Grommunio Mail Server: Difference between revisions

From Alpine Linux
No edit summary
No edit summary
Line 12: Line 12:
== Steps: ==
== Steps: ==


# Install and configure MariaDB
# Install and configure MariaDB
# MariaDB performance tuning (optional)
# MariaDB performance tuning (optional)
Line 22: Line 23:
# Finalize and verify installation
# Finalize and verify installation


---


== 1. Install and Configure MariaDB ==
== 1. Install and Configure MariaDB ==
Line 30: Line 30:


```sh
```sh
apk add mariadb mariadb-client mariadb-server-utils
  apk add mariadb mariadb-client mariadb-server-utils
```
```
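Review bot: The triple-backtick fence lines around `apk add mariadb mariadb-client mariadb-server-utils` are Markdown, which MediaWiki does not interpret, while the headings in this same revision use wiki markup (`== Steps: ==`). Indenting the command by two spaces only makes that single line preformatted and leaves the backtick lines as literal text; wrapping the command in `<syntaxhighlight lang="sh">` or `<pre>` would render the block as intended.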


Line 51: Line 51:
```
```


=== Step 3: Secure MariaDB
=== Step 3: Secure MariaDB ===
Run the built-in security script to set a root password and configure MariaDB security settings.
Run the built-in security script to set a root password and configure MariaDB security settings.



Revision as of 22:32, 30 November 2024

This is a work in progress
(Last edited by Midas on 30 Nov 2024.)


HOWTO: Install AlpineLinux Mail Server with Grommunio

This tutorial outlines the steps for setting up a mail server on Alpine Linux using Grommunio, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.

Prerequisites

Before proceeding with the installation, ensure you have a fresh Alpine Linux system setup. You'll need root privileges to execute these commands.

Steps:

  1. Install and configure MariaDB
  2. MariaDB performance tuning (optional)
  3. Install and configure Nginx
  4. Install and configure PHP
  5. Install and configure Postfix
  6. Install and configure Grommunio
  7. Configure Valkey (Redis replacement)
  8. Install and configure Rspamd
  9. Finalize and verify installation


1. Install and Configure MariaDB

Step 1: Install MariaDB

To start, install MariaDB and necessary client utilities:

```sh
apk add mariadb mariadb-client mariadb-server-utils
```

Step 2: Set up MariaDB Database Variables

Define the variables used in the setup and create a symlink to the MariaDB data directory.

```sh
DB_DATA_PATH="/srv/mysql"
DB_ROOT_PASS="Passw0rd1"
DB_USER="admin"
DB_PASS="Passw0rd2"
```

Setup system tables and configure the symlink for MariaDB:

```sh
sudo mysql_install_db --user=mysql --datadir="${DB_DATA_PATH}"
ln -s /srv/mysql /var/lib/mysql
rc-service mariadb restart
```

Step 3: Secure MariaDB

Run the built-in security script to set a root password and configure MariaDB security settings.

```sh
sudo mysql_secure_installation
```

Step 4: Create MariaDB User for Grommunio

Create a new user for Grommunio and assign privileges:

```sh
# Grant the admin account access from each loopback address
echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql
echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
# Remove anonymous accounts (empty user name)
echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql
echo "FLUSH PRIVILEGES;" >> /tmp/sql
cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}"
```

Step 5: Configure MariaDB for Grommunio

Edit the MariaDB configuration for better performance:

```sh
vi /etc/my.cnf.d/mariadb-server.cnf
```

Add the following configuration:

```ini
[mysqld]
innodb_log_buffer_size=16M
innodb_log_file_size=32M
innodb_read_io_threads=4
innodb_write_io_threads=4
join_buffer_size=512K
query_cache_size=0
query_cache_type=0
query_cache_limit=2M
performance_schema=ON
bind-address = 127.0.0.1
skip-name-resolve=ON
```

Create a default charset configuration for MariaDB:

```sh
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
[client]
default-character-set = utf8mb4

[mysqld]
collation_server = utf8mb4_general_ci
character_set_server = utf8mb4

[mysql]
default-character-set = utf8mb4
EOF
```

Restart MariaDB and enable it to start on boot:

```sh
rc-update add mariadb default
service mariadb restart
```

Step 6: Verify MariaDB Setup

Check if the MariaDB listener is running and bound to the correct address:

```sh
ss -tulpn
```
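One way to make the Step 6 check mechanical, as an added example that is not part of the original tutorial: the function `check_port_loopback_only` (a hypothetical name) reads `ss -tulpn` output and reports any listener on the given port that is bound outside loopback. The sample output is constructed.

```sh
#!/bin/sh
# Added example (not from the tutorial). Reads `ss -tulpn` output on stdin.
# Exit 0: PORT has a listener and every one is on loopback
# Exit 1: a listener on PORT is bound to a non-loopback address (printed)
# Exit 2: nothing listens on PORT
check_port_loopback_only() {
    awk -v port="$1" '
        $1 != "tcp" && $1 != "udp" { next }      # skip the header line
        {
            n = split($5, parts, ":")            # $5 = Local Address:Port
            if (parts[n] != port) next
            seen = 1
            addr = substr($5, 1, length($5) - length(parts[n]) - 1)
            if (addr !~ /^127\./ && addr != "[::1]") {
                print "exposed: " $5
                bad = 1
            }
        }
        END { exit (bad ? 1 : (seen ? 0 : 2)) }'
}

# Constructed sample output; $1 is the address MariaDB is bound to.
sample_ss() {
    cat <<EOF
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      80     $1:3306  0.0.0.0:*  users:(("mariadbd",pid=2143,fd=21))
tcp   LISTEN 0      100    0.0.0.0:25  0.0.0.0:*  users:(("master",pid=2301,fd=13))
EOF
}

sample_ss 127.0.0.1 | check_port_loopback_only 3306 && echo "3306: loopback only"
sample_ss 0.0.0.0   | check_port_loopback_only 3306 || echo "3306: fix bind-address"
```

On the server itself, run `ss -tulpn | check_port_loopback_only 3306` after restarting MariaDB.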

Step 7: Create Grommunio Database

Define the database parameters and create the Grommunio database:

```sh
MYSQL_HOST="localhost"
MYSQL_USER="grommunio"
MYSQL_PASS="Passw0rd3"
MYSQL_DB="grommunio"

echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql
echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql
echo "flush privileges;" >> /tmp/sql
cat /tmp/sql | mysql -u admin --password="${DB_PASS}"
```

Test the database connection:

```sh
mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio
```

---

2. MariaDB Performance Tuning (Optional)

Install and configure MySQLTuner to help with database performance:

```sh
# --no-check-certificate disables TLS certificate verification for this download
wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl
mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl
chmod 755 /usr/local/bin/mysqltuner.pl
# MySQLTuner is a Perl script
apk add perl perl-doc
/usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS}
```

---

3. Install and Configure Nginx

Step 1: Install Nginx

Install the necessary Nginx modules:

```sh
apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli
```

Step 2: Configure Nginx

Back up the original Nginx configuration and edit it for security headers and TLS settings:

```sh
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
vi /etc/nginx/nginx.conf
```

Add the following configuration:

```nginx
error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn;
more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;";
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "Server : Follow the white rabbit.";

ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';

access_log off;
```

Restart Nginx and enable it to start on boot:

```sh
rc-update add nginx
service nginx restart
```

---

4. Install and Configure PHP

Step 1: Install PHP

Install the required PHP packages for Grommunio:

```sh
apk add php83 php83-fpm
```

Step 2: Harden PHP Configuration

Disable insecure PHP settings and adjust PHP limits:

```sh
sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini
```

Step 3: Configure Session Security

Configure PHP session security:

```sh
sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini
sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini
sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini
```
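An added audit for Steps 2 and 3 (not part of the original tutorial): the `sed` commands only rewrite lines that begin with the setting name, so a key that is missing from the file is silently left at its PHP default. The hypothetical `audit_php_ini` function reads the file back and reports every setting that does not have the intended value; the sample php.ini is constructed.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit php.ini against Steps 2 and 3.
# Prints one line per deviating setting; exit status 1 if any deviate.
audit_php_ini() {
    awk -F= '
        function norm(v) {                   # PHP boolean spellings -> "1"/"0"
            v = tolower(v)
            return (v == "on" || v == "1" || v == "true" || v == "yes") ? "1" : "0"
        }
        BEGIN {
            spec = "allow_url_fopen=0 expose_php=0 display_errors=0 log_errors=1"
            spec = spec " session.use_strict_mode=1 session.cookie_secure=1"
            spec = spec " session.cookie_httponly=1"
            n = split(spec, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        /^[ \t]*;/ { next }                  # commented out: PHP ignores the line
        NF >= 2 {
            key = $1; val = $2
            sub(/;.*/, "", val); gsub(/[ \t"]/, "", val); gsub(/[ \t]/, "", key)
            if (key in want) got[key] = norm(val)    # last assignment wins
        }
        END {
            for (k in want) {
                if (!(k in got)) { print k ": not set, PHP default applies"; bad = 1 }
                else if (got[k] != want[k]) { print k ": " got[k] ", expected " want[k]; bad = 1 }
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: Step 2 applied, session settings still at stock values.
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
allow_url_fopen = Off
expose_php = Off
display_errors = Off
log_errors = On
[Session]
session.use_strict_mode = 0
;session.cookie_secure =
session.cookie_httponly =
EOF
}

ini=$(mktemp); write_sample_ini "$ini"
audit_php_ini "$ini" || echo "php.ini deviates from the hardened values"
rm -f "$ini"
```

On the server, run `audit_php_ini /etc/php83/php.ini` after the `sed` commands and before restarting PHP-FPM.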

---

5. Install and Configure Postfix

Step 1: Install Postfix

Install Postfix and related modules:

```sh
apk add postfix postfix-mysql postfix-pcre
```

Step 2: Configure Postfix

Back up and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:

```sh
mv /etc/postfix/main.cf /etc/postfix/main.cf.orig
mv /etc/postfix/master.cf /etc/postfix/master.cf.orig
```

Run Postfix setup:

```sh
newaliases
postmap /etc/postfix/transport
```

Enable Postfix service:

```sh
rc-update add postfix
service postfix restart
```

Step 3: Verify Postfix Logs

Check the Postfix logs for any errors:

```sh
tail -f /var/log/maillog
```

---

6. Install and Configure Grommunio

Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.

---

7. Configure Valkey (Redis Replacement)

Configure Valkey for optimal caching and session handling, replacing Redis if required.

---

8. Install and Configure Rspamd

Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.

---

9. Finalize and Verify Installation

Step 1: Test Server Components

Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:

```sh
ss -tulpn
```

Step 2: Verify Mail Functionality

Test sending and receiving emails using a mail client and verifying server logs for any errors.


5. Install and Configure Grommunio

1. Enable IPv6

Since Grommunio requires IPv6 for its daemons:

1. **Edit `/etc/hosts` to include IPv6 localhost:**

  ```bash
  vi /etc/hosts
  -----
  ::1		localhost ipv6-localhost ipv6-loopback
  -----
  ```

2. **Ensure IPv6 is enabled in `/etc/sysctl.conf`:**

  ```bash
  sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf
  sysctl -p
  ping ::1  # Test if IPv6 is working
  ```

2. Configure Database Parameters

Set up your MySQL database connection details:

```bash
MYSQL_HOST="localhost"
MYSQL_USER="grommunio"
MYSQL_PASS="Passw0rd3"
MYSQL_DB="grommunio"
```

3. Specify Internal FQDN, Mail Domain, and Relayhost

Adjust the following for your specific setup:

```bash
FQDN="mail.example.local"
MAILDOMAIN="example.com"
RELAYHOST="123.123.123.1"
ADMIN_PASS="Passw0rd4"
```

4. Install Dependencies and Grommunio Packages

Install necessary dependencies:

```bash
apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login
apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages
```

Optionally, install deprecated ActiveSync if needed:

```bash
# apk add grommunio-dav grommunio-sync
```

5. Move Mail Storage to Another Disk

Move the largest directory `/var/lib/gromox` to another disk and create a symlink:

```bash
mv /var/lib/gromox /srv/gromox
ln -s /srv/gromox /var/lib/gromox
```

6. Enable Required Services

Enable all necessary Grommunio services:

```bash
rc-update add grommunio-admin-api
rc-update add gromox-delivery
rc-update add gromox-delivery-queue
# Add all the other grommunio services
```

7. Configure Grommunio Files

Modify the configuration files to match your environment:

```bash
sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg
sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg
# Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)
```

8. Configure Postfix

Prepare Postfix for integration with Grommunio:

```bash
cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
```

9. Configure TLS Certificates

Link and configure your SSL certificates:

```bash
ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf
cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem
chmod 640 /etc/ssl/private/*.key_cert.pem
addgroup gromox ssl-cert
```

10. Configure PAM and SASL

Set up authentication services:

```bash
# Configure PAM for SMTP
cat > /etc/pam.d/smtp <<EOF
#%PAM-1.0
auth required pam_gromox.so service=smtp
account required pam_permit.so
EOF

# Configure SASL authentication
cat > /etc/conf.d/saslauthd <<EOF
SASLAUTHD_OPTS="-a pam -r"
EOF
```

11. Initialize the Database and Set Admin Password

Initialize the database:

```bash
gromox-dbop -C
```

Set the Grommunio admin password:

```bash
grommunio-admin passwd --password "${ADMIN_PASS}"
```

12. Configure Firewall Ports

Open the necessary firewall ports:

```bash
# Required ports: 25, 80, 443, etc.
```

---

6. Configure Valkey (Redis Replacement)

1. Enable Syslog:

  ```bash
  vi /etc/valkey/grommunio.conf
  -----
  syslog-enabled yes
  syslog-ident valkey
  syslog-facility local0
  -----
  ```

2. Enable Memory Overcommit:

  ```bash
  vi /etc/sysctl.conf
  -----
  vm.overcommit_memory = 1
  -----
  sysctl -p
  ```

3. Start Valkey and Test:

  ```bash
  rcctl restart valkey@grommunio
  valkey-cli ping  # Expected result: 'PONG'
  ```

---

7. Install and Configure Rspamd

1. Install Rspamd:

```bash
apk add rspamd rspamd-client
```

2. Configure Rspamd:

Modify Rspamd configuration files:

```bash
cat > /etc/rspamd/local.d/options.inc <<EOF
dns {
  enable_dnssec = true;
  timeout = 4s;
  retransmits = 5;
}
EOF

cat > /etc/rspamd/local.d/redis.conf <<EOF
read_servers = "127.0.0.1";
write_servers = "127.0.0.1";
EOF

cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF
milter = yes;
bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd";
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}
count = 4;
EOF
```

3. Add Postfix to Rspamd Group:

```bash
addgroup postfix rspamd
```

4. Configure DKIM Signing:

```bash
cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF
enabled = true;
path = "/var/lib/rspamd/dkim/\$domain-\$selector.key";
selector = "dkim";
sign_authenticated = true;
sign_local = false;
domain {
  example.com { selector = "202406"; }
}
EOF
```

5. Generate DKIM Key Pair:

```bash
mkdir -p /var/lib/rspamd/dkim
rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > /var/lib/rspamd/dkim/example.com-202406.pub
```

6. Start Rspamd:

```bash
rc-update add rspamd
rcctl start rspamd
```

---

8. Finalize and Verify Installation

1. Restart Services:

Restart all services:

```bash
rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \
  gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \
  grommunio-admin-api
```

2. Verify Service Status:

Check the status of all services:

```bash
rcctl status
```

3. Check Logs:

Inspect logs for any errors or issues:

```bash
find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning'
```

4. Web UI Access:

Admin UI: https://mail.example.local:8443

---

End User Configuration:

1. Admin UI:

Log into the Admin UI with the username `admin` and the previously created `ADMIN_PASS`.

2. License Configuration:

If you have a license, you can configure it under Grommunio settings in the Admin UI.