
Kopano Groupware – an open source productivity suite
Group Dynamics
In many corporations and institutions, groupware solutions based on Linux serve as productivity tools to free users from Microsoft vendor tie-in for email, calendars, and other functions, as well as save licensing costs on a large scale. Although proprietary solutions such as Microsoft Teams, Slack, Skype for Business, Webex, and Zoom have claimed major slices of the market for themselves, the open source camp is still lagging behind in the groupware sector.
Despite a long tradition, with former giants Scalix, Zimbra, and Horde, only a few open source solutions still survive at the enterprise level, even as real-time collaboration becomes more important with a rise in the number of home offices. German-Dutch software manufacturer Kopano [1] is now looking to fill this gap with its open source software of the same name.
In this article, I describe the installation of all components on a Ubuntu server. For a small setup with up to 25 users, the Kopano team recommends a server with at least two CPUs, 2GB of RAM, and 5GB of disk space. Depending on the number of active users, the RAM requirement can increase to 16GB.
In Real Time
Kopano relies on the software stack from Zarafa, which became extremely popular thanks to, among other things, its MAPI and ActiveSync emulation named Z-Push. The ambitious feature list (Table 1) reveals that Kopano wants to be far more than its ancestor: In addition to email, group calendar, address book, tasks, notes, and document processing, real-time communication is now also on the agenda.
Tabelle 1: Kopano Features
Interactive Functions |
---|
|
(Group) Calendar |
Address book |
To-dos |
Notes |
Documents (back ends: FTP, ownCloud, Nextcloud, S3) |
Team chat (Mattermost) |
Video conferencing (Kopano Meet) |
WhatsApp (plugin for desktop app only) |
Archiving |
Search |
Spellchecker |
Mobile Device Management (MDM) |
Interfaces and Standards |
IMAP and POP3 |
CalDAV, CardDAV |
LDAP |
MAPI and ActiveSync (Z-Push) |
TLS, S/MIME |
As usual in the industry, Kopano offers the software in a freemium model [2]. Most components can be used under AGPLv3 without support. Subscription customers pay EUR15 per user per year, with a sliding scale in increments of five users.
Data Control
Kopano extends the core features of the groupware platform to include modern technologies such as group chat and video conferencing. With Mattermost [3], Kopano also integrates a comprehensive open source real-time messenger for teams, much like the popular Slack.
The Kopano team has developed its own open source solution for video conferences. Kopano Meet [4] is based on the modern WebRTC standard, supports peer-to-peer connections and a bridge, and encrypts connections with the Datagram Transport Layer Security protocol and Secure Real-time Transport Protocol (DTLS-SRTP). Although companies have been dependent so far on commercial providers for real-time communication, Kopano is looking to help security-conscious users offer video conferencing in a private cloud or on-premises.
Flexible Setups
For a quick start, Kopano offers downloads on its website of virtual appliances for VMware, VirtualBox, and KVM [5]. Alternatively, if you only want to try a short test, you can access an online demo [6].
To install the software yourself, you have to invest a little more time and patience. Very detailed documentation [7] and installation packages are available for Debian from version 8, RHEL from version 6, SLES 12, Ubuntu 18.04, and Univention Corporate Server from version 4.2.
Setup Aid
The modular Kopano (Figure 1) comprises a large number of components and services. To put a basic system into operation, you need Kopano Core as a groupware back end and the Kopano WebApp web client.

The modular architecture enables scalable setups, including distribution to multiple servers, as well as multiclient operation.
Kopano Core
Kopano requires a LAMP stack (traditionally, Linux, Apache, MySQL, PHP). Apache2 or Nginx are suitable as web servers. For a secure communication over HTTPS, you should set up SSL from the beginning, including the necessary certificates.
Kopano provides a repository for subscription customers of various Linux distributions through which you can install the numerous components with meta packages (Listing 1). The software automatically creates a local Linux user account and a kopano group, which you will need later. If you are happy, or have to make do, with the community packages, download the required packages [8] and install them with the package manager as described in Listing 2 for Ubuntu 18.04.
Listing 1: Licensed Kopano on Ubuntu 18.04
### Integrate Kopano Core Repository ### Retrieve <license key> ### Subscription customers at login $ sudo su [...] # URL=https://serial:<license key>@download.kopano.io/supported/core:/final/Ubuntu_18.04/ # echo "deb $URL /">> /etc/apt/sources.list.d/kopano.list # curl $URL/Release.key | apt-key add - # apt install apt-transport-https # apt update ### Install Kopano Core packages # apt install kopano-server-packages # exit
Listing 2: Community Kopano on Ubuntu 18.04
$ wget https://download.kopano.io/community/core%3A/core-10.0.6.349.8669778-Ubuntu_18.04-amd64.tar.gz $ tar xfz core-10.0.6.349.8669778-Ubuntu_18.04-amd64.tar.gz $ cd core-10.0.6.349.8669778-Ubuntu_18.04-amd64 $ sudo dpkg -i *.deb ### If apt fails to resolve dependencies: $ sudo apt install -f
To work as the new Kopano administrator, create a user account in MySQL or MariaDB and make the database known to the Kopano server (Listing 3). For the storage Kopano needs for the user data, you can install and configure OpenLDAP.
Listing 3: Configuring the MySQL Database
$ sudo mysql mysql> CREATE USER '<Kopano_MySQL_user>'@'localhost' IDENTIFIED BY '<Kopano_MySQL_Password>'; mysql> GRANT ALL PRIVILEGES ON <Kopano_MySQL_database_name>.* TO '<Kopano_MySQL_user>'@'localhost'; mysql> quit;
The database just installed is also suitable as a user back end. In the file /etc/kopano/server.cfg
, enter the lines from Listing 4; then, launch the Kopano server (Listing 5, line 3). To complete the back-end configuration, create a Kopano user (line 4) so you can log in later for test purposes. The command in Figure 2 shows whether the step was successful.
Listing 4: /etc/kopano/server.cfg
user_plugin = db database_engine = mysql # The user under which you connect with MySQL mysql_user = <Kopano_MySQL_user> # The password for the user (leave empty for no password) mysql_password = <Kopano_MySQL_password> # Database to connect to mysql_database = <I>Kopano_MySQL_database_name>
Listing 5: Start Server and Create Test User
01 $ sudo vi /etc/kopano/server.cfg 02 [... see Listing 4 ...] 03 $ sudo service kopano-server start 04 $ sudo kopano-cli --create -u <Kopano_testuser> --fullname "<Full_Name>" --password <password> --email <email>

Web Client
Now you have a working back end, but it is of little use without a front end. Listing 6 shows how to install the Kopano browser client, WebApp. For a quick test, you can temporarily disable the SSL requirement by setting the
define("INSECURE_COOKIES", True);
Listing 6: Installing the WebApp Client
### If you have a subscription $ sudo su # URL=https://serial:<License key>@download.kopano.io/supported/webapp:/final/Ubuntu_18.04/ # echo "deb $URL /">> /etc/apt/sources.list.d/kopano-webapp.list # curl $URL/Release.key | apt-key add - # apt install kopano-webapp # exit ### If you have the Community Packages $ wget https://download.kopano.io/community/webapp%3A/webapp-4.2.2860%2B1697.1.12a4e21-Ubuntu_18.04-all.tar.gz $ tar xfz webapp-4.2.2860+1697.1.12a4e21-Ubuntu_18.04-all.tar.gz $ cd webapp-4.2.2860+1697.1.12a4e21-Ubuntu_18.04-all $ sudo dpkg -i *.deb ### If dependencies cannot be resolved: $ sudo apt install -f
entry in the /etc/kopano/webapp/config.php
file.
The Kopano front end loads in the web browser after restarting the web server with
sudo service apache2 reload
(Figure 3). If the installer has not reconfigured the URL, the address is https://<domain>/webapp/.

Thanks to the groupware core functions, the web client can now use email, calendar, address book, tasks, and notes.
Setting Up MTA
As usual with open source groupware, Kopano does not come with its own mail agent but relies on popular Linux software such as Postfix. Listing 7 shows how to integrate Postfix into the groupware. For this purpose, you first create a local Unix socket (lines 2-5) and edit two configuration files (Listing 8). Then, launch the services in question (Listing 7, lines 7-9).
Listing 7: Connecting Postfix to Kopano
01 $ sudo su 02 # mkdir -p /var/spool/kopano 03 # chown kopano:kopano /var/spool/kopano 04 # chmod go= /var/spool/kopano 05 # setfacl -m u:postfix:rwx /var/spool/kopano 06 [... Listing 8 ...] 07 # service kopano-dagent start 08 # service kopano-spooler start 09 # service postfix start 10 # exit
Listing 8: Editing the Configuration
# Edit /etc/kopano/dagent.cfg file lmtp_listen = unix:/var/spool/kopano/dagent.sock # File /etc/postfix/main.cf: Define transport virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
Usually the Kopano admin then integrates the Mail Transfer Agent (MTA) with an LDAP service, be it OpenLDAP or Active Directory. The corresponding configuration procedure is described in the Kopano documentation [9].
Groupware Client
The setup described so far already gives you a comprehensive groupware setup, but this is only the beginning, because a number of optional use cases and extensions await.
For example, as an alternative to the web client, Kopano Core provides numerous protocols by default for use with native client apps, such as CalDAV to connect a calendar (Figure 4). If you want, you can also install Z-Push [10] to offer Outlook users the range of functions they are accustomed to from Microsoft Exchange via ActiveSync.

Kopano WebApp can be extended with various add-ons, such as Files for group document storage or MDM for mobile device management. WhatsApp is also available as a plugin, but only for the DeskApp desktop client.
Even an archiving tool can be installed. The Archiver [11] (although it is subject to a charge) is mainly used to store old email messages to avoid slowing down the system in the long term. Companies that need a legally compliant archiving solution can tie in Benno [12] with Kopano.
Add-on configuration files are found in the appropriate subdirectory in /etc/kopano/
.
Mattermost and Kopano
One exciting option for expanding the groupware suite is adding the Mattermost group chat solution, which slots into the web client as a plugin. The installation package provided by Kopano contains both Mattermost and the integration components for Kopano.
Once the repository has been integrated and the package downloaded and unpacked, the software can be installed by typing:
sudo apt install mattermost-server
Next, you need to run a configuration script to create the required tables in the Kopano database:
$ sudo mattermost-db-configure -u <Kopano_MySQL_User> -p <Kopano_MySQL_Password> -d <Mattermost_Database_Name> -n <Mattermost_User> -o <Mattermost_Password>
Finally, the client and web server need Mattermost-specific header settings (Listing 9).
Listing 9: Mattermost Settings
### /etc/kopano/webapp/config-mattermost.php ### Set up Mattermost URL define('PLUGIN_MATTERMOST_URL', 'https://mattermost.<Domain>'); ### Headers for Content Security, sample code in the vhost files. [...] ### Optional headers to access Mattermost from the Kopano WebApp Header set X-Frame-Options "ALLOW-FROM https://kopano.<Domain>/webapp/" Header edit Content-Security-Policy ^(.*)$ "$1;frame-ancestors 'self' https://kopano.<Domain>/webapp/" Header unset X-Frame-Options Header unset Content-Security-Policy
Team Chat with Mattermost
Starting the Mattermost service completes the integration. The WebApp client now displays a new tab with the group chat (Figure 5). When using the service for the first time, you need to take into account some special features that the integration imposes. The first Mattermost user is automatically the Mattermost admin. Additionally, you have to complete the SMTP configuration so that Mattermost can send email (e.g., for invitations).

From the users' point of view, integration is essentially limited to their ability to access the Mattermost window directly through WebApp. Single sign-on is still missing, so you have to create and manage all users twice. You can load and add new users from the command line with:
$ sudo mattermost-platform user invite <user>@<example>.com home
More in-depth integration (e.g., sharing email and appointments in Mattermost) is planned according to a blog post [13].
Secure Video Meetings
As a newly implemented solution for video calls, Kopano Meet replaces the old WebMeeting module. The open source solution can be operated as a standalone utility in your private cloud, as well as on-premises and combined with your own Kopano installation. The company also offers a SaaS variant [14]. Within the framework of publicly available conferences, completely free use is also possible [15], much like Jitsi.
Kopano Meet can handle audio and video calls in groups and enables screen sharing. According to the Kopano Meet FAQ [16], it includes peer-to-peer encryption and therefore does not need to store sensitive data on the participating servers.
Meet is a progressive web app (PWA) based on React and the Kopano Web Meetings JavaScript Client Library (kwmjs). It transmits images and voice over the WebRTC standard and therefore runs smoothly in most current browsers.
Bandwidth
Kopano Meet limits the bandwidth for connections to a maximum of 1Mbps per participant for video and audio and 2.5Mbps for a screen-sharing session. It uses the free Opus codec for audio transmission and VP8 to encode the stream for video. Both codecs offer good compression and still deliver good results, even when facing low bandwidth. Kopano promises acceptable audio quality, even at 8Kbps.
The number of people who can use Kopano Meet simultaneously is not really answered in the project's FAQ. For the free version, the project page specifies up to 10 users and two group meetings. Payment packages start at $75 per month, supporting 25 users and five groups [17].
Meet integrates as a menu item in a separate tab of the Kopano web app and has access to the Kopano address book. Invitations can be generated by email. Authentication is handled transparently with the Kopano Konnect service as the single sign-on provider.
Installing Kopano Meet
Meet can be installed as a container or appliance (Listing 10). Packages for a separate installation were only available for Ubuntu, Debian, and the Univention Server at the editorial deadline (July 2020).
Listing 10: Installing Kopano Meet
$ sudo su [...] # URL=https://serial:<I>License_Key<I>@download.kopano.io/supported/meet:/final/Ubuntu_18.04/ # echo "deb $URL /">> /etc/apt/sources.list.d/kopano-meet.list # curl $URL/Release.key | apt-key add - # apt update # apt install kopano-meet-packages # exit ### Alternative $ sudo apt install kopano-meet kopano-kapid kopano-grapi-bin kopano-kwmserverd
Initially, Kopano delivers and installs the webmeetings package (the Meet predecessor) together with the WebApp packages, causing some confusion. The WebMeetings project is no longer developing and has nothing to do with Meet.
In the lab setup for this article, my attempt to load the packages failed with a dependency error for kopano-grapi. This error can be avoided by entering kopano-grapi-bin (Listing 10, last line).
Setting Up Kopano Meet
To make Kopano Meet work, you first need to set up various other Kopano services that talk to each other over TLS connections.
Authentication and authorization for Meet is managed by kopano-konnectd
with OpenID Connect. kopano-kapid
and kopano-grapi
enable data access to the Meet user's address book with a REST API. The service for establishing WebRTC connections is provided by kopano-kwmseverd
.
For Konnect to handle logins, you have to configure the Kopano server by enabling the enable_sso
setting in the /etc/kopano/server.cfg
file. The table in Figure 6 summarizes the essential settings you should configure to enable interaction. Further information is provided in the installation instructions [18].

Because the individual services communicate by HTTPS, Kopano has to both resolve the hostname for the local system and trust the SSL certificates used by the local system. The localhost hostname will not work. The groupware project therefore recommends kopano-webd
for the web server, which is already preconfigured and automatically sets up TLS with Let's Encrypt. Listing 11 shows the essential settings.
Listing 11: /etc/kopano/kwebd.cfg
# Valid domain name Hostname = kopano.<Domain> # Contact address for Let's Encrypt, # When TLS certificates expire tls_acme_email = <admin>@<Domain> tls_acme_agree = yes # Use existing certificate tls_cert = </path_to_certificate> tls_key = </path_to_certificate/key> # Use as a reverse proxy for an # existing web server. Automatically forwards # /meet and /Microsoft Server ActiveSync legacy_reverse_proxy = 127.0.0.1:8000
In addition to the Kopano components, Kopano requires a TURN server to establish an initial connection between callers. If a direct connection fails, TURN also forwards communications between callers. The Kopano team recommends Coturn [19] as a popular open source solution and alternatively provides commercial Kopano customers with a hosted TURN server.
You need to store the shared secret of your TURN server in the /etc/kopano/kwmserverd-turnservice.secret
file and then add it to /etc/kopano/kwmserverd.cfg
(Listing 12). If all the components are plugged together correctly and the services are restarted, you should be able to call Meet with https://<My_Domain>/meet (Figure 7).
Listing 12: TURN Server Configuration
turn_uris = #turn:turnserver:443?transport=udp turn_server_shared_secret = /etc/kopano/kwmserverd-turnservice.secret

Meet also allows guest users in conferences, which is particularly important if the company wants to work and hold regular meetings with external partners.
Kopano does impose a few configuration hurdles before you can offer unrestricted hospitality, though. You need to adapt Meet, the Connect service, and the Kopano Web Meetings Server (kwmserver). These fairly extensive changes are described in the official documentation [20].
Kopano User Experience
Whether with WebApp in the browser or DeskApp on the desktop, the Kopano client works very smoothly, responds quickly, and offers sophisticated usability. In both client versions, you get a real desktop feeling.
The only drawback is the web interface, which is not responsive and therefore not optimized for mobile devices. Kopano continues the Zarafa philosophy into the present: Mobile devices should use the available native protocols for data synchronization to sync the end device and server, from CalDAV and CardDAV to IMAP and Z-Push.
This reasoning seems anachronistic, especially in view of the new Mattermost and Meet components, because they live by integration in WebApp; at the same time, they are very much aimed at mobile users, who are forced to use the respective programs as standalone variants on their mobile devices.
According to Kopano, however, improvements are in the cards. On the basis of Meet, a new generation of apps will be developed gradually to use calendars and email. With PWA technology, they will run flexibly on a variety of devices, including offline use. PWA already removes the need to install an app for Meet. Moreover, it is possible to switch seamlessly from one device to another within an ongoing session.
Outlook Connected
Kopano Core enables the native use of Microsoft Outlook (2013 and higher) with the ActiveSync protocol. The Z-Push software allows smartphone users to synchronize their email, contacts, calendar entries, and tasks.
The optional Kopano OL extension package is a native Component Object Model (COM) plugin that extends available functionality with collaborative features not supported by the ActiveSync transport implementation available in Microsoft Outlook. Kopano promises that Microsoft updates for Outlook will not interfere with the functionality provided by the extension.
Conclusions
Kopano presents itself as an extensive and mature groupware environment that fulfils almost all the wishes of admins and users. The proven Zarafa basis is an important asset on the one hand; on the other hand, the modern Mattermost and Meet add-ons are heading in the right direction. Unfortunately, mobile users in particular will find the support for smartphones incomplete. One hopes Kopano will continue to pursue the promising PWA approach.
Setting up a comprehensive groupware platform with all of the components it involves requires a great deal of time and in-depth Linux knowledge. If you can provide both, the reward for your efforts will be a stable system with a flexible client environment.