Grommunio Mail Server: Difference between revisions
No edit summary |
No edit summary |
||
Line 29: | Line 29: | ||
To start, install MariaDB and necessary client utilities: | To start, install MariaDB and necessary client utilities: | ||
apk add mariadb mariadb-client mariadb-server-utils | apk add mariadb mariadb-client mariadb-server-utils | ||
=== Step 2: Set up MariaDB Database Variables === | === Step 2: Set up MariaDB Database Variables === | ||
Define the variables used in the setup and create a symlink to the MariaDB data directory. | Define the variables used in the setup and create a symlink to the MariaDB data directory. | ||
DB_DATA_PATH="/srv/mysql" | |||
DB_DATA_PATH="/srv/mysql" | DB_ROOT_PASS="Passw0rd1" | ||
DB_ROOT_PASS="Passw0rd1" | DB_USER="admin" | ||
DB_USER="admin" | DB_PASS="Passw0rd2" | ||
DB_PASS="Passw0rd2" | |||
Setup system tables and configure the symlink for MariaDB: | Setup system tables and configure the symlink for MariaDB: | ||
sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} | |||
sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} | ln -s /srv/mysql /var/lib/mysql | ||
ln -s /srv/mysql /var/lib/mysql | rc-service mariadb restart | ||
rc-service mariadb restart | |||
=== Step 3: Secure MariaDB === | === Step 3: Secure MariaDB === | ||
Run the built-in security script to set a root password and configure MariaDB security settings. | Run the built-in security script to set a root password and configure MariaDB security settings. | ||
sudo mysql_secure_installation | |||
sudo mysql_secure_installation | |||
=== Step 4: Create MariaDB User for Grommunio === | === Step 4: Create MariaDB User for Grommunio === | ||
Create a new user for Grommunio and assign privileges: | Create a new user for Grommunio and assign privileges: | ||
echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql | |||
echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql | echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql | ||
echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql | echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql | ||
echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql | echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql | ||
echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql | echo "FLUSH PRIVILEGES;" >> /tmp/sql | ||
echo "FLUSH PRIVILEGES;" >> /tmp/sql | cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}" | ||
cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}" | |||
=== Step 5: Configure MariaDB for Grommunio === | === Step 5: Configure MariaDB for Grommunio === | ||
Edit the MariaDB configuration for better performance: | Edit the MariaDB configuration for better performance: | ||
vi /etc/my.cnf.d/mariadb-server.cnf | |||
vi /etc/my.cnf.d/mariadb-server.cnf | |||
Add the following configuration: | Add the following configuration: | ||
[mysqld] | |||
[mysqld] | innodb_log_buffer_size=16M | ||
innodb_log_buffer_size=16M | innodb_log_file_size=32M | ||
innodb_log_file_size=32M | innodb_read_io_threads=4 | ||
innodb_read_io_threads=4 | innodb_write_io_threads=4 | ||
innodb_write_io_threads=4 | join_buffer_size=512K | ||
join_buffer_size=512K | query_cache_size=0 | ||
query_cache_size=0 | query_cache_type=0 | ||
query_cache_type=0 | query_cache_limit=2M | ||
query_cache_limit=2M | performance_schema=ON | ||
performance_schema=ON | bind-address = 127.0.0.1 | ||
bind-address = 127.0.0.1 | skip-name-resolve=ON | ||
skip-name-resolve=ON | |||
Create a default charset configuration for MariaDB: | Create a default charset configuration for MariaDB: | ||
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF | |||
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF | [client] | ||
[client] | default-character-set = utf8mb4 | ||
default-character-set = utf8mb4 | |||
[mysqld] | |||
[mysqld] | collation_server = utf8mb4_general_ci | ||
collation_server = utf8mb4_general_ci | character_set_server = utf8mb4 | ||
character_set_server = utf8mb4 | |||
[mysql] | |||
[mysql] | default-character-set = utf8mb4 | ||
default-character-set = utf8mb4 | EOF | ||
EOF | |||
Restart MariaDB and enable it to start on boot: | Restart MariaDB and enable it to start on boot: | ||
rc-update add mariadb default | |||
rc-update add mariadb default | service mariadb restart | ||
service mariadb restart | |||
=== Step 6: Verify MariaDB Setup | === Step 6: Verify MariaDB Setup | ||
Check if the MariaDB listener is running and bound to the correct address: | Check if the MariaDB listener is running and bound to the correct address: | ||
ss -tulpn | |||
ss -tulpn | |||
=== Step 7: Create Grommunio Database === | === Step 7: Create Grommunio Database === | ||
Define the database parameters and create the Grommunio database: | Define the database parameters and create the Grommunio database: | ||
MYSQL_HOST="localhost" | |||
MYSQL_HOST="localhost" | MYSQL_USER="grommunio" | ||
MYSQL_USER="grommunio" | MYSQL_PASS="Passw0rd3" | ||
MYSQL_PASS="Passw0rd3" | MYSQL_DB="grommunio" | ||
MYSQL_DB="grommunio" | |||
echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql | echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql | ||
echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql | echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on | ||
echo "flush privileges;" >> /tmp/sql | $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql | ||
cat /tmp/sql | mysql -u admin --password="${DB_PASS}" | echo "flush privileges;" >> /tmp/sql | ||
cat /tmp/sql | mysql -u admin --password="${DB_PASS}" | |||
Test the database connection: | Test the database connection: | ||
mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio | |||
mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio | |||
== 2. MariaDB Performance Tuning (Optional) == | == 2. MariaDB Performance Tuning (Optional) == | ||
Line 151: | Line 130: | ||
Install and configure MySQLTuner to help with database performance: | Install and configure MySQLTuner to help with database performance: | ||
wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl | |||
wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl | mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl | ||
mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl | chmod 755 /usr/local/bin/mysqltuner.pl | ||
chmod 755 /usr/local/bin/mysqltuner.pl | apk add perl perl-doc | ||
apk add perl perl-doc | /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS} | ||
/usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS} | |||
== 3. Install and Configure Nginx == | == 3. Install and Configure Nginx == | ||
Line 166: | Line 142: | ||
Install the necessary Nginx modules: | Install the necessary Nginx modules: | ||
apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli | |||
apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli | |||
=== Step 2: Configure Nginx === | === Step 2: Configure Nginx === | ||
Backup the original Nginx configuration and edit it for security headers and TLS settings: | Backup the original Nginx configuration and edit it for security headers and TLS settings: | ||
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig | |||
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig | vi /etc/nginx/nginx.conf | ||
vi /etc/nginx/nginx.conf | |||
Add the following configuration: | Add the following configuration: | ||
error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; | |||
error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; | more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; | ||
more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; | more_set_headers "X-Frame-Options : SAMEORIGIN"; | ||
more_set_headers "X-Frame-Options : SAMEORIGIN"; | more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; | ||
more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; | more_set_headers "X-Xss-Protection : 1; mode=block"; | ||
more_set_headers "X-Xss-Protection : 1; mode=block"; | more_set_headers "X-Content-Type-Options : nosniff"; | ||
more_set_headers "X-Content-Type-Options : nosniff"; | more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; | ||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; | more_set_headers "Server : Follow the white rabbit."; | ||
more_set_headers "Server : Follow the white rabbit."; | |||
ssl_protocols TLSv1.2 TLSv1.3; | ssl_protocols TLSv1.2 TLSv1.3; | ||
ssl_session_cache shared:SSL:1m; | ssl_session_cache shared:SSL:1m; | ||
ssl_session_timeout 5m; | ssl_session_timeout 5m; | ||
log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' | log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' | ||
'$status $body_bytes_sent "$http_referer" ' | '$status $body_bytes_sent "$http_referer" ' | ||
'"$http_user_agent" "$http_x_forwarded_for" ' | '"$http_user_agent" "$http_x_forwarded_for" ' | ||
'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"'; | 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"'; | ||
access_log off; | |||
Restart Nginx and enable it to start on boot: | Restart Nginx and enable it to start on boot: | ||
rc-update add nginx | |||
rc-update add nginx | service nginx restart | ||
service nginx restart | |||
== 4. Install and Configure PHP == | == 4. Install and Configure PHP == | ||
Line 216: | Line 186: | ||
Install the required PHP packages for Grommunio: | Install the required PHP packages for Grommunio: | ||
apk add php83 php83-fpm | |||
apk add php83 php83-fpm | |||
=== Step 2: Harden PHP Configuration === | === Step 2: Harden PHP Configuration === | ||
Disable insecure PHP settings and adjust PHP limits: | Disable insecure PHP settings and adjust PHP limits: | ||
sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini | |||
sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini | sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini | ||
sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini | sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini | ||
sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini | sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini | ||
sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini | |||
=== Step 3: Configure Session Security === | === Step 3: Configure Session Security === | ||
Configure PHP session security: | Configure PHP session security: | ||
sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini | |||
sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini | sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini | ||
sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini | sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini | ||
sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini | |||
== 5. Install and Configure Postfix == | == 5. Install and Configure Postfix == | ||
Line 246: | Line 211: | ||
Install Postfix and related modules: | Install Postfix and related modules: | ||
apk add postfix postfix-mysql postfix-pcre | |||
apk add postfix postfix-mysql postfix-pcre | |||
=== Step 2: Configure Postfix === | === Step 2: Configure Postfix === | ||
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`: | Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`: | ||
mv /etc/postfix/main.cf /etc/postfix/main.cf.orig | |||
mv /etc/postfix/main.cf /etc/postfix/main.cf.orig | mv /etc/postfix/master.cf /etc/postfix/master.cf.orig | ||
mv /etc/postfix/master.cf /etc/postfix/master.cf.orig | |||
Run Postfix setup: | Run Postfix setup: | ||
newaliases | |||
newaliases | postmap /etc/postfix/transport | ||
postmap /etc/postfix/transport | |||
Enable Postfix service: | Enable Postfix service: | ||
rc-update add postfix | |||
rc-update add postfix | service postfix restart | ||
service postfix restart | |||
=== Step 3: Verify Postfix Logs === | === Step 3: Verify Postfix Logs === | ||
Check the Postfix logs for any errors: | Check the Postfix logs for any errors: | ||
tail -f /var/log/maillog | tail -f /var/log/maillog | ||
== 6. Install and Configure Grommunio == | == 6. Install and Configure Grommunio == | ||
Line 287: | Line 243: | ||
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation. | Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation. | ||
== 7. Configure Valkey (Redis Replacement) == | == 7. Configure Valkey (Redis Replacement) == | ||
Configure Valkey for optimal caching and session handling, replacing Redis if required. | Configure Valkey for optimal caching and session handling, replacing Redis if required. | ||
== 8. Install and Configure Rspamd == | == 8. Install and Configure Rspamd == | ||
Line 298: | Line 252: | ||
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx. | Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx. | ||
== 9. Finalize and Verify Installation == | == 9. Finalize and Verify Installation == | ||
Line 305: | Line 258: | ||
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly: | Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly: | ||
ss -tulpn | |||
ss -tulpn | |||
=== Step 2: Verify Mail Functionality === | === Step 2: Verify Mail Functionality === | ||
Line 318: | Line 270: | ||
Since Grommunio requires IPv6 for its daemons: | Since Grommunio requires IPv6 for its daemons: | ||
1. | 1. Edit `/etc/hosts` to include IPv6 localhost: | ||
vi /etc/hosts | |||
----- | |||
::1 localhost ipv6-localhost ipv6-loopback | |||
----- | |||
2. Ensure IPv6 is enabled in `/etc/sysctl.conf`: | |||
sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf | |||
sysctl -p | |||
ping ::1 # Test if IPv6 is working | |||
=== 2. Configure Database Parameters === | === 2. Configure Database Parameters === | ||
Set up your MySQL database connection details: | Set up your MySQL database connection details: | ||
MYSQL_HOST="localhost" | MYSQL_HOST="localhost" | ||
MYSQL_USER="grommunio" | MYSQL_USER="grommunio" | ||
MYSQL_PASS="Passw0rd3" | MYSQL_PASS="Passw0rd3" | ||
MYSQL_DB="grommunio" | MYSQL_DB="grommunio" | ||
=== 3. Specify Internal FQDN, Mail Domain, and Relayhost === | === 3. Specify Internal FQDN, Mail Domain, and Relayhost === | ||
Adjust the following for your specific setup: | Adjust the following for your specific setup: | ||
FQDN="mail.example.local" | FQDN="mail.example.local" | ||
MAILDOMAIN="example.com" | MAILDOMAIN="example.com" | ||
RELAYHOST="123.123.123.1" | RELAYHOST="123.123.123.1" | ||
ADMIN_PASS="Passw0rd4" | ADMIN_PASS="Passw0rd4" | ||
=== 4. Install Dependencies and Grommunio Packages === | === 4. Install Dependencies and Grommunio Packages === | ||
Install necessary dependencies: | Install necessary dependencies: | ||
apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login | apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login | ||
apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages | apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages | ||
Optionally, install deprecated ActiveSync if needed: | Optionally, install deprecated ActiveSync if needed: | ||
# apk add grommunio-dav grommunio-sync | # apk add grommunio-dav grommunio-sync | ||
=== 5. Move Mail Storage to Another Disk === | === 5. Move Mail Storage to Another Disk === | ||
Move the largest directory `/var/lib/gromox` to another disk and create a symlink: | Move the largest directory `/var/lib/gromox` to another disk and create a symlink: | ||
mv /var/lib/gromox /srv/gromox | mv /var/lib/gromox /srv/gromox | ||
ln -s /srv/gromox /var/lib/gromox | ln -s /srv/gromox /var/lib/gromox | ||
=== 6. Enable Required Services === | === 6. Enable Required Services === | ||
Enable all necessary Grommunio services: | Enable all necessary Grommunio services: | ||
rc-update add grommunio-admin-api | rc-update add grommunio-admin-api | ||
rc-update add gromox-delivery | rc-update add gromox-delivery | ||
rc-update add gromox-delivery-queue | rc-update add gromox-delivery-queue | ||
# Add all the other grommunio services | # Add all the other grommunio services | ||
=== 7. Configure Grommunio Files === | === 7. Configure Grommunio Files === | ||
Modify the configuration files to match your environment: | Modify the configuration files to match your environment: | ||
sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg | sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg | ||
sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg | sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg | ||
# Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.) | # Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.) | ||
=== 8. Configure Postfix === | === 8. Configure Postfix === | ||
Prepare Postfix for integration with Grommunio: | Prepare Postfix for integration with Grommunio: | ||
cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | ||
sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | ||
echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf | ||
=== 9. Configure TLS Certificates === | === 9. Configure TLS Certificates === | ||
Link and configure your SSL certificates: | Link and configure your SSL certificates: | ||
ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf | ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf | ||
cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem | cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem | ||
chmod 640 /etc/ssl/private/*.key_cert.pem | chmod 640 /etc/ssl/private/*.key_cert.pem | ||
addgroup gromox ssl-cert | addgroup gromox ssl-cert | ||
=== 10. Configure PAM and SASL === | === 10. Configure PAM and SASL === | ||
Set up authentication services: | Set up authentication services: | ||
# Configure PAM for SMTP | # Configure PAM for SMTP | ||
cat > /etc/pam.d/smtp <<EOF | cat > /etc/pam.d/smtp <<EOF | ||
#%PAM-1.0 | #%PAM-1.0 | ||
auth required pam_gromox.so service=smtp | auth required pam_gromox.so service=smtp | ||
account required pam_permit.so | account required pam_permit.so | ||
EOF | EOF | ||
# Configure SASL authentication | |||
cat > /etc/conf.d/saslauthd <<EOF | # Configure SASL authentication | ||
SASLAUTHD_OPTS="-a pam -r" | cat > /etc/conf.d/saslauthd <<EOF | ||
EOF | SASLAUTHD_OPTS="-a pam -r" | ||
EOF | |||
=== 11. Initialize the Database and Set Admin Password === | === 11. Initialize the Database and Set Admin Password === | ||
Initialize the database: | Initialize the database: | ||
gromox-dbop -C | gromox-dbop -C | ||
Set the Grommunio admin password: | Set the Grommunio admin password: | ||
grommunio-admin passwd --password "${ADMIN_PASS}" | grommunio-admin passwd --password "${ADMIN_PASS}" | ||
=== 12. Configure Firewall Ports === | === 12. Configure Firewall Ports === | ||
Open the necessary firewall ports: | Open the necessary firewall ports: | ||
# Required ports: 25, 80, 443, etc. | |||
== 6. Configure Valkey (Redis Replacement) == | == 6. Configure Valkey (Redis Replacement) == | ||
=== 1. Enable Syslog: === | === 1. Enable Syslog: === | ||
vi /etc/valkey/grommunio.conf | |||
----- | |||
syslog-enabled yes | |||
syslog-ident valkey | |||
syslog-facility local0 | |||
----- | |||
=== 2. Enable Memory Overcommit: === | === 2. Enable Memory Overcommit: === | ||
vi /etc/sysctl.conf | |||
----- | |||
vm.overcommit_memory = 1 | |||
----- | |||
sysctl -p | |||
=== 3. Start Valkey and Test: === | === 3. Start Valkey and Test: === | ||
- | rcctl restart valkey@grommunio | ||
valkey-cli ping # Expected result: 'PONG' | |||
== 7. Install and Configure Rspamd == | == 7. Install and Configure Rspamd == | ||
=== 1. Install Rspamd: === | === 1. Install Rspamd: === | ||
apk add rspamd rspamd-client | apk add rspamd rspamd-client | ||
=== 2. Configure Rspamd: === | === 2. Configure Rspamd: === | ||
Modify Rspamd configuration files: | Modify Rspamd configuration files: | ||
cat > /etc/rspamd/local.d/redis.conf <<EOF | cat > /etc/rspamd/local.d/options.inc <<EOF | ||
read_servers = "127.0.0.1"; | dns { | ||
write_servers = "127.0.0.1"; | enable_dnssec = true; | ||
EOF | timeout = 4s; | ||
retransmits = 5; | |||
} | |||
EOF | |||
cat > /etc/rspamd/local.d/redis.conf <<EOF | |||
read_servers = "127.0.0.1"; | |||
write_servers = "127.0.0.1"; | |||
EOF | |||
cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF | |||
milter = yes; | |||
bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd"; | |||
timeout = 120s; | |||
upstream "local" { | |||
default = yes; | |||
self_scan = yes; | |||
} | |||
count = 4; | |||
EOF | |||
=== 3. Add Postfix to Rspamd Group: === | === 3. Add Postfix to Rspamd Group: === | ||
addgroup postfix rspamd | addgroup postfix rspamd | ||
=== 4. Configure DKIM Signing: === | === 4. Configure DKIM Signing: === | ||
cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF | cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF | ||
enabled = true; | enabled = true; | ||
path = "/var/lib/rspamd/dkim/\$domain-\$selector.key"; | path = "/var/lib/rspamd/dkim/\$domain-\$selector.key"; | ||
selector = "dkim"; | selector = "dkim"; | ||
sign_authenticated = true; | sign_authenticated = true; | ||
sign_local = false; | sign_local = false; | ||
domain { | domain { | ||
example.com { selector = "202406"; } | |||
} | } | ||
EOF | EOF | ||
=== 5. Generate DKIM Key Pair: === | === 5. Generate DKIM Key Pair: === | ||
mkdir -p /var/lib/rspamd/dkim | mkdir -p /var/lib/rspamd/dkim | ||
rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > /var/lib/rspamd/dkim/example.com-202406.pub | rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > | ||
/var/lib/rspamd/dkim/example.com-202406.pub | |||
=== 6. Start Rspamd: === | === 6. Start Rspamd: === | ||
- | rc-update add rspamd | ||
rcctl start rspamd | |||
== 8. Finalize and Verify Installation == | == 8. Finalize and Verify Installation == | ||
Line 538: | Line 485: | ||
=== 1. Restart Services: === | === 1. Restart Services: === | ||
Restart all services: | Restart all services: | ||
rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \ | rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \ | ||
gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \ | |||
grommunio-admin-api | |||
=== 2. Verify Service Status: === | === 2. Verify Service Status: === | ||
Check the status of all services: | Check the status of all services: | ||
rcctl status | rcctl status | ||
=== 3. Check Logs: === | === 3. Check Logs: === | ||
Inspect logs for any errors or issues: | Inspect logs for any errors or issues: | ||
find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning' | find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning' | ||
=== 4. Web UI Access: === | === 4. Web UI Access: === | ||
Admin UI: [https://mail.example.local:8443](https://mail.example.local:8443) | Admin UI: [https://mail.example.local:8443](https://mail.example.local:8443) | ||
== End User Configuration: == | == End User Configuration: == |
Revision as of 22:42, 30 November 2024
This material is work-in-progress ... This is a work in progress |
HOWTO: Install AlpineLinux Mail Server with Grommunio
This tutorial outlines the steps for setting up a mail server on Alpine Linux using Grommunio, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.
Prerequisites
Before proceeding with the installation, ensure you have a fresh Alpine Linux system setup. You'll need root privileges to execute these commands.
Steps:
- Install and configure MariaDB
- MariaDB performance tuning (optional)
- Install and configure Nginx
- Install and configure PHP
- Install and configure Postfix
- Install and configure Grommunio
- Configure Valkey (Redis replacement)
- Install and configure Rspamd
- Finalize and verify installation
1. Install and Configure MariaDB
Step 1: Install MariaDB
To start, install MariaDB and necessary client utilities:
apk add mariadb mariadb-client mariadb-server-utils
Step 2: Set up MariaDB Database Variables
Define the variables used in the setup and create a symlink to the MariaDB data directory.
DB_DATA_PATH="/srv/mysql" DB_ROOT_PASS="Passw0rd1" DB_USER="admin" DB_PASS="Passw0rd2"
Setup system tables and configure the symlink for MariaDB:
sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} ln -s /srv/mysql /var/lib/mysql rc-service mariadb restart
Step 3: Secure MariaDB
Run the built-in security script to set a root password and configure MariaDB security settings.
sudo mysql_secure_installation
Step 4: Create MariaDB User for Grommunio
Create a new user for Grommunio and assign privileges:
echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "DELETE FROM mysql.user WHERE User=;" >> /tmp/sql echo "FLUSH PRIVILEGES;" >> /tmp/sql cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}"
Step 5: Configure MariaDB for Grommunio
Edit the MariaDB configuration for better performance:
vi /etc/my.cnf.d/mariadb-server.cnf
Add the following configuration:
[mysqld] innodb_log_buffer_size=16M innodb_log_file_size=32M innodb_read_io_threads=4 innodb_write_io_threads=4 join_buffer_size=512K query_cache_size=0 query_cache_type=0 query_cache_limit=2M performance_schema=ON bind-address = 127.0.0.1 skip-name-resolve=ON
Create a default charset configuration for MariaDB:
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF [client] default-character-set = utf8mb4 [mysqld] collation_server = utf8mb4_general_ci character_set_server = utf8mb4 [mysql] default-character-set = utf8mb4 EOF
Restart MariaDB and enable it to start on boot:
rc-update add mariadb default service mariadb restart
=== Step 6: Verify MariaDB Setup Check if the MariaDB listener is running and bound to the correct address:
ss -tulpn
Step 7: Create Grommunio Database
Define the database parameters and create the Grommunio database:
MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio"
echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql echo "flush privileges;" >> /tmp/sql cat /tmp/sql | mysql -u admin --password="${DB_PASS}"
Test the database connection:
mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio
2. MariaDB Performance Tuning (Optional)
Install and configure MySQLTuner to help with database performance:
wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl chmod 755 /usr/local/bin/mysqltuner.pl apk add perl perl-doc /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS}
3. Install and Configure Nginx
Step 1: Install Nginx
Install the necessary Nginx modules:
apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli
Step 2: Configure Nginx
Backup the original Nginx configuration and edit it for security headers and TLS settings:
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig vi /etc/nginx/nginx.conf
Add the following configuration:
error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "Server : Follow the white rabbit.";
ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;
log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"'; access_log off;
Restart Nginx and enable it to start on boot:
rc-update add nginx service nginx restart
4. Install and Configure PHP
Step 1: Install PHP
Install the required PHP packages for Grommunio:
apk add php83 php83-fpm
Step 2: Harden PHP Configuration
Disable insecure PHP settings and adjust PHP limits:
sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini
Step 3: Configure Session Security
Configure PHP session security:
sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini
5. Install and Configure Postfix
Step 1: Install Postfix
Install Postfix and related modules:
apk add postfix postfix-mysql postfix-pcre
Step 2: Configure Postfix
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:
mv /etc/postfix/main.cf /etc/postfix/main.cf.orig mv /etc/postfix/master.cf /etc/postfix/master.cf.orig
Run Postfix setup:
newaliases postmap /etc/postfix/transport
Enable Postfix service:
rc-update add postfix service postfix restart
Step 3: Verify Postfix Logs
Check the Postfix logs for any errors:
tail -f /var/log/maillog
6. Install and Configure Grommunio
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.
7. Configure Valkey (Redis Replacement)
Configure Valkey for optimal caching and session handling, replacing Redis if required.
8. Install and Configure Rspamd
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.
9. Finalize and Verify Installation
Step 1: Test Server Components
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:
ss -tulpn
Step 2: Verify Mail Functionality
Test sending and receiving emails using a mail client and verifying server logs for any errors.
5. Install and Configure Grommunio
1. Enable IPv6
Since Grommunio requires IPv6 for its daemons:
1. Edit `/etc/hosts` to include IPv6 localhost:
vi /etc/hosts ----- ::1 localhost ipv6-localhost ipv6-loopback -----
2. Ensure IPv6 is enabled in `/etc/sysctl.conf`:
sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf sysctl -p ping ::1 # Test if IPv6 is working
2. Configure Database Parameters
Set up your MySQL database connection details:
MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio"
3. Specify Internal FQDN, Mail Domain, and Relayhost
Adjust the following for your specific setup:
FQDN="mail.example.local" MAILDOMAIN="example.com" RELAYHOST="123.123.123.1" ADMIN_PASS="Passw0rd4"
4. Install Dependencies and Grommunio Packages
Install necessary dependencies:
apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages
Optionally, install deprecated ActiveSync if needed:
# apk add grommunio-dav grommunio-sync
5. Move Mail Storage to Another Disk
Move the largest directory `/var/lib/gromox` to another disk and create a symlink:
mv /var/lib/gromox /srv/gromox ln -s /srv/gromox /var/lib/gromox
6. Enable Required Services
Enable all necessary Grommunio services:
rc-update add grommunio-admin-api rc-update add gromox-delivery rc-update add gromox-delivery-queue # Add all the other grommunio services
7. Configure Grommunio Files
Modify the configuration files to match your environment:
sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg # Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)
8. Configure Postfix
Prepare Postfix for integration with Grommunio:
cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
9. Configure TLS Certificates
Link and configure your SSL certificates:
ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem chmod 640 /etc/ssl/private/*.key_cert.pem addgroup gromox ssl-cert
10. Configure PAM and SASL
Set up authentication services:
# Configure PAM for SMTP cat > /etc/pam.d/smtp <<EOF #%PAM-1.0 auth required pam_gromox.so service=smtp account required pam_permit.so EOF
# Configure SASL authentication cat > /etc/conf.d/saslauthd <<EOF SASLAUTHD_OPTS="-a pam -r" EOF
11. Initialize the Database and Set Admin Password
Initialize the database:
gromox-dbop -C
Set the Grommunio admin password:
grommunio-admin passwd --password "${ADMIN_PASS}"
12. Configure Firewall Ports
Open the necessary firewall ports:
# Required ports: 25, 80, 443, etc.
6. Configure Valkey (Redis Replacement)
1. Enable Syslog:
vi /etc/valkey/grommunio.conf ----- syslog-enabled yes syslog-ident valkey syslog-facility local0 -----
2. Enable Memory Overcommit:
vi /etc/sysctl.conf ----- vm.overcommit_memory = 1 ----- sysctl -p
3. Start Valkey and Test:
rcctl restart valkey@grommunio valkey-cli ping # Expected result: 'PONG'
7. Install and Configure Rspamd
1. Install Rspamd:
apk add rspamd rspamd-client
2. Configure Rspamd:
Modify Rspamd configuration files:
cat > /etc/rspamd/local.d/options.inc <<EOF dns { enable_dnssec = true; timeout = 4s; retransmits = 5; } EOF
cat > /etc/rspamd/local.d/redis.conf <<EOF read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; EOF
cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF milter = yes; bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd"; timeout = 120s; upstream "local" { default = yes; self_scan = yes; } count = 4; EOF
3. Add Postfix to Rspamd Group:
addgroup postfix rspamd
4. Configure DKIM Signing:
cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF enabled = true; path = "/var/lib/rspamd/dkim/\$domain-\$selector.key"; selector = "dkim"; sign_authenticated = true; sign_local = false; domain { example.com { selector = "202406"; } } EOF
5. Generate DKIM Key Pair:
mkdir -p /var/lib/rspamd/dkim rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > /var/lib/rspamd/dkim/example.com-202406.pub
6. Start Rspamd:
rc-update add rspamd rcctl start rspamd
8. Finalize and Verify Installation
1. Restart Services:
Restart all services:
rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \ gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \ grommunio-admin-api
2. Verify Service Status:
Check the status of all services:
rcctl status
3. Check Logs:
Inspect logs for any errors or issues:
find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning'
4. Web UI Access:
Admin UI: [1](https://mail.example.local:8443)
End User Configuration:
1. Admin UI:
Log into the Admin UI with the username `admin` and the previously created `ADMIN_PASS`.
2. License Configuration:
If you have a license, you can configure it under Grommunio settings in the Admin UI.