Your own, completely secured mail server with Zarafa

I have already written a German tutorial about this topic. Now it is time to write an English one, which is also my first English blog post here. In this tutorial I explain how to install a Zarafa mail server so that it runs with a completely secured configuration. For this, we will install a Zarafa server with Postfix as the mail-handling base. We also install Amavis as virus scanner and SpamAssassin as spam protection, and use SSL/TLS to encrypt the communication. The complete tutorial is based on Ubuntu 14.04 LTS and Zarafa 7.1.11, but it should also work on different versions and on Debian as well. If you need support or the entire installation, please contact CVA GmbH (CET / CEST 08:00 am to 06:00 pm). So let's start with the installation process: first we need to take care of the requirements.





First, I change the current directory to my personal home directory by using the „cd ~“ command. In the next step, we need to find the correct software version for our operating system. We browse the Zarafa web archive to find it; I will use Zarafa version 7.1.11 for Ubuntu 14.04 LTS. We may also need to download the Microsoft Outlook integration from the windows folder in the web archive. For the final SSL/TLS integration we also need to create certificates, on StartSSL for example. But this step requires a valid unsecured mail server installation first, because we need to confirm our domain.

To download the correct Zarafa software we can use the following shell command:


After the download is completed, we need to extract all files into a new folder.

tar xvfz zcp-7.1.11-46050-ubuntu-14.04-x86_64-free.tar.gz

We also need to install MySQL on our server, and maybe Apache2 or Nginx too. One way to do this is to install a LAMP server. To do this, you can follow this guide: Install LAMP-Server on Ubuntu. Installing MySQL, or having access to a MySQL server, is absolutely required in this guide. Apache2 and/or Nginx is only required for web access to our mail server.

For the next step, we need to configure our domain correctly for the server. We need to create the subdomains „secure“, „mail“ and „www“ and an MX record with priority 10 for the mail subdomain. After this, we need to wait until the domain points to the correct server. This can take up to an hour or more. When this is completed, let's get started with the installation process.




First of all, we need to install Postfix on the server, because it is the foundation of the Zarafa setup we configure later. To trigger the installation we can use this command line:

apt-get install postfix

After that, a few configuration questions will appear. For most of them we can use the default configuration, because we have to change them later. But it is recommended to do the correct configuration for the domain question.



Let's go on with Zarafa. First of all we need to change our directory to the unpacked archive folder. From there, we can start the installation script.


And again we can use the default configuration. During the installation process, we are asked to enter a valid Zarafa serial number. We can buy a license from or we leave the serial empty and run the free version (you can enter a valid serial number later). It is important to configure the MySQL information correctly, because the tables for Zarafa are created during the install process.

If everything is correct, we should already be able to call the web interface for Zarafa. For this, enter http://SERVER_IP/webapp/ in your web browser. If this does not work correctly, we might need to check the log files for possible errors, missing modules and similar problems (it only works if Apache2 or Nginx is installed and running). For Apache2, the ssl, rewrite and php5 modules have to be loaded.


SASL Authentication

In the next part of this tutorial, we need to install SASL to protect our SMTP gateway. If SASL is installed and running, SMTP will require valid authentication. To install it, use this command line:

apt-get install sasl2-bin

That's all for now. Let's go on with fail2ban.



Same as SASL, fail2ban is a great addition for our server. It will protect the server from brute-force and DDoS attacks. For the installation, we only need to use this command line:

apt-get install fail2ban iptables-persistent



Amavis will work as a virus scanner for us.

apt-get install amavisd-new clamav-daemon spamassassin razor pyzor

Now the installation process is nearly completed. In the next step we need to configure the services we installed.



Let's start with the configuration of our services. We don't have any certificates yet, so we need to complete the installation process without any kind of certificate. The certificate configuration appears later in this post.


Basic config

As a basis, we should start by configuring the SASL authentication on the server. To do this, we need to edit this file:

nano /etc/postfix/sasl/smtpd.conf

And add this content:

pwcheck_method: saslauthd
mech_list: plain login

If this is done, we need to add the postfix user to the sasl group. For this we need to execute this command:

gpasswd -a postfix sasl

Now we can start with the main postfix configuration:

nano /etc/postfix/

First we need to disable the „relayhost“ line. After this, we have to add this to the end of the configuration file:

# SASL Auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_relay_domains,reject_unauth_destination 

# Amavis

# Zarafa Mailbox mapping
virtual_mailbox_domains =
virtual_alias_maps = hash:/etc/aliases
mailbox_command = /usr/bin/zarafa-dagent "$USER"
virtual_transport = zarafa:
zarafa_destination_recipient_limit = 1

Save and exit the file. Now we need to change the SASL configuration again here:

nano /etc/default/saslauthd

The easiest way is to delete everything in this file and add this:

DESC="SASL Authentication Daemon"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Now we need to add a virtual mail user.

adduser --system --no-create-home vmail
adduser clamav amavis

Let's add the virtual mail user to our Zarafa configuration here:

nano /etc/zarafa/server.cfg

Search for „local_admin_users“ and edit the line as shown in the comment above it. Now let's connect Amavis to our mail chain by editing this:

nano /etc/amavis/conf.d/15-content_filter_mode

Make sure the file looks similar to this one:

use strict;

@bypass_virus_checks_maps = (
 \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
 \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);


And go on with spamassassin and enable it by editing this file:

nano /etc/default/spamassassin

Switch the ENABLED variable from 0 to 1. Now let's activate fail2ban for our services by setting the enabled flag to true for postfix, sasl, apache / nginx and ssh by editing this file:

nano /etc/fail2ban/jail.conf

Finally we need to configure our Postfix master configuration. Below the line „pickup    unix  n       -       -       60      1       pickup“ add this:

# Amavis
 -o content_filter=
 -o receive_override_options=no_header_body_checks
# Amavis end

And below the line „smtp      unix  -       -       -       -       -       smtp“ this:

smtps inet n - n - - smtpd
 -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Next we need to replace the submission block incl. -o parameters with this:

submission inet n       -       -       -       -       smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

And at the end this:

zarafa unix - n n - 10 pipe
 flags=DRhu user=vmail argv=/usr/bin/zarafa-dagent -R ${recipient}
# Amavis
smtp-amavis unix - - - - 2 smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20 inet n - - - - smtpd
 -o content_filter=
 -o local_recipient_maps=
 -o relay_recipient_maps=
 -o smtpd_restriction_classes=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o mynetworks=
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

So the basic configuration is completed. Now let's add a user to our mail server so that we can receive and check the mail for the SSL domain registration.

adduser mailuser --no-create-home
zarafa-admin -c mailuser -p mailpassword -f "Mailuser Example" -e "" 
zarafa-admin -u mailuser --enable-feature imap 
zarafa-admin --create-store mailuser

Let's change the aliases next, to make mail forwarding work.

nano /etc/aliases

For a simple solution, add this line (change mailuser to the mailuser you just created):

root: mailuser

Now execute this:


And now all mails will be forwarded to the mailuser. So that Amavis can use Razor and Pyzor, the following is additionally required:

su - amavis -s /bin/bash
razor-admin -create
razor-admin -register
pyzor discover

I also recommend changing the following settings in the file „/etc/amavis/conf.d/20-debian_defaults“:

$sa_tag_level_deflt  = undef;
$sa_tag2_level_deflt = 5;
$sa_kill_level_deflt = 20;

Finally we need to restart all services with this little „script“:

service saslauthd restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service postfix restart
service zarafa-dagent restart
service zarafa-server restart
service apache2 restart
service fail2ban restart

Now you should have web access (if you installed Apache or Nginx) to these web services:

WebApp: http://SERVER_IP_ADRESSE/webapp/
Webaccess: http://SERVER_IP_ADRESSE/webaccess/


Educating the Spam-Filters

You should download some spam mails for the learning process from here: I will unpack the archive to „/var/mail/spam/“ and run the learning routine of SpamAssassin.

sa-learn --no-sync --spam /var/mail/spam/

It is recommended to download at least the latest 3 archives from the page above before you execute the learn command. You can also use an auto-learn function by editing this file:

nano /etc/spamassassin/

And uncomment these two lines:

use_bayes 1
bayes_auto_learn 1

Note: The automatic learning uses a lot of system resources and it will not learn correctly without any help (such as learning from spam archives).


SSL Configuration

Now let's start with the SSL configuration to encrypt the communication between the server and the desktop clients. You can take certificates from for example (Note: these certificates need to be updated each year). We need the „Web Server SSL/TLS Certificate“ kind of certificate for our secure subdomain. First let's store the private key in a file:

nano /etc/keys/mail.ssl.key

And run openssl to „decrypt“ this private key for our server.

openssl rsa -in /etc/keys/mail.ssl.key -out /etc/keys/mail.ssl.key

Next up we need to store the domain certificate here for example:

nano /etc/keys/mail.ssl.crt

And last but not least we need the CA-Certificate and the Class1-CA-Certificate. If you use StartSSL you could use this:

nano /etc/keys/

And enter this:


Next the CA-Certificate:

nano /etc/keys/ca.pem

With this content:


Now we need to combine our certificates with this command:

cd /etc/keys/ && cat mail.ssl.crt mail.ssl.key ca.pem >

Now we can edit our Postfix main configuration again:

nano /etc/postfix/

Replace the part between „# TLS parameters“ and „# See /usr/share/doc…“ with this (don't forget to set the domain correctly):

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

smtpd_tls_cert_file = /etc/keys/
maildrop_destination_recipient_limit = 1

smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
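
The settings on this page combine SASL login (smtpd_sasl_auth_enable = yes with the plain and login mechanisms) with smtpd_tls_auth_only = no and opportunistic TLS, so it is worth checking whether passwords can be sent before STARTTLS. The following Python check is an added example, not part of the original tutorial; the sample configuration text is constructed from values shown on this page and the function names are made up for the example.

```python
# Added example: audit main.cf-style text for SASL logins without TLS.
# SAMPLE_MAIN_CF is constructed from settings shown in this tutorial.
SAMPLE_MAIN_CF = """\
# SASL Auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# TLS parameters
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtpd_tls_security_level = may
"""


def parse_main_cf(text):
    """Parse main.cf syntax: '#' comment lines, 'name = value', lines that
    start with whitespace continue the previous value, last assignment wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params


def audit_sasl_tls(params):
    """Return findings about SMTP AUTH being usable without encryption."""
    findings = []
    sasl_on = params.get("smtpd_sasl_auth_enable", "no") == "yes"
    auth_only = params.get("smtpd_tls_auth_only", "no") == "yes"
    # 'encrypt' refuses mail commands before STARTTLS, so AUTH is covered too.
    enforced = params.get("smtpd_tls_security_level", "") == "encrypt"
    if sasl_on and not auth_only and not enforced:
        findings.append("AUTH is offered on unencrypted connections; "
                        "set smtpd_tls_auth_only = yes")
    return findings


if __name__ == "__main__":
    for finding in audit_sasl_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARN:", finding)
```

On a live server the same check can be run against the real main.cf contents instead of the constructed sample.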

Last but not least we need to change the zarafa gateway configuration here

nano /etc/zarafa/gateway.cfg

and switch these options to yes:

pop3s_enable    =       yes
imaps_enable    =       yes

Finally restart everything again.

service saslauthd restart
service spamassassin restart
service clamav-daemon restart
service amavis restart
service postfix restart
service zarafa-dagent restart
service zarafa-server restart
service apache2 restart
service fail2ban restart

Now it should be possible to connect via SSL/TLS to our server. If not: Check your firewall and that the services are running. Also check the logfiles.




Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will „temporarily reject“ any email from an origin it does not recognize. If the mail is legitimate the originating server will try to send it again after a delay, and if sufficient time has elapsed the email will be accepted.

To install greylisting use the following command:

apt-get install postgrey

Now you need to add „check_policy_service inet:“ to the property „smtpd_recipient_restrictions“ in the file „/etc/postfix/“ (Warning: Port could be different!! If the port is wrong you will see a connection error in the mail log). The configuration should now be like this:

smtpd_recipient_restrictions =  permit_mynetworks,
				check_policy_service inet:

Restart (or reload) Postfix to activate the configuration: „service postfix restart“.
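
The greylisting decision described at the start of this section can be modelled in a few lines. This Python model is an added example, not postgrey's code and not part of the original tutorial; keying on the (client IP, sender, recipient) triplet, the 300 second delay and the 35 day memory are assumptions of the example, and the traffic is constructed.

```python
# Added example: the greylisting decision described above, as a small model.
# Keying on (client IP, sender, recipient) and the 300 s delay / 35 day
# memory are assumptions of this example, not values taken from the tutorial.

class Greylist:
    def __init__(self, delay=300, max_age=35 * 86400):
        self.delay = delay        # seconds before a retry from a new origin counts
        self.max_age = max_age    # seconds a recognized origin stays recognized
        self.first_seen = {}      # triplet -> time of first deferred attempt
        self.passed = {}          # triplet -> time of last accepted attempt

    def check(self, client_ip, sender, recipient, now):
        """Return a Postfix policy action: DEFER_IF_PERMIT (temporary
        rejection) or DUNNO (no objection, later restrictions decide)."""
        key = (client_ip, sender.lower(), recipient.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.max_age:
            self.passed[key] = now            # recognized origin: refresh and pass
            return "DUNNO"
        self.passed.pop(key, None)            # forget an expired entry
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:         # retried after the delay: accept
            del self.first_seen[key]
            self.passed[key] = now
            return "DUNNO"
        return "DEFER_IF_PERMIT"              # unknown, or retried too early


def replay(attempts, greylist=None):
    """Run (time, client_ip, sender, recipient) attempts and collect actions."""
    greylist = greylist or Greylist()
    return [greylist.check(ip, s, r, t) for t, ip, s, r in attempts]


# Constructed sample traffic (documentation addresses and example domains).
ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "mailuser@example.com"),  # first contact
    (60,  "192.0.2.10",   "alice@example.org", "mailuser@example.com"),  # retry too early
    (400, "192.0.2.10",   "alice@example.org", "mailuser@example.com"),  # retry after delay
    (500, "192.0.2.10",   "alice@example.org", "mailuser@example.com"),  # now recognized
    (510, "198.51.100.7", "bulk@example.net",  "mailuser@example.com"),  # never retries
]

if __name__ == "__main__":
    for attempt, action in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt, "->", action)
```

A legitimate sender is delayed once and then passes, while a sender that never retries stays deferred.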


Zarafa Bayesian Learning

To learn spam mails directly from zarafa you can use this quick tutorial:
Zarafa Bayesian Learning (to install the Perl-IMAP plugin in Debian / Ubuntu you need this command: „apt-get install libmail-imapclient-perl“)


Adding a Zarafa license

To add a zarafa license edit this file:

nano /etc/zarafa/license/base

And enter the license as plaintext into this file. Now restart the Zarafa services.

service zarafa-dagent restart
service zarafa-gateway restart
service zarafa-ical restart
service zarafa-licensed restart
service zarafa-monitor restart
service zarafa-search restart
service zarafa-server restart
service zarafa-spooler restart


Zarafa-Mailserver administration

For documentation of the Zarafa administration possibilities, see this: (DB plugin)


Changing the MySQL Password

If you change the MySQL password, change it here and restart Zarafa:

nano /etc/zarafa/server.cfg


Further information on how the mail server works

Anti-Spam (spamassassin):
Anti-Virus (Amavis):



I hope this small tutorial could help someone. 🙂



One thought on “Your own, completely secured mail server with Zarafa”

  1. Thank you for this, I used it to install zarafa 7.2 almost without a hitch. There were a couple of changes – 7.2 no longer uses an install script and the one that had me confused for a few hours was in /etc/postfix/ zarafa-dagent has moved to sbin so that line should read 'mailbox_command = /usr/sbin/zarafa-dagent "$USER"'
