Kolab

From ArchWiki

Kolab is a unified communication and collaboration system, composed of a server-side daemon which offers storage and synchronization capabilities for contact, calendar, mail and file data. Clients can use several well-defined formats like vCard, iCal, XML, IMAP and LDAP to communicate with the Kolab server.

Installation

Kolab server is available in the AUR via the kolab (AUR) meta-package [broken link: package not found]. This package will install all Kolab components, as well as the necessary external services: cyrus-imapd (AUR), Postfix, 389-ds-base, MariaDB, Amavis, ClamAV, SpamAssassin and Apache HTTP Server with PHP support.

Configuration

Warning: Kolab changes the configuration of many system components. If you use any of the services listed above, you may want to back up your configuration, as the Kolab installation process is likely to overwrite part of it.

First, Kolab requires you to use an FQDN (fully qualified domain name) with at least three dot-separated parts. Therefore, adjust and append the following line:

/etc/hosts
192.168.1.101 kolab.example.org

Write the same domain name into /etc/hostname. You should also check your DNS settings and reverse DNS resolution.

Arch-specific configuration

Kolab makes many assumptions about the system it is installing on. The kolab (AUR) package [broken link: package not found] ships with a script that brings the system to a state where the Kolab setup script is useful. Run it as root:

# arch-setup-kolab

This will:

  • Check your FQDN (can be skipped by adding the --no-fqdn option)
  • Initialize or update the ClamAV and SpamAssassin databases
  • Initialize the Cyrus IMAP cache directory
  • Create the Postfix aliases database (aliases.db)
  • Configure ClamAV to be able to access Amavis directories
  • Enable the PHP module in Apache
  • Add all Kolab applications to Apache in /etc/httpd/conf/extra/kolab.conf
  • Add Roundcube to Apache
  • Enable the required PHP extensions, and configure the include_path and open_basedir in /etc/php/conf.d/kolab.ini
  • Configure libsasl to use the SASL daemon shipped with Kolab
  • Create a dummy certificate for localhost (/etc/ssl/private/localhost.pem) and install it as a trust anchor (/etc/ca-certificates/trust-source/anchors/localhost.pem)

Kolab configuration

Kolab ships with its own configuration script (contained in pykolab (AUR) [broken link: package not found]). Run it as root:

# setup-kolab

This runs all configuration steps necessary for Kolab. During the process, multiple questions will be asked, regarding passwords, etc. The defaults are fine for all but two questions:

  • The password for the LDAP Directory Manager is the password you use for logging in to the web administration panel
  • When asked about MySQL, you should select 1: Existing MySQL server and then the password for the root MySQL user (by default, empty)

You can also list the steps with setup-kolab help and selectively run some of them.

First steps

Creating a user

The web admin panel is located at http://localhost/kolab-webadmin/. You can log in using cn=Directory Manager as the user, and the password you chose during the previous step. You can recover the password by running:

$ grep ^bind_pw /etc/kolab/kolab.conf

You can then create a user and log in as that user at http://localhost/roundcube/ by using the email address or the UID of the user and the assigned password.

More information in the Kolab documentation: [1]

Enabling proper TLS

The default installation creates a dummy localhost certificate, as some parts of Kolab (most notably kolabd) use TLS to communicate with the IMAP daemon. However, this will not work for external clients. In order to install a proper certificate you must edit the following files:

/etc/postfix/main.cf
# TLS
smtpd_tls_cert_file=/etc/ssl/private/localhost.pem
smtpd_tls_key_file=/etc/ssl/private/localhost.pem

/etc/cyrus/imapd.conf
tls_cert_file: /etc/ssl/private/localhost.pem
tls_key_file: /etc/ssl/private/localhost.pem

The cert_file should point to a PEM file containing your certificate (and intermediate CA certificates if that's the case), and the key_file should contain your PEM-encoded private key.

After that, restart Postfix and Cyrus imapd:

# systemctl restart postfix cyrus-master

Additionally, you have to change the Roundcube configuration in order to include your domain name instead of localhost. If not, certificate validation will fail (the server is presenting a certificate for the domain and Roundcube expects one for localhost) and the web interface will be unusable. Replace localhost with your domain name in the Roundcube configuration:

/etc/webapps/roundcubemail/config/config.inc.php
// IMAP Server Settings
$config['default_host'] = 'tls://localhost';

// SMTP Server Settings
$config['smtp_server'] = 'tls://localhost';

Finally, you can dispose of the temporary dummy certificate generated by the installation process:

# rm /etc/ssl/private/localhost.pem
# rm /etc/ca-certificates/trust-source/anchors/localhost.pem
# update-ca-trust
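An added check, not part of the original page or of Kolab: before running the rm commands above, list every active setting in the three files edited in this section that still references localhost.pem or tls://localhost. The function name find_dummy_refs is made up for this example.

```shell
#!/bin/sh
# Added example: find settings that still depend on the dummy certificate.
#
# Usage (as root, before removing localhost.pem):
#   find_dummy_refs /etc/postfix/main.cf /etc/cyrus/imapd.conf \
#       /etc/webapps/roundcubemail/config/config.inc.php

# find_dummy_refs FILE...
# Prints "file:line:text" for every non-comment line that still mentions
# localhost.pem or tls://localhost.
# Returns 0 when nothing is left, 1 when leftovers were found.
find_dummy_refs() {
  _found=0
  for _file in "$@"; do
    if [ ! -r "$_file" ]; then
      echo "skip: cannot read $_file" >&2
      continue
    fi
    # Drop comment lines ('#' for Postfix/Cyrus, '//' for PHP) while keeping
    # the original line numbers, then keep only the two leftover patterns.
    _hits=$(grep -nEv '^[[:space:]]*(#|//)' "$_file" \
              | grep -E 'localhost\.pem|tls://localhost' || true)
    if [ -n "$_hits" ]; then
      printf '%s\n' "$_hits" | sed "s|^|$_file:|"
      _found=1
    fi
  done
  return "$_found"
}
```

A non-zero return means at least one service would lose its certificate, or Roundcube would still expect a certificate for localhost, once the dummy file is gone.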

If you notice slow performance in Roundcube, especially if you are using a large key pair, you may want to disable TLS for local connections.

Frontends

Roundcubemail Plugin

Besides the basic Roundcubemail installation and configuration, the roundcubemail-plugins-kolab (AUR) plugin package is needed for advanced groupware functionality.

Start/stop the services

The installation process should have enabled and started all Kolab services. The following services are used by Kolab (and can be managed by systemctl):

  • 389-ds-base.target: LDAP directory for configuration and authentication
  • amavisd: Bridge from Postfix to ClamAV and SpamAssassin
  • clamd: Virus scanning
  • cyrus-master: IMAP/POP3 server
  • httpd: Apache web server
  • kolabd: Synchronizes LDAP configuration with Cyrus IMAP (list of mailboxes)
  • kolab-saslauthd: Handles SASL auth for Postfix
  • mysqld: Database engine for RoundCube and Kolab components
  • postfix: SMTP server
  • wallace: Scans incoming mail for groupware content

Troubleshooting

PHP Error: required kolabformat module not found

Make sure that /usr/share/php is in the include_path and open_basedir variables in the PHP configuration. The most likely cause is that they are overwritten in the Roundcube Apache configuration (/etc/httpd/conf/extra/roundcube.conf).

Error creating tasks / Tasks are not synchronized with Roundcube

The default configuration for the tasklist plugin is to use the database backend to store the tasks. This is usually changed by the arch-setup-kolab script. To do it manually, copy /usr/share/webapps/roundcubemail/plugins/tasklist/config.inc.php.dist to /etc/webapps/roundcubemail/config/tasklist.inc.php.

Web interface is slow when accessing IMAP folders

The default configuration uses TLS for all communications with the IMAP server. This can be slow, especially if you are using a large certificate. You can configure the Cyrus IMAP server so that it does not require TLS for localhost. To do so, edit:

/etc/cyrus/cyrus.conf
SERVICES {
    # add or remove based on preferences
    imap                cmd="imapd" listen="yourdomain:imap" prefork=5
    imaps               cmd="imapd -s" listen="imaps" prefork=1
    imapl               cmd="imapd" listen="localhost:imap" prefork=5
    # ... remaining services unchanged ...
}

Add a new service imapl that listens on localhost. We also need to change the imap service to listen only on the external addresses, as otherwise, it will conflict with the newly created service.

Now, add a line to imapd.conf to enable plaintext authentication when connecting from localhost (using the imapl service).

/etc/cyrus/imapd.conf
allowplaintext: no
imapl_allowplaintext: yes

Restart the cyrus services:

# systemctl restart postfix cyrus-master

Finally, configure Roundcube to disable TLS. Set the default host to localhost, without any protocol:

/etc/webapps/roundcubemail/config/config.inc.php
// IMAP Server Settings
$config['default_host'] = 'localhost';

Changing folders in Roundcube should be much faster now, while TLS is still enforced for remote connections.
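An added audit for the setup above, not part of the original page or of Cyrus: it reports any service that has a per-service allowplaintext override in imapd.conf but does not listen on a loopback address in cyrus.conf. The function name audit_plaintext is made up for this example, and it assumes one service per line with a quoted listen= value, as in the excerpt above.

```shell
#!/bin/sh
# Added example: confirm that plaintext IMAP logins are reachable only over
# loopback after adding the imapl service.
#
# Usage: audit_plaintext /etc/cyrus/imapd.conf /etc/cyrus/cyrus.conf

# audit_plaintext IMAPD_CONF CYRUS_CONF
# Prints one finding per line. Returns 0 when clean, 1 otherwise.
audit_plaintext() {
  _imapd=$1 _cyrus=$2 _bad=0

  # This page's imapd.conf sets "allowplaintext: no" globally; anything
  # other than an explicit "off" value is reported (assumption of this check).
  if ! grep -Eq '^[[:space:]]*allowplaintext:[[:space:]]*(no|off|f|false|0)[[:space:]]*$' "$_imapd"; then
    echo "global: allowplaintext is not explicitly disabled in $_imapd"
    _bad=1
  fi

  # Every "<service>_allowplaintext: <on value>" override names a service
  # from cyrus.conf. Look up that service's listen= address.
  for _svc in $(sed -nE 's/^[[:space:]]*([A-Za-z0-9]+)_allowplaintext:[[:space:]]*(yes|on|t|true|1)[[:space:]]*$/\1/p' "$_imapd"); do
    _listen=$(sed -nE "s/^[[:space:]]*${_svc}[[:space:]].*listen=\"([^\"]*)\".*/\1/p" "$_cyrus")
    case $_listen in
      localhost:*|127.0.0.1:*|'[::1]:'*)
        ;;  # bound to loopback only: matches the imapl service on this page
      '')
        echo "$_svc: plaintext allowed but service not found in $_cyrus"
        _bad=1 ;;
      *)
        # A bare port such as "imap" or an external name means the service
        # accepts connections from other hosts.
        echo "$_svc: plaintext allowed on non-loopback listener \"$_listen\""
        _bad=1 ;;
    esac
  done
  return "$_bad"
}
```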

See also