Intro

If you run an SME and want to be your own master regarding your internet presence, file sharing and working on the go, you will need your own web server. The easiest way nowadays is to get a virtual server from one of the many providers.

We will use a Debian virtual server. It should serve the following needs:

– Mailserver with: Webmail, IMAP-login from mail client programs, smtp server for mail delivery from clients

– Cloud storage for: Contacts

– Webserver: Serving our website to the web

– Online backup: saving our files from office hard disks in a secure remote place

You may select the most basic offer for a virtual server because these applications don’t need a lot of CPU power. Select a good bandwidth (a few TB should be enough) with enough hard disk space for a full backup of your company’s files. This page shows the set of tools we are using and their configuration. There may be better choices, but these are the ones we’ve found. This page’s main purpose is to serve as a reminder of how we’ve set things up for ourselves. Therefore, it’s not a full tutorial. If you don’t know Debian at all, have no networking skills and are looking for a “from zero to happy” walkthrough, you will have to look elsewhere. Given this, feel free to post comments on this page with questions, suggestions or corrections (I’m sorry that comments are currently not working).

Basic Server setup

List installed packages

dpkg-query -l 'pattern'

sshd

First of all, deactivate root login on SSH!

Thanks to how-to-geek for the explanation.

Create a user for your future logins:

adduser USER

choose a strong password!

Then log out and log in again over ssh with your new user. Become root by using su. If this doesn’t work, don’t deactivate root login. Find out what’s wrong first.

Now edit sshd_config:

editor /etc/ssh/sshd_config
PermitRootLogin no

Now restart ssh:

/etc/init.d/ssh restart

or, on a Debian using systemd as init (PID 1):

systemctl restart sshd

And you’re done!

Login without password

Create an SSH key on the client. The -b option gives the key length in bits, -t defines the algorithm.

ssh-keygen -b 4096 -t rsa

On the server, create a directory ~/.ssh for the USER created above, if it doesn’t exist already.

mkdir /home/USER/.ssh
chmod 700 /home/USER/.ssh
chown USER /home/USER/.ssh

Append the local machine’s public key to the authorized keys on the host:

cat ~/.ssh/id_rsa.pub | ssh USER@domain 'cat >> .ssh/authorized_keys'

Back on the server, make sure the file has the correct rights:

chmod 600 ~/.ssh/authorized_keys

Try logging in without password.

Disable Password Login

You may also disable password login once your public keys are stored on the server. If you lose the stored key, no login will be possible anymore! So better have more than one known machine/key in the authorized_keys.

To disable password login, set the following options in sshd_config:

ChallengeResponseAuthentication no
PasswordAuthentication no

Restart ssh.
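
The three sshd_config settings from this section can be checked mechanically. The following is an added example, not part of the original notes: it reads a config file the way sshd does (the first value per keyword wins, keywords are case-insensitive) and reports the effective values. The function names and the sample file are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original page): audit the global section of an
# sshd_config for the three settings changed above.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: the FIRST occurrence before any
# "Match" block, lowercased, or "unset" if the keyword is never set.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }               # strip leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # sshd also accepts "Keyword=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") exit         # conditional blocks: out of scope
            if (key == want && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# audit_sshd FILE
# Prints one line per setting; returns 0 only if all three are explicitly "no".
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_value "$1" "$kw")
        if [ "$v" = "no" ]; then
            echo "OK   $kw $v"
        else
            echo "FAIL $kw $v"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the commented-out line does not count, and the second
# PasswordAuthentication line is ignored because the first one already won.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a recommended configuration
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
challengeresponseauthentication = no
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd "$sample" || echo "=> fix the FAIL lines, then validate with: sshd -t"
rm -f "$sample"
```

On the real server, sshd -t validates the file before you restart, and sshd -T prints the full effective configuration.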

NTP

Your server should always have the accurate time. Installing NTP is one of the first tasks on any new server:

apt-get install ntp

fail2ban

apt-get install fail2ban
editor /etc/fail2ban/jail.conf

Only the changed lines are given, together with section headings for orientation. Be stricter than the default:

[DEFAULT]
bantime = 1200
[ssh]
maxretry = 3
[pam-generic]
enabled = true
[ssh-ddos]
enabled  = true
maxretry = 3
[apache]
enabled  = true
maxretry = 10
# exim filters added from internet source
# http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/
[exim]
enabled = true
filter = exim
port = smtp,ssmtp
action = iptables-allports
logpath = /var/log/exim*/rejectlog
maxretry = 3
# the exim-relay filter is not part of official distribution, but from
# http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/

[exim-relay]
enabled  = true
filter   = exim-relay
port     = smtp,ssmtp
action   = iptables-allports
logpath  = /var/log/exim*/rejectlog
maxretry = 1

You will also have to add the exim-relay filter as provided by http://kevin.deldycke.com/2011/06/configuring-fail2ban-debian-squeeze/. Create a file called exim-relay.conf in /etc/fail2ban/filter.d and add the following text:

# Based on default exim.conf filter by Cyril Jaquier
# Real life example:

[Definition]

# Option:  failregex
# Notes.:  regex to match use of my exim mail server as a relay it does not
#          allow.
# Values:  TEXT
#
failregex = \[<HOST>\] .*(?:relay not permitted)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban after installing apache2 and configuring exim. If you want to restart it right now, set enabled = false for the apache and exim jails. Brute force attacks are then less likely to succeed. Check if fail2ban is running with this command:

service fail2ban status
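
To see what the exim-relay filter and its maxretry value do before enabling the jail, the added example below (not from the original page or from fail2ban) applies an awk approximation of the failregex to constructed rejectlog lines. It assumes that <HOST> matches a literal IP address; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): approximate the exim-relay
# filter in awk. <HOST> is replaced by a plain IPv4/IPv6 address pattern,
# which is an assumption; fail2ban expands <HOST> itself and also accepts
# hostnames there.

# relay_offenders LOGFILE MAXRETRY
# Prints "COUNT HOST" for every host with at least MAXRETRY matching lines.
relay_offenders() {
    awk -v max="$2" '
        match($0, /\[[0-9A-Fa-f.:]+\] .*relay not permitted/) {
            rest = substr($0, RSTART + 1)            # text after the "["
            host = substr(rest, 1, index(rest, "]") - 1)
            hits[host]++
        }
        END { for (h in hits) if (hits[h] >= max) print hits[h], h }
    ' "$1" | sort -k2
}

# Constructed rejectlog lines (documentation IP ranges). The third line has
# an address literal in HELO; the regex needs "] " so only the real peer
# address in the following brackets is taken. The last line is a different
# rejection and must not count.
write_sample_rejectlog() {
    cat > "$1" <<'EOF'
2017-03-01 10:15:02 H=(mail.example.net) [198.51.100.23] F=<a@example.net> rejected RCPT <x@example.com>: relay not permitted
2017-03-01 10:15:09 H=(mail.example.net) [198.51.100.23] F=<a@example.net> rejected RCPT <y@example.com>: relay not permitted
2017-03-01 10:16:40 H=([192.0.2.1]) [203.0.113.7] F=<b@example.org> rejected RCPT <z@example.com>: relay not permitted
2017-03-01 10:17:11 H=(client) [192.0.2.44] F=<c@example.org> rejected RCPT <info@example.org>: Unrouteable address
EOF
}

log=$(mktemp)
write_sample_rejectlog "$log"
echo "maxretry = 1 (as in the [exim-relay] jail above):"
relay_offenders "$log" 1
echo "maxretry = 3:"
relay_offenders "$log" 3
rm -f "$log"
```

fail2ban ships fail2ban-regex, which tests the real filter file against the real log: fail2ban-regex LOGFILE /etc/fail2ban/filter.d/exim-relay.conf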

Setting quotas

To check existing quotas on the root filesystem:

sudo repquota -s /

To change quota for user foo to 150GB (space limit only), hard limit:

find block size:

cat /usr/include/x86_64-linux-gnu/sys/mount.h | grep BLOCK_SIZE

calculate the block limit: 150 * 1024^3 / BLOCK_SIZE

edit quota:

sudo edquota foo

set the calculated block limit on the hard column.

SSL/TLS-Certificates

Installing and using SSL-certificates can be tricky. This section gives some hints. Where to use and install such certificates is explained later.

Certificates from Certificate Authority

Create certificates for the server and store them. To create a 4096-bit key and certificate request with openssl:

openssl genrsa -out PRIVATE_KEY_NAME.key 4096
openssl req -new -key PRIVATE_KEY_NAME.key -out CERT_REQUEST_NAME.csr

You will have to get certificates from a trusted CA to avoid warning messages in your mail programs. Check e.g. https://www.startssl.com/

If you get your certificate from the SSL signing authority, you will have to store intermediate and root certificates for the authority as well. With StartSSL, the intermediate certificate will be called “sub.classX.ca.pem” and the root certificate just “ca.pem” on their server. You must then create a concatenated certificate file for usage with apache, exim, dovecot etc.
To get a certificate chain file, use cat:

cat YOUR-SERVER-CERTIFICATE INTERMEDIATE-CERTIFICATE ROOT-CERTIFICATE > CHAIN-FILE-NAME

Certificates from Let’s Encrypt

Download certbot-auto for Debian from here:

https://certbot.eff.org/#debianwheezy-apache

Documentation for certbot is here:

https://certbot.eff.org/docs/

Just replace certbot by certbot-auto for all commands in the documentation.

Some basic commands. Get certificate for specific domain, place as many -d switches as you want to include in the same certificate:

certbot-auto certonly --webroot -w /path/to/site/on/server -d domain.org -d sub.domain.org

See installed certificates:

certbot-auto certificates

Cron line. The renew-hook may be used for a script to restart dovecot because it won’t reload the certificate while running:

/usr/local/bin/certbot-auto renew --no-self-upgrade --renew-hook /script/to/run/after/renew/only

Webserver

apache2

apt-get install apache2

set webservice root directory in “/etc/apache2/sites-available/default” and “/etc/apache2/sites-available/default-ssl”

Enable the ssl module to get https:// working:

a2enmod ssl
service apache2 restart

mysql

apt-get install mysql-server

Set an admin password and remember it.

Create a user and a database for your WordPress installation.

phpmyadmin

Start installation with

apt-get install phpmyadmin

Choose apache2 as server to config automatically. Choose “Yes” to configure with db-config common. Enter the password for your MySQL root user. Choose a password for phpmyadmin.

Go to /etc/phpmyadmin. Edit config.inc.php to disable root login to MySQL over phpmyadmin. Search for the comment “/* Authentication type */” and insert the following line below the line $cfg['Servers'][$i]['auth_type'] = 'cookie';

$cfg['Servers'][$i]['AllowRoot'] = FALSE;

Restart Apache webserver.

wordpress

apt-get install curl php5-mysql libapache2-mod-php5

download wordpress from their server

cd /home/sshlogin
mkdir downloads
cd downloads
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
mv wordpress/* "your website's ROOT_DIRECTORY"
chown -R www-data:www-data "your website's ROOT_DIRECTORY"

Go to your server with the browser and set up wordpress.

As soon as you have set up https:// for your webpage, you should add this line to your wp-config.php:

define('FORCE_SSL_ADMIN', true);

Mailserver

exim

Installation and basic config

exim 4 will receive and send mail over smtp to other mailservers or from connecting clients. It will deliver mail to the users having their mail account on our server. Install:

apt-get install exim4-daemon-heavy

Run the debian config script for exim with:

dpkg-reconfigure exim4-config

Choose “internet site; mail is sent and received directly using SMTP” on the first page.

Enter Domain name on second page.

Leave the field for “IP-addresses to listen on” blank on third page.

Add your domain on the page for local domains (example.org).

Don’t relay mails for any other domain, thus leave the fields for relay domains and also IPs on next page blank.

Dial-on-Demand: No

On the next page you will have to set exim to use “Maildir in home folders” and not “mbox in /var/mail”. This point is somewhat irritating, because our setting will save mails in mbox format but in the users’ home folders.

Multiple Domains

We are going to use a simple setup for multiple domains with one important limitation: local parts of mail addresses must be unique throughout all domains! If you can live with this, a multi-domain setup is simple: just add all domain names to the local_domains list.

ATTENTION: local parts for all domains MUST NOT overlap!

Add domain names to MACRO definition:

/etc/exim4/conf.d/main/00_localmacros_DOMAIN

MAIN_LOCAL_DOMAINS = localhost:hostname:example.org:sample.net

Add virtual users to /etc/CONFIG DIR FOR VIRTUAL USERS if new mailboxes shall be used

Add aliases to /etc/aliases only, if mail should be forwarded.

Both options are explained later

TLS/SSL and SMTP login

The directory containing your ssl keys/certificates needs to be readable for exim. On Debian systems, this means it has to belong to group Debian-exim.

You cannot store your exim SSL keys in /etc/ssl/private. Store them e.g. in /etc/exim4, owned by root:Debian-exim (chown) with mode 440 (chmod).

Edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions. The certificate line must reference the chain file created as explained above:

MAIN_TLS_CERTIFICATE = /etc/exim4/NAME.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/NAME.key

Create your local macro file /etc/exim4/conf.d/main/00_localmacros_SERVERNAME or any other name starting with 00.
Set it to:

MAIN_TLS_ENABLE = true
daemon_smtp_ports = smtp : 587

Go to /etc/exim4/conf.d/auth/30_exim4-config_examples and set:

cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
# config server behaviour if clients want to authenticate
  server_secret = ${lookup{$auth1}lsearch{/etc/exim4/FILENAME}{$value}fail}
  server_set_id = $auth1

Create the file /etc/exim4/FILENAME and add the account credentials as USERNAME:PASSWORD, one per line. This file contains passwords, so set its permissions with chmod 600 and its owner with chown Debian-exim:Debian-exim.

Now, your server should provide cram_md5 login (encrypted password in thunderbird) and STARTTLS on ports 25 and 587.

virtual users with mbox format mailboxes

Configuration according to this page, with modifications for security reasons (user) and regarding usage with dovecot:

http://www.tq01.com/configuring-exim-with-virtual-users-on-debian

adduser mailusers --disabled-login --no-create-home

mkdir /home/mailusers
chown mailusers:mailusers /home/mailusers
mkdir /etc/CONFIG DIR FOR VIRTUAL USERS
touch /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN 
chown Debian-exim:Debian-exim /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN 
chmod 600 /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN 
echo "mail.user:IMAP-Password":::: >> /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN
touch /etc/exim4/conf.d/transport/29_exim4-config_virtual_users

Contents of this file. This config will create an mbox for each virtual user in /home/mailusers/USERNAME/mail/inbox:

virt_user_mailboxes:
  driver = appendfile
  user = mailusers
  file = /home/mailusers/$local_part/mail/inbox
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600

Create configuration for router:

touch /etc/exim4/conf.d/router/901_exim4-config_virtual_users

contents of this file:

virt_user_domains:
  driver = accept
  domains = dsearch;/etc/CONFIG DIR FOR VIRTUAL USERS
  local_parts = lsearch;/etc/CONFIG DIR FOR VIRTUAL USERS/$domain  
  transport = virt_user_mailboxes   
  no_more

run update-exim4.conf
restart exim

virtual users with mailboxes in maildir format

If you’re planning to access your email using IMAP, the maildir format has the advantage that it can handle as many subfolders as desired. It can also handle mixed folders with mail and subfolders in it. This behaviour is almost impossible with mbox mailboxes, or at least a real pain to configure.

The only changes compared to the above configuration are in /etc/exim4/conf.d/transport/29_exim4-config_virtual_users. We will now store mail in /home/mailusers/USERNAME/Maildir:

virt_user_mailboxes:
  driver = appendfile
  user = mailusers
  maildir_format = true
  directory = /home/mailusers/$local_part/Maildir/
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600

mail aliases

Set mail addresses you’d like to forward to another account in /etc/aliases. You don’t have to set up any virtual users for those “from” accounts. Each line looks like FROM-ACCOUNT : TO-ACCOUNT

mail lists / team mails

Example in Exim4’s documentation.

Use this option, if you want to have mail addresses that forward to a team.

Create a redirect router in /etc/exim4/conf.d/router/

editor /etc/exim4/conf.d/router/902_exim4-config_mail-lists

fill it with this text:

lists:
  driver = redirect
  domains = DOMAIN NAME FOR LIST MAILS
  file = /etc/mail_lists/$local_part
  forbid_pipe
  forbid_file
  errors_to = MAIL ADDRESS FOR ERROR MAILS

create the Directory /etc/mail_lists

and create a file with the local part of the forward mail. If you want team@DOMAIN:

editor /etc/mail_lists/team

fill it with the mail addresses that mails should be forwarded to.

Exim 4 cheat sheet

Very handy for debugging:

http://bradthemad.org/tech/notes/exim_cheatsheet.php

Some checks

EHLO response, SMTP banner:

telnet IP-ADDRESS 25

Authentication mechanisms:

telnet IP-ADDRESS 25
EHLO "SOME DOMAIN NAME"

Exim will respond with the authentication mechanisms that it offers.

fighting spam

Some tricks on this website:

https://www.janoszen.com/2013/01/07/filtering-spam-with-exim-only/

Deny mail that claims to be from localhost but isn’t:

In File /etc/exim4/conf.d/acl/30_exim4-config_check_mail:

# below are additions by umweltchemie
# Accept all authenticated connections
accept
  authenticated = *
# Accept all local hosts
accept
  hosts = +relay_from_hosts
# Deny if sending host claims to be a local user
deny
  sender_domains = owndomain.org
  message = "Fake sender address"
  log_message = message denied because from was local domain

# accept the rest
accept

spamassassin

Check incoming mail for spam. Install spamassassin:

apt-get install spamassassin

Read its documentation:

gunzip /usr/share/doc/spamassassin/README.spamd.gz
less /usr/share/doc/spamassassin/README.spamd

Modify /etc/default/spamassassin: set ENABLED=1

Go to /etc/exim4/conf.d/acl/, create file 000_acl_macros_hostname with macro:

 # file name for 40_exim4-config_check_data external file hook
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/acl/acl_rules_servername

create file named in CHECK_DATA_LOCAL_ACL_FILE:

warn
     spam = Debian-exim:true
     add_header = X-Spam_score: $spam_score\n\
               X-Spam_score_int: $spam_score_int\n\
               X-Spam_bar: $spam_bar\n\

Start spamassassin:

/etc/init.d/spamassassin start

Restart exim

Spam assassin and thunderbird

Thunderbird allows users to set the option to trust SpamAssassin headers. Thunderbird expects one of two flags in a mail header to sort out junk mail. These are “X-Spam-Status” or “X-Spam-Flag”. You will need to create an ACL rule for exim that sets one of these flags. While SpamAssassin is actually checking your incoming mail, only exim can write additional headers to the mail delivered. In the example, we are using “X-Spam-Flag”, but “X-Spam-Status” would do as well.

editor /etc/exim4/conf.d/acl/acl_rules_SERVERNAME

Add the following text to the already defined add_header variable. Just add it on a new line and keep an empty line below the text:

# add X-Spam-Flag to all mail
 X-Spam-Flag: ${if >{$spam_score_int}{100}{Yes}{No}}

Server side spam filtering

You may also filter out spam on the server side by creating a .forward file in your user’s home folder and adding a filter rule. In our case, with the X-Spam-Flag set in the mail header as explained in the chapter for Thunderbird above, this is now also quite simple.

First, we need a router that reads exim filter files for our virtual users.
Create file /etc/exim4/conf.d/router/610_exim4-config_virtual_userforward
Fill it with following commands:

### router/610_exim4-config_virtual_userforward
###############################################

# This router handles forwarding using traditional .forward files in virtual users'
# mail directories. It also allows mail filtering with a forward file
# starting with the string "# Exim filter" or "# Sieve filter".

virtualuserforward:
debug_print = "R: virtual userforward for $local_part@$domain"
driver = redirect
domains = +local_domains
# replacement for check_local_user by gaess
local_parts = lsearch;/etc/CONFIG DIR FOR VIRTUAL USERS/$domain
# set to virtual users home folders, path to filter file
file = /home/mailusers/$local_part/PATH TO FILTER FILE
require_files = /home/mailusers/$local_part/PATH TO FILTER FILE
user = mailusers
no_verify
no_expn
check_ancestor
allow_filter
forbid_smtp_code = true
directory_transport = address_directory
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
skip_syntax_errors
syntax_errors_to = MAILUSER@$domain
syntax_errors_text = \
This is an automatically generated message. An error has\n\
been found in $local_part 's .forward file. Details of the error are\n\
reported below. While this error persists, you will receive\n\
a copy of this message for every message that is addressed\n\
to you. If your .forward file is a filter file, or if it is\n\
a non-filter file containing no valid forwarding addresses,\n\
a copy of each incoming message will be put in your normal\n\
mailbox. If a non-filter file contains at least one valid\n\
forwarding address, forwarding to the valid addresses will\n\
happen, and those will be the only deliveries that occur.

Create user filter files in /home/mailusers/$local_part/PATH TO FILTER FILE. The following filter will move spam mail to the junk folder. You may have to change the junk folder name to comply with your mail client’s folders:

# Exim filter

if
$h_X-Spam-Flag: CONTAINS "Yes"
then
save /home/mailusers/$local_part/Maildir/.Junk/
finish
endif

Train Spamassassin

You may train SpamAssassin’s filter with spam mail that was not recognized. Save all mail you want to feed to the trainer in a distinct folder. Then run:

sa-learn --spam FOLDERPATH

ClamAV

ClamAV is a virus checker for Linux.

apt-get install clamav clamav-daemon

Set up daemon configuration in /etc/clamav/clamd.conf:

#increase if you're getting "Directory recursion limit exceeded" errors
MaxDirectoryRecursion 30
ExcludePath ^/sys/
ExcludePath ^/proc/

Scan for infected files (recursively):

clamdscan /directory

Check incoming mail for viruses.

Uncomment the following line in /etc/exim4/conf.d/main/02_exim4-config_options:

av_scanner = clamd:/var/run/clamav/clamd.ctl

Go to /etc/exim4/conf.d/acl/40_exim4-config_check_data and uncomment the following lines:

   deny
     malware = *
     message = This message was detected as possible malware ($malware_name).

Add clamav to all groups it should be able to check files for. In my case:

editor /etc/group
Debian-exim:clamav
mailusers:clamav

Restart exim.

dovecot

Installation:

apt-get install dovecot-common dovecot-imapd dovecot-pop3d

Create users dovecot and dovenull. They shouldn’t belong to any other group than their own.

Set /etc/hostname and /etc/hosts correctly. Delete existing dovecot.pem in /etc/ssl/private and /etc/ssl/certs and run dovecot configuration:

dpkg-reconfigure dovecot-common

Go to /etc/dovecot and edit configuration files:

cd /etc/dovecot
editor dovecot.conf

Set following lines. The listing below just declares changes to the default dovecot config-files.

Settings in dovecot.conf:

login_greeting = mail server ready.

More settings in files in conf.d directory:

10-auth.conf:

Comment out the auth-system line and uncomment the passwdfile line (only virtual mail users are allowed to log in):

#!include auth-system.conf.ext
!include auth-passwdfile.conf.ext

auth-passwdfile.conf.ext:

passdb {
  driver = passwd-file
  args = /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN
}
userdb {
  driver = passwd-file
  args = username_format=%n /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN
  default_fields = uid=mailusers gid=mailusers home=/home/mailusers/%u
}

10-logging.conf:

log_timestamp = "%Y-%m-%d %H:%M:%S "

If you are using mailboxes in mbox format, 10-mail.conf:

mail_location = mbox:/home/mailusers/%u/mail:INBOX=/home/mailusers/%u/mail/inbox
mail_privileged_group = mailusers

If you are using mailboxes in maildir format, 10-mail.conf:

mail_location = maildir:/home/mailusers/%u/Maildir
namespace {
  separator = .
  inbox = yes
}
mail_privileged_group = mail

10-master.conf:

service imap-login {
  #chroot = login # may be obsolete
  inet_listener imaps {
    address = *
    port = 993
  }
  process_min_avail = 1
}
service pop3-login {
  chroot = login
  process_min_avail = 1
  service_count = 1
  user = dovecot
}

service imap {
  process_limit = 16
}

service pop3 {
  process_limit = 16
}

service auth {
    user = root 
    vsz_limit = 256 M
}

10-ssl.conf:

ssl = required
ssl_cert = </etc/ssl/CRT-FILE
ssl_key = </etc/ssl/KEY-FILE

new file 25-pop3.conf including work-arounds for our friends from redmond

protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv 
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

The option below shouldn’t be needed any more for dovecot 2.x:

protocols = imap pop3

I’m setting up a mail server with few users. Therefore only one process is listening for connections and only 16 login processes are allowed to be running simultaneously.

To use the same virtual users file as exim4, just create a password for your user like this:

doveadm pw -s SHA512-CRYPT

Copy the returned string to the right of the first colon in /etc/CONFIG DIR FOR VIRTUAL USERS/DOMAIN. The remaining colons are for the fields UID:GID:home directory. We are leaving these empty and using the default values from the config file. The fields nevertheless have to be present, otherwise dovecot reports an error on login.
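
The per-domain user files are read by both exim and dovecot, so two rules from this page can be checked together: local parts must not overlap between domains (mail is delivered to /home/mailusers/$local_part regardless of domain), and every line needs all its colon-separated fields. The following is an added example, not part of the original notes; the function names and the sample entries are constructed, and the directory is passed as an argument in place of the page’s CONFIG DIR FOR VIRTUAL USERS placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): lint the directory of
# per-domain virtual user files shared by exim and dovecot.

# check_virtual_users DIR
# Prints one finding per line and returns 1 if there is any finding:
#   FIELDS  - line does not have the 6 fields user:password:uid:gid:gecos:home
#   SCHEME  - password field has no {SCHEME} prefix as printed by doveadm pw
#   OVERLAP - the same local part is defined in two different domain files
check_virtual_users() {
    findings=$(
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            # Emit "domain:fieldcount:localpart:password" for every entry.
            awk -F: -v dom="${f##*/}" '
                /^[ \t]*(#|$)/ { next }
                { print dom ":" NF ":" $1 ":" $2 }' "$f"
        done | awk -F: '
            {
                dom = $1; nf = $2; lp = $3; pw = $4
                if (nf != 6)
                    print "FIELDS " lp "@" dom " has " nf " fields, expected 6"
                if (substr(pw, 1, 1) != "{")
                    print "SCHEME " lp "@" dom " password has no {SCHEME} prefix"
                if (lp in seen && seen[lp] != dom)
                    print "OVERLAP " lp " in " seen[lp] " and " dom
                else
                    seen[lp] = dom
            }'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: two domain files with placeholder hashes. "info" exists
# in both domains, "mail.user" still has the placeholder password from the
# echo command above, and "sales" is one colon short.
write_sample_users() {
    cat > "$1/example.org" <<'EOF'
info:{SHA512-CRYPT}$6$constructed$hash::::
mail.user:IMAP-Password::::
EOF
    cat > "$1/sample.net" <<'EOF'
info:{SHA512-CRYPT}$6$constructed$hash::::
sales:{SHA512-CRYPT}$6$constructed$hash:::
EOF
}

dir=$(mktemp -d)
write_sample_users "$dir"
check_virtual_users "$dir" || echo "=> fix these before reloading exim and dovecot"
rm -rf "$dir"
```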

Migrating mbox to maildir

dsync comes with dovecot and tries to do the migration while keeping all UUIDs intact. If this migration works, your mail clients shouldn’t even notice the change:

Set dovecot configuration to maildir. Restart dovecot, then:

su mailusers
dsync -u USERNAME mirror RIGHT HAND SIDE OLD CONFIG LINE FOR MBOX

In one case, I’ve had to replace the %u placeholder in the old config line by the actual user name as well. If dsync takes forever, something is wrong. It should be quite quick. In my case, not all mail from my inbox was converted (I had about 5000 mails in my inbox). So I had to try something else.

apt-get install mb2md
su mailusers
mb2md -s DIRECTORY WITH MBOXES -d DIRECTORY FOR MAILDIR

This converted all mail. But I’ve had to resubscribe to all folders in my mail client and all mail was downloaded again.

One pitfall could be that your Maildir folder and all folders inside it have to have the same permissions. Otherwise “renaming failed” errors may appear when trying to delete or rename folders.

Webmail – Roundcube

Install from debian repos:

apt-get install roundcube

Set main.inc.php in /etc/roundcube:

$rcmail_config['force_https'] = true;

More about configuring roundcube can be found in the official wiki:
http://trac.roundcube.net/wiki/Howto_Config

Carddav plugin

Get it here, follow README. The link following wget may be outdated, check on github first.

https://github.com/christian-putzke/Roundcube-CardDAV

wget https://github.com/christian-putzke/Roundcube-CardDAV/archive/v0.5.tar.gz
tar xvzf v0.5.tar.gz 
mv Roundcube-CardDAV-0.5 /var/lib/roundcube/plugins/
cd /var/lib/roundcube/plugins/Roundcube-CardDAV-0.5/SQL/
mysql -u roundcube -p roundcube < mysql.sql

Go to /etc/roundcube and edit “main.inc.php”

$rcmail_config['log_session'] = true;
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['plugins'] = array('carddav');

mailman

Mailman is the software to set up mailing lists. Installation on debian is well supported:

apt-get install mailman

owncloud

Installation

Install community edition from SUSE build server.

echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list 
wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key
apt-key add - < Release.key
apt-get update
apt-get install owncloud

Create a user for owncloud in mysql and create a database for it:
create database NAME;
grant all on NAME.* to 'USER'@'localhost' identified by 'password';

Uncomment the aliases in /etc/apache2/conf.d/owncloud or edit as you wish.
Restart apache.
Navigate to your server’s owncloud directory with your browser immediately, because owncloud will now present the installation dialog to anybody browsing the page. Make your settings. Choose MySQL as database.

Updates

The update process for owncloud is a permanent nuisance. Every time that owncloud has been updated by using apt-get update, you will need to manually complete the process. Until this is done, your cloud remains in maintenance mode and all sync services stop working WITHOUT NOTICE. It’s a complete mess.

Here are the commands to run every single time after owncloud has been updated:

Complete update

sudo -u www-data /usr/bin/php /var/www/owncloud/occ upgrade

Enable modules, here examples for contacts and calendar:

sudo -u www-data /usr/bin/php /var/www/owncloud/occ app:enable calendar

sudo -u www-data /usr/bin/php /var/www/owncloud/occ app:enable contacts

Get it out of maintenance mode:

sudo -u www-data /usr/bin/php /var/www/owncloud/occ maintenance:mode --off

I really don’t know why owncloud is the single application on the planet that cannot run an automated update!