Install Kolab Mail Server on Ubuntu

This post shows how to install the Kolab mail server on Ubuntu 14.04, in this example on a DigitalOcean VPS. Kolab's recipient policy will be removed because I do not need guaranteed unique email addresses, automatic secondary alias addresses and so on. DKIM is another important factor when configuring a mail server, as it allows other mail servers to validate the authenticity of your emails. There are many useful plugins available for Roundcube, such as integration with the Google Authenticator app. For sources, see the References section at the end.

Install Kolab

The first step is to install Kolab on the VPS. Add the following to /etc/apt/sources.list.d/kolab.list using nano or similar.

deb http://obs.kolabsys.com/repositories/Kolab:/3.3/Ubuntu_14.04/ ./
deb http://obs.kolabsys.com/repositories/Kolab:/3.3:/Updates/Ubuntu_14.04/ ./

We need to import the authentication key to validate the packages. Run these commands.

gpg --search devel@lists.kolab.org
gpg --export --armor devel@lists.kolab.org | apt-key add -

To make sure the Ubuntu server prioritises the packages from the Kolab repository, we need to create a preferences file. Create /etc/apt/preferences.d/kolab and put the following in it:

Package: *
Pin: origin obs.kolabsys.com
Pin-Priority: 501

Setup Kolab

Before running the setup tool the server MUST have its FQDN (Fully Qualified Domain Name) configured. To check run cat /etc/hosts

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
127.0.1.1 mail.example.com mail.example.com
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Also run cat /etc/hostname which should show:

mail.example.com

Now we need to configure the Kolab server which is surprisingly easy because we can use the provided setup tool. Run the following command:

setup-kolab

This will launch a command line wizard that asks some questions. You can either accept the generated answer in the square brackets by pressing enter or type in your own. Below are examples of the questions in order; when running the command, an explanation of each parameter is provided.

LDAP Admin User [ 93jef0fej09]:
LDAP Directory Manager User [gsljgwbfi3u93rf3w]:

Please choose the system user and group the service should use to run under.
These should be existing, unprivileged, local system POSIX accounts with no
shell.

User [dirsrv]:
Group[dirsrv]:

Cyrus Administrator password [LwW_gjn645m46]:
Kolab Service password [riY4t4ywe-dURe1]:

MySQL kolab password [bFR43t4$DTojmx1]:

The timezone has to be typed out manually.

Timezone ID [UTC]: Europe/London

MySQL roundcube password [OH-zT66jhf6jnZKc]:

Remove Kolab Recipient Policy

Kolab has a recipient policy designed to generate the primary and secondary email addresses of users from their first and last names. This would obviously be useful in an enterprise environment, but in a personal or small business environment it could become annoying. Kolab does allow the creation of more alias addresses, but the user would already have 3 generated. I wanted to specify my own primary email address and create as many or as few aliases as I wanted.

Firstly edit this file: /etc/kolab/kolab.conf

Remove these lines from around line 8:

primary_mail = %(surname)s@%(domain)s
secondary_mail = {
0: {
"{0}.{1}@{2}": "format('%(givenname)s'[0:1].capitalize(), '%(surname)s', '%(domain)s')"
},
1: {
"{0}@{1}": "format('%(uid)s', '%(domain)s')"
},
2: {
"{0}@{1}": "format('%(givenname)s.%(surname)s', '%(domain)s')"
}
}

Right at the bottom of the file is a section with your domain name:

[example.com]
default_quota = 1048576
primary_mail = %(givenname)s.%(surname)s@%(domain)s //Remove this line

Then restart the service:

service kolab-server restart

Now we need to copy a template file, modify it and then run it to modify the current Kolab installation. It can be a bit tricky to remove exactly the right things; I have missed one line and then could not add more than one alias address because the plus button had been removed.
Run this command to copy the template file.

cp /usr/share/doc/kolab-webadmin/sample-insert-user_types.php.gz /usr/share/kolab-webadmin/

Move to the directory with the cd command and unzip the file with:

gunzip sample-insert-user_types.php.gz

Edit the PHP Template file

Edit these lines as directed:

    $attributes = Array(
            "auto_form_fields" => Array(
                    // Note that this form field is marked as optional in
                    // 'form_fields'.
                    "alias" => Array(
                            "type" => "list", //Remove
                            "data" => Array(  //Remove
                                    "givenname", //Remove
                                    "preferredlanguage", //Remove
                                    "sn", //Remove
                                ), //Remove
                        ),
                    "cn" => Array(
                            "data" => Array(
                                    "givenname",
                                    "sn",
                                ),
                        ),
                    "displayname" => Array(
                            "data" => Array(
                                    "givenname",
                                    "sn",
                                ),
                        ),
                    "mail" => Array(
                            "data" => Array( //Remove
                                    "givenname", //Remove
                                    "preferredlanguage", //Remove
                                    "sn", //Remove
                                ), //Remove
                        ),

It should look like:

    $attributes = Array(
            "auto_form_fields" => Array(
                    // Note that this form field is marked as optional in
                    // 'form_fields'.
                    "alias" => Array(
                        ),
                    "cn" => Array(
                            "data" => Array(
                                    "givenname",
                                    "sn",
                                ),
                        ),
                    "displayname" => Array(
                            "data" => Array(
                                    "givenname",
                                    "sn",
                                ),
                        ),
                    "mail" => Array(
                        ),

Now further down the file we need to add some extra lines:

"form_fields" => Array(
                    "alias" => Array(
                            "optional" => true,
                            "type" => "list" //Very important, without this you won't be able to add more than one alias address
                        ),
                    "givenname" => Array(),
                    "initials" => Array(
                            "optional" => true,
                            "Type" => "list"
                        ),

//Add the below mail section
                    "mail" => Array(
                            "optional" => true
                        ),

Save the file and then check for syntax errors:

php -l sample-insert-user_types.php

Apply the changes to the Kolab installation:

php sample-insert-user_types.php

Access Kolab Webmail top level domain

The default behaviour of Kolab is to provide webmail access at mail.example.com/webmail or mail.example.com/roundcubemail, which I don't want. Making webmail available at mail.example.com is a simple edit of the Apache2 site configuration.

Edit /etc/apache2/sites-enabled/roundcubemail.conf

Find the following lines:

Alias /roundcubemail /usr/share/roundcubemail/public_html/
Alias /webmail /usr/share/roundcubemail/public_html/

Replace the above lines with this one. Basically we are removing the /roundcubemail or /webmail of the above lines.

Alias / /usr/share/roundcubemail/public_html/

Restart Apache2:

service apache2 restart

I would like to change the default /kolab-webadmin to just admin but when I tried the same approach I got errors after logging in so I might come back to that at a later date.

Postgrey/Virus/Spam

Postgrey is a very useful way of stopping spam emails. Here is a good explanation of greylisting from the Kolab Blog:

"Stopping spam before it enters the queue is a good thing. One way to achieve this is Greylisting: Reject a triplet (sending host, sender address, recipient address) on the first deliver attempt with a temporary error (450 4.2.0 <tobias@tobrunet.ch>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/tobrunet.ch.html) and save this triplet. On the second delivery attempt check the triplet against the database and if it matches, allow this message to be delivered. This stops many spam senders because they only try it once. A correctly configured MTA tries it again after a few minutes and the mail is delivered."

Enable postgrey by editing the /etc/postfix/main.cf file:

# "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client dnsbl.njabl.org,
    reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service unix:private/recipient_policy_incoming,
    # Added to enable Postgrey
    check_policy_service inet:127.0.0.1:10023,
    permit

Enable Anti-Virus and SpamAssassin

Edit /etc/amavis/conf.d/15-content_filter_mode

#
# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:

@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

Un-comment the appropriate lines in the above file to enable anti-virus/spam checking.

Add the users to the correct groups:

adduser clamav amavis
adduser amavis clamav

Please note that the ClamAV daemon uses around 200MB for each instance. It won't run on a VPS with less than 1GB of memory, and on a 1GB VPS it needs swap space to be able to restart the service.

Figure: ClamAV memory usage on a Kolab mail server installation.

Create SWAP File

We are using a VPS from DigitalOcean, which does not have a swap partition assigned to it. However, we can just create a swap file instead, and because DigitalOcean uses SSDs for its storage the swap file is pretty quick.

Create a file called swapfile in the root file system.

fallocate -l 2048M /swapfile

Check to see if the file has been created.

ls -la /
-rw-r--r--   1 root root 2147483648 Oct 13 19:20 swapfile

Set the correct permissions.

chmod 600 /swapfile

ls -la /
-rw-------   1 root root 2147483648 Oct 13 19:20 swapfile

Format it as swap.

mkswap /swapfile
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=59661226-6b9d-419d-a39c-6a81b3928af9

Activate the swap file so it is used as swap. You should see swap available in htop after running this command.

swapon /swapfile

Edit /etc/fstab and add the following line to enable the swap file on boot.

/swapfile none swap defaults 0 0

Now clamav will restart correctly because it can allocate the memory.

POODLE Attack Revealed, Disable SSLv3

Information from BetterCrypto.

Edit the Postfix main.cf

Change the TLS section to:

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

smtpd_tls_cert_file=/etc/apache2/ssl/ssl.crt
smtpd_tls_key_file=/etc/apache2/ssl/private.key
smtpd_tls_CAfile=/etc/apache2/ssl/sub.class1.server.ca.pem

# enable opportunistic TLS support in the SMTP server and client
#smtpd_use_tls=yes //I think this is no longer used
smtp_tls_security_level = may
smtpd_tls_security_level = may

# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_eecdh_grade=ultra

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
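
An added check, not part of the original post: in Postfix the *_tls_mandatory_protocols parameters apply only when TLS is mandatory (security level encrypt), while at the opportunistic level may used above the protocol list comes from smtpd_tls_protocols and smtp_tls_protocols. The script below reads a main.cf and reports each side whose governing parameter has no explicit !SSLv3; the function names and the sample file are constructed for this illustration, and the effective values on a live server can be confirmed with postconf smtpd_tls_protocols smtp_tls_protocols.

```sh
#!/bin/sh
# Added example (not from the original post): static SSLv3 check for main.cf.

# Print "name = value" per parameter: joins continuation lines (leading
# whitespace), skips comments/blank lines, and lets a later assignment win.
postfix_params() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }
                   next }
        {
            eq = index($0, "=")
            if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (!(name in val)) order[++n] = name
            val[name] = v
        }
        END { for (i = 1; i <= n; i++) print order[i] " = " val[order[i]] }
    ' "$1"
}

# For the server (smtpd) and client (smtp) side, pick the protocol parameter
# that governs the configured TLS level and report it if "!SSLv3" is absent.
# Only the "!proto" exclusion syntax used on this page is recognised.
sslv3_gaps() {
    for side in smtpd smtp; do
        level=$(postfix_params "$1" | sed -n "s/^${side}_tls_security_level = //p")
        case "$level" in
            may)     param="${side}_tls_protocols" ;;            # opportunistic TLS
            encrypt) param="${side}_tls_mandatory_protocols" ;;  # mandatory TLS
            *)       continue ;;  # unset, none, or a level not covered here
        esac
        value=$(postfix_params "$1" | sed -n "s/^${param} = //p")
        case "$value" in
            *'!SSLv3'*) ;;
            *) echo "${side}: level=${level} but ${param} has no !SSLv3 in this file" ;;
        esac
    done
    return 0
}

# Constructed sample mirroring the TLS settings in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
EOF
sslv3_gaps "$sample"
```

Run against the settings shown above, it reports both smtpd and smtp; adding smtpd_tls_protocols = !SSLv2, !SSLv3 and smtp_tls_protocols = !SSLv2, !SSLv3 clears both findings.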

Edit the /etc/cyrus.conf

If you don't need or use POP3 then it may as well be disabled.

#    pop3               cmd="pop3d" listen="pop3" prefork=3
#    pop3s              cmd="pop3d -s" listen="pop3s" prefork=1

Edit /etc/imapd.conf

tls_cert_file: /etc/apache2/ssl/ssl.crt
tls_key_file: /etc/apache2/ssl/private.key
tls_ca_file: /etc/apache2/ssl/sub.class1.server.ca.pem

# The list of SSL/TLS ciphers to allow, in decreasing order of precedence.
# The format of the string is described in ciphers(1). The Debian default
# selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
# from the list (because they provide no defense against man-in-the-middle
# attacks). It also orders the list so that stronger ciphers come first.
tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

Configure DNS/SPF (Important for a trusted mail server)

Please look at this post about DNS configuration.

Adding Plugins to Roundcube

Adding plugins is quite simple. Please do not confuse myRoundcube with Roundcube: its plugins are not the official ones but modified versions that require the use of their plugin manager, and they also charge for some of the plus versions of plugins. This is not to say do not use them, as many people do, but I prefer not to be forced to use a tool just to install and get the plugins.

On Roundcube's official wiki they mention the main.inc.php file, but in the Kolab install it is /usr/share/roundcubemail/config/config.inc.php instead.

My favourite plugins so far are: markasjunk2, serverinfo and twofactor_gauthenticator.

The way to install a plugin is to copy the plugin to the correct directory and then enable it in the plugin array. You don't even need to restart any services, just refresh the page. The links above have instructions on installation, but I will go through installing the serverinfo plugin. This plugin adds useful information to your settings page, such as port numbers.

Download the zip/tar file to a directory on the server using wget.

wget http://axel.sjostedt.no/misc/files/rcube_plg_serverinfo.tar.gz

Unzip the file:

gunzip rcube_plg_serverinfo.tar.gz 
tar -xvf rcube_plg_serverinfo.tar

Copy the folder to the plugin directory:

cp -R serverinfo /usr/share/roundcubemail/plugins/

Edit this file /usr/share/roundcubemail/config/config.inc.php and find the plugin section. I have removed most from this list as it is a little long and not necessary to show the whole list.

// Plugins
    $config['plugins'] = array(
            'kolab_auth',
            'calendar',
            'jqueryui',
            'serverinfo',
            // contextmenu must be after kolab_addressbook (#444)
            'contextmenu',
        );

I have added the plugin serverinfo. Generally the plugin name is the name of the folder copied. Please note: when downloading some of the plugins from GitHub, the folder normally needs to be renamed as per the instructions.

Now the plugin is enabled.

References

Kolab Installation Guide | Kolab.org

Kolab Anti Spam | Kolab Blog

Roundcube Plugin Repository | Roundcube.net

Arch Swap File | Arch Wiki

Mail Tester

DKIM Take up Experiment

DKIM Configuration | Exratione

 

This post is licensed under CC BY 4.0 by the author.
