This document serves as a quickstart for Kopano One on Debian 10 (buster). These are step by step instructions that get your system into a state that is secure, performant and most importantly: supported.
There are a few requirements to the installation and the hardware:
- The configuration is designed to scale to up to 250 users
- Hardware-wise, for 250 users you would need 32GB of memory and 4-8 CPU cores. Storage needs to be plentiful and high-performance.
- Everything must be located on the local system (such as the database and attachments). The exception here is LDAP / AD, which can run on a separate system.
- The 'sudo' command is installed and configured (this means your user is a member of the 'sudo' group).
Step by step instructions
This document assumes you have a non-root user with sudo access on a clean Debian 10 system.
Some packages need to be installed on the system before we begin:
$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
These instructions also depend on the server having a valid hostname, which includes the FQDN.
The command
$ hostname -f
must return the exact hostname you want to use to access the system. If the command does not provide the exact hostname, use the hostname manpage to change it.
NB: This hostname will be used in the configuration of services and cannot be changed later.
1. Configure the repository
Kopano One comes in a Debian style repository. Install the key and add the repository to the apt sources list.
Download and install the repository key:
$ curl -fsSL https://repo.kopano.com/kopano/one/20.09/gpg | sudo apt-key add -
Verify that you have the key with the fingerprint
801A 065C 9F19 C9D9 1AB8 FBEE EC50 B5F3 B9DA 48E3
by searching for the last 8 characters of the fingerprint:
$ sudo apt-key fingerprint B9DA48E3
pub   rsa4096 2020-10-23 [SC] [expires: 2028-10-21]
      801A 065C 9F19 C9D9 1AB8 FBEE EC50 B5F3 B9DA 48E3
uid           [ unknown] Kopano Archive Automatic Signing Key (2020) (Kopano) <development@kopano.io>
sub   rsa4096 2020-10-23 [S] [expires: 2028-10-21]
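The 8-character key ID only narrows the search; what proves you have the right key is the full 40-digit fingerprint and an expiry date that has not passed. The following is an added example (not Kopano's code and not part of the original page) that parses the apt-key output shown above, constructed here as sample input, and accepts the key only when exactly one entry carries the complete expected fingerprint:

```python
import re
from datetime import date

# Expected fingerprint of the Kopano One 20.09 repository key, as given on this page.
EXPECTED_FINGERPRINT = "801A 065C 9F19 C9D9 1AB8 FBEE EC50 B5F3 B9DA 48E3"

# Constructed sample: the `apt-key fingerprint B9DA48E3` output shown above.
SAMPLE_OUTPUT = """\
pub   rsa4096 2020-10-23 [SC] [expires: 2028-10-21]
      801A 065C 9F19 C9D9 1AB8 FBEE EC50 B5F3 B9DA 48E3
uid           [ unknown] Kopano Archive Automatic Signing Key (2020) (Kopano) <development@kopano.io>
sub   rsa4096 2020-10-23 [S] [expires: 2028-10-21]
"""

def normalize(fingerprint):
    """Drop whitespace and upper-case so two renderings compare byte for byte."""
    return re.sub(r"\s+", "", fingerprint).upper()

def parse_apt_key_output(text):
    """One dict per 'pub' entry with its 40-hex-digit fingerprint, expiry date and uid."""
    keys, current = [], None
    for line in text.splitlines():
        if line.startswith("pub"):
            m = re.search(r"\[expires: (\d{4}-\d{2}-\d{2})\]", line)
            current = {"fingerprint": None, "expires": m.group(1) if m else None, "uid": None}
            keys.append(current)
        elif current is None:
            continue
        elif current["fingerprint"] is None and re.fullmatch(r"[0-9A-F]{40}", normalize(line)):
            current["fingerprint"] = normalize(line)
        elif line.startswith("uid"):
            current["uid"] = line.split(None, 1)[1].strip()
    return keys

def key_is_trusted(text, expected=EXPECTED_FINGERPRINT, today=None):
    """True only if exactly one listed key carries the full expected fingerprint and it has
    not expired. Two keys matching (or none) is a failure, never a pass."""
    today = today or date.today().isoformat()  # ISO dates compare correctly as strings
    matches = [k for k in parse_apt_key_output(text) if k["fingerprint"] == normalize(expected)]
    if len(matches) != 1:
        return False
    expires = matches[0]["expires"]
    return expires is None or expires >= today
```

Run it against the real output by piping `sudo apt-key fingerprint B9DA48E3` into key_is_trusted and refusing to add the repository when it returns False.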
Add the repository:
$ sudo add-apt-repository \
    "deb https://repo.kopano.com/kopano/one/20.09 \
    $(lsb_release -cs) \
    supported"
2. Install Kopano One
Kopano One comes with a meta-package that will automatically install the software, the dependencies and the default configurations.
$ sudo apt-get update
$ sudo apt-get install kopano-one
During the installation you might get prompted to configure Postfix. Choose the 'Internet Site' option and keep the default values when prompted (we will configure Postfix in a later step).
3. Install the license
While the software will run without a license, you’ll need a valid license with enough users to create new user accounts. On a fresh installation, this means you will need the license to be installed before the first mailbox can be created.
- Upload or paste your license to /etc/kopano/licenses/kopano-license (the filename does not matter, so use whatever you prefer).
4. Set up TLS
Kopano One requires trusted TLS. You will need a publicly trusted certificate and key.
Create the TLS directory
$ mkdir -p /srv/tls
$ cd /srv/tls
Move your key/certificate to the required locations:
- Server key: /srv/tls/server.key
- Certificate bundle: /srv/tls/bundle.crt
Make sure the permissions to the files are secure:
$ chmod 644 bundle.crt
$ chmod 640 server.key
$ sudo chown root:www-data server.key
Add the kopano user to the www-data group so it has access to the key:
$ sudo usermod -a -G www-data kopano
If you are setting up a testing environment, and want to create keys for testing purposes, follow the steps outlined on the generate TLS testing keys page.
5. Set permissions on the database
Kopano One needs to store its data locally in the MariaDB database. Grant the kopano database user the required privileges; the database itself will be created automatically on first startup.
$ sudo mysql -e "GRANT ALL PRIVILEGES on kopano.* to 'kopano'@'localhost' IDENTIFIED via unix_socket;"
The kopano-server also needs to use the correct user to access the database, so make sure to add the following to /etc/kopano/server.cfg:
mysql_user = kopano
6a. Install LDAP and create users for Kopano One
If you already have an LDAP or AD setup, you can skip this step and continue with 6b.
First install the ldap server:
$ sudo apt-get install slapd ldap-utils
When prompted, provide a password for the LDAP admin.
This password will be used in the next step, so make sure you remember it.
Verify that the installation of slapd configured your hostname correctly by running:
$ sudo slapcat
dn: dc=<EXAMPLE>,dc=<COM>
objectClass: top
objectClass: dcObject
objectClass: organization
o: <EXAMPLE.COM>
dc: <EXAMPLE>
structuralObjectClass: organization
entryUUID: 907f25dc-91f2-1032-97fa-b34646bf14f6
creatorsName: cn=admin,dc=<EXAMPLE>,dc=<COM>
createTimestamp: 20770805081250Z
entryCSN: 20770805081250.289774Z
modifiersName: cn=admin,dc=<EXAMPLE>,dc=<COM>
modifyTimestamp: 20770805081250Z

dn: cn=admin,dc=<EXAMPLE>,dc=<COM>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9dm1rV21GdmVPbVBXTnI4blhSbE5oeVVmTTVSWm4vV2U=
structuralObjectClass: organizationalRole
entryUUID: 907fc91a-91f2-1032-97fb-b34646bf14f6
creatorsName: cn=admin,dc=<EXAMPLE>,dc=<COM>
createTimestamp: 20770805081250Z
entryCSN: 20770805081250.293957Z
modifiersName: cn=admin,dc=<EXAMPLE>,dc=<COM>
modifyTimestamp: 20770805081250Z
If the result is incorrect, reconfigure ldap:
$ sudo dpkg-reconfigure slapd
When prompted provide your (complete) hostname and further details:
Omit OpenLDAP server configuration? [yes/no] no
DNS domain name: <EXAMPLE.COM>
Organization name: <EXAMPLE>
Administrator password: <PASSWORD>
Database backend to use: 3
Do you want the database to be removed when slapd is purged? [yes/no] no
Move old database? [yes/no] yes
Now add the Kopano schema to ldap:
$ sudo zcat /usr/share/doc/kopano/kopano.ldif.gz | sudo ldapadd -H ldapi:/// -Y EXTERNAL
For the next part we will create some ldif-files and add those. To keep things organised, we suggest creating a folder for these ldif-files:
$ mkdir kopano-ldifs
$ cd kopano-ldifs
Create a file called users-org.ldif containing:
dn: ou=Users,dc=<EXAMPLE>,dc=<COM>
objectClass: organizationalUnit
objectClass: top
ou: Users
Import the ldif file into LDAP:
$ sudo ldapadd -x -D cn=admin,dc=<EXAMPLE>,dc=<COM> -W -f users-org.ldif
Check if the Users organisational unit was created:
$ sudo slapcat
User creation
Now we are ready to add a user to LDAP. Create a new file called <USERNAME>.ldif with the contents shown below.
If kopanoAdmin is set to 1, the user will be an administrator with access to all mailboxes, so make sure not to enable administrator privileges for users that don't need them: set kopanoAdmin to 0.
Every user needs a unique uidNumber and gidNumber, so we suggest incrementing these for every user.
dn: uid=<USERNAME>,ou=Users,dc=<EXAMPLE>,dc=<COM>
objectClass: posixAccount
objectClass: top
objectClass: kopano-user
objectClass: inetOrgPerson
gidNumber: <NUMBER>
cn: <FIRSTNAME> <LASTNAME>
homeDirectory: /home/<USERNAME>
mail: <E-MAIL ADDRESS>
uidNumber: <NUMBER>
uid: <USERNAME>
kopanoAccount: 1
kopanoAdmin: <ADMIN>
sn: <LASTNAME>
userPassword: <PASSWORD>
Then add the user to LDAP:
$ sudo ldapadd -x -D cn=admin,dc=<EXAMPLE>,dc=<COM> -W -f <USERNAME>.ldif
And confirm the user is added:
$ sudo slapcat
If you want to create more users, you can repeat these steps for every user.
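Two things go wrong easily when repeating this by hand: reusing a uidNumber, and leaving the cleartext password in the ldif (a plain userPassword value is stored as-is and shows up in slapcat output and backups). The following added example (not Kopano's tooling and not part of the original page) allocates the next free uidNumber and gidNumber from a constructed slapcat dump, stores the password as an OpenLDAP {SSHA} hash instead of cleartext, and renders the entry from above with kopanoAdmin defaulting to 0:

```python
import base64
import hashlib
import os
import re

# Constructed sample of an existing `slapcat` dump with one user already present.
SAMPLE_SLAPCAT = """\
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
uidNumber: 10000
gidNumber: 10000
uid: alice
"""

def next_id(slapcat_text, attr, start=10000):
    """Next free uidNumber/gidNumber: one above the highest value already in the directory."""
    found = [int(v) for v in re.findall(rf"^{attr}: (\d+)$", slapcat_text, re.M)]
    return max(found) + 1 if found else start

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt), the same scheme slappasswd
    produces by default. A random salt is used unless one is supplied (tests pass a fixed one)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(stored, password):
    """Verify a password against a {SSHA} value (what slapd does on a simple bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def user_ldif(username, first, last, mail, password, base_dn, uid_number, gid_number, admin=False):
    """Render the <USERNAME>.ldif entry from this page; kopanoAdmin is 0 unless asked for."""
    lines = [
        f"dn: uid={username},ou=Users,{base_dn}",
        "objectClass: posixAccount", "objectClass: top",
        "objectClass: kopano-user", "objectClass: inetOrgPerson",
        f"gidNumber: {gid_number}", f"cn: {first} {last}",
        f"homeDirectory: /home/{username}", f"mail: {mail}",
        f"uidNumber: {uid_number}", f"uid: {username}",
        "kopanoAccount: 1", f"kopanoAdmin: {1 if admin else 0}",
        f"sn: {last}", f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"
```

Feed the real `sudo slapcat` output to next_id, write the result of user_ldif to <USERNAME>.ldif and import it with the ldapadd command above.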
6b. Configure LDAP for kopano-server
The Kopano server needs to read the e-mail accounts created in LDAP or AD.
In the Kopano server configuration /etc/kopano/server.cfg, set the user plugin to ldap:
user_plugin = ldap
Next, copy the example ldap configuration:
$ sudo cp /usr/share/doc/kopano/example-config/ldap.cfg /etc/kopano/
Adapt it to the desired configuration by setting the following in /etc/kopano/ldap.cfg:
ldap_uri = ldap://<LDAP-SERVER-HOSTNAME>
ldap_search_base = ou=Users,dc=<EXAMPLE>,dc=<COM>
ldap_bind_user = cn=admin,dc=<EXAMPLE>,dc=<COM>
ldap_bind_passwd = <LDAP-PASSWORD>
7. Configure Postfix
Postfix needs to be configured as the MTA and needs to talk to LDAP to resolve users and groups, and provide secure interfaces.
For resolving the primary e-mail address of the user, create the file /etc/postfix/ldap-users.cf, add the following lines, and set the search_base:
server_host = localhost
search_base = ou=Users,dc=<EXAMPLE>,dc=<COM>
version = 3
scope = sub
query_filter = (&(objectClass=posixAccount)(mail=%s))
result_attribute = mail
Configure Postfix using the following commands:
$ sudo postconf -e mydestination=localhost.localdomain,localhost
$ sudo postconf -e virtual_mailbox_domains=$(hostname -f)
$ sudo postconf -e virtual_mailbox_maps=ldap:/etc/postfix/ldap-users.cf
$ sudo postconf -e virtual_transport=lmtp:unix:kopano-dagent.sock
$ sudo postconf -e inet_interfaces=all
$ sudo postconf -e smtpd_tls_cert_file=/srv/tls/bundle.crt
$ sudo postconf -e smtpd_tls_key_file=/srv/tls/server.key
$ sudo postconf -e smtpd_tls_security_level=may
$ sudo postconf -e smtpd_tls_auth_only=yes
$ sudo postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
$ sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
$ sudo postconf -e tls_preempt_cipherlist=no
$ sudo postfix reload
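Of the settings above, the ones that matter for security are smtpd_tls_security_level (STARTTLS must be offered), smtpd_tls_auth_only (SASL credentials only after TLS) and the two protocol lists (legacy SSL/TLS versions excluded). The following added checker (not part of Kopano or this page) parses postconf -n style output, constructed here as a sample with two settings deliberately weakened, and reports which step-7 settings are missing or weakened:

```python
import re

# Constructed sample of `postconf -n` output after the commands above, with
# smtpd_tls_auth_only and smtpd_tls_protocols deliberately weakened.
SAMPLE_POSTCONF = """\
inet_interfaces = all
mydestination = localhost.localdomain,localhost
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /srv/tls/bundle.crt
smtpd_tls_key_file = /srv/tls/server.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_security_level = may
tls_preempt_cipherlist = no
virtual_transport = lmtp:unix:kopano-dagent.sock
"""

# Protocol versions this page excludes; all of them must appear with a leading '!'.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_postconf(text):
    """Turn 'key = value' lines into a dict; Postfix prints one parameter per line."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def excluded_protocols(value):
    """Protocol names listed with a leading '!' in a Postfix protocol list."""
    return {p[1:] for p in re.split(r"[,\s]+", value) if p.startswith("!")}

def check_smtpd_tls(params):
    """Return a list of findings; an empty list means every step-7 TLS setting is in place."""
    findings = []
    if params.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        findings.append("smtpd_tls_security_level must be 'may' (or 'encrypt') so STARTTLS is offered")
    if params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': SASL passwords could be sent in cleartext")
    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        missing = LEGACY - excluded_protocols(params.get(key, ""))
        if missing:
            findings.append(f"{key} still allows {', '.join(sorted(missing))}")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key, "").startswith("/srv/tls/"):
            findings.append(f"{key} does not point at the /srv/tls material from step 4")
    return findings
```

Pipe the real `sudo postconf -n` output into parse_postconf and treat a non-empty finding list as a failed deployment check.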
Next, configure kopano-dagent to accept email from Postfix. In /etc/kopano/dagent.cfg, set the following:
lmtp_listen = unix:/var/spool/postfix/kopano-dagent.sock
8. Set up Konnect (OpenID Connect)
Konnect provides the authentication for WebApp in Kopano One installations. Kopano-server and kopano-webapp need to be configured to use Konnect.
- In /etc/kopano/konnectd.cfg, set the following:
oidc_issuer_identifier = https://<FQDN>
- In /etc/kopano/server.cfg, set the following:
enable_sso = yes
kcoidc_issuer_identifier = https://<FQDN>
- In /etc/kopano/kapid.cfg, set the following:
oidc_issuer_identifier = https://<FQDN>
- In /etc/kopano/webapp/config.php, set the following:
define("OIDC_ISS", "https://<FQDN>");
define("OIDC_CLIENT_ID", "webapp-<FQDN>");
9. Configure IMAP
IMAP services need to be securely accessible.
- In /etc/kopano/gateway.cfg, set the following:
imaps_listen = *:993
ssl_private_key_file = /srv/tls/server.key
ssl_certificate_file = /srv/tls/bundle.crt
10. Configure KDAV
If you want to use CalDAV and/or CardDAV, the root URI needs to be set in its configuration.
- In /etc/kopano/kdav/config.php, set the following:
define('DAV_ROOT_URI', '/kdav/');
11. Configure Kweb
Kweb is the Kopano provided webserver that delivers all the Kopano web applications in a performant and secure manner. It needs a little bit of configuration to use the TLS certificates generated or installed in step 4.
- In /etc/kopano/kwebd.cfg, set the following:
hostname=<FQDN>
tls_cert=/srv/tls/bundle.crt
tls_key=/srv/tls/server.key
default_redirect=/webapp/
12. Restart services
Restart all services to activate changed configurations.
$ sudo systemctl restart "kopano-*"
$ sudo systemctl restart postfix
13. Create the public store and sync users
Even if you don’t use a public store, make sure you create it, as it is used for some internal functions like publishing of free/busy information.
$ sudo kopano-storeadm -P
$ sudo kopano-admin --sync
$ sudo kopano-admin --list-users
You should now see a list of the users you created when configuring the LDAP or AD.
Done! You should now be able to log in on https://<yourdomain.example.com>/webapp/ with the user(s) you created.