The Best Open Source Email & Collaboration Software

Administration tip #1: How to run WebApp on a separate web server

This blog post is a part of a blog post series about tips and tweaks for a Zarafa server. These tips should make the life of any Zarafa installation just a little bit more secure and stable.

An often asked question at support is “Does my ZCP server allow me to run WebApp on a separate (virtualized or not) webserver?” In my opinion, this is actually a smart question. I will explain why and how you could move WebApp to a separate server.

(A 5 minute read).

Why should I think about running WebApp on a separate webserver?

An email server needs to be stable and secure. That’s a no-brainer for you and me: it does happen unfortunately too often that your infrastructure is assaulted by third parties. I will give two examples of cases that I’ve seen happening at customers:

  1. Intruders try to hack your system(s) to allow themselves access to files and other valuable business information.
  2. Uninvited guests organize a series of many DOS attacks.

How could a separate webserver for WebApp help me?

Let’s go back to the scenarios explained above. In the first scenario, traditionally you would want to have your externally reachable webserver in a separate (strictly locked-down) DMZ-Zone. This ensures that – in case someone successfully hacks your server – he will only get access to the webserver and not to the whole Zarafa server environment. Of course he could then potentially access the internal port to the internal servers but those are traditionally locked down well by us (port 236/237).

In scenario two, someone is repeatedly DOS’ing you which puts your Zarafa environment in danger. Again, when you run WebApp on a separate server, only THAT server will be impacted. Your Zarafa environment will remain to work while you work on the solution.

Ok, I am convinced. What to do next?

That’s great to hear. Now I need to put my money where my mouth is:

  • Install the following Zarafa packages in addition to Apache:
    • php5-mapi
    • zarafa-client
    • zarafa-libs
    • zarafa-webapp
    • zarafa-contacts
  • Modify the /etc/zarafa/webapp/config.php file. For example:


    This config line will let the Zarafa server connect unencrypted at

  • Last but not least: it is also recommended to enable the following apache modules as stated in the zarafa-webapp apache config:
    • expires_module
    • headers_module
    • setenvif_module
    • deflate_module

And you’re done! Didn’t hurt that much, right? I would like to point out one last thing though: please remember that security is a mindset. Following these tips is not enough. But you did make your groupware environment just a little bit more secure and that is always a smart thing to do if you would ask me.



Post new comment


Jobs at Zarafa

View zarafa tour 2013 video

Zarafa customers