
Resolved How to use ActiveSync with Horde

Atramasis

Basic Pleskian
I have activated ActiveSync on my server and it works pretty well. Now I want to share my experience and maybe get some new suggestions.
Thanks to everyone who helped to achieve it, I learned a lot from many posts.

1. Choose a domain and an email address for administration. It should be a domain with SSL (there are even free SSL providers); this is not necessary but better.
2. Edit in the file /etc/psa-webmail/horde/horde/conf.php these lines:
Code:
$conf['auth']['admins'] = array('your-admin-email-address');
$conf['activesync']['enabled'] = true;
$conf['activesync']['version'] = '14.1';
3. In Plesk Panel go to your main domain Subscription > Websites & Domains > Web Server Settings. Activate Process PHP by nginx and put the following code into both Additional directives for HTTP and Additional directives for HTTPS:
Code:
# Enable ActiveSync
<Directory /usr/share/psa-horde>
 Order allow,deny
 Allow from all
</Directory>
RewriteEngine On
RewriteRule ^/Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php [L,QSA]
Alias /autodiscover/autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /Autodiscover/Autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /AutoDiscover/AutoDiscover.xml /usr/share/psa-horde/rpc.php
# End Enable ActiveSync
4. Now in Plesk go to Websites & Domains > PHP Settings and set max_execution_time to custom value 3000 (it should be more than the value of $conf['activesync']['ping']['heartbeatmax'] in your horde.conf)
If you do this, Plesk automatically sets proxy_read_timeout 3000; in your nginx.conf, which is important.

5. Go to Tools & Settings > Mail Server Settings and set Maximum number of connections for a user per IP address to a higher value, e.g. 40.
I had to raise this value to prevent an error in mail.err:
courier-imapd: Maximum connection limit reached for ::1
(Horde makes many local connections to IMAP and it stops authenticating when the limit is met; your mail client can't log in and asks for a password.)

If you use Courier you can alternatively edit the file /etc/courier-imap/imapd:
Code:
MAXPERIP=40
6. Reload Apache and Courier IMAP services (Plesk Panel > Tools & Settings > Services Management)

7. Optional, but needed for some clients (e.g. Windows 8.1 Mail app):
Go to your Webmail and log in with your admin account. Go to Settings (the gear icon) > Administration > Permissions.
Add the following tree:
All Permissions > Horde > ActiveSync > Provisioning
In Provisioning, set Allow for All Authenticated Users

That's it!
Try to connect with a client (i.e. Outlook 2013). Use these values:
username: full email address (e.g. [email protected])
server: your chosen main domain (e.g. server.com)
domain: the domain of your email address (e.g. mydomain.com) <-- This is necessary for some clients (e.g. Windows 8.1 Mail app).

There are more steps needed to make Autodiscover work, but it is not so important for me.
For more info, here is the official Horde Wiki.
 

Hello, thanks a lot for this information, I finally got activesync to work, but there are two things I do not quite understand:

In the file
Code:
/etc/psa-webmail/horde/horde/conf.php
I kept the database password retrieval untouched:

Code:
$conf['sql']['database'] = 'horde';
if (!($fd = fopen('/etc/psa-webmail/horde/.horde.shadow', 'r'))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);
$conf['sql']['password'] = preg_replace("/\n/", "", $buff);

The problem is, that the file
Code:
/usr/share/psa-horde/rpc.php
cannot retrieve the password now and the browser throws an "unable to get webmail password", if I test the page https://domain.tld/Microsoft-Server-ActiveSync by trying to open it in a browser.

If you use the horde configuration in webmail.domain.tld, it directly puts the password directive in the aforementioned file
Code:
/etc/psa-webmail/horde/horde/conf.php
but this is "non standard" then and plesk could get into trouble:

Code:
$conf['sql']['password'] = 'gnurplfrunzbrilul';

See here for further details http://benohead.com/horde-unable-get-webmail-password/.

I have to change the owner of the file .horde.shadow to apache.horde_sysgroup for activesync to work, normally this is root.horde_sysgroup (bug or feature?).

Are there any security risks by doing so? Why doesn't the rest of horde have problems to retrieve the password in the standard way?

The second problem is, when activesync is working, it keeps downloading the one and only account test mail again and again. If I delete it, it goes to the trash folder and after a few seconds, the same email is in the inbox a second time.
Calendar seems to work for me....

Thanks in advance for answering.

Markus
 
I don't have these lines in my conf.php: (Horde 5.1.5 on Ubuntu 12.4 with Plesk 11.5)
Code:
if (!($fd = fopen('/etc/psa-webmail/horde/.horde.shadow', 'r'))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);
$conf['sql']['password'] = preg_replace("/\n/", "", $buff);

In my config this is all about 'sql':
Code:
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'QblablablablaZn';
$conf['sql']['socket'] = '/var/run/mysqld/mysqld.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'utf8';
$conf['sql']['ssl'] = false;
$conf['sql']['splitread'] = false;
$conf['sql']['phptype'] = 'mysql';

Regarding the second problem (and maybe it helps with the first?) you could try to disable caching (or set to other than SQL at least):
Code:
$conf['cache']['driver'] = 'Null';
I had to do it to avoid similar problems.
 
With CentOS 6.5 it seems to use an extra password file named .horde.shadow, which won't be used any more, if
I put the SQL stuff directly into the conf.php. The other Horde stuff works either way, without changing it. It's a permission problem, which I have to track down.

The cache hint, I'll try when I'm back at my desk.

Thank you!

Markus
 
O.K. with

Code:
$conf['cache']['driver'] = 'File';

it works and the message in the outlook folder is persistent. 'Sql' was set by plesk default but not recommended by Horde :( .

Thanks for that!

But the other problem keeps existing:

The file

Code:
/usr/share/psa-horde/rpc.php

cannot access the file

Code:
/etc/psa-webmail/horde/.horde.shadow

to retrieve the sql password if the owner of .horde.shadow is not set to 'apache'.

How can I find out under which user the rpc.php runs, since it has to be different to the other horde scripts, since they are able without problems to retrieve the password with the standard owner 'root' by the code

Code:
$conf['sql']['database'] = 'horde';
if (!($fd = fopen('/etc/psa-webmail/horde/.horde.shadow', 'r'))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);
$conf['sql']['password'] = preg_replace("/\n/", "", $buff);

in the file conf.php?

To state correctly, with the owner change, activesync seems to work for me, but I'm searching for the possibility to get it to run with the most of the plesk standard settings. And I'd like to understand, why the standard horde php's can access the password and the rpc.php cannot?

Thanks for answering...

Markus
 
Running Horde 5.1.5 on CentOS 6.5 with Plesk 11.5.30 Update #33.

I have completed the steps outlined by Atramasis and have come to the same result as MarkusSc.
After changing the owner of .horde.shadow to apache.horde_sysgroup, the error message in the browser disappears
when opening mydomain.ltd/Microsoft-Server-ActiveSync. But still it doesn't work with any device.

I think, when opening mydomain.ltd/Microsoft-Server-ActiveSync a login window should appear
(At least that is the behavior that I know of exchange servers.). But it does not.
There is only the normal "Browser not supported" message.

What about this line in the config file, does it have to be changed?
Code:
$conf['sql']['password'] = preg_replace("/\n/", "", $buff);

Thanks!
 
I don't know if it is a solution, but you could try this: In additional directives replace the line RewriteRule ^/Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php [L,QSA] with this line:
Code:
Alias /Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php
It should do the same, but maybe the authentication works better with Alias on some systems.
 
@MarkusSc
Could you again briefly describe what you have done in addition to the guidance of Atramasis to make it work? Thank You.
 
The file /etc/psa-webmail/horde/.horde.shadow cannot be read by the normal webserver process, since it runs under the user 'apache', but the file can only be accessed by users belonging to the group 'horde-sysgroup' which 'apache' is not. As an effect, the database password cannot be retrieved, and rpc.php cannot connect to the database => ActiveSync does not work.

I commented out the code (/*.......*/):

Code:
$conf['sql']['database'] = 'horde';
if (!($fd = fopen('/etc/psa-webmail/horde/.horde.shadow', 'r'))) {
  echo "<script>alert('Unable to get webmail password!')</script>";
  exit();
}
fscanf($fd, "%s", $buff);
fclose($fd);
$conf['sql']['password'] = preg_replace("/\n/", "", $buff);

and added the line found in the ubuntu configuration from Atramasis (replace the password by the one found in '/etc/psa-webmail/horde/.horde.shadow')

Code:
$conf['sql']['password'] = 'QblablablablaZn';

After that, everything works, since horde through rpc.php can connect to the database.

Changing the owner of '/etc/psa-webmail/horde/.horde.shadow' from 'root.horde_sysgroup' to 'apache.horde_sysgroup' would work, too, but I think, that would be more insecure.

By just commenting out the centos-specific code and replacing it by the ubuntu one, there should not be any security flaws.

Sorry for me answering that late, but I did not get an E-Mail from your post.

If there are any further questions, just ask......

There is a second post from me in the pipeline, but in advance: In order to get things to work, there is an AllowOverride FileInfo directive necessary for the /usr/share/psa-horde directory.

Regards Markus
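
Added example (not part of the original posts, and not Plesk or Horde code): a Python check of which permission class decides whether an account can read .horde.shadow, which makes the difference between group access and the owner change discussed above visible. The default path and the account name `apache` come from the thread; the function names are this example's own, and POSIX ACLs are assumed not to be in use.

```python
import os
import pwd
import stat
import sys

# Permission bits per class: read (for the file), search (for directories).
BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def granted(st, uid, gids, want):
    """Return (class, allowed) the way the kernel picks it: the first
    matching class (owner, then group, then other) decides alone."""
    usr, grp, oth = BITS[want]
    if uid == 0:
        return "root", True  # root bypasses file read and directory search checks
    if st.st_uid == uid:
        return "owner", bool(st.st_mode & usr)
    if st.st_gid in gids:
        return "group", bool(st.st_mode & grp)
    return "other", bool(st.st_mode & oth)

def risk_note(cls, allowed):
    """Say what the deciding class means for a file that holds a password."""
    if not allowed:
        return "cannot read: scripts running as this user fail to get the password"
    return {
        "root": "root bypasses the mode bits",
        "owner": "user owns the file and can also chmod or overwrite it",
        "group": "read access comes from group membership only",
        "other": "file is world-readable",
    }[cls]

def audit(path, username):
    """Check search permission on every parent directory, then read
    permission on the file itself, for the named account."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    path = os.path.abspath(path)
    parents, d = [], os.path.dirname(path)
    while d not in parents:          # stops once "/" has been collected
        parents.append(d)
        d = os.path.dirname(d)
    for d in reversed(parents):      # from "/" down to the containing directory
        cls, ok = granted(os.stat(d), pw.pw_uid, gids, "x")
        if not ok:
            return d, cls, False     # blocked before reaching the file
    cls, ok = granted(os.stat(path), pw.pw_uid, gids, "r")
    return path, cls, ok

if __name__ == "__main__":
    # Defaults are the path and the account named in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/psa-webmail/horde/.horde.shadow"
    user = sys.argv[2] if len(sys.argv) > 2 else "apache"
    try:
        where, cls, ok = audit(target, user)
        print(f"{user} -> {where}: class={cls} allowed={ok} ({risk_note(cls, ok)})")
    except (KeyError, OSError) as exc:
        print(f"cannot audit {target} for {user}: {exc}")
```

Run it as root with the file path and the account to test as arguments; comparing the output for the account of the webmail PHP processes and for `apache` shows which class each one falls into.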
 
ActiveSync AutoDiscovery with ActiveSync-Server placed on a subdomain

In addition I've placed my ActiveSync-Server on a subdomain named eas.domain.tld. Then you can configure individual (php-)settings and you are independent of the standard domain.tld settings, which you could use for another service like owncloud, for example. But then AutoDiscovery does not work any more, since it cannot find anything on domain.tld.

If you want AutoDiscovery to work with this you need another subdomain named autodiscover.domain.tld

Add the following code to the webserver http/https directions in plesk panel webserver-settings:

Code:
RedirectMatch 302 (?i)/autodiscover/autodiscover.xml https://eas.domain.tld/autodiscover/autodiscover.xml
RedirectMatch 302 (?i)/Autodiscover/Autodiscover.xml https://eas.domain.tld/Autodiscover/Autodiscover.xml
RedirectMatch 302 (?i)/AutoDiscover/AutoDiscover.xml https://eas.domain.tld/autodiscover/autodiscover.xml

This redirects to the eas.domain.tld server, where ActiveSync resides.

Add the following code to the webserver http/https directions in plesk panel webserver-settings of eas.domain.tld:

Code:
# Configuration for ActiveSync using Horde
<Directory /usr/share/psa-horde>
    php_flag magic_quotes_gpc off
    php_flag register_globals off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on
    Order allow,deny
    Allow from all
    AllowOverride FileInfo
</Directory>

Alias /Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php
Alias /autodiscover/autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /Autodiscover/Autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /AutoDiscover/AutoDiscover.xml /usr/share/psa-horde/rpc.php

# End of configuration for ActiveSync using Horde

If you just use the regular apache with mod_php then the alias directions work without flaws. When using mod_fcgi or nginx then you should use the rewrite-directions above. I think that some of the php-settings above are standard, but I thought explicitly setting them should not do any harm.

The above part

Code:
 Order allow,deny
    Allow from all
    AllowOverride FileInfo

is necessary, because in the directory /usr/share/psa-horde there has to be a .htaccess file with the following content:
Code:
# IMPORTANT: DO NOT EDIT THIS FILE!
# It will be overwritten with any future upgrade.

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond   %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [QSA,L]
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteCond   %{REQUEST_FILENAME}  !-d
    RewriteCond   %{REQUEST_FILENAME}  !-f
    RewriteRule ^(.*)$ rampage.php [QSA,L]
</IfModule>

In that file there was an allow from all directive, I had to edit out. And I added code for redirecting to https for all connections.

This .htaccess file is never executed, if you forget to add the

Code:
 Order allow,deny
    Allow from all
    AllowOverride FileInfo

to your domain configuration. If you leave the Allow from all code in the .htaccess file, this leads to an apache error.

So the configuration above is the only one that worked for me.
 
Thank you for your detailed answers! Now it is partly working: contacts and calendar are ok, but no emails. Outlook 2013 says: "Waiting for Server". Android shows no email, without error.

Best regards!
 
Good, let's continue.....;-))

I think we are now at the point with the device registration in horde. Every device is registered at the first login attempt. I had the absent emails, too.

Login to Webmail.domain.tld with an Admin Account from Horde. (You added this account to your horde.conf some time before....)

I had to remove (not delete) (entfernen, nicht löschen) the devices in horde webmail and had to recreate the account in Outlook 2013 and on the other clients once. This was then accepted as a sort of restart and the emails appeared. See the following screenshot. Remove or reprovision every device. Be careful, the button 'löschen' in German is for remote wiping the device. The buttons are not shown in the screenshot, since on the right personal data is shown, so the buttons are the ones on the right of every device entry.

Zwischenablage02.jpg

Some devices like Windows Phone and Windows 8.1. standard Mail need the provisioning feature of horde enabled. For that, you have to go to the rights (Rechte) section, and add the settings as shown in the following screenshot.

The first level has to be set to allow everything for every authenticated user, the provisioning setting has to be allow (erlauben)...The ActiveSync setting has only one checkbox without text, I enabled it, too.

Zwischenablage04.jpg

Best regards....
 
Have tried everything, unfortunately, still no e-mails.

Devices look like this:
Android | Android/4.3-EAS-1.3 | Sun, 09 Mar 2014 00:47:33 +0000 | 4048... | Provisioned
WindowsOutlook15 | Outlook/15.0 (15.0.4551.1507; MSI; x86) | Sun, 09 Mar 2014 00:34:38 +0000 | 0 | Not Provisioned

I don't know, why Outlook is not provisioned... but whatever, emails do not appear on both devices.
 
Outlook 2013 never gets provisioned, only iPad, WindowsPhone and Standard WindowsMail and other mobile Devices do so, Outlook 2013 works without that.

Try to send a new E-Mail to the account, on my devices the new ones appeared.

One thing: The same setting with AllowOverride FileInfo has to be made in the conf-file for webmail.domain.tld in order for webmail to work:
In the file /etc/httpd/conf/plesk.conf.d/horde.conf add the AllowOverride line below (twice for http and https).

Code:
 <IfModule mod_fcgid.c>
        FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
        FcgidInitialEnv PP_CUSTOM_PHP_INI "/etc/psa-webmail/horde/horde/php.ini"
        FcgidMaxRequestLen 134217728
        <Directory "/usr/share/psa-horde">
            <Files ~ (\.php$)>
                SetHandler fcgid-script
                FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
                Options +ExecCGI
            </Files>

            SSLRequireSSL
            Order allow,deny
            Allow from all
            AllowOverride FileInfo
        </Directory>
 
Hi guys,

just do not get out. it doesn't work.
At the beginning I tried to do it as described by Atramasis.
But I have some differences:
"3. In Plesk Panel go to your main domain Subscription > Websites & Domains > Web Server Settings. Activate Process PHP by nginx" <-- I don't have this PHP nginx

Then I tried this one:
"edit
/var/www/vhosts/mydomain.de/conf/vhost.conf
/var/www/vhosts/mydomain.de/conf/vhost_ssl.conf

<Directory /usr/share/psa-horde>
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
</Directory>
Alias /Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php
Alias /autodiscover/autodiscover.xml /usr/share/psa-horde/rpc.php

then
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
/etc/init.d/apache2 restart

then go to
/etc/psa-webmail/horde/horde/
edit conf.php
At the end, there's a point Activesync, set it to true

search for "$conf['auth']['admins'] = array()"
and add your mail address with the quotes '[email protected]'

login at webmail.mydomain.de
go to settings -> administration -> configuration

there you'll see a few points where it says "needs to be updated"
just click on the points, and at the end of the site click "generate config" and copy the config, in a colored box you'll see where to store the conf.php files:

/usr/share/psa-horde/nag/config/conf.php
/etc/psa-webmail/horde/horde/conf.php
/etc/psa-webmail/horde/imp/conf.php
/etc/psa-webmail/horde/passwd/conf.php

don't forget to make a backup of the files.
restart apache

/etc/init.d/apache2 restart"

But it didn't work either.
I have a vserver from strato. Ubuntu 12.04 with Plesk 11.5.30 and Horde 5.1.5.

Marcus, you got it to work and you have the same system, maybe you can help me?
Thanks a lot and sorry, my German is better than my English ;-)
 
Hello everyone,

Has anyone got Horde ActiveSync to run correctly with CentOS 6.5?

Thanks in advance.

Ernie
 
I am interested in setting up ActiveSync on Plesk 11.5 running on CentOS 5.8. Has anyone had success? If it will work I will try these steps. Are the procedures above using Horde 6.1.6?

Thanks,

Mike
 
Hi guys

I try to configure ActiveSync according to the instructions in the first post.
But now I have the problem that rpc.php is not processed. When I try to open the url <domain>/Microsoft-Server-ActiveSync my browser wants to download the file. I think the problem is that the php module is not configured right. I set the open_basedir to /usr/share/psa-horde/ too, but it did not help.
I am grateful for any help.
 
I have a few things to add to this topic having just been through the above. I'm on Plesk 12.0.18 on Ubuntu 12.04

I followed some of the above, then did some digging of my own, here's how I got it all to work:

Instead of step 2, I went to /etc/apache2/plesk.conf.d/webmails/horde/ and created a new file local.conf - this is automatically added to the apache vhost configuration for horde via an include directive:

ServerAlias autodiscover.*
<Directory /usr/share/psa-horde>
Order allow,deny
Allow from all
</Directory>
RewriteEngine On
RewriteRule ^/Microsoft-Server-ActiveSync /usr/share/psa-horde/rpc.php [L,QSA]
Alias /autodiscover/autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /Autodiscover/Autodiscover.xml /usr/share/psa-horde/rpc.php
Alias /AutoDiscover/AutoDiscover.xml /usr/share/psa-horde/rpc.php
This is based on the plesk horde configuration that has the server alias horde.webmail.* for all domains used with the server, and adds in the autodiscover alias.

This essentially follows the instructions in the first post of the thread, but rather than putting it into each domain, it adds it to the configuration files for the horde.webmail virtual host so that every domain will benefit, and all domains can use Activesync transparently.

I made the same changes to horde.conf, although the only thing you _have_ to do is add your main email address to the ['auth']['admins'] array, everything else can be done from the horde UI. I used the instructions from the Horde Wiki to enable Activesync support via the horde web UI, I left all the options at their defaults.

After adding the permission tree (step 7 in the original post) there are 2 things you _must_ do. On the ActiveSync branch, you have to click little pencil icon then click the unlabelled check box for 'All authenticated users'. Then for the Horde (horde) branch click the little pencil and enable 'Show' and 'Read' for 'All authenticated users'.

I think this last step is what is messing it up for a lot of people - the default Horde configuration presumably allows all authenticated users to log in, by adding this permission tree we're overriding that and accidentally only allowing administrators to log in. The resultant error message is deeply unhelpful and leads to messing around with cookie paths and permissions which are all fine in the default Plesk install and shouldn't need to be touched.

Screen-Shot-2015-01-19-at-09.44.50.png


Screen-Shot-2015-01-19-at-09.46.15.png

After doing the above, any email address from any domain will auto configure for Activesync using Microsoft Outlook and various mobile clients.
 