diff --git a/.env b/.env
index 20d40d5..7e86462 100644
--- a/.env
+++ b/.env
@@ -1,14 +1,19 @@
-COMPOSE_PROJECT_NAME=kopano
+TAG=zntrl
+COMPOSE_PROJECT_NAME=$TAG
# database credentials
MYSQL_ROOT_PASSWORD=modT9&?.
MYSQL_KOPANO_PASSWORD=zAKt(85&
+MYSQL_PORT=3307
#
-MAIL_DOMAIN=zntrl.de
+MAIL_DOMAIN=$TAG.de
POSTFIX_MTA_HOST=mta.$MAIL_DOMAIN
POSTFIX_SMTP_PORT=8025
-POSTFIX_MTA_SSL_KEY=
-POSTFIX_MTA_SSL_CERT=
POSTFIX_RELAY_HOST=relay.zntrl.de
POSTFIX_RELAY_PORT=465
-POSTFIX_RELAY_SSL_KEY=
-POSTFIX_RELAY_SSL_CERT=
\ No newline at end of file
+#
+WEBAPP_PORT=8080
+Z_PUSH_PORT=8081
+#
+DCKR_SERVER=$TAG-server-1
+DCKR_DAGENT=$TAG-dagent-1
+DCKR_SERVER=$TAG-server-1
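Review bot: `DCKR_SERVER=$TAG-server-1` is added twice, as the first and the last of the three new `DCKR_*` lines; the second copy is redundant and was perhaps meant for a different service, so drop it or rename it. The hunk also keeps `MYSQL_ROOT_PASSWORD` and `MYSQL_KOPANO_PASSWORD` as literal values in a tracked `.env`; those credentials are now in the repository history and should be rotated and moved to an untracked file or a secret store, with only placeholder values committed. `POSTFIX_RELAY_HOST=relay.zntrl.de` still hard-codes the domain that `MAIL_DOMAIN=$TAG.de` now derives, so `relay.$MAIL_DOMAIN` would keep the two in step.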
diff --git a/core/Dockerfile b/core/Dockerfile
index d9a8f43..7becef2 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -17,7 +17,7 @@ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm
rm -rf core-11.0.2.50.507cbae-Ubuntu_20.04-amd64
EOF
# use envsubst in entrypoint script to convert config templates to actual config files
-COPY --chmod=0775 entrypoint.sh /entrypoint.sh
+COPY --chmod=0775 core/entrypoint.sh /entrypoint.sh
# https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-kopano-dagent-for-delivery-via-unix-socket
# mapi (client-server)
#EXPOSE 236
@@ -25,6 +25,23 @@ COPY --chmod=0775 entrypoint.sh /entrypoint.sh
#EXPOSE 237
# lmtp (dagent)
#EXPOSE 2003
+COPY etc-template /root/etc/
+RUN << EOF
+cp -p /etc/kopano/server.cfg /etc/kopano/server.cfg-dist
+sed -i \
+ -e's/server_listen = \*\%lo:236/server_listen = 0.0.0.0:236/' \
+ -e's|#server_ssl_key_file = /etc/kopano/ssl/server.pem|server_ssl_key_file = /etc/kopano/ssl/private/server-key-cert.pem|' \
+ -e's|#server_ssl_ca_file = /etc/kopano/ssl/cacert.pem|server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-ca-chain.pem|' \
+ -e's|#server_ssl_ca_path = /etc/kopano/ssl/certs|server_ssl_ca_path = /etc/kopano/ssl/certs|' \
+ -e's|#sslkeys_path = /etc/kopano/sslkeys|sslkeys_path = /etc/kopano/sslkeys|' \
+ -e's|#server_name =|server_name = zntrl.de|' \
+ -e's|#database_engine = mysql|database_engine = mysql|' \
+ -e's|#mysql_host = localhost|mysql_host = mysql|' \
+ -e's|#mysql_user = root|mysql_user = kopano|' \
+ -e's|#mysql_password =|mysql_password = $MYSQL_PASSWD|' \
+ -e's|#mysql_database = kopano|mysql_database = kopano|' \
+ /etc/kopano/server.cfg
+EOF
VOLUME /var/lib/kopano/attachments
VOLUME /var/lib/kopano/search
ENTRYPOINT ["/entrypoint.sh"]
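Review bot: The `mysql_password` expression writes the literal text `$MYSQL_PASSWD` into `/etc/kopano/server.cfg`, because the sed script is single-quoted, and nothing visible in this commit replaces it later: the entrypoint's envsubst loop reads its templates from `/root/etc/kopano`, and `.env` defines `MYSQL_KOPANO_PASSWORD`, not `MYSQL_PASSWD`. Leaving the placeholder unexpanded at build time is the right direction, since expanding it here would store the password in an image layer, but the name should match the variable the container receives and the file has to pass through envsubst at start-up, for example by shipping `server.cfg` as a template under `etc-template/kopano`. `COPY etc-template /root/etc/` also copies the key files this commit adds under `etc-template/kopano` (`kapid-pubs-secret.key`, `konnectd-encryption-secret.key`, `konnectkeys/*.pem`) into every image built from this Dockerfile; mounting them at run time keeps them out of image layers. `server_listen = 0.0.0.0:236` opens that listener on every container interface, and it looks like the plaintext port given that dagent.cfg reaches the server over `https://…:237`, so confirm that 236 is not published or reachable beyond the compose network.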
diff --git a/core/entrypoint.sh b/core/entrypoint.sh
index b453729..a7e79f8 100644
--- a/core/entrypoint.sh
+++ b/core/entrypoint.sh
@@ -2,4 +2,11 @@
set -e
chown kopano:kopano /var/lib/kopano/attachments
# runas user kopano
+env
+cp -rp /root/etc/kopano/* /etc/kopano
+for $F in $(find /root/etc/kopano -name '*.cfg' -type f)
+do
+ envsubst <$F >/etc/kopano/${F##*/}
+ diff $F /etc/kopano/${F##*/}
+done
exec "$@"
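Review bot: `for $F in $(find …)` is not valid shell, because the loop variable must be a plain name (`for F in …`), so the script fails at this line and never reaches `exec "$@"`. Two other added lines cause trouble as well: `env` prints every environment variable, including any credentials passed to the container, into the container log, and `diff $F /etc/kopano/${F##*/}` both echoes substituted values and returns non-zero whenever substitution changed anything, which aborts the script under `set -e`. I would drop `env` and `diff` and quote the expansions: `envsubst <"$F" >"/etc/kopano/${F##*/}"`. Passing envsubst an explicit variable list, e.g. `envsubst '$MAIL_DOMAIN $DCKR_SERVER'`, keeps it from blanking any other `$name` text in the configs.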
diff --git a/core/scratchpad.sh b/core/scratchpad.sh
index 669f847..46f122d 100644
--- a/core/scratchpad.sh
+++ b/core/scratchpad.sh
@@ -1,8 +1,8 @@
#!/usr/bin/bash
# export DOCKER_BUILDKIT=1
docker run -d --rm --name dist -p80:80 -v/root/kopano-docker/dist:/usr/local/apache2/htdocs httpd
-docker build --no-cache --progress=plain -t core .
-docker build -t core .
+docker build --no-cache --progress=plain -t core -f core/Dockerfile .
+docker build -t core -f core/Dockerfile .
docker run --rm -it --name core -p8081:80 core bash
docker logs -f core
docker exec -it core bash
diff --git a/docker-compose.yml b/docker-compose.yml
index 10e5e1f..4b27018 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,8 +1,10 @@
# name_prefix: kopano, see COMPOSE_PROJECT_NAME in .env
services:
server:
- build: ./core
- image: baloan/core
+ build:
+ context: .
+ dockerfile: core/Dockerfile
+ # image: baloan/core
depends_on:
- mysql
ports:
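Review bot: Setting `context: .` makes the whole repository the build context for this service, and the same change is repeated for search, spooler, dagent, webapp, z-push, postfix and spampd in the later hunks. That context now contains `.env` with the database passwords and the key files under `etc-template/kopano`, so any broad `COPY` in one of the Dockerfiles would pull them into an image. No `.dockerignore` is visible in this commit, so add one that excludes `.env`, `.git` and any key material not meant for the image. With `image:` commented out, server, search, spooler and dagent each build and tag their own copy of the same `core/Dockerfile`; keeping one shared `image:` name on them would avoid four identically built images. The `server` service definition continues outside the hunk.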
@@ -12,8 +14,10 @@ services:
- attachments:/var/lib/kopano/attachments
command: /usr/sbin/kopano-server
search:
- build: ./core
- image: baloan/core
+ build:
+ context: .
+ dockerfile: core/Dockerfile
+ # image: baloan/core
depends_on:
- server
volumes:
@@ -21,16 +25,20 @@ services:
- search:/var/lib/kopano/search
command: /usr/sbin/kopano-search
spooler:
- build: ./core
- image: baloan/core
+ build:
+ context: .
+ dockerfile: core/Dockerfile
+ # image: baloan/core
depends_on:
- server
volumes:
- ./etc-zntrl/kopano:/etc/kopano:ro
command: /usr/sbin/kopano-spooler
dagent:
- build: ./core
- image: baloan/core
+ build:
+ context: .
+ dockerfile: core/Dockerfile
+ # image: baloan/core
volumes:
- ./etc-zntrl/kopano:/etc/kopano:ro
depends_on:
@@ -47,8 +55,10 @@ services:
ports:
- 3307:3306
webapp:
- build: ./webapp
- image: baloan/webapp
+ build:
+ context: .
+ dockerfile: webapp/Dockerfile
+ # image: baloan/webapp
labels:
- traefik.enable=true
- traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/webapp`)
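Review bot: The published port stays hard-coded as `3307:3306` in the context lines of this hunk even though the commit adds `MYSQL_PORT=3307` to `.env`, so changing the variable has no effect; `- "${MYSQL_PORT}:3306"` would use it. In this short form Compose binds the port on every host interface, which exposes the database beyond the compose network. If host access is only needed locally, bind it to loopback with `- "127.0.0.1:${MYSQL_PORT}:3306"`, or drop the mapping and let the other services reach the database over the internal network. The service this `ports:` entry belongs to starts outside the hunk.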
@@ -64,8 +74,10 @@ services:
- default
- traefik
z-push:
- build: ./z-push
- image: baloan/z-push
+ build:
+ context: .
+ dockerfile: z-push/Dockerfile
+ # image: baloan/z-push
labels:
- traefik.enable=true
- traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/Microsoft-Server-ActiveSync`)
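Review bot: The z-push service declares its ActiveSync rule on the router name `webapp` (`traefik.http.routers.webapp.rule`), the same router name the webapp service uses in the previous hunk. As far as I know, Traefik treats two containers defining one router with different rules as a configuration conflict, so one or both routes are likely to be rejected. The z-push label should use its own router name, e.g. `traefik.http.routers.z-push.rule`. Any other `routers.webapp.*` or `services.webapp.*` labels on z-push outside this hunk would need the same rename.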
@@ -82,17 +94,21 @@ services:
- default
- traefik
postfix:
- build: ./postfix
+ build:
+ context: .
+ dockerfile: postfix/Dockerfile
+ # image: baloan/postfix
tty: true
- image: baloan/postfix
ports:
- 8025:25
volumes:
- spool:/var/spool/postfix
spampd:
- build: ./spampd
+ build:
+ context: .
+ dockerfile: spampd/Dockerfile
+ # image: baloan/spampd
tty: true
- image: baloan/spampd
volumes:
- spamassassin:/var/lib/spamassassin
networks:
diff --git a/etc-template/kopano/admin.cfg b/etc-template/kopano/admin.cfg
new file mode 100644
index 0000000..935a65d
--- /dev/null
+++ b/etc-template/kopano/admin.cfg
@@ -0,0 +1,7 @@
+# The language for folders in newly-created stores, specified as a
+# locale identifier ("en_US", "de_DE", etc.)
+#default_store_locale =
+
+#server_socket = default:
+#sslkey_file = some.pem
+#sslkey_pass = magic
diff --git a/etc-template/kopano/autorespond.cfg b/etc-template/kopano/autorespond.cfg
new file mode 100644
index 0000000..cba6d83
--- /dev/null
+++ b/etc-template/kopano/autorespond.cfg
@@ -0,0 +1,22 @@
+##############################################################
+# AUTORESPOND SETTINGS
+
+# Autorespond if the recipient is in the Cc field
+#autorespond_cc = no
+
+# Autorespond if the recipient is in the Bcc field
+#autorespond_bcc = no
+
+# Autorespond if the recipient is not in any of To, Cc or Bcc
+# (i.e. received the message through a distribution list)
+#autorespond_norecip = no
+
+# Only send reply to same e-mail address once per 24 hours
+#timelimit = 86400
+
+# File which contains when vacation message was sent
+#senddb = /var/lib/kopano/autorespond.db
+
+# Copy to sentmail - whether responses should be saved in the
+# users sentmail folder or not
+#copy_to_sentmail = yes
diff --git a/etc-template/kopano/backup.cfg b/etc-template/kopano/backup.cfg
new file mode 100644
index 0000000..446a394
--- /dev/null
+++ b/etc-template/kopano/backup.cfg
@@ -0,0 +1,31 @@
+##############################################################
+# SERVER SETTINGS
+
+# Socket to find the connection to the storage server.
+# Use https to reach servers over the network
+#server_socket = file:///var/run/kopano/server.sock
+
+# Login to the storage server using this SSL Key
+#sslkey_file = /etc/kopano/ssl/search.pem
+
+# The password of the SSL Key
+#sslkey_pass = replace-with-server-cert-password
+
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file)
+#log_method = file
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Logfile for log_method = file, use '-' for stderr
+# Default: -
+#log_file = /var/log/kopano/backup.log
+
+##############################################################
+# BACKUP SETTINGS
+
+# maximum number of stores to backup in parallel
+#worker_processes = 1
diff --git a/etc-template/kopano/dagent.cfg b/etc-template/kopano/dagent.cfg
new file mode 100644
index 0000000..c31bb8f
--- /dev/null
+++ b/etc-template/kopano/dagent.cfg
@@ -0,0 +1,93 @@
+# See the kopano-dagent.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for LMTP connections.
+#
+# "unix:/var/spool/kopano/dagent.sock" — local socket
+# "*:2003" — port 2003, all protocols
+# "[::]:2003" — port 2003 on IPv6 only
+# "[2001:db8::1]:2003" — port 2003 on specific address only
+#
+lmtp_listen = *:2003
+#lmtp_listen = unix:/var/spool/kopano/dagent.sock
+
+# connection to the storage server
+#server_socket = file:///var/run/kopano/server.sock
+server_socket = https://zntrl-server-1:237
+# Login to the storage server using this SSL Key
+sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem
+# The password of the SSL Key
+sslkey_pass =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 5
+# log_file = /var/log/kopano/dagent.log
+log_timestamp = yes
+
+# Log raw message to a file. Can be "no", "all", or a list of usernames
+# for which messages should be saved.
+#log_raw_message = no
+#log_raw_message_path = /var/lib/kopano
+
+# Maximum LMTP threads that can be running simultaneously
+# This is also limited by your SMTP server. (20 is the postfix default concurrency limit)
+#lmtp_max_threads = 20
+
+# The following e-mail header will mark the mail as spam, so the mail
+# is placed in the Junk Mail folder, and not the Inbox.
+# The name is case insensitive.
+# set to empty to not use this detection scheme.
+#spam_header_name = X-Spam-Status
+
+# If the above header is found, and contains the following value
+# the mail will be considered as spam.
+# Notes:
+# - The value is case insensitive.
+# - Leading and trailing spaces are stripped.
+# - The word 'bayes' also contains the word 'yes'.
+#spam_header_value = Yes,
+
+# Enable archive_on_delivery to automatically archive all incoming
+# messages on delivery.
+# This will do nothing if no archive is attached to the target mailbox.
+#archive_on_delivery = no
+
+# Enable the dagent Python plugin framework. Disables threading.
+#plugin_enabled = yes
+
+# Path to the activated dagent plugins.
+# This folder contains symlinks to the kopano plugins and custom scripts. The plugins are
+# installed in '/usr/share/kopano-dagent/python/plugins/'. To activate a plugin create a symbolic
+# link in the 'plugin_path' directory.
+#
+# Example:
+# $ ln -s /usr/share/kopano-dagent/python/plugins/BMP2PNG.py /var/lib/kopano/dagent/plugins/BMP2PNG.py
+#plugin_path = /var/lib/kopano/dagent/plugins
+
+##############################################################
+# DAGENT RULE SETTINGS
+
+# Enable the addition of X-Kopano-Rule-Action headers on messages
+# that have been forwarded or replied by a rule.
+#set_rule_headers = yes
+
+# Enable this option to prevent rules from potentially causing a loop. An
+# e-mail can only be forwarded once when this option is enabled. Requires the
+# set_rule_headers option to also be enabled.
+#no_double_forward = yes
+
+# Domain list to which forwarding is allowed. (Cuts off after 1000 characters,
+# and knows no escape chars, so use the _file variants if needed.)
+#forward_whitelist_domains = *
+#forward_whitelist_domains_file =
+#forward_whitelist_domain_subject = REJECT: %subject not forwarded (administratively blocked)
+#forward_whitelist_domain_message = The Kopano mail system has rejected your request to forward your e-mail with subject %subject (via mail filters) to %sender: the operation is not permitted.\n\nRemove the rule or contact your administrator about the forward_whitelist_domains setting.
+#forward_whitelist_domain_message_file =
+
+# When multiple HTML MIME parts are found, they can be joined to form a
+# continuous e-mail. (If not, they will become attachments.) Joining them
+# however can compromise the document integrity, as stylesheets and JavaScripts
+# affect the entire joined document.
+#
+#insecure_html_join = no
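Review bot: `server_socket = https://zntrl-server-1:237` hard-codes the server container name, although this commit adds `DCKR_SERVER=$TAG-server-1` to `.env` and runs the `*.cfg` templates through envsubst; `server_socket = https://$DCKR_SERVER:237` would follow the `TAG` setting, provided the variable is passed into the container. `lmtp_listen = *:2003` accepts LMTP on every interface, and LMTP itself has no authentication, so delivery should stay limited to the compose network (no published port, or a listener restricted to the interface postfix uses). `sslkey_pass =` is empty, which implies the client key in `dagent-key-cert.pem` is stored unencrypted; that file then needs restrictive ownership and mode, and should be mounted at run time rather than built into the image.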
diff --git a/etc-template/kopano/gateway.cfg b/etc-template/kopano/gateway.cfg
new file mode 100644
index 0000000..9a326d3
--- /dev/null
+++ b/etc-template/kopano/gateway.cfg
@@ -0,0 +1,47 @@
+# See the kopano-gateway.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+# imaps is normally on 993, pop3s on 995.
+#
+#pop3_listen = *%lo:110
+#pop3s_listen =
+#imap_listen = *%lo:143
+#imaps_listen =
+# File with RSA key for SSL
+#ssl_private_key_file = /etc/kopano/gateway/privkey.pem
+#File with certificate for SSL
+#ssl_certificate_file = /etc/kopano/gateway/cert.pem
+
+# Disable all plaintext authentications unless SSL/TLS is used
+#disable_plaintext_auth = no
+# Verify client certificate
+#ssl_verify_client = no
+# Client verify file and/or path
+#ssl_verify_file =
+#ssl_verify_path =
+#tls_min_proto = tls1.2
+
+# Connection to the storage server.
+# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
+#server_socket = http://localhost:236/
+# Bypass authentification when connecting as an administrator to the UNIX socket.
+#bypass_auth = no
+
+# Whether to show the hostname in the logon greeting to clients.
+#server_hostname_greeting = no
+# Override own DNS name for presentation in the protocol greeting line.
+#server_hostname =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 5
+log_file = /var/log/kopano/gateway.log
+#log_timestamp = yes
+
+# Only mail folder for IMAP or all subfolders (calendar, contacts, tasks, etc. too)
+#imap_only_mailfolders = yes
+# Show Public folders for IMAP
+#imap_public_folders = yes
+# The maximum size of an email that can be uploaded to the gateway
+#imap_max_messagesize = 128M
diff --git a/etc-template/kopano/grapi.cfg b/etc-template/kopano/grapi.cfg
new file mode 100644
index 0000000..303e640
--- /dev/null
+++ b/etc-template/kopano/grapi.cfg
@@ -0,0 +1,38 @@
+##############################################################
+# Groupware REST API SETTINGS
+
+# Number of worker processes.
+num_workers = 2
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups.
+#insecure = no
+
+# Path where to create the gc-rest sockets.
+#socket_path = /var/run/kopano-grapi
+
+# Socket to find the connection to the storage server.
+# Use https to reach servers over the network.
+#server_socket = file:///var/run/kopano/server.sock
+
+# Path where to store persistent runtime data.
+#persistency_path = /var/lib/kopano-grapi
+
+# Path where to find translation catalogs.
+#translations_path = /usr/share/kopano-grapi/i18n
+
+# The API includes experimental endpoints which are not yet recommended to run
+# in production setups and are thus disabled by default. When set to yes, all
+# endpoints marked experimental are made available. Defaults to no.
+#enable_experimental_endpoints = yes
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `critical`, `error`, `warning`, `info` or `debug`. Defaults to `info`.
+log_level = info
+log_method = file
+log_file = /var/log/kopano/server.log
+
diff --git a/etc-template/kopano/ical.cfg b/etc-template/kopano/ical.cfg
new file mode 100644
index 0000000..f61e2ff
--- /dev/null
+++ b/etc-template/kopano/ical.cfg
@@ -0,0 +1,34 @@
+# See the kopano-ical.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+# ical has often been placed on 8080 and icals on 8443.
+#
+#ical_listen = *%lo:8080
+#icals_listen =
+#tls_min_proto = tls1.2
+# File with RSA key for SSL
+#ssl_private_key_file = /etc/kopano/ical/privkey.pem
+# File with certificate for SSL
+#ssl_certificate_file = /etc/kopano/ical/cert.pem
+
+# Verify client certificate
+#ssl_verify_client = no
+# Client verify file and/or path
+#ssl_verify_file =
+#ssl_verify_path =
+
+# default connection to the storage server
+# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
+#server_socket = http://localhost:236/
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+#log_file = /var/log/kopano/ical.log
+#log_timestamp = yes
+
+# The timezone of the system clock
+#server_timezone = Europe/Amsterdam
+# Enable the iCalendar GET method for downloading calendars
+#enable_ical_get = yes
diff --git a/etc-template/kopano/kapid-pubs-secret.key b/etc-template/kopano/kapid-pubs-secret.key
new file mode 100644
index 0000000..656700f
--- /dev/null
+++ b/etc-template/kopano/kapid-pubs-secret.key
@@ -0,0 +1 @@
+3be77a9c8294eb60dadf05399576a9048582bb77f8fc86af40660f931d743b65
\ No newline at end of file
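Review bot: This file commits secret key material: per the comment in kapid.cfg it is the secret for Pubs HMAC tokens, so anyone with read access to the repository, or to an image built from `etc-template`, could forge those tokens in a deployment that uses it. The same applies to `konnectd-encryption-secret.key` and `konnectkeys/konnect-20210314-0ae1.pem` (the Konnect token-signing private key), both added further down in this commit. Treat all three as compromised: generate fresh ones at deployment (kapid.cfg and konnectd.cfg give the `openssl` commands), supply them through a mounted volume or a secret store, remove them from the repository history and add the paths to `.gitignore`. The committed value is also 64 hex characters, whereas the kapid.cfg example `openssl rand … -hex 64` produces 128.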
diff --git a/etc-template/kopano/kapid.cfg b/etc-template/kopano/kapid.cfg
new file mode 100644
index 0000000..9052a5a
--- /dev/null
+++ b/etc-template/kopano/kapid.cfg
@@ -0,0 +1,66 @@
+##############################################################
+# Kopano API SETTINGS
+
+# OpenID Connect Issuer Identifier.
+#oidc_issuer_identifier=
+
+# Address:port specifier for where kapid should listen for
+# incoming connections.
+#listen = 127.0.0.1:8039
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups.
+#insecure = no
+
+# Comman separated list of plugin names which should be loaded.
+# If this is not set or the value is empty, kapid scans the plugins_path
+# on startup and loads all plugins found.
+#plugins =
+
+# Path to the location of kapi plugins.
+#plugins_path = /usr/lib/kopano/kapi-plugins
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
+#log_level = info
+
+###############################################################
+# Groupware REST API (grapi) Plugin settings
+
+# Path where to find Kopano Groupware REST (grapi) sockets.
+#plugin_grapi_socket_path = /var/run/kopano-grapi
+
+###############################################################
+# Pubs API (pubs) Plugin settings
+
+# Path to a key file to be used as secret for Pubs HMAC tokens.
+# If no secret_key file is set, a random value will be generated on
+# startup (not suitable for production use, since it changes on
+# restart). A suitable key file can be generated with
+# `openssl rand -out /etc/kopano/kapid-pubs-secret.key -hex 64`.
+#plugin_pubs_secret_key = /etc/kopano/kapid-pubs-secret.key
+
+###############################################################
+# Key value store API (kvs) Plugin settings
+
+# Database backend to use for persistent storage of kvs data. A supported
+# backend must be set (sqlite3, mysql). Defaults to `sqlite3` if not set.
+#plugin_kvs_db_drivername = sqlite3
+
+# Database backend data source name. This setting depends on the storage
+# backend (plugin_kvs_db_drivername). A DNS is required to use the kvs plugin.
+# - For `sqlite3` the value should be the full path to the database file.
+# - For `mysql`, us a MySQL DSN in the following format:
+# [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...¶mN=valueN]
+# See https://github.com/go-sql-driver/mysql#dsn-data-source-name for a
+# full list of supported MySQL DSN params with examples.
+# If not set and plugin_kvs_db_drivername is also not set a default value will
+# be used which uses SQLite3.
+#plugin_kvs_db_datasource = /var/lib/kopano/kapi-kvs/kvs.db
+
+# Path where to find the database migration scripts.
+#plugin_kvs_db_migrations = /usr/lib/kopano/kapi-kvs/db/migrations
diff --git a/etc-template/kopano/konnectd-encryption-secret.key b/etc-template/kopano/konnectd-encryption-secret.key
new file mode 100644
index 0000000..1dd1515
--- /dev/null
+++ b/etc-template/kopano/konnectd-encryption-secret.key
@@ -0,0 +1 @@
+rL(k"u$ԟ+oF3
8k
\ No newline at end of file
diff --git a/etc-template/kopano/konnectd-identifier-scopes.yaml b/etc-template/kopano/konnectd-identifier-scopes.yaml
new file mode 100644
index 0000000..f9b4b6e
--- /dev/null
+++ b/etc-template/kopano/konnectd-identifier-scopes.yaml
@@ -0,0 +1,14 @@
+# This file contains additional scopes for Konnect. All of the scopes listed
+# here are made available to clients upon request if not limited by other means.
+
+---
+scopes:
+ kopano/kwm:
+ description: "Access Kopano Meet"
+
+ kopano/kvs:
+ description: "Access Kopano Key Value Store"
+
+ kopano/pubs:
+ description: "Access Kopano Pub/Sub"
+
diff --git a/etc-template/kopano/konnectd-signing-private-key.pem b/etc-template/kopano/konnectd-signing-private-key.pem
new file mode 120000
index 0000000..cce160f
--- /dev/null
+++ b/etc-template/kopano/konnectd-signing-private-key.pem
@@ -0,0 +1 @@
+/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem
\ No newline at end of file
diff --git a/etc-template/kopano/konnectd.cfg b/etc-template/kopano/konnectd.cfg
new file mode 100644
index 0000000..e9bf222
--- /dev/null
+++ b/etc-template/kopano/konnectd.cfg
@@ -0,0 +1,146 @@
+##############################################################
+# Kopano Konnect SETTINGS
+
+# OpenID Connect Issuer Identifier.
+# This setting defines the OpenID Connect Issuer Identifier to be provided by
+# this Konnect server. Setting this is mandatory and the setting must be a
+# https URL which can be accessed by all applications and users which are to
+# use this Konnect for sign-in or validation. Defaults to "https://localhost" to
+# allow unconfigured startup.
+#oidc_issuer_identifier=https://localhost
+
+# Address:port specifier for where konnectd should listen for
+# incoming connections. Defaults to `127.0.0.1:8777`.
+#listen = 127.0.0.1:8777
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups. Defaults to `no`.
+#insecure = no
+
+# Identity manager which provides the user backend Konnect should use. This is
+# one of `kc` or `ldap`. Defaults to `kc`, which means Konnect will use a
+# Kopano Groupware Storage server as backend.
+#identity_manager = kc
+
+# Full file path to a PEM encoded PKCS#1 or PKCS#5 private key which is used to
+# sign tokens. This file must exist and be valid to be able to start the
+# service. A suitable key can be generated with:
+# `openssl genpkey -algorithm RSA \
+# -out konnectd-signing-private-key.pem.pem \
+# -pkeyopt rsa_keygen_bits:4096`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-signing-private-key.pem
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#signing_private_key = /etc/kopano/konnectd-signing-private-key.pem
+
+# Key ID to use in created JWT. This setting is useful once private keys need
+# to be changed because they expire. It should be a unique value identiying
+# the signing_private_key. Example: `k20180912-1`. Not set by default, which
+# means that Konnect uses the file name of the key file (dereferencing symlinks)
+# without extension.
+#signing_kid =
+
+# JWT signing method. This must match the private key type as defined in
+# signing_private_key and defaults to `PS256`.
+#signing_method = PS256
+
+# Full path to a directory containing pem encoded keys for validation. Konnect
+# loads all `*.pem` files in that directory and adds the public key parts (if
+# found) to the validator for received tokens using the file name without
+# extension as key ID.
+#validation_keys_path =
+
+# Full file path to a encryption secret key file containing random bytes. This
+# file must exist to be able to start the service. A suitable file can be
+# generated with:
+# `openssl rand -out konnectd-encryption-secret.key 32`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-encryption-secret.key
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#encryption_secret_key = /etc/kopano/konnectd-encryption-secret.key
+
+# Full file path to the identifier registration configuration file. This file
+# must exist to be able to start the service. An example file is shipped with
+# the documentation / sources. If not set, Konnect will try to load
+# /etc/kopano/konnectd-identifier-registration.yaml
+# without failing when the file is not there. If set, the file must be there.
+#identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
+
+# Full file path to the identifier scopes configuration file. An example file is
+# shipped with the documentation / sources. If not set, Konnect will try to
+# load /etc/kopano/konnectd-identifier-scopes.yaml without failing if the file
+# is not there. If set, the file must be there.
+#identifier_scopes_conf = /etc/kopano/konnectd-identifier-scopes.yaml
+
+# Path to the location of konnectd web resources. This is a mandatory setting
+# since Konnect needs to find its web resources to start.
+#web_resources_path = /usr/share/kopano-konnect
+
+# Custom base path for URI endpoints for Konnect API and the identifier web
+# application. This needs to be changed when Konnect is served from a path
+# instead of the root of the domain.
+#uri_base_path = /
+
+# Space separated list of scopes to be accepted by this Konnect server. By
+# default this is not set, which means that all scopes which are known by the
+# Konnect server and its configured identifier backend are allowed.
+#allowed_scopes =
+
+# Space separated list of IP address or CIDR network ranges of remote addresses
+# which are to be trusted. This is used to allow special behavior if Konnect
+# runs behind a trusted proxy which injects authentication credentials into
+# HTTP requests. Not set by default.
+#trusted_proxies =
+
+# Flag to enable client controlled guest support. When set to `yes`, a registered
+# client can send authorize guests, by sending signed requests. Defaults to `no`.
+#allow_client_guests = no
+
+# Flag to enable dynamic client registration API. When set to `yes`, clients
+# can register themselves and make authorized calls to the token endpoint.
+# Defaults to `no`.
+#allow_dynamic_client_registration = no
+
+# Additional arguments to be passed to the identity manager.
+#identity_manager_args =
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
+#log_level = info
+
+###############################################################
+# Kopano Groupware Storage Server Identity Manager (kc)
+
+# URI for connecting to the Kopano Groupware Storage server. This can either be
+# a http(s):// URL for remote systems or a file:// URI to a socket for local
+# connection. Defaults to `file:///run/kopano/server.sock` and is only used
+# when the identity_manager is `kc`.
+#kc_server_uri = file:///run/kopano/server.sock
+
+# Session timeout for sessions of the Kopano Groupware Storage server in
+# seconds. Access token valid duration is limited to this value and Konnect
+# will expire sessions if they are inactive for the timeout duration. This value
+# needs to be lower or same as the corresponding value used in the Kopano
+# Groupware Storage server's configuration to avoid constant session expiration
+# and recreation.
+#kc_session_timeout = 300
+
+###############################################################
+# LDAP Identity Manager (ldap)
+
+# Below are the settings for the LDAP identity manager. They are only used when
+# the identity_manager is `ldap`.
+#ldap_uri =
+#ldap_binddn =
+#ldap_bindpw =
+#ldap_basedn =
+#ldap_scope = sub
+#ldap_login_attribute = uid
+#ldap_uuid_attribute = uidNumber
+#ldap_filter = (objectClass=inetOrgPerson)
diff --git a/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem b/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem
new file mode 100644
index 0000000..3d0c625
--- /dev/null
+++ b/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/etc-template/kopano/kweb/.kweb/.setup-done b/etc-template/kopano/kweb/.kweb/.setup-done
new file mode 100644
index 0000000..e69de29
diff --git a/etc-template/kopano/kwebd.cfg b/etc-template/kopano/kwebd.cfg
new file mode 100644
index 0000000..cb6727f
--- /dev/null
+++ b/etc-template/kopano/kwebd.cfg
@@ -0,0 +1,137 @@
+##############################################################
+# Kopano Web SETTINGS
+
+# Site's host name.
+# Full qualified host name. If set, kweb provides HTTP/HTTPS for this host
+# including automatic ACME CA TLS and Content Security Policy generation. If not
+# set (the default), kweb is available under all names and does not try to
+# obtain a certificate via ACME.
+#hostname=
+
+# ACME CA email.
+# To allow automatic TLS via ACME, the CA needs an email address. Provide your
+# email address here to enable automatic TLS via ACME. If tls_acme_email and
+# hostname are set, kweb will automatically manage TLS certificates unless
+# explictly disabled by other settings.
+#tls_acme_email =
+
+# ACME CA subscriber agreement.
+# Set to `yes` to accept the CA's subscriber agreement. If this is `no` or
+# not set and kweb is otherwise configured to use ACME, kweb will log the link
+# to the CA's subscriber agreement and then exit. You have to change this
+# setting to `yes` to use automatic TLS via ACME.
+#tls_acme_agree = no
+
+# ACME CA server directory.
+# URL to the certificate authority's ACME server directory. Default is to use
+# Let's Encrypt (https://acme-v02.api.letsencrypt.org/directory).
+#tls_acme_ca = https://acme-v02.api.letsencrypt.org/directory
+
+# HTTP Strict Transport Security.
+# Value for HTTP Strict Transport Security response header. Default to
+# `max-age=31536000;` and is only used if hostname is set. Set explicitly to
+# empty to disable.
+#hsts=max-age=31536000;
+
+# Bind address to bind the listeners.
+# This setting defines where to bind kweb http listeners. By default kweb binds
+# to all interfaces/ips since it needs to be available from external.
+#bind=0.0.0.0
+
+# Web root folder.
+# Full path to the web root. All files below that folder are served by kweb and
+# the path is used as base for otherwise relative paths.
+# Default: `/usr/share/kopano-kweb/www`
+#web_root = /usr/share/kopano-kweb/www
+
+# Port for HTTPS listener.
+# When TLS is enabled, kweb will serve the TLS listener on this port. Defaults
+# to 9443 if `hostname` is not set and `443` otherwise.
+https_port = 7443
+
+# Port for HTTP listener.
+# When TLS is disabled, kweb will serve the listener on this port. Defaults to
+# 9080 if `hostname` is not set and `80` otherwise.
+http_port = 7080
+
+# HTTP/2 support.
+# Set to `yes` to enable HTTP/2 support on all TLS listeners. HTTP/2 is enabled
+# by default. Set to `no` to disable.
+#http2 = yes
+
+# QUIC support.
+# Experimental support for QUIC. Set to `true` to enable. Default is `no`.
+#quic = no
+
+###############################################################
+# Log settings
+
+# HTTP request log file (access log in combined format).
+# Full path to log file where to log HTTP requests. Not set by default which
+# means requests are not logged.
+#request_log_file = /var/log/kopano-kweb/access.log
+
+###############################################################
+# TLS settings
+
+# TLS support.
+# Support encrypted listeners and automatic TLS certificate creation when set
+# to `yes`. Set to `no` to disable all TLS and listen on plain HTTP.
+#tls = yes
+
+# TLS certificate bundle.
+# Path to a TLS certificate bundle (concatenation of the server's certificate
+# followed by the CA's certificate chain). If set, the TLS listener will use
+# that certificate instead of trying automatic TLS.
+#tls_cert =
+
+# TLS private key.
+# Path to the server's private key file which matches the certificate bundle. It
+# must match the certificate in tls_cert.
+#tls_key =
+
+# TLS protocols.
+# Minimal and maximal TLS protocol versions to be offered. Defaults to TLS 1.2
+# and TLS 1.3 (`tls1.2 tls1.3`).
+#tls_protocols = tls1.2 tls1.3
+
+# TLS self sign.
+# By default kweb creates self signed TLS certificates on startup on if ACME is
+# not possible due to missing settings. If set to `yes`, ACME is disabled and a
+# self signed certificate will always be created. Default: `no`.
+#tls_always_self_sign = no
+
+# TLS must stable.
+# Enables must stable for certificates managed by kweb. If this is set to `yes`
+# and kweb requests certificates via ACME, those certificates will require that
+# the OSCP information is stapled with the response. Defaults to `no`.
+#tls_must_staple = no
+
+###############################################################
+# App settings
+
+# Default top level redirect.
+# When set, top level requests `/` will redirect to the configured value.
+# Not set by default.
+#default_redirect =
+
+# Legacy support.
+# To make integration into existing environments easier kwebd can act as a
+# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
+# in Apache or Nginx. Set the address to the legacy web server here. Not set by
+# default.
+#legacy_reverse_proxy = 127.0.0.1:8000
+
+###############################################################
+# Limiting settings
+
+# Rate limit tate.
+# Limits Excessive access to services. Requests will be terminated with an error
+# 429 (Too Many Requests) and X-RateLimit-RetryAfter is added.
+# Format "rate burst unit", Defaults to "100 200 minute".
+#ratelimit_rate = "100 200 minute"
+
+# Rate limit whitelist.
+# Your trusted IPs (comma separated). Defines the CIDR IP range you don't want
+# to perform rate limit. Defaults to `127.0.0.1/8`.
+#ratelimit_whitelist = 127.0.0.1/8
diff --git a/etc-template/kopano/ldap.cfg b/etc-template/kopano/ldap.cfg
new file mode 100644
index 0000000..9064409
--- /dev/null
+++ b/etc-template/kopano/ldap.cfg
@@ -0,0 +1,36 @@
+# See the kopano-ldap.cfg(5) manpage for details and more directives
+
+# Select implementation.
+# If you have any reason to override settings from /usr/share/kopano/*.cfg,
+# do so at the end of this (/etc-resident) config file.
+#
+!include /usr/share/kopano/ldap.openldap.cfg
+#!include /usr/share/kopano/ldap.active-directory.cfg
+
+# List of URIs of LDAP servers to use. Make sure that etc/ldap/ldap.conf is
+# /configured correctly with TLS_CACERT when using "ldaps".
+ldap_uri =
+#ldap_starttls = no
+
+# The DN of the user to bind as for normal operations.
+# When empty, uses anonymous binding.
+ldap_bind_user =
+ldap_bind_passwd =
+
+# Top level search base, every object should be available under this tree
+ldap_search_base =
+
+# The timeout for network operations in seconds
+#ldap_network_timeout = 30
+
+# ldap_page_size limits the number of results from a query that will be downloaded at a time.
+# Default ADS MaxPageSize is 1000.
+#ldap_page_size = 1000
+
+#ldap_membership_cache_size = 256k
+#ldap_membership_cache_lifetime = 5
+
+# Use custom defined LDAP property mappings
+# This is not a requirement for most environments but allows custom mappings of
+# special LDAP properties to custom MAPI attributes
+#!propmap /etc/kopano/ldap.propmap.cfg
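Review bot: Nothing in this template tells the person filling it in to protect the bind credentials. `ldap_uri`, `ldap_bind_user` and `ldap_bind_passwd` are left empty and `#ldap_starttls = no` stays at its default, so a plain `ldap://` URI would carry the bind password unencrypted. I would add `# Supply at deploy time (environment or secret); never commit a real value.` above `ldap_bind_passwd`, and `# Use ldaps:// or set ldap_starttls = yes.` above `ldap_uri`. The comment line just before `ldap_uri` also has a stray `/` in `/configured`.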
diff --git a/etc-template/kopano/monitor.cfg b/etc-template/kopano/monitor.cfg
new file mode 100644
index 0000000..010b342
--- /dev/null
+++ b/etc-template/kopano/monitor.cfg
@@ -0,0 +1,28 @@
+# See the kopano-monitor.cfg(5) manpage for details and more directives.
+
+#server_socket = file:///var/run/kopano/server.sock
+# Login to the storage server using this SSL Key
+#sslkey_file = /etc/kopano/ssl/monitor.pem
+# The password of the SSL Key
+#sslkey_pass = replace-with-monitor-cert-password
+# in a multi-server environment, which servers to monitor (default all)
+#servers =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+#log_file = -
+#log_timestamp = yes
+
+# Quota check interval (in minutes)
+#quota_check_interval = 15
+# Quota mail interval in days
+#mailquota_resend_interval = 1
+
+# Template to be used for quota emails which are sent to the user
+# when the various user quota levels have been exceeded.
+#userquota_warning_template = /etc/kopano/quotamail/userwarning.mail
+
+# Templates to be used for quota emails which are sent to the company administrators
+# when the company quota level has been exceeded.
+#companyquota_warning_template = /etc/kopano/quotamail/companywarning.mail
diff --git a/etc-template/kopano/php-mapi.cfg b/etc-template/kopano/php-mapi.cfg
new file mode 100644
index 0000000..f36b4d4
--- /dev/null
+++ b/etc-template/kopano/php-mapi.cfg
@@ -0,0 +1,30 @@
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file), syslog facility is 'mail'
+#log_method = syslog
+
+# Logfile (for log_method = file, '-' for stderr)
+#log_file = /var/log/kopano/php-mapi.log
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Log timestamp - prefix each log line with timestamp in 'file'
+# logging mode
+#log_timestamp = yes
+
+# Buffer logging in what sized blocks. 0 for line-buffered (syslog-style).
+#log_buffer_size = 0
+
+# This setting will make php-mapi trace how long each MAPI-call
+# took into the selected logfile.
+# Make sure that the file exists and/or can be written to by the
+# apache user.
+# php_mapi_performance_trace_file = /var/log/kopano/php-mapi-perf-trace.log
+
+# Enable debug output for the mapi extension
+# Bitmask:
+# 1 = Log start of a function
+# 2 = Log end of a function
+#php_mapi_debug = 0
diff --git a/etc-template/kopano/quotamail/companywarning.mail b/etc-template/kopano/quotamail/companywarning.mail
new file mode 100644
index 0000000..fd22f6c
--- /dev/null
+++ b/etc-template/kopano/quotamail/companywarning.mail
@@ -0,0 +1,11 @@
+Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
+
+The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
+the size limits set by the administrator.
+The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limit:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded this warning message will be sent
+
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/companywarning.mail.dpkg-new b/etc-template/kopano/quotamail/companywarning.mail.dpkg-new
new file mode 100644
index 0000000..fd22f6c
--- /dev/null
+++ b/etc-template/kopano/quotamail/companywarning.mail.dpkg-new
@@ -0,0 +1,11 @@
+Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
+
+The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
+the size limits set by the administrator.
+The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limit:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded this warning message will be sent
+
+See client Help for more information.
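Review bot: This file looks like a dpkg leftover rather than a template and should not be committed. The `.dpkg-new` suffix is what dpkg gives the staged copy of a configuration file during installation, and its blob id (`fd22f6c`) is the same as that of `companywarning.mail` just above. The same applies to `userhard.mail.dpkg-new`, `usersoft.mail.dpkg-new` and `userwarning.mail.dpkg-new` further down, each sharing `2c499cb` with its unsuffixed sibling. I would drop the four files and add `*.dpkg-new` to the ignore file so that captured package state is not copied into the image.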
diff --git a/etc-template/kopano/quotamail/userhard.mail b/etc-template/kopano/quotamail/userhard.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userhard.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userhard.mail.dpkg-new b/etc-template/kopano/quotamail/userhard.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userhard.mail.dpkg-new
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/usersoft.mail b/etc-template/kopano/quotamail/usersoft.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/usersoft.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/usersoft.mail.dpkg-new b/etc-template/kopano/quotamail/usersoft.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/usersoft.mail.dpkg-new
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userwarning.mail b/etc-template/kopano/quotamail/userwarning.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userwarning.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userwarning.mail.dpkg-new b/etc-template/kopano/quotamail/userwarning.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userwarning.mail.dpkg-new
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/search.cfg b/etc-template/kopano/search.cfg
new file mode 100644
index 0000000..0321f0e
--- /dev/null
+++ b/etc-template/kopano/search.cfg
@@ -0,0 +1,39 @@
+# See kopano-search.cfg(5) for more details and directives.
+
+# Location of the index files
+#index_path = /var/lib/kopano/search/
+# Limit the number of results returned (0 = no limit)
+#limit_results = 1000
+
+# Use https to reach servers over the network
+server_socket = https://zntrl-server-1:237
+# Login to the storage server using this SSL Key
+sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
+# The password of the SSL Key
+#sslkey_pass = replace-with-server-cert-password
+
+# To setup for multi-server, use: http://0.0.0.0:port or https://0.0.0.0:port
+#server_bind_name = file:///var/run/kopano/search.sock
+# File with certificate for SSL, used when server_bind_name uses https://...
+#ssl_certificate_file = /etc/kopano/search/cert.pem
+# File with RSA key for SSL, used when server_bind_name uses https://...
+#ssl_private_key_file = /etc/kopano/search/privkey.pem
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+#log_file = /var/log/kopano/search.log
+#log_timestamp = yes
+
+# Number of indexing processes used during initial indexing
+#index_processes = 1
+#index_drafts = yes
+#index_junk = yes
+# Prepare search suggestions ("did-you-mean?") during indexing
+# This takes up a large percentage of the used disk space
+#suggestions = yes
+
+# Should attachments be indexed
+#index_attachments = no
+# Maximum file size for attachments
+#index_attachment_max_size = 5M
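Review bot: `log_level = 6` turns on debug logging according to the level list in the comment above it, and the same value is set in the `server.cfg` and `spooler.cfg` hunks of this commit. Debug output from mail components is verbose and may include details about users and messages (an assumption, since the page does not show what is logged), so it should not be the committed default. I would go back to the default shown in the other templates with `#log_level = 3` and raise the level only while troubleshooting.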
diff --git a/etc-template/kopano/server.cfg b/etc-template/kopano/server.cfg
new file mode 100644
index 0000000..4950309
--- /dev/null
+++ b/etc-template/kopano/server.cfg
@@ -0,0 +1,121 @@
+# See the kopano-server.cfg(5) manpage for details and more directives.
+
+# If a directive is not used (i.e. commented out), the built-in server default
+# is used, so to disable certain features, the empty string value must explicitly be
+# set on them.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+server_listen = 0.0.0.0:236
+server_listen_tls = 0.0.0.0:237
+# server_ssl_key_file: needs key and certificate
+server_ssl_key_file = /etc/kopano/ssl/private/server-key-cert.pem
+#server_ssl_key_pass =
+server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-ca-chain.pem
+#server_ssl_ca_path = /etc/kopano/ssl/certs
+#server_tls_min_proto = tls1.2
+# Path of SSL Public keys of clients
+sslkeys_path = /etc/kopano/sslkeys
+
+# Name for identifying the server in a multi-server environment. Need
+# not be a DNS name, but this name needs to be present on a LDAP
+# kopano-server object's cn value.
+#server_name = kopano.server
+# Multi-server
+#enable_distributed_kopano = false
+
+database_engine = mysql
+mysql_host = mysql
+mysql_port = 3306
+mysql_user = kopano
+mysql_password = zAKt(85&
+mysql_database = kopano
+
+# Allow connections from normal users through the Unix socket
+#allow_local_users = yes
+
+# Space-separated list of users that are considered Kopano admins.
+local_admin_users = root kopano
+
+log_method = auto
+# log_file = /var/log/kopano/server.log
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+log_timestamp = yes
+
+# Attachment backend driver type: "database", "files", "files_v2", "s3"
+#attachment_storage = files
+#attachment_path = /var/lib/kopano/attachments
+
+#attachment_s3_hostname = s3-eu-west-1.amazonaws.com
+# The region where the bucket is located, e.g. "eu-west-1"
+#attachment_s3_region =
+# The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
+#attachment_s3_protocol =
+# The URL style of the bucket, "virtualhost" or "path"
+#attachment_s3_uristyle =
+# The access key id of your S3 account
+#attachment_s3_accesskeyid =
+# The secret access key of your S3 account
+#attachment_s3_secretaccesskey =
+# The bucket name in which the files will be stored
+#attachment_s3_bucketname =
+
+# User backend driver type: "db", "unix", "ldap"
+#user_plugin = db
+#user_plugin_config = /etc/kopano/ldap.cfg
+#enable_sso = false
+# Hostname override for Kerberos SSO
+#server_hostname =
+
+# OpenID Connect Issuer Identifier. When set, the server attempts OIDC discovery
+# and initialization on startup, using the configured issuer identifier.
+#kcoidc_issuer_identifier =
+#kcoidc_initialize_timeout = 60
+
+# Skip creation/deletion of users for testing purposes, instead log it.
+#user_safe_mode = no
+
+# Multi-tenancy
+#enable_hosted_kopano = false
+# Display format of store name
+# Allowed variables:
+# %u Username
+# %f Full name
+# %c Tenant's name
+#storename_format = %f
+
+# Loginname format for multi-tenancy installations
+# When the user does not login through a system-wide unique
+# username (like the email address) a unique name is created
+# by combining the username and the tenantname.
+# With this configuration option you can set how the
+# loginname should be built up.
+#
+# Note: Do not use the = character in the format.
+#
+# Allowed variables:
+# %u Username
+# %c Teantname
+#
+#loginname_format = %u
+
+#enable_gab = yes
+# Whether to hide/show the special GAB "Everyone" group that contains
+# every user and group for non-admins.
+#hide_everyone = no
+# Whether to hide/show the special GAB "SYSTEM" user for non-admins.
+#hide_system = yes
+# Synchronize GAB users on every open of the GAB (otherwise, only on
+# kopano-admin --sync)
+#sync_gab_realtime = yes
+
+# Use indexing service for faster searching.
+# Enabling this option requires kopano-indexd or kopano-search to be active.
+#search_enabled = yes
+#search_socket = file:///var/run/kopano/search.sock
+#search_timeout = 10
+
+# Disable features for users. This list is space separated.
+# Currently valid values: imap pop3 mobile outlook webapp
+disabled_features = pop3
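Review bot: The `mysql_password` line commits the database credential in clear text, and the same literal is the value of `MYSQL_KOPANO_PASSWORD` in `.env` in this commit. The Dockerfile comment says the entrypoint renders config templates with envsubst; if this file goes through that step, the line can be `mysql_password = ${MYSQL_KOPANO_PASSWORD}` so the value lives in one place outside the image. Because the current value is now in repository history, it should be rotated. Separately, `server_listen = 0.0.0.0:236` keeps the plaintext port open on all interfaces next to the TLS listener on 237, which is worth confirming as intended since search and spooler connect over `https://…:237`.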
diff --git a/etc-template/kopano/spamd.cfg b/etc-template/kopano/spamd.cfg
new file mode 100644
index 0000000..c51812b
--- /dev/null
+++ b/etc-template/kopano/spamd.cfg
@@ -0,0 +1,53 @@
+##############################################################
+# SPAMD SERVICE SETTINGS
+
+# run as specific user
+#run_as_user = kopano
+
+# run as specific group
+#run_as_group = kopano
+
+# control pid file
+#pid_file = /var/run/kopano/spamd.pid
+
+# run server in this path (when not using the -F switch)
+#running_path = /var/lib/kopano
+
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file)
+#log_method = file
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Logfile for log_method = file, use '-' for stderr
+#log_file = /var/log/kopano/spamd.log
+
+# Log timestamp - prefix each log line with timestamp in 'file' logging mode
+#log_timestamp = 1
+
+###############################################################
+# SPAMD Specific settings
+
+# The dir where spam mails are written to which are later picked up
+# by the sa-learn program
+#spam_dir = /var/lib/kopano/spamd/spam
+
+# Location for the database containing metadata on learned spam
+#spam_db = /var/lib/kopano/spamd/spam.db
+
+# Learn ham, when the user moves emails from junk to inbox,
+# enabled by default.
+#learn_ham = yes
+
+# The dir where ham mails are written to which are later picked up
+# by the sa-learn program
+#ham_dir = /var/lib/kopano/spamd/ham
+
+# Spamassassin group
+#sa_group = amavis
+
+# Header tag for spam emails
+#header_tag = X-Spam-Flag
diff --git a/etc-template/kopano/spooler.cfg b/etc-template/kopano/spooler.cfg
new file mode 100644
index 0000000..a0beb41
--- /dev/null
+++ b/etc-template/kopano/spooler.cfg
@@ -0,0 +1,30 @@
+# See the kopano-spooler.cfg(5) manpage for details and more directives.
+
+# Outgoing mailserver
+smtp_server = postfix
+smtp_port = 25
+
+# Server Unix socket location
+server_socket = https://zntrl-server-1:237
+# Login to the storage server using this SSL Key
+sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
+# The password of the SSL Key
+sslkey_pass =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+#log_file = -
+#log_timestamp = yes
+
+# Dump raw messages into specified directory before sending via SMTP.
+#log_raw_message_path = /var/lib/kopano
+#log_raw_message_stage1 = no
+
+# Maximum number of threads used to send outgoing messages
+#max_threads = 5
+
+# spooler Python plugin framework. Disables threading.
+#plugin_enabled = no
+# Path to the activated spooler plugins.
+#plugin_path = /var/lib/kopano/spooler/plugins
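Review bot: The comment `# Server Unix socket location` no longer matches the value below it, which is an HTTPS URL; `# Storage server URL (HTTPS, port 237)` would describe it. The host `zntrl-server-1` is also hard-coded here and in `search.cfg`, while `.env` defines `DCKR_SERVER=$TAG-server-1`. If the entrypoint's envsubst step renders this file (not visible here), `server_socket = https://${DCKR_SERVER}:237` keeps the name in step with `TAG`. `sslkey_pass =` is set to empty, which suggests the key in `system-key-cert.pem` is stored unencrypted, so that file's permissions matter.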
diff --git a/etc-template/kopano/ssl/certs/balusign-ca-chain.pem b/etc-template/kopano/ssl/certs/balusign-ca-chain.pem
new file mode 100644
index 0000000..10c08d7
--- /dev/null
+++ b/etc-template/kopano/ssl/certs/balusign-ca-chain.pem
@@ -0,0 +1,106 @@
+-----BEGIN CERTIFICATE-----
+MIIJgTCCBamgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
+IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMDQwNzA5NTIx
+MFoXDTMzMDQwNjA5NTIxMFowgY8xEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
+JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
+ZTEiMCAGA1UECwwZSW5mb3JtYXRpb24gU2VjdXJpdHkgVW5pdDEcMBoGA1UEAwwT
+QmFsdVNpZ24gU2lnbmluZyBDQTCCA+IwDQYJKoZIhvcNAQEBBQADggPPADCCA8oC
+ggPBAKeU5NqQjKgTDVUYWwJanWyDiOLR7RyobQeFAVeGogwZQ/hOy+INl5VAps+7
+7YB6PnjXOa6tCFdJW+tQaXJxqsdU51W4LE6Iq5BpWGx9ltnqDcksXww7iIdHgblv
+4db0ErZM3CogOF3Sr2jYo28OmpqsEFMrbvJ2FDxgBG4/NIGUIqZumY8Aq9JyqA2a
+8yOKPiFyjeiABlNdyvoGNF0RnzxOeErO2loKtUuW5hfLxnUvzin1WnVtipEy1TOd
+E/eRoBfUpexyUXH2/DKw9CvH/ZGGz8oApe8SWSJlO4xSOgxONkuaybs+VzaMxtPU
+ACeeyOILVbQ25BhWSVOW9CfcUeQwqf7pViCUPx7kBSR/RpiLN1JGpEACW6B1D4wy
+OsOq55I0qSou7lJSJtkplSSzS1OxbK+SW1yq/FdPOJvqMIB88OuvrKlve4tDG7tQ
+hfbGrLnF0BKcBE3H2qkkujQ5zULptX1WpklBDnPvxcmlCGwW0XzrRHpOPQDTPbkh
+pH4a4Sph2rWFK7A0Qft8j2eMis7D1Wc30miV4DFYekQc5C3PernGwci3BM7qX4Xt
+5oNbjMk53N2VB5MjT1aVLWlW66+M9vPZ9Y+VCTfSs0p+rUwtyLoYPKulQRhg7zcS
+im6VnQatsiPZM6ssUNFu3602f6E6t0wdIOr1/WAuaIN0WWMWATkPhJ6tpcRSbu3e
+PpOwSbjbwxEPfk5q73xyJZ63XCfFAKihK2KpDOM2D2n0QhKyWOBa5Yw9BZaouSQz
+kBVFYYLm26wfOwvUKwLXX76BDOW33YO61EwV5Jswwp6L+x4Jn6CD4oloBR35ix9t
+aFXTmKA0zoRgrf7SiV38O6GCK3fIxGCz3YC3WRBWoZ519fM7YqqtG71LFPr5cTa8
+EU2QAxizw82Rp0e06yWCFGbfq+8eJB4r8f4+NM6Nqc/4IZZVcmMX3k/R9bOXw7L9
+7HI68QIa34KhQs9KFHUedr5QDS5yU2Ts1mpgzAkCvNqVYGbovm19OTwglDCrb6+i
+KQ29wi1CK9VJUSJx2RaOufh9COndNi640clgSWqClLPChCyhgosuwVPFOQYko6Ez
+nWl5LCvnLh3ieAqVys61t98ll9ueoVyD4HIcseuu9+h7xh02i/SVpD34CZlNwT+u
+BkhSzCoVoj2yp5RZeJFSqXT/99avmbI99O5RGxpTzB3MtADrX0zD1LK2jzvumRrv
+HIPGfB8TTl6aN1dDZ7aA67SnI7cybxhja+52DECwWCnxXx6MTM86/0ZNG6hZe/wu
+SQ3Q0QIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAdBgNVHQ4EFgQUypuBBCYN5ViDw4UBxZtTxzBXbBAwHwYDVR0jBBgwFoAU+o8o
+2baOIFDraC5/jXb/T0MRzrYwDQYJKoZIhvcNAQEMBQADggPBAKK6zoKmVe5FxVaP
+85TgjvbVQWZdaejlma9xZuSJPxicHuaEjuSrcthaqQ6rhdccLcniuY3+heKAjKqU
+fdGzOhjwyfAGFjP/xd/xb4c7eh7EQ/NnYPM82Miiw1pd4sA+8hJnDoLlK1dO+SAw
+5N0UrJLl+N33DT95fjykxNysCOxPSnNihKI86QlkpCUJ1GgupoRFRNJ7ditW8Fcu
+vWfZw3GSwWQNFAzBL0/xbiVh1/mZRnaKRK8APVT70M40UtIzu/Rr8D9TfoyDzuy5
+pkjQXhclz/tuctnvkwOEwmeOYHtozdg4SZlePJ4hrUkLIwgEcN1xk4XueioTT5+d
+VouUg6kg7YdpRiJH4PvLudUnoGs8+277gQZIyQgMoF0iR9IYXMBcDcaOnb6fcmKD
+Pxiu395c0a3alnugmkqRoJboiGFPbU0BUOXTV0uRLkXVFSs5FSccfUGrnPP+Kk73
+ePfOLVazmsiSF0J+k0ngh9U6I067FdAEqEFyqLj7nLT9B8Wd6YR1mCFzPUNg5k70
+pXeyap1Y+kW03+bsw/uakqTSf6aCFa+vXwyHoMsC1Pb8hCRtYh/FisON9IcGe0em
+A3JAwoiwLyAQT94/fNm+kf7LiM+lQP0Odj/dos9yBBqu5oZ2J0f+AAGpOqOy9zez
+hC8lEtn14y9QMmEoEHUdNPMIHS3W859ejF+tmZ+rpfLgL1VHmiv162gw0tRz1hX7
+NDNhqlNNBygC83hi+BzHLgfZIqTumRVIQulwzyhX6tqtG4TGvxQ3MXluKH2RA9Yk
+SM2Shm8l6RVaadA0gGmfmd97WVnd0jUJXFMpZSZCsLuI9PesTkW59cIloVvl6AXM
+csVJqGCiuElHZDAjGmGvHJJEnnckZCTC0czaoRSEN8GmDCWnewPn7VAUTR+Qv30G
+26yVOQWcNr7h8I7dkXEF9DfJRz/5p3+Tu0T7HCi8vwz4dAaB4YPm1Zl5TZSIF8U5
+TgV15BFN1nXSyLLdZsn1wcGjjFKR22kdyKonZjh2M+9ZGHDLAhY5abHzvK08d1av
+NvgPcddVAJCWxgabjdrA/gB4GDeNRSLYWPmvb5O4H/FfYteAVbbasoSmc+4zhv4D
+ZXsQvYwuyLuv6dDIlGeiHM8+u1wSP2Dp8PdE1E0xSg0kYp8AmwCTsjoKowMH8A7A
+wm/eGWZED2yoZLmIalE1ps76kfBBzNbJQMyioE0nrfU+0RF/RSAv/AzH6fz2pTta
+9lzdU5OOIo4HNAwaHyxla5gW6P0N+i1mUAq/z7ZLVrI7DvuRww==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/etc-template/kopano/ssl/openssl.cnf b/etc-template/kopano/ssl/openssl.cnf
new file mode 100644
index 0000000..4acca4b
--- /dev/null
+++ b/etc-template/kopano/ssl/openssl.cnf
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/etc-template/kopano/ssl/private/server-key-cert.pem b/etc-template/kopano/ssl/private/server-key-cert.pem
new file mode 100644
index 0000000..d8410b4
--- /dev/null
+++ b/etc-template/kopano/ssl/private/server-key-cert.pem
@@ -0,0 +1,81 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIHTDCCA3SgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMSIwIAYDVQQLDBlJbmZvcm1hdGlvbiBTZWN1cml0eSBV
+bml0MRwwGgYDVQQDDBNCYWx1U2lnbiBTaWduaW5nIENBMB4XDTIzMDQwNzA5NTky
+NloXDTI0MDQwNjA5NTkyNlowcDESMBAGCgmSJomT8ixkARkWAmRlMRcwFQYKCZIm
+iZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNpZ24gUHJpdmF0ZSBTaXRl
+MRAwDgYDVQQLDAdJbmZvU2VjMQ8wDQYDVQQDDAZzZXJ2ZXIwggGiMA0GCSqGSIb3
+DQEBAQUAA4IBjwAwggGKAoIBgQDD8D6c+I14MM0k1Qj7wegQ7SutYDWXSfpLSQXp
+9RuB3ZKyjU9c0J4wilkK00Y7gdIKZN8tMlF2rQ3FUwvn9uewq5k3pe2tE4v+Oooh
+5F9aNttTHOeRHTkgAkvcqyHPpCV8yO0a8t7elSzxdY3BBkIruO/zpvouhoYWXpdG
+xS+ctU/XlGFyWEUQkwVCPPreiDd3EP1h8idMikiDi4oKAYOa/xY/YKr29mp8rXK8
+xYn5xTV2xn62gLK1FB2g5l/XJt9sQY+g4Y04h8V8gYwSLLHBIbg6CCxK6kqY6qEg
+SMQ9y4swQ1q4R0adlN3gai5rFLeWcFnXVL4XCjoIA2GKFKDro/0/i2STQVi4+Hyy
+h6n3yfAm6PN5WX8FiVRRCCxf+kxqHJgpM8etqNyffuADs49p8hc2efsTF8weCq4V
+3V0OyKU87GP1pKEfbERwJwE25C+V9Vp3Yi+3G8c3PU89qK/xTiCKZMK7Zsgmi5RO
+PBBVaM31GOcjS0YnErnvBc5LqGsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMCBaAw
+CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O
+BBYEFBKiISlxH+ktQIPjAMBTsxskqkKUMB8GA1UdIwQYMBaAFMqbgQQmDeVYg8OF
+AcWbU8cwV2wQMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQwFAAOCA8EA
+bUVsCWPSANeyHAtGERQxTRwwFcshva8MjrQjxuKhLcMCnVqUrLRZ9Yq7VsPlrGoq
+vc5+zDnS0WU6PkdvsOElFcfRjvo80NueWrTSreBzAAwNDlGjRxJSw/jeRnaOOgN2
+khqnQSi8w3VhlzVNwG2OrNzED0zf3Kp0oaAnaOy/55rS+xVKGydguwuCsZf3Pi3e
+h1G4GuDjCoGbAKnSQPfXavGaRrDHPuNMmiqOFkC0eEMTT9z3vsqXVWYwWMt2PRtf
+ASPauYRGpmh/ZWpfTAno4boTFIXC4xnKpQZuEBKwLUaw2/bAENhzesxe/DzjxUNK
+2O6o+2NCz9phydOWovbe4k+ybvRXCZcZ0nbdcJb8WU2lq3ceht1jxwHObLkv1bV3
+kJlxnd1pyw+wR83H+FkwCVODsvlJGbpThyRHtj3T2TCrPXqgJDHmva19r6p1YKXR
+p7v6TljZ9FFYhu4tYCtN8O/xb6mF1BN6JpzADgiGreejClST1oEQToVZu06mPanv
+mRVHuS4Em+L0KX0tV9a3WPhHP9dggxfYZ6HI258sXonnpZaKZRnYlaGyUVE6FDpF
+qBzvKFxLGM2ttbd91CzeRqDXodG8ehYp5ed8e4mEbeT2JseLaUYMskYi6TVIIWll
+YKouPCxcacyf570TPnqQog/YLkz0bZDYagOA1vtno6ViViDo541xQ4B6tVuVTLVT
+n6NglRiSGo081ntmnt6t3AkU38kPP/GX55kq5naP+ydIUC0XU2ENLXFkZIR/1+Sj
+zZt7rXDOmTR2QOb2LqlL+ucZahGNOoeFP4aP1gqgjnxzuVPakXt3pRaK1NAHO/Eb
+117r06ueKfMXBeGanADT3Zjnoj5ep6Ti49MF8TTw75pT3nilbmMuvdfwtYIbD4kV
+aDD1SP4wgnRBVavehaIVx8lN5d5py0gN/BjqqmFwqg953K2Q8/3vwZWQTfhedfa/
+YQlq4sjYpmvAQExUAMsOUiNDbuTMgi7fD/fC3Dxvb3t/QQ+IdzWxH9Ls0j805sHb
+ybc4X2zeZU3Bd6xO1ngo+6ki910Yuj/vXHlXl7RF3axdKj6ZrpysC/VGewmPtUa4
+EcgV16vxIgCyiL0ePzcn9Ni8Li/qXE6QrSfZF59kOaMk3dnXAkgx6hHA99Sa7OX7
+qgjZ/M3dTf7I4dkwy+YqHWfwstw0RByrvw4xY7expbgp0wdvhXQWc9wF1mL8usNB
+6TF4biVcOQMtVz7l3JHuZiYACFvE+/sf0GcLGI//9NxkSmL8nYOlGRxWU47rhQoz
+-----END CERTIFICATE-----
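Review bot: An unencrypted private key (`-----BEGIN PRIVATE KEY-----`) is committed to the repository here with mode 100644, and etc-template/kopano/ssl/private/system-key-cert.pem in the next hunk does the same. Key material that has reached git history should be treated as disclosed, so both key pairs should be regenerated and the certificates reissued, with the old ones revoked at the issuing CA. The files are better removed from the tree and supplied at runtime through a bind mount or a compose secret, with the `etc-template/kopano/ssl/private/` path added to `.gitignore`. If the image build copies `etc-template` wholesale, the keys also end up in an image layer, which outlives a later delete.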
diff --git a/etc-template/kopano/ssl/private/system-key-cert.pem b/etc-template/kopano/ssl/private/system-key-cert.pem
new file mode 100644
index 0000000..229efe1
--- /dev/null
+++ b/etc-template/kopano/ssl/private/system-key-cert.pem
@@ -0,0 +1,81 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQC6TbbQSfuxKR6m
+B/u+MRh5OFmXFS3E89oO8hgHJ9XhLOutqSlYrU0gjSDCBURmCtpwjUYFay4N6KR2
+N/iAUlLDvJyJQgtWO6ur64/WiDzxLobjDb/11pLFWmdw26nKJz6cT8mrid/SbtS7
+gsIZgsaQGzx3evNhrbvh3/ue8gYEQamhqRaxIZXZckTgVSgydtEun+6rs99fSQVI
+fd6kB+1IB1mqtBhl8m6hy5cX6+hKQbyScXlvKhQFhQpxmVHsa9+ry8l31YIcGs2p
+e4q+AxzTpXmLpllmy8FIRn6J3//gGBv1QZLc3RC/sbQI0BNkRqpSSGU/tvIIp8m6
+7kdyzwIKIbASM8Ff+47A/ejVM27SJ6QsRUWShQjKY3v7953R+U9PevroGPVlAUiR
+LVdSKFqaIePTgvnAZj/fEZhtdiuB3G9i274EFMIuPwsqC3YiKS10R1XlZ+g+ZWMa
+aZ5FOGKFsurXggDJSxIABOWtPDNs2Tp11acszf5L5cv8blHwmjMCAwEAAQKCAYEA
+rCcJyhjDQiacEpIH9uyJD+KZLrm8TGWE1xCwUVRnF6cZtKQ+95lUTsL6RS720FAx
+H5X74R/0M5gI+NCpiXII1qRgBZmIvktvS/LlPDkyDy+OJxtaiYGYqFLsiOYCVDHF
+ck1sLl29/Ea7vvWKBGbKsvjn/AQaB+WxWnxNl8dO9fnzFNYZiN5fCMrFiIJIHbGb
+hDj3I6SXwQXJov3kkLBee5OHMO0wKmxF/K4TVWCBirSJ2syOiMFaNOuGBgjGIfBe
+7/xg9wpMP786iX4mStQH8lyDhAE99GzUgT6oQfqiXOVWMX4/y0nqr3F7zJ3EisEP
+zyROpZZqLCCf7ZhlpVxhZlLNz2E1omDHy5xfim/Q/oWmtOfjqlL/DNHceJekmQ/P
+Qtnb6gs07hdtjKfz+YFMDpuqyc7HY2gnosQacOsWySssNhrj5Y4yKlPdY9m6IjQP
+0VI9GwnKJhxXIeCzTlIzSM9izso2U15JISiaxOJ4saBBnNrkp9Eu1/fDDCAgIk7B
+AoHBAOOx2PZ8TqLfc3ADk/yS0evV6K5I2isdIMcvECLhMIKfPcTmwfQCMmuTmnG/
+7n5pHTeO3g6IA4b2MhTvgrdvKPNtEwhYSBsenDN0bMC8+DJKH1wsOi/+ksTpND7i
+fa7/FNM77SDpBH63Mkm/LVt/8ItkYCbHH58vb/HtFaYsIwEVrZwzlZtA8GgXJCWC
+wAX8fNjXJKRn59Gaz9nEkbcsMarHqruJJ7QtGemPEwPb5wZlFyQveDbxjgyiD0QF
+8GOhoQKBwQDRdqKyNeKXwDTORkXpXSxt611xHS7stGkCGEZLn8iS6RXB2goElTpz
+xVA128jKqzTDBD3ySiB1R2/GmDjX/jUN8htt4y4TajBOvolUO+jStVVSPIafNqpO
+IeDJEyi3DIooipeVa0EOWHpsSS9qLg2fzPe2LeuURR397RCf9eYb2JGwgnv7IQlB
+QijFIxEBYIMU+xhJUdqOsSn6xc4zzkEeEhrg/AbCkpOadVDgtL+nBXmju32y8I2l
+sX10jyK8U1MCgcEAqBtsdj88x592WSMrJXU4q4gY7GQ5P0+YHbcvkLD14dqz/iXo
+2MCufSJTCtyLtqTgv14psEzXXdNzEmXq+oeFkoPbY3PaeLtW096HVJ2wGWEEWkcF
+Bt5Lejo7KpqJ9KO7umEqJ/wiJ3QWGsCdOkrxS9jl7Htja2HYoqNKMo+voGNi9EpZ
+kHCXjiJXu6IXJ9RMUMQ293MHgodsIfmxI63rVY1pDmCrAamy0e+iOF0o6l3EgiDR
+/q7FE6qq3qwL2WNBAoHASjeD3CsVl3lF/JSPrukRlfzgRfT2LG6cCl75gVAjLFKk
+H+SWyhrp9B1El2DBm3XgIv08yb2UFJn0M+S5t2Zd/Av9xgjJyZ1FcpE2bX8wtoAD
+tDi35m/jFf4Q/I3qTjmGNmks3od7LI8TCY1A3JlmwGlKl+VbZFS9FLzLuDHTj6hD
+rsv9C/Ufp1y+v2L2YouExolViJ0VGJwTaMRvlJGPJw15MqB58LUo0YCh4IyKn65j
+9Cy5lA6B0eS6s/MHdrz7AoHAX39pf8mkBoK8HwxahCIQZG5iDZdaqIKh4+YT2coA
+YPC15q5t4ZKE9kxYMBi4iiNZ9ffAUbYoRRjRus7Xv5Aq6h5zlGTANhUy0vT71HDv
+jih0ZvPVJ0VMfsyeAuMl+hVaPt7tE4FBlHsK72+/EDyzt0S22E1FXi8QnP31b0Zt
+GlpvOi6ybxYjzU/MQo++aMEaHHM1l9cDFrBVKaUChx/s4qmW8H3jPusiX0BEQI4+
++TVfDYZt4VumRof/NszbiNo9
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/etc-template/kopano/sslkeys/system-public-key.pem b/etc-template/kopano/sslkeys/system-public-key.pem
new file mode 100644
index 0000000..325bad9
--- /dev/null
+++ b/etc-template/kopano/sslkeys/system-public-key.pem
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/etc-template/kopano/statsd.cfg b/etc-template/kopano/statsd.cfg
new file mode 100644
index 0000000..26050b8
--- /dev/null
+++ b/etc-template/kopano/statsd.cfg
@@ -0,0 +1,8 @@
+# One address:port specifier for where to listen for HTTP connections.
+#statsd_listen = unix:/var/run/kopano/statsd.sock
+
+# Location for keeping RRD files
+#statsd_rrd = /var/lib/kopano/rrd
+
+#run_as_user = kopano
+#run_as_group = kopano
diff --git a/etc-template/kopano/unix.cfg b/etc-template/kopano/unix.cfg
new file mode 100644
index 0000000..b1d807f
--- /dev/null
+++ b/etc-template/kopano/unix.cfg
@@ -0,0 +1,42 @@
+##############################################################
+# UNIX USER PLUGIN SETTINGS
+#
+# Any of these directives that are required, are only required if the
+# userplugin parameter is set to unix.
+
+# Charset used in /etc/passwd for the fullname of a user. Normally this
+# is us-ascii, but this can differ according to your setup.
+# The charset specified here must be supported by your iconv(1)
+# setup. See iconv -l for all charsets.
+fullname_charset = iso-8859-15
+
+# Default email domain for constructing new users
+# Required, no default
+default_domain = kopano.com
+
+# The lowest user id that is considered a regular user
+# Optional, default = 1000
+min_user_uid = 1000
+
+# The highest user id that is considered a regular user
+# Optional, default = 10000
+max_user_uid = 10000
+
+# A list of user ids that are not considered to be regular users
+# Optional, default = empty
+# except_user_uids =
+
+# The lowest group id that is considered a regular group
+# Optional, default = 1000
+min_group_gid = 1000
+
+# The highest group id that is considered a regular group
+# Optional, default = 10000
+max_group_gid = 10000
+
+# A list of group ids that are not considered to be regular groups
+# Optional, default = empty
+# except_group_gids =
+
+# Create a user as non-active when it has this Unix shell
+non_login_shell = /sbin/nologin /bin/false
diff --git a/etc-template/kopano/webapp/.htaccess b/etc-template/kopano/webapp/.htaccess
new file mode 100644
index 0000000..a6c4a4f
--- /dev/null
+++ b/etc-template/kopano/webapp/.htaccess
@@ -0,0 +1,28 @@
+# some apache settings
+Options -Indexes
+
+# The maximum POST limit. To upload large files, this value must be larger than upload_max_filesize.
+
+ php_value post_max_size 31M
+ php_value upload_max_filesize 30M
+
+
+
+ php_value post_max_size 31M
+ php_value upload_max_filesize 30M
+
+
+# Deny access to config.php, config.php.dist, debug.php, debug.php.dist, defaults.php
+# because they could become a security vulnerability when accessible
+# Better safe then sorry
+
+
+ Deny from all
+
+
+ = 2.4>
+
+ Require all denied
+
+
+
diff --git a/etc-template/kopano/webapp/config-contactfax.php b/etc-template/kopano/webapp/config-contactfax.php
new file mode 100644
index 0000000..06f2da4
--- /dev/null
+++ b/etc-template/kopano/webapp/config-contactfax.php
@@ -0,0 +1,4 @@
+
diff --git a/etc-template/kopano/webapp/config-gmaps.php b/etc-template/kopano/webapp/config-gmaps.php
new file mode 100644
index 0000000..9f2acd1
--- /dev/null
+++ b/etc-template/kopano/webapp/config-gmaps.php
@@ -0,0 +1,13 @@
+
diff --git a/etc-template/kopano/webapp/config-intranet.php b/etc-template/kopano/webapp/config-intranet.php
new file mode 100644
index 0000000..6682ac0
--- /dev/null
+++ b/etc-template/kopano/webapp/config-intranet.php
@@ -0,0 +1,17 @@
+');
+
+// This setting can be changed by the user in his settings.
+// Here you can define the default behaviour.
+define('PLUGIN_MATTERMOST_AUTOSTART', true);
diff --git a/etc-template/kopano/webapp/config-meet.php b/etc-template/kopano/webapp/config-meet.php
new file mode 100644
index 0000000..44dc00b
--- /dev/null
+++ b/etc-template/kopano/webapp/config-meet.php
@@ -0,0 +1,19 @@
+
+ *
+ *******************************************************************************/
+
+// This file contains the configuration options of the Meet plugin
+
+// This disables the plugin by default
+define('PLUGIN_MEET_USER_DEFAULT_ENABLE', false);
+
+// The URL of the Meet PWA
+//define('PLUGIN_MEET_MEET_URL', 'https://');
+
+// The URL of the Meet join flow
+//define('PLUGIN_MEET_MEET_JOIN_URL' '/meet/r/join/group/');
diff --git a/etc-template/kopano/webapp/config-pimfolder.php b/etc-template/kopano/webapp/config-pimfolder.php
new file mode 100644
index 0000000..261104f
--- /dev/null
+++ b/etc-template/kopano/webapp/config-pimfolder.php
@@ -0,0 +1,4 @@
+
diff --git a/etc-template/kopano/webapp/config-threema4deskapp.php b/etc-template/kopano/webapp/config-threema4deskapp.php
new file mode 100644
index 0000000..4bd35a7
--- /dev/null
+++ b/etc-template/kopano/webapp/config-threema4deskapp.php
@@ -0,0 +1,6 @@
+ 'pink',
+ // 'displayName' => _('Pink'),
+ // 'base' => '#ff0099'
+ // )
+ // )));
+
+ // Additional categories can be added by uncommenting and editing the following define.
+ // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
+ // To change the default categories, DEFAULT_CATEGORIES can also be defined here.
+ // Note: Every category should have a unique name, because it is used to identify the category
+ // define("ADDITIONAL_CATEGORIES", json_encode(array(
+ // array(
+ // 'name' => _('Family'),
+ // 'color' => '#000000',
+ // 'quickAccess' => true,
+ // 'sortIndex' => 10
+ // )
+ // )));
+
+ // Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
+ // define("CONTACT_PREFIX", json_encode(array(
+ // array(_('Er.')),
+ // array(_('Gr.'))
+ // )));
+
+ // Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
+ // define("CONTACT_SUFFIX", json_encode(array(
+ // array(_('A')),
+ // array(_('B'))
+ // )));
+
+ // Define the polling interval in minutes for unread mail in shared stores.
+ define("SHARED_STORE_POLLING_INTERVAL", 15);
+
+ // Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds
+ // defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero
+ // disables this feature.
+ define("PREFETCH_EMAIL_COUNT", 10);
+
+ // Define the interval between loading of new emails in the background.
+ define("PREFETCH_EMAIL_INTERVAL", 30);
+
+ /**************************************\
+ * Memory usage and timeouts *
+ \**************************************/
+
+ // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
+ ini_set("max_execution_time", 300); // 5 minutes
+
+ // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
+ define("BLOCK_SIZE", 1048576);
+
+ // Time that static files may exist in the client's cache (13 weeks)
+ define("EXPIRES_TIME", 60*60*24*7*13);
+
+ // Time that the state files are allowed to survive (in seconds)
+ // For filesystems on which relatime is used, this value should be larger then the relatime_interval
+ // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
+ // 24 hours.
+ define("STATE_FILE_MAX_LIFETIME", 28*60*60);
+
+ // Time that attachments are allowed to survive (in seconds)
+ define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60);
+
+ /**********************************************************************************
+ * Logging settings
+ *
+ * Possible LOG_USER_LEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ *
+ **************************************************************************************/
+ define("LOG_USER_LEVEL", LOGLEVEL_INFO);
+
+ // To save e.g. user activity data only for selected users, provide the username followed by semicolon.
+ // The data will be saved into a dedicated file per user in the LOG_FILE_DIR
+ // Users have to be encapsulated in quotes, several users are semicolon separated, like:
+ // define('LOG_USERS', 'user1;user2;user3');
+ define("LOG_USERS", "");
+
+ // Location of the log directory
+ // e.g /var/log/webapp-userslog/users/
+ // The directory will be created when it does not exist.
+ // Webserver user should have permissions to write in this folder
+ define("LOG_FILE_DIR", "");
+
+ /**************************************\
+ * Languages *
+ \**************************************/
+
+ // Location to the translations
+ define("LANGUAGE_DIR", "server/language/");
+
+ // Defines the default interface language. This can be overridden by the user.
+ if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") {
+ define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
+ } else {
+ define('LANG', 'en_US.UTF-8'); // default fallback language
+ }
+
+ // List of languages that should be enabled in the logon
+ // screen's language drop down. Languages should be specified
+ // using _[.UTF-8], and separated with
+ // semicolon. A list of available languages can be found in
+ // the manual or by looking at the list of directories in
+ // /usr/share/kopano-webapp/server/language .
+ define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_CN");
+
+ // Defines the default time zone
+ if (!ini_get('date.timezone')) {
+ date_default_timezone_set('Europe/Berlin');
+ }
+
+ /**************************************\
+ * Powerpaste *
+ \**************************************/
+
+ // Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions
+ // for more details.
+ define("POWERPASTE_WORD_IMPORT", "merge");
+ define("POWERPASTE_HTML_IMPORT", "merge");
+ define("POWERPASTE_ALLOW_LOCAL_IMAGES", true);
+
+ /**************************************\
+ * Debugging *
+ \**************************************/
+
+ // Do not log errors into stdout, since this generates faulty JSON responses.
+ ini_set("display_errors", false);
+
+ ini_set("log_errors", true);
+ error_reporting(E_ERROR);
+
+ // Log successful logins
+ define("LOG_SUCCESSFUL_LOGINS", false);
+
+ if (file_exists('debug.php')) {
+ include_once('debug.php');
+ } else {
+ // define empty dump function in case we still use it somewhere
+ function dump(){}
+ }
+?>
diff --git a/etc-template/postfix/main.cf b/etc-template/postfix/main.cf
new file mode 100644
index 0000000..4bb165d
--- /dev/null
+++ b/etc-template/postfix/main.cf
@@ -0,0 +1,64 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+# maillog_file = /dev/stdout
+# maillog_file=/var/log/postfix.log
+# maillog_file_permissions=0644
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
+compatibility_level = 2
+
+# local domains
+myhostname = nuc0.zntrl.de
+mydestination = $myhostname, localhost.$mydomain, localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+# trusts all hosts in the kopano docker network
+mynetworks_style = subnet
+
+# virtual domains
+virtual_mailbox_domains = zntrl.de ads64.de
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_alias_maps = hash:/etc/postfix/virtual
+# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
+virtual_transport = lmtp:dagent:2003
+lmtp_tls_loglevel = 1
+
+# default outbound transport for all domains, use one relay for all domains
+# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
+default_transport = smtp:[relay.zntrl.de]:465
+
+# SMTPD (inbound) TLS parameters
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
+smtpd_tls_key_file = /etc/ssl/private/zntrl.key
+smtpd_tls_cert_file = /etc/ssl/zntrl.crt
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# SMTP (outbound)
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
+smtp_tls_key_file = /etc/ssl/private/zntrl.key
+smtp_tls_cert_file = /etc/ssl/zntrl.crt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+smtp_tls_loglevel = 1
+
+mailbox_size_limit = 0
+message_size_limit = 50000000
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
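Review bot: `mynetworks_style = subnet` combined with `permit_mynetworks` in `smtpd_relay_restrictions` lets any address on the container's attached subnets relay without authentication. Depending on how the SMTP port is published, Docker may present external clients with a source address from the bridge network, which would turn this into an open relay. Listing the trusted peers explicitly is safer, for example `mynetworks = 127.0.0.0/8 [::1]/128 <filter-container-address>` (placeholder for the content filter's address). Separately, `smtp_tls_security_level = encrypt` encrypts the hop to `[relay.zntrl.de]:465` but does not validate the relay's certificate. Since all outbound mail uses that transport, `smtp_tls_security_level = secure` (or `verify`) would authenticate the relay against the configured `smtp_tls_CAfile`.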
diff --git a/etc-template/postfix/master.cf b/etc-template/postfix/master.cf
new file mode 100644
index 0000000..17ecf60
--- /dev/null
+++ b/etc-template/postfix/master.cf
@@ -0,0 +1,84 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+ -o content_filter=scan:kopano-spampd-1:10025
+ -o receive_override_options=no_address_mappings
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# Proxy receiver, see https://cwiki.apache.org/confluence/display/spamassassin/IntegratePostfixViaSpampd
+#
+10026 inet n - n - 10 smtpd
+ -o content_filter=
+ -o myhostname=mta.zntrl.de
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o smtpd_tls_security_level=none
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
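Review bot: The port-25 listener sets `content_filter=scan:kopano-spampd-1:10025`, but no `scan` service is defined anywhere in this file, so unless it is added elsewhere filtered mail would be deferred as transport unavailable. The usual companion entry is `scan unix - - n - 10 smtp` followed by `-o smtp_send_xforward_command=yes`. The host name `kopano-spampd-1` is tied to a compose project named `kopano` and stops resolving if the project name changes; the compose service name is more stable. The `10026` re-injection listener accepts only `127.0.0.0/8` through `permit_mynetworks,reject`, so a filter running in a separate container would be rejected. That `-o mynetworks=` override, and `smtpd_authorized_xforward_hosts`, should name the filter container's address rather than loopback, without widening to the whole subnet.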
diff --git a/etc-template/postfix/virtual b/etc-template/postfix/virtual
new file mode 100644
index 0000000..1734f7f
--- /dev/null
+++ b/etc-template/postfix/virtual
@@ -0,0 +1,3 @@
+postmaster@zntrl.de postmaster
+abuse@zntrl.de postmaster
+
diff --git a/etc-template/postfix/virtual.db b/etc-template/postfix/virtual.db
new file mode 100644
index 0000000..b82c97a
Binary files /dev/null and b/etc-template/postfix/virtual.db differ
diff --git a/etc-template/postfix/vmailbox b/etc-template/postfix/vmailbox
new file mode 100644
index 0000000..a8e24a6
--- /dev/null
+++ b/etc-template/postfix/vmailbox
@@ -0,0 +1,8 @@
+baloan@zntrl.de notused
+blu3prince@zntrl.de notused
+fafnir@zntrl.de notused
+postmaster@zntrl.de notused
+andreas@ads64.de notused
+postmaster@ads64.de notused
+# Comment out the entry below to implement a catch-all.
+# @zntrl.de notused
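Review bot: The comment above the catch-all entry says "Comment out the entry below", but that entry is already commented, so the instruction is inverted. It should read `# Uncomment the entry below to implement a catch-all.` The compiled `vmailbox.db` and `virtual.db` committed alongside are generated from these text maps and can silently drift from them; running `postmap` on both at image build or container start keeps the lookup tables in step with what reviewers see here.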
diff --git a/etc-template/postfix/vmailbox.db b/etc-template/postfix/vmailbox.db
new file mode 100644
index 0000000..c103053
Binary files /dev/null and b/etc-template/postfix/vmailbox.db differ
diff --git a/etc-template/z-push/autodiscover.conf.php b/etc-template/z-push/autodiscover.conf.php
new file mode 100644
index 0000000..3bd1540
--- /dev/null
+++ b/etc-template/z-push/autodiscover.conf.php
@@ -0,0 +1,88 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+
+ // Replace zpush.example.com with your z-push's host name and uncomment the line below.
+ define('ZPUSH_HOST', 'zntrl.de');
+
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', 'Europe/Berlin');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ /*
+ * Whether to use the complete email address as a login name
+ * (e.g. user@company.com) or the username only (user).
+ * Possible values:
+ * false - use the username only (default).
+ * true - use the complete email address.
+ */
+ define('USE_FULLEMAIL_FOR_LOGIN', false);
+
+/**********************************************************************************
+ * Logging settings
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ */
+
+ define('LOGBACKEND', 'filelog');
+
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
+ define('LOGLEVEL', LOGLEVEL_WBXML);
+ define('LOGUSERLEVEL', LOGLEVEL);
+ $specialLogUsers = array();
+
+ // Syslog settings
+ // false will log to local syslog, otherwise put the remote syslog IP here
+ define('LOG_SYSLOG_HOST', false);
+ // Syslog port
+ define('LOG_SYSLOG_PORT', 514);
+ // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', '');
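Review bot: `define('LOGLEVEL', LOGLEVEL_WBXML);` puts the deployed config at one of the most verbose levels in the list above it, and `LOGUSERLEVEL` inherits that through `define('LOGUSERLEVEL', LOGLEVEL);`. The comment block says this level also prints the WBXML exchanged with the device, so request payloads can accumulate under `/var/log/z-push/` for every user. A baseline of `define('LOGLEVEL', LOGLEVEL_INFO);` is more appropriate for a template. The higher level can then be enabled only for accounts listed in `$specialLogUsers` while troubleshooting, and log rotation and file permissions on that directory should be checked.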
diff --git a/etc-template/z-push/autodiscover.conf.php.dist b/etc-template/z-push/autodiscover.conf.php.dist
new file mode 100644
index 0000000..4075594
--- /dev/null
+++ b/etc-template/z-push/autodiscover.conf.php.dist
@@ -0,0 +1,88 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+
+ // Replace zpush.example.com with your z-push's host name and uncomment the line below.
+ // define('ZPUSH_HOST', 'zpush.example.com');
+
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', '');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ /*
+ * Whether to use the complete email address as a login name
+ * (e.g. user@company.com) or the username only (user).
+ * Possible values:
+ * false - use the username only (default).
+ * true - use the complete email address.
+ */
+ define('USE_FULLEMAIL_FOR_LOGIN', false);
+
+/**********************************************************************************
+ * Logging settings
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ */
+
+ define('LOGBACKEND', 'filelog');
+
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGUSERLEVEL', LOGLEVEL);
+ $specialLogUsers = array();
+
+ // Syslog settings
+ // false will log to local syslog, otherwise put the remote syslog IP here
+ define('LOG_SYSLOG_HOST', false);
+ // Syslog port
+ define('LOG_SYSLOG_PORT', 514);
+ // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', '');
diff --git a/etc-template/z-push/gabsync.conf.php b/etc-template/z-push/gabsync.conf.php
new file mode 100644
index 0000000..5993ef4
--- /dev/null
+++ b/etc-template/z-push/gabsync.conf.php
@@ -0,0 +1,86 @@
+.
+*
+* Consult LICENSE file for details
+* ************************************************/
+
+// The field to be hashed that is unique and never changes
+// in the entire lifetime of the GAB entry.
+define('HASHFIELD', 'account');
+define('AMOUNT_OF_CHUNKS', 10);
+
+// SyncWorker implementation to be used
+define('SYNCWORKER', 'Kopano');
+
+// Unique id to find a contact from the GAB (value to be supplied by -u on the command line)
+// Zarafa supports: 'account' and 'smtpAddress' (email)
+define('UNIQUEID', 'smtpAddress');
+
+// Server connection settings
+// Depending on your setup, it might be advisable to change the lines below to one defined with your
+// default socket location.
+// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
+// Examples: define("SERVER", "default:");
+// define("SERVER", "http://localhost:236/kopano");
+// define("SERVER", "https://localhost:237/kopano");
+// define("SERVER", "file:///var/run/kopano/server.sock");
+// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
+// define("SERVER", "http://localhost:236/zarafa");
+// define("SERVER", "https://localhost:237/zarafa");
+// define("SERVER", "file:///var/run/zarafad/server.sock");
+// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
+// define("SERVER", "file:///var/run/zarafa");
+
+define('SERVER', 'http://server:236/kopano');
+
+define('USERNAME', 'SYSTEM');
+define('PASSWORD', '');
+define('CERTIFICATE', null);
+define('CERTIFICATE_PASSWORD', null);
+
+// Store where the hidden folder is located.
+// For the public folder, use SYSTEM
+// to use another store, use the same as USERNAME
+// or another store where USERNAME has full access to.
+define('HIDDEN_FOLDERSTORE', 'SYSTEM');
+
+/// Do not change (unless you know exactly what you do)
+define('HIDDEN_FOLDERNAME', 'Z-Push-KOE-GAB');
+
+// Types of the objects to sync to GAB.
+define('GAB_SYNC_USER', 1);
+define('GAB_SYNC_CONTACT', 2);
+define('GAB_SYNC_GROUP', 4);
+define('GAB_SYNC_ROOM', 8);
+define('GAB_SYNC_EQUIPMENT', 16);
+
+define('GAB_SYNC_ALL', GAB_SYNC_USER | GAB_SYNC_CONTACT | GAB_SYNC_GROUP | GAB_SYNC_ROOM | GAB_SYNC_EQUIPMENT);
+
+// Set which items from GAB should be synced.
+// Default value is GAB_SYNC_ALL which syncs all items.
+// In order to sync only some specific types combine them with "|", e.g.
+// to sync only users and groups use:
+// define('GAB_SYNC_TYPES', GAB_SYNC_USER | GAB_SYNC_CONTACT);
+// In order to exclude specific types combine "& ~TYPE", e.g.
+// to sync all types except rooms and equipments use:
+// define('GAB_SYNC_TYPES', GAB_SYNC_ALL & ~GAB_SYNC_ROOM & ~GAB_SYNC_EQUIPMENT);
+define('GAB_SYNC_TYPES', GAB_SYNC_ALL);
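Review bot: `define('SERVER', 'http://server:236/kopano');` puts the GAB sync session, which logs in as `SYSTEM` with an empty `PASSWORD`, on unencrypted HTTP over TCP. The commented examples just above it already list `https://…:237/kopano` and the `file:///var/run/kopano/server.sock` socket; either keeps this privileged session off plaintext TCP, provided the server side enables that listener (not visible in this hunk). The host is also hard-coded as `server`, whereas `MAPI_SERVER` in kopano.conf.php uses `$DCKR_SERVER`. That line has the same plain-`http://` URL and carries end-user logins, so the same change applies there.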
diff --git a/etc-template/z-push/kopano.conf.php b/etc-template/z-push/kopano.conf.php
new file mode 100644
index 0000000..9a76a96
--- /dev/null
+++ b/etc-template/z-push/kopano.conf.php
@@ -0,0 +1,83 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+// ************************
+// BackendKopano settings
+// ************************
+
+// Defines the server to which we want to connect.
+//
+// Depending on your setup, it might be advisable to change the lines below to one defined with your
+// default socket location.
+// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
+// Examples: define("MAPI_SERVER", "default:");
+// define("MAPI_SERVER", "http://localhost:236/kopano");
+// define("MAPI_SERVER", "https://localhost:237/kopano");
+// define("MAPI_SERVER", "file:///var/run/kopano/server.sock");
+// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
+// define("MAPI_SERVER", "http://localhost:236/zarafa");
+// define("MAPI_SERVER", "https://localhost:237/zarafa");
+// define("MAPI_SERVER", "file:///var/run/zarafad/server.sock");
+// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
+// define("MAPI_SERVER", "file:///var/run/zarafa");
+
+define('MAPI_SERVER', 'http://$DCKR_SERVER:236/kopano');
+
+// Read-Only shared folders
+// When trying to write a change on a read-only folder this data is dropped and replaced on the device of the user.
+// Enabling the option below, sends an email to the user notifying that this happened (default enabled).
+// If this is disabled, the data will be dropped silently and will be lost.
+// The template of the email sent can be customized here. The placeholders can also be used in the subject.
+define('READ_ONLY_NOTIFY_LOST_DATA', true);
+// String to mark the data changed by the user (that he is trying to save)
+define('READ_ONLY_NOTIFY_YOURDATA', 'Your data');
+// Email template to be sent to the user
+define('READ_ONLY_NOTIFY_SUBJECT', "Z-Push: Writing operation not permitted - data reset");
+define('READ_ONLY_NOTIFY_BODY', <<0 - Store the minimum number of previously used passwords.
+devpwhistory = 0
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Policies for ActiveSync version 12.1 and higher
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; The device allows to use a storage card.
+; 0 - SD card not allowed.
+; 1 - SD card allowed.
+allowstoragecard = 1
+
+; The device allows to use the built-in camera.
+; 0 - Usage of the built-in camera not allowed.
+; 1 - Usage of built-in the camera allowed.
+allowcam = 1
+
+; Specifies if the client uses encryption.
+; 0 - Encryption not required.
+; 1 - Encryption required.
+reqdevenc = 0
+
+; Specifies if the device allows unsigned applications to execute.
+; 0 - Unsigned applications not allowed to execute.
+; 1 - Unsigned applications allowed to execute.
+allowunsignedapps = 1
+
+; The required complexity level of the device password.
+; Valid values for mindevcomplexchars are between 1 and 4. The value specifies
+; the number of character groups to be contained in the password.
+; The character groups are:
+; - Lower case alphabetical characters
+; - Upper case alphabetical characters
+; - Numbers
+; - Non-alphanumeric characters
+; For example, if the value of mindevcomplexchars is 2, a password may contain
+; lower case and upper case characters. A password with numbers and non-alphanumeric
+; characters would be also valid.
+mindevcomplexchars = 3
+
+; The device allows the use of Wi-Fi connections.
+; 0 - The use of Wi-Fi connections not allowed.
+; 1 - The use of Wi-Fi connections allowed.
+allowwifi = 1
+
+; The device allows the use of SMS or text messaging.
+; 0 - SMS or text messaging not allowed.
+; 1 - SMS or text messaging allowed.
+allowtextmessaging = 1
+
+; The device allows access to POP or IMAP email.
+; 0 - POP or IMAP email access not allowed.
+; 1 - POP or IMAP email access allowed.
+allowpopimapemail = 1
+
+; The use of Bluetooth on the device.
+; 0 - Disable Bluetooth.
+; 1 - Disable Bluetooth, but allow the configuration of hands-free profiles.
+; 2 - Allow Bluetooth.
+allowbluetooth = 2
+
+; The device allows the use of IrDA (infrared) connections.
+; 0 - Disable IrDA.
+; 1 - Allow IrDA.
+allowirda = 1
+
+; The device requires manual synchronization when the device is roaming.
+; 0 - Do not require manual sync; allow direct push when roaming.
+; 1 - Require manual sync when roaming.
+reqmansyncroam = 0
+
+; The maximum number of calendar days that can be synchronized.
+; 0 - All days
+; 4 - 2 weeks
+; 5 - 1 month
+; 6 - 3 months
+; 7 - 6 months
+maxcalagefilter = 0
+
+; Specifies if the client uses HTML-formatted email.
+; 0 - HTML-formatted email not allowed.
+; 1 - HTML-formatted email allowed.
+allowhtmlemail = 1
+
+; The email age limit for synchronization.
+; 0 - Sync all
+; 1 - 1 day
+; 2 - 3 days
+; 3 - 1 week
+; 4 - 2 weeks
+; 5 - 1 month
+maxemailagefilter = 0
+
+; The maximum truncation size for plain text–formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailbodytruncsize = -1
+
+; The maximum truncation size for HTML-formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailhtmlbodytruncsize = -1
+
+; Specifies if the client sends signed S/MIME messages.
+; 0 - Signed S/MIME messages not required.
+; 1 - Signed S/MIME messages required.
+reqsignedsmimemessages = 0
+
+; Specifies if the client sends encrypted email messages.
+; 0 - Encrypted email messages not required.
+; 1 - Email messages required to be encrypted.
+reqencsmimemessages = 0
+
+; The algorithm used to sign S/MIME messages.
+; 0 - Use SHA1.
+; 1 - Use MD5.
+reqsignedsmimealgorithm = 0
+
+; The algorithm used to encrypt S/MIME messages.
+; 0 - TripleDES algorithm
+; 1 - DES algorithm
+; 2 - RC2128bit
+; 3 - RC264bit
+; 4 - RC240bit
+reqencsmimealgorithm = 0
+
+; Controls negotiation of the encryption algorithm.
+; 0 - Do not negotiate.
+; 1 - Negotiate a strong algorithm.
+; 2 - Negotiate any algorithm.
+allowsmimeencalgneg = 2
+
+; Specifies if the client can use soft certificates to sign outgoing messages.
+; 0 - Soft certificates are not allowed.
+; 1 - Soft certificates are allowed.
+allowsmimesoftcerts = 1
+
+; Specifies if the device allows the use of a web browser.
+; 0 - Do not allow the use of a web browser.
+; 1 - Allow the use of a web browser.
+allowbrowser = 1
+
+; Specifies if the device allows the user to configure a personal email account.
+; 0 - Do not allow the user to configure a personal email account.
+; 1 - Allow the user to configure a personal email account.
+allowconsumeremail = 1
+
+; Specifies if the device allows the use of Internet Sharing.
+; 0 - Do not allow the use of Internet Sharing.
+; 1 - Allow the use of Internet Sharing.
+allowinternetsharing = 1
\ No newline at end of file
diff --git a/etc-template/z-push/z-push.conf.php b/etc-template/z-push/z-push.conf.php
new file mode 100644
index 0000000..0aed8cf
--- /dev/null
+++ b/etc-template/z-push/z-push.conf.php
@@ -0,0 +1,373 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', 'Europe/Berlin');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ // Try to set unlimited timeout
+ define('SCRIPT_TIMEOUT', 0);
+
+ // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
+ define('USE_CUSTOM_REMOTE_IP_HEADER', false);
+
+ // When using client certificates, we can check if the login sent matches the owner of the certificate.
+ // This setting specifies the owner parameter in the certificate to look at.
+ define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
+ /*
+ * Whether to use the complete email address as a login name
+ * (e.g. user@company.com) or the username only (user).
+ * This is required for Z-Push to work properly after autodiscover.
+ * Possible values:
+ * false - use the username only.
+ * true - string the mobile sends as username, e.g. full email address (default).
+ */
+ define('USE_FULLEMAIL_FOR_LOGIN', true);
+
+/**********************************************************************************
+ * StateMachine setting
+ *
+ * These StateMachines can be used:
+ * FILE - FileStateMachine (default). Needs STATE_DIR set as well.
+ * SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored.
+ * State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
+ */
+ define('STATE_MACHINE', 'FILE');
+ define('STATE_DIR', '/var/lib/z-push/');
+
+/**********************************************************************************
+ * IPC - InterProcessCommunication
+ *
+ * Is either provided by using shared memory on a single host or
+ * using the memcache provider for multi-host environments.
+ * When another implementation should be used, the class can be set here explicitly.
+ * If empty Z-Push will try to use available providers.
+ */
+ define('IPC_PROVIDER', '');
+
+/**********************************************************************************
+ * Logging settings
+ *
+ * The LOGBACKEND specifies where the logs are sent to.
+ * Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
+ * filelog and syslog have several options that can be set below.
+ * For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
+
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ *
+ * LOGAUTHFAIL is logged to the LOGBACKEND.
+ */
+ define('LOGBACKEND', 'filelog');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGAUTHFAIL', false);
+
+ // To save e.g. WBXML data only for selected users, add the usernames to the array
+ // The data will be saved into a dedicated file per user in the LOGFILEDIR
+ // Users have to be encapusulated in quotes, several users are comma separated, like:
+ // $specialLogUsers = array('info@domain.com', 'myusername');
+ define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
+ $specialLogUsers = array('andreas',);
+
+ // Filelog settings
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'z-push.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+
+ // Syslog settings
+ // false will log to local syslog, otherwise put the remote syslog IP here
+ define('LOG_SYSLOG_HOST', false);
+ // Syslog port
+ define('LOG_SYSLOG_PORT', 514);
+ // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // The file containing the policies' settings.
+ // Set a full path or relative to the z-push main directory
+ define('PROVISIONING_POLICYFILE', 'policies.ini');
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTCOMPANY);
+
+ // Maximum amount of items to be synchronized per request.
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest provided value, either set here or by the mobile.
+ // MS Outlook 2013+ request up to 512 items to accelerate the sync process.
+ // If you detect high load (also on subsystems) you could try a lower setting.
+ // max: 512 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 512);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.z-hub.io/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 5242880 - 5 MB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
+
+ // Over the WebserviceUsers command it is possible to retrieve a list of all
+ // known devices and users on this Z-Push system. The authenticated user needs to have
+ // admin rights and a public folder must exist.
+ // In multicompany environments this enable an admin user of any company to retrieve
+ // this full list, so this feature is disabled by default. Enable with care.
+ define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
+
+ // Users with many folders can use the 'partial foldersync' feature, where the server
+ // actively stops processing the folder list if it takes too long. Other requests are
+ // then redirected to the FolderSync to synchronize the remaining items.
+ // Device compatibility for this procedure is not fully understood.
+ // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
+ define('USE_PARTIAL_FOLDERSYNC', false);
+
+ // The minimum accepted time in second that a ping command should last.
+ // It is strongly advised to keep this config to false. Some device
+ // might not be able to send a higher value than the one specificied here and thus
+ // unable to start a push connection.
+ // If set to false, there will be no lower bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_LOWER_BOUND_LIFETIME', false);
+
+ // The maximum accepted time in second that a ping command should last.
+ // If set to false, there will be no higher bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_HIGHER_BOUND_LIFETIME', false);
+
+ // Maximum response time
+ // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
+ // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
+ // the answer will not be recieved and the device will send a new one overloading the server.
+ // There are three categories
+ // - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
+ // - Medium timeout - server has up to 90 seconds to respond
+ // - Long timeout - server has up to 4 minutes to respond
+ // If a timeout is almost reached the server will break and sent the results it has until this
+ // point. You can add DeviceType strings to the categories.
+ // In general longer timeouts are better, because more data can be streamed at once.
+ define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
+ define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
+
+ // Time in seconds the device should wait whenever the service is unavailable,
+ // e.g. when a backend service is unavailable.
+ // Z-Push sends a "Retry-After" header in the response with the here defined value.
+ // It is up to the device to respect or not this directive so even if this option is set,
+ // the device might not wait requested time frame.
+ // Number of seconds before retry, to disable set to: false
+ define('RETRY_AFTER_DELAY', 300);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', '');
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+/**********************************************************************************
+ * Kopano Outlook Extension - Settings
+ *
+ * The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
+ * functionality not provided by ActiveSync or not implemented by Outlook.
+ * For more information, see: https://wiki.z-hub.io/x/z4Aa
+ */
+ // Global Address Book functionality
+ define('KOE_CAPABILITY_GAB', true);
+ // Synchronize mail flags from the server to Outlook/KOE
+ define('KOE_CAPABILITY_RECEIVEFLAGS', true);
+ // Encode flags when sending from Outlook/KOE
+ define('KOE_CAPABILITY_SENDFLAGS', true);
+ // Out-of-office support
+ define('KOE_CAPABILITY_OOF', true);
+ // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
+ define('KOE_CAPABILITY_OOFTIMES', true);
+ // Notes support
+ define('KOE_CAPABILITY_NOTES', true);
+ // Shared folder support
+ define('KOE_CAPABILITY_SHAREDFOLDER', true);
+ // Send-As support for Outlook/KOE and mobiles
+ define('KOE_CAPABILITY_SENDAS', true);
+ // Secondary Contact folders (own and shared)
+ define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
+ // Copy WebApp signature into KOE
+ define('KOE_CAPABILITY_SIGNATURES', true);
+
+ // To synchronize the GAB KOE, the GAB store and folderid need to be specified.
+ // Use the gab-sync script to generate this data. The name needs to
+ // match the config of the gab-sync script.
+ // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
+ define('KOE_GAB_STORE', 'SYSTEM');
+ define('KOE_GAB_FOLDERID', '');
+ define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.org/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Kopano users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ * SYNC_FOLDER_TYPE_USER_NOTE
+ *
+ * Additional notes:
+ * - on Kopano systems use backend/kopano/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have at least reading permissions so the configured
+ * folders can be synchronized to the mobile. Else they are ignored.
+ *
+ * - this feature is only partly suitable for multi-tenancy environments,
+ * as ALL users from ALL tenents need access to the configured store & folder.
+ * When configuring a public folder, this will cause problems, as each user has
+ * a different public folder in his tenant, so the folder are not available.
+
+ * - changing this configuration could cause HIGH LOAD on the system, as all
+ * connected devices will be updated and load the data contained in the
+ * added/modified folders.
+ */
+
+ $additionalFolders = array(
+ // demo entry for the synchronization of contacts from the public folder.
+ // uncomment (remove '/*' '*/') and fill in the folderid
+/*
+ array(
+ 'store' => "SYSTEM",
+ 'folderid' => "",
+ 'name' => "Public Contacts",
+ 'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
+ ),
+*/
+ );
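Review bot: `$specialLogUsers = array('andreas',);` with `LOGUSERLEVEL` set to `LOGLEVEL_DEVICEID` leaves per-user debug logging for a named account switched on in a committed template. Per the level list in the comment block above, that level includes `LOGLEVEL_WBXML`, so the WBXML exchanged with that user's devices is written to a dedicated file in `/var/log/z-push/` wherever this file is deployed. I would commit `$specialLogUsers = array();` and enable the entry only while debugging. `define('LOGAUTHFAIL', false);` is also worth revisiting: if it does what its name suggests, failed logins leave no log entry to alert or rate-limit on. If this template goes through the same variable substitution that `$DCKR_SERVER` in kopano.conf.php relies on, check that it is limited to the intended names, because `$_SERVER`, `$specialLogUsers` and `$additionalFolders` must survive unchanged.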
diff --git a/etc-template/z-push/z-push.conf.php.dpkg-dist b/etc-template/z-push/z-push.conf.php.dpkg-dist
new file mode 100644
index 0000000..7fe9cbb
--- /dev/null
+++ b/etc-template/z-push/z-push.conf.php.dpkg-dist
@@ -0,0 +1,418 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', '');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ // Try to set unlimited timeout
+ define('SCRIPT_TIMEOUT', 0);
+
+ // This should be solved on THE webserver level if there are proxies
+ // between mobile client and Z-Push.
+ // IMPORTANT: This setting will be deprecated in Z-Push 2.7.0.
+ // Use a custom header to determinate the remote IP of a client.
+ // By default, the server provided REMOTE_ADDR is used. If the header here set
+ // is available, the provided value will be used, else REMOTE_ADDR is maintained.
+ // set to false to disable this behaviour.
+ // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
+ define('USE_CUSTOM_REMOTE_IP_HEADER', false);
+
+ // When using client certificates, we can check if the login sent matches the owner of the certificate.
+ // This setting specifies the owner parameter in the certificate to look at.
+ define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
+ /*
+ * Whether to use the complete email address as a login name
+ * (e.g. user@company.com) or the username only (user).
+ * This is required for Z-Push to work properly after autodiscover.
+ * Possible values:
+ * false - use the username only.
+ * true - string the mobile sends as username, e.g. full email address (default).
+ */
+ define('USE_FULLEMAIL_FOR_LOGIN', true);
+
+/**********************************************************************************
+ * StateMachine setting
+ *
+ * These StateMachines can be used:
+ * FILE - FileStateMachine (default). Needs STATE_DIR set as well.
+ * SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored.
+ * State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
+ */
+ define('STATE_MACHINE', 'FILE');
+ define('STATE_DIR', '/var/lib/z-push/');
+
+/**********************************************************************************
+ * IPC - InterProcessCommunication
+ *
+ * Is either provided by using shared memory on a single host or
+ * using the memcache provider for multi-host environments.
+ * When another implementation should be used, the class can be set here explicitly.
+ * If empty Z-Push will try to use available providers.
+
+ * Possible values:
+ * IpcSharedMemoryProvider - default. Requires z-push-ipc-sharedmemory package.
+ * IpcMemcachedProvider - requires z-push-ipc-memcached package. It is necessary to set up
+ * memcached server before (it won't be installed by z-push-ipc-memcached).
+ * IpcWincacheProvider - for windows systems.
+ */
+ define('IPC_PROVIDER', '');
+
+/**********************************************************************************
+ * Logging settings
+ *
+ * The LOGBACKEND specifies where the logs are sent to.
+ * Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
+ * filelog and syslog have several options that can be set below.
+ * For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
+
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ *
+ * LOGAUTHFAIL is logged to the LOGBACKEND.
+ */
+ define('LOGBACKEND', 'filelog');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGAUTHFAIL', false);
+
+ // To save e.g. WBXML data only for selected users, add the usernames to the array
+ // The data will be saved into a dedicated file per user in the LOGFILEDIR
+ // Users have to be encapusulated in quotes, several users are comma separated, like:
+ // $specialLogUsers = array('info@domain.com', 'myusername');
+ define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
+ $specialLogUsers = array();
+
+ // Filelog settings
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'z-push.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+
+ // Syslog settings
+ // false will log to local syslog, otherwise put the remote syslog IP here
+ define('LOG_SYSLOG_HOST', false);
+ // Syslog port
+ define('LOG_SYSLOG_PORT', 514);
+ // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // The file containing the policies' settings.
+ // Set a full path or relative to the z-push main directory
+ define('PROVISIONING_POLICYFILE', 'policies.ini');
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
+
+ // Maximum amount of items to be synchronized per request.
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest provided value, either set here or by the mobile.
+ // MS Outlook 2013+ request up to 512 items to accelerate the sync process.
+ // If you detect high load (also on subsystems) you could try a lower setting.
+ // max: 512 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 512);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.z-hub.io/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 5242880 - 5 MB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
+
+ // Over the WebserviceUsers command it is possible to retrieve a list of all
+ // known devices and users on this Z-Push system. The authenticated user needs to have
+ // admin rights and a public folder must exist.
+ // In multicompany environments this enable an admin user of any company to retrieve
+ // this full list, so this feature is disabled by default. Enable with care.
+ define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
+
+ // Users with many folders can use the 'partial foldersync' feature, where the server
+ // actively stops processing the folder list if it takes too long. Other requests are
+ // then redirected to the FolderSync to synchronize the remaining items.
+ // Device compatibility for this procedure is not fully understood.
+ // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
+ define('USE_PARTIAL_FOLDERSYNC', false);
+
+ // The minimum accepted time in second that a ping command should last.
+ // It is strongly advised to keep this config to false. Some device
+ // might not be able to send a higher value than the one specificied here and thus
+ // unable to start a push connection.
+ // If set to false, there will be no lower bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_LOWER_BOUND_LIFETIME', false);
+
+ // The maximum accepted time in second that a ping command should last.
+ // If set to false, there will be no higher bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_HIGHER_BOUND_LIFETIME', false);
+
+ // Maximum response time
+ // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
+ // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
+ // the answer will not be recieved and the device will send a new one overloading the server.
+ // There are three categories
+ // - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
+ // - Medium timeout - server has up to 90 seconds to respond
+ // - Long timeout - server has up to 4 minutes to respond
+ // If a timeout is almost reached the server will break and sent the results it has until this
+ // point. You can add DeviceType strings to the categories.
+ // In general longer timeouts are better, because more data can be streamed at once.
+ define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
+ define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
+
+ // Time in seconds the device should wait whenever the service is unavailable,
+ // e.g. when a backend service is unavailable.
+ // Z-Push sends a "Retry-After" header in the response with the here defined value.
+ // It is up to the device to respect or not this directive so even if this option is set,
+ // the device might not wait requested time frame.
+ // Number of seconds before retry, to disable set to: false
+ define('RETRY_AFTER_DELAY', 300);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // The backend data provider.
+ // Leave this value empty and Z-Push will autoload a backend. The sequence of autoload is:
+ // BackendKopano, BackendCombined, BackendIMAP, BackendVCardDir, BackendMaildir.
+ // If BackendKopano is not installed, Z-Push will load BackendCombined. If BackendCombined
+ // also is not installed, Z-Push will load BackendIMAP and so on.
+ // If you prefer explicitly configure a backend provider, currently possible values are:
+ // BackendKopano - to use with the Kopano groupware. Syncs emails, calendar items,
+ // contacts, tasks and notes or any combination of the listed items.
+ // BackendCombined - combine multiple backends for different items, e.g.
+ // BackendIMAP for emails, BackendCalDAV for calendar items,
+ // BackendCardDAV for contacts etc. You can configure what backend
+ // syncs which items in /etc/combined.conf.php.
+ // BackendIMAP - to sync emails with an IMAP server.
+ // BackendCalDAV - to sync calendar items and / or tasks with a CalDAV server.
+ // BackendCardDAV - to sync contacts with a CardDAV server.
+ // BackendMaildir - to sync emails from a Maildir.
+ // BackendStickyNote - to sync notes with a Postgres server.
+ // BackendVCardDir - to sync contacts with vcard folder.
+ define('BACKEND_PROVIDER', '');
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+/**********************************************************************************
+ * Kopano Outlook Extension - Settings
+ *
+ * The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
+ * functionality not provided by ActiveSync or not implemented by Outlook.
+ * For more information, see: https://wiki.z-hub.io/x/z4Aa
+ */
+ // Global Address Book functionality
+ define('KOE_CAPABILITY_GAB', true);
+ // Synchronize mail flags from the server to Outlook/KOE
+ define('KOE_CAPABILITY_RECEIVEFLAGS', true);
+ // Encode flags when sending from Outlook/KOE
+ define('KOE_CAPABILITY_SENDFLAGS', true);
+ // Out-of-office support
+ define('KOE_CAPABILITY_OOF', true);
+ // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
+ define('KOE_CAPABILITY_OOFTIMES', true);
+ // Notes support
+ define('KOE_CAPABILITY_NOTES', true);
+ // Shared folder support
+ define('KOE_CAPABILITY_SHAREDFOLDER', true);
+ // Send-As support for Outlook/KOE and mobiles
+ define('KOE_CAPABILITY_SENDAS', true);
+ // Secondary Contact folders (own and shared)
+ define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
+ // Copy WebApp signature into KOE
+ define('KOE_CAPABILITY_SIGNATURES', true);
+ // Delivery receipt requests
+ define('KOE_CAPABILITY_RECEIPTS', true);
+ // Impersonate other users
+ define('KOE_CAPABILITY_IMPERSONATE', true);
+
+ // To synchronize the GAB KOE, the GAB store and folderid need to be specified.
+ // Use the gab-sync script to generate this data. The name needs to
+ // match the config of the gab-sync script.
+ // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
+ define('KOE_GAB_STORE', 'SYSTEM');
+ define('KOE_GAB_FOLDERID', '');
+ define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.org/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Kopano users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ * SYNC_FOLDER_TYPE_USER_NOTE
+ * flags: sets additional options on the shared folder. Supported are:
+ * DeviceManager::FLD_FLAGS_NONE
+ * No flags configured, default flag to be set
+ * DeviceManager::FLD_FLAGS_SENDASOWNER
+ * When replying in this folder, automatically do Send-As
+ * DeviceManager::FLD_FLAGS_CALENDARREMINDERS
+ * If set, Outlook shows reminders for these shares with KOE
+ * DeviceManager::FLD_FLAGS_NOREADONLYNOTIFY
+ * If set, Z-Push won't send notification emails for changes
+ * if the folder is read-only
+ *
+ * Additional notes:
+ * - on Kopano systems use backend/kopano/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have at least reading permissions so the configured
+ * folders can be synchronized to the mobile. Else they are ignored.
+ *
+ * - this feature is only partly suitable for multi-tenancy environments,
+ * as ALL users from ALL tenents need access to the configured store & folder.
+ * When configuring a public folder, this will cause problems, as each user has
+ * a different public folder in his tenant, so the folder are not available.
+
+ * - changing this configuration could cause HIGH LOAD on the system, as all
+ * connected devices will be updated and load the data contained in the
+ * added/modified folders.
+ */
+
+ $additionalFolders = array(
+ // demo entry for the synchronization of contacts from the public folder.
+ // uncomment (remove '/*' '*/') and fill in the folderid
+/*
+ array(
+ 'store' => "SYSTEM",
+ 'folderid' => "",
+ 'name' => "Public Contacts",
+ 'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
+ 'flags' => DeviceManager::FLD_FLAGS_NONE,
+ ),
+*/
+ );
diff --git a/etc-zntrl/kopano/dagent.cfg b/etc-zntrl/kopano/dagent.cfg
index f61d751..c31bb8f 100644
--- a/etc-zntrl/kopano/dagent.cfg
+++ b/etc-zntrl/kopano/dagent.cfg
@@ -13,9 +13,9 @@ lmtp_listen = *:2003
# connection to the storage server
#server_socket = file:///var/run/kopano/server.sock
-server_socket = https://server:237
+server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
-sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
+sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem
# The password of the SSL Key
sslkey_pass =
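Review bot: The new `server_socket` value hard-codes the container name `zntrl-server-1`, and the same literal is repeated in the search.cfg and spooler.cfg hunks of this commit, although `.env` now defines `DCKR_SERVER=$TAG-server-1` for this name. If TAG or the compose naming changes, the three files will point at a host that no longer resolves. If these files pass through the entrypoint's envsubst step (not visible here), `server_socket = https://${DCKR_SERVER}:237` would keep them in step with `.env`. Because the connection is HTTPS, the storage server's certificate presumably has to be valid for the new name, so confirm that it lists `zntrl-server-1`. The file continues outside the hunk.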
diff --git a/etc-zntrl/kopano/search.cfg b/etc-zntrl/kopano/search.cfg
index 7f0772f..0321f0e 100644
--- a/etc-zntrl/kopano/search.cfg
+++ b/etc-zntrl/kopano/search.cfg
@@ -6,7 +6,7 @@
#limit_results = 1000
# Use https to reach servers over the network
-server_socket = https://server:237
+server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
# The password of the SSL Key
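Review bot: `sslkey_file` here still points at the shared `system-key-cert.pem`, although the dagent.cfg hunk in this commit moves that service to its own `dagent-key-cert.pem`; the spooler.cfg hunk has the same leftover. With one key shared by several services, a leak or rotation of that key affects all of them at once, and the server cannot tell the services apart. If per-service keys are the intent, search and spooler would each get their own entry, for example `sslkey_file = /etc/kopano/ssl/private/<service>-key-cert.pem` (placeholder name; the key has to be generated and registered with the server first). If the shared key is deliberate, a comment above the line saying so would help.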
diff --git a/etc-zntrl/kopano/spooler.cfg b/etc-zntrl/kopano/spooler.cfg
index fb97131..a0beb41 100644
--- a/etc-zntrl/kopano/spooler.cfg
+++ b/etc-zntrl/kopano/spooler.cfg
@@ -5,7 +5,7 @@ smtp_server = postfix
smtp_port = 25
# Server Unix socket location
-server_socket = https://server:237
+server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
# The password of the SSL Key
diff --git a/etc-zntrl/z-push/z-push.conf.php b/etc-zntrl/z-push/z-push.conf.php
index 79c197a..0aed8cf 100644
--- a/etc-zntrl/z-push/z-push.conf.php
+++ b/etc-zntrl/z-push/z-push.conf.php
@@ -27,7 +27,7 @@
* Default settings
*/
// Defines the default time zone, change e.g. to "Europe/London" if necessary
- define('TIMEZONE', '');
+ define('TIMEZONE', 'Europe/Berlin');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
diff --git a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql
index e9bc804..b40afff 100644
--- a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql
+++ b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql
@@ -1,4 +1,4 @@
-CREATE USER 'kopano' IDENTIFIED BY 'Asdf2345';
+CREATE USER 'kopano' IDENTIFIED BY '$MYSQL_KOPANO_PASSWORD';
GRANT ALL ON kopano.* TO 'kopano'@'%';
flush privileges;
-- database is created by server automatically if not present
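Review bot: The `$MYSQL_KOPANO_PASSWORD` placeholder on the `CREATE USER` line is not expanded if this file is passed to the database client as a plain `.sql` init script, which is how init directories of this kind are usually processed. The account would then be created with the literal text `$MYSQL_KOPANO_PASSWORD` as its password, a value visible to anyone who can read the repository. Unless a templating step outside this diff rewrites the file, issue the statement from a shell init script (a here-document piped to the client) so the variable is expanded, and escape the value for SQL, since a quote or backslash in the password would break or alter the statement. The removed literal `Asdf2345` stays in the repository history, so an account created with it should get a new password. The context line `GRANT ALL ON kopano.* TO 'kopano'@'%'` also accepts the account from any host; restricting the host part to the compose network would narrow that.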
diff --git a/postfix/Dockerfile b/postfix/Dockerfile
index fe2c454..5e4e604 100644
--- a/postfix/Dockerfile
+++ b/postfix/Dockerfile
@@ -10,8 +10,7 @@ apt-get install -y rsyslog
apt-get autoclean
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm
EOF
-COPY etc/postfix/ /etc/postfix/
-COPY etc/ssl/ /etc/ssl/
+COPY etc-template /root/etc
# https://github.com/moby/moby/issues/31243#issuecomment-406879017
RUN <certs/$CN-key-certs.pem
\ No newline at end of file
+cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem
diff --git a/ssl/dist-certs b/ssl/dist-certs
new file mode 100644
index 0000000..eec1074
--- /dev/null
+++ b/ssl/dist-certs
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-ads64/postfix
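Review bot: The script has no error handling, so a failed `cp` (missing target directory, different checkout path) is ignored and that instance keeps its previous `relay_clientcerts`, presumably the list of client certificates the relay accepts. Since mkcerts now rebuilds that file from empty and no longer copies it, an instance can silently keep accepting certificates that were replaced. Adding `set -euo pipefail` after the shebang and looping over the instances, `for i in relay zntrl baloghs ads64; do cp certs/relay_clientcerts ~/kopano-docker/etc-$i/postfix/; done`, makes a failure visible and keeps the instance list in one place. `#!/usr/bin/env bash` is more portable than `#!/usr/bin/bash`, and a header comment such as `# run after ./mkcerts: distributes relay_clientcerts to all instances` would document the new two-step procedure.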
diff --git a/ssl/mkcerts b/ssl/mkcerts
index 2cdf14e..a8be9e9 100644
--- a/ssl/mkcerts
+++ b/ssl/mkcerts
@@ -29,11 +29,8 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -ou
./create-key z-push
# create postfix clients ssl key pair (for authentification)
-echo >certs/relay_clientcerts
+echo -n >certs/relay_clientcerts
./create-postfix-certs relay
./create-postfix-certs zntrl
./create-postfix-certs baloghs
-
-cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
-cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
-cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix
+./create-postfix-certs ads64
diff --git a/webapp/Dockerfile b/webapp/Dockerfile
index d2a5b2f..e96eae7 100644
--- a/webapp/Dockerfile
+++ b/webapp/Dockerfile
@@ -24,11 +24,17 @@ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm
rm -rf webapp-6.0.0.57.1049268-Ubuntu_20.04-all
rm -rf core-11.0.2.50.507cbae-Ubuntu_20.04-amd64
EOF
+COPY etc-zntrl /root/etc
+# RUN <