Group Dynamics

In many corporations and institutions, groupware solutions based on Linux serve as productivity tools to free users from Microsoft vendor tie-in for email, calendars, and other functions, as well as save licensing costs on a large scale. Although proprietary solutions such as Microsoft Teams, Slack, Skype for Business, Webex, and Zoom have claimed major slices of the market for themselves, the open source camp is still lagging behind in the groupware sector.

Despite a long tradition, with former giants Scalix, Zimbra, and Horde, only a few open source solutions still survive at the enterprise level, even as real-time collaboration becomes more important with a rise in the number of home offices. German-Dutch software manufacturer Kopano [1] is now looking to fill this gap with its open source software of the same name.

In this article, I describe the installation of all components on a Ubuntu server. For a small setup with up to 25 users, the Kopano team recommends a server with at least two CPUs, 2GB of RAM, and 5GB of disk space. Depending on the number of active users, the RAM requirement can increase to 16GB.

In Real Time

Kopano relies on the software stack from Zarafa, which became extremely popular thanks to, among other things, its MAPI and ActiveSync emulation named Z-Push. The ambitious feature list (Table 1) reveals that Kopano wants to be far more than its ancestor: In addition to email, group calendar, address book, tasks, notes, and document processing, real-time communication is now also on the agenda.

As usual in the industry, Kopano offers the software in a freemium model [2]. Most components can be used under AGPLv3 without support. Subscription customers pay EUR15 per user per year, with a sliding scale in increments of five users.

Data Control

Kopano extends the core features of the groupware platform to include modern technologies such as group chat and video conferencing. With Mattermost [3], Kopano also integrates a comprehensive open source real-time messenger for teams, much like the popular Slack.

The Kopano team has developed its own open source solution for video conferences. Kopano Meet [4] is based on the modern WebRTC standard, supports peer-to-peer connections and a bridge, and encrypts connections with the Datagram Transport Layer Security protocol and Secure Real-time Transport Protocol (DTLS-SRTP). Although companies have been dependent so far on commercial providers for real-time communication, Kopano is looking to help security-conscious users offer video conferencing in a private cloud or on-premises.

Flexible Setups

For a quick start, Kopano offers downloads on its website of virtual appliances for VMware, VirtualBox, and KVM [5]. Alternatively, if you only want to try a short test, you can access an online demo [6].

To install the software yourself, you have to invest a little more time and patience. Very detailed documentation [7] and installation packages are available for Debian from version 8, RHEL from version 6, SLES 12, Ubuntu 18.04, and Univention Corporate Server from version 4.2.

Setup Aid

The modular Kopano (Figure 1) comprises a large number of components and services. To put a basic system into operation, you need Kopano Core as a groupware back end and the Kopano WebApp web client.

The modular architecture enables scalable setups, including distribution to multiple servers, as well as multiclient operation.

Kopano Core

Kopano requires a LAMP stack (traditionally, Linux, Apache, MySQL, PHP). Apache2 or Nginx are suitable as web servers. For a secure communication over HTTPS, you should set up SSL from the beginning, including the necessary certificates.

Kopano provides a repository for subscription customers of various Linux distributions through which you can install the numerous components with meta packages (Listing 1). The software automatically creates a local Linux user account and a kopano group, which you will need later. If you are happy, or have to make do, with the community packages, download the required packages [8] and install them with the package manager as described in Listing 2 for Ubuntu 18.04.

### Integrate Kopano Core Repository
### Retrieve <license key>
### Subscription customers at login
$ sudo su
[...]
# URL=https://serial:<license key>@download.kopano.io/supported/core:/final/Ubuntu_18.04/
# echo "deb $URL /">> /etc/apt/sources.list.d/kopano.list
# curl $URL/Release.key | apt-key add -
# apt install apt-transport-https
# apt update
### Install Kopano Core packages
# apt install kopano-server-packages
# exit

$ wget https://download.kopano.io/community/core%3A/core-10.0.6.349.8669778-Ubuntu_18.04-amd64.tar.gz
$ tar xfz core-10.0.6.349.8669778-Ubuntu_18.04-amd64.tar.gz
$ cd core-10.0.6.349.8669778-Ubuntu_18.04-amd64
$ sudo dpkg -i *.deb
### If apt fails to resolve dependencies:
$ sudo apt install -f

To work as the new Kopano administrator, create a user account in MySQL or MariaDB and make the database known to the Kopano server (Listing 3). For the storage Kopano needs for the user data, you can install and configure OpenLDAP.

$ sudo mysql
mysql> CREATE USER '<Kopano_MySQL_user>'@'localhost' IDENTIFIED BY '<Kopano_MySQL_Password>';
mysql> GRANT ALL PRIVILEGES ON <Kopano_MySQL_database_name>.* TO '<Kopano_MySQL_user>'@'localhost';
mysql> quit;

The database just installed is also suitable as a user back end. In the file /etc/kopano/server.cfg, enter the lines from Listing 4; then, launch the Kopano server (Listing 5, line 3). To complete the back-end configuration, create a Kopano user (line 4) so you can log in later for test purposes. The command in Figure 2 shows whether the step was successful.

user_plugin = db
database_engine = mysql
# The user under which you connect with MySQL
mysql_user = <Kopano_MySQL_user>
# The password for the user (leave empty for no password)
mysql_password = <Kopano_MySQL_password>
# Database to connect to
mysql_database = <I>Kopano_MySQL_database_name>

01 $ sudo vi /etc/kopano/server.cfg
02 [... see Listing 4 ...]
03 $ sudo service kopano-server start
04 $ sudo kopano-cli --create -u <Kopano_testuser> --fullname "<Full_Name>" --password <password> --email <email>

Web Client

Now you have a working back end, but it is of little use without a front end. Listing 6 shows how to install the Kopano browser client, WebApp. For a quick test, you can temporarily disable the SSL requirement by setting the

define("INSECURE_COOKIES", True);

### If you have a subscription
$ sudo su
# URL=https://serial:<License key>@download.kopano.io/supported/webapp:/final/Ubuntu_18.04/
# echo "deb $URL /">> /etc/apt/sources.list.d/kopano-webapp.list
# curl $URL/Release.key | apt-key add -
# apt install kopano-webapp
# exit
### If you have the Community Packages
$ wget https://download.kopano.io/community/webapp%3A/webapp-4.2.2860%2B1697.1.12a4e21-Ubuntu_18.04-all.tar.gz
$ tar xfz webapp-4.2.2860+1697.1.12a4e21-Ubuntu_18.04-all.tar.gz
$ cd webapp-4.2.2860+1697.1.12a4e21-Ubuntu_18.04-all
$ sudo dpkg -i *.deb
### If dependencies cannot be resolved:
$ sudo apt install -f

entry in the /etc/kopano/webapp/config.php file.

The Kopano front end loads in the web browser after restarting the web server with

sudo service apache2 reload

(Figure 3). If the installer has not reconfigured the URL, the address is https://<domain>/webapp/.

Thanks to the groupware core functions, the web client can now use email, calendar, address book, tasks, and notes.

Setting Up MTA

As usual with open source groupware, Kopano does not come with its own mail agent but relies on popular Linux software such as Postfix. Listing 7 shows how to integrate Postfix into the groupware. For this purpose, you first create a local Unix socket (lines 2-5) and edit two configuration files (Listing 8). Then, launch the services in question (Listing 7, lines 7-9).

01 $ sudo su
02 # mkdir -p /var/spool/kopano
03 # chown kopano:kopano /var/spool/kopano
04 # chmod go= /var/spool/kopano
05 # setfacl -m u:postfix:rwx /var/spool/kopano
06 [... Listing 8 ...]
07 # service kopano-dagent start
08 # service kopano-spooler start
09 # service postfix start
10 # exit

# Edit /etc/kopano/dagent.cfg file
lmtp_listen = unix:/var/spool/kopano/dagent.sock
# File /etc/postfix/main.cf: Define transport
virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock

Usually the Kopano admin then integrates the Mail Transfer Agent (MTA) with an LDAP service, be it OpenLDAP or Active Directory. The corresponding configuration procedure is described in the Kopano documentation [9].

Groupware Client

The setup described so far already gives you a comprehensive groupware setup, but this is only the beginning, because a number of optional use cases and extensions await.

For example, as an alternative to the web client, Kopano Core provides numerous protocols by default for use with native client apps, such as CalDAV to connect a calendar (Figure 4). If you want, you can also install Z-Push [10] to offer Outlook users the range of functions they are accustomed to from Microsoft Exchange via ActiveSync.

Kopano WebApp can be extended with various add-ons, such as Files for group document storage or MDM for mobile device management. WhatsApp is also available as a plugin, but only for the DeskApp desktop client.

Even an archiving tool can be installed. The Archiver [11] (although it is subject to a charge) is mainly used to store old email messages to avoid slowing down the system in the long term. Companies that need a legally compliant archiving solution can tie in Benno [12] with Kopano.

Add-on configuration files are found in the appropriate subdirectory in /etc/kopano/.

Mattermost and Kopano

One exciting option for expanding the groupware suite is adding the Mattermost group chat solution, which slots into the web client as a plugin. The installation package provided by Kopano contains both Mattermost and the integration components for Kopano.

Once the repository has been integrated and the package downloaded and unpacked, the software can be installed by typing:

sudo apt install mattermost-server

Next, you need to run a configuration script to create the required tables in the Kopano database:

$ sudo mattermost-db-configure -u <Kopano_MySQL_User> -p <Kopano_MySQL_Password> -d <Mattermost_Database_Name> -n <Mattermost_User> -o <Mattermost_Password>

Finally, the client and web server need Mattermost-specific header settings (Listing 9).

### /etc/kopano/webapp/config-mattermost.php
### Set up Mattermost URL
define('PLUGIN_MATTERMOST_URL', 'https://mattermost.<Domain>');
### Headers for Content Security, sample code in the vhost files.
[...]
### Optional headers to access Mattermost from the Kopano WebApp
Header set X-Frame-Options "ALLOW-FROM https://kopano.<Domain>/webapp/"
Header edit Content-Security-Policy ^(.*)$ "$1;frame-ancestors 'self' https://kopano.<Domain>/webapp/"
Header unset X-Frame-Options
Header unset Content-Security-Policy

Team Chat with Mattermost

Starting the Mattermost service completes the integration. The WebApp client now displays a new tab with the group chat (Figure 5). When using the service for the first time, you need to take into account some special features that the integration imposes. The first Mattermost user is automatically the Mattermost admin. Additionally, you have to complete the SMTP configuration so that Mattermost can send email (e.g., for invitations).

From the users' point of view, integration is essentially limited to their ability to access the Mattermost window directly through WebApp. Single sign-on is still missing, so you have to create and manage all users twice. You can load and add new users from the command line with:

$ sudo mattermost-platform user invite <user>@<example>.com home

More in-depth integration (e.g., sharing email and appointments in Mattermost) is planned according to a blog post [13].

Secure Video Meetings

As a newly implemented solution for video calls, Kopano Meet replaces the old WebMeeting module. The open source solution can be operated as a standalone utility in your private cloud, as well as on-premises and combined with your own Kopano installation. The company also offers a SaaS variant [14]. Within the framework of publicly available conferences, completely free use is also possible [15], much like Jitsi.

Kopano Meet can handle audio and video calls in groups and enables screen sharing. According to the Kopano Meet FAQ [16], it includes peer-to-peer encryption and therefore does not need to store sensitive data on the participating servers.

Meet is a progressive web app (PWA) based on React and the Kopano Web Meetings JavaScript Client Library (kwmjs). It transmits images and voice over the WebRTC standard and therefore runs smoothly in most current browsers.

Bandwidth

Kopano Meet limits the bandwidth for connections to a maximum of 1Mbps per participant for video and audio and 2.5Mbps for a screen-sharing session. It uses the free Opus codec for audio transmission and VP8 to encode the stream for video. Both codecs offer good compression and still deliver good results, even when facing low bandwidth. Kopano promises acceptable audio quality, even at 8Kbps.

The number of people who can use Kopano Meet simultaneously is not really answered in the project's FAQ. For the free version, the project page specifies up to 10 users and two group meetings. Payment packages start at $75 per month, supporting 25 users and five groups [17].

Meet integrates as a menu item in a separate tab of the Kopano web app and has access to the Kopano address book. Invitations can be generated by email. Authentication is handled transparently with the Kopano Konnect service as the single sign-on provider.

Installing Kopano Meet

Meet can be installed as a container or appliance (Listing 10). Packages for a separate installation were only available for Ubuntu, Debian, and the Univention Server at the editorial deadline (July 2020).

$ sudo su
[...]
# URL=https://serial:<I>License_Key<I>@download.kopano.io/supported/meet:/final/Ubuntu_18.04/
# echo "deb $URL /">> /etc/apt/sources.list.d/kopano-meet.list
# curl $URL/Release.key | apt-key add -
# apt update
# apt install kopano-meet-packages
# exit
### Alternative
$ sudo apt install kopano-meet kopano-kapid kopano-grapi-bin kopano-kwmserverd

Initially, Kopano delivers and installs the webmeetings package (the Meet predecessor) together with the WebApp packages, causing some confusion. The WebMeetings project is no longer developing and has nothing to do with Meet.

In the lab setup for this article, my attempt to load the packages failed with a dependency error for kopano-grapi. This error can be avoided by entering kopano-grapi-bin (Listing 10, last line).

Setting Up Kopano Meet

To make Kopano Meet work, you first need to set up various other Kopano services that talk to each other over TLS connections.

Authentication and authorization for Meet is managed by kopano-konnectd with OpenID Connect. kopano-kapid and kopano-grapi enable data access to the Meet user's address book with a REST API. The service for establishing WebRTC connections is provided by kopano-kwmseverd.

For Konnect to handle logins, you have to configure the Kopano server by enabling the enable_sso setting in the /etc/kopano/server.cfg file. The table in Figure 6 summarizes the essential settings you should configure to enable interaction. Further information is provided in the installation instructions [18].

Because the individual services communicate by HTTPS, Kopano has to both resolve the hostname for the local system and trust the SSL certificates used by the local system. The localhost hostname will not work. The groupware project therefore recommends kopano-webd for the web server, which is already preconfigured and automatically sets up TLS with Let's Encrypt. Listing 11 shows the essential settings.

# Valid domain name
Hostname = kopano.<Domain>
# Contact address for Let's Encrypt,
# When TLS certificates expire
tls_acme_email = <admin>@<Domain>
tls_acme_agree = yes
# Use existing certificate
tls_cert = </path_to_certificate>
tls_key = </path_to_certificate/key>
# Use as a reverse proxy for an
# existing web server. Automatically forwards
# /meet and /Microsoft Server ActiveSync
legacy_reverse_proxy = 127.0.0.1:8000

In addition to the Kopano components, Kopano requires a TURN server to establish an initial connection between callers. If a direct connection fails, TURN also forwards communications between callers. The Kopano team recommends Coturn [19] as a popular open source solution and alternatively provides commercial Kopano customers with a hosted TURN server.

You need to store the shared secret of your TURN server in the /etc/kopano/kwmserverd-turnservice.secret file and then add it to /etc/kopano/kwmserverd.cfg (Listing 12). If all the components are plugged together correctly and the services are restarted, you should be able to call Meet with https://<My_Domain>/meet (Figure 7).

turn_uris = #turn:turnserver:443?transport=udp
turn_server_shared_secret = /etc/kopano/kwmserverd-turnservice.secret

Meet also allows guest users in conferences, which is particularly important if the company wants to work and hold regular meetings with external partners.

Kopano does impose a few configuration hurdles before you can offer unrestricted hospitality, though. You need to adapt Meet, the Connect service, and the Kopano Web Meetings Server (kwmserver). These fairly extensive changes are described in the official documentation [20].

Kopano User Experience

Whether with WebApp in the browser or DeskApp on the desktop, the Kopano client works very smoothly, responds quickly, and offers sophisticated usability. In both client versions, you get a real desktop feeling.

The only drawback is the web interface, which is not responsive and therefore not optimized for mobile devices. Kopano continues the Zarafa philosophy into the present: Mobile devices should use the available native protocols for data synchronization to sync the end device and server, from CalDAV and CardDAV to IMAP and Z-Push.

This reasoning seems anachronistic, especially in view of the new Mattermost and Meet components, because they live by integration in WebApp; at the same time, they are very much aimed at mobile users, who are forced to use the respective programs as standalone variants on their mobile devices.

According to Kopano, however, improvements are in the cards. On the basis of Meet, a new generation of apps will be developed gradually to use calendars and email. With PWA technology, they will run flexibly on a variety of devices, including offline use. PWA already removes the need to install an app for Meet. Moreover, it is possible to switch seamlessly from one device to another within an ongoing session.

Outlook Connected

Kopano Core enables the native use of Microsoft Outlook (2013 and higher) with the ActiveSync protocol. The Z-Push software allows smartphone users to synchronize their email, contacts, calendar entries, and tasks.

The optional Kopano OL extension package is a native Component Object Model (COM) plugin that extends available functionality with collaborative features not supported by the ActiveSync transport implementation available in Microsoft Outlook. Kopano promises that Microsoft updates for Outlook will not interfere with the functionality provided by the extension.

Conclusions

Kopano presents itself as an extensive and mature groupware environment that fulfils almost all the wishes of admins and users. The proven Zarafa basis is an important asset on the one hand; on the other hand, the modern Mattermost and Meet add-ons are heading in the right direction. Unfortunately, mobile users in particular will find the support for smartphones incomplete. One hopes Kopano will continue to pursue the promising PWA approach.

Setting up a comprehensive groupware platform with all of the components it involves requires a great deal of time and in-depth Linux knowledge. If you can provide both, the reward for your efforts will be a stable system with a flexible client environment.