Grommunio Mail Server: Difference between revisions
No edit summary |
No edit summary |
||
Line 12: | Line 12: | ||
== Steps: == | == Steps: == | ||
# | # Install and configure MariaDB | ||
# | # MariaDB performance tuning (optional) | ||
# | # Install and configure Nginx | ||
# | # Install and configure PHP | ||
# | # Install and configure Postfix | ||
# | # Install and configure Grommunio | ||
# | # Configure Valkey (Redis replacement) | ||
# | # Install and configure Rspamd | ||
# | # Finalize and verify installation | ||
--- | --- |
Revision as of 22:28, 30 November 2024
This material is work-in-progress ... This is a work in progress |
HOWTO: Install AlpineLinux Mail Server with Grommunio
This tutorial outlines the steps for setting up a mail server on Alpine Linux using Grommunio, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.
Prerequisites
Before proceeding with the installation, ensure you have a fresh Alpine Linux system setup. You'll need root privileges to execute these commands.
Steps:
- Install and configure MariaDB
- MariaDB performance tuning (optional)
- Install and configure Nginx
- Install and configure PHP
- Install and configure Postfix
- Install and configure Grommunio
- Configure Valkey (Redis replacement)
- Install and configure Rspamd
- Finalize and verify installation
---
1. Install and Configure MariaDB
Step 1: Install MariaDB
To start, install MariaDB and necessary client utilities:
```sh apk add mariadb mariadb-client mariadb-server-utils ```
Step 2: Set up MariaDB Database Variables
Define the variables used in the setup and create a symlink to the MariaDB data directory.
```sh DB_DATA_PATH="/srv/mysql" DB_ROOT_PASS="Passw0rd1" DB_USER="admin" DB_PASS="Passw0rd2" ```
Setup system tables and configure the symlink for MariaDB:
```sh sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} ln -s /srv/mysql /var/lib/mysql rc-service mariadb restart ```
=== Step 3: Secure MariaDB Run the built-in security script to set a root password and configure MariaDB security settings.
```sh sudo mysql_secure_installation ```
Step 4: Create MariaDB User for Grommunio
Create a new user for Grommunio and assign privileges:
```sh echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "DELETE FROM mysql.user WHERE User=;" >> /tmp/sql echo "FLUSH PRIVILEGES;" >> /tmp/sql cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}" ```
Step 5: Configure MariaDB for Grommunio
Edit the MariaDB configuration for better performance:
```sh vi /etc/my.cnf.d/mariadb-server.cnf ```
Add the following configuration:
```ini [mysqld] innodb_log_buffer_size=16M innodb_log_file_size=32M innodb_read_io_threads=4 innodb_write_io_threads=4 join_buffer_size=512K query_cache_size=0 query_cache_type=0 query_cache_limit=2M performance_schema=ON bind-address = 127.0.0.1 skip-name-resolve=ON ```
Create a default charset configuration for MariaDB:
```sh cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF [client] default-character-set = utf8mb4
[mysqld] collation_server = utf8mb4_general_ci character_set_server = utf8mb4
[mysql] default-character-set = utf8mb4 EOF ```
Restart MariaDB and enable it to start on boot:
```sh rc-update add mariadb default service mariadb restart ```
=== Step 6: Verify MariaDB Setup Check if the MariaDB listener is running and bound to the correct address:
```sh ss -tulpn ```
Step 7: Create Grommunio Database
Define the database parameters and create the Grommunio database:
```sh MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio"
echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql echo "flush privileges;" >> /tmp/sql cat /tmp/sql | mysql -u admin --password="${DB_PASS}" ```
Test the database connection:
```sh mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio ```
---
2. MariaDB Performance Tuning (Optional)
Install and configure MySQLTuner to help with database performance:
```sh wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl chmod 755 /usr/local/bin/mysqltuner.pl apk add perl perl-doc /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS} ```
---
3. Install and Configure Nginx
Step 1: Install Nginx
Install the necessary Nginx modules:
```sh apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli ```
Step 2: Configure Nginx
Backup the original Nginx configuration and edit it for security headers and TLS settings:
```sh cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig vi /etc/nginx/nginx.conf ```
Add the following configuration:
```nginx error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "Server : Follow the white rabbit.";
ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;
log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';
access_log off; ```
Restart Nginx and enable it to start on boot:
```sh rc-update add nginx service nginx restart ```
---
4. Install and Configure PHP
Step 1: Install PHP
Install the required PHP packages for Grommunio:
```sh apk add php83 php83-fpm ```
Step 2: Harden PHP Configuration
Disable insecure PHP settings and adjust PHP limits:
```sh sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini ```
Step 3: Configure Session Security
Configure PHP session security:
```sh sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini ```
---
5. Install and Configure Postfix
Step 1: Install Postfix
Install Postfix and related modules:
```sh apk add postfix postfix-mysql postfix-pcre ```
Step 2: Configure Postfix
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:
```sh mv /etc/postfix/main.cf /etc/postfix/main.cf.orig mv /etc/postfix/master.cf /etc/postfix/master.cf.orig ```
Run Postfix setup:
```sh newaliases postmap /etc/postfix/transport ```
Enable Postfix service:
```sh rc-update add postfix service postfix restart ```
Step 3: Verify Postfix Logs
Check the Postfix logs for any errors:
```sh tail -f /var/log/maillog ```
---
6. Install and Configure Grommunio
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.
---
7. Configure Valkey (Redis Replacement)
Configure Valkey for optimal caching and session handling, replacing Redis if required.
---
8. Install and Configure Rspamd
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.
---
9. Finalize and Verify Installation
Step 1: Test Server Components
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:
```sh ss -tulpn ```
Step 2: Verify Mail Functionality
Test sending and receiving emails using a mail client and verifying server logs for any errors.
5. Install and Configure Grommunio
1. Enable IPv6
Since Grommunio requires IPv6 for its daemons:
1. **Edit `/etc/hosts` to include IPv6 localhost:**
```bash vi /etc/hosts ----- ::1 localhost ipv6-localhost ipv6-loopback ----- ```
2. **Ensure IPv6 is enabled in `/etc/sysctl.conf`:**
```bash sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf sysctl -p ping ::1 # Test if IPv6 is working ```
2. Configure Database Parameters
Set up your MySQL database connection details: ```bash MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio" ```
3. Specify Internal FQDN, Mail Domain, and Relayhost
Adjust the following for your specific setup: ```bash FQDN="mail.example.local" MAILDOMAIN="example.com" RELAYHOST="123.123.123.1" ADMIN_PASS="Passw0rd4" ```
4. Install Dependencies and Grommunio Packages
Install necessary dependencies: ```bash apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages ```
Optionally, install deprecated ActiveSync if needed: ```bash
- apk add grommunio-dav grommunio-sync
```
5. Move Mail Storage to Another Disk
Move the largest directory `/var/lib/gromox` to another disk and create a symlink: ```bash mv /var/lib/gromox /srv/gromox ln -s /srv/gromox /var/lib/gromox ```
6. Enable Required Services
Enable all necessary Grommunio services: ```bash rc-update add grommunio-admin-api rc-update add gromox-delivery rc-update add gromox-delivery-queue
- Add all the other grommunio services
```
7. Configure Grommunio Files
Modify the configuration files to match your environment: ```bash sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg
- Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)
```
8. Configure Postfix
Prepare Postfix for integration with Grommunio: ```bash cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf ```
9. Configure TLS Certificates
Link and configure your SSL certificates: ```bash ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem chmod 640 /etc/ssl/private/*.key_cert.pem addgroup gromox ssl-cert ```
10. Configure PAM and SASL
Set up authentication services: ```bash
- Configure PAM for SMTP
cat > /etc/pam.d/smtp <<EOF
- %PAM-1.0
auth required pam_gromox.so service=smtp account required pam_permit.so EOF
- Configure SASL authentication
cat > /etc/conf.d/saslauthd <<EOF SASLAUTHD_OPTS="-a pam -r" EOF ```
11. Initialize the Database and Set Admin Password
Initialize the database: ```bash gromox-dbop -C ``` Set the Grommunio admin password: ```bash grommunio-admin passwd --password "${ADMIN_PASS}" ```
12. Configure Firewall Ports
Open the necessary firewall ports: ```bash
- Required ports: 25, 80, 443, etc.
```
---
6. Configure Valkey (Redis Replacement)
1. Enable Syslog:
```bash vi /etc/valkey/grommunio.conf ----- syslog-enabled yes syslog-ident valkey syslog-facility local0 ----- ```
2. Enable Memory Overcommit:
```bash vi /etc/sysctl.conf ----- vm.overcommit_memory = 1 ----- sysctl -p ```
3. Start Valkey and Test:
```bash rcctl restart valkey@grommunio valkey-cli ping # Expected result: 'PONG' ```
---
7. Install and Configure Rspamd
1. Install Rspamd:
```bash apk add rspamd rspamd-client ```
2. Configure Rspamd:
Modify Rspamd configuration files: ```bash cat > /etc/rspamd/local.d/options.inc <<EOF dns {
enable_dnssec = true; timeout = 4s; retransmits = 5;
} EOF
cat > /etc/rspamd/local.d/redis.conf <<EOF read_servers = "127.0.0.1"; write_servers = "127.0.0.1"; EOF
cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF milter = yes; bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd"; timeout = 120s; upstream "local" {
default = yes; self_scan = yes;
} count = 4; EOF ```
3. Add Postfix to Rspamd Group:
```bash addgroup postfix rspamd ```
4. Configure DKIM Signing:
```bash cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF enabled = true; path = "/var/lib/rspamd/dkim/\$domain-\$selector.key"; selector = "dkim"; sign_authenticated = true; sign_local = false; domain {
example.com { selector = "202406"; }
} EOF ```
5. Generate DKIM Key Pair:
```bash mkdir -p /var/lib/rspamd/dkim rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > /var/lib/rspamd/dkim/example.com-202406.pub ```
6. Start Rspamd:
```bash rc-update add rspamd rcctl start rspamd ```
---
8. Finalize and Verify Installation
1. Restart Services:
Restart all services: ```bash rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \
gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \ grommunio-admin-api
```
2. Verify Service Status:
Check the status of all services: ```bash rcctl status ```
3. Check Logs:
Inspect logs for any errors or issues: ```bash find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning' ```
4. Web UI Access:
Admin UI: [1](https://mail.example.local:8443)
---
End User Configuration:
1. Admin UI:
Log into the Admin UI with the username `admin` and the previously created `ADMIN_PASS`.
2. License Configuration:
If you have a license, you can configure it under Grommunio settings in the Admin UI.