
This document serves as a quickstart for Kopano One on Debian 10 (buster). These are step by step instructions that get your system into a state that is secure, performant and most importantly: supported.

There are a few requirements for the installation and the hardware:

  • The configuration is designed to scale to up to 250 users.
  • Hardware-wise, for 250 users you need 32GB of memory and 4-8 CPU cores. Storage needs to be plentiful and fast.
  • Everything must be located on the local system (such as the database and attachments). The exception is LDAP / AD, which can run on a separate system.
  • The 'sudo' command is installed and configured (that is, your user is a member of the 'sudo' group).

Step by step instructions

This document assumes you have a non-root user with sudo access on a clean Debian 10 system.

Some packages need to be installed on the system before we begin:

$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

These instructions also depend on the server having a valid hostname, which includes the FQDN.

The command hostname -f must return the exact hostname you want to use to access the system. If it does not, change the hostname as described in the hostname(1) man page.

NB: This hostname will be used in the configuration of the services and cannot be changed later.

1. Configure the repository

Kopano One is shipped as a Debian-style repository. Install the signing key and add the repository to the apt sources list.

Download and install the repository key (apt-key still works on Debian 10, although it is deprecated in later Debian releases):

$ curl -fsSL https://repo.kopano.com/kopano/one/20.09/gpg | sudo apt-key add -

Verify that the imported key has exactly the fingerprint

801A 065C 9F19 C9D9 1AB8  FBEE EC50 B5F3 B9DA 48E3

by looking it up via the last 8 characters of the fingerprint and then comparing the complete 40-digit fingerprint in the output, not only the 8-digit short ID, against the value above (short key IDs are cheap to collide and only serve as a lookup handle):

$ sudo apt-key fingerprint B9DA48E3

pub   rsa4096 2020-10-23 [SC] [expires: 2028-10-21]
      801A 065C 9F19 C9D9 1AB8  FBEE EC50 B5F3 B9DA 48E3
uid           [ unknown] Kopano Archive Automatic Signing Key (2020) (Kopano) <development@kopano.io>
sub   rsa4096 2020-10-23 [S] [expires: 2028-10-21]
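The fingerprint comparison above, scripted as an added example (this is not part of the Kopano documentation). It parses gpg's machine-readable listing and accepts the key only when the full 40-digit fingerprint matches, and it shows, on a constructed sample, why the 8-digit lookup alone is not a check. The gpg output lines below are constructed for the demonstration; the only assumption about the live system is that apt-key adv passes --with-colons --fingerprint through to gpg, as it does on buster.

```bash
#!/bin/sh
# Added example, not part of the Kopano documentation: check the imported
# repository key by its full 40-hex-digit fingerprint. An 8-digit short key
# ID (B9DA48E3) is only a lookup handle; keys with colliding short IDs are
# cheap to make, so the full fingerprint is what must match.

# Fingerprint from the page, with the display spaces removed.
EXPECTED_FPR="801A065C9F19C9D91AB8FBEEEC50B5F3B9DA48E3"

# normalize_fpr: remove spaces/newlines and upper-case the hex so that
# "801A 065C ..." and "801a065c..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# fprs_from_colons: read gpg's machine-readable listing (--with-colons) on
# stdin and print every fingerprint. In that format an "fpr" record carries
# the hex fingerprint in field 10.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }' | tr 'a-f' 'A-F'
}

# key_matches EXPECTED: succeed only if EXPECTED appears, whole and exact,
# among the fingerprints on stdin.
key_matches() {
    want=$(normalize_fpr "$1")
    fprs_from_colons | grep -qx "$want"
}

# short_id_matches EXPECTED: the weaker check that looking a key up by
# "B9DA48E3" amounts to; it only compares the last 8 hex digits.
short_id_matches() {
    want=$(normalize_fpr "$1")
    short=${want#"${want%????????}"}      # last 8 hex digits
    fprs_from_colons | grep -q "$short\$"
}

# check_repo_key: the live check for this host after "apt-key add".
# Assumption: apt-key adv forwards these options to gpg (true on buster).
check_repo_key() {
    apt-key adv --with-colons --fingerprint 2>/dev/null | key_matches "$EXPECTED_FPR"
}

# Constructed sample of gpg --with-colons output for the genuine key
# (uid hash and expiry fields are left empty; only the fpr record matters).
SAMPLE_GPG_OUTPUT='pub:-:4096:1:EC50B5F3B9DA48E3:1603411200:::-:::scSC::::::23::0:
fpr:::::::::801A065C9F19C9D91AB8FBEEEC50B5F3B9DA48E3:
uid:-::::1603411200:::::Kopano Archive Automatic Signing Key (2020) (Kopano) <development@kopano.io>::::::::::0:'

# Constructed sample of a different key whose fingerprint ends in the same
# 8 digits, i.e. what a short-ID collision looks like.
COLLIDING_OUTPUT='fpr:::::::::DEADBEEF000000000000000000000000B9DA48E3:'

# Demonstration on the constructed samples (no keyring or network needed).
if printf '%s\n' "$SAMPLE_GPG_OUTPUT" | key_matches "$EXPECTED_FPR"; then
    echo "genuine key: full fingerprint matches"
fi
if printf '%s\n' "$COLLIDING_OUTPUT" | short_id_matches "$EXPECTED_FPR" &&
   ! printf '%s\n' "$COLLIDING_OUTPUT" | key_matches "$EXPECTED_FPR"; then
    echo "colliding key: short ID matches, full fingerprint does not"
fi
```

On the server, run `check_repo_key && echo "repository key verified"` after the apt-key add step; a non-zero exit means the key in the apt keyring is not the one whose fingerprint is printed on this page.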

Add the repository:

$ sudo add-apt-repository \
   "deb https://repo.kopano.com/kopano/one/20.09 \
   $(lsb_release -cs) \
   supported"

2. Install Kopano One

Kopano One comes with a meta-package that will automatically install the software, the dependencies and the default configurations.

$ sudo apt-get update 
$ sudo apt-get install kopano-one

During the installation you might get prompted to configure Postfix. Choose the 'Internet site'-option, and keep the default values when prompted (we will configure postfix in a later step).

3. Install the license

While the software will run without a license, you’ll need a valid license with enough users to create new user accounts. On a fresh installation, this means you will need the license to be installed before the first mailbox can be created.

  • Upload or paste your license to /etc/kopano/licenses/kopano-license
    (the filename does not matter, so use whatever you prefer)

4. Set up TLS

Kopano One requires trusted TLS. You will need a publicly trusted certificate and key.

Create the TLS directory

$ sudo mkdir -p /srv/tls
$ cd /srv/tls

Move your key/certificate to the required locations:

  • Server key: /srv/tls/server.key
  • Certificate bundle: /srv/tls/bundle.crt

Make sure the permissions on the files are restrictive. The certificate bundle is public, but the private key must not be world-readable:

$ sudo chmod 644 bundle.crt
$ sudo chmod 640 server.key
$ sudo chown root:www-data server.key

Add the kopano user to the www-data group so the Kopano services can read the key (the new group membership takes effect when the services are restarted):

$ sudo usermod -a -G www-data kopano

If you are setting up a testing environment, and want to create keys for testing purposes, follow the steps outlined on the generate TLS testing keys page.

5. Set permissions on the database

Kopano One stores its data locally in the MariaDB database. Grant the kopano database user its privileges now; the database itself is created automatically on first startup.

$ sudo mysql -e "GRANT ALL PRIVILEGES on kopano.* to 'kopano'@'localhost' IDENTIFIED via unix_socket;"

The kopano-server also needs to connect to the database as the correct user, so make sure to add the following to /etc/kopano/server.cfg:

mysql_user = kopano


6a. Install LDAP and create users for Kopano One

If you already have an LDAP or AD setup, you can skip this step and continue with 6b.

First install the ldap server:

$ sudo apt-get install slapd ldap-utils

When prompted, provide a password for the LDAP admin.

This password will be used again in the next steps, so make sure you remember it.

Verify that the slapd installation configured your domain correctly by running:

$ sudo slapcat

dn: dc=<EXAMPLE>,dc=<COM>
objectClass: top
objectClass: dcObject
objectClass: organization
o: <EXAMPLE.COM>
dc: <EXAMPLE>
structuralObjectClass: organization
entryUUID: 907f25dc-91f2-1032-97fa-b34646bf14f6
creatorsName: cn=admin,dc=<EXAMPLE>,dc=<COM>
createTimestamp: 20770805081250Z
entryCSN: 20770805081250.289774Z
modifiersName: cn=admin,dc=<EXAMPLE>,dc=<COM>
modifyTimestamp: 20770805081250Z
  
dn: cn=admin,dc=<EXAMPLE>,dc=<COM>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9dm1rV21GdmVPbVBXTnI4blhSbE5oeVVmTTVSWm4vV2U=
structuralObjectClass: organizationalRole
entryUUID: 907fc91a-91f2-1032-97fb-b34646bf14f6
creatorsName: cn=admin,dc=<EXAMPLE>,dc=<COM>
createTimestamp: 20770805081250Z
entryCSN: 20770805081250.293957Z
modifiersName: cn=admin,dc=<EXAMPLE>,dc=<COM>
modifyTimestamp: 20770805081250Z

If the result is incorrect, reconfigure ldap:

$ sudo dpkg-reconfigure slapd

When prompted, provide your DNS domain name (the domain part of the FQDN; it determines the base DN) and the further details:

Omit OpenLDAP server configuration? [yes/no] no
DNS domain name: <EXAMPLE.COM>
Organization name: <EXAMPLE>
Administrator password: <PASSWORD>
Database backend to use: 3
Do you want the database to be removed when slapd is purged? [yes/no] no
Move old database? [yes/no] yes

Now add the Kopano schema to ldap:

$ sudo zcat /usr/share/doc/kopano/kopano.ldif.gz | sudo ldapadd -H ldapi:/// -Y EXTERNAL

For the next part we will create some ldif-files and add those. To keep things organised, we suggest creating a folder for these ldif-files:

$ mkdir kopano-ldifs
$ cd kopano-ldifs

Create a file called users-org.ldif containing:

dn: ou=Users,dc=<EXAMPLE>,dc=<COM>
objectClass: organizationalUnit
objectClass: top
ou: Users

Import the ldif file into ldap.

$ sudo ldapadd -x -D cn=admin,dc=<EXAMPLE>,dc=<COM> -W -f users-org.ldif

Check if the Users organisational unit was created:

$ sudo slapcat

User creation

Now we are ready to add a user to LDAP. Create a new file called <USERNAME>.ldif with the content below.

If kopanoAdmin is set to 1, the user is an administrator with access to all mailboxes. Set kopanoAdmin to 0 for every user that does not need administrator privileges.

Every user needs a unique uidNumber and gidNumber, so we suggest incrementing these for every user. Use a hashed value for userPassword (for example the output of slappasswd); a cleartext value is stored in the directory exactly as given.

dn: uid=<USERNAME>,ou=Users,dc=<EXAMPLE>,dc=<COM>
objectClass: posixAccount
objectClass: top
objectClass: kopano-user
objectClass: inetOrgPerson
gidNumber: <NUMBER>
cn: <FIRSTNAME> <LASTNAME>
homeDirectory: /home/<USERNAME>
mail: <E-MAIL ADRESS>
uidNumber: <NUMBER>
uid: <USERNAME>
kopanoAccount: 1
kopanoAdmin: <ADMIN>
sn: <LASTNAME>
userPassword: <PASSWORD>

Then add the user to LDAP:

$ sudo ldapadd -x -D cn=admin,dc=<EXAMPLE>,dc=<COM> -W -f <USERNAME>.ldif

And confirm the user is added:

$ sudo slapcat

If you want to create more users, you can repeat these steps for every user.
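The per-user steps above, scripted as an added example (this is not Kopano's own tooling). It derives the next free uidNumber/gidNumber from slapcat output, refuses unhashed passwords and values that could inject extra LDIF attributes, and defaults kopanoAdmin to 0. Assumptions: BASE_DN holds your suffix, every account under ou=Users was created with this scheme so its uidNumber is visible to slapcat, and the slapcat excerpt and password hash in the demonstration are constructed.

```bash
#!/bin/sh
# Added example, not Kopano's own tooling: build a user LDIF for the scheme
# above with a unique uidNumber/gidNumber, a hashed password and an admin
# flag that defaults to 0.

# Assumption: your directory suffix. Override with BASE_DN=... in the env.
BASE_DN=${BASE_DN:-dc=example,dc=com}

# next_uid_number [START]: read slapcat/ldapsearch output on stdin and print
# the highest uidNumber seen plus one, or START (default 10000) if the
# directory holds no uidNumber yet.
next_uid_number() {
    awk -v start="${1:-10000}" '
        BEGIN { max = 0 }
        $1 == "uidNumber:" && $2 + 0 > max { max = $2 + 0 }
        END { if (max < start) print start; else print max + 1 }'
}

# make_user_ldif USER FIRST LAST MAIL NUMBER HASH [ADMIN]
# NUMBER is used for both uidNumber and gidNumber, as on this page. HASH must
# already be hashed, e.g. the output of:  slappasswd -h '{SSHA}' -s 'secret'
# (OpenLDAP stores userPassword exactly as given, so cleartext stays cleartext).
make_user_ldif() {
    user=$1 first=$2 last=$3 mail=$4 num=$5 hash=$6 admin=${7:-0}
    nl='
'
    # Reject values that are not a sane uid/number/flag, and anything that
    # could smuggle an extra line (and so an extra attribute such as
    # "kopanoAdmin: 1") into the LDIF.
    case "$user" in ''|*[!a-z0-9._-]*) echo "bad username: $user" >&2; return 1 ;; esac
    case "$num" in ''|*[!0-9]*) echo "bad uid/gid number: $num" >&2; return 1 ;; esac
    case "$admin" in 0|1) ;; *) echo "admin flag must be 0 or 1" >&2; return 1 ;; esac
    case "$hash" in '{'*'}'*) ;; *) echo "refusing unhashed userPassword" >&2; return 1 ;; esac
    case "$mail" in *@*) ;; *) echo "bad mail address: $mail" >&2; return 1 ;; esac
    case "$first$last$mail$hash" in *"$nl"*) echo "newline in attribute value" >&2; return 1 ;; esac

    cat <<EOF
dn: uid=$user,ou=Users,$BASE_DN
objectClass: posixAccount
objectClass: top
objectClass: kopano-user
objectClass: inetOrgPerson
gidNumber: $num
cn: $first $last
homeDirectory: /home/$user
mail: $mail
uidNumber: $num
uid: $user
kopanoAccount: 1
kopanoAdmin: $admin
sn: $last
userPassword: $hash
EOF
}

# Constructed slapcat excerpt with two existing users (one gap in numbering).
SAMPLE_SLAPCAT='dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
uidNumber: 10000
gidNumber: 10000

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
uidNumber: 10003
gidNumber: 10003'

# On the real host:  NEXT=$(sudo slapcat | next_uid_number)
NEXT=$(printf '%s\n' "$SAMPLE_SLAPCAT" | next_uid_number)
# The hash below is a constructed placeholder; generate a real one with slappasswd.
make_user_ldif carol Carol Example carol@example.com "$NEXT" '{SSHA}Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI='
```

Redirect the output to <USERNAME>.ldif and import it with the ldapadd command shown above; run the script once per user so every account gets a fresh number. Usernames are restricted to lowercase letters, digits, dot, underscore and hyphen on purpose.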

6b. Configure LDAP for kopano-server

The Kopano server needs to read the e-mail accounts created in LDAP or AD.

In the Kopano server configuration /etc/kopano/server.cfg set the user plugin to ldap:

user_plugin = ldap

Next, copy the example ldap configuration:

$ sudo cp /usr/share/doc/kopano/example-config/ldap.cfg /etc/kopano/

Adapt it to the desired configuration by setting the following in /etc/kopano/ldap.cfg (ldap_bind_password is stored in cleartext, so keep the file readable only by root and the kopano user; if the directory runs on another host, use an ldaps:// URI so the bind credentials do not cross the network unencrypted):

ldap_uri = ldap://<LDAP-SERVER-HOSTNAME>
ldap_search_base = ou=Users,dc=<EXAMPLE>,dc=<COM>

ldap_bind_user = cn=admin,dc=<EXAMPLE>,dc=<COM>
ldap_bind_password = <LDAP-PASSWORD>

7. Configure Postfix

Postfix needs to be configured as the MTA and needs to talk to LDAP to resolve users and groups, and provide secure interfaces.

For resolving the primary e-mail address of a user, create the file /etc/postfix/ldap-users.cf with the following lines, with search_base set to your Users OU:

server_host = localhost
search_base = ou=Users,dc=<EXAMPLE>,dc=<COM>
version = 3
scope = sub
query_filter = (&(objectClass=posixAccount)(mail=%s))
result_attribute = mail

Configure Postfix using the following commands (virtual_mailbox_domains is set to the server's FQDN here; if your users' addresses are in another domain, use that domain instead):

$ sudo postconf -e mydestination=localhost.localdomain,localhost
$ sudo postconf -e virtual_mailbox_domains=$(hostname -f)
$ sudo postconf -e virtual_mailbox_maps=ldap:/etc/postfix/ldap-users.cf
$ sudo postconf -e virtual_transport=lmtp:unix:/var/spool/postfix/kopano-dagent.sock
$ sudo postconf -e inet_interfaces=all
$ sudo postconf -e smtpd_tls_cert_file=/srv/tls/bundle.crt
$ sudo postconf -e smtpd_tls_key_file=/srv/tls/server.key
$ sudo postconf -e smtpd_tls_security_level=may
$ sudo postconf -e smtpd_tls_auth_only=yes
$ sudo postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
$ sudo postconf -e 'smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
$ sudo postconf -e tls_preempt_cipherlist=no
$ sudo postfix reload

Next, configure kopano-dagent to accept mail from Postfix over the LMTP socket used above.

In /etc/kopano/dagent.cfg, set the following:

lmtp_listen = unix:/var/spool/postfix/kopano-dagent.sock
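An added example (not from the Kopano documentation) that audits the result of step 7: it reads a Postfix configuration dump in the "name = value" form that postconf -n prints and flags the settings that would undo the intended posture (TLS not offered, SASL allowed in clear, pre-1.2 protocols permitted, mail not handed to kopano-dagent). The two main.cf excerpts below are constructed so the script runs offline; on the server, call audit_postfix_tls "$(postconf -n)".

```bash
#!/bin/sh
# Added example, not from the Kopano documentation: audit a Postfix
# configuration dump ("name = value" lines, as printed by postconf -n)
# against the settings from step 7.

# pc_get CONFIG NAME: print the value of NAME from CONFIG, empty if unset.
pc_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $0 ~ ("^" k " *=") { sub(/^[^=]*= */, ""); print; exit }'
}

# protocols_ok VALUE: true if VALUE (a Postfix protocol list) excludes every
# pre-1.2 protocol, either via "!" exclusions or via a ">=TLSv1.2" floor.
protocols_ok() {
    val=$1
    case "$val" in '>=TLSv1.2'*|'>=TLSv1.3'*) return 0 ;; esac
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        found=0
        for tok in $(printf '%s' "$val" | tr ',:' '  '); do
            [ "$tok" = "!$p" ] && found=1
        done
        [ "$found" = 1 ] || return 1
    done
    return 0
}

# audit_postfix_tls CONFIG: print one FAIL line per problem; exit status 1
# if anything failed, 0 if the config matches the intended posture.
audit_postfix_tls() {
    cfg=$1 rc=0
    for f in smtpd_tls_cert_file smtpd_tls_key_file; do
        [ -n "$(pc_get "$cfg" "$f")" ] || { echo "FAIL: $f is not set"; rc=1; }
    done
    v=$(pc_get "$cfg" smtpd_tls_security_level)
    case "$v" in may|encrypt) ;;
        *) echo "FAIL: smtpd_tls_security_level is '${v:-none}', so TLS is not offered"; rc=1 ;;
    esac
    [ "$(pc_get "$cfg" smtpd_tls_auth_only)" = yes ] ||
        { echo "FAIL: smtpd_tls_auth_only != yes, SASL credentials could be sent in clear"; rc=1; }
    for f in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        v=$(pc_get "$cfg" "$f")
        protocols_ok "$v" ||
            { echo "FAIL: $f permits a pre-TLS1.2 protocol: '${v:-<default>}'"; rc=1; }
    done
    case "$(pc_get "$cfg" virtual_transport)" in lmtp:unix:*) ;;
        *) echo "FAIL: virtual_transport does not hand mail to kopano-dagent over its LMTP socket"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed main.cf excerpts. GOOD_CONF is what step 7 produces; WEAK_CONF
# is a Debian-default-style setup with a half-finished edit.
GOOD_CONF='mydestination = localhost.localdomain,localhost
virtual_mailbox_domains = mail.example.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:/var/spool/postfix/kopano-dagent.sock
inet_interfaces = all
smtpd_tls_cert_file = /srv/tls/bundle.crt
smtpd_tls_key_file = /srv/tls/server.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
tls_preempt_cipherlist = no'

WEAK_CONF='smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_protocols = !SSLv2,!SSLv3
virtual_transport = virtual'

audit_postfix_tls "$GOOD_CONF" && echo "GOOD_CONF: ok"
audit_postfix_tls "$WEAK_CONF" || echo "WEAK_CONF: rejected"
```

The check deliberately accepts both "may" and "encrypt" for smtpd_tls_security_level: "may" is the right setting for a server that receives mail from the Internet, because other MTAs are not required to offer TLS, while smtpd_tls_auth_only=yes is what keeps your own users' credentials off the wire in clear.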

8. Set up Konnect (OpenID Connect)

Konnect provides the authentication for WebApp in Kopano One installations. Kopano-server and kopano-webapp need to be configured to use Konnect.

  • In /etc/kopano/konnectd.cfg, set the following:

oidc_issuer_identifier = https://<FQDN>
  • In /etc/kopano/server.cfg, set the following:

enable_sso = yes
kcoidc_issuer_identifier = https://<FQDN>
  • In /etc/kopano/kapid.cfg, set the following:

oidc_issuer_identifier = https://<FQDN>
  • In /etc/kopano/webapp/config.php, set the following (note the trailing semicolons; config.php is PHP):

define("OIDC_ISS", "https://<FQDN>");
define("OIDC_CLIENT_ID", "webapp-<FQDN>");

9. Configure IMAP

IMAP services need to be securely accessible.

  • In /etc/kopano/gateway.cfg, set the following:
imaps_listen = *:993
ssl_private_key_file = /srv/tls/server.key
ssl_certificate_file = /srv/tls/bundle.crt

10. Configure KDAV

If you want to use CalDAV and/or CardDAV, the root URI needs to be set in its configuration.

  • In /etc/kopano/kdav/config.php, set the following:
define('DAV_ROOT_URI', '/kdav/');

11. Configure Kweb

Kweb is the Kopano provided webserver that delivers all the Kopano web applications in a performant and secure manner. It needs a little bit of configuration to use the TLS certificates generated or installed in step 4.

  • In /etc/kopano/kwebd.cfg, set the following:
hostname=<FQDN>
tls_cert=/srv/tls/bundle.crt
tls_key=/srv/tls/server.key
default_redirect=/webapp/

12. Restart services

Restart all services to activate changed configurations.

$ sudo systemctl restart "kopano-*"
$ sudo systemctl restart postfix

13. Create the public store and sync users

Even if you don’t use a public store, make sure you create it, as it is used for some internal functions like publishing of free/busy information.

$ sudo kopano-storeadm -P

$ sudo kopano-admin --sync
$ sudo kopano-admin --list-users

You should now see a list of the users you created when configuring the LDAP or AD.

Done! You should now be able to log in at https://<yourdomain.example.com>/webapp/ with the user(s) you created.
