If you assign a user the kolab-admin role, they get permission in kolab-webadmin to edit email addresses. However, kolab-admin does not have access to cn=kolab,cn=config and hence cannot see domain aliases.
Hence, if a user has at least one email address with a domain other than their primary domain, kolab-webadmin will report "Email address x not in local domain" on every attempted edit.
Suggested solution: give the kolab-admin role access by default to cn=kolab,cn=config.