Cool Solution - Kerio Connect

From Univention Wiki


Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal notes in the Terms of Service.

Note: This article is not yet reviewed.

This article briefly describes the installation and configuration of Kerio Connect under UCS 3.2 on a DC Master.

- Desktop
- Samba 4


Create a Kerio-Useraccount with LDAP read rights in the Univention-Management-Console. A simple authentication account is sufficient.

Login & Download

Login on the master:

ssh root@master

Download the Kerio Connect software. For Debian and Ubuntu (amd64) you can use:


Or for i386:


You can search for other applicable packages at Kerio download page.


Before installing, check whether any other mail server is running (e.g. postfix or sendmail):

/etc/init.d/postfix status

If this is the case stop them with:

/etc/init.d/postfix stop

And disable the autostart:

ucr set postfix/autostart=no

After that install the downloaded package with:

dpkg -i kerio-connect-8.2.2-2224-linux-amd64.deb

If the basic setup screen doesn't show up you have to start it manually with:

cd /opt/kerio/mailserver         
dpkg-reconfigure kerio-connect

Configure UCS

By default all non-standard ports on the UCS firewall are blocked. Therefore you need to open port 4040 for the Kerio Connect administration interface, either in the Univention Management Console or with:

ucr set security/packetfilter/package/kerioconnect/tcp/4040/all=ACCEPT
ucr set security/packetfilter/package/kerioconnect/tcp/4040/all/en="Kerio Connect administration interface"

Afterwards restart to let the settings take effect.

Adding LDAP Schema Extensions

On the master download and copy the LDAP Schema to the shared Univention-LDAP directory:

mv kerio-mailserver.schema /usr/share/univention-ldap/schema/

In the Univention-Info directory you have to register the schema. Create a new file with:

touch /etc/univention/templates/info/

And add:

Type: multifile
Multifile: etc/ldap/slapd.conf
Variables: ldap/server/type
Variables: ldap/master
Type: subfile
Multifile: etc/ldap/slapd.conf
Subfile: etc/ldap/slapd.conf.d/67kerio-mailserver_schema 

Afterwards create a new file with:

touch /etc/univention/templates/files/etc/ldap/slapd.conf.d/67kerio-mailserver_schema

And add:

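@!@
# UCR runs the Python between the @!@ markers and writes what it prints into slapd.conf
import os.path
schema = '/usr/share/univention-ldap/schema/kerio-mailserver.schema'
# Include the schema only on the master, and only if the schema file exists
if configRegistry['ldap/server/type'] == 'master' and os.path.exists(schema):
    print('include         %s' % schema)
@!@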

Thereafter you have to regenerate the slapd.conf with:

ucr commit /etc/ldap/slapd.conf

And register the LDAP-Schema to UCS:

. /usr/share/univention-lib/
ucs_registerLDAPSchema /usr/share/univention-ldap/schema/kerio-mailserver.schema

Adding extended attributes in UCS

For a further description of extended attributes see the developer reference. It is recommended to create extended attributes for the UCS LDAP in the custom attributes container under LDAP_BASE -> univention -> custom attributes in the UMC. Add a container "kerioconnect" with type "Container: Container" and add all Kerio Connect extended attributes to it. The minimal attribute set for a Kerio Connect user is:

- objectClass: kerio-Mail-User 
- kerio-Mail-Active: 1

For the Kerio Connect Group the minimal definition is:

- objectClass: kerio-Mail-Group
- kerio-Mail-Active: 1

Additional attributes can be added according to the kerio-mailserver.schema.

Note: This works only for users and not for groups. OpenLDAP uses only a one-way mapping, in which a group contains its members. If you want to use groups in Kerio Connect, you have to extend the user schema with a groupMemberShip attribute for a bidirectional mapping.
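To confirm that user entries actually carry the minimal attribute set listed above, the following added example (not part of the original article) parses ldapsearch LDIF output and reports per entry whether objectClass kerio-Mail-User and kerio-Mail-Active: 1 are both present. The function names, the sample users, the search filter and the BIND_DN/BASE placeholders are assumptions; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: report whether each LDIF entry on stdin carries the minimal
# Kerio Connect user attributes (objectClass kerio-Mail-User, kerio-Mail-Active: 1).
kerio_ldif_check() {
    awk '
    function flush() {                      # emit one status line per entry
        if (dn == "") return
        if (cls && act) s = "OK"            # both present
        else if (cls)   s = "INACTIVE"      # class set, Active missing or not 1
        else if (act)   s = "NOCLASS"       # Active set, object class missing
        else            s = "SKIP"          # not a Kerio-enabled entry
        print s, dn
        dn = ""; cls = 0; act = 0
    }
    function handle(l,   low) {
        if (l == "") { flush(); return }    # blank line ends an entry
        low = tolower(l)                    # LDAP names are case-insensitive
        if (low ~ /^dn::? /) { dn = l; sub(/^[^ ]* /, "", dn) }
        else if (low == "objectclass: kerio-mail-user") cls = 1
        else if (low == "kerio-mail-active: 1") act = 1
    }
    /^ / { line = line substr($0, 2); next } # LDIF folding: join continuation
    { handle(line); line = $0 }
    END { handle(line); flush() }'
}

# Constructed sample LDIF (hypothetical users; carol has a folded dn line).
kerio_sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,dc=example,dc=test
objectClass: person
objectClass: kerio-Mail-User
kerio-Mail-Active: 1

dn: uid=bob,cn=users,dc=example,dc=test
objectClass: kerio-Mail-User
kerio-Mail-Active: 0

dn: uid=carol,cn=users,dc=exam
 ple,dc=test
kerio-Mail-Active: 1
EOF
}

# Live use (BIND_DN and BASE are placeholders; -W prompts for the password):
#   ldapsearch -x -H ldap://localhost:7389 -D "$BIND_DN" -W -b "$BASE" \
#     "(|(objectClass=kerio-Mail-User)(kerio-Mail-Active=*))" | kerio_ldif_check
kerio_sample_ldif | kerio_ldif_check
```

Entries reported as INACTIVE or NOCLASS are the ones to fix in the extended attributes before testing the directory connection in Kerio Connect.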

Configure Kerio Connect

To configure Kerio Connect you will need to do some customization.

Change LDAP-Ports

You need to change the default LDAP-Ports in the mailserver.cfg. Stop Kerio Connect with:

/etc/init.d/kerio-connect stop

Change LDAP-Ports 389/636 to 7389/7636 in:

vim /opt/kerio/mailserver/mailserver.cfg

Afterwards start Kerio Connect with:

/etc/init.d/kerio-connect start

Adding LDAP-Connection

- Log in to the Kerio Connect administration interface at IP-Address:4040/admin.
- Go to Configuration -> Domains -> YourDomain -> Edit -> Directory Service
- Check "Map user accounts and groups from a directory service to this domain"
- Choose Apple Open Directory (Kerberos 5 authentication) as Directory service type
- In the Directory server (domain controller) section choose:
  Hostname: hostname:7389
  Username: DN-Kerio-Useraccount from UMC
  Password: xxxxx
- Click "Test Connection".

Mapping LDAP-Attributes

Download LDAP-Mapping:


Change the Guid variables in the User and Group map tables in



  <value><attribute type="string">entryUUID</attribute></value>

and move to /opt/kerio/mailserver/ldapmap/:

mv /opt/kerio/mailserver/ldapmap/

These attributes are used to uniquely identify users and groups.

Stop Kerio Connect with:

/etc/init.d/kerio-connect stop

Change the variable "MapFile" in your newly created LDAP configuration in /opt/kerio/mailserver/mailserver.cfg to

<variable name="MapFile"></variable>

Afterwards start Kerio Connect with:

/etc/init.d/kerio-connect start

Change ports of Webmail user interface

By default the Kerio Connect mail server listens on ports 80/443 for the webmail user interface. This conflicts with the running Apache, so you need to switch the user interface to a different port or a different IP address. The section below describes how to switch to a different port.

- In the Kerio Connect administration interface
- Go to Configuration -> Services
- Edit the HTTP and/or the HTTPS services
- On the "Properties" tab, select the port 80/443 and click remove 

Then open ports 8800/8843 in the firewall accordingly:

ucr set security/packetfilter/package/kerioconnect/tcp/8800/all=ACCEPT
ucr set security/packetfilter/package/kerioconnect/tcp/8800/all/en="Kerio Connect user interface"
ucr set security/packetfilter/package/kerioconnect/tcp/8843/all=ACCEPT
ucr set security/packetfilter/package/kerioconnect/tcp/8843/all/en="Kerio Connect user interface"


  • If you get a "Package not found" error like:
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von kerio-connect:
kerio-connect hängt ab von sysstat; aber:
Paket sysstat ist nicht installiert.
dpkg: Fehler beim Bearbeiten von kerio-connect (--install):
Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:


Install the missing package with:

univention-install packagename

It may also be necessary to activate the "unmaintained repositories" with:

ucr set repository/online/unmaintained='yes'
  • LDAP connection problems can be tested with:

ldapsearch -x -H ldap://localhost:7389 -D dn -w password

  • Kerio Log:
  • LDAP debugging:
/etc/init.d/slapd stop
slapd -d 1 -h ldap://

