Multiple Vulnerabilities in OpenSSL


Regarding the OpenSSL vulnerabilities covered by Security Alert (A15-06-04), please upgrade the OpenSSL libraries in your system. To do that, follow the procedure described below.

Affected systems:

OpenSSL versions prior to 0.9.8zg, 1.0.0s, 1.0.1n or 1.0.2b

All current versions of IceWarp Server are using affected versions of the OpenSSL libraries.

IceWarp Server versions 10.0.5-10.4.1 use the 0.9.8x product version of OpenSSL.

IceWarp Server versions 10.4.2-11.0.0 build 2 use the 1.0.0x product version of OpenSSL.

IceWarp Server versions 11.0.0 build 3 and later use the 1.0.1x product version of OpenSSL.

 

On Windows

 

a) IceWarp Server 32-bit version

  1. check the product version of your IceWarp OpenSSL libraries located in the installation directory
  2. stop all services and wait until all PHP sessions end, or kill them
  3. rename ssleay32.dll and libeay32.dll to e.g. ssleay.dll.old (for backup purposes)
  4. copy new OpenSSL libraries of the same product version (same numbers, but a higher letter than the affected versions listed above) into the IceWarp Server installation directory
  5. restart all services

Feel free to update to the latest OpenSSL libraries of the same product version.

b) IceWarp Server 64-bit version

  1. follow steps 1 and 2 from the instructions for the 32-bit version of IceWarp Server
  2. rename ssleay32.dll, ssleay64.dll, libeay32.dll and libeay64.dll (see step 3 above)
  3. replace the files renamed in the previous step with the attached OpenSSL libraries version 1.0.1x (only for this product version! usable for IceWarp Server 11.0.0 build 3 and later)
  4. restart all services

 

On Linux

1) update your operating system

 

o.vanek

Configuring SSO (Single Sign-on)


The following must be done on both the domain controller and IceWarp Server:

  • create a type A record in your DNS for the URL of webmail (i.e. mail.xmigrator.com)
  • create a "link" user in Active Directory (AD); it must be located under the Users container, and it must have neither password expiration nor "change password on first logon" set. For instance, we create the user http_sso@xmigrator.com (userPrincipalName value before mapping)
  • on the domain controller (AD), open the command line interface (CLI) and execute the following command:
    ktpass -out c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM -princ HTTP/mail.xmigrator.com@XMIGRATOR.COM -mapUser ssoiwwebmail@xmigrator.com -mapOp set -pass * -ptype KRB5_NT_PRINCIPAL
    pay attention to the syntax, as it is case sensitive; keeping the correct upper/lower case is essential, and the AD domain should be written in capitals
  • move the file c:\HTTP#mail.xmigrator.com@XMIGRATOR.COM to IceWarp Server (the most suitable location is install_path/config/_keytabs, but it is not so important at this point); any file name can be used when generating the keytab file, but the name that IceWarp Server expects (explained later) is used in this example
  • on IceWarp Server go to the domain properties (domain mail.xmigrator.com in our example), tab Directory Service, and enable SSO
  • the Kerberos service name must be filled in according to the pattern <principal>/<icewarp_domain>@<AD_DOMAIN> (for our example: HTTP/mail.xmigrator.com@XMIGRATOR.COM); notice how the service name and the keytab file name match (a slash is not allowed in a file name, so it is replaced with a hash sign)
  • Remote account matching should be left at the default value, "Match with username", as that usually works; the right method depends on your directory service configuration
  • the Manage keytabs... button opens the keytab folder, install_path/config/_keytabs; the keytab file generated on the domain controller earlier should be copied here. The file must have its name set accordingly at this point; for our example it is HTTP#mail.xmigrator.com@XMIGRATOR.COM

 

 

The following must be done on the client side:

  • add the webmail URL to trusted sites, for instance in our case mail.xmigrator.com
    • in Firefox, visit about:config, search for network.negotiate-auth.trusted-uris and add the site there
    • in MSIE open the Internet Options dialog / Security tab / Trusted sites (do not require https:// if not necessary). Additionally, the Integrated Windows Authentication feature must be allowed (it is by default, and it allows Kerberos)


 

Now you can try to browse the SSO-dedicated URL of webmail (i.e. http://mail.xmigrator.com/webmail/sso). If all went well, the webmail of the same user as the one logged on to Windows will open. If not, the Kerberos logs will be very useful; turn them on in the server Administration console: System / Logging / Debug tab / Kerberos.

Known issues:

If the source LDIF attribute value used as the local username source contains a dash, you have to enable the checkbox "add AD login to alias" and set "remote account matching" to "match with alias".

 

a.rusek, o.vanek

 

Groupware Migration from SQLite to MySQL/MS SQL


SQLite is a file-based database engine; each database is stored in one file. SQLite imposes no limitations on the data stored in a database: the whole Iliad and Odyssey could be saved into one column.
More professional engines like MySQL, MS SQL etc. require the length of each column to be specified, and they also check the content.

Progress of the migration is logged to the file icewarp\calendar\calendar.log. All error messages can be found there.

There are two types of problems which can happen during migration from SQLite to MySQL/MS SQL:

Error: Data too long

The data saved in the source SQLite database is longer than the datatype used by MySQL/MS SQL.

The file calendar.xml is used during migration to create the new database. If you increase the column sizes there, the new database will be created with the increased values and the "data too long" error should not appear again. Repeat this process until calendar.log shows no such errors.

Example from calendar.log:

18:59:51 Table TagLinks migration error: Error executing query: Data too long for column 'TGL_ID' at row 1

An error for column 'TGL_ID' at row 1 can be fixed by editing the file calendar\calendar.xml.

Edit the file IceWarp\calendar\calendar.xml and increase the value of the mentioned column. Example of a row: TGL_ID %%varchar%%(12) → TGL_ID %%varchar%%(24).

Then try the migration again; if it fails with the same error, double the number again: TGL_ID %%varchar%%(24) → TGL_ID %%varchar%%(48), etc.
The same applies to ItmCategory, ItmFirstName, ItmSuffix... and any other columns reported in the error log.
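The widening round described above, as an added example that is not part of the article: it reads the "Data too long" errors from calendar.log and doubles the varchar length of each reported column in calendar.xml, so one run corresponds to one manual editing pass. It assumes the column definitions in calendar.xml look exactly like the row the article quotes (TGL_ID %%varchar%%(12)); the log lines and xml rows are constructed.

```shell
#!/bin/sh
# Added example, not code from the IceWarp article. Assumes calendar.xml defines columns
# as "<NAME> %%varchar%%(<len>)" like the article's example row; samples are constructed.
set -eu

# Constructed samples standing in for icewarp/calendar/calendar.log and calendar.xml.
SAMPLE_LOG="18:59:51 Table TagLinks migration error: Error executing query: Data too long for column 'TGL_ID' at row 1
18:59:52 Table ContactItem migration error: Error executing query: Data too long for column 'ItmSuffix' at row 7
18:59:53 Table ContactItem migration error: Error executing query: Incorrect string value: '\xF0\x9F...' for column 'ItmDescription' at row 1"
SAMPLE_XML="TGL_ID %%varchar%%(12)
ItmSuffix %%varchar%%(8)
ItmDescription %%varchar%%(255)"

# Column names from "Data too long" errors only, each once. "Incorrect string value" is the
# other problem type from the article and is not fixed by widening a column, so it is ignored.
too_long_columns() {
  printf '%s\n' "$1" | grep "Data too long for column '" \
    | sed "s/.*for column '\([^']*\)'.*/\1/" | sort -u
}

# Double the varchar length of one column in the xml text read from stdin (12 -> 24 -> 48 ...).
widen_column() {
  awk -v col="$1" '
    {
      if (match($0, col " %%varchar%%\\([0-9]+\\)")) {
        def = substr($0, RSTART, RLENGTH)
        len = def; sub(/^.*\(/, "", len); sub(/\)$/, "", len)
        $0 = substr($0, 1, RSTART - 1) col " %%varchar%%(" len * 2 ")" substr($0, RSTART + RLENGTH)
      }
      print
    }'
}

# One migration round: widen every column the log complains about; prints the new xml text.
# Re-run with the next calendar.log until it reports no "Data too long" errors.
fix_round() {
  log="$1"; xml="$2"
  for col in $(too_long_columns "$log"); do
    xml=$(printf '%s\n' "$xml" | widen_column "$col")
  done
  printf '%s\n' "$xml"
}
```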

Incorrect string value

SQLite does not check the content of the data; you can save anything into a column. MySQL/MS SQL checks the content type of each column. This problem occurs when you try to save something that does not fit the type of the column.

It is strongly recommended to edit the source data in the source database so that it fits the mentioned data type.

Example from calendar.log:

18:56:43 Table ContactItem migration error: Error executing query: Incorrect string value: '\xF0\x9F\x98\x9B\xF0\x9F...' for column 'ItmDescription' at row 1

In this case the offending characters (the "\x.." byte sequences shown in the error) must be removed from the source record, or the whole column left empty.


convert IW dbs to specific character set


NOTE: this article is for testing purposes only.

 


In case you are facing following errors in error log: 


SYSTEM [49E8] 04:53:30:688 DB lib Error executing query: Incorrect string value: '\xF0\x9F\x94\xA8' for column 'SndSubject' at row 1, SQL: INSERT INTO Senders (SndEmail, SndAuthorized, SndCreatedOn, SndCreatedAt, SndFolder, SndOwner, SndDomain, SndIP, SndWord, SndSubject) VALUES ('update@booblol.in','2',2457443,17610,'2016022404533053443458','popo.gape@miraclehospitality.com','miraclehospitality.com','209.105.231.156','TVV8 S2JQ','Cleaning? Plastic? Tool Kits? We got them allߔ觩')

 

We have a solution based on this article:

http://stackoverflow.com/questions/13653712/java-sql-sqlexception-incorrect-string-value-xf0-x9f-x91-xbd-xf0-x9f

 

The solution is to convert the databases to use the utf8mb4 character set and reconfigure IceWarp Server to use it as well (set the API variable c_system_mysqldefaultcharset to utf8mb4).

To prevent data loss or other issues caused by unexpected behavior, back up your databases before executing the conversion script, and follow these steps:

- stop all IceWarp Server services
- run the script enclosed below
- set the API variable c_system_mysqldefaultcharset to utf8mb4 (run tool.sh set system c_system_mysqldefaultcharset utf8mb4)
- restart all IceWarp Server services

The following bash script converts all tables used by IceWarp to utf8mb4 automatically:

-----------------------------------------------------------------------------------------------------------------------------------------------------------

#!/bin/bash
#
# The purpose of this script is to ease the process of database charset and collation conversion.
# By default it converts to the utf8mb4 charset and utf8mb4_unicode_ci collation, but you can use whatever you like.
# The unicode collation variant is more accurate while general is faster (the choice is yours).
# Switching to utf8mb4 enables insertion of 4-byte symbols into MySQL.
#
# Databases you do not want to affect should be listed in the exclude file (exclude_dbs.txt), one per line.
# It is also possible to alter the line where database names are read so that grep selects instead of excluding databases.
# The script also attempts to automatically shorten indexed columns to varchar(191) if they are bigger than that;
# otherwise it leaves them unaffected.
# The maximum size of the index will vary depending on the character set converted to (191 is for the default).
###
#
# Replace user and pass with your MySQL credentials.
# Note: credentials passed as -u/-p arguments are visible to other local users in the process list;
# a --defaults-extra-file holding the same values avoids that.
#
user=yourusername
pass=yourpassword
char=utf8mb4
coll=utf8mb4_unicode_ci
####
#
echo "Script for automatic conversion of database charset has started, please backup your databases and check whether your selection of databases to process is correct indeed."
read -p "Do you wish to continue? (yes/no) " CONT
if [ "$CONT" == "yes" ]; then
  # read db names (everything except the databases listed in exclude_dbs.txt)
  databases=$(mysql -u"$user" -p"$pass" -N -e "SHOW DATABASES;" | tr -d "| " | grep -v -f exclude_dbs.txt)
  for db in $databases; do
    echo "Reading tables from database: $db"
    tables=$(mysql -u"$user" -p"$pass" -N -e "SHOW TABLES FROM ${db}" | tr -d "| ")
    for table in $tables; do
      : > text   # scratch file for the index rows of this table
      echo "$table"
      # alter tables
      mysql -u"$user" -p"$pass" -N -e "ALTER TABLE ${db}.${table} CONVERT TO CHARACTER SET ${char} COLLATE ${coll};"
      if [ $? -gt 0 ]; then
        # conversion failed (typically an index that became too long): shrink indexed varchar columns above 191 chars, then retry
        echo "SHOW INDEXES: ${db}.${table}"
        mysql -u"$user" -p"$pass" -N -e "show indexes in ${db}.${table} where column_name in (select column_name from information_schema.statistics where column_name in (select column_name from information_schema.columns where table_schema = '${db}' and column_type > 'varchar(191)'));" >> text
        while read -r line; do
          # SHOW INDEXES fields: Table, Non_unique, Key_name, Seq_in_index, Column_name, ...; with the db name prepended, Column_name is field 6
          query=$(echo -e "${db}\t${line}" | awk -F"\t" '{printf("alter table %s.%s modify %s varchar(191);\n", $1, $2, $6)}')
          mysql -u"$user" -p"$pass" -N -e "${query}" >> sql.log 2>&1
          if [ $? -gt 0 ]; then
            echo -e "error in:\n $query"
          fi
        done < text
        mysql -u"$user" -p"$pass" -N -e "ALTER TABLE ${db}.${table} CONVERT TO CHARACTER SET ${char} COLLATE ${coll};"
      fi
    done
  done
elif [ "$CONT" == "no" ]; then
  echo "script has been successfully terminated"
  exit
else
  echo "well, correct answer is yes or no"
  exit
fi


--------------------------------------------------------------------------------------------------------------------------------------------------------------

Usage is very simple: modify the user and pass variables and replace the line of the script where database names are read with one of the lines below. You have 3 ways to select which databases to convert:

1) databases=$(mysql -u"$user" -p"$pass" -N -e "SHOW DATABASES;" | tr -d "| " | grep -v -f /path/to/exclude_dbs.txt)

create a text file exclude_dbs.txt listing all databases you wish to exclude from conversion, one per line

2) databases=$(mysql -u"$user" -p"$pass" -N -e "SHOW DATABASES;" | tr -d "| " | grep IW_)

usable if the databases used by IceWarp share the same prefix, e.g. IW_%%database%%

3) databases=$(mysql -u"$user" -p"$pass" -N -e "SHOW DATABASES;" | tr -d "| ")

this selects everything

If you run into any trouble, you can use the same script to revert back to utf8 by simply replacing utf8mb4 with utf8.

Note: the whole scenario is currently under testing and should be used at your own risk; for more reference see the following article:

https://mathiasbynens.be/notes/mysql-utf8mb4

 

 

 

a.rusek,o.vanek


unsubscribe from mailing lists


If you use a lot of mailing lists whose subscriber count changes frequently, the following scenario might be helpful. It is written for a separate MySQL database called e.g. mailing_lists with two tables. The first table, ml_addr, stores mail accounts with an auto-incremented ID as primary key, a_type 1 for mailing lists and NULL (the default) for members, and a unique index on the column 'email'. The second table, ml_lst, is the "tying table" with two columns: lst_id for the ID of the mailing list and mb_id for the ID of the subscriber; the unique index is set on the combination (lst_id, mb_id), because users can be subscribed to more than one mailing list.

The whole process is rule based, so you can specify in which cases users are added to or removed from a mailing list subscription.

 

Database creation part

 

mysql>create database mailing_lists collate utf8_general_ci;

 

1.table:

mysql>create table ml_addr ( id int(11) not null auto_increment, a_type int(1) default null, email varchar (255) not null unique, primary key (id));

 

 

2.table:

mysql>create table ml_lst ( lst_id int(11), mb_id int(11), unique key (lst_id, mb_id));

 

Now you need to insert the mailing list addresses into the database manually; for multiple insertions, search the web for how to insert from a bulk file:

 

mysql>insert into ml_addr (a_type, email) values ( '1', 'mailinglist@yourdomain.net');

 

Because this was the first record in the ml_addr table, its id is 1. Now, in console > Domain > Mailing Lists > mailinglist:

- select members from database

- set the DB settings to connect to the created mailing_lists database

- as the SQL statement, I would suggest entering the full path to a txt file containing the following SQL statement:

select ml_addr.email from ml_addr join ml_lst on ml_addr.id = ml_lst.mb_id where ml_lst.lst_id='%id of your mailing list%'

 

to show id of mailing lists simply execute: select * from ml_addr where a_type='1';

 

Content filter part:

 

subscribe member:

to auto-insert an account as a member of a specific mailing list, create 2 rules matching:

where To: message header matches: mailinglist1@domain.net;mailinglist2@domain.org...

and where subject matches: subscribe

action:

Execute SQL statement:

insert into ml_addr (email) values ('%%Sender_Email%%');

 

create second rule with same condition as first rule with action:

Execute sql statement:

insert into ml_lst (lst_id, mb_id) select s1.id as mlid, s2.id as uid from ml_addr s1 cross join ml_addr s2 where s1.id <> s2.id and s1.email='%%Recipient_Email%%' and s2.email='%%Sender_Email%%';

Two rules are required because only one SQL statement can be executed per rule; alternatively you can use these SQL statements in a script for bulk insertion into MySQL from a file. %%sender_email%% is the account you want to add as a member of the mailing list (%%recipient_email%%).

 

unsubscribe member:

create rule:

Where To: message header matches mailinglist@domain.net

 AND Where Subject: message header matches unsubscribe

actions:

Execute SQL statement:

delete from ml_lst where lst_id in (select id from ml_addr where email='%%Recipient_Email%%') and mb_id in (select id from ml_addr where email='%%Sender_Email%%');

and delete message

and stop processing more rules

 

final step is to add html footer to mailing list in mailing lists>message tab

here is an example of html footer with "mail to" function:

 

<i>
<br><a href="mailto:mailinglist@domain.net?subject=unsubscribe">unsubscribe</a>
</i>

For subscription, change "unsubscribe" to "subscribe" so that the rule created for subscription is triggered; you can have both links in the footer of each message.

 

To clean up the database from e-mails which are no longer used, create a Windows task or cron job to execute:

delete from ml_addr where id not in (select lst_id from ml_lst) and id not in (select mb_id from ml_lst);

Be aware that this deletes every record from the table ml_addr whose ID is not used in the ml_lst table, so if you have stored the e-mail of a mailing list without members there, it will be erased as well.

 

o.vanek

 

 

 

Outlook Address Book Connected to LDAP


When adding the LDAP server to Outlook follow the steps below.

 

1. Enter the server name.

2. Check the box This server requires me to log on.

3. Fill in the Username cn=admin and the password from the slapd.conf file. Note: IceWarp does not require SPA, so there is no need to check this box.

4. Click more settings and then click the search tab. You need to supply a Custom Search Base of dc=root and then click ok.

5. After completing this restart outlook and you can now search the Other address book from the drop downs when selecting Address Book.

 
