MDM Plugin not working

fbartels

Some logs would help. So the webserver logging of your z-push instance, webserver logging of your kopano webapp instance. some network details, etc.

icey

Hi Felix,

What further information do you need? And how should i provide logs?
Some network details? It is just a vserver and on it the mysql, apache, postfix is running. No further server which is connected. A fail2ban is also running.
The z-push is working for iOS device and so on. Just the MDM plugin brings this error and i can´t figure it out,

Thanks
Markus

fbartels

@fbartels said in MDM Plugin not working:

webserver logging of your z-push instance, webserver logging of your kopano webapp instance

Additionally is SSL involved? What kind of certificate? Redirect to ssl?

icey

Hi fbartels,

here are the requested logs, hopefully all you need for helping.
sapper-plus.de/kopano.rar

Thanks in advance
Markus

fbartels

That link does not contain the archive. What about my other questions,

icey

it contains the archive, nothing else! it is a rar archive and its working. what do you see when clicking the link?

The other questions: yes of course i use ssl with a certificate from lets encrypt. but mdm connects locally without ssl. i got a rdirect set for those who try reaching webapp by http.

fbartels

Interesting now its downloading. like five minutes ago it still gave an “under construction” like webpage.

fbartels

I checked the apache logfile and could fine two calls to the soap backend feeding data to the mdm plugin. what is interesting here is that your call looks like

:443 195.225.105.159 - - [10/Feb/2018:11:24:25 +0100] "POST /?Cmd=WebserviceInfo&DeviceId=webservice&DeviceType=webservice&User=gustav HTTP/1.1" 200 3907 "-" "PHP-SOAP/5.6.33-0+deb8u1"`

while on my testsystem it looks like this:

::1 - felix [11/Feb/2018:12:13:24 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=WebserviceDevice&DeviceId=webservice&DeviceType=webservice&User=felix HTTP/1.1" 200 895 "-" "PHP-SOAP/5.6.30-0+deb8u1"

The missing Microsoft-Server-ActiveSync part would suggest that something is wrong with your apache configuration imho. Additionally you should check if your z-push is actually reachable by the data specified in /etc/kopano/webapp/config-mdm.php.

icey

Hi Felix,
in the /etc/kopano/webapp/config-mdm.php nothing special is configured:

<?php
define('PLUGIN_MDM_USER_DEFAULT_ENABLE_MDM', false);
define('PLUGIN_MDM_SERVER', 'localhost');
define('PLUGIN_MDM_SERVER_SSL', false);
?>

And in Apache it looks like this:

Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php 
<Directory /usr/share/z-push>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order allow,deny
    Allow from all
    php_flag magic_quotes_gpc off
    php_flag register_globals off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on
    
    RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://sapper-plus.de/Microsoft-Server-ActiveSync/ [R]
</Directory>


<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/letsencrypt/live/sapper-plus.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sapper-plus.de/privkey.pem
#ServerName sapper-plus.de
</VirtualHost>

So the funny thing is, that on another server it is configured nearly the same, and there is everything working fine…

Greetz
Markus

fbartels

I’d remove the RewriteRule (.*) https://sapper-plus.de/Microsoft-Server-ActiveSync/ [R] line and try again.

icey

Hi Felix,

unfortunately no change. Still same prob. Also in the webapp there is shown at z-push: “version not available”

Greetz
Markus

fbartels

Hi @icey ,

then I’m unfortunately at the end of my direct ideas. If you have a subscription I would recommend to get in contact with our support so that someone can have a direct look at your system.

thctlo

I suggest that you configure your vhost better.

define(‘PLUGIN_MDM_SERVER’, ‘localhost’);
change localhost to you webserver vhostname.
enable SSL because https://sapper-plus.de is set on ssl.

now, about the vhost config.
sapper-plus.de < is NOT a hostname but a domainname, and should only be used as an alias for your top level site ( for example www. )
yes, it works, but is more confusing imo. i suggest, in your dns create, www and mail as hostnames.

Setup a dedicated hostname for the ssl vhost, configure it.

i’ll show my example for apache on debian stretch.

# Non SSL
<VirtualHost mail.example.com:80>

    ServerAdmin webmaster@example.com
    ServerName mail.example.com
	# Note autodiscover, works only if you use a wildcard, ! Lets Encrypt does not support wildards yet. 
        # you may put this (autodisover) also in www or toplevel vhost config. 
    ServerAlias autodiscover.example.com mail autodiscover

    DocumentRoot /usr/share/kopano-webapp/
    ServerSignature Off
    <Directory "/usr/share/kopano-webapp">
        Require all denied
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/mail-error.log
    CustomLog ${APACHE_LOG_DIR}/mail-access.log combined

    ## kopano settings. 
	## by default a2enmod enables for all sites, i dont like that.
	## so i run a2disconf kopano-webapp and include the config.
    Include /etc/apache2/conf-available/kopano-webapp.conf

    # Make sure that your using ssl.
    RewriteEngine   On
    RewriteCond     %{HTTPS}        off
    RewriteRule     ^(.*)$          https://mail.example.com/%{REQUEST_URI} [L,R]

</VirtualHost>
# SSL 
<VirtualHost mail.example.com:443>

    ServerAdmin webmaster@example.com
    ServerName mail.example.com
	# Note, this only works if you use a wildcard ssl.
    ServerAlias autodiscover.example.com

    DocumentRoot /usr/share/kopano-webapp

    ErrorLog ${APACHE_LOG_DIR}/mail1-internal-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/mail1-internal-ssl-access.log combined
    ServerSignature Off

    <IfModule mod_ssl.c>
        SSLEngine on
		# Do change these to your own certs. 
        SSLCertificateFile      /etc/ssl/certs/cert4096.pem
        SSLCertificateKeyFile   /etc/ssl/private/key.pem
        SSLCACertificateFile    /etc/ssl/certs/ca.pem

        # Add the following to your Apache config.
		# ! Note Debian 8 may not like this. 
        #SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh/dh4096.pem"

		# adviced to use only tls1.2
        # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
		SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

        SSLHonorCipherOrder On

        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        SSLHonorCipherOrder on
        SSLStrictSNIVHostCheck Off
        SSLCompression Off
      
	</IfModule>

    ## kopano settings.
	Include /etc/apache2/conf-available/kopano-webapp.conf

	Include /etc/apache2/conf-available/z-push.conf
	#    Include /etc/apache2/conf-available/z-push-autodiscover.conf

</VirtualHost>

now use the z-push repo,
https://wiki.z-hub.io/display/ZP/Installation#Installation-DebianundUbuntubasedsystems

setup a “file” repo for you kopano files" or install manualy kopano-webapp-plugin-mdm and the needed other packages.

reboot, and connect your Phone. If that does not work, i’ll eat my shoe, then is a bug you did hit.
This works fine here on ubuntu 16.04, debian 8 and debian 9.

thctlo

ps.
443 195.225.105.159 - - [10/Feb/2018:11:24:25 +0100] “POST /?Cmd=WebserviceInfo&DeviceId=webservice&DeviceType=webservice&User=gustav HTTP/1.1” 200 3907 “-” “PHP-SOAP/5.6.33-0+deb8u1”`

This is an incorrect redirect, to a wrong vhost/ip which is not configured,
This is, as far i can see, only configured in the “non-ssl” : RewriteRule (.*) https://sapper-plus.de/Microsoft-Server-ActiveSync/ [R]

so logical that its hard to see.

icey

Hi thctlo,

thanks for your answer. I will give this a try and have a detailed look at my apache conf. I will come back with my results at the weekend. Before i don´t have time to work on that.
Thanks
Markus

icey

Hi @ all,

fixing the apache confs and renewing all certificates MDM Plugin now works fine.

THANKS FOR HELP!!!

Greetz
Markus