Zarafa 7 Groupware on Debian Squeeze
17. April 2013


Install dependencies by invocing:

aptitude install postfix mysql-server apache2 php5


Zarafa-monitor needs en_US.UTF-8, which could be a problem on differently localized systems. Just reconfigure it by:

dpkg-reconfigure locales


Zarafa (manually)

  1. Download the lastest final version from (if you would like to have as much features as possible, like mapi connector, use the free-edition instead of opensource edition)
  2. Unpack the tar.gz
    tar -xf zcp-7.1.4-41394-debian-6.0-x86_64-free.tar.gz
  3. Install it by invoking:
    cd zcp-7.1.4-41394-debian-6.0-x86_64/

Zarafa (from yaffas repository – only for Debian 6 atm)

  1. Add the following to your /etc/apt/sources.list
    # zarafa repos
    deb ./
  2. Install Zarafa
    aptitude install zarafa zarafa-utils zarafa-webapp
  3. Configure database and import the schema



  1. Download the latest version from
  2. Unpack the tar.gz
    tar -xf z-push-2.0.7-1690.tar.gz
  3. Create needed directories
    mkdir -p /usr/share/z-push
    mkdir -p /var/lib/z-push
    mkdir -p /var/log/z-push
  4. Copy z-push-2.0.7-1690 directory
    cp -R z-push-2.0.7-1690/* /usr/share/z-push
  5.  Set privileges (have a look at “executing zarafa as non-root user” to create the zarafa group before doing the following)
    chown -R www-data:zarafa /var/lib/z-push
    chown -R www-data:zarafa /var/log/z-push
    chown -R www-data:zarafa /usr/share/z-push
  6. Create symlinks to z-push admin tools
    ln -s /usr/share/z-push/z-push-admin.php /usr/sbin/z-push-admin
    ln -s /usr/share/z-push/z-push-top.php /usr/sbin/z-push-top
  7. check config in /usr/share/z-push/config.php


Mysql Connection

During installation, zarafa asks you to enter mysql root user credentials. The schema is automatically created during this process. But from my point of view, Zarafa shouldn’t use the root credentials during production use. It’s quite simple to create a new user having all privileges on zarafa db but not everywhere else.

-- open mysql client with sufficient privlieges, using the debian sysmaintainer configured in /etc/mysql/debian.cnf f.e.
mysql --defaults-extra-file=/etc/mysql/debian.cnf
-- create a new user with all privileges on zarafa db, only able to connect from local system
grant all privileges on zarafa.* to 'zarafa'@'localhost' identified by '<password>';

After doing this, you have to tell zarafa-server to use the new connection credentials. Edit /etc/zarafa/server.cfg to enter your new data:

# MYSQL SETTINGS (for database_engine = mysql)

# MySQL hostname to connect to for database access
mysql_host              = localhost

# MySQL port to connect with (usually 3306)
mysql_port              = 3306

# The user under which we connect with MySQL
mysql_user              = zarafa

# The password for the user (leave empty for no password)
mysql_password          = <password>

# Override the default MySQL socket to access mysql locally
# Works only if the mysql_host value is empty or 'localhost'
mysql_socket            =

# Database to connect to
mysql_database          = zarafa

Postfix Config

add this to /etc/postfix/

# virtual mailbox config
virtual_mailbox_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = lmtp:

# domains to accept for zarafa (comma separated)
virtual_mailbox_domains = <your domains here, comma separated>

create a file named /etc/postfix/virtual holding your valid adresses   map and activate the new file and config

postmap /etc/postfix/virtual
/etc/init.d/postfix reload

Postfix TLS-Auth for SMTP against Zarafa-IMAP

To avoid having an open mail-relay, there should be the need to authenticate to send mails to  domains other than those, your postfix feels responsible for. There is a nice way to authenticate against zarafa for this.


aptitude install sasl2-bin


  • Create a new file /etc/postfix/sasl/smtpd.conf with the following content:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
  • modify /etc/default/saslauthd to match the following
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
  •  add the following to your /etc/postfix/
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
  •  to fix some permission-problems on the mux file just do:
adduser postfix sasl
/etc/init.d/postfix restart


  • make sure that you have enabled imap on port 143

Execution as a non-root user

create user and group

addgroup --system zarafa
adduser --system --home /dev/null --no-create-home --ingroup zarafa --disabled-password --gecos 'Zarafa services' --shell /bin/false zarafa

Configuring user and group for Zarafa services

The Zarafa Services can start as root and drop their privileges to a user and group, defined in the config. Check every .cfg file in /etc/zarafa and change the following:

# drop privileges and run the process as this user
run_as_user             = zarafa

# drop privileges and run the process as this group
run_as_group            = zarafa

change permissions on zarafa files

If Zarafa isn’t running as root any more, there are some files and folders needing modified privileges. Just execute the following as script or directly in the shell to fix it.


# stop all services
/etc/init.d/zarafa-dagent stop
/etc/init.d/zarafa-gateway stop
/etc/init.d/zarafa-ical stop
/etc/init.d/zarafa-licensed stop
/etc/init.d/zarafa-monitor stop
/etc/init.d/zarafa-search stop
/etc/init.d/zarafa-server stop
/etc/init.d/zarafa-spooler stop

# change permissions
chown -R zarafa:zarafa /var/log/zarafa
chown -R root:zarafa /etc/zarafa/
chown -R root:www-data /etc/zarafa/webapp
chown -R root:www-data /etc/zarafa/webaccess-ajax
chown -R zarafa:zarafa /var/lib/zarafa
chown -R www-data:www-data /var/lib/zarafa-webapp/tmp
chown -R zarafa:www-data /usr/share/zarafa-webaccess
chown -R zarafa:www-data /usr/share/zarafa-webapp

# start all services
/etc/init.d/zarafa-dagent start
/etc/init.d/zarafa-gateway start
/etc/init.d/zarafa-ical start
/etc/init.d/zarafa-licensed start
/etc/init.d/zarafa-monitor start
/etc/init.d/zarafa-search start
/etc/init.d/zarafa-server start
/etc/init.d/zarafa-spooler start

check if everything is running fine as user zarafa

ps aux | grep zarafa


SSL Encrypted Connection

To have web-based traffic SSL encrypted, you have to configure apache 2 to do so. Secured IMAP and so on has to be configured in zarafa directly.

Creating a Certificate

First of all you have to create a csr (certificate signing request) for your certificate. This csr must get signed by a ca (certificate authority) of your choice. In this example, I will use a self signed ca to do this.

#create csr
openssl req -nodes -newkey rsa:2048 -keyout zarafacert.key -out zarafacert.csr
# sign the created cert with your ca key, valid for 10 years
openssl x509 -CA ca.crt -CAkey ca.key -CAserial serial.txt -req -in zarafacert.csr -out zarafacert.crt -days 3650

Configure Zarafa Gateway for SSL usage

While pop3 and imap are quite insecure cause of unencrypted transfer of user credentials and data, you should configure zarafa to ssl encrypt these protocols. To do so, you have to modify /etc/zarafa/gateway.cfg

pop3_enable     =       no
pop3s_enable    =       yes

imap_enable     =       no
imaps_enable    =       yes

# File with RSA key for SSL
ssl_private_key_file    =       /etc/apache2/ssl/zarafa.key

#File with certificate for SSL
ssl_certificate_file    =       /etc/apache2/ssl/zarafa.crt

After doing so, just restart zarafa gateway by:

/etc/init.d/zarafa-gateway restart

Configure Apache for SSL usage

Have a look at the next chapter. The apache site-configuration already reflects ssl usage including all necessary configuration.

Apache Configuration

Zarafa-Server listenes on port 236 per default. If you want to connect Outlook Clients f.e. you should configure apache 2 to act as a reverse proxy directing incoming traffic on http://host/zarafa to zarafa. Furthermore Apache2 has to publish the webmail interfaces and z-push Active Sync functionality. This can be done in a single apache site-configuration file as follows.

  1. activate apache modules
    a2enmod proxy_http expires headers setenvif deflate ssl
  2. create /etc/apache2/sites-available/zarafa.conf
    Alias /webapp /usr/share/zarafa-webapp
    Alias /webaccess /usr/share/zarafa-webaccess
    Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
    # Modules to enable for the caching instructions to work:
    #   mod_expires
    #   mod_headers
    #   mod_setenvif - for Internet Explorer quirks
    # For compression:
    #   mod_deflate
    <VirtualHost *:443>
            SSLEngine On
            SSLCertificateFile /etc/apache2/ssl/zarafa.crt
            SSLCertificateKeyFile /etc/apache2/ssl/zarafa.key
            <IfModule mod_proxy.c>
                    # proxy soap traffix from :80/zarafa to :236
                    ProxyPass        /zarafa http://localhost:236
                    ProxyPassReverse /zarafa http://localhost:236
            <Directory /usr/share/zarafa-webapp/>
                    DirectoryIndex index.php
                    Options -Indexes +FollowSymLinks
                    AllowOverride Options
                    Order allow,deny
                    Allow from all
                    FileETag All
                    # Uncomment to enhance security of WebApp by restricting cookies to only
                    # be provided over HTTPS connections
                    php_flag session.cookie_secure on
                    php_flag session.cookie_httponly on
                   # Manipulate the cache control headers if mod_expires and
                    # mod_headers are both enabled; otherwise the client will depend
                    # on the ETag header.  However, you can set FileETag to "None" if
                    # you have multiple servers serving WebApp to the same user.  In
                    # that case, apache will fall back to the config below so make
                    # sure these two modules are loaded!
                    <IfModule expires_module>
                            <IfModule headers_module>
                                    ExpiresActive On
                                    ExpiresDefault "now"
                                    <filesMatch "\.(jpg|gif|png)$">
                                            # All (static) resources set to 2 months expiration time.
                                            ExpiresDefault "access plus 2 months"
                                            Header append Cache-Control "public"
                                    <FilesMatch "\.(js|css)$">
                                            # All non-dynamic files set to 2 weeks expiration time.
                                            ExpiresDefault "access plus 2 weeks"
                                            # User agents are requested to revalidate for each resource
                                            # so that the server can always serve a newer version if
                                            # necessary.
                                            Header append Cache-Control "no-cache, must-revalidate"
                                            # Treat IE a little differently due to the remarks on no-cache
                                            # on
                                            <IfModule setenvif_module>
                                                    BrowserMatch MSIE ie_bug
                                            Header set Cache-Control "must-revalidate, private" env=ie_bug
                                    <filesMatch "\.(php)$">
                                            # PHP files must always be retrieved from the server.
                                            ExpiresActive Off
                                            Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
                                            Header set Pragma "no-cache"
                   # Enable gzip compression if the module is available
                    <IfModule deflate_module>
                            <filesMatch "\.(js|css)$">
                                    SetOutputFilter DEFLATE
            <Directory /usr/share/zarafa-webaccess/>
                    DirectoryIndex index.php
                    Options -Indexes +FollowSymLinks
                    AllowOverride Options
                    Order allow,deny
                    Allow from all
                    # Uncomment to enhance security of WebApp by restricting cookies to only
                    # be provided over HTTPS connections
                    php_flag session.cookie_secure on
                    php_flag session.cookie_httponly on
            <Directory /usr/share/z-push>
                    php_flag magic_quotes_gpc off
                    php_flag register_globals off
                    php_flag magic_quotes_runtime off
                    php_flag short_open_tag on
            ErrorLog ${APACHE_LOG_DIR}/error-zarafa.log
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/access-zarafa.log combined


  3. delete unneeded config created by zarafa installer in /etc/apache2/sites-available
  4. activate new site-configuration
    a2ensite zarafa
    /etc/init.d/apache2 reload


Administration basics

Zarafa users creation

zarafa-admin -c <user name> -p <password> -e <email> -f <full name> -a <administrator>
zarafa-admin -u john --enable-feature imap
zarafa-admin -u john --disable-feature pop3



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


  1. wel, thank your for this Howto.
    only this line,
    openssl x509 -CA ca.crt -CAkey ca.key -CAserial serial.txt -req -in zarafacert.csr -out zarafacert.crt -days 3650
    Does not work, there is no CA setup in your howto. would be nice for others to know this.

    I did this setup on debian Wheezy and its all working ok.
    Thanks !

    1. Hello,

      nice to see that there is somebody reading this.
      The step you mention is intended to be done on an existing ca, maybe a corporate ca. Furthermore you can use public ca’s to sign your request.
      If you don’t care of certificate errors or even wan’t to have it for testing purpose, you can create a self-signed certificate by:

      openssl x509 -req -days 3650 -in zarafacert.csr -signkey zarafacert.key -out zarafacert.crt

      kind regards,

  2. Hello,
    I need you help, I follow your manual installation complete.
    However, the message appears sasl 0: NO “authentication failed”

    1. Hello, did you already check my advices about this?
      There are different reasons for this error. Check logfiles for something interesting.

  3. Hey there,

    thanks for your work. You really helped me.



  4. Hi, I like this write-up. So far I tried installing 7.1.7 on debian. Instead of using z-push I installed d-push out of the repo’s.

    It would sync my mail, but not my contacts on my iphone. Any clue why?

    1. Contacts sync behaves some strange but I’ve never used it so far. I think there was a problem in z-push allowing only read-only or one-way sync of contacts.

  5. Hello,

    Nice work !

    I’m trying to install on debian 8 (jessie).
    I had to enable also module ssl with “a2enmod proxy_http expires headers setenvif deflate ssl” because it was not enabled on a fresh debian.

    I think it should be “2. create /etc/apache2/sites-available/zarafa.conf”… in Apache configuration (extension must be .conf for a2ensite to work)


    1. Thank you for feedback.
      I updated the article to include your hints.

  6. will there be packages for debian wheezy since squeeze is already oldstable?

    1. This all also works on debian wheezy. It would be great having zarafa packages available but I havn’t found anything yet for latest versions. Started to put it in my own repo but had no time to test it.

  7. Thanks for the good dokumentation. I have installed Zarafa like this. I have activate ssl. everytime i want the Porxy zarafa.conf a2ensite zarafa start, comes the ERROR: Site Zarafa does not exist! Have you an Idea about this Problem.