Date post: 14-Apr-2015
Kolab Groupware 3.0 Enterprise Installation Guide The Kolab Groupware Solution Christian Mollekopf Jeroen van Meeuwen
Kolab Groupware 3.0

Enterprise Installation Guide

The Kolab Groupware Solution

Christian Mollekopf

Jeroen van Meeuwen

Kolab Groupware 3.0 Enterprise Installation Guide
The Kolab Groupware Solution
Edition 1

Author Christian Mollekopf [email protected] Jeroen van Meeuwen [email protected]

Copyright © 2011-2012 Kolab Systems AG. This material may only be distributed subject to the terms and conditions set forth in the GNU Free Documentation License (GFDL), V1.2 or later (the latest version is presently available at http://www.gnu.org/licenses/fdl.txt).

A short overview and summary of the book's subject and purpose, traditionally no more than one paragraph long. Note: the abstract will appear in the front matter of your book and will also be placed in the description field of the book's RPM spec file.

Preface
  1. Document Conventions
    1.1. Typographic Conventions
    1.2. Pull-quote Conventions
    1.3. Notes and Warnings
  2. Feedback
    2.1. Reporting Bugs in Kolab
    2.2. Mailing Lists
    2.3. IRC
  3. About Kolab Groupware
    3.1. Free Software Components
    3.2. Supported Platforms and System Requirements
    3.3. Kolab Product Series

I. Kolab Groupware Server
  1. Preparing the System
    1.1. Partitioning
    1.2. SELinux
    1.3. System Firewall
    1.4. System Users
    1.5. The System Hostname and FQDN
  2. Overview
  3. Installation
    3.1. Kolab Server Installation
    3.2. Repository Configuration
      3.2.1. Installation with APT Packages
      3.2.2. Installation with RPM Packages
    3.3. Full default installation on a single server
    3.4. Packagelist
  4. Configuration
    4.1. Customizing the Setup Process
    4.2. Command-line Options for setup-kolab
    4.3. LDAP Component
      4.3.1. Allowing Anonymous Binds
      4.3.2. Accounts Created
  5. First Login
    5.1. Creating a User
      5.1.1. Troubleshooting
    5.2. Creating a Kolab Administrator
    5.3. Logging in to Roundcube
  6. Server Appendix
    6.1. Certificate Authority (CA)-Certificates

II. Kolab Groupware Webclients
  7. Roundcube
    7.1. Installing the Database
    7.2. Preparing the Database
    7.3. Installation
    7.4. Configuration
  8. Horde
    8.1. Installing the Database
    8.2. Preparing the Database
  9. Webclient-Appendix
    9.1. Installation of the MySQL-Database

III. Kolab Groupware Desktop-Clients
  10. Kontact
    10.1. Installation
    10.2. Configuration
      10.2.1. Configuration through the KolabWizard
      10.2.2. Manual Configuration of Kontact
  11. Thunderbird
  12. Outlook

IV. Cyrus IMAP
  13. Installation of Cyrus IMAP
    13.1. Installation
  14. Configuration of Cyrus IMAP
  15. Configuring IMAP
  16. Securing Cyrus IMAP Communications
  17. IMAP Partitions
  18. IMAP Option Reference
  19. System Configuration Defaults
  20. Creating a Cyrus Murder Setup
    20.1. Setting up the master update server
      20.1.1. Choosing the mupdate mode
  21. Creating an IMAP Backend Server
    21.1. Hooking in a new backend server into a murder setup
  22. Creating an IMAP Frontend Server
    22.1. Hooking in a new frontend server into a murder setup

A. Revision History

Index


Preface

1. Document Conventions

This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information.

In PDF and paper editions, this manual uses typefaces drawn from the Liberation Fonts [1] set. The Liberation Fonts set is also used in HTML editions if the set is installed on your system. If not, alternative but equivalent typefaces are displayed. Note: Red Hat Enterprise Linux 5 and later includes the Liberation Fonts set by default.

1.1. Typographic Conventions

Four typographic conventions are used to call attention to specific words and phrases. These conventions, and the circumstances they apply to, are as follows.

Mono-spaced Bold

Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. For example:

To see the contents of the file my_next_bestselling_novel in your current working directory, enter the cat my_next_bestselling_novel command at the shell prompt and press Enter to execute the command.

The above includes a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable thanks to context.

Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example:

Press Enter to execute the command.

Press Ctrl+Alt+F2 to switch to the first virtual terminal. Press Ctrl+Alt+F1 to return to your X-Windows session.

The first paragraph highlights the particular keycap to press. The second highlights two key combinations (each a set of three keycaps with each set pressed simultaneously).

If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph will be presented as above, in mono-spaced bold. For example:

File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.

Proportional Bold

This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles. For example:

Choose System → Preferences → Mouse from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed mouse check box and click Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).

To insert a special character into a gedit file, choose Applications → Accessories → Character Map from the main menu bar. Next, choose Search → Find… from the Character Map menu bar, type the name of the character in the Search field and click Next. The character you sought will be highlighted in the Character Table. Double-click this highlighted character to place it in the Text to copy field and then click the Copy button. Now switch back to your document and choose Edit → Paste from the gedit menu bar.

The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.

[1] https://fedorahosted.org/liberation-fonts/

Mono-spaced Bold Italic or Proportional Bold Italic

Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text. Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example:

To connect to a remote machine using ssh, type ssh username@domain.name at a shell prompt. If the remote machine is example.com and your username on that machine is john, type ssh john@example.com.

The mount -o remount file-system command remounts the named file system. For example, to remount the /home file system, the command is mount -o remount /home.

To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.

Note the words in bold italics above — username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.

Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example:

Publican is a DocBook publishing system.

1.2. Pull-quote Conventions

Terminal output and source code listings are set off visually from the surrounding text.

Output sent to a terminal is set in mono-spaced roman and presented thus:

books        Desktop   documentation  drafts  mss    photos   stuff  svn
books_tests  Desktop1  downloads      images  notes  scripts  svgs

Source-code listings are also set in mono-spaced roman but add syntax highlighting as follows:

package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient
{
   public static void main(String args[])
       throws Exception
   {
      InitialContext iniCtx = new InitialContext();
      Object         ref    = iniCtx.lookup("EchoBean");
      EchoHome       home   = (EchoHome) ref;
      Echo           echo   = home.create();

      System.out.println("Created Echo");

      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
   }
}

1.3. Notes and Warnings

Finally, we use three visual styles to draw attention to information that might otherwise be overlooked.

Note

Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.

Important

Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' will not cause data loss but may cause irritation and frustration.

Warning

Warnings should not be ignored. Ignoring warnings will most likely cause data loss.

2. Feedback

We value feedback on our software as well as our documentation. Please find ways to contact us in this section.

2.1. Reporting Bugs in Kolab

Bug reports can be logged in our Bugzilla issue tracker [2]. Please bear in mind registration is required to log bugs.

Before reporting a bug, please search the issue tracker for existing bugs that may report the same problem.

When reporting a bug, please prepare to provide the following information:

• Your platform, and if applicable, your distribution and the distribution version.

• The version(s) of the relevant Kolab component(s) you are using.

• If a custom version is used, any options that may have been specified during the build process.

[2] https://bugzilla.kolabsys.com

2.2. Mailing Lists

Mailing lists are a quick way to get in touch with a large number of subscribers, who may know the answer to your question or can provide you with additional insight.

Announcement Mailing List

Kolab Groupware administrators and developers are strongly encouraged to subscribe to the moderated, low-volume announcement mailing list, to which important release announcements are submitted. We have the announcement mailing list available at https://lists.kolab.org/mailman/listinfo/kolab-announce. To subscribe to the list, either click the aforementioned link and fill out the information requested, or send an email to [email protected].

User Mailing List

For users of Kolab software, we run a public mailing list at https://lists.kolab.org/mailman/listinfo/kolab-users. To subscribe to the list, either click the aforementioned link and fill out the information requested, or send an email to [email protected].

Development Mailing List

For developers of Kolab software, as well as general discussion on bugs and patches, we run a public mailing list at https://lists.kolab.org/mailman/listinfo/kolab-devel. To subscribe to the list, either click the aforementioned link and fill out the information requested, or send an email to [email protected].

2.2.1. Archives

The archives of the announcement, user support and development discussion mailing lists are available through web archives.

2.3. IRC

Internet Relay Chat (IRC) is another way to get in touch with some of the people that develop and use Kolab Groupware. Use your favorite IRC client to connect to the FreeNode IRC Network [6], or use the web-based chat [7].

Once connected, join us in the #kolab IRC channel [8].

[3] mailto:[email protected]
[4] mailto:[email protected]
[5] mailto:[email protected]
[6] http://freenode.net
[7] http://webchat.freenode.net?channels=kolab&uio=d4
[8] irc://irc.freenode.net/kolab

3. About Kolab Groupware

Kolab Groupware is a highly scalable, flexible, multi-platform solution for Emails, Appointments, Contacts and more. It supports mixed client environments (Outlook/KDE) because of a well-defined, interoperable and open storage format. Any email client speaking standard protocols can be served.

The Kolab Groupware solution consists of many Free Software components, integrated by Kolab in order to build a groupware solution.

3.1. Free Software Components

Free Software components included with Kolab Groupware include:

• Postfix
  Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different.

  Website: http://www.postfix.org/

• Cyrus IMAP
  Cyrus IMAP is a highly scalable enterprise mail system designed for use in enterprise environments of various sizes using standards based technologies. Cyrus IMAP technologies scale from independent use in email departments to a system centrally managed in a large enterprise.

  Website: http://www.cyrusimap.org/

• OpenLDAP
  OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

  Website: http://www.openldap.org/

• Roundcube
  Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking.

  Website: http://www.roundcube.net/

3.2. Supported Platforms and System Requirements

Kolab Groupware is supported on the following platforms:

• All reasonably recent versions of Linux [9], including but not limited to the following distributions, in no particular order other than alphabetic:

  • CentOS [10]

  • Debian [11]

  • Fedora [12]

  • Red Hat Enterprise Linux [13]

  • Univention Corporate Server [14]

Should your Linux distribution or platform not be listed here, please refer to Section 2, “Feedback” for ways of contacting the Kolab Development team.

[9] By reasonably recent versions of Linux, we intend to indicate the Kolab project can manage to keep up with the latest distribution release ear-marked stable.
[10] http://centos.org
[11] http://debian.org

3.3. Kolab Product Series

Kolab Groupware consists of free software components, each of which is available from various upstream development and support project organizations, including Linux distributions.

The Kolab Groupware developers, community members and Kolab Systems engineering and support staff maintain many of the packages related to Kolab with the Linux distributions through which those packages are available.

The Kolab software repositories can therefore include only those software components, or those specific versions of software components, that differentiate from what is available through the upstream Linux distribution software repositories, and possibly recommended or required additional software repositories.

Product series are versioned, each of them created to provide a sustainable stream of updates to the individual software components included in that product series.

The convention for Server Product Versioning is subject to the guidelines proposed and accepted as Kolab Enhancement Proposal #5 [15] (KEP #5 for short).

3.3.1. Product Streams

Two different product streams exist, a community edition and an enterprise edition.

The differences between the community edition and the enterprise edition are as follows:

1. No debuginfo sub-packages are made available through the repositories for the community edition. You typically need debuginfo sub-packages in case stack traces need to be generated for binary compiled programs such as mysql, openldap, cyrus-imapd, php and others.

2. The packages available through the repositories for the community edition are not signed with a PGP key, and therefore the authenticity of the packages cannot be verified.

3. The repositories for the community edition are made available through HTTP only, while the enterprise edition's repositories are available over HTTPS only. For the community edition, the authenticity cannot be verified.

4. In the repositories for the community edition, no package builds other than the latest are made available. Rolling back a software update foo-1.0-2.el5 to a previously installed software version foo-1.0-1.el5 after a failed update is therefore not possible unless a copy of foo-1.0-1.el5 had been preserved.

5. For the community edition, no security errata –other than for critical security issues– is sent out.

6. The enterprise edition is supported for a longer term than the community edition.

7. The software available in the enterprise edition is subjected to thorough quality assurance and certification before being made available.

3.3.2. Repository Stages

4 different repository stages exist, each of them indicating the expected level of stability, and point-in-time release.

The release and updates repositories contain the most stable software (community edition) which is supported (professionally in the enterprise edition).

The updates-testing repositories contain software that is being stabilized (through the collection of community feedback for the community edition) before being submitted to the updates repository.

[12] http://fedoraproject.org
[13] http://redhat.com
[14] http://www.univention.de/index.php?id=964&L=1
[15] http://wiki.kolab.org/KEP:5

Part I. Kolab Groupware Server

Chapter 1. Preparing the System

The installation of Kolab requires you prepare the system for installation.

1.1. Partitioning

When installing the Kolab server, we recommend using LVM when partitioning the system. The following directories could benefit from being on separate logical volumes, leaving about 10% of raw disk space in the volume group unallocated:

• /var/lib/mysql/

• /var/lib/imap/

• /var/spool/imap/

Important

Partition and/or divide into logical volumes, configure the mount points and mount the filesystems prior to the installation of packages, as packages may deploy files into these directories.

Should you decide to partition only after the packages have already been installed, or after the deployment has already been used, first mount the filesystems somewhere else and synchronize the contents from the original directories over to the new filesystem hierarchy. Please note services should be stopped before doing so, or only corrupt data will be transferred. Remove the original contents of the filesystem after having synchronized, then mount the filesystems under their target mount points.

For large or multi-domain installations, we suggest moving /var/lib/imap/ and /var/spool/imap/ to /srv/imap/[$domain/]config/ and /srv/imap/[$domain/]default/ respectively. In allowing /srv/imap/ to be one separate partition, backup using LVM snapshots is easier. Note that $domain in the aforementioned path is optional, and should only be used when multiple, but separate, isolated IMAP servers are to be started.

Note

When partitions are mounted under the aforementioned directories, they do not necessarily have the correct filesystem permissions any longer. The following is a list of default permissions.

• drwxr-xr-x. 7 mysql mysql 4096 May 11 15:34 /var/lib/mysql/

• drwxr-x---. 20 cyrus mail 4096 May 11 17:04 /var/lib/imap/

• drwx------. 3 cyrus mail 4096 May 11 15:36 /var/spool/imap/

1.2. SELinux

Not all components of Kolab Groupware are currently completely compatible with running under SELinux enforcing the targeted policy.

Please consider configuring SELinux to be permissive. Please let us know what AVC denials occur so we can work on fixing the issue.

Important

The Kolab Web Administration Panel currently depends on SELinux not enforcing the targeted policy.

To view the current mode SELinux operates in, execute the following command:

# sestatus

To temporarily disable SELinux's enforcement of the targeted policy (without rebooting the system), issue the following command:

# setenforce 0

To disable SELinux's enforcement of the targeted policy in a manner persistent across system restarts, edit /etc/selinux/config and set SELINUX to permissive rather than enforcing. Doing so also changes the Mode from config file: line in the output of sestatus.
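
In permissive mode SELinux still writes an AVC record for every access it would have denied, which is the material the request above asks you to report. The following is an added example, not part of the Kolab guide: it collapses the AVC records of an audit log into one line per distinct denial. The function names and the sample records are constructed for illustration; on a system running auditd the log is normally /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the Kolab guide: summarise SELinux AVC denials.

# kolab_avc_summary [FILE...]   (reads standard input when no file is given)
# Prints "COUNT COMM SOURCE_TYPE TARGET_TYPE CLASS PERMS", most frequent first,
# so that repeated denials collapse into a single reportable line.
kolab_avc_summary() {
    awk '
        /type=AVC/ && /denied/ {
            perms = ""; comm = ""; src = ""; tgt = ""; cls = ""
            # The permission set is the text between the braces: { read open }
            if (match($0, /\{[^}]*\}/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
                gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
                # A context is user:role:type:level; policy rules are written against the type.
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            }
            count[comm " " src " " tgt " " cls " " perms]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample records (not captured from a Kolab system).
kolab_avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1336750001.101:501): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=389 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1336750001.101:501): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1336750009.440:517): avc:  denied  { name_connect } for  pid=2107 comm="httpd" dest=389 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1336750020.002:530): avc:  denied  { read open } for  pid=2230 comm="php" path="/tmp/example" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
EOF
}

# Run against real logs by passing their paths as arguments.
if [ $# -gt 0 ]; then kolab_avc_summary "$@"; fi
```

The summary lines name the source and target types involved, which is what a policy fix is written against.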

1.3. System Firewall

Kolab Groupware deliberately does not touch any firewall settings, perhaps wrongly assuming you know best. Before you continue, you should verify your firewall allows the standard ports used with Kolab Groupware. These ports include:

• Port 25, tcp
  Used to receive emails.

• Port 80, tcp
  Used for web interfaces.

• Port 110, tcp
  Used for POP.

• Port 143, tcp
  Used for web IMAP.

• Port 389, tcp
  Used for LDAP directory services.

• Port 443, tcp
  Used for secure web interfaces.

• Port 465, tcp
  Used for secure mail transmission.

• Port 587, tcp
  Used for secure mail submission.

• Port 636, tcp
  Used for secure LDAP directory services.

• Port 993, tcp
  Used for secure IMAP.

• Port 995, tcp
  Used for secure POP.

Summarizing these changes into /etc/sysconfig/iptables, working off of an original, default installation of CentOS 6, this file would look as follows:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After changing /etc/sysconfig/iptables, execute a service restart:

# service iptables restart
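
The following is an added example, not part of the Kolab guide: it audits a rules file in the /etc/sysconfig/iptables format against the port list above, and also catches an ACCEPT rule that was appended after the catch-all REJECT, where it never matches. The function names and the constructed sample rules (including port 3306) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Kolab guide: audit an iptables rules file
# against the TCP ports listed in section 1.3.
KOLAB_TCP_PORTS="25 80 110 143 389 443 465 587 636 993 995"

# kolab_fw_audit FILE
# Prints one finding per line and returns 1 if a listed port is not reachable:
#   missing PORT     no ACCEPT rule for a port on the list
#   shadowed PORT    the ACCEPT rule sits after the catch-all REJECT/DROP
#   unexpected PORT  TCP port accepted that is not on the list (22/SSH is tolerated)
kolab_fw_audit() {
    awk -v want="$KOLAB_TCP_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        # Only INPUT chain rules decide which inbound ports are open.
        $1 != "-A" || $2 != "INPUT" { next }
        # "-A INPUT -j REJECT ..." has no match options: every later rule is dead.
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { closed = 1; next }
        {
            port = ""; target = ""; tcp = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            }
            if (target != "ACCEPT" || port == "" || !tcp) next
            if (closed) late[port] = 1; else ok[port] = 1
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = w[i]
                if (p in ok) continue
                print ((p in late) ? "shadowed " : "missing ") p
                bad = 1
            }
            for (p in ok) if (!(p in need) && p != "22") print "unexpected " p
            exit bad
        }
    ' "$1"
}

# Constructed sample: 587 is accepted only after the REJECT, 995 is absent,
# and 3306 is open although it is not on the list.
kolab_fw_sample() {
    printf '%s\n' "*filter" ":INPUT ACCEPT [0:0]"
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in 22 25 80 110 143 389 443 465 636 993 3306; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
    printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT"
    printf '%s\n' "COMMIT"
}

# Audit a real file by passing its path, e.g. /etc/sysconfig/iptables.
if [ $# -gt 0 ]; then kolab_fw_audit "$1"; fi
```

An "unexpected" finding is informational only; it points at a port that is exposed without being needed by the services this guide installs.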

1.4. System Users

1. No user or group with IDs 412, 413 or 414 may exist on the system prior to the installation of Kolab.

2. No user or group with the names kolab, kolab-n or kolab-r may exist on the system prior to the installation of Kolab.

1.5. The System Hostname and FQDN

The setup procedure of Kolab Groupware also requires that the Fully Qualified Domain Name (FQDN) for the system resolves back to the system. If the FQDN does not resolve back to the system itself, the Kolab Groupware server components will refer to the system by the configured or detected FQDN, but will fail to communicate with one another.

Should the FQDN of the system (found with hostname -f) be, for example, kolab.example.org, then kolab.example.org should resolve to the IP address configured on one of the network interfaces not the loopback interface, and the IP address configured on said network interface should have a reverse DNS entry resulting in at least kolab.example.org.

Example 1.1. Example Network and DNS Configuration

The following lists an example network and DNS configuration for a Kolab Groupware server.

# hostname -f
kolab.example.org
# ping -c 1 kolab.example.org
PING kolab.example.org (192.168.122.40) 56(84) bytes of data.
64 bytes from kolab.example.org (192.168.122.40): icmp_seq=1 ttl=64 time=0.014 ms

--- kolab.example.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.014/0.014/0.014/0.000 ms
# ip addr sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:72:10:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.40/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe72:1083/64 scope link
       valid_lft forever preferred_lft forever
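
The following is an added example, not part of the Kolab guide: it tests each condition of section 1.5 in turn (the name is fully qualified, it resolves, the address is not loopback, the address is configured on this host, and the reverse lookup returns the FQDN) and reports which one fails. It covers IPv4 only; the function names are illustrative, and the three lookup helpers assume glibc getent and iproute2 are available.

```shell
#!/bin/sh
# Added example, not from the Kolab guide: pre-flight check for section 1.5.
# The three lookup helpers are assumptions about the host (glibc getent,
# iproute2); redefine them to query other resolvers.
kolab_forward()     { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }
kolab_reverse()     { getent hosts "$1" | awk '{ for (i = 2; i <= NF; i++) print $i }'; }
kolab_local_addrs() { ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'; }

# kolab_fqdn_check FQDN
# Prints "ok FQDN ADDRESS" and returns 0 when some address passes every test;
# otherwise prints why each candidate address failed and returns 1.
kolab_fqdn_check() {
    fqdn=$1
    good=""
    case $fqdn in
        *.*) ;;
        *) echo "not-qualified $fqdn"; return 1 ;;
    esac
    addrs=$(kolab_forward "$fqdn")
    if [ -z "$addrs" ]; then echo "no-forward $fqdn"; return 1; fi
    for a in $addrs; do
        case $a in
            # Typical cause: the FQDN is listed on a 127.x line in /etc/hosts.
            127.*) echo "loopback $a"; continue ;;
        esac
        # The name must point at this machine, not at some other host.
        if ! kolab_local_addrs | grep -qxF "$a"; then
            echo "not-local $a"; continue
        fi
        # The reverse entry must give back at least the FQDN itself.
        if kolab_reverse "$a" | grep -qxiF "$fqdn"; then
            good=$a
        else
            echo "no-reverse $a"
        fi
    done
    if [ -n "$good" ]; then echo "ok $fqdn $good"; return 0; fi
    return 1
}

# Pass the name to test, normally the output of hostname -f.
if [ $# -gt 0 ]; then kolab_fqdn_check "$1"; fi
```

For the configuration in Example 1.1 the expected result is "ok kolab.example.org 192.168.122.40", provided the reverse entry for 192.168.122.40 exists.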

Chapter 2. Overview

The Kolab server is built out of the best available Free and Open Source software components, most if not all of which are available through the Linux distribution of your preference. However, such Linux distribution may not be as up-to-date as one might wish for the Kolab Groupware to provide the latest and greatest functionality, or may simply have a different update policy from what is typically acceptable for a Groupware environment.

The Kolab server consists of the following 6 components, which can be distributed among several systems. Each of those components can be installed using the provided meta-package.

To install all components on a single system, a kolab meta-package is available, pulling in all other packages and dependencies.

• IMAP
  The IMAP server component of Kolab Groupware, including a daemon which synchronizes user accounts from LDAP with IMAP mailboxes.

  To install the IMAP component, use the kolab-imap meta-package. This meta-package pulls in cyrus-imapd and kolab-server.

• LDAP
  The LDAP directory server component is used for user and group information, authentication and authorization.

  To install the LDAP component, use the kolab-ldap meta-package. This meta-package pulls in 389-ds and dependencies, and kolab-schema, the package containing the Kolab LDAP Schema extensions.

• MTA
  The MTA, including spam-filter, virus-scanner, Kolab SMTP Access Policy and the Kolab content-filter.

  To install the MTA component, use meta-package kolab-mta, which installs Postfix, Amavisd, SpamAssassin, ClamAV, postfix-kolab and Wallace.

• Web Administration Panel
  The Kolab web-based administration panel and API.

  To install the Web Administration Panel and API, install the kolab-webadmin package.

• Web Client
  The web-based client for Kolab, based on Roundcube.

  To install the Kolab web-client, use meta-package kolab-webclient. This meta-package pulls in Roundcube, the default MySQL database driver packages, and the Kolab plugins for Roundcube.

• Databases
  The database component, shared between the Kolab Web Administration Panel, the Web Client, and the MTAs.

  No meta-package for this component exists, as the default choice for a MySQL server is contained within a single package throughout the supported platforms.


Chapter 3. Installation

The Kolab community provides APT and RPM packages for most commonly used Linux distributions. Please see Section 3.2.1, “Installation with APT Packages” and Section 3.2.2, “Installation with RPM Packages” for more information.

3.1. Kolab Server Installation

To get a fully working Kolab installation, all of the components listed in Chapter 2, Overview need to be installed and the system needs to be prepared according to the instructions listed in Chapter 1, Preparing the System.

The Kolab community provides APT and RPM packages for most commonly used Linux distributions. To get a fully working Kolab server on a single system, please install the “kolab-groupware” meta-package, which will install all components, and run the setup script on a single system.

The default installation assumes that all components are installed on the same system.

If you have a distributed deployment or want non-default components, please see Section 3.2.1, “Installation with APT Packages” and Section 3.2.2, “Installation with RPM Packages” for more information.

For help with your deployment please refer to the “Deployment Guide”.

3.2. Repository Configuration

Kolab provides packages in extra repositories, therefore these repositories need to be configured first.

3.2.1. Installation with APT Packages

Important

APT packages for Kolab 3.0 are actively being worked on, but are not yet available.

3.2.2. Installation with RPM Packages

RPM packages are being provided for the following Linux distributions and versions:

Table 3.1. RPM Packages Distribution Support

Distribution Information

Name                      Code Name      Version  Architectures  EOS / EOL Date
CentOS                    -              6        i386, amd64    Approximately Q4, 2017
Fedora                    Verne          16       i386, amd64    Q2, 2013
Fedora                    Beefy Miracle  17       i386, amd64    Q4, 2013
Red Hat Enterprise Linux  Santiago       6        i386, amd64    Approximately Q4, 2017

Before the installation, it is necessary to install the configuration for the Kolab software repositories.


3.2.2.1. Using the Priorities YUM Plugin to Avoid Package Conflicts

Any given package may, at any time, be or become available to the system through both the Kolab repositories and the regular distribution repositories. To avoid switching back and forth between the two versions, by mistake or by accident, we recommend the following procedure, which employs YUM repository priorities to eliminate the risk of running into such problems in the future.

Consider installing the yum-priorities (Enterprise Linux 5) or yum-plugin-priorities package (all other platforms) to avoid such conflicts.

Procedure 3.1. Installing and Configuring YUM priorities

1. Enterprise Linux 6

The yum-plugin-priorities is available from the EPEL package repository [1]. Please install it:

# yum install yum-plugin-priorities

2. Fedora

The yum-plugin-priorities is available in the standard repositories. Please install it:

# yum install yum-plugin-priorities

3. The repositories that have been installed using the kolab-3.0-enterprise-release package(s) have a pre-configured priority of 50. The default repository priority is 99. This will set the correct priorities, unless you have repositories configured other than the base operating system repositories (not including 'addons' and 'extras' on CentOS platforms), EPEL and the Kolab Groupware repositories. Should the system happen to already make use of YUM priorities, please make sure the Kolab repositories have the appropriate priority.

3.2.2.2. Configuration Considerations for Additional Repositories

Many additional third party software repositories exist, some of which provide packages also provided as part of the Red Hat Enterprise Linux or CentOS standard package repositories, the EPEL add-on repository Kolab Groupware requires, and/or the Kolab Groupware software repositories themselves.

Acceptable third party add-on software repositories include:

• EPEL (required)

• RPM Fusion (optional)

Repositories that the system must not be using, include:

• RPM Forge

• Webmin

Should the repository you wish to use not be listed here, please consult the Kolab Development mailing list [2].

[1] http://fedoraproject.org/wiki/EPEL
[2] mailto:[email protected]


3.2.2.3. CentOS

For full instructions on installing Kolab Groupware on CentOS, please refer to the instructions in Section 3.2.2.5, “Red Hat Enterprise Linux”.

Disable 'addons' and 'extras' repositories

Please be aware that on CentOS, you will need to disable the 'addons' and 'extras' repositories,as they contain packages not part of the Enterprise Linux base operating system.

To disable these repositories, edit /etc/yum.repos.d/CentOS-Base.repo and append a setting enabled=0 to sections [addons] and [extras], or delete the sections entirely.
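The repository rules from Sections 3.2.2.1 to 3.2.2.3 can be checked mechanically. The following Python is an added example, not part of the Kolab guide or its tooling; the repo ids kolab-3.0, rpmforge and webmin and the sample file content are assumptions constructed for illustration (only kolab-3.0-updates-testing, [addons] and [extras] appear in the guide).

```python
import configparser

DEFAULT_PRIORITY = 99                # yum-plugin-priorities default, as stated in the guide
KOLAB_PREFIX = "kolab-3.0"           # assumed id prefix (the guide names kolab-3.0-updates-testing)
FORBIDDEN = ("rpmforge", "webmin")   # assumed id substrings for RPM Forge and Webmin
CENTOS_EXTRA = ("addons", "extras")  # sections the guide says to disable on CentOS

# Constructed sample: the concatenated content of /etc/yum.repos.d/*.repo on a CentOS host.
SAMPLE_REPOS = """\
[base]
name=CentOS-$releasever - Base
enabled=1
priority=1

[extras]
name=CentOS-$releasever - Extras

[epel]
name=EPEL
enabled=1

[kolab-3.0]
name=Kolab 3.0
enabled=1
priority=50

[kolab-3.0-updates-testing]
name=Kolab 3.0 updates in testing
enabled=0
priority=50

[rpmforge]
name=RPM Forge
enabled=1
"""


def load_repos(repo_text):
    """Parse repo file content into {repo_id: {"enabled": bool, "priority": int}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    repos = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        enabled = section.get("enabled", fallback="1").strip().lower()
        repos[repo_id] = {
            # yum treats a repository without an "enabled" key as enabled
            "enabled": enabled not in ("0", "false", "no"),
            "priority": int(section.get("priority", fallback=str(DEFAULT_PRIORITY))),
        }
    return repos


def audit(repo_text):
    """Return a list of findings; an empty list means the layout matches the guide."""
    enabled = {k: v for k, v in load_repos(repo_text).items() if v["enabled"]}
    kolab = {k: v for k, v in enabled.items() if k.startswith(KOLAB_PREFIX)}
    others = {k: v for k, v in enabled.items() if k not in kolab}
    findings = []
    if not kolab:
        findings.append("no enabled Kolab repository found")
    else:
        # A lower number wins, so the numerically highest Kolab priority is the weakest.
        weakest = max(v["priority"] for v in kolab.values())
        for repo_id, repo in sorted(others.items()):
            if repo["priority"] <= weakest:
                findings.append(
                    f"{repo_id}: priority {repo['priority']} is not below the Kolab "
                    f"repositories (priority {weakest}), so its packages can replace theirs"
                )
    for repo_id in sorted(others):
        lowered = repo_id.lower()
        if any(tag in lowered for tag in FORBIDDEN):
            findings.append(f"{repo_id}: repository must not be used with Kolab Groupware")
        if lowered in CENTOS_EXTRA:
            findings.append(f"{repo_id}: disable with enabled=0 on CentOS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPOS):
        print(finding)
```

The sample shows the case the guide warns about: a host that already uses priorities (base at 1) outranks the Kolab repositories at 50 even though the Kolab release package set its own priority correctly.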

3.2.2.4. Fedora

The Kolab software repositories for Fedora ship two so-called -release packages:

1. kolab-3.0-enterprise-release

Depending on the version of Fedora, find the -release package at:

• Fedora 16 (Verne) [3]

• Fedora 17 (Beefy Miracle) [4]

2. kolab-3.0-enterprise-release-development

You can install the kolab-3.0-enterprise-release-development package using YUM, after having installed the kolab-3.0-enterprise-release package:

# yum install kolab-3.0-enterprise-release-development

Install this package using the following command:

# wget http://url/to/rpm
# yum localinstall --nogpgcheck /path/to/rpm

3.2.2.5. Red Hat Enterprise Linux

The EPEL [5] repository is required for Kolab Groupware on Red Hat Enterprise Linux. Install the EPEL repository using the following procedure:

Procedure 3.2. Installing the epel-release Package

1. Depending on the version of Red Hat Enterprise Linux, install the package as it is listed on the following page:

• Enterprise Linux 5 [6] (Tikanga)

• Enterprise Linux 6 [7] (Santiago)

2. Install this package using the following command:

# wget http://url/to/rpm
# yum localinstall --nogpgcheck /path/to/rpm

[3] https://mirror.kolabsys.com/fedora/kolab-3.0/f16/development/i386/repoview/kolab-3.0-enterprise-release.html
[4] https://mirror.kolabsys.com/fedora/kolab-3.0/f17/development/i386/repoview/kolab-3.0-enterprise-release.html
[5] http://fedoraproject.org/wiki/EPEL
[6] http://download.fedoraproject.org/pub/epel/5/i386/repoview/epel-release.html

For access to the Enterprise edition, you must have been issued an SSL certificate by Kolab Systems. For how to obtain, renew and use the SSL certificate to provide you with access to the Enterprise editions, please read https://support.kolabsys.com/Obtaining,_Renewing_and_Using_a_Client_SSL_Certificate.

The Kolab software repositories for Red Hat Enterprise Linux ship two so-called -release packages:

1. kolab-3.0-enterprise-release

Depending on the version of Red Hat Enterprise Linux, find the -release package at:

• Enterprise Linux 6 (Santiago) [8]

2. kolab-3.0-enterprise-release-development

You can install the kolab-3.0-enterprise-release-development package using YUM, after having installed the kolab-3.0-enterprise-release package:

# yum install kolab-3.0-enterprise-release-development

3.2.2.6. Repository Package Stages

Stable Software

Stable software, versions of packages deemed ready for general availability and production environments, is distributed through two repositories, release and updates. These repositories are configured on the system, and enabled by default, by installing the kolab-3.0-enterprise-release package.

Stable Software Currently in Testing

The kolab-3.0-enterprise-release package also installs a repository through which upcoming updates currently in their testing phase are distributed. This repository is called updates-testing, and is not enabled by default. Through Kolab Systems and/or community support channels, you may be asked to test an update distributed through the updates-testing repository to see if it fixes a bug you have reported. You would then, typically, temporarily enable the updates-testing repository by supplying the --enablerepo=kolab-3.0-updates-testing command-line option to YUM, overriding the system configuration file setting.

Example 3.1. Installing an Update from updates-testing

# yum --enablerepo=kolab-3.0-updates-testing update [package]

[7] http://download.fedoraproject.org/pub/epel/6/i386/repoview/epel-release.html
[8] https://mirror.kolabsys.com/redhat/kolab-3.0/el6/development/i386/repoview/kolab-3.0-enterprise-release.html


Software Currently in Development

Software that is currently in development for the product series you are running (in this case, series 3.0) is available through the so-called development repository. This software is considered unstable. By default, you will not have the package installed that provides the configuration for this repository, the kolab-3.0-enterprise-release-development package. Installing this package will cause the development repository to be enabled by default.

3.3. Full default installation on a single server

If you want a default installation with all components on a single server, please run:

# yum install kolab

Installing this meta-package will install all needed software components.

Once the installation is complete, you can continue with the configuration process as described inChapter 4, Configuration.

Alternatively you can install each component individually, which will give you the same result.

3.4. Packagelist

The following packages are available to install the individual components. Please use your distribution's package management system to install them.

The default meta-package will install the default component. The alternative package is an alternative to the default component. Optional packages provide extra functionality which is not needed for a standard installation.

Table 3.2. Packages

Package List

Package          default meta-package  alternative package  optional packages  Package Description
Complete Server  kolab                 -                    -                  A meta package to install all default components.
LDAP             kolab-ldap            -                    -                  The LDAP component (389 Directory Server).
IMAP             kolab-imap            -                    -                  The IMAP component (Cyrus IMAP).
MTA              kolab-mta             -                    -                  The MTA component (Postfix by default).
Webadmin         kolab-webadmin        -                    -                  -
Webclient        kolab-webclient       -                    -                  -


Chapter 4. Configuration

To bootstrap a default Kolab installation, with all components installed on a single system, the setup-kolab utility can be used. Run setup-kolab without any arguments to set up all Kolab components.

For non-default or distributed installations, trigger the setup of one or more components using setup-kolab <component>. See setup-kolab help for a list of components for which configuration is available.

Important

The setup utility by default asks for a bare minimum of input, and uses data available from the system, such as the system's fully qualified domain name (hostname and domain name parts, obtained from the reverse DNS entry on the network, not the configured FQDN) to set up the system with.

To use a custom hostname and domain name, execute setup-kolab with the --fqdn option, specifying a fully qualified domain name. Fully qualified domain names are expected to consist of three components, the hostname, domain name and top-level domain, divided by a "." (dot) character.

The FQDN used, in any case, should resolve back to the system Kolab is being set up on.

To further customize the installation, please refer to Section 4.1, “Customizing the Setup Process”.

4.1. Customizing the Setup Process

Specify a configuration file in any other location than the default location of /etc/kolab/kolab.conf to customize the setup process. setup-kolab accepts the --config=/path/to/file command-line option for this purpose.

Example 4.1. Setting up Kolab with a Customized Configuration File

The following is an example of setting up a Kolab Groupware server with the help of a customized configuration file.

# cp /etc/kolab/kolab.conf /root/mykolab.conf
# (...edit settings in /root/mykolab.conf...)
# setup-kolab -c /root/mykolab.conf

Important

Make sure the configuration file supplied to the setup process is complete and contains all settings in the original configuration file, or the setup process will fail.

4.2. Command-line Options for setup-kolab

Executing setup-kolab --help will display the command-line options that setup-kolab accepts.


# setup-kolab --help
Usage: setup-kolab.py [options]

Options:
  -h, --help            show this help message and exit

  Runtime Options:
    -c CONFIG_FILE, --config=CONFIG_FILE
                        Configuration file to use
    -d DEBUGLEVEL, --debug=DEBUGLEVEL
                        Set the debugging verbosity. Maximum is 9, tracing
                        protocols like LDAP, SQL and IMAP.
    -l LOGLEVEL         Set the logging level. One of info, warn, error,
                        critical or debug
    --logfile=LOGFILE   Log file to use
    -q, --quiet         Be quiet.
    -y, --yes           Answer yes to all questions.

  LDAP Options:
    --fqdn=FQDN         Specify FQDN (overriding defaults).
    --allow-anonymous   Allow anonymous binds (default: no).

  PHP Options:
    --timezone=TIMEZONE
                        Specify the timezone for PHP.

PyKolab is a Kolab Systems product. For more information about Kolab or
PyKolab, visit http://www.kolabsys.com

4.3. LDAP Component

The LDAP component of the setup utility configures a 389 Directory Server installation that has not yet been set up to work for a Kolab Groupware deployment, by feeding answers to setup-ds-admin.pl through an answer file, loading the Kolab LDAP Schema extensions, and adding the default set of user accounts Kolab Groupware requires.

Important

At the time of this writing, the setup for the LDAP component expects the setup is performed on a clean system, that has no existing LDAP server or server instance running.

This component also writes out the Kolab configuration file /etc/kolab/kolab.conf, which is used by the other components' setup procedures. In case the LDAP component is set up on a separate system, use the resulting /etc/kolab/kolab.conf as the setup configuration file for the other components.

The defaults for the LDAP setup include taking the system's Fully Qualified Domain Name, making the domain name the primary domain, and setting up 389 DS with a default root DN, in an instance named with the system's hostname.

A server with a FQDN of kolab01.example.org will therefore be configured to run dc=example,dc=org for primary domain name space example.org in a 389 Directory Server instance named kolab01. To use a different FQDN, use command-line option --fqdn <your_fqdn>. The setup will still use the hostname and domain name components, however.


When run against an existing configuration file that is not /etc/kolab/kolab.conf (but, for example, /etc/kolab/kolab-setup.conf), the setup process will take the existing configuration and set up a 389 Directory Server accordingly. This allows for greater flexibility in, among others, which root DN is used. You may discard the configuration file used for the setup afterwards; it contains no information of value other than for troubleshooting purposes, and it is not written to by the setup process.

4.3.1. Allowing Anonymous Binds

By default, Kolab Groupware sets up the LDAP server so that no anonymous binds are allowed. This is a security consideration, aiding in preventing certain reconnaissance attack vectors.

This means by default, the LDAP server port(s) could be exposed to the Internet, meaning your "Road Warrior" users would be able to use the LDAP address book.

It prevents, however, the graphical 389 Directory Server console application from being used, as it binds anonymously first, to find the LDAP entry used to log in with.

Should you need to use the graphical 389 directory server console, and you feel confident other security configuration is sufficient, you can allow anonymous binds from the get-go by specifying the --allow-anonymous command-line option to setup-kolab.
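To confirm which anonymous-bind policy a finished setup actually applied, the directory server's own configuration can be inspected. The Python below is an added example, not part of the Kolab guide or PyKolab; it assumes 389 Directory Server records the policy in the nsslapd-allow-anonymous-access attribute of cn=config in the instance's dse.ldif (on, off or rootdse, with on as the server default when unset), and the sample LDIF is constructed.

```python
import base64

# Constructed sample of a dse.ldif excerpt for an instance named kolab01.
# The attribute is deliberately folded across two lines, which LDIF permits.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-localhost: kolab01.example.org
nsslapd-allow-anonymous-
 access: off

dn: cn=schema
cn: schema
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict of lower-cased attribute -> values."""
    # Unfold first: a line that starts with a single space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():              # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # comment line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" carries an encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def anonymous_access_mode(dse_ldif_text):
    """Return 'on', 'off' or 'rootdse' as configured on cn=config."""
    for entry in parse_ldif(dse_ldif_text):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            values = entry.get("nsslapd-allow-anonymous-access")
            # Assumption: an unset attribute means the 389 DS default, 'on'.
            return values[-1].lower() if values else "on"
    raise ValueError("no cn=config entry in the supplied LDIF")


def check_policy(dse_ldif_text, allow_anonymous_requested=False):
    """Compare the configured mode with what was asked of setup-kolab.

    Returns (mode, ok). Without --allow-anonymous the expected mode is 'off';
    with it, 'on' (the console's anonymous first bind needs full access).
    """
    mode = anonymous_access_mode(dse_ldif_text)
    expected = "on" if allow_anonymous_requested else "off"
    return mode, mode == expected


if __name__ == "__main__":
    mode, ok = check_policy(SAMPLE_DSE_LDIF)
    print(f"anonymous access: {mode} ({'as expected' if ok else 'differs from setup option'})")
```

On a real host the input would be the content of the instance's dse.ldif, read with root privileges.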

4.3.2. Accounts Created

The LDAP component setup creates 2 accounts in addition to the 2 accounts required to set up 389 Directory Server. The following is a summary of which accounts are set up and/or created, and what their purpose is.

4.3.2.1. The Administrator Account

The administrator account is an account required to set up 389 Directory Server, and is used for day-to-day administration through the 389 Graphical Console interface.

Despite the fact Kolab Groupware includes a Web Administration Panel for day-to-day administration, it does not provide an interface to all possible options and features exposed with 389 Directory Server. For example, at the time of this writing, the Kolab Web Administration Panel does not have capabilities allowing the administration on Organizational Units (the Directory Information Tree structure), nor the administration of access control on entries or structures in the tree.

4.3.2.2. The Directory Manager Account

The Directory Manager account is an account required to set up 389 Directory Server, and is used for administration tasks beyond day-to-day administration. Such tasks include, for example, managing server databases for LDAP root DNs (separate databases for isolated Directory Information Trees), configuring replication and TLS/SSL.

4.3.2.3. The Cyrus Administrator Account

In order to be able to manage mailboxes, Kolab Groupware requires the availability of an account that is a designated Cyrus IMAP administrator account.

As stated in the /etc/imapd.conf configuration file, the cyrus-admin user is a Cyrus IMAP administrator. The setup creates the corresponding LDAP user account with the password supplied during setup.

The location of the user account is in ou=Special Users, so that the entry does not appear in any Global Address Book on clients including Kontact and Roundcube.


4.3.2.4. The Kolab Service Account

The Kolab Service account is a dedicated account that services including Postfix, Roundcube and the Kolab Web Administration Panel use to bind to LDAP.

This enables Kolab Groupware to configure LDAP to not allow anonymous binds. Not allowing anonymous binds is important when the Kolab server is exposed to the internet, which so-called road-warrior users may require it to be.

The Kolab Service account is supposed to have access to search, read and compare entries throughout the entire Directory Information Tree. This includes, for example, a part of the tree that has been made 'invisible' to other users. Please see Example 4.2, “Restricting Access to Parts of the Directory Information Tree” for an example scenario.

Additionally, the Kolab Service account is granted search, read and compare rights on cn=kolab,cn=config, the location where domain name spaces serviced by the Kolab Groupware deployment are stored.

Example 4.2. Restricting Access to Parts of the Directory Information Tree

A Kolab Groupware environment set up for development, testing and demonstration purposes allows people to request accounts.

One account is issued to potential customer $x, while another is issued to potential customer $y.

Various Kolab Systems partners already have accounts that allow them to demonstrate Kolab Groupware to potential customers. Additional test accounts are issued to those potential customers as well.

No partner or customer is allowed to browse the global address book and recognize the names of all people that have been issued accounts, as this would disclose trade information and give unfair advantage.

To this end, each organizational entity is issued a private organizational unit, to which access is severely restricted, and accounts for people associated with this organizational entity are created in this part of the directory information tree.

Regardless of who is issued access to said organizational unit, the Kolab services including Postfix, Roundcube and the Kolab Web Administration Panel require access to these parts of the tree in order to:

• Find valid sender and recipient email addresses.

• Upon login, search for the user entry corresponding with the login username supplied, so that a bind attempt with the supplied password can be attempted.


Chapter 5. First Login

Once you have successfully set up the Kolab Groupware server, it is time to add some users.

Navigate to the /kolab-webadmin URL on your webserver using HTTP. For example, a server set up on localhost would be at http://127.0.0.1/kolab-webadmin.

Log in using the username cn=Directory Manager and the password you supplied during the setup process.

Important

It is important that the preparations listed in Section 1.2, “SELinux” and Section 1.3, “System Firewall” are implemented at this point.

Without the adjustments to the SELinux configuration, any user, including the administrator user, that logs in to the web administration panel will effectively have no permissions and can not add, edit or delete any users, groups, resources, shared folders, domains or other object types.

Without the adjustments to the firewall configuration, you will not be able to connect to the /kolab-webadmin URL at all.

5.1. Creating a User

Create a first user, and verify the account is created successfully using ldapsearch from a terminal.

A mailbox should now also have been created. Examine the output of /usr/lib/cyrus-imapd/ctl_mboxlist -d, or, alternatively, run kolab list-mailboxes.

5.1.1. Troubleshooting

LDAP Entry Created, but No Mailbox

This is a common error should no recipient policy be in place. Please see the Administrator Guide for more details on the recipient policy.

Cannot Supply Mail and/or Alternative Mail Addresses for the User

The quick and easy way out is to set admin_auto_fields_rw to True in section [kolab_wap] in /etc/kolab/kolab.conf and log out and back in to the Kolab Web Administration Panel.

This course of action implies you are not seeking to employ a recipient policy to the Kolab user accounts.

For a more sustainable approach, and greater flexibility, please consider the approach outlined in Edit user_types.

Edit user_types

The user_types table in the MySQL kolab database contains the settings to create the form fields for the Add User dialog.


At the time of this writing, editing those form fields is a manual process executed from the console. An enhancement for the Kolab Web Administration Panel and API is pending, see bug #697 [1] and bug #678 [2].

For the procedure to edit the user_types, please refer to this procedure [3] in the Administrator Guide.

Cannot Add Users

If you cannot add users in the Kolab Web Administration, because no link exists, please verify the following:

Procedure 5.1. Troubleshooting

1. Please verify SELinux is not preventing Apache from executing the necessary binary to get effective rights on a subject. The output of the sestatus command should look as follows:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

or:

# sestatus
SELinux is disabled

2. Please verify /usr/lib64/mozldap/ldapsearch (or /usr/lib/mozldap/ldapsearch on 32-bit systems) is executable under Apache HTTPd.

# su -s /bin/bash - apache -c '/usr/lib64/mozldap/ldapsearch --help >/dev/null 2>&1; echo $?'
89
# ls -l /usr/lib64/mozldap/ldapsearch
-rwxr-xr-x. 1 root root 78920 Apr 12 15:42 /usr/lib64/mozldap/ldapsearch

3. Please verify the MySQL database has been properly initialized:

# mysql -u root -p kolab -e 'SHOW TABLES;'
Enter password:
+-----------------+
| Tables_in_kolab |
+-----------------+
| group_types     |
| options         |
| resource_types  |
| role_types      |
| user_types      |
+-----------------+

[1] https://bugzilla.kolabsys.com/show_bug.cgi?id=697
[2] https://bugzilla.kolabsys.com/show_bug.cgi?id=678
[3] http://docs.kolab.org/en-US/Kolab_Groupware/3.0/html/Administrator_Guide/chap-Administrator_Guide-Kolab_Web_Administration_Panel.html#proc-Administrator_Guide-Editing_user_types-Manually_Changing_the_user_types_Available


5.2. Creating a Kolab Administrator

It is very important to realize the cn=Directory Manager is virtually the "root" user on the LDAP directory server. You should not need to use the account for day-to-day operations.

The default Kolab Groupware deployment has added a so-called role to the directory tree that allows accounts that have such role to edit, add and remove entries from the directory tree.

Create a new account or choose an existing account and navigate to the System tab. In the Role(s), enter kolab and select the kolab-admin entry. Click Submit to save the changes.

5.3. Logging in to Roundcube

With the new user, you can now log in to the Kolab Groupware webmail client Roundcube.

You can find the webmail interface at the /roundcubemail URL on your webserver using HTTP. For example, a server set up on 192.168.122.2 would have the webmail interface at http://192.168.122.2/roundcubemail.

The username can be any of the uid, mail or alias attribute values.


Chapter 6. Server Appendix

6.1. Certificate Authority (CA)-Certificates

Kolab stores the CA-Certificates under the following locations:

Certificate: /etc/pki/tls/certs/host.example.org.cert

Private Key: /etc/pki/tls/private/host.example.org.key

Certificate Authority (CA) certificates: /etc/pki/tls/certs/host.example.org_ca.crt

The keys are all in the PEM format.

If you already have certificates for the Kolab server, you can copy them to the above locations.

If you don't have certificates, you can generate them using:

Todo:
- use pykolab to generate the certificates?
- install package with the /usr/share/kolab/scripts/kolab_ca.sh scripts
- generate and install cert use /etc/pki/tls/certs/Makefile from package openssl to generate certificates?


Part II. Kolab Groupware Webclients

Chapter 7. Roundcube

Roundcube is the official Kolab-Webclient. Roundcube is provided through the Kolab repositories. See sect-Installation_Guide-Installation-Repository_Configuration

7.1. Installing the Database

Roundcube needs a database, which is provided by the kolab-webclient-database package:

# yum install kolab-webclient-database

7.2. Preparing the Database

Roundcube needs a MySQL database, which was installed as a dependency of the kolab-webclient-database package. Please refer to sect-Installation_Guide-Appendix-MySQL-Database if you have not already installed the database.

The MySQL database needs to be populated with all tables relevant for Roundcube.

1. Open the mysql shell with:

# mysql --user=root --password=MYSQLRootPassword

2. Create the database with:

mysql> CREATE DATABASE roundcubemail;

mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'MYSQLRoundcubePassword';

mysql> FLUSH PRIVILEGES;

3. Prepare the database with:

# mysql --user=roundcube --password=MYSQLRoundcubePassword roundcubemail < /usr/share/doc/roundcubemail-0.6/SQL/

TODO the above SQL directory should be part of a roundcube-database package

7.3. Installation

To install the complete Roundcubemail including kolab plugins:

# yum install roundcubemail-kolab

The php-pear-MDB2-Driver-mysql.noarch package must be installed first when this error occurs in /var/log/roundcubemail/errors:

[06-Sep-2011 20:32:56 +0200]: DBError: unable to find package 'MDB2_Driver_mysql' file 'MDB2/Driver/mysql.php' in /usr/share/roundcubemail/program/include/rcube_mdb2.php on line 102 (GET /roundcubemail/)
[06-Sep-2011 20:32:56] MDB2 Error: not found (-4): unable to find package 'MDB2_Driver_mysql' file 'MDB2/Driver/mysql.php'


Also missing: yum install php-pear-Mail-Mime.noarch

Configure the drafts folder, otherwise saved drafts are lost.

7.4. Configuration

Adjust /etc/roundcubemail/db.inc.php to match the password set above (MYSQLRoundcubePassword).

Adjust /etc/httpd/conf.d/roundcubemail.conf to allow access from all desired hosts.

/etc/httpd/conf.d/roundcubemail.conf
/etc/logrotate.d/roundcubemail
/etc/roundcubemail/acl.inc.php
/etc/roundcubemail/db.inc.php
/etc/roundcubemail/main.inc.php
/etc/roundcubemail/managesieve.inc.php
/etc/roundcubemail/password.inc.php
/etc/roundcubemail/calendar.inc.php
/etc/roundcubemail/kolab.inc.php
/etc/roundcubemail/ldap_authentication.inc.php

Configuring roundcube plugins:

$rcmail_config['plugins'] = array(
    'acl',
    'calendar',
    'redundant_attachments',
    'kolab_core',
    'kolab_addressbook',
    'kolab_folders',
    'managesieve',
    'newmail_notifier',
);

Calendar plugin:

$rcmail_config['calendar_driver'] = "kolab";


Chapter 8. Horde

8.1. Installing the Database

Horde needs a database, which is provided by the kolab-webclient-database package:

# yum install kolab-webclient-database

8.2. Preparing the Database

Horde needs a MySQL database, which was installed as a dependency of the kolab-webclient-database package. Please refer to sect-Installation_Guide-Appendix-MySQL-Database if you have not already installed the database.

Procedure 8.1. Configuring the Horde Database

1. If you have not already installed mysql, please do so according to sect-Installation_Guide-Appendix-MySQL-Database

2. Create the horde database:

# mysql -p -e 'CREATE DATABASE horde;'

3. Create the horde user and grant all privileges to the horde database to that horde user:

# mysql -p -e 'GRANT ALL PRIVILEGES on `horde`.* TO `horde`@`localhost` IDENTIFIED BY "YourPassword";'


Chapter 9. Webclient-Appendix

9.1. Installation of the MySQL-Database

# yum install mysql mysql-server

If you already had mysql installed, you will need to update it to the version provided in the kolab repositories.

# service mysqld start

If the install script failed to create the mysql user you can create it using

# /usr/sbin/useradd -g mysql -M -o -r -d /var/lib/mysql -s /bin/bash -c "MySQL Server" -u 27 mysql > /dev/null

in the end there should be a mysql user in a mysql group (check with 'id mysql' if the service fails tostart with an error like:

[ERROR] /usr/libexec/mysqld: Can't create/write to file '/var/run/mysqld/mysqld.pid' (Errcode: 13)

in /var/log/mysqld.log, fix it with:

# chmod g+w /var/run/mysqld/

Set a new root password using:

# /usr/bin/mysqladmin -u root password MYSQLRootPassword

Procedure 9.1. Configuring the Horde Database

1. Configure the mysqld service to start on boot (runlevels 2 through 5):

# chkconfig mysqld on

2. Edit /etc/my.cnf, and execute the following edits:

1. Set old_passwords to 0.

2. Make sure the InnoDB storage engine is enabled, by providing the MySQL server with the binary log settings:

# Make sure all logs are flushed on shutdown
innodb_fast_shutdown=0

innodb_file_per_table
innodb_data_file_path = ibdata1:128M:autoextend


The Size Values are Defaults

Adjust the default size values as shown in this step of the procedure to your needs as appropriate.

3. Start the MySQL server for the first time:

# service mysqld start

Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h test90-2.test90.kolabsys.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ]
Starting MySQL: [ OK ]

4. Run the initial configuration and securing, and follow the instructions:

# /usr/bin/mysql_secure_installation
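The /etc/my.cnf edits from step 2 of Procedure 9.1 can be verified after the fact. The following is an added example, not part of the original guide: a shell function (audit_mycnf, a name chosen here) that reads the [mysqld] section of a my.cnf and reports which of the four settings from step 2 are missing or different. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: audit the [mysqld] section of a my.cnf
# against the settings named in Procedure 9.1. The function name is made up.

audit_mycnf() {   # usage: audit_mycnf FILE; prints findings, returns 1 if any
    awk '
    function norm(k) { gsub(/-/, "_", k); return tolower(k) }  # "-" equals "_"
    /^[ \t]*[#;]/ { next }                         # comment line
    /^[ \t]*$/    { next }                         # blank line
    /^[ \t]*\[/ {                                  # section header
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next
    }
    sect == "mysqld" {
        line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        eq = index(line, "=")
        if (eq) { k = substr(line, 1, eq - 1); v = substr(line, eq + 1) }
        else    { k = line; v = "1" }              # bare flag means enabled
        gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v)
        opt[norm(k)] = v
    }
    END {
        n = 0
        # The procedure sets old_passwords explicitly, so absence is reported.
        if (opt["old_passwords"] != "0") { print "old_passwords is not explicitly 0"; n++ }
        if (opt["innodb_fast_shutdown"] != "0") { print "innodb_fast_shutdown is not 0"; n++ }
        if (!("innodb_file_per_table" in opt) || opt["innodb_file_per_table"] == "0") {
            print "innodb_file_per_table is not enabled"; n++ }
        if (opt["innodb_data_file_path"] !~ /:autoextend/) {
            print "innodb_data_file_path has no autoextend data file"; n++ }
        exit (n > 0)
    }' "$1"
}

# Constructed sample: legacy password hashing still on, data file path unset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
old_passwords=1
innodb-fast-shutdown = 0
innodb_file_per_table
[mysqld_safe]
log-error=/var/log/mysqld.log
EOF
audit_mycnf "$sample" || echo "my.cnf needs attention"
rm -f "$sample"
```

Run it against /etc/my.cnf before starting mysqld for the first time; a return value of 0 means all four settings are in place.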

Part III. Kolab Groupware Desktop-Clients

Chapter 10. Kontact

Kontact is the official KDE PIM client, consisting of an email client (KMail), an address book (KAddressbook) and an organizer (KOrganizer). Kontact is part of the KDE Software Compilation.

10.1. Installation

Kontact is available on all major Linux distributions, and can be installed through the native package management system. While the standard version provides all features, Kolab maintains enterprise versions for improved stability.

To install the complete Kontact suite:

# yum install kontact

Alternatively, each component can be installed individually.

10.2. Configuration

The synchronisation with the Kolab Groupware server can either be configured manually or with the KolabWizard.

10.2.1. Configuration through the KolabWizard

The KolabWizard will guide you through the setup process step by step. If you experience any problems, please follow the Manual Configuration.

10.2.2. Manual Configuration of Kontact

Chapter 11. Thunderbird

Chapter 12. Outlook


Part IV. Cyrus IMAP

Instructions on Using Cyrus IMAP as the Kolab IMAP Server

This part of the Kolab 3.0 Installation Manual applies to installing, configuring, managing, upgrading, migrating and tweaking the Cyrus IMAP component of the Kolab Groupware Solution.

Chapter 13. Installation of Cyrus IMAP

Kolab Systems Repository Configuration

Make sure you have the Kolab Systems software repositories configured properly on the system, before executing any of the following commands. For more information on configuring the Kolab Systems software repositories, please refer to Section 3.2, “Repository Configuration”.

13.1. Installation

The package name for Cyrus IMAP is kolab-cyrus-imapd.

Installation Instructions for APT-based Systems

To install Cyrus IMAP on APT-based systems such as Debian and Ubuntu Long-Term Support, execute the following command:

# apt-get -y install kolab-cyrus-imapd

Installation Instructions for RPM-based Systems

To install Cyrus IMAP on RPM-based systems such as Fedora, Red Hat, CentOS and Scientific Linux, execute the following command:

# yum -y install kolab-cyrus-imapd

kolab-cyrus-imapd will be installed on the system, including any software Cyrus IMAP depends on.

The service cyrus-imapd will not yet be started, as you require configuration first.

TODO: We can't automatically configure the software; we don't know where the configuration should come from and any hit is a lucky hit. We also don't know what the system is intended for. Nor can we figure such out. Maybe develop and construct in the Kolab Systems packaging a means for Cyrus IMAP to in fact be automatically configured using a slipstream command, so that the next step is to verify, not configure.

Chapter 14. Configuration of Cyrus IMAP

The following configuration files are installed on the system:

• /etc/cyrus.conf
Configure which services Cyrus IMAP is to offer, using /etc/cyrus.conf. By default, POP and IMAP services have both been enabled for normal (plaintext) only, as you require a certificate for TLS and SSL configurations. Please refer to Chapter 16, Securing Cyrus IMAP Communications for more details if you seek to secure communications.

• /etc/imapd.conf
The behaviour of Cyrus IMAP is controlled using /etc/imapd.conf. Please refer to Chapter 15, Configuring IMAP for standard configurations, and Chapter 18, IMAP Option Reference for a list of options.

• /etc/imapd.annotations.conf
/etc/imapd.annotations.conf contains the Kolab annotations for use with the Kolab Groupware Solution.

• System Configuration Defaults
While the location depends on whether you use an APT-based or RPM-based system, the contents of the file describe system-wide configuration and service defaults, such as the location of /etc/cyrus.conf should you require such file to be in a different, non-default location. Please refer to Chapter 19, System Configuration Defaults for more information on available options.

APT-based Systems
On APT-based systems, please use /etc/default/cyrus-imapd as the system configuration defaults file.

RPM-based Systems
On RPM-based systems, please use /etc/sysconfig/cyrus-imapd as the system configuration defaults file.

System Configuration Defaults

The system configuration defaults normally suffice, and should not have to be altered unless you have very specific requirements.

In addition to these configuration files, the following directories are used for Cyrus IMAP by default:

• /var/lib/imap
Cyrus IMAP stores its databases and transactional data here, such as Sieve scripts.

• /var/spool/imap
The primary (default) IMAP partition. Please refer to Chapter 17, IMAP Partitions for

TODO: Quick To Go: Small deployments

Chapter 15. Configuring IMAP

TODO: While the defaults shipped in the Kolab Systems software packages are good to go for most common Cyrus IMAP deployments, ...

Chapter 16. Securing Cyrus IMAP Communications

TODO: Describe

Chapter 17. IMAP Partitions

TODO

Chapter 18. IMAP Option Reference

TODO: list/table of options

Chapter 19. System Configuration Defaults

The following options are available in the system configuration defaults file (/etc/default/cyrus-imapd for APT-based systems and /etc/sysconfig/cyrus-imapd for RPM-based systems):

• CYRUS_CONFIG
The location of the Cyrus master configuration file, /etc/cyrus.conf by default. Valid options are existing Cyrus configuration files.

• IMAPD_CONFIG
The location of the Cyrus IMAP configuration file, controlling aspects such as authentication, storage locations, database types and other general Groupware infrastructure. /etc/imapd.conf by default. Valid options are existing Cyrus IMAP configuration files.

• LISTENQUEUE
The size of the listen queue. 32 by default. Only integers are valid.

TODO: Figure out the maximum length/size of LISTENQUEUE

• CYRUS_VERBOSE
What cyrus-master process. Not set by default.

TODO: Figure out useful values for CYRUS_VERBOSE

• CYRUS_OPTIONS
Additional options to pass on to the cyrus-master process. Not set by default. To get a list of valid options, please refer to the cyrus-master(8) man page.
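The validity rules listed above (existing files for CYRUS_CONFIG and IMAPD_CONFIG, integers only for LISTENQUEUE) can be checked before the service is restarted. The following is an added example, not part of the original guide: a shell function (check_cyrus_defaults, a name chosen here) that reads the defaults file line by line instead of sourcing it. It assumes the init script sources the file, as is usual for files under /etc/default and /etc/sysconfig, which is why shell metacharacters in a value are reported. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: validate a cyrus-imapd defaults file
# without sourcing it. Function name and messages are made up for this example.

check_cyrus_defaults() {   # usage: check_cyrus_defaults FILE; returns 1 on findings
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                     # blank line or comment
            CYRUS_CONFIG=*|IMAPD_CONFIG=*|LISTENQUEUE=*|CYRUS_VERBOSE=*|CYRUS_OPTIONS=*) ;;
            *) echo "not one of the listed options: $line"; rc=1; continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}; val=${val#\"}; val=${val%\"} # drop one pair of quotes
        case $val in                                 # would run code if sourced
            *'$'*|*'`'*|*';'*) echo "$key: shell metacharacter in value"; rc=1 ;;
        esac
        case $key in
            CYRUS_CONFIG|IMAPD_CONFIG)               # must name an existing file
                [ -f "$val" ] || { echo "$key: no such file: $val"; rc=1; } ;;
            LISTENQUEUE)                             # only integers are valid
                case $val in
                    ''|*[!0-9]*) echo "LISTENQUEUE: not an integer: $val"; rc=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample: a configuration path that does not exist.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample defaults file
CYRUS_CONFIG=/nonexistent/cyrus.conf
LISTENQUEUE=32
EOF
check_cyrus_defaults "$sample" || echo "defaults file needs attention"
rm -f "$sample"
```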

Chapter 20. Creating a Cyrus Murder Setup

TODO

20.1. Setting up the master update server

TODO

20.1.1. Choosing the mupdate mode

TODO: on unified, replica, etc.

Chapter 21. Creating an IMAP Backend Server

TODO

21.1. Hooking in a new backend server into a murder setup

TODO

Chapter 22. Creating an IMAP Frontend Server

TODO

22.1. Hooking in a new frontend server into a murder setup

TODO

Appendix A. Revision History

Revision 0 Sun May 16 2010 Dude McPants [email protected]

Initial creation of book by publican

Index

F

feedback

contact information for this manual
