Upgrading RC4 to Final¶

To upgrade a RC4 installation to Final, go to the Software Center page and follow Server Manager instructions.

config delete admins
/etc/e-smith/events/actions/initialize-default-databases

config setprop dovecot SharedMailboxesStatus enabled
signal-event nethserver-mail-server-update

Changelog¶

NethServer Final changelog

Known bugs¶

• List of known bugs
• Discussions around possible bugs

Discontinued packages¶

The following packages were available in the previous 6 release and have been removed in 7:

• nethserver-collectd-web: replaced by nethserver-cgp
• nethserver-password: integrated inside nethserver-sssd
• nethserver-faxweb2: see the discussion faxweb2 vs avantfax.
• nethserver-fetchmail: replaced by getmail
• nethserver-ocsinventory, nethserver-adagios: due to compatibility problems with Nagios, these modules will be mantained only on NethServer 6 release

Minimum requirements¶

Minimum requirements are:

• 64 bit CPU (x86_64)
• 1 GB of RAM
• 10 GB of disk space

Installation types¶

NethServer supports two installation modes. In short:

Installing from ISO

• Download the ISO image
• Prepare a DVD or USB stick
• Follow the wizard

Installing from YUM

• Install CentOS Minimal
• Configure the network
• Install from network

Installing from ISO¶

dd if=NethServer.iso of=/dev/sdc

raid=none

disks=sdx,sdy

fspassword=s3cr3t

Install on CentOS¶

It is possible to install NethServer on a fresh CentOS minimal installation using a couple of commands to download the additional software packages. This installation method is designed for virtual private servers (VPS) where CentOS comes already installed by the VPS provider.

Enable NethServer software repositories with this command:

yum localinstall -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm

To install the base system, run:

nethserver-install

Alternatively, to install base system and additional modules, pass the name of the module as a parameter to the install script. Example:

nethserver-install nethserver-mail nethserver-nextcloud

Next steps¶

At the end of the installation procedure, access the server-manager to install additional software.

Login¶

The login page will give you a trusted access to the web interface. Log in as root and type the password chosen during NethServer installation.

Change the current password¶

You can change the root password from the web interface by going to the root@host.domain.com label on the upper right corner of the screen and clicking on Profile.

The login page allows selecting an alternative language among those already installed on the system. After logging in, go to the Software center page to install additional languages.

Logout¶

Terminate the current Server Manager session by going to the root@host.domain.com label on the upper right corner of the screen and by clicking on Logout.

Software updates¶

Updates for the installed software are listed under the Updates tab. A message appears when software updates are available.

List of installed packages¶

The complete list of installed RPM packages is available under Installed > Packages.

The section Installed software displays all packages already installed into the system with the full package version.

Additional languages¶

The Server Manager allows selecting the interface language at the login screen. Only installed languages are listed.

In Available tab, select the Languages category and install the desired languages.

Dashboard¶

The Dashboard page is the landing page after a successful login. The page will display the status and configuration of the system.

Network¶

The Network page configures how the server is connected to the local network (LAN) and/or other networks (i.e. Internet).

If the server has firewall and gateway functionality, it will handle extra networks with special functions like DMZ (DeMilitarized Zone) and guests network.

NethServer supports an unlimited number of network interfaces. Any network managed by the system must follow these rules:

• networks must be physically separated (multiple networks can’t be connected to the same switch/hub)
• networks must be logically separated: each network must have different addresses
• private networks, like LANs, must follow address’s convention from RFC1918 document. See Address for private networks (RFC1918)

Every network interface has a specific role which determines its behavior. All roles are identified by colors. Each role corresponds to a well-known zone with special network traffic rules:

• green: local network (green role/zone). Hosts on this network can access any other configured network
• blue: guests network (blue role/zone). Hosts on this network can access orange and red networks, but can’t access the green network
• orange: DMZ network (orange role/zone). Hosts on this network can access red network, but can’t access to blue and green networks
• red: public network (red role/zone). Hosts on this network can access only the server itself

See Policy for more information on roles and firewall rules.

If the server is installed on a public VPS (Virtual Private Server), it should must be configured with a green interface. All critical services should be closed using Network services panel.

Network services¶

A network service is a service running on the firewall itself.

These services are always available to hosts on green network (local network). Access policies can be modified from Network services page.

Available policies are:

• Access only from green networks (private): all hosts from green networks and from VPNs
• Access from green and red networks (public): any host from green networks, VPNs and external networks. But not guests (blue) and DMZ (orange) networks
• Access only from the server itself (none): no host can connect to selected service

Trusted networks¶

Trusted networks are special networks (local, VPNs or remote) allowed to access special server’s services.

For example, hosts inside trusted networks can access to:

• Server Manager
• Shared folders (SAMBA)

If the remote network is reachable using a router, remember to add a static route inside Static routes page.

Static routes¶

This page allow to create special static routes which will use the specified gateway. These routes are usually used to connect private network.

Remember to add the network to Trusted networks, if you wish to allow remote hosts to access local services.

Organization contacts¶

The Organization contacts page fields are used as default values for user accounts. The organization name and address are also displayed on the Server Manager login screen.

Server certificate¶

The Server certificate page shows the currently installed X.509 certificates, and the default one provided by system services for TLS/SSL encrypted communications.

The Set as default button allows choosing the default certificate. When a new certificate is chosen, all services using TLS/SSL are restarted and network clients will be required to accept the new certificate.

When NethServer is installed a temporary default self-signed certificate is generated automatically. It should be edited by inserting proper values before configuring the network clients to use it. As alternatives, the Server certificate page allows:

• uploading an existing certificate and private RSA key. Optionally a certificate chain file can be specified, too. All files must be PEM-encoded.
• requesting a new Let’s Encrypt [1] certificate. This is possible if the following requirements are met:
  1. The server must be reachable from outside at port 80. Make sure your port 80 is open to the public Internet (you can check with sites like [2]);
  2. The domains that you want the certificate for must be public domain names associated to server own public IP. Make sure you have public DNS name pointing to your server (you can check with sites like [3]).

Shutdown¶

The machine where NethServer is installed can be rebooted or halted from the Shutdown page. Choose an option (reboot or halt) then click on submit button.

Always use this module to avoid bad shutdown which can cause data damages.

Log viewer¶

All services will save operations inside files called logs. The log analysis is the main tool to find and resolve problems. To analyze log files click in Log viewer.

This module allows to:

• start search on all server’s logs
• display a single log
• follow the content of a log in real time

Date and time¶

After installation, make sure the server is configured with the correct timezone. The machine clock can be configured manually or automatically using public NTP servers (preferred).

The machine clock is very important in many protocols. To avoid problems, all hosts in LAN can be configured to use the server as NTP server.

Inline help¶

All packages inside the Server Manager contain an inline help. The inline help explains how the module works and all available options.

These help pages are available in all Server Manager’s languages.

A list of all available inline help pages can be found at the address:

https://<server>:980/<language>/Help

Example

If the server has address 192.168.1.2, and you want to see all English help pages, use this address:

https://192.168.1.2:980/en/Help

Account providers¶

NethServer supports authentication and authorization against either a local or remote account provider.

Supported provider types are:

• Local OpenLDAP running on NethServer itself,
• Remote LDAP server with RFC2307 schema,
• Local Samba 4 Active Directory Domain Controller,
• Remote Active Directory (both Microsoft and Samba).

Be aware of the following rules about account providers:

1. Once NethServer has been bound to an account provider the FQDN cannot be changed any more.
2. Local account providers cannot be uninstalled.

Remote providers

A clean NethServer installation is ready to connect to a remote account provider of both types (LDAP, AD). The root user can configure the remote account provider from the Accounts provider page.

After NethServer has been bound to a remote account provider the User and groups page shows the domain accounts in read-only mode.

Local providers

To run a local account provider go to Software center page and install either OpenLDAP or Samba 4 account provider from the modules list.

After installing a local provider (either Samba 4 or OpenLDAP), the administrator can create, modify and delete the users and groups.

ifconfig br0 promisc

Users¶

A newly created user account remains locked until it has set a password. Disabled users are denied to access system services.

When creating a user, following fields are mandatory:

• User name
• Full name (name and surname)

A user can be added to one or more group from the Users page or from the Groups one.

Sometimes you need to block user’s access to services without deleting the account. This can be achieved using the Lock and Unlock actions.

Groups¶

A group of users can be granted some permission, such as authorize access over a shared folder. The granted permission is propagated to all group members.

Two special groups can be created. Members of these groups are granted access to the panels of the Server Manager:

• domain admins: members of this group have the same permissions as the root user from the Server Manager.
• managers: members of this group are granted access to the Management section of the Server Manager.

Admin account¶

If a local AD or LDAP provider is installed, an admin user, member of the domain admins group is created automatically. This account allows access to all configuration pages within the Server Manager. It is initially disabled and has no access from the console.

Where applicable, the admin account is granted special privileges on some specific services, such as joining a workstation to an Active Directory domain.

If NethServer is bound to a remote account provider, the admin user and domain admins group could be created manually, if they do not already exist.

If a user or group with a similar purpose is already present in the remote account provider database, but it is named differently, NethServer can be configured to rely on it with the following commands:

config setprop admins user customadmin group customadmins
/etc/e-smith/events/actions/system-adjust custom

Password management¶

The system provides the ability to set constraints on password complexity and expiration.

Password policies can be changed from web interface.

Import users¶

It is possible to create user accounts from a TSV (Tab Separated Values) file with the following format:

username <TAB> fullName <TAB> password <NEWLINE>

Example:

mario <TAB> Mario Rossi <TAB> 112233 <NEWLINE>

then execute:

/usr/share/doc/nethserver-directory-<ver>/import_users <youfilename>

For example, if the user’s file is /root/users.tsv, execute following command:

/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_users /root/users.tsv

Alternative separator character:

import_users users.tsv ','

username <TAB> emailaddress <NEWLINE>

signal-event group-create group1 user1 user2 user3
signal-event group-modify group1 user1 user3 user4

Hosts¶

The Hosts page allows you to map host names to IP addresses, whether they are local or remote.

For example, if you have an internal web server, you can associate the name www.mysite.com with the IP of the web server. Then all clients can reach the website by typing the chosen name.

Locally configured names always take precedence over DNS records from external servers. In fact, if the provider inserts www.mydomain.com with an IP address corresponding to the official web server, but inside NethServer the IP of www.mydomain.com is configured with another address, hosts inside the LAN will not be able to see the site.

Alias¶

An alias is an alternative name used to reach the local server. For example, if the server is called mail.example.com, you can create a DNS alias myname.example.com. The server will then be accessible from clients on the LAN even using the name you just defined.

Aliases are only valid for the internal LAN. If you want the server is reachable from the outside with the same name you need to ask the provider to associate the public address of the server to the desired name.

DHCP configuration¶

The DHCP server can be enabled on all green and blue interfaces (see Network). NethServer will assign a free IP address within the configured DHCP range in DHCP > DHCP server page.

The DHCP range must be defined within the network of the associated interface. For instance, if the green interface has IP/netmask 192.168.1.1/255.255.255.0 the range must be 192.168.1.2 - 192.168.1.254.

Host IP reservation¶

The DHCP server leases an IP address to a device for a limited period of time. If a device requires to always have the same IP address, it can be granted an IP reservation associated to its MAC address.

The page DHCP > IP reservation lists the currently assigned IP addresses:

• a line with IP reservation button identifies an host with a temporary lease (gray color);
• a line with Edit button identifies an host with a reserved IP (black color). A small two arrows icon near the host name says the DHCP lease is expired: this is a normal condition for hosts with static IP configuration, as they never contact the DHCP server.

Boot from network configuration¶

To allow clients to boot from network, the following components are required:

• the DHCP server, as we have seen in the previous sections,
• the TFTP server [2],
• the software for the client, served through TFTP.

TFTP is a very simple file transfer protocol and usually it is used for automated transfer of configuration and boot files.

In NethServer the TFTP implementation comes with the DHCP module and is enabled by default. To allow accessing a file through TFTP, simply put it in /var/lib/tftpboot directory.

config setprop dhcp tftp-status disabled
signal-event nethserver-dnsmasq-save

For instance, we now configure a client to boot CentOS from the network. In NethServer, type at root’s console:

yum install syslinux
cp /usr/share/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /var/lib/tftpboot/
config setprop dnsmasq dhcp-boot pxelinux.0
signal-event nethserver-dnsmasq-save
mkdir /var/lib/tftpboot/pxelinux.cfg

Then create the file /var/lib/tftpboot/pxelinux.cfg/default with the following content:

default menu.c32
prompt 0
timeout 300

MENU TITLE PXE Menu

LABEL CentOS
  kernel CentOS/vmlinuz
  append initrd=CentOS/initrd.img

Create a CentOS directory:

mkdir /var/lib/tftpboot/CentOS

Copy inside the directory vmlinuz and initrd.img files. These files are public, and can be found in the ISO image, in /images/pxeboot directory or downloaded from a CentOS mirror.

Finally, power on the client host, selecting PXE boot (or boot from network) from the start up screen.

References

Data restore¶

Make sure that backup destination is reachable (for example, USB disk must be connected).

backup-data-list

restore-file <position> <file>

restore-file /tmp /var/lib/nethserver/vmail/test

restore-file / /var/lib/nethserver/vmail/test

restore-file -t 15D /tmp "/var/lib/nethserver/ibay/test/myfile"

Disaster recovery¶

The system is restored in two phases: configuration first, then data. Right after configuration restore, the system is ready to be used if proper packages are installed. You can install additional packages before or after restore. For example, if mail-server is installed, the system can send and receive mail.

Other restored configurations:

• Users and groups
• SSL certificates

Steps to be executed:

1. Install the new machine with the same host name as the old one
2. Configure a data backup, so the system can retrieve saved data and configuration
3. If the old machine was the network gateway, remember to re-install firewall module
4. Restore the configuration backup from page Backup (configuration) > Restore in Server Manager, or executing: restore-config
5. If a warning message requires it, reconfigure the network roles assignment. See Restore network roles below.
6. Verify the system is functional
7. Restore data backup executing: restore-data

config setprop backup-config reinstall disabled

Data backup customization¶

If additional software is installed, the administrator can edit the list of files and directories included (or excluded).

/opt/mysoftware

**Download**

/var/lib/nethserver/vmail/test/

Configuration backup customization¶

In most cases it is not necessary to change the configuration backup. But it can be useful, for example, if you have installed a custom SSL certificate. In this case you can add the file that contains the certificate to the list of files to backup.

/etc/pki/mycert.pem

USB disk configuration¶

The best filesystem for USB backup disks is EXT3. FAT filesystem is supported but not recommended, while NTFS is not supported.

Before formatting the disk, attach it to the server and find the device name:

# dmesg | tail -20

Apr 15 16:20:43 mynethserver kernel: usb-storage: device found at 4
Apr 15 16:20:43 mynethserver kernel: usb-storage: waiting for device to settle before scanning
Apr 15 16:20:48 mynethserver kernel:   Vendor: WDC WD32  Model: 00BEVT-00ZCT0     Rev:
Apr 15 16:20:48 mynethserver kernel:   Type:   Direct-Access           ANSI SCSI revision: 02
Apr 15 16:20:49 mynethserver kernel: SCSI device sdc: 625142448 512-byte hdwr sectors (320073 MB)
Apr 15 16:20:49 mynethserver kernel: sdc: Write Protect is off
Apr 15 16:20:49 mynethserver kernel: sdc: Mode Sense: 34 00 00 00
Apr 15 16:20:49 mynethserver kernel: sdc: assuming drive cache: write through
Apr 15 16:20:49 mynethserver kernel: SCSI device sdc: 625142448 512-byte hdwr sectors (320073 MB)
Apr 15 16:20:49 mynethserver kernel: sdc: Write Protect is off
Apr 15 16:20:49 mynethserver kernel: sdc: Mode Sense: 34 00 00 00
Apr 15 16:20:49 mynethserver kernel: sdc: assuming drive cache: write through
Apr 15 16:20:49 mynethserver kernel:  sdc: sdc1
Apr 15 16:20:49 mynethserver kernel: sd 7:0:0:0: Attached scsi disk sdc
Apr 15 16:20:49 mynethserver kernel: sd 7:0:0:0: Attached scsi generic sg3 type 0
Apr 15 16:20:49 mynethserver kernel: usb-storage: device scan complete

Another good command could be:

lsblk -io KNAME,TYPE,SIZE,MODEL

In this scenario, the disk is accessibile as sdc device.

• Create a Linux partition on the whole disk:

  echo "0," | sfdisk /dev/sdc
  

• Create the filesystem on sdc1 partition with a label named backup:

  mke2fs -v -T largefile4 -j /dev/sdc1 -L backup
  

• Detach and reconnect the USB disk:

  You can simulate it with the following command:

  blockdev --rereadpt /dev/sdc
  

• Now the backup label will be displayed inside the Backup (data) page.

Domains¶

NethServer can handle an unlimited number of mail domains, configurable from the Email > Domains page. For each domain there are two alternatives:

• Deliver messages to local mailboxes, according to the Maildir [8] format.
• Relay messages to another mail server.

NethServer allows storing an hidden copy of all messages directed to a particular domain: they will be delivered to the final recipient and also to a custom email address. The hidden copy is enabled by the Always send a copy (Bcc) check box.

NethServer can automatically append a legal notice to sent messages. This text is called disclaimer and it can be used to meet some legal requirements. Please note signature and disclaimer are very different concepts.

The signature should be inserted inside the message text only by the mail client (MUA): Outlook, Thunderbird, etc. Usually it is a user-defined text containing information such as sender addresses and phone numbers.

Signature example:

John Smith
President | My Mighty Company | Middle Earth
555-555-5555 | john@mydomain.com | http://www.mydomain.com

The “disclaimer” is a fixed text and can only be attached (not added) to messages by the mail server.

This technique allows maintaining the integrity of the message in case of digital signature.

Disclaimer example:

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed.  If you have received this email in error please
notify the system manager.  This message contains confidential
information and is intended only for the individual named.

The disclaimer text can contain Markdown [9] code to format the text.

Email addresses¶

Each user has a personal mailbox and any user name in the form <username>@<domain> is also a valid email address to deliver messages into it.

The list of mailboxes is shown by the Email addresses > User mailboxes page. The Edit button allows disabling the Access to email services (IMAP, POP3, SMTP/AUTH) for a specific user. Messages delivered to that user’s mailbox can be forwarded to an external email address.

Mailboxes can be shared among groups of users. The Email addresses > Shared mailboxes page allows creating a new shared mailbox and defining one or more owning groups. Shared mailboxes can also be created by any IMAP client supporting IMAP ACL protocol extension (RFC 4314).

The system enables the creation of an unlimited number of additional email addresses, from the Email addresses > Mail aliases page. Each mail alias is associated with one or more destinations. A destination can be of the following types:

• user mailbox,
• shared mailbox,
• external email address.

A mail alias can be bound to any mail domain or be specific to one mail domain. For example:

• First domain: mydomain.net
• Second domain: example.com
• Email address info valid for both domains: info@mydomain.net, info@example.com
• Email address goofy valid only for one domain: goofy@example.com

Sometimes a company forbids communications from outside the organization using personal email addresses. The Local network only option blocks the possibility of an address to receive email from the outside. Still the “local network only” address can be used to exchange messages with other accounts of the system.

Mailbox configuration¶

The Email > Mailboxes page controls what protocols are available to access a user mailbox:

• IMAP [10] (recommended)
• POP3 [11] (obsolete)

For security reasons, all protocols require STARTTLS encryption by default. The Allow unencrypted connections, disables this important requirement, and allows passing clear-text passwords and mail contents on the network.

From the same page, the disk space of each mailbox can be limited to a default quota. If the mailbox quota is enabled, the Dashboard > Mail quota page summarizes the quota usage for each user. This summary is updated when a user logs in or a message is delivered. The quota can be customized for a specific user in Email addresses > User mailboxes > Edit > Custom mailbox quota.

Messages marked as spam (see Filter) can be automatically moved into the Junk folder by enabling the option Move to “Junk” folder. Spam messages are expunged automatically after the Hold for period has elapsed. The spam retention period can be customized for a specific user in Email addresses > User mailboxes > Edit > Customize spam message retention.

The root user can impersonate another user, gaining full rights to any mailbox contents and folder permissions. The Root can log in as another user option controls this empowerment, known also as master user in [2].

When Root can log in as another user is enabled, the following credentials are accepted by the IMAP server:

• user name with *root suffix appended
• root’s password

For instance, to access as john with root password secr3t, use the following credentials:

• user name: john*root
• password: secr3t

Messages¶

From the Email > Messages page, the Queue message max size slider sets the maximum size of messages traversing the system. If this limit is exceeded, a message cannot enter the system at all and is rejected.

Once a message enters NethServer, it is persisted to a queue, waiting for final delivery or relay. When NethServer relays a message to a remote server, errors may occur. For instance,

• the network connection fails, or
• the other server is down or is overloaded.

Those and other errors are temporary: in such cases, NethServer attempts to reconnect the remote host at regular intervals until a limit is reached. The Queue message lifetime slider changes this limit. By default it is set to 4 days.

While messages are in the queue, the administrator can request an immediate message relay attempt, by pressing the button Attempt to send from the Email > Queue management page. Otherwise the administrator can selectively delete queued messages or empty the queue with Delete all button.

To keep an hidden copy of any message traversing the mail server, enable the Always send a copy (Bcc) check box. This feature is different from the same check box under Email > Domain as it does not differentiate between mail domains and catches also any outgoing message.

The Send using a smarthost option, forces all outgoing messages to be directed through a special SMTP server, technically named smarthost. A smarthost accepts to relay messages under some restrictions. It could check:

• the client IP address,
• the client SMTP AUTH credentials.

Filter¶

All transiting email messages are subjected to a list of checks that can be selectively enabled in Email > Filter page:

• Block of attachments
• Anti-virus
• Anti-spam

Block port 25¶

If the system is acting as the network gateway, green and blue zones will not be able to send mail to external servers through port 25 (SMTP). Blocking port 25 could prevent remotely controlled machines inside the LAN from sending SPAM.

The administrator can change this policy creating a custom firewall rule inside the Rules page.

Client configuration¶

The server supports standard-compliant email clients using the following IANA ports:

• imap/143
• pop3/110
• smtp/587
• sieve/4190

Authentication requires the STARTTLS command and supports the following variants:

• LOGIN
• PLAIN
• GSSAPI (only if NethServer is bound to Samba/Microsoft Active Directory)

Also the following SSL-enabled ports are available for legacy software that still does not support STARTTLS:

• imaps/993
• pop3s/995
• smtps/465

If NethServer acts also as DNS server on the LAN, it registers its name as MX record along with the following aliases:

• smtp.<domain>
• imap.<domain>
• pop.<domain>
• pop3.<domain>

For example:

• Domain: mysite.com
• Hostname: mail.mysite.com
• MX record: mail.mysite.com
• Available aliases: smtp.mysite.com, imap.mysite.com, pop.mysite.com, pop3.mysite.com.

To disable local MX and aliases, access the root’s console and type:

config setprop postfix MxRecordStatus disabled
signal-event nethserver-hosts-update

Special SMTP access policies¶

The default NethServer configuration requires that all clients use the submission port (587) with encryption and authentication enabled to send mail through the SMTP server.

To ease the configuration of legacy environments, the Email > SMTP access page allows making some exceptions on the default SMTP access policy.

For instance, there are some devices (printers, scanners, ...) that do not support SMTP authentication, encryption or port settings. Those can be enabled to send email messages by listing their IP address in Allow relay from IP addresses text area.

Moreover, under Advanced options there are further options:

• The Allow relay from trusted networks option allows any client in the trusted networks to send email messages without any restriction.
• The Enable authentication on port 25 option allows authenticated SMTP clients to send email messages also on port 25.

Custom HELO¶

The first step of an SMTP session is the exchange of HELO command (or EHLO). This command takes a valid server name as required parameter (RFC 1123).

NethServer and other mail servers try to reduce spam by not accepting HELO domains that are not registered on a public DNS.

When talking to another mail server, NethServer uses its full host name (FQDN) as the value for the HELO command. If the FQDN is not registered in public DNS, the HELO can be fixed by setting a special prop. For instance, assuming myhelo.example.com is the publicly registered DNS record, type the following commands:

config setprop postfix HeloHost myhelo.example.com
signal-event nethserver-mail-common-save

This configuration is also valuable if the mail server is using a free dynamic DNS service.

Outlook deleted mail¶

Unlike almost any IMAP client, Outlook does not move deleted messages to the trash folder, but simply marks them as “deleted”.

It’s possibile to automatically move messages inside the trash using following commands:

config setprop dovecot DeletedToTrash enabled
signal-event nethserver-mail-server-save

You should also change Outlook configuration to hide deleted messages from inbox folder. This configuration is available in the options menu.

Log¶

Every mail server operation is saved in the following log files:

• /var/log/maillog registers all mail transactions
• /var/log/imap contains users login and logout operations

A transaction recorded in the maillog file usually involves different components of the mail server. Each line contains respectively

• the timestamp,
• the host name,
• the component name, and the process-id of the component instance
• a text message detailing the operation

A picture of the whole system is available from workaround.org [16].

References

Plugins¶

Roundcube supports many plugins that are already bundled within the installation.

The plugins that are enabled by default are:

• Manage sieve: manage filters for incoming mail
• Mark as junk: mark the selected messages as Junk and move them to the configured Junk folder

Recommended plugins:

• New mail notifier
• Emoticons
• VCard support

Plugins can be added or removed by editing the comma-separated list inside the Plugins property. For example, to enable “mail notification”, “mark as junk” and “manage sieve plugins”, execute from command line:

config setprop roundcubemail PluginsList managesieve,markasjunk,newmail_notifier
signal-event nethserver-roundcubemail-update

A list of bundled plugins can be found inside /usr/share/roundcubemail/plugins directory. To get the list, just execute:

ls /usr/share/roundcubemail/plugins

Access¶

With default configuration webmail is accessible using HTTPS from any network.

If you want to restrict the access only from green and trusted networks, execute:

config setprop roundcubemail access private
signal-event nethserver-roundcubemail-update

If you want to open the access from any network:

config setprop roundcubemail access public
signal-event nethserver-roundcubemail-update

Removing¶

If you want remove Roundcube, remove all the mail server RPMs and no longer have an email system on the server, do this step on the server console – either directly or by ssh.

yum autoremove nethserver-roundcubemail

Authentication¶

WebTop vs SOGo¶

WebTop and SOGo can be installed on the same machine.

ActiveSync is enabled by default on SOGo and WebTop, but if both packages are installed, SOGo will take precedence.

To disable ActiveSync on SOGo:

config setprop sogod ActiveSync disabled
signal-event nethserver-sogo-update

To disable ActiveSync on WebTop:

config setprop webtop ActiveSync disabled
signal-event nethserver-webtop4-update

All incoming mail filters configured within SOGo, must be manually recreated inside WebTop interface. This also applies if the user is switching from WebTop to SOGo.

Active Directory authentication¶

After an Active Directory domain has been joined, access WebTop administration page, then from tree menu on the left, select Domain -> NethServer.

Edit the following fields:

• Authentication Uri: select ldapAD mode and insert the full FQDN of the server and port 389. Example: w2k8.nethserver.org:389
• Admin LDAP: user name of AD domain administrator
• LDAP Password: user password of AD domain administrator

After saving, the page Users will display users from Active Directory.

Importing from SOGo¶

Please read all directions before importing any data to ensure import is successful

Migration of Calendar and Address book data from SOGo to Webop can be accomplished by using the following scripts, and following the steps listed below:

• Calendars: /usr/share/webtop/doc/sogo2webtop_cal.php
• Address books: /usr/share/webtop/doc/sogo2webtop_card.php

Before using the scripts you need to install this package:

yum install php-mysql -y

When launching the scripts, indicate the user name you want to import from SOGo:

php /usr/share/webtop/doc/sogo2webtop_cal.php <user>
php /usr/share/webtop/doc/sogo2webtop_card.php <user>

Where user can be a username or all.

Examples

To import all address books from SOGo:

php /usr/share/webtop/doc/sogo2webtop_card.php all

To import the calendar of user “foo”:

php /usr/share/webtop/doc/sogo2webtop_cal.php foo

Importing from Outlook PST¶

You can import email, calendars and address books from an Outlook PST archive.

Before using followings scripts, you will need to install libpst package:

yum install libpst -y

/usr/share/webtop/doc/pst2webtop.sh <filename.pst> <user>

/usr/share/webtop/doc/pst2webtop_card.php <user> <file_to_import> <phonebook_category>

Contacts Folder found: Cartelle personali/Contatti/contacts
 Import to webtop:
./pst2webtop_card.php foo '/tmp/tmp.0vPbWYf8Uo/Cartelle personali/Contatti/contacts' <foldername>

/usr/share/webtop/doc/pst2webtop_card.php foo '/tmp/tmp.0vPbWYf8Uo/Cartelle personali/Contatti/contacts' WebTop

/usr/share/webtop/doc/pst2webtop_cal.php <user> <file_to_import> <foldername>

Events Folder found: Cartelle personali/Calendario/calendar
 Import to webtop:
./pst2webtop_cal.php foo '/tmp/tmp.0vPbWYf8Uo/Cartelle personali/Calendario/calendar' <foldername>

/usr/share/webtop/doc/pst2webtop_cal.php foo '/tmp/tmp.0vPbWYf8Uo/Cartelle personali/Calendario/calendar' WebTop

Google and Dropbox integration¶

Users can add their own Google Drive and Dropbox accounts inside WebTop. Before proceeding, the administrator must create a pair of API access credentials.

POP3s¶

The proxy can also intercept POP3s connections on port 995. The proxy will establish a secure connection to the external server, but data exchange with LAN client will be in the clear text.

Client¶

Jabber clients are available for all desktop and mobile platforms.

Some widespread clients:

• Pidgin is available for Windows and Linux
• Adium for Mac OS X
• BeejibelIM for Android and iOS, Xabber only for Android

When you configure the client, make sure TLS (or SSL) is enabled. Enter the user name and the domain of the machine.

If NethServer is also the DNS server of the network, the client should automatically find the server’s address through special pre-configured DNS records. Otherwise, specify the server address in the advanced options.

Administrators¶

All users within the group jabberadmins are considered administrators of the chat server.

Administrators can:

• Send broadcast messages
• Check the status of connected users

The group jabberadmins is configurable from Groups page.

Custom device¶

If the UPS is connected to a port that is not listed in the web interface, you can configure a custom device with the following commands:

config setprop ups Device <your_device>
signal-event nethserver-nut-save

UPS statistics¶

If the statistics module (collectd) is installed and running, the module will automatically collect statistic data about UPS status.

Modem¶

Although HylaFAX supports a large number of brands and models, we recommend using an external serial or USB modem.

If an internal modem blocks, you must reboot the whole server, while an external modem can be turned off separately. In addition, the majority of internal modems on the market belongs to the so-called family of winmodem, “software” modems that need a driver, usually available only on Windows.

Also be aware that many external USB modem are also winmodem.

You should prefer modems in Class 1 or 1.0, especially if based on Rockwell/Conexant or Lucent/Agere chips. The system also supports modems in classes 2, 2.0 and 2.1.

Client¶

We recommend using the fax client YajHFC (http://www.yajhfc.de/) that connects directly to the server and allows:

• the use of an LDAP address book
• ability to select the modem to send
• view the status of modems

Samba virtual printer¶

If SambaFax option is enabled, the server will create virtual printer called “sambafax” available to the local network.

Each client must configure the printer using the Apple LaserWriter 16/600 PS driver.

Sent documents must meet the following prerequisites:

• Must contain exactly the string “Fax Number”, containing the fax number, for example:

  Fax Number: 12345678
  

• The string may be present in any position of the document, but on a single line

• The string must be written in non-bitmap font (eg. Truetype)

Faxes will be sent using the sending user id. This information will be displayed in the fax queue.

Mail2Fax¶

All emails sent to the local network at sendfax@<domainname> will be transformed into a fax and sent to the recipient.

The <domainname> must match a local mail domain configured for local delivery.

The email must comply with this format:

• The recipient’s number must be specified in the object (or subject)
• The email must be in plain text format
• It may contain attachments such as PDF or PS which will be converted and sent with your fax

Virtual modems¶

Virtual modems are software modems connected to a PBX (Asterisk usually) using a IAX extension.

The configuration of the virtual modems consists of two parts:

1. Creation of IAX extension within the PBX
2. Configuration of virtual modem

Policy¶

Each interface is identified with a color indicating its role within the system. See Network.

When a network packet passes through a firewall zone, the system evaluates a list of rules to decide whether traffic should be blocked or allowed. Policies are the default rules to be applied when the network traffic does not match any existing criteria.

The firewall implements two default policies editable from the page Firewall rules -> Configure:

• Allowed: all traffic from green to red is allowed
• Blocked: all traffic from green to red network is blocked. Specific traffic must be allowed with custom rules.

Firewall policies allow inter-zone traffic accordingly to this schema:

GREEN -> BLUE -> ORANGE -> RED

Traffic is allowed from left to right, blocked from right to left.

You can create rules between zones to change default policies from Firewall rules page.

Rules¶

Rules apply to all traffic passing through the firewall. When a network packet moves from one zone to another, the system looks among configured rules. If the packet match a rule, the rule is applied.

A rule consists of four main parts:

• Action
• Source
• Destination
• Service
• Time condition

Available actions are:

• ACCEPT: accept the network traffic
• REJECT: block the traffic and notify the sender host
• DROP: block the traffic, packets are dropped and no notification is sent to the sender host
• ROUTE: route the traffic to the specified WAN provider. See Multi WAN.

db NethServer::Database::Ndpi keys

Multi WAN¶

The term WAN (Wide Area Network) refers to a public network outside the server, usually connected to the Internet. A provider is the company who actually manage the WAN link.

The system supports up to 15 WAN connections. If the server has two or more configured red cards, it is required to proceed with provider configuration from Multi WAN page.

Each provider represents a WAN connection and is associated with a network adapter. Each provider defines a weight: higher the weight, higher the priority of the network card associated with the provider.

The system can use WAN connections in two modes (button Configure on page Multi WAN):

• Balance: all providers are used simultaneously according to their weight
• Active backup: providers are used one at a fly from the one with the highest weight. If the provider you are using loses its connection, all traffic will be diverted to the next provider.

To determine the status of a provider, the system sends an ICMP packet (ping) at regular intervals. If the number of dropped packets exceeds a certain threshold, the provider is disabled.

The administrator can configure the sensitivity of the monitoring through the following parameters:

• Percentage of lost packets
• Number of consecutive lost packets
• Interval in seconds between sent packets

The Firewall rules page allows to route network packets to a given WAN provider, if some criteria are met. See Rules.

Port forward¶

The firewall blocks requests from public networks to private ones. For example, if web server is running inside the LAN, only computers on the local network can access the service on the green zone. Any request made by a user outside the local network is blocked.

To allow any external user access to the web server you must create a port forward. A port forward is a rule that allows limited access to resources from outside of the LAN.

When you configure the server, you must choose the listening ports. The traffic from red interfaces will be redirected to selected ports. In the case of a web server, listening ports are usually port 80 (HTTP) and 443 (HTTPS).

When you create a port forward, you must specify at least the following parameters:

• The source port
• The destination port, which can be different from the origin port
• The address of the internal host to which the traffic should be redirected
• It’s possibile to specify a port range using a colon as separator in the source port field (eX: 1000:2000), in this case the field destination port must be left void

NAT 1:1¶

One-to-one NAT is a way to make systems behind a firewall and configured with private IP addresses appear to have public IP addresses.

If you have a bunch of public IP addresses and if you want to associate one of these to a specific network host, NAT 1:1 is the way.

Traffic shaping¶

Traffic shaping allows to apply priority rules on network traffic through the firewall. In this way it is possible to optimize the transmission, check the latency and tune the available bandwidth.

To enable traffic shaping it is necessary to know the amount of available bandwidth in both directions and fill in the fields indicating the speed of the Internet link. Be aware that in case of congestion by the provider there is nothing to do in order to improve performance.

Traffic shaping rules can be configured from the Firewall rules page, while the available bandwidth can be set from the Network page for all red interfaces.

The system provides two levels of priority, high and low: as default all traffic has medium priority. It is possible to assign high or low priority to certain services based on the port used (eg low traffic peer to peer).

The system works even without specifying services to high or low priority, because, by default, the interactive traffic is automatically run at high priority (which means, for example, it is not necessary to specify ports for VoIP traffic or SSH). Even the traffic type PING is guaranteed high priority.

Firewall objects¶

Firewall objects are representations of network components and are useful to simplify the creation of rules.

There are 6 types of objects, 5 of them represent sources and destinations:

• Host: representing local and remote computers. Example: web_server, pc_boss

• Groups of hosts: representing homogeneous groups of computers. Hosts in a host group should always be reachable using the same interface. Example: servers, pc_segreteria

• CIDR Networks: You can express a CIDR network in order to simplify firewall rules.

  Example 1 : last 14 IP address of the network are assigned to servers (192.168.0.240/28).

  Example 2 : you have multiple green interfaces but you want to create firewall rules only for one green (192.168.2.0/24).

• Zone: representing networks of hosts, they must be expressed in CIDR notation. Their usage is for defining a part of a network with different firewall rules from those of the nominal interface. They are used for very specific needs.

• Time conditions: can be associated to firewall rules to limit their effectiveness to a given period of time.

The last type of object is used to specify the type of traffic:

• Services: a service listening on a host with at least one port and protocol. Example: ssh, https

When creating rules, you can use the records defined in DNS and DHCP and PXE server like host objects. In addition, each network interface with an associated role is automatically listed among the available zones.

IP/MAC binding¶

When the system is acting as DHCP server, the firewall can use the list of DHCP reservations to strictly check all traffic generated from hosts inside local networks. When IP/MAC binding is enabled, the administrator will choose what policy will be applied to hosts without a DHCP reservation. The common use is to allow traffic only from known hosts and block all other traffic. In this case, hosts without a reservation will not be able to access the firewall nor the external network.

To enable traffic only from well-known hosts, follow these steps:

1. Create a DHCP reservation for a host
2. Go to Firewall rules page and select from Configure from the button menu
3. Select MAC validation (IP/MAC binding)
4. Choose Block traffic as policy to apply to unregistered hosts

Client configuration¶

The proxy is always listening on port 3128. When using manual or authenticated modes, all clients must be explicitly configured to use the proxy. The configuration panel is accessible from the browser settings. By the way, most clients will be automatically configured using WPAD protocol. In this case it is useful to enable Block HTTP and HTTPS ports option to avoid proxy bypass.

If the proxy is installed in transparent mode, all web traffic coming from clients is diverted through the proxy. No configuration is required on individual clients.

Certificate file is saved inside /etc/pki/tls/certs/NSRV.crt file, it can be downloaded from client at http://<ip_server>/proxy.crt address.

SSL Proxy¶

In transparent SSL mode, the server is able to also analyze HTTPS traffic. The proxy implements the “peek and splice” behavior: it establishes the SSL connection with remote sites and checks the validity of certificates without decrypting the traffic. Then the server can filter requested URLs using the web filter and return back the response to the client.

Bypass¶

In some cases it may be necessary to ensure that traffic originating from specific IP or destined to some sites it’s not routed through the HTTP/HTTPS proxy.

The proxy allows you to create:

• bypass by source, configurable from Hosts without proxy section
• bypass by destination, configurable from Sites without proxy section

Bypass rules are also configured inside the WPAD file.

Report¶

Install nethserver-lightsquid package to generate web navigation reports.

LightSquid is a lite and fast log analyzer for Squid proxy, it parses logs and generates new HTML report every day, summarizing browsing habits of the proxy’s users. Link to web interface can be found at the Applications tab inside the Dashboard.

Cache¶

Under tab Cache there is a form to configure cache parameters:

• The cache can be enabled or disabled (disabled by default)
• Disk cache size: maximum value of squid cache on disk (in MB)
• Min object size: can be left at 0 to cache everything, but may be raised if small objects are not desired in the cache (in kB)
• Max object size: objects larger than this setting will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value (in kB)

The button Empty cache also works if squid is disabled, it might be useful to clear space on disk.

config setprop squid NoCache www.nethserver.org,www.google.com
signal-event nethserver-squid-save

Safe ports¶

Safe ports are a list of ports accessible using the proxy. If a port is not inside the safe port list, the proxy will refuse to contact the server. For example, given a HTTP service running on port 1234, the server can’t be accessed using the proxy.

The SafePorts property is a comma-separated list of ports. Listed ports will be added to the default list of safe ports.

Eg. Access extra ports 446 and 1234:

config setprop squid SafePorts 446,1234
signal-event nethserver-squid-save

Filters¶

A filter can:

• block access to categories of sites
• block access to sites accessed using IP address (recommended)
• filter URLs with regular expressions
• block files with specific extensions
• enable global blacklist and whitelist

A filter can operate in two different modes:

• Allow all: allow access to all sites, except those explicitly blocked
• Block all: blocks access to all sites, except those explicitly permitted

Antivirus¶

It is recommended to always enable virus scanning on the web page content. If the proxy is configured in SSL transparent mode (SSL Proxy), virus scanning will work even on contents downloaded via HTTPS.

Troubleshooting¶

If a bad page is not blocked, please verify:

• the client is surfing using the proxy
• the client doesn’t have a configured bypass inside Hosts without proxy section
• the client is not browsing a site with a configured bypass inside Sites without proxy section
• the client is really associated with a profile not allowed to visit the page
• the client is surfing within a time frame when the filter is permissive

Manual configuration¶

If Reverse proxy page is not enough, you can always configure Apache manually, by creating a new file inside /etc/httpd/conf.d/ directory.

Example

Create /etc/httpd/conf.d/myproxypass.conf file with this content:

<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ProxyPass /owa https://myserver.exchange.org/
    ProxyPassReverse /owa https://myserver.exchange.org/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mydomain.org
    ProxyPreserveHost On
    ProxyPass / http://10.10.1.10/
    ProxyPassReverse / http://10.10.1.10/
</VirtualHost>

Please refer to official Apache documentation for more information: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Virtual host names (FQDN)¶

Is the list of Fully Qualified Domain Names that are associated to the virtual host. Values must be separated with a ”,” (comma). To access virtual host, is also needed a DNS record. If enabled under “Additional actions” an alias for the server is automatically created on “DNS > Server alias”, but it’s useful only for clients that use the server as DNS.

Configuring a web application¶

When a new virtual host is created, also the folder /var/lib/nethserver/vhost/NAME is created. If FTP access is enabled, is possible to upload files to this folder using an FTP client and, virtual host name as username.

HTTP authentication password should be different from FTP ones, because FTP is used for upload content on virtual host and HTTP to read content.

Apache permissions¶

FTP uploaded files has group “apache”. If you need to allow apache write or execution access, you can change group permissions using the FTP client

Authorizations¶

If Active directory is selected as account provider, a shared folder is owned by a group of users (Owning group). Each member of the group is allowed to read the folder contents. Optionally the group can be entitled to modify the folder contents and the read permission can be extended to everyone accessing the system. This simple permission model is based on the traditional UNIX file system permissions.

Access privileges can be refined further with the ACL tab, allowing individual users and other groups to gain read and write permissions.

If Guest access is enabled, any provided authentication credentials are considered valid.

If an LDAP account provider is selected or there is no account provider at all, any access to shared folders is considered as Guest access so that everyone is allowed to read and write its content.

Network access¶

SMB/CIFS is a widely adopted protocol that allows to share files across a computer network. In a way similar to Web URLs above, the shared folder name becomes the SMB “share name”.

For instance, the SMB network addresses of the docs share could be

\\192.168.1.1\docs
\\MYSERVER\docs

At any time, the Reset permissions button propagates the shared folder UNIX permissions and Posix ACLs to its contents.

If the option Network recycle bin is enabled, removed files are actually moved into a special “wastebasket” directory. The Keep homonym files keeps distinct file names inside the wastebasket directory, preventing overwrites.

If Browseable is enabled, the shared folder is listed publicly. This does not affect the permission to use this resource.

BandwidthD¶

BandwidthD tracks usage of TCP/IP network subnets and builds graphs to display utilization. After installation, BandwidthD is automatically started. Graphs can be accessed using the Server Manager.

ntopng¶

ntopng is a powerful tool that allows you to analyze real-time network traffic. It allows you to evaluate the bandwidth used by individual hosts and to identify the most commonly used network protocols.

Enable ntopng

Enabling ntopng, all traffic passing through the network interfaces will be analyzed. It can cause a slowdown of the network and an increased in system load.

Port

The port where to view the ntopng web interface.

Password for ‘admin’ user

Admin user password. This password is not related to the NethServer admin password.

Interfaces

Interfaces on which ntopng will listens to.

Network latency¶

The ping plugin measure the network latency. At regular intervals, it sends a ping to the configured upstream DNS. If the multi WAN module is configured, any enabled provider is also checked.

Additional hosts could be monitored (i.e. a web server) using a comma separated list of hosts inside the PingHosts property.

Example:

config setprop collectd PingHosts www.google.com,www.nethserver.org
signal-event nethserver-collectd-update

OpenVPN¶

OpenVPN lets you easily create VPN connections, It brings with numerous advantages including:

• Availability of clients for various operating systems: Windows, Linux, Apple, Android, iOS
• Multiple NAT traversal, you do not need a dedicated static IP on the firewall
• High stability
• Simple configuration

Installation¶

The installation can be done through the NethServer web interface. After the installation:

• open the url https://your_nethserver_ip/nextcloud
• use admin/Nethesis,1234 as default credentials
• change the default password

All users configured inside any user provider (see Users and groups) can automatically access the NextCloud installation. After the installation a new application widget is added to the NethServer web interface dashboard.

Trusted Domains¶

Trusted domains are a list of domains that users can log into. Default trusted domains are:

• domain name
• ip address

To add a new one use:

config setprop nextcloud TrustedDomains server.domain.com
signal-event nethserver-nextcloud-update

To add more than one, concatenate the names with a comma.

System users¶

After enabling system users, all virtual users will be disabled. All configuration must be done using the command line.

Enable system users:

config setprop vsftpd UserType system
signal-event nethserver-vsftpd-save

Given a user name goofy, first make sure the user has Remote shell access. Then, enable the FTP access:

db accounts setprop goofy FTPAccess enabled
signal-event user-modify goofy
signal-event nethserver-vsftpd-save

To disable an already enabled user:

db accounts setprop goofy FTPAccess disabled
signal-event nethserver-vsftpd-save

If not explicitly disabled, all system users are chrooted. To disable a chroot for a system user:

db accounts setprop goofy FTPChroot disabled
signal-event nethserver-vsftpd-save

Overview¶

The tool is disabled by default.

To enable it simply run: config set phone-home configuration status enabled

If the tool is enabled the information sent are:

• UUID: stored in /var/lib/yum/uuid
• RELEASE: get by /sbin/e-smith/config getprop sysconfig Version

All the infos are used to populate the map.

Configuration¶

If you use a proxy edit the correct placeholders in file phone-home stored in /etc/sysconfig/ :

SERVER_IP=__serverip__
PROXY_SERVER=__proxyserver__
PROXY_USER=__proxyuser__
PROXY_PASS=__proxypass__
PROXY_PORT=__proxyport__

Configuration¶

The web application listen on port 8000 of your host machine, for example: http://HOST_IP:8000/.

The service is disabled by default.

From the Virtual machines page you can:

• enable the virtual machines manager
• enable the virtual machines console access from web browser

To access the web interface you must login with credentials that can be found on the same page:

• User: admin
• Password: random alphanumeric (editable)

For more information, see official documentation:

• http://wiki.qemu.org/Manual
• http://www.linux-kvm.org/page/Documents

Installation¶

If the software is an RPM package, please use yum to install it: the system will take care to resolve all needed dependencies.

In case a yum installation is not possible, the best target directory for additional software is under /opt. For example, given a software named mysoftware, install it on /opt/mysoftware.

Backup¶

Directory containing relevant data should be included inside the backup by adding a line to /etc/backup-data.d/custom.include. See Data backup customization.

Firewall¶

If the software needs some open ports on the firewall, create a new service named fw_<softwarename>.

For example, given the software mysoftware which needs ports 3344 and 5566 on LAN, use the following commands:

config set fw_mysoftware service status enabled TCPPorts 3344,5566 access green
signal-event firewall-adjust
signal-event runlevel-adjust

Starting and stopping¶

NethServer uses the standard systemd multiuser target.

Software installed with yum should already be configured to start at boot. To check the configuration, execute the systemctl command. The command will display a list of services with their own status.

To enable a service on boot:

systemctl enable mysoftware

To disable a service on boot:

systemctl disable mysoftware

Email¶

Before running NethServer in production, some considerations about the network and existing mail client configurations are required: what ports are in use, if SMTPAUTH and TLS are enabled. Refer to Client configuration and Special SMTP access policies sections for more informations.

In a mail server migration, the source mail server could be on production even after the backup has been done, and email messages continue to be delivered until it is taken down permanently.

An helper rsync script is provided by package nethserver-mail-server, to re-synchronize destination mailboxes with the source host: /usr/share/doc/nethserver-mail-server-<VERSION>/sync_maildirs.sh. It runs on the destination host:

Usage:
  ./sync_maildirs.sh [-h] [-n] [-p] -s IPADDR
      -h          help message
      -n          dry run
      -p PORT     ssh port on source host (default 22)
      -s IPADDR   rsync from source host IPADDR

The source host at IPADDR must be accessible by the root user, through ssh with public key authentication.