Prerequisites

Prepare 2 Ubuntu servers (version 16.04) on the same VLAN, one for Seafile and one for Kolab.
Note: when installing Ubuntu, do not encrypt the home directory.

Seafile server deployment

Follow the instructions from the Seafile official installation manual: Deploying Seafile with MySQL, Config Seahub with Nginx.

When finished, the Seafile web service should be running at http://Seafile-server-IP-address.

Kolab server deployment

Setup FQDN

Assuming the FQDN to set is mail.example.com, run the following command.

sudo su
echo 'mail.example.com' > /etc/hostname
sed -i 's|^127.0.1.1.*|127.0.1.1\tmail.example.com\tmail|g' /etc/hosts

Install Kolab

apt update && apt upgrade -y

# add kolab package source
echo '
deb http://obs.kolabsys.com/repositories/Kolab:/16/Ubuntu_16.04/ ./
deb-src http://obs.kolabsys.com/repositories/Kolab:/16/Ubuntu_16.04/ ./
' > /etc/apt/sources.list.d/kolab.list

# import the GPG key used to sign the packages
wget -q -O- https://ssl.kolabsys.com/community.asc | apt-key add -

# make sure the apt preferences pin the obs.kolabsys.com origin as a preferred source
echo '
Package: *
Pin: origin obs.kolabsys.com
Pin-Priority: 501
' > /etc/apt/preferences.d/kolab

# Install kolab to the system
apt update && apt install kolab

Setup Kolab

setup-kolab

During the setup, several prompts ask for the administrative credentials; answer them to complete the installation.

After the setup is complete, the Kolab web services should be running at http://kolab-server-IP-address/kolab-webadmin and http://kolab-server-IP-address/roundcubemail.

Internet access

  • Add A records in the domain admin panel of example.com, pointing mail.example.com and seafile.example.com to the VLAN’s public IP address.
  • Map the ports 80 and 443 on the main router to the corresponding ports of the Seafile server.
  • Map the ports 143, 993, 25, 587 on the main router to the corresponding ports of the Kolab server.
  • In the local DNS server, add DNS records for internal access to the Seafile and Kolab server.

Enable Https for Seafile

To enable Https for Seafile, simply follow the instructions in the Seafile official manual: Enabling Https with Nginx.

Enable SSL for Kolab web client and ActiveSync

Create the file /etc/apache2/sites-available/kolab-webmail.conf with the following content:

<VirtualHost *:80>

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteRule ^/$ /webmail [L,R=301]

</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


SSLEngine on

SSLCertificateFile /etc/ssl/private/officehub.asia.pem
SSLCertificateKeyFile /etc/ssl/private/officehub.asia.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

RewriteEngine on
# RewriteCond %{SERVER_PORT} !^8443$
RewriteRule ^/$ /mail [L,R=301]

</VirtualHost>
</IfModule>

Disable the default site and enable kolab-webmail.conf, which was created earlier. The new site needs mod_ssl and mod_rewrite; without them the <IfModule mod_ssl.c> block is skipped silently and the HTTPS vhost never comes up, so make sure both modules are enabled. Then check the configuration and restart the Apache process.

a2dissite 000-default.conf
a2ensite kolab-webmail.conf
a2enmod ssl rewrite

apache2ctl configtest
apache2ctl graceful

Reverse proxy for the Kolab web service

Use Nginx on the Seafile server as a proxy server for the Kolab web service.

In the Seafile server terminal, run the following command:

sudo su
touch /etc/nginx/sites-available/kolab.conf
ln -s /etc/nginx/sites-available/kolab.conf /etc/nginx/sites-enabled/kolab.conf

Assume the following values:

  • Kolab server FQDN: mail.example.com
  • Kolab server IP address: 192.168.1.21
  • path to cert file: /etc/ssl/certs/example.com.pem
  • path to private key file: /etc/ssl/private/example.com.key
  • path to ssl_dhparam file: /etc/nginx/dhparam.pem (created when enabling Https for Seafile)

Write the following configuration to the kolab.conf file.

server {
    listen 80;
    server_name mail.example.com;
    rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

    # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
    server_tokens off;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/example.com.pem; # path to your cacert.pem
    ssl_certificate_key /etc/ssl/private/example.com.key; # path to your privkey.pem
    server_name mail.example.com;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;

    # secure settings (A+ at SSL Labs ssltest at time of writing)
    # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    location / {
        # mail.example.com must resolve to the Kolab server (192.168.1.21) on this host, e.g. through the
        # local DNS record added earlier; if it resolves to the public IP the request loops back through
        # the router to this proxy
        proxy_pass https://mail.example.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;

        access_log /var/log/nginx/kolab.access.log;
        error_log /var/log/nginx/kolab.error.log;

        proxy_read_timeout 1200s;
    }
}

Check the configuration and reload nginx; the Kolab web client is now reachable over HTTPS through the proxy:

nginx -t && nginx -s reload

Enable SSL/TLS for Kolab IMAP and SMTP services

Prepare a certificate bundle file containing, in this order, the server certificate, the intermediate CA certificate, the root CA certificate and the private key. OpenSSL-based servers send the chain in file order, so the server certificate must come first, followed by the intermediate:

cat /path/to/the/cert/example.com.crt \
/path/to/the/intermediate/ca/cert/example.com.pem \
/path/to/the/ca/cert/example.com.pem \
/path/to/the/private/key/example.com.key \
> /etc/ssl/private/cyrus-imapd.pem
# the bundle contains the private key: keep it readable only by root and the service accounts that load it

Enable SSL/TLS for cyrus-imapd and postfix:

sed -r -i \
-e 's|^tls_server_cert.*|tls_server_cert: /etc/ssl/private/cyrus-imapd.pem|g' \
-e 's|^tls_server_key.*|tls_server_key: /etc/ssl/private/cyrus-imapd.pem|g' \
-e 's|^tls_server_ca_file.*|tls_server_ca_file: /etc/ssl/private/cyrus-imapd.pem|g' \
/etc/imapd.conf

sed -i \
's|{\scertfile,.*\s}|{ certfile, "/etc/ssl/private/cyrus-imapd.pem" }|g' \
/etc/guam/sys.config

postconf -e smtpd_tls_key_file=/etc/ssl/private/cyrus-imapd.pem
postconf -e smtpd_tls_cert_file=/etc/ssl/private/cyrus-imapd.pem
postconf -e smtpd_tls_CAfile=/etc/ssl/private/cyrus-imapd.pem
# these are exclusion lists: only SSLv2 and SSLv3 are disabled, TLSv1 and TLSv1.1 stay enabled
# (use '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' to require TLSv1.2)
postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_eecdh_grade=ultra
postconf -e tls_preempt_cipherlist=yes
# the cipher list must be quoted: an unquoted '!' is subject to history expansion in an interactive bash shell
postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

After configuring, restart cyrus-imapd, guam (its certificate path was changed as well) and postfix:

systemctl restart cyrus-imapd guam postfix
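The nginx and Postfix protocol directives above use opposite syntaxes: nginx's ssl_protocols lists what is enabled, while Postfix's smtpd_tls_protocols lists what is excluded, so '!SSLv2,!SSLv3' still permits TLS 1.0 and 1.1. The following Python script is an added example (not part of this guide or of either project) that computes the effective protocol set for both forms and flags versions below TLS 1.2; the PROTOCOLS list and the handling of the Postfix '>=' form are assumptions noted in the code.

```python
"""Effective TLS protocol sets for the two directive syntaxes used in this guide.

nginx's ssl_protocols is an inclusion list; Postfix's smtpd_tls_protocols is
usually an exclusion list, so '!SSLv2,!SSLv3' still enables TLS 1.0 and 1.1.
Added example: not part of the original guide or of either project.
"""
import re

# Versions in increasing order of strength (assumed list; TLSv1.3 is included so
# the check stays valid on newer OpenSSL builds than the one in Ubuntu 16.04).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_OK = "TLSv1.2"  # RFC 8996 deprecates TLS 1.0 and 1.1

def nginx_effective(value: str) -> set:
    """ssl_protocols names exactly the versions to enable (trailing ';' tolerated)."""
    names = value.replace(";", "").split()
    unknown = [n for n in names if n not in PROTOCOLS]
    if unknown:
        raise ValueError(f"unknown protocol name(s): {unknown}")
    return set(names)

def postfix_effective(value: str) -> set:
    """smtpd_tls_protocols: '!X' removes X from the full set, bare names enable only
    those names, and '>=X' (Postfix 3.6 and later) enables X and everything newer."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    for t in tokens:
        if t.startswith(">="):
            return set(PROTOCOLS[PROTOCOLS.index(t[2:]):])
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if included and excluded:  # Postfix documents mixing the two forms as unsupported
        raise ValueError("mixed inclusion and exclusion list")
    return (included or set(PROTOCOLS)) - excluded

def weak_protocols(enabled: set) -> list:
    """Enabled versions older than MINIMUM_OK, weakest first."""
    return [p for p in PROTOCOLS[:PROTOCOLS.index(MINIMUM_OK)] if p in enabled]

# The directives exactly as written in this guide.
NGINX_SSL_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2;"
POSTFIX_TLS_PROTOCOLS = "!SSLv2,!SSLv3"

if __name__ == "__main__":
    for label, enabled in (("nginx ssl_protocols", nginx_effective(NGINX_SSL_PROTOCOLS)),
                           ("postfix smtpd_tls_protocols", postfix_effective(POSTFIX_TLS_PROTOCOLS))):
        order = sorted(enabled, key=PROTOCOLS.index)
        print(f"{label}: enabled={order} below_{MINIMUM_OK}={weak_protocols(enabled)}")
```

Both directives as written report TLSv1 and TLSv1.1 as still enabled; the hardened Postfix value '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' reports none.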

All done.