Gerald Brandt | 27 May 02:32 2016

Disable amavis


I have an external spam/virus checker. When it finds an issue, it sends the spam/virus/blocked-banned file to a special email account, where I can release the file, or delete it.

This allows me to accept files from known good places or people and release them to the end user.

Kolab blocks the email with the virus/spam/banned file from going to the account.

I commented out # content_filter = smtp-amavis:[]:10024 to get things working again. Is this the right way to do it? Will the config change last through updates?

The end result is that Kolab does not need to do any spam/virus checking at all, it's all done by ScrollOut F1.

users mailing list
users <at>
Tom Davidson | 26 May 00:48 2016

sync with ms exchange

I would like to deploy kolab co-existing with my employer's ms exchange services. My goals are to provide kolab as an option to co-workers and to ease my own use of kontact. Replacing ms exchange, outlook 365... is not an option right now.

Does anyone have experience with davmail? Can Kontact be downstream of exchange? What other tools are out there to speak exchange web services?

thanks, tom

Alf B. Rustad | 22 May 20:50 2016

setup-kolab gives misleading message (on Debian 8 Winterfell packages)

I set out to try the latest and greatest Kolab packages this week-end. The install is done on a 64-bit Debian 8 using the Winterfell packages. I had to rerun the setup-kolab script after I entered something wrong the first time, and got this message:

It seems 389 Directory Server has an existing instance configured. This setup
script does not intend to destroy or overwrite your data. Please make sure
/etc/dirsrv/ and /var/lib/dirsrv/ are clean so that this setup does not have to

Following the advice, I removed the content of those two folders to be able to run the setup-kolab script again, but then I got this error message:

Could not copy file '/etc/dirsrv/config/certmap.conf' to '/etc/dirsrv/slapd-cloud/certmap.conf'. Error: No such file or directory

So it seems the first message is misleading, encouraging users to remove a file that is a needed part of the 389-ds-base installation. I suggest rephrasing the message; even a very generic message is better, e.g.,

It seems 389 Directory Server has an existing instance configured. This setup
script does not intend to destroy or overwrite your data. Please make sure
/etc/dirsrv/ and /var/lib/dirsrv/ are in the same state as when the directory server was installed so that this setup does not have to worry.

Even better would be to include an option to clear the directory server when running setup-kolab.

Almost forgot, thanks for an awesome software suite!
Roland Kolb | 20 May 14:44 2016

Performance-Issues after Update Kolab 3.4 to 16 on Centos7


Since I have updated my Kolab from 3.4 to 16 (Centos7) I have big
performance problems.
It seems that this occurs mainly after users have added / changed
entries in the calendar.
During this performance issue no access to send, to receive mails, to
change, to look on the calendar. After 30min or longer it is possible again.

When I check the memory (smem -u -t -k -w) with focus on apache, kolab, 
and cyrus I noticed that the numbers at the apache is very when the 
performance issue occurs.

During the normal status smem looks like

smem -u -t -k -w

User     Count     Swap      USS      PSS      RSS
libstoragemgmt     1        0   204.0K   207.0K   824.0K
rtkit        1        0   276.0K   291.0K     1.3M
rpc          1        0   580.0K   583.0K     1.1M
chrony       1        0   576.0K   608.0K     1.9M
avahi        2        0   500.0K   720.0K     2.1M
dbus         1        0     1.3M     1.4M     2.7M
colord       1        0     4.0M     4.3M     8.0M
postfix      5        0     6.9M     7.4M    22.3M
polkitd      1        0    23.1M    23.2M    26.7M
mongodb      1        0    52.9M    52.9M    54.0M
nobody       2        0   102.7M   102.9M   108.1M
nx           2        0   105.4M   109.0M   116.1M
gdm         26        0   198.2M   214.3M   314.0M
amavis       3        0   148.4M   220.0M   352.7M
cyrus      148        0   246.7M   248.8M   768.5M
kolab       29        0   288.5M   402.2M     1.2G
root        43        0   504.7M   551.8M   717.4M
mysql        2        0   597.3M   597.6M   600.8M
apache      24        0   715.8M   729.4M     1.1G

When the performance issues occurs it looks like (the other numbers are 
nearly the same)

cyrus       97        0   142.1M   144.4M   473.7M
kolab       29        0   179.0M   246.0M     1.3G
apache      54        0     1.5G     1.5G     2.6G

In the error message I found often looks like

stream_socket_client(): Could not connect to localhost:143: Connection 
refused in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php


kolab guam: 10:07:00.886 [error] gen_fsm <0.28450.1> in state 
passthrough terminated with reason: no function clause matching 
kolab guam: 10:07:00.886 [error] CRASH REPORT Process <0.28450.1> with 0 
neighbours exited with reason: no function clause matching 

or in iRony/errors:
Failed to write to kolab cache
DB Error: Duplicate entry for key "PRIMARY" (SQL-Query: Insert into 

or in maillog:
kolab amavis[3721]: (03721-09) prolong_timer 
ask_daemon_internal_connect: timer 10, was 282, deadline in 472.9 s
kolab amavis[3721]: (03721-09) ClamAV-clamd: Connecting to socket 
/var/spool/amavisd/clamd.sock, retry #2
kolab amavis[3721]: (03721-09) new socket by IO::Socket::UNIX to 
/var/spool/amavisd/clamd.sock, timeout set to 10
kolab amavis[3721]: (03721-09) (!)connect to 
/var/spool/amavisd/clamd.sock failed, attempt #1: Can't connect to a 
UNIX socket /var/spool/amavisd/clamd.sock: Datei oder Verzeichnis nicht 
kolab amavis[3721]: (03721-09) get_deadline ask_daemon_internal - 
deadline in 472.9 s, set to 284.000 s
kolab amavis[3721]: (03721-09) prolong_timer ask_daemon_internal: timer 
284, was 10, deadline in 472.9 s
kolab amavis[3721]: (03721-09) get_deadline run_av_5 - deadline in 472.9 
s, set to 284.000 s
kolab amavis[3721]: (03721-09) prolong_timer run_av_5: timer 284, was 
284, deadline in 472.9 s
kolab amavis[3721]: (03721-09) (!)ClamAV-clamd av-scanner FAILED: run_av 
error: Too many retries to talk to /var/spool/amavisd/clamd.sock (All 
attempts (1) failed connecting to /var/spool/amavisd/clamd.sock) at 
(eval 130) line 613.\n
kolab amavis[3721]: (03721-09) (!)WARN: all primary virus scanners 
failed, considering backups

Has anybody the same issue? What was / were the problem(s)? Which tasks 
rises up the numbers at the apache? Only kolab runs on this server.


Christian Hügel | 18 May 23:35 2016

Possible migration from 3.2 to 3.4

Good evening,

I'm still using 3.2 (multi domain as a lxc container) which runs fine so
far. I was thinking lately to migrate to 3.4. My plan is to setup a new 3.4
multidomain installation and import only the user and domain database. How
would this import look like? I could sync then all folders and mails with
rsync. Is this approach doable? Or do I have to stick with the description
in the docs? Thanks

Soliva Andrea | 12 May 12:56 2016

Kolab 3.4 on CentOS 6.6/7 with Sophos Anti-Virus and SAVDI how-to

Hi all

Probably interesting for somebody who would like to have an alternative
or an additional Antivirus Scanner for ClamAV which I use also with
SaneSecurity! There is no commercial background why I'm sending this
how-to. Instead this how-to brings with this Sophos Anti-Virus
installation as "savdi" a great possibility to scale as high-performance
because the installation can be done on a separate remote server. The
installation is small as straight ahead as can be used for any
"amavisd" Installation!

Let's start to show you how to get for a local installation which can be
easily also ported to a remote installation.

This how-to is based on CentOS 6.6 but from my point of view also for
CentOS 7

==== Installation of "Sophos Anti-Virus 9" based product ====

Prerequisite for this installation of "Sophos Anti-Virus 9" is a regular
license of:

         Sophos Server Protection (Vendor SKU WLVA1CSAA)

This license includes actually an installation for Windows, Linux or
vShield. This license is for one server. A license for one server costs
for 12 months:

         CHF 77.00 excl. VAT

This means also: The license must be renewed based on a subscription. If
the subscription is not renewed the product does not care about it, but you
do not receive virus definition database upgrades anymore. A subscription
for 12 months costs:

         CHF 77.00 excl. VAT

If you buy a license for 3 years Sophos charges you only 2 years which
means a license for 3 years costs you:

         CHF 154.00 excl. VAT

Actually the installation of "Sophos Anti-Virus 9" is very easy as it can
be done with an installation script based on ASCII-Interface. As
mentioned before you need a license for an installation because this
information (license) with a Username as Password must be entered within
the setup/installation script as the source can be officially only
downloaded with a corresponding login which you receive if you buy the
license. If you have the login/license the source is downloadable over
following link:

         NOTE There is only a i386 file not 64bit file available!

Of course the Username as Password for the license can also be entered
in a separate step (see how to do it at the end of this how-to). This
means also to test etc. you can also install the stuff without entering
the information of Username and Password but you will not receive
updates from update server! Create a temp directory and extract the 

         # cd /root
         # gzip -dc sav-linux-9-i386.tgz | tar xvf -
         # cd sophos-av
         # ./

         NOTE if you use "./install --help" you see the options which can be used for the installation! For the installation
              itself please be careful that you DO NOT use the "on-access scanner" as the "Sophos Anti-Virus GUI". The Gui
              can be deactivated if you DO NOT define a corresponding password for the access!

Lets show how the installation runs:

         --------------- ---------------

         Sophos Anti-Virus
         Copyright (c) 1989-2015 Sophos Limited. All rights reserved.

         Welcome to the Sophos Anti-Virus installer. Sophos Anti-Virus contains an on-access scanner, an on-demand command-
         line scanner, the Sophos Anti-Virus daemon, and the Sophos Anti-Virus GUI.

         On-access scanner         Scans files as they are accessed, and grants access
                                   to only those that are threat-free.
         On-demand scanner         Scans the computer, or parts of the 
         Sophos Anti-Virus daemon  Background process that provides control, logging,
                                   and email alerting for Sophos 
         Sophos Anti-Virus GUI     User interface accessed through a web 

         Press <return> to display Licence. Then press <spc> to scroll 

         NOTE You can use "Q" that you don't have to scroll through the License Agreement :-)

         Do you accept the licence? Yes(Y)/No(N) [N]
         > y

         Where do you want to install Sophos Anti-Virus? [/opt/sophos-av]
         > /opt/sophos-av

         Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
         > N

         On-access scanning disabled. Use savscan for on-demand scanning.
         Sophos Anti-Virus GUI is accessible at http://localhost:8081/ from your web browser.
         You must now enter a username/password for Sophos Anti-Virus GUI. If you enter a blank password, the Sophos Anti-
         Virus GUI will be disabled.

         Username for Sophos Anti-Virus GUI? [admin]

         Password for Sophos Anti-Virus GUI?

         If you enter a blank password, the Sophos Anti-Virus GUI will be 
         Password for Sophos Anti-Virus GUI?

         Disabling Sophos Anti-Virus GUI because no password was provided. To enable it run /opt/sophos-av/bin/savsetup
         Sophos recommends that you configure Sophos Anti-Virus to 

         It can update either from Sophos directly (requiring username/password details) or from your own server (directory or
         website (possibly requiring username/password)).

         Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]
         > s

         --------------- ---------------

         NOTE After "s" you have to enter the license information which means this Username and Password will be delivered within a
              PDF if you buy the license.

              User [Username]
              Passwort [Password]

After that final step the installation will be done in "/opt/sophos-av".
The installation adds an additional user as group to the system:

         # cat /etc/passwd | grep sophos
         sophosav:x:301:2002:Sophos Anti-virus:/opt/sophos-av:/bin/bash

         # cat /etc/group | grep sophos

The "Sophos Anti-Virus" Client can be configured over command line with
different tools. The logs can be viewed with the tool "savlog" as with
corresponding options:

         # /opt/sophos-av/bin/savlog --help
         savlog: Display the Sophos Anti-Virus log
         Usage: savlog [OPTION] ...
           --help               Display this help information
           --version            Display the version and copyright 
           --lang-neutral       Export the log in a language neutral XML 
           --utc                Display the time and date in UTC
           --today              Restrict log messages to those in the last 24 hours
           --maxage=NUMBER      Restrict log messages to those in the last 24 * NUMBER
           --after=NUMBER       Restrict log messages to those NUMBER seconds after
                                  1 January 1970 00:00:00.00
           --after=HH:MM[:SS]   Restrict log messages to those after the given time today
           --before=NUMBER      Restrict log messages to those before NUMBER seconds
                                  after 1 January 1970 00:00:00.00
           --before=HH:MM[:SS]  Restrict log messages to those before the given time
           --category=STRING    Restrict log messages to those whose category starts
                                  with STRING
           --systemLog          Display the syslog (/var/log/messages) rather than the
                                  product log
           --namedscan=NAME     Display log messages for the specified named scan
           --noHeader           Don't display column headings
           -N                   Restrict log messages to N most recent 

Remember the logs can be viewed with "savlog" but it does not configure
your logs. Let's say we would like to see the logs in Time UTC as Logs
for the last 7 days:

         # /opt/sophos-av/bin/savlog  --utc --maxage=7

Check if the "On-Access scanner" is not active. This is absolutely
important and fundamental. Please do not use the "On-Access scanner":

         # /opt/sophos-av/bin/savdstatus --verbose
         Sophos Anti-Virus daemon is active
         On-access scanning is not running

If you need this "On-Access scanner" for any reason you can activate it 
with the below command but please be aware that you DO NOT USE it for 
our "amavisd" installation:

         # /opt/sophos-av/bin/savdctl disable

The configuration for "Sophos Anti-Virus" is located in the directory
"/opt/sophos-av/etc" within the file "savd.cfg". This file is an XML
formatted file and can be directly edited but easier is to use the
corresponding command line tool called "savconfig":

         # /opt/sophos-av/bin/savconfig --help
         savconfig: Configure Sophos Anti-Virus
         Usage: savconfig [OPTION] ... [OPERATION] [PARAMETER] [VALUE]
           --[no]append        Set append mode
           --[no]lock          Prevent override by user
           -u, --user          Access the User layer
           -c, --corporate     Access the Corporate layer
           -U, --consoleupdate Access the Console Update Policy layer
           -A, --consoleav     Access the Console Anti-virus Policy layer
           -s, --sophos        Access the Sophos layer
           -f, --configfile    Use alternative configuration file
           -v, --all           Display values of, or help for, basic 
           --advanced          Display values of, or help for, advanced 

           -F, --readfromfile  Substitute argument with value read from 

           set                 Set a parameter
           update              Update a named scan
           add                 Append a value to a list parameter
           remove              Remove a value from a list parameter
           delete              Remove a parameter
           query/get           Output the value of a parameter
           help                Display this help information

         The query operation can be used without parameters to list all 
         The help operation can provide further information on any parameter that you
         specify, or on all parameters when you combine the operation with the '-v' or
         '--all' option.

For more information have a look to the installation guide:


If you like to see the current configuration of "Sophos Anti-Virus" use 
following command:

         # /opt/sophos-av/bin/savconfig --all
         Email: root <at> localhost
         EmailDemandSummaryIfThreat: true
         EmailLanguage: English
         EmailNotifier: true
         EmailServer: localhost:25
         EnableOnStart: false
         ExclusionEncodings: UTF-8
         LogMaxSizeMB: 100
         NotifyOnUpdate: false
         PrimaryUpdateSourcePath: sophos:
         PrimaryUpdateUsername: XGJ439H5TX
         PrimaryUpdatePassword: ********
         SendErrorEmail: true
         SendThreatEmail: true
         UINotifier: true
         UIpopupNotification: true
         UIttyNotification: true
         UpdatePeriodMinutes: 60
         NamedScans Not configured
         LiveProtection: enabled
         ScanArchives: mixed

For our installation we will configure some stuff like disable Email
notification as Update interval etc.:

         # /opt/sophos-av/bin/savconfig set EmailNotifier disabled
         # /opt/sophos-av/bin/savconfig set SendErrorEmail false
         # /opt/sophos-av/bin/savconfig set SendThreatEmail false
         # /opt/sophos-av/bin/savconfig set UINotifier disabled
         # /opt/sophos-av/bin/savconfig set UpdatePeriodMinutes 180
         # /opt/sophos-av/bin/savconfig set LogMaxSizeMB 15
         # /opt/sophos-av/bin/savconfig set LiveProtection false
         # /opt/sophos-av/bin/savconfig set DisableFeedback true

As mentioned already this configuration will be written directly to 
"/opt/sophos-av/etc/savd.cfg". After using the commands before check 
again the current config:

         # /opt/sophos-av/bin/savconfig --all
         Email: root <at> localhost
         EmailDemandSummaryIfThreat: true
         EmailLanguage: English
         EmailNotifier: true
         EmailServer: localhost:25
         EnableOnStart: false
         ExclusionEncodings: UTF-8
         LogMaxSizeMB: 15
         NotifyOnUpdate: false
         PrimaryUpdateSourcePath: sophos:
         PrimaryUpdateUsername: [Your Username]
         PrimaryUpdatePassword: ********
         SendErrorEmail: false
         SendThreatEmail: false
         UINotifier: true
         UIpopupNotification: true
         UIttyNotification: true
         UpdatePeriodMinutes: 180
         NamedScans Not configured
         LiveProtection: enabled
         ScanArchives: mixed

With below command you can force - if you have entered the license
information - a manual Update of the "Sophos Anti-Virus" Engine as 

         # /opt/sophos-av/bin/savupdate

The installation itself installed scripts for start/stop within the 
directory "/etc/init.d/". Please adjust the rights of the script:

         # chmod 755 /etc/init.d/sav-*

For testing purpose you can now start the first time the "Sophos 
Anti-Virus" without "Gui" as with deactivated "On-Access scanner":

         # /etc/init.d/sav-protect start

Check if the daemon is running:

         # ps -ef | grep savscand
         root     12288 12250  0 13:15 ?        00:00:00 savscand --namedscan=unix://root <at> tmp/namedscansprocessor.0 

If you have problems check the logs:


I prefer to have logs in "/var/log" instead of above directory. We move
logs to "/var/log":

         # /etc/init.d/sav-protect stop
         # mv /opt/sophos-av/log /var/log/sophos-av
         # ln -s /var/log/sophos-av/ /opt/sophos-av/log
         # /etc/init.d/sav-protect start

The installation of "Sophos Anti-Virus" is done but we are not finished 
to use it with "amavisd". Please go ahead with the next step!

==== Installation of "savdi" Interface (SSSP/ICAP) for "Sophos 
Anti-Virus 9" ====

The "savdi" Interface is from one point of view based on SSSP (Port
4010) as ICAP (4020). This means from communication point of view also
following: "amavisd" will communicate with "" with the
"savdi" Interface and this interface will forward the information to
"Sophos Anti-Virus" to the "ICAP" Interface which means
"". Because of these communication interfaces it is
possible to install the "savdi" interface on a separate server and use
server IP's instead of "". In this way you can reach a high
scale as higher performance. This how-to proceeds with the local
installation of "savdi" which means "Sophos Anti-Virus" as "savdi" are
both installed on the Kolab server. By the way both are using minimum of
memory and resources from this point of view no problem. To install
"savdi" you have to download the source from Sophos:

If you run the installation script (./ without 
parameters the stuff will be installed in following directories:


I do not like to have this stuff within these directories which means we
will use a PREFIX. If you do so you have to be careful about PATH
variables which must be covered. We will install the "savdi" prog to
"/opt/sophos-savdi". For this we need some manually created directories as
soft link (to cover PATH variable):

         NOTE Please use the correct file for the installation which means if you use on a 32bit the 64bit file or the other way
              around you will receive an error regarding "". Because the "Sophos Anti-Virus" was done with 32bit we
              use 32bit file!

         # mkdir /opt/sophos-savdi
         # mkdir /opt/sophos-savdi/lib

         # ln -s /opt/sophos-av/lib/ /usr/lib/
         # ln -s /opt/sophos-av/lib/ /usr/lib/
         # ln -s /opt/sophos-av/lib/ 

Create a temporary directory as extract the source and run installation 
with the PREFIX (use "./ -h" to see Options for 

         # cd /root
         # mkdir /root/savdi
         # cd /root/savdi
         # tar xvf savdi-23-linux-32bit.tar
         # cd /root/savdi-install
         # ./ -v -d /opt/sophos-savdi

Let's see how the installation runs:

         --------------- ---------------

         Sophos Anti-Virus SAVI daemon installation utility [Linux/Intel]
         Copyright (c) 2006-2015 Sophos Limited, Oxford, England

         Reading installation text

         Checking libraries are installed
         libsavi: /usr/lib/
         Checking virus data is installed
         Virus data: /opt/sophos-av/lib/sav

         Binaries will be installed in '/opt/sophos-savdi/bin'
         Message text will be installed in '/opt/sophos-savdi/savdi'

         SAVI daemon will be installed

         ===> Installing binaries
         Created directory /opt/sophos-savdi/bin
         savdid copied to /opt/sophos-savdi/bin/savdid

         ===> Installing messages
         Created directory /opt/sophos-savdi/savdi
         savdidlang_en.txt copied to 
         /var/tmp/savdid.conf copied to 

         ===> Checking paths are accessible
         Warning: $PATH does not include /opt/sophos-savdi/bin
                  To run Sophos Anti-Virus you need to set environment variable $PATH so
                  that it includes /opt/sophos-savdi/bin.

         Warning: Virus data found at /opt/sophos-av/lib/sav
                  The SAVI daemon may fail to find the virus data unless you update its
                  configuration file (savdid.conf) with the location of the virus data.
         Some environment variables may need to be set on your system. To make these
         settings permanent, add them to your login script or profile; to make these
         settings systemwide, amend /etc/login or /etc/profile.

         --------------- ---------------

We have some warnings about PATH which can be solved easy with following 

         # ln -s /opt/sophos-savdi/savdi/ /usr/local/savdi
         # ln -s /opt/sophos-savdi/bin/savdid /usr/local/bin/savdid

Now "savdi" can be/must be configured with the file "savdid.conf". Let's 
make a copy of the original file first:

         # cp -p /opt/sophos-savdi/savdi/savdid.conf 

Now you can configure "savdi" like shown below but please go through the
config to look if it covers your need. This has to be done also
specially for remote server installation to cover such an installation.
There is also a documentation on "savdi" which explains the different
configuration points:

         SAVDI for dummies.docx

         # vi /opt/sophos-savdi/savdi/savdid.conf

         --------------- /opt/sophos-savdi/savdi/savdid.conf 

         # Sample configuration file for use on *nix systems

         # The name of a file to hold the process ID
         # Only used when running in daemon mode
         # Default is /var/run/

         pidfile: /export/kolab/spool/amavisd/sssp.sock

         # User name and group for daemon to switch to for normal running
         # savdi must be running as root for this to be useful
         user: amavis
         group: amavis

         # No of worker threads to start up
         # Normally should be at least the maximum no of clients
         # Default is 3
         threadcount: 3

         # Maximum no of connections/sessions to queue up
         # Further connections will be rejected
         maxqueuedsessions: 3

         # Where to find the virus data if it is held somewhere other than normal
         # These options can be specified under the savi configuration but that
         # is not advised.

         # NB The following two lines may be modified by the *nix install 
         virusdatadir: /opt/sophos-av/lib/sav
         idedir: /opt/sophos-av/lib/sav

         #virusdataname: vdl

         # What to do when the daemon must exit
         # Options are:-
         #     DONTWAIT (just exit now!)
         #     REQUEST  (wait for current requests to complete)
         #     SESSION  (wait for current sessions to complete)
         # Case 1) An exception has occurred and operation could be 
         onexception: REQUEST

         # Case 2) A request has been made for it to exit
         # If there are long running sessions then REQUEST should be 
         onrequest: REQUEST

         log {
             # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}

             type: FILE

             # Where to write the log files (if FILE is selected)
             logdir: /var/log/savdi/

             # Specify the level of logging required
             # 0 = errors+threats
             # 1 = (0) + process events
             # 2 = (1) + session events
             # Default is 2

             loglevel: 2

         # Define a IP channel for localhost

         channel {

                 # Send to the log requests received from clients
                 # For debugging. Default: NO
                 # logrequests: YES

                  logrequests: YES
             commprotocol {
                 type: IP

                 # IP Address to listen on, default is (any)
                 port: 4020

                 # Subnet of acceptable client IP addresses.
                 # Default is to accept from any client.

                 # idle timeout in secs when waiting for a request
                 # 0 is forever. Default: 0
                 requesttimeout: 120

                 # timeout in secs between characters when sending data
                 sendtimeout: 2

                 # idle timeout in secs between characters when receiving 
                 recvtimeout: 10

             service {
                 # The name of the service, arbitrary as long as the 
                 # uses the same name.
                 name: sophos

                 # The type of service, for now can only be avscan
                 type: avscan

                 scanprotocol {
                     # The type of protocol in use. Can only be ICAP.
                     type: ICAP

                     # Version of the configuration for this service.
                     # Update when changes are made that may alter the
                     # result returned to the client. Default: XXX
                     version: 1.02

                     # Objects sent for scanning can be retained if they 
                     # infected or cause the service a problem. Allowed 
                     # are NONE, MALWARE, PROBLEM, ALL. ALL meaning both
                     # MALWARE and PROBLEM. Default: NONE
                     # retain: NONE

                     # A list of file extensions for files which the 
                     # should not send to this server. The list is sent 
                     # to the client. See ICAP Transfer-Ignore header. A
                     # Transfer-Complete: * header is automatically 
                     # Default is none.
                     # dontsend: .jpg, .gif, .bmp, .tiff

                     # 204 is the ICAP code indicating that the object
                     # sent for processing is unmodified and OK and will
                     # not be returned to the client. Default: NO
                     # allow204: NO

                     # Don't automatically close the connection after a
                     # transaction. Default: NO
                     keepalive: YES

                     # Maximum permitted size, in bytes, of the body in a 
                     # Zero is no limit. Default: 0
                     # maxbodysize: 0

                     # Maximum amount of memory, in bytes, to use for an object, before
                     # putting it into a temporary file. Default: 1000000
                     #maxmemorysize: 1024

                     # Maximum size of the chunks, in bytes, for returned data, 0 is
                     # no maximum. Default: 0
                     # maxchunksize: 0

                     # Where to place and name temporary files
                     # Default: <standard temp directory>/SAVDI_
                     # On *nix systems: /var/tmp/SAVDI_
                     # tmpfilestub: /var/tmp/savdi/files/icap_

                     # The block-* options determine what to do with 
                     # that result in some sort of error.

                     # Any of these files may be infected.

                     # NB Files identified as malware are always blocked.

                     # Treat zip-bombs as malignant. Zip-bombs are 
                     # files that have many files which are vary highly
                     # compressed. They are intended to either deny use 
                     # a scanner by keeping it occupied for excessive 
                     # or use excessive resources, such as disc space on 
                     # end-point. Default: YES
                     block-bombs: YES

                     # Block encrypted files. Encrypted files cannot be 
                     # and may harbour malware. Default: NO
                     block-encrypted: NO

                     # Block corrupt files. Some files are simply corrupt, others
                     # may not conform to the standard, or one of its 
                     # variants, but may still be usable. Default: NO
                     block-corrupt: NO

                     # Block timeouts. It took too long to scan the file 
                     # the scan was terminated early. (See the 
                     # option in the scanner section.) Default: YES
                     block-timeouts: NO

                     # The AV engine returned some other error. Scanning of the
                     # file possibly did not complete. Default: YES
                     block-errors: NO

                     # The AV engine caused an exception. Exceptions can 
                     # considered as errors that were not caught in time.
                     # Scanning of the file did not complete. Default: 
                     block-exceptions: NO

                     # At least one client (c-icap) seems to always expect a
                     # body, even an empty one. Default: NO
                     # forceemptybody: YES

                 scanner {
                     # See the SAVDI documentation for details for 
                     # SAVI

                     type: SAVI
                     inprocess: YES

                     # Turn on auto-stop, ie zip-bomb detection
                     savists: enableautostop 1

                     # Turn on most of the other options
                     savigrp: grpsuper 1

                     # Limit the time taken to scan a file to this number of seconds
                     # Zero is forever. Default: 0
                     # maxscantime: 0

             # Other services with different configurations can be 

         #    service {
         #        name: sophosdef
         #        type: avscan
         #        scanprotocol {
         #            type: ICAP
         #            keepalive: YES
         #            allow204: NO
         #            maxmemorysize: 1000000
         #            maxchunksize: 1000
         #        }
         #        scanner {
         #            type: SAVI
         #            inprocess: YES
         #        }
         #    }

         # Define an IP channel for SSSP

         channel {

             commprotocol {
                 type: IP

                 # IP Address to listen on, default is (any)

                 port: 4010

                 # Subnet of acceptable client IP addresses


                 # idle timeout in secs when waiting for a request
                 # 0, the default, is forever
                 requesttimeout: 120

                 # timeout in secs between characters when sending data
                 sendtimeout: 2

                 # idle timeout in secs between characters when receiving 
                 recvtimeout: 5

                     scanprotocol {
                         type: SSSP

                         # Do we allow the client to use SCANFILE?
                         allowscanfile: SUBDIR

                         # Do we allow the client to use SCANDATA?
                         allowscandata: YES

                         # If SCANDATA is allowed:-
                         # maximum amount of data, in bytes, the client can send
                         maxscandata: 500000
                 # maximum amount, in bytes, to be held in memory before using a temp file
                 maxmemorysize: 250000
                 # path name and stub for generating temp file names.
                 tmpfilestub: /tmp/savid_tmp

                 # Log each request made by a client?
                 # logrequests: YES

             scanner {
                 # type and inprocess can only be SAVI and YES for now
                 type: SAVI
                 inprocess: YES

                 # Max time to be allowed for scanning a single file
                 maxscantime: 3

                 # Max time in seconds to be allowed to complete a 
                 maxrequesttime: 10

                 # Deny scanning of /dev and my home directory
                 # except for the test directory, Everything else
                 # is allowed
                 # If deny is used then everything else is allowed unless
                 # explicitly denied
                 # If allow is used then everything else is denied unless
                 # explicitly allowed.
                 # If a directory tree is allowed, sub-trees may be 
                 # denied, but the converse is not true. If a directory 
                 # is denied it is not possible to allow subtrees.

                 deny: /dev
                 deny: /home
         #        allow: /home/specialuser

                 #Some SAVI/Engine options
                 savigrp: GrpArchiveUnpack 0
                 savigrp: GrpInternet 1
                 savists: Xml 1

         --------------- /opt/sophos-savdi/savdi/savdid.conf 

Within the config a log directory is defined which does not 
exist. Please create this log directory:

         # mkdir /var/log/savdi/
         # chown vscan:vscan /var/log/savdi
         # chmod 755 /var/log/savdi

No start/stop script is installed for "savdi". But the "savdi" 
binary has some options which can be used to create a start/stop script:

         # /opt/sophos-savdi/bin/savdid -h
         Usage: savdid [-d] [-c CONFIG_FILE] [-f PIDFILE] [-l] [-V] [-p] 
         -d will run savdid as a daemon
         -c use the CONFIG_FILE configuration file.
         -f to specify the file to use to hold the active PID.
         -l log to CONSOLE.
         -V print Version information and exit.
         -p print configuration help and exit.
         -s suppresses the initial version and copyright info.

Referring to these options, you can test "savdi" to verify that all is 
working fine:

         # /opt/sophos-savdi/bin/savdid -l -c 
         SAV Dynamic Interface 2.3.0
         Copyright 2000-2015 Sophos Limited. All rights reserved
         151217:131053 00034407 Process starting
             PID: 11898

The option "l" starts "savdi" not as a daemon but instead within the 
"console". Stop "savdi" with:

         Ctrl + C

If you verified all, you can start "savdi" as a daemon with following 

         # /opt/sophos-savdi/bin/savdid -d -s -c 

Check the start within the log file:

         # ls -la /var/log/savdi/

Check if the "savdi" daemons are up and running:

         # ps -ef | grep savdid
         root     12014     1  0 13:12 ?        00:00:00 /opt/sophos-savdi/bin/savdid -d -s -c 
         vscan    12015 12014 35 13:12 ?        00:00:06 /opt/sophos-savdi/bin/savdid -s -c /opt/sophos-savdi/savdi/savdid.conf 

Check if the SSSP as well as the ICAP interface are available:

         # netstat -an | grep 4010
         tcp        0      0    *        

         # netstat -an | grep 4020
         tcp        0      0      *        

Check if the pid file is created and exists in the right place:

         # ls -la /export/amavis/sssp.sock
         -rw-r--r-- 1 root root 5 Dec 17 13:20 /export/amavis/sssp.sock

Now start the "Sophos Anti-Virus" client:

         # /etc/init.d/sav-protect start
         Starting Sophos Anti-Virus daemon: [  OK  ]

Now you can integrate "savdi" within "amavisd" as primary scanner, with the command line scanner as backup scanner (local only, 
no remote server support):

         # vi /opt/amavisd-2.10.1/etc/amavisd.conf

         --------------- /opt/amavisd-2.10.1/etc/amavisd.conf 

          @av_scanners = (

          ['Sophos-SSSP',  # SAV Dynamic Interface
            \&ask_daemon, ["{}", 'sssp:[]:4010'],
            qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],

          );

          @av_scanners_backup = (

           ['Sophos Anti Virus (savscan)',   # formerly known as 'sweep'
             ['/opt/sophos-av/bin/savscan', 'savscan'],  # 'sweep'
             '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
             '--no-reset-atime {}',
             [0,2], qr/Virus .*? found/m,
             qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
           ],
           # other options to consider: -idedir=/usr/local/sav
           # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD).
           # Make sure the correct 'sweep' is found in the path if using the old name.

          );

         --------------- /opt/amavisd-2.10.1/etc/amavisd.conf 

Do a restart of "amavisd" so that our config becomes active:

         # service amavisd restart

Check the logs of "amavisd" to see if our primary scanner as well as the backup scanner 
is recognized by "amavisd":

         # tail -f /var/log/amavisd/amavis.log
         Dec 17 13:25:01 /opt/amavisd-2.10.1/sbin/amavisd[12353]: Using primary internal av scanner code for Sophos-SSSP
         Dec 17 13:25:01 /opt/amavisd-2.10.1/sbin/amavisd[12353]: Found secondary av scanner Sophos Anti Virus (savscan) at /opt/sophos-av/bin/savscan

Now you can test the scan on the command line with the EICAR test string, 
which means: create a txt file on the command line, add the EICAR test 
string and send it as a mail to a mailbox:

         # echo [EICAR Test String] > /export/sysop/virus.txt
         # cat /export/sysop/virus.txt | /usr/sbin/sendmail user <at>

Check in realtime the logs for "amavisd":

         # tail -f /var/log/amavisd/amavis.log
         Dec 17 14:00:51 /opt/amavisd-2.10.1/sbin/amavisd[12845]: (12845-01) run_av 
         Dec 17 14:00:51 /opt/amavisd-2.10.1/sbin/amavisd[12845]: (12845-01) virus_scan: (EICAR-AV-Test), detected by 1 scanners: Sophos-SSSP

Also check in realtime the logs for "savdid":

         # tail -f /var/log/savdi/[date of day log]

If all is fine create a start/stop script for "savdi":

         # vi /etc/init.d/savdid

         --------------- /etc/init.d/savdid ---------------

         #!/bin/sh
         # savdid        This shell script takes care of starting and 
         #               savdid.

         case "$1" in
             start)
                 echo "Starting savdid in port 4010 / 4020: "

                 /opt/sophos-savdi/bin/savdid -d -s -c 

                 echo "savdid was started in port 4010 / 4020: "
                 ;;
             stop)
                 echo "Shutting down savdid in port 4010 / 4020: "

                 # the file holds the active PID of savdid
                 kill `cat /export/amavis/sssp.sock`

                 echo "savdid was terminating in port 4010 / 4020: "
                 ;;
             restart)
                 echo "Restart savdid in port 4010 / 4020: "

                 kill -HUP `cat /export/amavis/sssp.sock`

                 echo "savdid was restarted in port 4010 / 4020: "
                 ;;
             *)
                 echo "Usage: $0 savdid { start | stop | restart }"
                 exit 1
                 ;;
         esac
         exit 0

         --------------- /etc/init.d/savdid ---------------

Check the rights for the start script:

         # chown root:root /etc/init.d/savdid
         # chmod 755 /etc/init.d/savdid

Create corresponding entries within the RC levels so that "savdid" will be 
started automatically when the server is started:

         # cd /etc/rc0.d/
         # ln -s  ../init.d/savdid /etc/rc0.d/K87savdid
         # cd /etc/rc1.d/
         # ln -s  ../init.d/savdid /etc/rc1.d/K87savdid
         # cd /etc/rc3.d/
         # ln -s  ../init.d/savdid /etc/rc3.d/S13savdid
         # cd /etc/rc6.d/
         # ln -s  ../init.d/savdid /etc/rc6.d/K87savdid

Test the start/stop script:

         # /etc/init.d/savdid stop | start | restart

Check the logs of "savdid" regarding stop/start:


Keep in mind that you always need to start "sav-protect" first and 
afterwards "savdid", which means also:

         # /etc/init.d/savdid stop
         # /etc/init.d/sav-protect stop

         # /etc/init.d/sav-protect start
         # /etc/init.d/savdid start

==== "Renew Subscription" for "Sophos Anti-Virus 9" ====

If you need to renew the license subscription, the username and password 
must be entered anew in the config, which means:

         # /opt/sophos-av/bin/savconfig --all
         Email: root <at> localhost
         EmailDemandSummaryIfThreat: true
         EmailLanguage: English
         EmailNotifier: true
         EmailServer: localhost:25
         EnableOnStart: false
         ExclusionEncodings: UTF-8
         LogMaxSizeMB: 15
         NotifyOnUpdate: false
         PrimaryUpdateSourcePath: sophos:
         PrimaryUpdateUsername: [Username]
         PrimaryUpdatePassword: ********
         SendErrorEmail: false
         SendThreatEmail: false
         UINotifier: true
         UIpopupNotification: true
         UIttyNotification: true
         UpdatePeriodMinutes: 180
         NamedScans Not configured
         LiveProtection: enabled
         ScanArchives: mixed

Now set the username and password for the license with the corresponding 
parameters "PrimaryUpdateUsername" and "PrimaryUpdatePassword":

         # /opt/sophos-av/bin/savconfig set PrimaryUpdateUsername [New username for subscription]
         # /opt/sophos-av/bin/savconfig set PrimaryUpdatePassword [New password for subscription]

         # /etc/init.d/savdid stop
         # /etc/init.d/sav-protect stop

         # /etc/init.d/sav-protect start
         # /etc/init.d/savdid start

Hope you enjoy this how-to and it probably helps you to get an additional 
Antivirus Scanner to the Kolab Installation you need a scalable 


Kind regards


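An added example, not part of the how-to above and not Sophos or amavisd code: a small audit of the block-* settings in a savdid.conf-style file, comparing each active value with the default named in the comment above it. The function name, the verdict wording and the shortened sample excerpt are assumptions made for this illustration; the option names and values are the ones posted.

```python
import re

# Constructed excerpt in the layout of the savdid.conf quoted above: comment
# text shortened, option values as posted. The last "Default:" is cut off on
# the page and is left cut off here.
SAMPLE_CONF = """\
# Treat zip-bombs as malignant. Default: YES
block-bombs: YES

# Block encrypted files. Default: NO
block-encrypted: NO

# Block timeouts. Default: YES
block-timeouts: NO

# The AV engine returned some other error. Default: YES
block-errors: NO

# The AV engine caused an exception. Default:
block-exceptions: NO

# forceemptybody: YES
"""

DEFAULT_RE = re.compile(r"Default:\s*(YES|NO)\b")
OPTION_RE = re.compile(r"^(block-[a-z]+):\s*(YES|NO)$")


def audit_block_options(conf_text):
    """Map each active block-* option to (value, documented default, verdict)."""
    report = {}
    default = None  # default named in the comment block above the option
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            found = DEFAULT_RE.search(line)
            if found:
                default = found.group(1)
            continue
        option = OPTION_RE.match(line)
        if option:
            name, value = option.groups()
            if value == "YES":
                verdict = "blocked"
            elif default == "YES":
                verdict = "passed, weaker than documented default"
            elif default == "NO":
                verdict = "passed, documented default"
            else:
                verdict = "passed, default not stated"
            report[name] = (value, default, verdict)
        default = None  # a blank line or any setting ends the comment block
    return report


if __name__ == "__main__":
    for name, (value, default, verdict) in audit_block_options(SAMPLE_CONF).items():
        print(f"{name:17} {value:3} default={default} -> {verdict}")
```

On the posted values this reports block-timeouts and block-errors as set below their documented defaults, so files whose scan timed out or ended in an engine error are not blocked by that channel.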
Gerald Brandt | 11 May 16:09 2016

Upgrade 3.4 to 14 on Ubuntu


I'm running 3.4 on Ubuntu 14.04. It looks like Kolab 14 is a safe 
upgrade, but I'm not sure.

Are there instructions for upgrading 3.4 to 14 on Ubuntu (or Debian 7, I 

Pasi Kärkkäinen | 11 May 15:43 2016

Upgrading from Kolab 3.3 el7

Hello list,

I'm currently running Kolab 3.3 on CentOS 7. What's the "best practice" for updating the system? Should I
first upgrade to Kolab 3.4, and then to Kolab 16 ? Or can I upgrade directly from 3.3 -> 16 ?

Did anyone try that? 

I assume going first from 3.3 to 3.4 would be less error prone.. 


-- Pasi
Tardif, Christian | 10 May 17:40 2016

CalDAV / CardDAV url

Recently I removed the web proxy that I used to have in front of my webserver, as I was having problems with CalDAV / CardDAV. With the web proxy in place, the URLs that roundcubemail was giving used to be http:// URLs.
Now that the proxy is removed and that I've set up apache to answer to httpd directly, I can see that some URLs are now https:// (like R/O Calendar URL) but still http:// for some others (R/W CalDAV, and CardDAV).
I think this may be an issue. If, for whatever reason, the URL returned by the server to the client is HTTP instead of HTTPS, the client will try to update through HTTP and then receive a 302 error msg, which could be seen by the client as a service unavailable (the issue I'm having since my migration to Kolab 16). Can it be?
So how do I modify the URLs shown in roundcube to make sure they are HTTPS?

Christian Tardif
christian.tardif <at>

Please consider the environment before printing this message.


kolab.user | 6 May 02:08 2016

OSX iCal connection

Several months ago there was a thread with the same subject. Back in
4.3 time I had all working but neglected to write down required workarounds. Now, fresh in pristine
Kolab_16, after following the secure HOWTO and the multi domains HOWTO, iOS devices have no problems
whatsoever; however, the latest OSX is not working.

Instructions offered in don't help.

If I use account type Automatic then in log file:

"PROPFIND /.well-known/carddav HTTP/1.1" 405 245
"PROPFIND / HTTP/1.1" 405 226
"PROPFIND /principals/ HTTP/1.1" 405 237

and "Unable to verify account name or password" error

If I use account type Manual and specify server address as the configuration
dialog completes, in log file I see 

"PROPFIND /iRony HTTP/1.1" 301 238
"PROPFIND /iRony/ HTTP/1.1" 401 291
user <at> "PROPFIND /iRony/ HTTP/1.1" 207 637
user <at> "OPTIONS /iRony/principals/ HTTP/1.1" 200 -
user <at> "PROPFIND /iRony/principals/ HTTP/1.1" 207 1319
user <at> "PROPFIND /iRony/addressbooks/ HTTP/1.1" 207 3676
user <at> "PROPFIND /.well-known/carddav HTTP/1.1" 405 245
user <at> "PROPFIND / HTTP/1.1" 405 226
user <at> "PROPFIND /principals/ HTTP/1.1" 405 237
user <at> "PROPFIND /.well-known/carddav HTTP/1.1" 405 245

and contacts list is empty

If I use account type Advanced and specify full URL listed in Show CardDAV URL menu I don't see .well-known in
server log but address book is still empty in Contacts application.

Has anyone been able to get Contacts and Calendar working in the latest OSX?
Gregor Adamczyk | 5 May 06:34 2016

guam crashes

Dear list members,

guam crashes often; that seems to be a fact.

Imap stops working and nobody can receive mails until a restart.

So my temporary solution is to modify:

vi /usr/lib/systemd/system/guam.service

and add:


Does somebody have a better idea to deal with the GUAM instability?

-- With best regards, Gregor Adamczyk