# Setup vm from 64 bit centos6.5 iso, take all the defaults, desktop
# install

# Set the hostname to a fully qualified globally resolvable name,
# something like oc.example.com; we assume the mail domain is then
# example.com after removing the leading component

# Set a fixed ip address - not dhcp. below we need to point
# /etc/resolv.conf to the internal samba dns server running on this
# machine, and that would be overwritten by the dhcp client.

# Set the time zone to something that does NOT include a
# space. America/Los Angeles does not work, but America/Chicago works.
# Possibly Ubuntu uses underscore instead of spaces.

# http://www.openchange.org/cookbook/configuring.html

# there are three hard-coded users here;
#   sogo             is specified in some of the rpms
#   openchange-user  is used for the msql account
#   johndoe          is a test mail account

function logme() {
    echo ""
    echo ""
    echo '****' "$(date) $@"
}

function makesemodule() {
    modulename="$1"
    checkmodule -M -m -o $modulename.mod $modulename.te
    semodule_package -o $modulename.pp -m $modulename.mod
    rm -f $modulename.mod
    semodule -i $modulename.pp
}

function makeauser() {
    user="$1"
    pass="$2"
    logme "create $user in samba"
    samba-tool user add "$user" "$pass"
    logme "extend $user in openchange"
    openchange_newuser --create "$user"
    logme "setup mail directories for $user"
    (
        REALM=$(hostname)
        MAILDOMAIN=$(echo $REALM | cut -d. -f2-)
        cd /var/spool/mail
        mkdir "$user"
        mkdir -p "$user"/Drafts "$user"/Sent "$user"/Trash
        chown -R vmail:vmail "$user"
        cd /etc/mail
        echo "$user@$MAILDOMAIN   $user@DOVECOT" >>virtusertable
        echo "$user@$REALM        $user@DOVECOT" >>virtusertable
        make
    )
}

function setupenv() {
    DOMAIN="$1"
    ADMINPASS="$2"
    REALM=$(hostname)
    HOST=$(echo $REALM | cut -d. -f1)
    MAILDOMAIN=$(echo $REALM | cut -d. -f2-)
    AUTODISC=autodiscover.$MAILDOMAIN
    REALMDN=$(echo .$REALM | sed -e 'sx\.x,DC=xg' | cut -c2-)
    IP=$(ip -4 addr list eth0 primary | tail -1 | awk '{print $2}' | cut -d/ -f1)
    REALMUC=$(echo $REALM | tr 'a-z' 'A-Z')
}

function phase0() {
    logme 'add epel repository'
    yum -y install http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

    logme 'disable gnustep from epel'
    # http://www.sogo.nu/english/support/faq/article/how-to-install-sogo-and-sope-through-yum.html
    fn=/etc/yum.repos.d/epel.repo
    sed -i -e 's,enabled=.*,\0\nexclude=gnustep-*,g' $fn

    logme 'install updates'
    yum -y update
}

function phase1() {
logme 'starting phase 1, does most of the work'
setupenv "$1" "$2"

logme 'add openchange repository'
cat >/etc/yum.repos.d/SOGo.repo <<EOF
[sogo-rhel6]
name=Inverse SOGo build Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL6/nightly/\$basearch
gpgcheck=0
EOF

logme 'add rpmforge repository'
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

logme 'enable rpmforge extras'
# http://www.sogo.nu/english/support/faq/article/how-to-install-sogo-and-sope-through-yum.html
yum-config-manager --enable rpmforge-extras

logme 'rpmforge extras conflicts with perl package in updates'
fn=/etc/yum.repos.d/CentOS-Base.repo
sed -i -e 's,gpgcheck=.*,\0\nexclude=perl-Compress-Raw-Zlib,g' $fn

logme 'pickup the system time zone'
. /etc/sysconfig/clock
echo "system is configured for time zone $ZONE"
if [ -n "$(echo $ZONE | awk '{print $2}')" ]; then
    echo "bad time zone $ZONE"
    echo "must be only one token"
    exit
fi

logme 'get a sane server'
service postfix stop
yum -y install sendmail sendmail-cf policycoreutils-python
yum -y remove postfix
service sendmail start
for i in nfslock portreserve rpcbind rpcgssd rpcidmapd NetworkManager; do
    service $i stop
    chkconfig --levels 2345 $i off
done

logme 'remove the static default firewall'
service iptables stop
service ip6tables stop
chkconfig --levels 2345 iptables off
chkconfig --levels 2345 ip6tables off

logme 'add dynamic firewall'
yum -y install http://www.five-ten-sg.com/syslog2iptables/packages/centos6/syslog2iptables-1.15-1.el6.x86_64.rpm
service syslog2iptables start

logme 'setup selinux context for dnsbl, pretending to be spamassassin'
semanage fcontext -a -t spamd_initrc_exec_t   '/etc/rc\.d/init\.d/dnsbl'
semanage fcontext -a -t spamass_milter_exec_t '/usr/sbin/dnsbl'
semanage fcontext -a -t spamass_milter_data_t '/var/run/dnsbl(/.*)?'
semanage fcontext -a -t spamass_milter_data_t '/var/run/dnsbl\.pid'
semanage fcontext -a -t spamass_milter_data_t '/etc/dnsbl(/.*)?'

logme 'spam filtering'
yum -y install http://www.five-ten-sg.com/dnsbl/packages/centos6/dnsbl-6.44-1.el6.x86_64.rpm
restorecon -R /usr/sbin/dnsbl /var/run/dnsbl* /etc/dnsbl /etc/rc.d/init.d/dnsbl

logme 'virus scanning'
yum -y install http://www.five-ten-sg.com/util/amavisd-milter-1.5.0-6.x86_64.rpm
yum -y install amavisd-new
fn=/etc/amavisd/amavisd.conf
sed -i -r -e "s/..(@bypass_spam_checks)/\1/g"                 $fn
sed -i -r -e "s/(max_servers =).*;/\1 5;/g"                   $fn
sed -i -r -e "s/(mydomain =).*;/\1 '$REALM';/g"                $fn
sed -i -r -e "s,(QUARANTINEDIR =).*;,\1 '/var/virusmails';,g" $fn
sed -i -r -e "s,(unix_socketname =).*;,\1 '/var/run/amavisd/amavisd.sock';,g" $fn
sed -i -r -e "s,(final_virus_destiny *=).*;,\1 D_REJECT;,g"    $fn
sed -i -r -e "s,(final_banned_destiny *=).*;,\1 D_REJECT;,g"   $fn
sed -i -r -e "s,(final_spam_destiny *=).*;,\1 D_REJECT;,g"     $fn
sed -i -r -e "s,(final_bad_header_destiny *=).*;,\1 D_PASS;,g" $fn

logme 'selinux modifications'
cat >amavisdpatch.te <<EOF
module amavisdpatch 1.0;

require {
    type system_cronjob_tmp_t;
    type amavis_t;
    type hostname_exec_t;
    type shell_exec_t;
    class unix_stream_socket connectto;
    class file open;
    class file read;
    class file execute;
    class file execute_no_trans;
}

#============= amavis_t ==============
allow amavis_t self:unix_stream_socket connectto;
allow amavis_t system_cronjob_tmp_t:file read;
allow amavis_t hostname_exec_t:file { open read execute execute_no_trans };
allow amavis_t shell_exec_t:file execute;
EOF
cat >dnsbl.te <<EOF
module dnsbl 1.0;

require {
    type admin_home_t;
    type dcc_var_t;
    type initrc_t;
    type net_conf_t;
    type sendmail_t;
    type smtp_port_t;
    type spamass_milter_data_t;
    type spamass_milter_t;
    type spamc_t;
    type spamd_t;
    type var_run_t;
    type var_t;
    class capability { setuid dac_read_search setgid dac_override };
    class dir { create search open read getattr write add_name remove_name };
    class file { create open read write append ioctl getattr link unlink rename setattr };
    class lnk_file read;
    class process { siginh noatsecure rlimitinh sigkill };
    class sock_file { getattr create write unlink };
    class tcp_socket { create connect read write shutdown name_connect };
    class udp_socket { create connect read write ioctl };
    class unix_stream_socket connectto;
}

#============= spamass_milter_t ==============
allow spamass_milter_t dcc_var_t:dir search;
allow spamass_milter_t dcc_var_t:file { getattr open read };
allow spamass_milter_t dcc_var_t:sock_file write;
allow spamass_milter_t initrc_t:unix_stream_socket connectto;
allow spamass_milter_t net_conf_t:file { read getattr open };
allow spamass_milter_t self:capability { setuid dac_read_search setgid dac_override };
allow spamass_milter_t self:tcp_socket { create connect read write shutdown };
allow spamass_milter_t self:udp_socket { create connect write read ioctl };
allow spamass_milter_t self:unix_stream_socket connectto;
allow spamass_milter_t smtp_port_t:tcp_socket name_connect;
allow spamass_milter_t spamass_milter_data_t:lnk_file read;
allow spamass_milter_t spamc_t:process { siginh noatsecure rlimitinh sigkill };
allow spamass_milter_t var_run_t:dir { add_name remove_name write };
allow spamass_milter_t var_run_t:file { create open getattr write };
allow spamass_milter_t var_run_t:sock_file { create unlink write };
allow spamass_milter_t var_t:file { open getattr read };
allow spamass_milter_t var_t:sock_file write;

#============= spamd_t ==============
allow spamd_t spamass_milter_data_t:dir { create search open read getattr write add_name remove_name };
allow spamd_t spamass_milter_data_t:file { create open read write append getattr ioctl link unlink rename setattr };
allow spamd_t admin_home_t:dir { create search add_name write };
EOF
cat >sendmail.te <<EOF
module sendmail 1.0;

require {
    type var_run_t;
    type amavis_t;
    type amavis_var_run_t;
    type etc_mail_t;
    type httpd_t;
    type mqueue_spool_t;
    type sendmail_t;
    class dir { search add_name write getattr };
    class file { write create };
    class sock_file { getattr write };
    class unix_stream_socket connectto;
}

#============= sendmail_t ==============
#!!!! The source type 'sendmail_t' can write to a 'dir' of the following types:
# mail_spool_t, mqueue_spool_t, etc_t, user_home_t, var_run_t, var_log_t, dovecot_spool_t, sendmail_tmp_t, etc_aliases_t, user_home_dir_t, mail_spool_t, sendmail_log_t, tmp_t, nfs_t

allow sendmail_t amavis_t:unix_stream_socket connectto;
allow sendmail_t amavis_var_run_t:dir { getattr search };
allow sendmail_t amavis_var_run_t:sock_file { getattr write };
allow sendmail_t etc_mail_t:dir { add_name write };
allow sendmail_t etc_mail_t:file { create write };
allow sendmail_t var_run_t:sock_file { getattr write };


# allow php to send mail
#============= httpd_t ==============
allow httpd_t amavis_var_run_t:dir getattr;
allow httpd_t mqueue_spool_t:dir { search add_name write getattr };
allow httpd_t sendmail_t:dir getattr;
EOF

logme 'selinux fixup'
setsebool -P antivirus_can_scan_system=true
for m in amavisdpatch dnsbl sendmail; do
    makesemodule $m
done

logme 'fix rpmforge spamassassin, needs sa-update first'
sa-update

logme 'install perl-Convert-BinHex for amavisd, something else brought that in on a normal centos install'
yum -y install perl-Convert-BinHex

logme 'add services'
services="spamassassin clamd clamd.amavisd amavisd amavisd-milter dnsbl"
for service in $services; do
    chkconfig --levels 2345 $service on
done
for service in $services; do
    service $service start
done

logme 'install openchange'
yum -y remove sssd-common evolution-mapi    # sogo packages conflict with these
yum -y update
packages="
          dovecot
          dovecot-pigeonhole
          haveged
          mod_ssl
          nc
          openchange
          openchange-ocsmanager
          openchange-rpcproxy
          openldap-clients
          samba
          sendmail-cf
          sogo
          sogo-openchange-backend
          sope49-gdl1-mysql
          telnet
         "
yum -y install $packages

logme 'verify all the packages really got installed'
yum -y list $packages

# errors in packaging!!
#  Updating   : samba-common-4.1.11-2.centos6.x86_64                       14/47
# /var/tmp/rpm-tmp.CdnqdB: line 2: /usr/bin/systemd-tmpfiles: No such file or directory
#
# the samba rpm for centos6 should not try to run systemd-tmpfiles - that is only
# on centos7. The rpm also does not include a SysV init script for samba. That is
# fixed below.

logme 'enable mod_wsgi'
sed -i -e 's/^#LoadModule/LoadModule/g' /etc/httpd/conf.d/wsgi.conf

logme 'initialize samba'
rm -f /etc/samba/smb.conf
samba-tool domain provision --realm=$REALM --domain=$DOMAIN --adminpass="$ADMINPASS" --server-role='dc'

logme 'setup kerberos'
# http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358
mv /etc/krb5.conf /etc/krb5.conf.save
cp -a /var/lib/samba/private/krb5.conf /etc
cat >>/etc/krb5.conf <<EOF
[realms]
        $REALMUC = {
        kdc = $HOST.$REALM
        }
EOF

logme 'add samba config for openchange'
cat >>/etc/samba/smb.conf <<EOF

[global]
### Configuration required by OpenChange server ###
dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
mapistore:namedproperties = mysql
namedproperties:mysql_user = openchange-user
namedproperties:mysql_pass = $ADMINPASS
namedproperties:mysql_host = localhost
namedproperties:mysql_db = openchange
mapistore:indexing_backend = mysql://openchange-user:$ADMINPASS@localhost/openchange
mapiproxy:openchangedb = mysql://openchange-user:$ADMINPASS@localhost/openchange
### Configuration required by OpenChange server ###
EOF

logme 'install mysql'
yum -y install mysql-server MySQL-python

logme 'mysql localhost only'
fn=/etc/my.cnf
sed -i -e 's,symbolic-links=0,\0\nbind-address = localhost,g' $fn

logme 'initial setup mysql'
chkconfig --levels 2345 mysqld on
service mysqld start
sleep 15
mysqladmin --user=root password "$ADMINPASS"
mysql --user=root --password="$ADMINPASS" <<EOF
CREATE USER 'openchange-user'@'localhost' IDENTIFIED BY '$ADMINPASS';
GRANT ALL PRIVILEGES ON \`openchange\`.* TO 'openchange-user'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF

logme 'setup openchange using mysql'
openchange_provision --standalone
openchange_provision --openchangedb --openchangedb-uri mysql://openchange-user:$ADMINPASS@localhost/openchange
echo "show tables;" | mysql --user=openchange-user --password="$ADMINPASS" openchange

logme 'extend the admin account already created during provisioning above'
openchange_newuser --create Administrator

logme 'manual test to see that something is working'
mkdir /var/run/samba
samba -d3 -i -M single &
pid=$!
sleep 15
echo ""
x=$(dig $REALM @127.0.0.1 +short)
y=$(dig $HOST.$REALM  @127.0.0.1 +short)
# debug from http://blogs.nologin.es/rickyepoderi/index.php?/archives/71-Samba-4.0.0.html
logme 'test 1'; dig _kerberos._udp.$REALM SRV @127.0.0.1 +short
logme 'test 2'; dig _ldap._tcp.$REALM SRV @127.0.0.1 +short
logme 'test 3'; smbclient -L localhost -U%
logme 'test 4'; smbclient //localhost/netlogon "-UAdministrator%$ADMINPASS" -c 'ls'
logme 'test 5'; ldapsearch -LLL -h localhost -p 389 -D "Administrator@$REALM" -w "$ADMINPASS" -b "" -s base dn=
logme 'test 6'; ldapsearch -LLL -h localhost -p 389 -D "Administrator@$REALM" -w "$ADMINPASS" -b "$REALMDN" -s base
logme 'test 7'; ldapsearch -LLL -h localhost -p 389 -D "Administrator@$REALM" -w "$ADMINPASS" -b "DC=DomainDnsZones,$REALMDN" -s base
logme 'test 8'; ldapsearch -LLL -h localhost -p 389 -D "cn=administrator,cn=users,$REALMDN" -w "$ADMINPASS" -b "cn=users,$REALMDN" -s subtree | egrep '^(dn|mail):'
kill $pid
if [ "$x" != "$IP" ] || [ "$y" != "$IP" ]; then
    echo "$x should be $IP"
    exit
fi

logme 'fix missing SysV init script'
(cd /etc/rc.d/init.d
 cp smb samba
 sed -i -e 's/smbd/samba/g' samba
 sed -i -e 's/SMBD/SAMBA/g' samba
 sed -i -e 's/SMB/SAMBA/g'  samba
 sed -i -e 's,subsys/smb,subsys/samba,g' samba
)
chkconfig --add samba
chkconfig --levels 2345 samba on
# https://bugzilla.redhat.com/show_bug.cgi?id=1013878
setsebool -P samba_export_all_rw=true
service samba start

logme 'now point our own resolv.conf into samba'
mv -f /etc/resolv.conf /etc/resolv.conf.save
cat >/etc/resolv.conf <<EOF
nameserver $IP
domain $REALM
EOF

logme 'fix missing part of ocsmanager, need to rebuild part of openchange from source'
# http://www.sogo.nu/bugs/view.php?id=3012
(
    mkdir tmpbuilder
    cd tmpbuilder
    yum -y install samba-devel samba-pidl python-devel memcached-devel libmemcached-devel
    yum -y install mysql-devel cyrus-sasl-devel ## dependencies not caught by ./configure
    yum -y groupinstall 'Development Tools'
    git clone https://github.com/openchange/openchange.git
    cd openchange
    sed -i -e 's,libmemcached >= 1.0.8,libmemcached >= 0.49,g' configure.ac
    ./autogen.sh
    ./configure --prefix=/usr --enable-pyopenchange
    make
    logme $(pwd) 'find mapistore and openchange directories'
    cp python/openchange/mapistore.so /usr/lib64/python2.6/site-packages/openchange/
)

logme 'fixup boot time config for eth0'
sed -i -r -e "s/(DNS.=).*$/\1$IP/g"      /etc/sysconfig/network-scripts/ifcfg-eth0
sed -i -r -e "s/(DOMAIN=).*$/\1$REALM/g" /etc/sysconfig/network-scripts/ifcfg-eth0

logme 'add user account for backend'
# this default could be changed in
# /etc/sysconfig/sogo but the rpm has already created the local
# account, so we use that default
samba-tool user add sogo "$ADMINPASS"

# there are many errors in the cookbook at
# http://www.openchange.org/cookbook/backends/sogo/index.html
#
# key=value; lines missing the = and trailing ;

# remove other conf file, as claimed below, but the format of
# ~sogo/GNUstep/Defaults/.GNUstepDefaults does not look anything
# like this one. That one is xml, this one plist.
mv ~sogo/GNUstep/Defaults ~sogo/GNUstep/Defaults.save
# and that movement does not seem to do any good, since the file
# is recreated when sogod restarts.

logme 'replace entire sogo conf file here'
mv /etc/sogo/sogo.conf /etc/sogo/sogo.conf.save
cat >/etc/sogo/sogo.conf <<EOF
{
  /* *********************  Main SOGo configuration file  **********************
   *                                                                           *
   * Since the content of this file is a dictionary in OpenStep plist format,  *
   * the curly braces enclosing the body of the configuration are mandatory.   *
   * See the Installation Guide for details on the format.                     *
   *                                                                           *
   * C and C++ style comments are supported.                                   *
   *                                                                           *
   * This example configuration contains only a subset of all available        *
   * configuration parameters. Please see the installation guide more details. *
   *                                                                           *
   * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,    *
   * make sure to move it away to avoid unwanted parameter overrides.          *
   *                                                                           *
   * **************************************************************************/

    /* General */
    WOPort = 20000;
    WOLogFile = /var/log/sogo/sogo.log;
    WOPidFile = /var/run/sogo/sogo.pid;
    SOGoTimeZone = "$ZONE";
    SOGoMailDomain = $MAILDOMAIN;
    SOGoPasswordChangeEnabled = YES;
    SOGoLanguage = English;
    SOGoMemcachedHost = localhost;
    SxVMemLimit = 384;
    SOGoCalendarDefaultRoles = (PublicDAndTViewer,ConfidentialDAndTViewer);

    /* Database configuration */
    SOGoProfileURL = "mysql://openchange-user:$ADMINPASS@localhost/openchange/sogo_user_profile";
    OCSFolderInfoURL = "mysql://openchange-user:$ADMINPASS@localhost/openchange/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://openchange-user:$ADMINPASS@localhost/openchange/sogo_sessions_folder";

    /* common imap and smtp */
    SOGoForceExternalLoginWithEmail = YES;

    /* imap */
    NGImap4ConnectionStringSeparator = ".";
    SOGoIMAPAclConformsToIMAPExt = NO;
    SOGoMailSpoolPath = /var/spool/sogo;
    SOGoIMAPServer = 127.0.0.1:143;
    SOGoSieveServer = sieve://127.0.0.1:4190;
    SOGoDraftsFolderName = Drafts;
    SOGoSentFolderName = Sent;
    SOGoTrashFolderName = Trash;
    SOGoMailShowSubscribedFoldersOnly = NO;

    /* smtp */
    SOGoSMTPServer = 127.0.0.1;
    SOGoMailingMechanism = smtp;

    /* Notifications */
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoACLsSendEMailNotifications = NO;
    SOGoFoldersSendEMailNotifications = NO;

    /* LDAP AD/Samba4 example */
    SOGoUserSources = (
        {
            id = sambaLogin;
            displayName = "SambaLogin";
            canAuthenticate = YES;
            type = ldap;
            CNFieldName = displayName;
            IDFieldName = cn;
            UIDFieldName = sAMAccountName;
            hostname = "ldap://127.0.0.1";
            baseDN = "CN=Users,$REALMDN";
            bindDN = "CN=sogo,CN=Users,$REALMDN";
            bindPassword = "$ADMINPASS";
            bindFields = (sAMAccountName);
        },
        {
            id = sambaShared;
            displayName = "Shared Addressbook";
            canAuthenticate = NO;
            isAddressBook = YES;
            type = ldap;
            CNFieldName = cn;
            IDFieldName = mail;
            UIDFieldName = mail;
            hostname = "ldap://127.0.0.1";
            baseDN = "$REALMDN";
            bindDN = "CN=sogo,CN=Users,$REALMDN";
            bindPassword = "$ADMINPASS";
            filter = "((NOT isCriticalSystemObject='TRUE') AND (mail=\'*\') AND (NOT objectClass=contact))";
        },
        {
            id = sambaContacts;
            displayName = "Shared Contacts";
            canAuthenticate = NO;
            isAddressBook = YES;
            type = ldap;
            CNFieldName = cn;
            IDFieldName = mail;
            UIDFieldName = mail;
            hostname = "ldap://127.0.0.1";
            baseDN = "$REALMDN";
            bindDN = "CN=sogo,CN=Users,$REALMDN";
            bindPassword = "$ADMINPASS";
            filter = "((((objectClass=person) AND (objectClass=contact) AND ((uidNumber>=2000) OR (mail='*')))
                     AND (NOT isCriticalSystemObject='TRUE') AND (NOT showInAdvancedViewOnly='TRUE') AND (NOT uid=Guest))
                     OR (((objectClass=group) AND (gidNumber>=2000)) AND (NOT isCriticalSystemObject='TRUE') AND (NOT showInAdvancedViewOnly='TRUE')))";
            mapping = {
                          displayname = ("cn");
                      };
        }
    );

    /* Web Interface */
    SOGoPageTitle = SOGo;
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveScriptsEnabled = YES;
    SOGoMailAuxiliaryUserAccountsEnabled = YES;
    SOGoTrustProxyAuthentication = NO;

    /* Debug */
    GCSFolderDebugEnabled = YES;
    GCSFolderStoreDebugEnabled = YES;
    ImapDebugEnabled = YES;
    LDAPDebugEnabled = YES;
    MySQL4DebugEnabled = YES;
    NGImap4DisableIMAP4Pooling = YES;
    OCSFolderManagerSQLDebugEnabled = YES;
    PGDebugEnabled = YES;
    SOGoDebugRequests = YES;
    SOGoMailKeepDraftsAfterSend = YES;
    SOGoUIxDebugEnabled = YES;
    SoDebugBaseURL = YES;
    SoDebugObjectTraversal = YES;
    SoSecurityManagerDebugEnabled = YES;
    WODebugZipResponse = YES;
    WODontZipResponse = YES;
}
EOF

logme 'fixup apache/sogo config'
# http://www.openchange.org/cookbook/backends/sogo/webui.html
fn=/etc/httpd/conf.d/SOGo.conf
sed -i -e "s/https:/http:/g" $fn
sed -i -e "s/yourhostname/$REALM/g" $fn
sed -i -e "s/443/80/g" $fn

logme 'apache needs to connect to proxy port 20000'
setsebool -P httpd_can_network_connect=true
setsebool -P httpd_can_sendmail=true

logme 'configure memcached to only listen on localhost'
cat >>/etc/sysconfig/memcached <<EOF
OPTIONS="-l localhost"
EOF

logme 'error in rpmforge/extras/memcached - missing directory for pid file'
mkdir /var/run/memcached
chown nobody:nobody /var/run/memcached

logme 'start apache'
chkconfig --levels 2345 httpd on
chkconfig --levels 2345 haveged on
chkconfig --levels 2345 memcached on
service memcached start
service haveged start
# do some work to help gather entropy
for i in {1..10}; do
    ps axf >/dev/null
    sleep 1
done
service httpd start

logme 'start sogo'
service sogod restart
sleep 10
curl -L http://$REALM/SOGo | grep -q 'loginScreen'
if [ $? -eq 1 ]; then
    echo "sogo not running properly"
    echo "try http://$REALM/SOGo"
    exit
fi

logme 'create the user account for dovecot'
# system account since centos selinux tries to relable all user home directories
# and we want to keep /var/spool/mail as mail_spool_t
useradd -r -s /bin/bash -d /var/spool/mail -G mail vmail
chown -R vmail:vmail /var/spool/mail

logme 'configure and start dovecot'
# http://www.openchange.org/cookbook/backends/sogo/dovecot.html
sed -i -e 's/^..include_try/\!include_try/g' /etc/dovecot/dovecot.conf
sed -i -e 's/^\!include auth-system.conf/#\!include auth-system.conf/g' /etc/dovecot/conf.d/10-auth.conf
vmailuid=$(id -u vmail)
vmailgid=$(id -g vmail)
cat >/etc/dovecot/local.conf <<EOF
disable_plaintext_auth = no
mail_location = maildir:/var/spool/mail/%u
mail_uid = vmail
mail_gid = vmail
auth_username_format = %Ln
auth_first_valid_uid = $vmailuid
auth_last_valid_uid = $vmailuid
first_valid_uid = $vmailuid
last_valid_uid = $vmailuid
first_valid_gid = $vmailgid
last_valid_gid = $vmailgid

passdb {
    args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
    driver = ldap
}

userdb {
    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
    driver = ldap
}

service auth {
    unix_listener auth-master {
        group = vmail
        mode = 0600
        user = vmail
    }
    unix_listener auth-userdb {
        user = vmail
    }
    user = root
}

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

protocols = imap sieve

protocol lda {
    hostname = $REALM
    postmaster_address = postmaster@$MAILDOMAIN
    mail_plugins = \$mail_plugins sieve
}

protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
}
EOF
# https://wiki.archlinux.org/index.php/OpenChange_Server#LDAP_configuration_2
# http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
cat >/etc/dovecot/dovecot-ldap-passdb.conf.ext <<EOF
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,cn=users,$REALMDN
ldap_version = 3
base = $REALMDN
scope = subtree
deref = never
EOF
cat >/etc/dovecot/dovecot-ldap-userdb.conf.ext <<EOF
hosts = localhost
dn = cn=administrator,cn=users,$REALMDN
dnpass = $ADMINPASS
ldap_version = 3
base = cn=users,$REALMDN
scope = subtree
deref = never
user_attrs = =home=/var/spool/mail/%u
user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
# Attributes and filter to get a list of all users
iterate_attrs = sAMAccountName=user
iterate_filter = (&(objectClass=person)(mail=*))
EOF

logme 'fix permissions for config file'
chmod 600 /etc/dovecot/dovecot-ldap-userdb.conf.ext

# install selinux patch to allow dovecot to talk to the samba ldap socket
# http://iabsis.com/EN/article/35-6/Dovecot-installation
# but that did not help with authentication.
if [ 1 -eq 0 ]; then
modulename=oc-patch
cat >$modulename.te <<EOF
module oc-patch 1.0;

require {
	type dovecot_auth_t;
	type samba_var_t;
    type unconfined_t;
	class sock_file write;
    class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t samba_var_t:sock_file write;
allow dovecot_auth_t unconfined_t:unix_stream_socket connectto;
EOF
makesemodule $modulename
fi

logme 'restart dovecot'
chkconfig --levels 2345 dovecot on
service dovecot restart

logme 'configure and start sendmail'
# http://wiki2.dovecot.org/LDA/Sendmail
cat >/usr/share/sendmail-cf/mailer/dovecot.m4 <<EOF
PUSHDIVERT(-1)
# http://sites.google.com/site/mclroy/dovecot/dovecot-m4
#
# Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers.
#    All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
# Copyright © 2010 Michael Roy <mclroy@gmail.com>
# License: GNU GPL version 3 or later <http://www.gnu.org/licenses/gpl.html>
#

_DEFIFNOT(\`DOVECOT_MAILER_MAX', \`ifdef(\`SMTP_MAILER_MAX', \`SMTP_MAILER_MAX', \`10240000')')
_DEFIFNOT(\`DOVECOT_MAILER_PATH', \`/usr/libexec/dovecot/dovecot-lda')
_DEFIFNOT(\`DOVECOT_MAILER_FLAGS', \`l59DFMPhnu')
_DEFIFNOT(\`DOVECOT_MAILER_ARGS', \`/usr/libexec/dovecot/dovecot-lda -d \$u')
_DEFIFNOT(\`DOVECOT_MAILER_USER', \`keeper:mail')

POPDIVERT

######################################################################
###         Dovecot-lda Mailer specification                       ###
######################################################################

Mdovecot,    P=DOVECOT_MAILER_PATH,
        F=DOVECOT_MAILER_FLAGS,
        S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
        _OPTINS(\`DOVECOT_MAILER_MAX', \`M=', \`, ')
        _OPTINS(\`DOVECOT_MAILER_USER', \`U=', \`, ')
        T=DNS/RFC822/X-Unix,
        A=DOVECOT_MAILER_ARGS
EOF

# http://jmaimon.com/sendmail/anfi.homeunix.net/sendmail/localNalias.html
cat >/etc/mail/mailertable <<EOF
DOVECOT  dovecot:localhost
LOCAL    local:
EOF

cat >/etc/mail/access <<EOF
to:DOVECOT  REJECT
to:LOCAL    REJECT
EOF

cat >/etc/mail/local-host-names <<EOF
$MAILDOMAIN
$REALM
$HOST.$REALM
EOF

cat >/etc/mail/genericstable <<EOF
EOF

cat >/etc/mail/virtusertable <<EOF
@$MAILDOMAIN                error:nouser User unknown
@$REALM                     error:nouser User unknown
@$HOST.$REALM               error:nouser User unknown
postmaster@$MAILDOMAIN      root@LOCAL
postmaster@$REALM           root@LOCAL
postmaster@$HOST.$REALM     root@LOCAL
root@$REALM                 root@LOCAL
virusscan@$REALM            root@LOCAL
amavis@$REALM               root@LOCAL
administrator@$MAILDOMAIN   administrator@DOVECOT
administrator@$REALM        administrator@DOVECOT
EOF

touch /etc/mail/relay-domains

cat >/etc/mail/sendmail.ct <<EOF
root
daemon
virusscan
amavis
EOF

cat > /etc/mail/virtual-host-domains <<EOF
# even though these domains are not local (not in class w)
# we look them up in virtusertable for exceptions before
# relay processing or mailertable processing
EOF

cat >/etc/mail/submit.mc <<EOF
divert(-1)
#
# Copyright (c) 2001, 2002 Sendmail, Inc. and its suppliers.
#       All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
#
#  This is the prototype file for a set-group-ID sm-msp sendmail that
#  acts as a initial mail submission program.
#
divert(0)dnl
include(\`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(\`linux setup for Red Hat Linux')
define(\`confCF_VERSION', \`Submit')
define(\`__OSTYPE__',\`')dnl dirty hack to keep proto.m4 from complaining
define(\`_USE_DECNET_SYNTAX_', \`1')dnl support DECnet
define(\`confTIME_ZONE', \`USE_TZ')
define(\`confPID_FILE', \`/var/run/sm-client.pid')
dnl define(\`confDIRECT_SUBMISSION_MODIFIERS',\`C')
define(\`ALIAS_FILE', /etc/mail/aliases)
define(\`MAIL_SETTINGS_DIR', \`/etc/mail/')
define(\`confCT_FILE', \`/etc/mail/sendmail.ct')
define(\`confDOUBLE_BOUNCE_ADDRESS', \`')
define(\`confLOG_LEVEL', \`20')
define(\`confQUEUE_LA', 25)
define(\`confREFUSE_LA', 20)
define(\`MILTER', 1)
define(\`STATUS_FILE', /var/log/mail/sm-client.st)
INPUT_MAIL_FILTER(\`milter-amavisd', \`S=local:/var/run/amavisd/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')
FEATURE(\`always_add_domain')
FEATURE(\`use_ct_file')
FEATURE(\`genericstable',\`hash /etc/mail/genericstable.db')
FEATURE(\`masquerade_envelope')dnl
MASQUERADE_AS(\`$MAILDOMAIN')dnl
MASQUERADE_DOMAIN(\`$REALM')dnl
MASQUERADE_DOMAIN(\`$HOST.$REALM')dnl
FEATURE(\`msp')
EOF

cat >/etc/mail/sendmail.mc <<EOF
divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/mail/sendmail.cf by running the following command:
dnl
dnl        m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
dnl
include(\`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(\`linux setup for Red Hat Linux')
OSTYPE(\`linux')
undefine(\`UUCP_RELAY')
undefine(\`BITNET_RELAY')
define(\`ALIAS_FILE', /etc/mail/aliases)
define(\`confAUTH_MECHANISMS', \`LOGIN PLAIN')
define(\`confAUTH_OPTIONS', \`A')
define(\`confBAD_RCPT_THROTTLE', 2)
define(\`confCONNECTION_RATE_THROTTLE', 1)
define(\`confCR_FILE', \`/etc/mail/relay-domains')
define(\`confCT_FILE', \`/etc/mail/sendmail.ct')
define(\`confCW_FILE', \`/etc/mail/local-host-names')
define(\`confDEF_USER_ID',\`\`8:12'')
define(\`confDONT_PROBE_INTERFACES',true)
define(\`confDOUBLE_BOUNCE_ADDRESS', \`')
define(\`confLOG_LEVEL', \`20')
define(\`confMAX_DAEMON_CHILDREN', \`30')
define(\`confMAX_MESSAGE_SIZE', 30000000)
define(\`confMAX_RCPTS_PER_MESSAGE',500)
define(\`confME_TOO', true)
define(\`confPRIVACY_FLAGS', \`goaway,nobodyreturn,noreceipts')
define(\`confQUEUE_LA', 25)
define(\`confREFUSE_LA', 20)
define(\`confTO_COMMAND', \`2m')
define(\`confTO_CONNECT', \`1m')
define(\`confTO_DATABLOCK', \`3m')
define(\`confTO_IDENT', \`0')
define(\`confTO_QUEUERETURN', \`5d')dnl
define(\`confTO_QUEUEWARN', \`10d')dnl
define(\`confTO_STARTTLS', \`3m')
define(\`DOVECOT_MAILER_USER', \`vmail:vmail')
define(\`MAIL_SETTINGS_DIR', \`/etc/mail/')
define(\`MILTER', 1)
define(\`PROCMAIL_MAILER_PATH',\`/usr/bin/procmail')
define(\`STATUS_FILE', /var/log/mail/statistics)
define(\`confSMTP_LOGIN_MSG',\`\$?{if_name}\${if_name}\$|\$j\$. Sendmail \$v/\$Z; \$b')
FEATURE(\`no_default_msa',\`dnl')
DAEMON_OPTIONS(\`Port=smtp, Name=MTA, M=h')
DAEMON_OPTIONS(\`Port=587, Name=MSA, M=E')
FEATURE(always_add_domain)
FEATURE(local_procmail,\`',\`procmail -t -Y -a \$h -d \$u')dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(redirect)
FEATURE(use_ct_file)
FEATURE(use_cw_file)
FEATURE(\`access_db',\`hash -T<TMPF> /etc/mail/access.db')
FEATURE(\`greet_pause',\`250')
FEATURE(\`delay_checks', \`friend')
FEATURE(\`relay_hosts_only')
FEATURE(\`mailertable',\`hash /etc/mail/mailertable.db')
FEATURE(\`virtusertable',\`hash /etc/mail/virtusertable.db')
FEATURE(\`genericstable',\`hash /etc/mail/genericstable.db')
FEATURE(\`masquerade_envelope')dnl
MASQUERADE_AS(\`$MAILDOMAIN')dnl
MASQUERADE_DOMAIN(\`$REALM')dnl
MASQUERADE_DOMAIN(\`$HOST.$REALM')dnl
VIRTUSER_DOMAIN_FILE(\`/etc/mail/virtual-host-domains')
TRUST_AUTH_MECH(\`LOGIN PLAIN')dnl
INPUT_MAIL_FILTER(\`dnsbl',          \`S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')
INPUT_MAIL_FILTER(\`milter-amavisd', \`S=local:/var/run/amavisd/amavisd-milter.sock, F=T, T=S:10m;R:10m;E:10m')
MAILER(smtp)
MAILER(procmail)
MAILER(dovecot)dnl
define(\`confCACERT_PATH',\`/etc/pki/tls/certs')
define(\`confCACERT',\`/etc/pki/tls/certs/ca-bundle.crt')
define(\`confSERVER_CERT',\`/etc/pki/tls/certs/sendmail.pem')
define(\`confSERVER_KEY',\`/etc/pki/tls/certs/sendmail.pem')
LOCAL_CONFIG
CPDOVECOT
EOF

logme 'move the alias file in with the other mail files'
mv /etc/aliases /etc/mail

logme 'setup saslauthd to do ldap authentication into the samba ldap server'
# https://github.com/DigitalOcean-User-Projects/Articles-and-Tutorials/blob/master/sogo_an_MS_exchange_alt.md
# http://www.su4me.de/soft_gw_so.html
# http://comments.gmane.org/gmane.mail.imap.cyrus/11782
cat >/etc/saslauthd.conf <<EOF
ldap_servers: ldap://localhost:389
ldap_version: 3
ldap_auth_method: fastbind
ldap_filter: cn=%u,cn=Users,$REALMDN
ldap_scope: sub
EOF

cat >>/etc/sysconfig/saslauthd <<EOF
MECH=ldap
DAEMONOPTS="--user saslauth"
EOF

logme 'setup permissions'
chown saslauth:saslauth /var/run/saslauthd
chown saslauth:saslauth /etc/saslauthd.conf
chmod 600               /etc/saslauthd.conf

logme 'create sendmail config and restart servers'
(cd /etc/mail; make)
chkconfig --levels 2345 saslauthd on
chkconfig --levels 2345 sendmail on
service saslauthd restart
service sendmail restart
newaliases

logme 'test sendmail users'
sendmail -bv postmaster@$REALM
sendmail -bv administrator@$MAILDOMAIN
# johndoe created below, should fail here
sendmail -bv johndoe@$MAILDOMAIN

logme 'create a dovecot test user'
makeauser johndoe "$ADMINPASS"

logme 'test sasl authentication, so sendmail smtp auth should work properly now, first two succeed, last one fails'
testsaslauthd -u administrator -p "$ADMINPASS"
testsaslauthd -u johndoe -p "$ADMINPASS"
# this one should fail
testsaslauthd -u johndoe -p x"$ADMINPASS"

#logme 'import your users from stdin'
#while read user pass; do
#    makeauser "$user" "$pass"
#done

logme 'test sending mail'
ls -alt /var/spool/mail/johndoe/new
echo "$(date) this is a simple test" | mail -s 'subject here' -r administrator@$REALM johndoe@$MAILDOMAIN
sleep 15
ls -alt /var/spool/mail/johndoe/new

logme 'test dovecot login'
nc -i 4 localhost 143 <<EOF
1 LOGIN johndoe $ADMINPASS
EOF
nc -i 4 localhost 143 <<EOF
1 LOGIN johndoe@$REALM $ADMINPASS
EOF

logme 'allow abrtd to process unpackaged files'
fn=/etc/abrt/abrt-action-save-package-data.conf
sed -i -e 's/ProcessUnpackaged = no/ProcessUnpackaged = yes/g' $fn
sed -i -e 's/OpenGPGCheck = yes/OpenGPGCheck = no/g'           $fn
service abrtd restart

logme 'configure ocsmanager'
# http://www.openchange.org/cookbook/ocsmanager.html
# http://www.sogo.nu/files/docs/SOGo%20Native%20Microsoft%20Outlook%20Configuration.pdf
# https://wiki.archlinux.org/index.php/OpenChange_Server#Apache
# http://www.sogo.nu/bugs/view.php?id=3012
mv /etc/ocsmanager/ocsmanager.ini /etc/ocsmanager/ocsmanager.ini.save
cat >/etc/ocsmanager/ocsmanager.ini <<EOF
#
# ocsmanager - Pylons configuration
#
# The %(here)s variable will be replaced with the parent directory of this file
#
[DEFAULT]
debug = true
email_to = postmaster@$MAILDOMAIN
smtp_server = localhost
error_email_from = root@$MAILDOMAIN

[main]
# Possible authentication system
auth = ldap
mapistore_root = /var/lib/samba/private
mapistore_data = /var/lib/samba/private/mapistore
debug = yes

[auth:ldap]
host = ldap://localhost
port = 389
bind_dn = CN=Users,$REALMDN
bind_pw = $ADMINPASS
basedn = CN=Users,$REALMDN
#filter = (cn=%s)
#attrs = userPassword, x-isActive

[server:main]
use = egg:Paste#http
host = 127.0.0.1
port = 5000
protocol_version = HTTP/1.1

[app:main]
use = egg:ocsmanager
full_stack = true
static_files = true
cache_dir = %(here)s/data
beaker.session.key = ocsmanager
beaker.session.secret = $(dd if=/dev/urandom bs=1k count=1 2>/dev/null | md5sum | cut -c-32)
app_instance_uuid = {$(uuidgen)}
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler
SAMBA_HOST = 127.0.0.1

[rpcproxy:ldap]
host = localhost
port = 389
basedn = CN=Users,$REALMDN

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions

# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
# Debug mode will enable the interactive debugging tool, allowing ANYONE to
# execute malicious code after an exception is raised.
set debug = false

[autodiscover:rpcproxy]
# We assume the autodiscover host and the EWS (Free/Busy) are in the same host
# external_hostname = hostname
# Require SSL to logon. Default value is false
# ssl = true

[outofoffice]
# Path of the sieve script for the user
#   Expansion variables (example user.name@example.com):
#       \$domain   = example.com
#       \$user     = user.name
#       \$fulluser = user.name@example.com
sieve_script_path = /var/spool/mail/\$user/sieve-script
# If the sieve script directory hierarchy does not exists it will be created
sieve_script_path_mkdir = false

# Logging configuration
[loggers]
keys = root

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s
EOF
chmod 640 /etc/ocsmanager/ocsmanager.ini
chkconfig --add openchange-ocsmanager
service openchange-ocsmanager start

logme 'create directories needed for ssl keys'
mkdir /etc/httpd/certs

logme 'End of phase 1: manually generate the sendmail, dovecot and'
echo  'web server ssl keys, get them signed and installed.'
echo  'you might script that, then continue with phase2'
echo  ''
echo  'install keys into:'
echo  '   /etc/pki/tls/certs/sendmail.pem'
echo  '   /etc/pki/dovecot/certs/dovecot.pem'
echo  '   /etc/pki/dovecot/private/dovecot.pem'
echo  "   /etc/httpd/certs/$REALM.cert"
echo  "   /etc/httpd/certs/$REALM.key"
echo  "   /etc/httpd/certs/$AUTODISC.cert"
echo  "   /etc/httpd/certs/$AUTODISC.key"
echo  ''
echo  'place the CA certificate in /tmp/*.pem if you have your own'
echo  'certificate authority. Otherwise, we assume the certificates'
echo  'above are signed by a public CA.'
}
## end of phase 1



function phase2() {
    logme 'starting phase 2, ssl configuration'
    setupenv unused unused

    logme 'restart dovecot/sendmail to pickup new ssl keys'
    service dovecot restart
    service sendmail restart

    logme 'configure apache ssl'
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
    cat >>/etc/httpd/conf.d/$REALM.conf <<EOF
<VirtualHost $REALM:443>
    ServerName $REALM
    DocumentRoot /var/www/html
    ServerAdmin administrator@$MAILDOMAIN
    CustomLog /var/log/httpd/access_log combined
    SSLEngine             on
    SSLProtocol           all -SSLv2 -SSLv3
    SSLCipherSuite        ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder   on
    #SSLCompression        off
    Header                add Strict-Transport-Security "max-age=15768000"
    SSLCertificateFile    /etc/httpd/certs/$REALM.cert
    SSLCertificateKeyFile /etc/httpd/certs/$REALM.key
</VirtualHost>
<VirtualHost $AUTODISC:443>
    ServerName $AUTODISC
    DocumentRoot /var/www/html
    ServerAdmin administrator@$MAILDOMAIN
    CustomLog /var/log/httpd/access_log combined
    SSLEngine             on
    SSLProtocol           all -SSLv2 -SSLv3
    SSLCipherSuite        ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder   on
    #SSLCompression        off
    Header                add Strict-Transport-Security "max-age=15768000"
    SSLCertificateFile    /etc/httpd/certs/$AUTODISC.cert
    SSLCertificateKeyFile /etc/httpd/certs/$AUTODISC.key
</VirtualHost>
EOF

    logme 'restart apache for new config'
    service httpd restart
    ca=$(ls -1 /tmp/*.pem 2>/dev/null | head -1)
    if [ -n "$ca" ]; then
        curl -L --cacert "$ca" https://$REALM/SOGo | grep -q 'loginScreen'
    else
        curl -L https://$REALM/SOGo | grep -q 'loginScreen'
    fi
    if [ $? -eq 1 ]; then
        echo "sogo not running properly, perhaps the ssl key is not properly signed"
        echo "try https://$REALM/SOGo"
        exit
    fi
}


# run the specified phase with arguments
$1 "$2" "$3"

# openchange.bash phase1 'DOMAINCHANGEME' 'adminpasschangeme!'
# -- generate and install ssl keys
# openchange.bash phase2
# openchange.bash makeauser 'username' 'password'