Security alert for zarafa-server-7.2.4-100 (beginning 2016-12-10)

Thanks to a very dedicated user (Mike), a serious security issue has been found in the default configuration. This bug allows a user to access the data of any known email account on your system.

Details
zarafa-gateway.service and ical.service are executed as the zarafa user. This causes zarafa-server to answer any request coming through these services as if it came from the administrator: credentials are not checked and every access is granted.

Who is affected?
– Anybody who installed zarafa-server-7.2.4-100 or later (beginning 2016-12-10) using the installation script, which installed the default configuration

– Anybody who uses zarafa-server-7.2.4-1 or later (beginning 2016-08-19) with the default configuration, exposed the ical / gateway service (127.0.0.1 => 0.0.0.0) and left run_as_user unchanged (run_as_user=zarafa)

How to fix?
1) Update zarafa-server to zarafa-server-7.2.4.29-155. The fix is applied during installation.
OR
2) Fix it manually…

$ vi /etc/zarafa/ical.cfg
 run_as_user = nobody
 run_as_group = nobody

$ vi /etc/zarafa/gateway.cfg
 run_as_user = nobody
 run_as_group = nobody

$ vi /usr/lib/tmpfiles.d/zarafa-tmpfiles.conf
 d /run/zarafad 0777 zarafa zarafa
 d /var/run/zarafad 0777 zarafa zarafa

$ rm /var/run/zarafad/ical.pid
$ rm /var/run/zarafad/gateway.pid

$ systemd-tmpfiles --create
$ systemd-tmpfiles --clean

$ systemctl restart zarafa-gateway
$ systemctl restart zarafa-ical
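To verify the result of the steps above (or to find out whether a host is affected before fixing it), here is an added audit script that is not part of the original alert. It assumes run_as_user and server_bind are the config keys used in /etc/zarafa/ical.cfg and /etc/zarafa/gateway.cfg, and runs on constructed sample files so it can be tried stand-alone.

```shell
# Added audit script, not part of the original alert. It reads the ical and
# gateway configs and reports services still running as the trusted zarafa
# user. Keys run_as_user and server_bind are assumed (see lead-in).

# cfg_value FILE KEY: effective value of KEY in "key = value" syntax;
# comment lines are ignored and the last occurrence wins.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_service FILE: prints one AFFECTED or OK line for a config file.
# Running as zarafa is the problem whatever the bind address is;
# server_bind=0.0.0.0 only widens exposure from local users to the network.
check_service() {
    user=$(cfg_value "$1" run_as_user)
    bind=$(cfg_value "$1" server_bind)
    [ -z "$user" ] && user='(unset)'
    [ -z "$bind" ] && bind='(unset)'
    if [ "$user" = zarafa ]; then
        echo "AFFECTED $1 run_as_user=$user server_bind=$bind"
    else
        echo "OK $1 run_as_user=$user server_bind=$bind"
    fi
}

# audit FILE...: checks every file; returns 1 if any service is affected.
audit() {
    rc=0
    for f in "$@"; do
        line=$(check_service "$f")
        echo "$line"
        case "$line" in AFFECTED*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample configs so the script runs stand-alone; on a real host
# pass /etc/zarafa/ical.cfg /etc/zarafa/gateway.cfg to audit instead.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ical.cfg" <<'EOF'
server_bind = 0.0.0.0      # exposed to the network
run_as_user = zarafa       # unchanged default: affected
run_as_group = zarafa
EOF
cat > "$SAMPLES/gateway.cfg" <<'EOF'
server_bind = 127.0.0.1
run_as_user = nobody       # fixed as described in the alert
run_as_group = nobody
EOF
audit "$SAMPLES/ical.cfg" "$SAMPLES/gateway.cfg" || echo "fix needed: see the steps above"
```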

MartiMcFly

Manage Zarafa- and Postfix-Users

Small office or home setups of Zarafa are not connected to LDAP, Active Directory or other enterprise user management systems. For this purpose Zarafa servers come with an integrated command line user management.

Unfortunately, the persons responsible for mailbox administration don’t always have technical skills or root access on the command line. On the other hand, administrators have to manage their mail transfer agent, such as Postfix, in parallel.

These gaps are filled perfectly by the Postfix Admin extension Zarafa Postfix Admin (ZPA).

Postfix Admin is a web-based interface used to manage mailboxes, virtual domains, aliases and fetchmail for Postfix. ZPA extends it so that it manages accounts and aliases for Zarafa at the same time.

Quick Demo – Running on Raspberry Pi 2

Read my next post on how to install, run and access the Zarafa-Postfix-Admin.

Zarafa packages for Arch Linux x64 and i686

Today I’m glad to announce the release of the new Zarafa packages for Arch Linux on x64 and i686 systems. Just follow the post for Arch Linux ARM and use its repository.

The package has been renamed to zarafa-server and all posts have been changed according to this. The transition from zarafa-server-arm to zarafa-server package will be handled seamlessly by pacman.

Zarafa packages for Arch Linux ARM / x86 / i686

Recently someone asked me for help with his Zarafa-Server on his Raspberry Pi 2 (ARM). He tried to build an installation package with my MAKEPKG file from the Arch Linux User Repository, but I soon realized that compiling with gcc 5 on his system is a pain.

So that nobody else has to go through this, I decided to create a package repository for Arch Linux ARM. There you’ll find the latest build of Zarafa’s installation packages for Odroid and Raspberry Pi 2 devices.

Since I use these packages myself, I can tell they work as of the day they are created. Future versions will be released as soon as I have verified that they work together with the other Zarafa related packages.

Quick Demo – Running on Raspberry Pi 2

So what’s in there?

  • zarafa-server => Server with database, settings and locally trusted certificates
  • zarafa-libical => Libical with Zarafa’s patches
  • zarafa-libvmime => Libvmime with Zarafa’s patches
  • zarafa-webapp => Modern WebClient
  • zarafa-webapp-clockwidget => Clock for dashboard
  • zarafa-webapp-contactfax => Create mail to a contact’s fax number
  • zarafa-webapp-delayeddelivery => Schedule mails
  • zarafa-webapp-filepreviewer => Viewer for attachments
  • zarafa-webapp-files => OwnCloud / WebDAV integration
  • zarafa-webapp-folderwidgets => Mailfolders for dashboard
  • zarafa-webapp-gmaps => Show a contact’s address on Google Maps
  • zarafa-webapp-mdm => Mobile Device Management
  • zarafa-webapp-oauthlib => Create API classes with OAuth authentication
  • zarafa-webapp-passwd => Change your password from WebApp
  • zarafa-webapp-pimfolder => Quickly move your mail to another folder
  • zarafa-webapp-quickitems => Create items from dashboard
  • zarafa-webapp-smime => S/MIME integration
  • zarafa-webapp-spellchecker => Spellchecker
  • zarafa-webapp-titlecounter => Unread messages counter for browser tab
  • zarafa-webapp-webappmanual => Link to manual in toolbar
  • zarafa-webapp-webodf => Viewer for attached WebODF documents
  • zarafa-webapp-xmpp => XMPP based chat client
  • sabre-zarafa => CardDAV
  • z-push => ActiveSync

Read my next post on how to install, run and access the server.

Zarafa Mailserver

It’s hard to explain how much work it is to set up your own private, state-of-the-art mail service. The list of components to take care of might be pretty scary. But from my own experience I can tell you: it’s possible!

That’s why I decided to write some tutorials about this and share my knowledge. My final objective is to show how you can set up and run a mail server that keeps your mail at home while a smarthost handles transfers and checks.
