Preparing the System


When installing the Kolab server, we recommend using LVM when partitioning the system. The following directories could benefit from being on separate logical volumes, leaving about 10% of raw disk space in the volume group unallocated:

  • /var/lib/dirsrv/
  • /var/lib/mysql/
  • /var/lib/imap/
  • /var/spool/imap/


Partition and/or divide into logical volumes, configure the mount points and mount the filesystems prior to the installation of packages, as packages may deploy files into these directories.

Should you decide to partition only after the packages have already been installed, or after the deployment has already been used, first mount the filesystems somewhere else and synchronize the contents from the original directories over to the new filesystem hierarchy. Please note services should be stopped before doing so, or only corrupt data will be transfered. Remove the original contents of the filesystem after having synchronized, then mount the filesystems under their target mount points.

For large or multi-domain installations, we suggest moving /var/lib/imap/ and /var/spool/imap/ to /srv/imap/[$domain/]config/ and /srv/imap/[$domain/]default/ respectively.

In allowing /srv/imap/ to be one separate partition, backup using LVM snapshots is easier. Note that $domain in the aforementioned path is optional, and should only be used when multiple, but separate, isolated IMAP servers are to be started.


When partitions are mounted under the aforementioned directories, they do not necessarily have the correct filesystem permissions any longer. The following is a list of default permissions.

drwxr-xr-x.  3 root  root  4096 May 11 11:49 /var/lib/dirsrv/
drwxr-xr-x. 7  mysql mysql 4096 May 11 15:34 /var/lib/mysql/
drwxr-x---. 20 cyrus mail  4096 May 11 17:04 /var/lib/imap/
drwx------. 3  cyrus mail  4096 May 11 15:36 /var/spool/imap/


Not all components of Kolab Groupware are currently completely compatible with running under SELinux enforcing the targeted policy.

Please consider configuring SELinux to be permissive. Please let us know what AVC denials occur so we can work on fixing the issue.


The Kolab Web Administration Panel and Cyrus IMAP against the Kolab SASL authentication daemon currently require SELinux NOT enforcing the targeted policy.

To view the current mode SELinux operates in, execute the following command:

# sestatus

To temporarily disable SELinux’s enforcement of the targeted policy (without rebooting the system), issue the following command:

# setenforce 0

To disable SELinux’s enforcement of the targeted policy in a manner persistent across system restarts, edit /etc/selinux/config and set SELINUX to permissive rather than enforcing. Doing so also changes the Mode from config file: line in the output of sestatus.

System Firewall

Kolab Groupware deliberately does not touch any firewall settings, perhaps wrongly assuming you know best. Before you continue, you should verify your firewall allows the standard ports used with Kolab Groupware. These ports include:

Port Protocol Description
25 tcp Used to receive emails.
80 tcp Used for web interfaces.
110 tcp Used for POP.
143 tcp Used for IMAP.
389 tcp Used for LDAP directory services.
443 tcp Used for secure web interfaces.
465 tcp Used for secure mail transmission.
587 tcp Used for secure mail submission.
636 tcp Used for secure LDAP directory services.
993 tcp Used for secure IMAP.
995 tcp Used for secure POP.
4190 tcp Used for Managesieve.
8080 tcp Used for Manticore.

CentOS / RHEL 6

Summarizing these changes into /etc/sysconfig/iptables, working off of an original, default installation of Enterprise Linux 6, this file would look as follows:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4190 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

After changing /etc/sysconfig/iptables, execute a service restart:

# service iptables restart

CentOS / RHEL 7

CentOS / RHEL 6 is using the firewalld to manage the kernel firewall. You’ve to make use of the firewall-cmd command to add new rules to open the required ports.

This script will open the required ports/services and make this changes permanent and reboot-save.

for s in ssh http https pop3s imaps smtp ldap ldaps
    firewall-cmd --permanent --add-service=$s
for p in 110/tcp 143/tcp 587/tcp
    firewall-cmd --permanent --add-port=$p
firewall-cmd --reload

System Users

  • No user or group with IDs 412, 413 or 414 may exist on the system prior to the installation of Kolab.
  • No user or group with the names kolab, kolab-n or kolab-r may exist on the system prior to the installation of Kolab.

The System Hostname and FQDN

The setup procedure of Kolab Groupware also requires that the Fully Qualified Domain Name (FQDN) for the system resolves back to the system. If the FQDN does not resolve back to the system itself, the Kolab Groupware server components will refer to the system by the configured or detected FQDN, but will fail to communicate with one another.


Please see Why Your System Should Have a Proper FQDN for more information.

Should the FQDN of the system (found with hostname -f) be, for example,, then should resolve to the IP address configured on one of the network interfaces not the loopback interface, and the IP address configured on said network interface should have a reverse DNS entry resulting in at least

Example Network and DNS Configuration

The following lists an example network and DNS configuration for a Kolab Groupware server.

# hostname -f
# ping -c 1
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=64 time=0.014 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.014/0.014/0.014/0.000 ms
# ip addr sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:72:10:83 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet6 fe80::5054:ff:fe72:1083/64 scope link
    valid_lft forever preferred_lft forever

The following depicts what services like LDAP and others will be using:

# python -c 'import socket; print socket.getfqdn();'

If you want to quickly fix your system’s FQDN resolving back to your server, an entry in /etc/hosts suffices for the time being:

# echo "$(ip addr sh eth0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f 1) $(hostname -f)" >> /etc/hosts

LXC Containers

LXC containers (“chroots on steroids”) need /dev/shm/ mounted read/write for user accounts.

The permissions on /dev/shm/ need to be as follows:

# ls -ld /dev/shm/
drwxrwxrwt 2 root root        40 2012-11-20 20:34 shm

To make sure the permissions are correct even after a reboot, make sure /etc/fstab contains a line similar to the following:

none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0

Note that alongside /dev/shm problems, resolving hostnames (especially localhost to, or inversely, to localhost) have also been reported.