Horde Groupware Webserver

7 minute read , Apr 09, 2015

Horde Groupware Webserver Edition is a free, enterprise ready, browser based communication suite. Users can read, send and organize server messages and manage and share calendars, contacts, tasks, notes, files and bookmarks. It can be extended with any of the released Horde applications or the Horde modules that are still in development, like a bookmark manager, or a file manager.

Horde will provide access to our IMAP server via web console.


We install PEAR and then using this system install we install another version of PEAR that is system independent and will be used for Horde install and upgrade only.

root@server:~# aptitude install debpear
root@server:~# mkdir /var/www/webmail
root@server:~# pear config-create /var/www/webmail/ /var/www/webmail/pear.conf
root@server:~# pear -c /var/www/webmail/pear.conf install pear
root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf channel-discover pear.horde.org
root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf install horde/horde_role
root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf run-scripts horde/horde_role
root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf install -a -B horde/webmail

Next we setup MySQL database:

root@server:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.5.31-0+wheezy1 (Debian)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database webmail;
Query OK, 1 row affected (0.00 sec)
mysql> use webmail;
Database changed
mysql> grant all on webmail.* to 'webmail'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit

and install the PHP5 database module:

root@server:~# aptitude install php5-mysql

We can now install Horde:

root@server:~# PHP_PEAR_SYSCONF_DIR=/var/www/webmail php -d include_path=/var/www/webmail/pear/php /var/www/webmail/pear/webmail-install

Installing Horde Groupware Webserver Edition
Configuring database settings
What database backend should we use?
    (false) [None]
    (mysql) MySQL / PDO
    (mysqli) MySQL (mysqli)
    (pgsql) PostgreSQL
    (sqlite) SQLite
Type your choice []: mysql
Request persistent connections?
    (1) Yes
    (0) No
Type your choice [0]:
Username to connect to the database as* [] webmail
Password to connect with
How should we connect to the database?
    (unix) UNIX Sockets
    (tcp) TCP/IP
Type your choice [unix]: unix
Location of UNIX socket [] /var/run/mysqld/mysqld.sock
Database name to use* [] webmail
Internally used charset* [utf-8]
Use SSL to connect to the server?
    (1) Yes
    (0) No
Type your choice [0]:
Certification Authority to use for SSL connections []
Split reads to a different server?
    (false) Disabled
    (true) Enabled
Type your choice [false]:
Writing main configuration file... done.
Creating and updating database tables... done.
Configuring administrator settings
Specify an existing server user who you want to give administrator
permissions (optional): <my-admin>
Writing main configuration file... done.
Thank you for using Horde Groupware Webserver Edition!

The settings can be found in the main config file /var/www/webmail/config/conf.php in case we need to change anything.

IMAP configuration

We create new local config file /var/www/webmail/imp/config/backends.local.php to tell Horde how to connect to the IMAP server (courier-imap already installed):

$servers['imap'] = array(
    'disabled' => false,
    'name' => 'IMAP Server',
    'hostspec' => 'localhost',
    'hordeauth' => 'false',
    'protocol' => 'imap',
    'port' => '443',
    'secure' => 'tls',
    'serverdomain' => '',
    // 'smtphost' => '',
    // 'smtpport' => '25',
    'cache' => 'false',

Apache configuration

Install and setup Apache:

root@server:~# aptitude install apache2 libapache2-mod-php5 libapache2-mod-geoip

Configure GeoIP module in the /etc/apache2/mods-enabled/geoip.conf file (needs geoip-database package installed):

<IfModule mod_geoip.c>
  GeoIPEnable On
  GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
  GeoIPEnableUTF8 On
  GeoIPOutput Env
  GeoIPScanProxyHeaders On

Edit the default host in /etc/apache2/sites-available/default file:

<VirtualHost *:80>
    #RewriteEngine On
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^(.*)$ https://server.mydomain.com$1
    ServerName server.mydomain.com
    RedirectMatch 302 (?i)/autodiscover/autodiscover.xml https://server.mydomain.com/autodiscover/autodiscover.xml
    <Directory "/var/www/webmail/">
        php_value include_path /var/www/webmail/pear/php
        SetEnv PHP_PEAR_SYSCONF_DIR /var/www/webmail

Create the following file to set SSL access /etc/apache2/sites-available/default-ssl:

<IfModule mod_ssl.c>
SSLStrictSNIVhostCheck off
<VirtualHost _default_:443>
    ServerName server.mydomain.com
    ServerAdmin root@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
        SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
        Order allow,deny
        Allow from all
        Deny from env=BlockCountry
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
        SetEnvIf GEOIP_COUNTRY_CODE KR BlockCountry
        SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
        Order allow,deny
        Allow from all
        Deny from env=BlockCountry
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from ::1/128
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/star_mydomain_com.pem
    SSLCertificateKeyFile /etc/ssl/private/star_mydomain_com_KEY.pem
    SSLCertificateChainFile /etc/ssl/private/DigiCertCA.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [7-9]" ssl-unclean-shutdown
    #### HORDE WEBMAIL ###
    Alias /Microsoft-Server-ActiveSync /var/www/webmail/rpc.php   
    ## Replace Alias with Rewrite in case of php via mod_fcgid
    #RewriteRule ^/Microsoft-Server-ActiveSync /webmail/rpc.php [PT,L,QSA]
    RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
    RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    ## Autodiscovery
    Alias /autodiscover/autodiscover.xml /var/www/webmail/rpc.php
    Alias /Autodiscover/Autodiscover.xml /var/www/webmail/rpc.php
    Alias /AutoDiscover/AutoDiscover.xml /var/www/webmail/rpc.php
    <Directory "/var/www/webmail/">
        Options +FollowSymlinks
        Order deny,allow
        Allow from all
        php_value include_path /var/www/webmail/pear/php
        SetEnv PHP_PEAR_SYSCONF_DIR /var/www/webmail
    ## Protect the APC GUI cache page
    <Files "apc.php">
            AuthName Opcache-gui
            AuthType Basic
            AuthBasicProvider ldap
            AuthBasicAuthoritative on
            AuthLDAPURL "ldap://ldap.mydomain.com ldapreplica.mydomain.com:389/ou=Users,dc=mydomain,dc=com?uid" STARTTLS
            AuthLDAPBindDN cn=<my-ldap-user>,ou=Users,dc=mydomain,dc=com
            AuthLDAPBindPassword <password>
            AuthLDAPGroupAttribute memberUid
            AuthLDAPGroupAttributeIsDN off
            Require ldap-group cn=<my-ldap-group>,ou=Groups,dc=mydomain,dc=com
            Require valid-user
            Satisfy all

then enable the modules we are going need:

root@server:~# a2enmod ssl
root@server:~# a2enmod ldap
root@server:~# a2enmod authnz_ldap

check the configuration and restart Apache:

root@server:~# apache2ctl configtest
root@server:~# service apache2 restart


The following settings need to be present in the /var/www/webmail/config/conf.php confgiuration file for Microsoft-Server-ActiveSync support:

$conf['activesync']['emailsync'] = true;
$conf['activesync']['version'] = '14';
$conf['activesync']['autodiscovery'] = 'full';
$conf['activesync']['outlookdiscovery'] = false;
$conf['activesync']['logging']['type'] = 'horde';
$conf['activesync']['ping']['heartbeatmin'] = 60;
$conf['activesync']['ping']['heartbeatmax'] = 2700;
$conf['activesync']['ping']['heartbeatdefault'] = 480;
$conf['activesync']['ping']['deviceping'] = true;
$conf['activesync']['ping']['waitinterval'] = 15;
$conf['activesync']['enabled'] = true;

and the following line to the apache SSL vhost as shown above:

Alias /Microsoft-Server-ActiveSync /var/www/webmail/rpc.php

Horde Tuning

There couple of things we can do to optimize Horde’s performance.


Install and enable PHP APC code cache so the web server doesn’t have to re-parse the php code for each request:

root@server:~# aptitude install php-apc

this will enable the module in /etc/php5/conf.d/apc.ini file:


if not, on Debian/Ubuntu systems we can enable manually by running:

root@server:~# php5enmod apc

then to configure it we create the following file /etc/php5/conf.d/20-apc.ini:

;max amount of memory a script can occupy
; means we are always atomically editing the files
apc.filters = "-/var/www/webmail/pear/php/apc\.php$"
apc.mmap_file_mask = /tmp/apc-encompass.XXXXXX

and restart Apache. This will expose the APC monitoring GUI at /var/www/webmail/pear/php/apc.php and to protect it we have setup the LDAP authentication as shown in the Apache SSL config /etc/apache2/sites-enabled/default-ssl.

There are some user credentials in the apc.php file too which we can setup if we need to protect the page in case we don’t want to do that through apache:

defaults('ADMIN_USERNAME','apc');             // Admin Username
defaults('ADMIN_PASSWORD','password');        // Admin Password - CHANGE THIS TO ENABLE!!!

The moment we change the default password the authentication will get enabled.

As mentioned above the APC is installed from ubuntu package repo. The newest version though is always available via php/pecl:

root@server:~# pecl channel-update pecl.php.net
Updating channel "pecl.php.net"
Update of Channel "pecl.php.net" succeeded

root@server:~# pecl search apc
Retrieving data...0%
.Matched packages, channel pecl.php.net:
Package Stable/(Latest) Local
APC     3.1.13 (stable) 3.1.13 Alternative PHP Cache
APCu    4.0.7 (beta)           APCu - APC User Cache

Autoload caching module

To benefit from further optimizations we can install autolad caching module which links the php classes to file paths (so in case the php compiler finds missing class it can convert the name into file path and load the file containing the missing class):

root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf install -a -B horde/horde_autoloader_cache
horde/Horde_Autoloader_Cache can optionally use PHP extension "eaccelerator"
horde/Horde_Autoloader_Cache can optionally use PHP extension "xcache"
downloading Horde_Autoloader_Cache-2.0.3.tgz ...
Starting to download Horde_Autoloader_Cache-2.0.3.tgz (12,020 bytes)
.....done: 12,020 bytes
install ok: channel://pear.horde.org/Horde_Autoloader_Cache-2.0.3

Install PHP image libraries

We run:

root@server~# aptitude install libcurl4-openssl-dev libmagic-dev libimage-exiftool-perl
root@server~# pecl install pecl_http

and add:


to the Apache PHP5 ini file /etc/php5/apache2/php.ini or into a new file /etc/php5/conf.d/http.ini that we create in the PHP5 config directory.

Enable viewing HTML eservers

In the /var/www/webmail/imp/config/mime_drivers.php file find the following section:

    /* HTML driver settings */
    'html' => array(
        /* NOTE: Inline HTML display is turned OFF by default. */
        'inline' => false,
        'handles' => array(

and change inline to true.

Updating Horde

We have already done the first step at the beggining of the installation:

root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf channel-discover pear.horde.org
Adding Channel "pear.horde.org" succeeded
Discovery of channel "pear.horde.org" succeeded

so we just need to execute the following two:

root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf remote-list -c horde
root@server:~# /var/www/webmail/pear/pear -c /var/www/webmail/pear.conf upgrade -a -B horde/webmail

Then login to the Horde admin console as the administrator user we set upon installation, go to the Configuration screen under Administration and click on “Upgrade all DB schemas” button.

Leave a Comment