Use Z-Push from official upstream repos. Configure imap, caldav, carddav backends properly for nextcloud. Using Z-Push Autodiscover.

roles/mailserver/defaults/main.yml

@@ -21,7 +21,4 @@ virtual_domains: []
 mail_virtual_users: []
 mail_virtual_aliases: []
 
-# zpush
-zpush_version: 2.1.1-1788
-# common_timezone is a sovereign variable
-zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"
+zpush_timezone: "{{ common_timezone | default('Etc/UTC') }}"

roles/mailserver/files/etc_apache2_conf.d_z-push.conf

@@ -1,7 +0,0 @@
-Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
-<Directory /usr/share/z-push>
-    php_flag magic_quotes_gpc off        
-    php_flag register_globals off        
-    php_flag magic_quotes_runtime off        
-    php_flag short_open_tag on    
-</Directory>

roles/mailserver/tasks/z-push.yml

@@ -1,64 +1,93 @@
-- name: Install required packages for z-push (PHP5 variant)
-  apt: pkg={{ item }} state=present
-  with_items:
-    - php-soap
-    - php5
-    - php5-cli
-    - php5-imap
-  when: (ansible_distribution_release != "xenial" and ansible_distribution_release != "bionic" and ansible_distribution_release != "stretch")
-  tags:
-    - dependencies
+---
+# Installs and configures the Z-Push "ActiveSync" push notifications.
 
-- name: Install required packages for z-push
-  apt: pkg={{ item }} state=present
-  with_items:
-    - php-soap
-    - php
-    - php-cli
-    - php-imap
-  when: (ansible_distribution_release == "xenial" or ansible_distribution_release == "bionic" or ansible_distribution_release == "stretch")
+- name: Ensure repository key for Z-Push is in place
+  apt_key:
+    url=http://repo.z-hub.io/z-push:/final/Debian_9.0/Release.key
+    state=present
   tags:
     - dependencies
 
-- name: Download z-push release
-  get_url:
-    url=http://download.z-push.org/final/2.1/z-push-{{ zpush_version }}.tar.gz
-    dest=/root/z-push-{{ zpush_version }}.tar.gz
-
-- name: Decompress z-push source
-  unarchive: src=/root/z-push-{{ zpush_version }}.tar.gz
-             dest=/root copy=no
-             creates=/root/z-push-{{ zpush_version }}
-
-- name: Create /usr/share/z-push
-  file: state=directory path=/usr/share/z-push
-
-- name: Copy z-push source files to /usr/share/z-push
-  shell: cp -R z-push-{{ zpush_version }}/* /usr/share/z-push/ chdir=/root
+- name: Add Z-Push repository
+  apt_repository:
+    repo="deb http://repo.z-hub.io/z-push:/final/Debian_9.0/ /"
   tags:
-    - skip_ansible_lint
+    - dependencies
 
-- name: Remove downloaded, temporary z-push source files
-  shell: rm -rf z-push* chdir=/root
+- name: Install Z-Push
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - z-push-common
+    - z-push-backend-combined
+    - z-push-backend-imap
+    - z-push-backend-carddav
+    - z-push-backend-caldav
+    - z-push-ipc-sharedmemory
+    - z-push-config-apache
+    - z-push-autodiscover
   tags:
-    - skip_ansible_lint
+    - dependencies
 
-- name: Ensure z-push state and log directories are in place
-  file: state=directory path={{ item }} owner=www-data group=www-data mode=0755
+- name: Ensure Z-Push state and log directories are in place
+  file:
+    state=directory
+    path={{ item }}
+    owner=www-data
+    group=www-data
+    mode=0755
   with_items:
     - /data/zpush-state
     - /var/log/z-push
   notify: restart apache
 
-- name: Copy z-push's config.php into place
-  template: src=usr_share_z-push_config.php.j2 dest=/usr/share/z-push/config.php
+- name: Copy Z-Push common config.php into place
+  template:
+    src=usr_share_z-push_config.php.j2
+    dest=/usr/share/z-push/config.php
+
+- name: Copy Z-Push combined backend config.php into place
+  template:
+    src=usr_share_z-push_backend_combined_config.php.j2
+    dest=/usr/share/z-push/backend/combined/config.php
+
+- name: Copy Z-Push IMAP backend config.php into place
+  template:
+    src=usr_share_z-push_backend_imap_config.php.j2
+    dest=/usr/share/z-push/backend/imap/config.php
+
+- name: Copy Z-Push CardDAV backend config.php into place
+  template:
+    src=usr_share_z-push_backend_carddav_config.php.j2
+    dest=/usr/share/z-push/backend/carddav/config.php
 
-- name: Create z-push apache alias and php configuration file
-  copy: src=etc_apache2_conf.d_z-push.conf dest=/etc/apache2/conf-available/z-push.conf
+- name: Copy Z-Push CalDAV backend config.php into place
+  template:
+    src=usr_share_z-push_backend_caldav_config.php.j2
+    dest=/usr/share/z-push/backend/caldav/config.php
+
+- name: Copy Z-Push autodiscover config.php into place
+  template:
+    src=usr_share_z-push_autodiscover_config.php.j2
+    dest=/usr/share/z-push/autodiscover/config.php
+
+- name: Add Z-Push autodiscover to Apache config
+  lineinfile:
+    path: /etc/apache2/conf-available/z-push.conf
+    line: '    AliasMatch (?i)/Autodiscover/Autodiscover.xml$ "/usr/share/z-push/autodiscover/autodiscover.php"'
+    insertafter: 'Microsoft-Server-ActiveSync'
+  notify: restart apache
 
 - name: Enable z-push Apache alias and PHP configuration file
   command: a2enconf z-push creates=/etc/apache2/conf-enabled/z-push.conf
   notify: restart apache
 
 - name: Configure z-push logrotate
-  copy: src=etc_logrotate_z-push dest=/etc/logrotate.d/z-push owner=root group=root mode=0644
+  copy:
+    src=etc_logrotate_z-push
+    dest=/etc/logrotate.d/z-push
+    owner=root
+    group=root
+    mode=0644

roles/mailserver/templates/usr_share_z-push_autodiscover_config.php.j2

@@ -0,0 +1,110 @@
+<?php
+/***********************************************
+* File      :   config.php
+* Project   :   Z-Push
+* Descr     :   Autodiscover configuration file
+*
+* Created   :   30.07.2014
+*
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ *  Default settings
+ */
+
+    // Replace zpush.example.com with your z-push's host name and uncomment the line below.
+    define('ZPUSH_HOST', '{{ domain }}');
+
+    // Defines the default time zone, change e.g. to "Europe/London" if necessary
+    define('TIMEZONE', '{{ zpush_timezone }}');
+
+    // Defines the base path on the server
+    define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+    /*
+     * Whether to use the complete email address as a login name
+     * (e.g. user@company.com) or the username only (user).
+     * Possible values:
+     * false - use the username only (default).
+     * true - use the complete email address.
+     */
+    define('USE_FULLEMAIL_FOR_LOGIN', true);
+
+    /*
+     * AutoDiscover requires the username to match either the email address
+     * or the local part of the email address.
+     * This is not always possible as the username might have a different
+     * schema than email address. Configure this parameter to match your
+     * username settings.
+     * @see https://wiki.z-hub.io/display/ZP/Configuring+Z-Push+Autodiscover#ConfiguringZ-PushAutodiscover-Configuration
+     * @see https://jira.z-hub.io/browse/ZP-1209
+     *
+     * Possible values:
+     * AUTODISCOVER_LOGIN_EMAIL             - uses the email address as provided when setting up the account
+     * AUTODISCOVER_LOGIN_NO_DOT            - removes the '.' from email address:
+     *                                          email: first.last@domain.com -> resulting username: firstlast
+     * AUTODISCOVER_LOGIN_F_NO_DOT_LAST     - cuts the first part before '.' after the first letter and
+     *                                          removes the '.' from email address:
+     *                                          email: first.last@domain.com -> resulting username: flast
+     * AUTODISCOVER_LOGIN_F_DOT_LAST        - cuts the part before '.' after the first letter and
+     *                                          leaves the part after '.' as is:
+     *                                          email: first.last@domain.com -> resulting username: f.last
+     */
+    define('AUTODISCOVER_LOGIN_TYPE', AUTODISCOVER_LOGIN_EMAIL);
+
+/**********************************************************************************
+ *  Logging settings
+ *  Possible LOGLEVEL and LOGUSERLEVEL values are:
+ *  LOGLEVEL_OFF            - no logging
+ *  LOGLEVEL_FATAL          - log only critical errors
+ *  LOGLEVEL_ERROR          - logs events which might require corrective actions
+ *  LOGLEVEL_WARN           - might lead to an error or require corrective actions in the future
+ *  LOGLEVEL_INFO           - usually completed actions
+ *  LOGLEVEL_DEBUG          - debugging information, typically only meaningful to developers
+ *  LOGLEVEL_WBXML          - also prints the WBXML sent to/from the device
+ *  LOGLEVEL_DEVICEID       - also prints the device id for every log entry
+ *  LOGLEVEL_WBXMLSTACK     - also prints the contents of WBXML stack
+ *
+ *  The verbosity increases from top to bottom. More verbose levels include less verbose
+ *  ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ *  LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ */
+
+    define('LOGBACKEND', 'filelog');
+
+    define('LOGFILEDIR', '/var/log/z-push/');
+    define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
+    define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
+    define('LOGLEVEL', LOGLEVEL_INFO);
+    define('LOGUSERLEVEL', LOGLEVEL);
+    $specialLogUsers = array();
+
+    // Syslog settings
+    // false will log to local syslog, otherwise put the remote syslog IP here
+    define('LOG_SYSLOG_HOST', false);
+    // Syslog port
+    define('LOG_SYSLOG_PORT', 514);
+    // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+    define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover');
+    // Syslog facility - use LOG_USER when running on Windows
+    define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+/**********************************************************************************
+ *  Backend settings
+ */
+    // the backend data provider
+    define('BACKEND_PROVIDER', 'BackendCombined');

roles/mailserver/templates/usr_share_z-push_backend_caldav_config.php.j2

@@ -0,0 +1,56 @@
+<?php
+/***********************************************
+* File      :   config.php
+* Project   :   Z-Push
+* Descr     :   CalDAV backend configuration file
+*
+* Created   :   27.11.2012
+*
+* Copyright 2012 - 2014 Jean-Louis Dupond
+*
+* Jean-Louis Dupond released this code as AGPLv3 here: https://github.com/dupondje/PHP-Push-2/issues/93
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+// ************************
+//  BackendCalDAV settings
+// ************************
+
+// Server protocol: http or https
+define('CALDAV_PROTOCOL', 'https');
+
+// Server name
+define('CALDAV_SERVER', 'cloud.{{ domain }}');
+
+// Server port
+define('CALDAV_PORT', '443');
+
+// Path
+define('CALDAV_PATH', '/remote.php/dav/calendars/%u/');
+
+// Default CalDAV folder (calendar folder/principal). This will be marked as the default calendar in the mobile
+define('CALDAV_PERSONAL', 'personal');
+
+// If the CalDAV server supports the sync-collection operation
+// DAViCal, SOGo and SabreDav support it
+// SabreDav version must be at least 1.9.0, otherwise set this to false
+// Setting this to false will work with most servers, but it will be slower
+define('CALDAV_SUPPORTS_SYNC', true);
+
+
+// Maximum period to sync.
+// Some servers don't support more than 10 years so you will need to change this
+define('CALDAV_MAX_SYNC_PERIOD', 2147483647);

roles/mailserver/templates/usr_share_z-push_backend_carddav_config.php.j2

@@ -0,0 +1,91 @@
+<?php
+/***********************************************
+* File      :   config.php
+* Project   :   Z-Push
+* Descr     :   CardDAV backend configuration file
+*
+* Created   :   16.03.2013
+*
+* Copyright 2013 - 2016 Francisco Miguel Biete
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+// ************************
+//  BackendCardDAV settings
+// ************************
+
+// Server protocol: http or https
+define('CARDDAV_PROTOCOL', 'https');
+
+// Server name
+define('CARDDAV_SERVER', 'cloud.{{ domain }}');
+
+// Server port
+define('CARDDAV_PORT', '443');
+
+// Server path to the addressbook, or the principal with the addressbooks
+//  If your user has more than 1 addressbook point it to the principal.
+//  Example: user test@domain.com will have 2 addressbooks
+//      http://localhost/caldav.php/test@domain.com/addresses/personal
+//      http://localhost/caldav.php/test@domain.com/addresses/work
+//      You set the CARDDAV_PATH to '/caldav.php/%u/addresses/' and personal and work will be autodiscovered
+// %u: replaced with the username
+// %d: replaced with the domain
+//   Add the trailing /
+define('CARDDAV_PATH', '/remote.php/dav/addressbooks/users/%u/contacts/');
+
+
+// Server path to the default addressbook
+//  Mobile device will create new contacts here. It must be under CARDDAV_PATH
+// %u: replaced with the username
+// %d: replaced with the domain
+//   Add the trailing /
+define('CARDDAV_DEFAULT_PATH', '/remote.php/dav/addressbooks/users/%u/contacts/');
+
+// Server path to the GAL addressbook. This addressbook is readonly and searchable by the user, but it will NOT be synced.
+// If you don't want GAL, comment it
+// %u: replaced with the username
+// %d: replaced with the domain
+//  Add the trailing /
+//define('CARDDAV_GAL_PATH', '/caldav.php/%d/GAL/');
+
+// Minimal length for the search pattern to do the real search.
+define('CARDDAV_GAL_MIN_LENGTH', 5);
+
+// Addressbook display name, the name showed in the mobile device
+// %u: replaced with the username
+// %d: replaced with the domain
+define('CARDDAV_CONTACTS_FOLDER_NAME', '%u Addressbook');
+
+
+// If the CardDAV server supports the sync-collection operation
+// DAViCal and SabreDav support it, but Owncloud, SOGo don't
+// SabreDav version must be at least 1.9.0, otherwise set this to false
+// Setting this to false will work with most servers, but it will be slower: 1 petition for the href of vcards, and 1 petition for each vcard
+define('CARDDAV_SUPPORTS_SYNC', true);
+
+
+// If the CardDAV server supports the FN attribute for searches
+// DAViCal supports it, but SabreDav, Owncloud and SOGo don't
+// Setting this to true will search by FN. If false will search by sn, givenName and email
+// It's safe to leave it as false
+define('CARDDAV_SUPPORTS_FN_SEARCH', false);
+
+
+// If your carddav server needs to use file extension to recover a vcard.
+//    Davical needs it
+//    SOGo official demo online needs it, but some SOGo installation don't need it, so test it
+define('CARDDAV_URL_VCARD_EXTENSION', '.vcf');

roles/mailserver/templates/usr_share_z-push_backend_combined_config.php.j2

@@ -0,0 +1,84 @@
+<?php
+/***********************************************
+* File      :   backend/combined/config.php
+* Project   :   Z-Push
+* Descr     :   configuration file for the
+*               combined backend.
+*
+* Created   :   29.11.2010
+*
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+class BackendCombinedConfig {
+
+    // *************************
+    //  BackendCombined settings
+    // *************************
+    /**
+     * Returns the configuration of the combined backend
+     *
+     * @access public
+     * @return array
+     *
+     */
+    public static function GetBackendCombinedConfig() {
+        //use a function for it because php does not allow
+        //assigning variables to the class members (expecting T_STRING)
+        return array(
+            //the order in which the backends are loaded.
+            //login only succeeds if all backend return true on login
+            //sending mail: the mail is sent with first backend that is able to send the mail
+            'backends' => array(
+                'i' => array(
+                    'name' => 'BackendIMAP',
+                ),
+                'd' => array(
+                    'name' => 'BackendCardDAV',
+                ),
+                'c' => array(
+                    'name' => 'BackendCalDAV',
+                ),
+            ),
+            'delimiter' => '/',
+            //force one type of folder to one backend
+            //it must match one of the above defined backends
+            'folderbackend' => array(
+                SYNC_FOLDER_TYPE_INBOX => 'i',
+                SYNC_FOLDER_TYPE_DRAFTS => 'i',
+                SYNC_FOLDER_TYPE_WASTEBASKET => 'i',
+                SYNC_FOLDER_TYPE_SENTMAIL => 'i',
+                SYNC_FOLDER_TYPE_OUTBOX => 'i',
+                SYNC_FOLDER_TYPE_TASK => 'c',
+                SYNC_FOLDER_TYPE_APPOINTMENT => 'c',
+                SYNC_FOLDER_TYPE_CONTACT => 'd',
+                SYNC_FOLDER_TYPE_NOTE => 'c',
+                SYNC_FOLDER_TYPE_JOURNAL => 'c',
+                SYNC_FOLDER_TYPE_OTHER => 'i',
+                SYNC_FOLDER_TYPE_USER_MAIL => 'i',
+                SYNC_FOLDER_TYPE_USER_APPOINTMENT => 'c',
+                SYNC_FOLDER_TYPE_USER_CONTACT => 'd',
+                SYNC_FOLDER_TYPE_USER_TASK => 'c',
+                SYNC_FOLDER_TYPE_USER_JOURNAL => 'c',
+                SYNC_FOLDER_TYPE_USER_NOTE => 'c',
+                SYNC_FOLDER_TYPE_UNKNOWN => 'i',
+            ),
+            //creating a new folder in the root folder should create a folder in one backend
+            'rootcreatefolderbackend' => 'i',
+        );
+    }
+}

roles/mailserver/templates/usr_share_z-push_backend_imap_config.php.j2

@@ -0,0 +1,217 @@
+<?php
+/***********************************************
+* File      :   config.php
+* Project   :   Z-Push
+* Descr     :   IMAP backend configuration file
+*
+* Created   :   27.11.2012
+*
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+
+// ************************
+//  BackendIMAP settings
+// ************************
+
+// Defines the server to which we want to connect
+define('IMAP_SERVER', 'localhost');
+
+// connecting to custom port (993)
+define('IMAP_PORT', 993);
+
+// best cross-platform compatibility (see http://php.net/imap_open for options)
+define('IMAP_OPTIONS', '/ssl/novalidate-cert');
+
+
+// Mark messages as read when moving to Trash.
+//      BE AWARE that you will lose the unread flag, but some mail clients do this so the Trash folder doesn't get boldened
+define('IMAP_AUTOSEEN_ON_DELETE', false);
+
+
+// IMPORTANT: BASIC IMAP FOLDERS [ask your mail admin]
+        // We can have diferent cases (case insensitive):
+        // 1.
+        //      inbox
+        //      sent
+        //      drafts
+        //      trash
+        // 2.
+        //      inbox
+        //      common.sent
+        //      common.drafts
+        //      common.trash
+        // 3.
+        //      common.inbox
+        //      common.sent
+        //      common.drafts
+        //      common.trash
+        // 4.
+        //      common
+        //      common.sent
+        //      common.drafts
+        //      common.trash
+        //
+        // gmail is a special case, where the default folders are under the [gmail] prefix and the folders defined by the user are under INBOX.
+        // This configuration seems to work:
+        //      define('IMAP_FOLDER_PREFIX', '');
+        //      define('IMAP_FOLDER_PREFIX_IN_INBOX', false);
+        //      define('IMAP_FOLDER_INBOX', 'INBOX');
+        //      define('IMAP_FOLDER_SENT', '[Gmail]/Sent');
+        //      define('IMAP_FOLDER_DRAFT', '[Gmail]/Drafts');
+        //      define('IMAP_FOLDER_TRASH', '[Gmail]/Trash');
+        //      define('IMAP_FOLDER_SPAM', '[Gmail]/Spam');
+        //      define('IMAP_FOLDER_ARCHIVE', '[Gmail]/All Mail');
+
+// Since I know you won't configure this, I will raise an error unless you do.
+// When configured set this to true to remove the error
+define('IMAP_FOLDER_CONFIGURED', true);
+
+// Folder prefix is the common part in your names (3, 4)
+define('IMAP_FOLDER_PREFIX', 'inbox');
+
+// Inbox will have the preffix preppend (3 & 4 to true)
+define('IMAP_FOLDER_PREFIX_IN_INBOX', true);
+
+// Inbox folder name (case doesn't matter) - (empty in 4)
+define('IMAP_FOLDER_INBOX', 'INBOX');
+
+// Sent folder name (case doesn't matter)
+define('IMAP_FOLDER_SENT', 'Sent');
+
+// Draft folder name (case doesn't matter)
+define('IMAP_FOLDER_DRAFT', 'Drafts');
+
+// Trash folder name (case doesn't matter)
+define('IMAP_FOLDER_TRASH', 'Trash');
+
+// Spam folder name (case doesn't matter). Only showed as special by iOS devices
+define('IMAP_FOLDER_SPAM', 'Junk');
+
+// Archive folder name (case doesn't matter). Only showed as special by iOS devices
+define('IMAP_FOLDER_ARCHIVE', 'Archive');
+
+
+
+// forward messages inline (default true - inlined)
+define('IMAP_INLINE_FORWARD', true);
+
+// list of folders we want to exclude from sync. Names, or part of it, separated by |
+// example: dovecot.sieve|archive|spam
+define('IMAP_EXCLUDED_FOLDERS', '');
+
+
+
+// overwrite the "from" header with some value
+// options:
+//        ''              - do nothing, use the From header
+//        'username'      - the username will be set (usefull if your login is equal to your emailaddress)
+//        'domain'        - the value of the "domain" field is used
+//        'sql'           - the username will be the result of a sql query. REMEMBER TO INSTALL PHP-PDO AND PHP-DATABASE
+//        'ldap'          - the username will be the result of a ldap query. REMEMBER TO INSTALL PHP-LDAP!!
+//        '@mydomain.com' - the username is used and the given string will be appended
+define('IMAP_DEFAULTFROM', '');
+
+// DSN: formatted PDO connection string
+//    mysql:host=xxx;port=xxx;dbname=xxx
+// USER: username to DB
+// PASSWORD: password to DB
+// OPTIONS: array with options needed
+// QUERY: query to execute
+// FIELDS: columns in the query
+// FROM: string that will be the from, replacing the column names with the values
+define('IMAP_FROM_SQL_DSN', '');
+define('IMAP_FROM_SQL_USER', '');
+define('IMAP_FROM_SQL_PASSWORD', '');
+define('IMAP_FROM_SQL_OPTIONS', serialize(array(PDO::ATTR_PERSISTENT => true)));
+define('IMAP_FROM_SQL_QUERY', "select first_name, last_name, mail_address from users where mail_address = '#username@#domain'");
+define('IMAP_FROM_SQL_FIELDS', serialize(array('first_name', 'last_name', 'mail_address')));
+define('IMAP_FROM_SQL_EMAIL', '#mail_address');
+define('IMAP_FROM_SQL_FROM', '#first_name #last_name <#mail_address>');
+define('IMAP_FROM_SQL_FULLNAME', '#first_name #last_name');
+
+// SERVER: ldap server
+// SERVER_PORT: ldap port
+// USER: dn to use for connecting
+// PASSWORD: password
+// QUERY: query to execute
+// FIELDS: columns in the query
+// FROM: string that will be the from, replacing the field names with the values
+define('IMAP_FROM_LDAP_SERVER', 'localhost');
+define('IMAP_FROM_LDAP_SERVER_PORT', '389');
+define('IMAP_FROM_LDAP_USER', 'cn=zpush,ou=servers,dc=zpush,dc=org');
+define('IMAP_FROM_LDAP_PASSWORD', 'password');
+define('IMAP_FROM_LDAP_BASE', 'dc=zpush,dc=org');
+define('IMAP_FROM_LDAP_QUERY', '(mail=#username@#domain)');
+define('IMAP_FROM_LDAP_FIELDS', serialize(array('givenname', 'sn', 'mail')));
+define('IMAP_FROM_LDAP_EMAIL', '#mail');
+define('IMAP_FROM_LDAP_FROM', '#givenname #sn <#mail>');
+define('IMAP_FROM_LDAP_FULLNAME', '#givenname #sn');
+
+
+
+// Method used for sending mail
+// mail => mail() php function
+// sendmail => sendmail executable
+// smtp => direct connection against SMTP
+define('IMAP_SMTP_METHOD', 'mail');
+
+global $imap_smtp_params;
+// SMTP Parameters
+//      mail : no params
+$imap_smtp_params = array();
+//      sendmail
+//$imap_smtp_params = array('sendmail_path' => '/usr/bin/sendmail', 'sendmail_args' => '-i');
+//      smtp
+//          "host"              - The server to connect. Default is localhost.
+//          "port"              - The port to connect. Default is 25.
+//          "auth"              - Whether or not to use SMTP authentication. Default is FALSE.
+//          "username"          - The username to use for SMTP authentication. "imap_username" for using the same username as the imap server
+//          "password"          - The password to use for SMTP authentication. "imap_password" for using the same password as the imap server
+//          "localhost"         - The value to give when sending EHLO or HELO. Default is localhost
+//          "timeout"           - The SMTP connection timeout. Default is NULL (no timeout).
+//          "verp"              - Whether to use VERP or not. Default is FALSE.
+//          "debug"             - Whether to enable SMTP debug mode or not. Default is FALSE.
+//          "persist"           - Indicates whether or not the SMTP connection should persist over multiple calls to the send() method.
+//          "pipelining"        - Indicates whether or not the SMTP commands pipelining should be used.
+//          "verify_peer"       - Require verification of SSL certificate used. Default is TRUE.
+//          "verify_peer_name"  - Require verification of peer name. Default is TRUE.
+//          "allow_self_signed" - Allow self-signed certificates. Requires verify_peer. Default is FALSE.
+//$imap_smtp_params = array('host' => 'localhost', 'port' => 25, 'auth' => false);
+// If you want to use SSL with port 25 or port 465 you must preppend "ssl://" before the hostname or IP of your SMTP server
+// IMPORTANT: To use SSL you must use PHP 5.1 or later, install openssl libs and use ssl:// within the host variable
+// IMPORTANT: To use SSL with PHP 5.6 you should set verify_peer, verify_peer_name and allow_self_signed
+//$imap_smtp_params = array('host' => 'ssl://localhost', 'port' => 465, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
+
+
+
+// If you are using IMAP_SMTP_METHOD = mail or sendmail and your sent messages are not correctly displayed you can change this to "\n".
+//   BUT, it doesn't comply with RFC 2822 and will break if using smtp method
+define('MAIL_MIMEPART_CRLF', "\r\n");
+
+
+// A file containing file mime types->extension mappings.
+//  SELINUX users: make sure the file has a security context accesible by your apache/php-fpm process
+define('SYSTEM_MIME_TYPES_MAPPING', '/etc/mime.types');
+
+
+// Use BackendCalDAV for Meetings. You cannot hope to get that functionality working without a caldav backend.
+define('IMAP_MEETING_USE_CALDAV', false);
+
+// If your IMAP server allows authenticating via GSSAPI, php-imap will not fall back properly to other authentication
+// methods and you will be unable to log in. Uncomment the following line to disable that authentication method.
+// Multiple methods can be specified as a comma-separated string.
+// define('IMAP_DISABLE_AUTHENTICATOR', 'GSSAPI');

roles/mailserver/templates/usr_share_z-push_config.php.j2

@@ -6,29 +6,11 @@
 *
 * Created   :   01.10.2007
 *
-* Copyright 2007 - 2013 Zarafa Deutschland GmbH
+* Copyright 2007 - 2016 Zarafa Deutschland GmbH
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
-* as published by the Free Software Foundation with the following additional
-* term according to sec. 7:
-*
-* According to sec. 7 of the GNU Affero General Public License, version 3,
-* the terms of the AGPL are supplemented with the following terms:
-*
-* "Zarafa" is a registered trademark of Zarafa B.V.
-* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
-* The licensing of the Program under the AGPL does not imply a trademark license.
-* Therefore any rights, title and interest in our trademarks remain entirely with us.
-*
-* However, if you propagate an unmodified version of the Program you are
-* allowed to use the term "Z-Push" to indicate that you distribute the Program.
-* Furthermore you may use our trademarks where it is necessary to indicate
-* the intended purpose of a product or service provided you use it in accordance
-* with honest practices in industrial or commercial matters.
-* If you want to propagate modified versions of the Program under the name "Z-Push",
-* you may only do so if you have a written permission by Zarafa Deutschland GmbH
-* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
+* as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -53,21 +35,56 @@
     // Try to set unlimited timeout
     define('SCRIPT_TIMEOUT', 0);
 
-    // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
-    define('USE_X_FORWARDED_FOR_HEADER', false);
+    // Use a custom header to determinate the remote IP of a client.
+    // By default, the server provided REMOTE_ADDR is used. If the header here set
+    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
+    // set to false to disable this behaviour.
+    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
+    define('USE_CUSTOM_REMOTE_IP_HEADER', false);
 
     // When using client certificates, we can check if the login sent matches the owner of the certificate.
     // This setting specifies the owner parameter in the certificate to look at.
     define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
 
+    /*
+     * Whether to use the complete email address as a login name
+     * (e.g. user@company.com) or the username only (user).
+     * This is required for Z-Push to work properly after autodiscover.
+     * Possible values:
+     *   false - use the username only.
+     *   true  - string the mobile sends as username, e.g. full email address (default).
+     */
+    define('USE_FULLEMAIL_FOR_LOGIN', true);
+
 /**********************************************************************************
- *  Default FileStateMachine settings
+ * StateMachine setting
+ *
+ * These StateMachines can be used:
+ *   FILE  - FileStateMachine (default). Needs STATE_DIR set as well.
+ *   SQL   - SqlStateMachine has own configuration file. STATE_DIR is ignored.
+ *           State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
  */
+    define('STATE_MACHINE', 'FILE');
     define('STATE_DIR', '/data/zpush-state/');
 
+/**********************************************************************************
+ *  IPC - InterProcessCommunication
+ *
+ *  Is either provided by using shared memory on a single host or
+ *  using the memcache provider for multi-host environments.
+ *  When another implementation should be used, the class can be set here explicitly.
+ *  If empty Z-Push will try to use available providers.
+ */
+    define('IPC_PROVIDER', '');
 
 /**********************************************************************************
  *  Logging settings
+ *
+ *  The LOGBACKEND specifies where the logs are sent to.
+ *  Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
+ *  filelog and syslog have several options that can be set below.
+ *  For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
+
  *  Possible LOGLEVEL and LOGUSERLEVEL values are:
  *  LOGLEVEL_OFF            - no logging
  *  LOGLEVEL_FATAL          - log only critical errors
@@ -82,14 +99,13 @@
  *  The verbosity increases from top to bottom. More verbose levels include less verbose
  *  ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
  *  LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ *
+ *  LOGAUTHFAIL is logged to the LOGBACKEND.
  */
-    define('LOGFILEDIR', '/var/log/z-push/');
-    define('LOGFILE', LOGFILEDIR . 'z-push.log');
-    define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+    define('LOGBACKEND', 'filelog');
     define('LOGLEVEL', LOGLEVEL_INFO);
     define('LOGAUTHFAIL', false);
 
-
     // To save e.g. WBXML data only for selected users, add the usernames to the array
     // The data will be saved into a dedicated file per user in the LOGFILEDIR
     // Users have to be encapusulated in quotes, several users are comma separated, like:
@@ -97,6 +113,21 @@
     define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
     $specialLogUsers = array();
 
+    // Filelog settings
+    define('LOGFILEDIR', '/var/log/z-push/');
+    define('LOGFILE', LOGFILEDIR . 'z-push.log');
+    define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+
+    // Syslog settings
+    // false will log to local syslog, otherwise put the remote syslog IP here
+    define('LOG_SYSLOG_HOST', false);
+    // Syslog port
+    define('LOG_SYSLOG_PORT', 514);
+    // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+    define('LOG_SYSLOG_PROGRAM', 'z-push');
+    // Syslog facility - use LOG_USER when running on Windows
+    define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+
     // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
     // Uncomment and modify the following line if the validation of the certificates fails.
     // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
@@ -113,6 +144,10 @@
     // true - allow older devices, but enforce policies on devices which support it
     define('LOOSE_PROVISIONING', false);
 
+    // The file containing the policies' settings.
+    // Set a full path or relative to the z-push main directory
+    define('PROVISIONING_POLICYFILE', 'policies.ini');
+
     // Default conflict preference
     // Some devices allow to set if the server or PIM (mobile)
     // should win in case of a synchronization conflict
@@ -135,11 +170,6 @@
     // a higher value if you have a high load on the server.
     define('PING_INTERVAL', 30);
 
-    // Interval in seconds to force a re-check of potentially missed notifications when
-    // using a changes sink. Default are 300 seconds (every 5 min).
-    // This can also be disabled by setting it to false
-    define('SINK_FORCERECHECK', 300);
-
     // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
     // It will only affect new/modified contacts on the mobile which then are synced to the server.
     // Possible values are:
@@ -158,12 +188,14 @@
     // SYNC_FILEAS_LASTFIRST will be used
     define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
 
-    // Amount of items to be synchronized per request
+    // Maximum amount of items to be synchronized per request.
     // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
     // Exporting too much items can cause mobile timeout on busy systems.
-    // Z-Push will use the lowest value, either set here or by the mobile.
-    // default: 100 - value used if mobile does not limit amount of items
-    define('SYNC_MAX_ITEMS', 100);
+    // Z-Push will use the lowest provided value, either set here or by the mobile.
+    // MS Outlook 2013+ request up to 512 items to accelerate the sync process.
+    // If you detect high load (also on subsystems) you could try a lower setting.
+    // max: 512 - value used if mobile does not limit amount of items
+    define('SYNC_MAX_ITEMS', 512);
 
     // The devices usually send a list of supported properties for calendar and contact
     // items. If a device does not includes such a supported property in Sync request,
@@ -172,7 +204,7 @@
     // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
     // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
     // supported properties.
-    // See also https://jira.zarafa.com/browse/ZP-302.
+    // See also https://jira.z-hub.io/browse/ZP-302.
     // Possible values:
     // false - do not unset properties which are not sent during Sync (default)
     // true  - unset properties which are not sent during Sync
@@ -182,58 +214,63 @@
     // in the semantic sanity checks and contacts with larger photos are not synchronized.
     // This limitation is not being followed by the ActiveSync clients which set much bigger
     // contact photos. You can override the default value of the max photo size.
-    // default: 49152 - 48 KB default max photo size in bytes
-    define('SYNC_CONTACTS_MAXPICTURESIZE', 49152);
+    // default: 5242880 - 5 MB default max photo size in bytes
+    define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
+
+    // Over the WebserviceUsers command it is possible to retrieve a list of all
+    // known devices and users on this Z-Push system. The authenticated user needs to have
+    // admin rights and a public folder must exist.
+    // In multicompany environments this enable an admin user of any company to retrieve
+    // this full list, so this feature is disabled by default. Enable with care.
+    define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
+
+    // Users with many folders can use the 'partial foldersync' feature, where the server
+    // actively stops processing the folder list if it takes too long. Other requests are
+    // then redirected to the FolderSync to synchronize the remaining items.
+    // Device compatibility for this procedure is not fully understood.
+    // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
+    define('USE_PARTIAL_FOLDERSYNC', false);
+
+    // The minimum accepted time in second that a ping command should last.
+    // It is strongly advised to keep this config to false. Some device
+    // might not be able to send a higher value than the one specificied here and thus
+    // unable to start a push connection.
+    // If set to false, there will be no lower bound to the ping lifetime.
+    // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+    define('PING_LOWER_BOUND_LIFETIME', false);
+
+    // The maximum accepted time in second that a ping command should last.
+    // If set to false, there will be no higher bound to the ping lifetime.
+    // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+    define('PING_HIGHER_BOUND_LIFETIME', false);
+
+    // Maximum response time
+    // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
+    // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
+    // the answer will not be recieved and the device will send a new one overloading the server.
+    // There are three categories
+    //   - Short timeout  - server has up within 30 seconds - is automatically applied for not categorized types
+    //   - Medium timeout - server has up to 90 seconds to respond
+    //   - Long timeout   - server has up to 4 minutes to respond
+    // If a timeout is almost reached the server will break and sent the results it has until this
+    // point. You can add DeviceType strings to the categories.
+    // In general longer timeouts are better, because more data can be streamed at once.
+    define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
+    define('SYNC_TIMEOUT_LONG_DEVICETYPES',   "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
+
+    // Time in seconds the device should wait whenever the service is unavailable,
+    // e.g. when a backend service is unavailable.
+    // Z-Push sends a "Retry-After" header in the response with the here defined value.
+    // It is up to the device to respect or not this directive so even if this option is set,
+    // the device might not wait requested time frame.
+    // Number of seconds before retry, to disable set to: false
+    define('RETRY_AFTER_DELAY', 300);
 
 /**********************************************************************************
  *  Backend settings
  */
     // the backend data provider
-    define('BACKEND_PROVIDER', 'BackendIMAP');
-
-
-    // ************************
-    //  BackendZarafa settings
-    // ************************
-    // Defines the server to which we want to connect
-    define('MAPI_SERVER', 'file:///var/run/zarafa');
-
-
-    // ************************
-    //  BackendIMAP settings
-    // ************************
-    // Defines the server to which we want to connect
-    define('IMAP_SERVER', 'localhost');
-    // connecting to default port (143)
-    define('IMAP_PORT', 993);
-    // best cross-platform compatibility (see http://php.net/imap_open for options)
-    define('IMAP_OPTIONS', '/ssl/novalidate-cert');
-    // overwrite the "from" header if it isn't set when sending emails
-    // options: 'username'    - the username will be set (usefull if your login is equal to your emailaddress)
-    //        'domain'    - the value of the "domain" field is used
-    //        '@mydomain.com' - the username is used and the given string will be appended
-    define('IMAP_DEFAULTFROM', '');
-    // copy outgoing mail to this folder. If not set d-push will try the default folders
-    define('IMAP_SENTFOLDER', 'Sent');
-    // forward messages inline (default false - as attachment)
-    define('IMAP_INLINE_FORWARD', false);
-    // don't use imap_mail() to send emails.
-    // true (default, uses imap_mail, which is broken - false uses mail(),
-    // which handles cc and from in a more sane way)
-    define('IMAP_USE_IMAPMAIL', false);
-
-
-    // ************************
-    //  BackendMaildir settings
-    // ************************
-    define('MAILDIR_BASE', '/tmp');
-    define('MAILDIR_SUBDIR', 'Maildir');
-
-    // **********************
-    //  BackendVCardDir settings
-    // **********************
-    define('VCARDDIR_DIR', '/home/%u/.kde/share/apps/kabc/stdvcf');
-
+    define('BACKEND_PROVIDER', 'BackendCombined');
 
 /**********************************************************************************
  *  Search provider settings
@@ -251,6 +288,45 @@
     // might result in timeout. Default is 10.
     define('SEARCH_MAXRESULTS', 10);
 
+/**********************************************************************************
+ *  Kopano Outlook Extension - Settings
+ *
+ *  The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
+ *  functionality not provided by ActiveSync or not implemented by Outlook.
+ *  For more information, see: https://wiki.z-hub.io/x/z4Aa
+ */
+    // Global Address Book functionality
+    define('KOE_CAPABILITY_GAB', true);
+    // Synchronize mail flags from the server to Outlook/KOE
+    define('KOE_CAPABILITY_RECEIVEFLAGS', true);
+    // Encode flags when sending from Outlook/KOE
+    define('KOE_CAPABILITY_SENDFLAGS', true);
+    // Out-of-office support
+    define('KOE_CAPABILITY_OOF', true);
+    // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
+    define('KOE_CAPABILITY_OOFTIMES', true);
+    // Notes support
+    define('KOE_CAPABILITY_NOTES', true);
+    // Shared folder support
+    define('KOE_CAPABILITY_SHAREDFOLDER', true);
+    // Send-As support for Outlook/KOE and mobiles
+    define('KOE_CAPABILITY_SENDAS', true);
+    // Secondary Contact folders (own and shared)
+    define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
+    // Copy WebApp signature into KOE
+    define('KOE_CAPABILITY_SIGNATURES', true);
+    // Delivery receipt requests
+    define('KOE_CAPABILITY_RECEIPTS', true);
+    // Impersonate other users
+    define('KOE_CAPABILITY_IMPERSONATE', true);
+
+    // To synchronize the GAB KOE, the GAB store and folderid need to be specified.
+    // Use the gab-sync script to generate this data. The name needs to
+    // match the config of the gab-sync script.
+    // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
+    define('KOE_GAB_STORE', 'SYSTEM');
+    define('KOE_GAB_FOLDERID', '');
+    define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
 
 /**********************************************************************************
  *  Synchronize additional folders to all mobiles
@@ -260,11 +336,11 @@
  *
  *  This feature is supported only by certain devices, like iPhones.
  *  Check the compatibility list for supported devices:
- *      http://z-push.sf.net/compatibility
+ *      http://z-push.org/compatibility
  *
  *  To synchronize a folder, add a section setting all parameters as below:
  *      store:      the ressource where the folder is located.
- *                  Zarafa users use 'SYSTEM' for the 'Public Folder'
+ *                  Kopano users use 'SYSTEM' for the 'Public Folder'
  *      folderid:   folder id of the folder to be synchronized
  *      name:       name to be displayed on the mobile device
  *      type:       supported types are:
@@ -272,13 +348,21 @@
  *                      SYNC_FOLDER_TYPE_USER_APPOINTMENT
  *                      SYNC_FOLDER_TYPE_USER_TASK
  *                      SYNC_FOLDER_TYPE_USER_MAIL
+ *                      SYNC_FOLDER_TYPE_USER_NOTE
+ *      flags:      sets additional options on the shared folder. Supported are:
+ *                      DeviceManager::FLD_FLAGS_NONE
+ *                          No flags configured, default flag to be set
+ *                      DeviceManager::FLD_FLAGS_SENDASOWNER
+ *                          When replying in this folder, automatically do Send-As
+ *                      DeviceManager::FLD_FLAGS_CALENDARREMINDERS
+ *                          If set, Outlook shows reminders for these shares with KOE
  *
  *  Additional notes:
- *  - on Zarafa systems use backend/zarafa/listfolders.php script to get a list
+ *  - on Kopano systems use backend/kopano/listfolders.php script to get a list
  *    of available folders
  *
- *  - all Z-Push users must have full writing permissions (secretary rights) so
- *    the configured folders can be synchronized to the mobile
+ *  - all Z-Push users must have at least reading permissions so the configured
+ *    folders can be synchronized to the mobile. Else they are ignored.
  *
  *  - this feature is only partly suitable for multi-tenancy environments,
  *    as ALL users from ALL tenents need access to the configured store & folder.
@@ -299,8 +383,7 @@
             'folderid'  => "",
             'name'      => "Public Contacts",
             'type'      => SYNC_FOLDER_TYPE_USER_CONTACT,
+            'flags'     => DeviceManager::FLD_FLAGS_NONE,
         ),
 */
     );
-
-?>