Synology certificates, SSL and Open VPN [DSM 5.0]

Information for DSM 5.0

The certificates can be found here: /usr/syno/etc/ssl

This page gives good information on how to create home-made certificates for your Synology NAS: http://forum.synology.com/wiki/index.php/How_to_generate_custom_SSL_certificates

I prefer to let a Certificate Authority sign my certificates. CAcert offers this as a free service (https://www.cacert.org/). It will not give you a 100% guarantee, but it is better than using the self-signed certificates from Synology:

  • You can import the root certificate of the CA to most tools/OS. That way you do not need to add a security exception when connecting.
  • Some tools do not allow you to add a security exception, so using a self-signed certificate is not an option.

Restart OpenVPN server:

/var/packages/VPNCenter/target/scripts/openvpn.sh {start|stop|restart}

But stop does not actually stop it; you need to kill the processes manually. Restart does work, weird…

/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf contains the configuration for the OpenVPN server. Enable the logging option

log-append /var/log/openvpn.log

to get useful information on what is happening with the server.

The SSH keys used for OpenVPN can be found here:

/usr/syno/etc/packages/VPNCenter/openvpn/keys
In the config file openvpn.conf, there are pointers to these files.

Note that the certificates we use are probably not of the type “server”. If you get this error when connecting to the server:

VERIFY nsCertType ERROR: CN=<yourHostName>, require nsCertType=SERVER

then remove this line from the client config:
ns-cert-type server
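
Without ns-cert-type server and without a replacement check, the client accepts any certificate signed by the configured CA, so it helps to know which server check the certificate can still satisfy. The script below is an added example, not part of the original post: it reads the text output of openssl x509 and prints a directive to use; remote-cert-eku and verify-x509-name are standard OpenVPN client options (verify-x509-name assumes an OpenVPN 2.3 or later client), and the function names and sample certificate text are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: openssl x509 -in <server certificate> -noout -text | suggest_server_check

# has_ext LABEL VALUE: true if the line after LABEL in $cert_text contains VALUE
has_ext() {
    printf '%s\n' "$cert_text" | awk -v label="$1" -v want="$2" '
        index($0, label) { if ((getline nxt) > 0 && index(nxt, want)) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the strictest client directive that this certificate still passes
suggest_server_check() {
    cert_text=$(cat)
    if has_ext 'Netscape Cert Type:' 'SSL Server'; then
        echo 'ns-cert-type server'
    elif has_ext 'X509v3 Extended Key Usage:' 'TLS Web Server Authentication'; then
        echo 'remote-cert-eku "TLS Web Server Authentication"'
    else
        # No usable extension: pin the certificate name instead (OpenVPN 2.3+ assumed)
        echo 'verify-x509-name <yourHostName> name'
    fi
}

# Constructed sample: the extension part of a certificate without nsCertType
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}

sample_cert_text | suggest_server_check
```

Put the printed directive in the client config in place of the removed line.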

SMTP server setup on Synology [DSM 5.2]

The setup is straightforward, but there are a few pitfalls.

  • Hostname(FQDN).
    This Fully Qualified Domain Name is the full name of the server as <$hostname.$domainname>. When you log in to the SMTP server, the server will identify itself with this name:

    220 <$hostname.$domainname> ESMTP Postfix

    This name could be the name as defined in the MX DNS record for your domain. But this is not a requirement.
    If your domain is high on the SPAM blacklist, add the name you would get with a reverse DNS lookup. These are not necessarily the same.

  • Additional domain.
    Add all domains for which your server is defined as the mail server according to the MX DNS records. This is at least 1 domain.
  • SMTP relay
    Fill in the SMTP server of your ISP. Note that an SSL connection is not supported, only TLS or unencrypted. The port could be 25 or 587, depending on your ISP. (Do NOT use port 465, since that is explicitly used for SSL.)

 

Synology HTTP daemon and other Synology services [DSM 5.2]

The configuration files for the HTTP daemon can be found in:
/etc/httpd/conf

Several configuration files are recreated when you restart the HTTP service, so pay attention to which files are going to be edited.

The ‘source’ for the httpd.conf is httpd.conf-user in /usr/syno/apache/conf. But it might be cleaner to edit one of the included config files inside the /etc/httpd/conf/extra directory.

The HTTP daemon can be restarted with:

/usr/syno/sbin/synoservicecfg --restart httpd-user
/usr/syno/sbin/synoservicecfg --restart httpd-sys

There are more services that can be restarted with the same tool. For a complete list, look at

/usr/syno/sbin/synoservicecfg --list

 

 

Zarafa Z-push install on Synology

There is a Synology package available that makes installation easy, but it is based on an old version of Z-push. It is better to start a clean installation with the latest version. The installation notes can be found here:

https://z-push.org/svn/z-push/trunk/src/INSTALL

Download the latest version from http://z-push.org/download/ and install it in /usr/share/z-push.

Log files can go to /var/log/z-push and settings can go to /var/lib/z-push.

Make sure all directories have owner http:http and correct write permissions. Also add these directories to the open_basedir variable of PHP, which you can find in:
Control panel -> web services -> PHP settings

Modifications to config.php are minimal. Add the time-zone and if any of the default directories was changed, modify it here.

z-push-admin.php and z-push-top.php are executables and help you with the administration of Z-push. Run them without options to see if your installation is correct.

We need to define a redirection alias for the Z-push directory. This can be done in /etc/httpd/conf/extra/rhttpd-ssl.conf-user. Add the following line inside the :443 directive.

Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php

This way, the directive is only valid on the SSL secured http connection, and not in the normal one.
Restart the server to see the effects.

Synology: Zarafa database backup and restore (migrate)

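The backup can be done while the server is running. For restoring, the server must be stopped first.

Backup with mysqldump (there is no space between -p and the password; with a space, mysqldump prompts for the password and treats the next word as a database name):

mysqldump -u root -p<password> -h localhost --skip-lock-tables --single-transaction --databases zarafa > zarafa.dump.sql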

Restore with mysql:

mysql -u root -p<password> zarafa < zarafa.dump.sql

Sometimes the dump was created with chunks bigger than the server accepts:
ERROR 1153 (08S01) at line 6734: Got a packet bigger than 'max_allowed_packet' bytes

Then open a terminal and enter the following:

mysql -u root
set global net_buffer_length=1000000;
set global max_allowed_packet=1000000000;

Leave the terminal open, and use the following in a new terminal:

mysql -u root -p<password> --max_allowed_packet=100M zarafa < zarafa.dump.sql
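
To see in advance whether a restore will hit ERROR 1153, the size of the largest statement in the dump can be compared with the server's max_allowed_packet. The script below is an added example, not part of the original post; it assumes mysqldump wrote each statement on a single line (its default layout), and the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: each statement in the dump sits on one line (mysqldump's default),
# so the longest line approximates the largest packet the restore will send.

# longest_statement DUMP: byte length of the longest line in the dump file
longest_statement() {
    LC_ALL=C awk '{ n = length($0); if (n > max) max = n } END { print max + 0 }' "$1"
}

# packet_advice DUMP SERVER_LIMIT_BYTES
# SERVER_LIMIT_BYTES is the value of: SHOW VARIABLES LIKE 'max_allowed_packet';
packet_advice() {
    need=$(longest_statement "$1")
    mib=$(( need / 1048576 + 1 ))   # round up to the next whole MiB
    if [ "$need" -lt "$2" ]; then
        echo "ok"
    elif [ "$need" -ge 1073741824 ]; then
        echo "statement exceeds the 1G maximum of max_allowed_packet"
    else
        echo "raise max_allowed_packet to ${mib}M"
    fi
}

# Constructed sample: a dump whose single INSERT line is 5026 bytes long
make_sample_dump() {
    {
        echo "-- constructed sample dump"
        printf "INSERT INTO t VALUES ('%05000d');\n" 0
    } > "$1"
}

tmp=$(mktemp)
make_sample_dump "$tmp"
packet_advice "$tmp" 4096    # server limit of 4096 bytes, chosen for the demo
rm -f "$tmp"
```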

Don’t forget the attachments, since they are saved separately. Backup with:

tar -zcvf zarafa_attachment.tar.gz /var/lib/zarafa/

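And restore the attachments with (run this from an empty working directory, not from /, because tar strips the leading / and unpacks into ./var/lib/zarafa):

tar -zxvf zarafa_attachment.tar.gz
rm -rf /var/lib/zarafa/*
mv var/lib/zarafa/* /var/lib/zarafa
chown -R zarafa:zarafa /var/lib/zarafa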