Grommunio Mail Server: Difference between revisions

From Alpine Linux
No edit summary
No edit summary
Line 29: Line 29:
To start, install MariaDB and necessary client utilities:
To start, install MariaDB and necessary client utilities:


```sh
   apk add mariadb mariadb-client mariadb-server-utils
   apk add mariadb mariadb-client mariadb-server-utils
```


=== Step 2: Set up MariaDB Database Variables ===
=== Step 2: Set up MariaDB Database Variables ===
Define the variables used in the setup and create a symlink to the MariaDB data directory.
Define the variables used in the setup and create a symlink to the MariaDB data directory.


```sh
  DB_DATA_PATH="/srv/mysql"
DB_DATA_PATH="/srv/mysql"
  DB_ROOT_PASS="Passw0rd1"
DB_ROOT_PASS="Passw0rd1"
  DB_USER="admin"
DB_USER="admin"
  DB_PASS="Passw0rd2"
DB_PASS="Passw0rd2"
```


Setup system tables and configure the symlink for MariaDB:
Setup system tables and configure the symlink for MariaDB:


```sh
  sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH}
sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH}
  ln -s /srv/mysql /var/lib/mysql
ln -s /srv/mysql /var/lib/mysql
  rc-service mariadb restart
rc-service mariadb restart
 
```


=== Step 3: Secure MariaDB ===
=== Step 3: Secure MariaDB ===
Run the built-in security script to set a root password and configure MariaDB security settings.
Run the built-in security script to set a root password and configure MariaDB security settings.


```sh
  sudo mysql_secure_installation
sudo mysql_secure_installation
```


=== Step 4: Create MariaDB User for Grommunio ===
=== Step 4: Create MariaDB User for Grommunio ===
Create a new user for Grommunio and assign privileges:
Create a new user for Grommunio and assign privileges:


```sh
  echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql
echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql
  echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
  echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
  echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql
echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql
  echo "FLUSH PRIVILEGES;" >> /tmp/sql
echo "FLUSH PRIVILEGES;" >> /tmp/sql
  cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}"
cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}"
 
```


=== Step 5: Configure MariaDB for Grommunio ===
=== Step 5: Configure MariaDB for Grommunio ===
Edit the MariaDB configuration for better performance:
Edit the MariaDB configuration for better performance:


```sh
  vi /etc/my.cnf.d/mariadb-server.cnf
vi /etc/my.cnf.d/mariadb-server.cnf
```


Add the following configuration:
Add the following configuration:


```ini
  [mysqld]
[mysqld]
  innodb_log_buffer_size=16M
innodb_log_buffer_size=16M
  innodb_log_file_size=32M
innodb_log_file_size=32M
  innodb_read_io_threads=4
innodb_read_io_threads=4
  innodb_write_io_threads=4
innodb_write_io_threads=4
  join_buffer_size=512K
join_buffer_size=512K
  query_cache_size=0
query_cache_size=0
  query_cache_type=0
query_cache_type=0
  query_cache_limit=2M
query_cache_limit=2M
  performance_schema=ON
performance_schema=ON
  bind-address = 127.0.0.1
bind-address = 127.0.0.1
  skip-name-resolve=ON
skip-name-resolve=ON
```


Create a default charset configuration for MariaDB:
Create a default charset configuration for MariaDB:


```sh
  cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
  [client]
[client]
  default-character-set = utf8mb4
default-character-set = utf8mb4
 
 
  [mysqld]
[mysqld]
  collation_server = utf8mb4_general_ci
collation_server = utf8mb4_general_ci
  character_set_server = utf8mb4
character_set_server = utf8mb4
 
 
  [mysql]
[mysql]
  default-character-set = utf8mb4
default-character-set = utf8mb4
  EOF
EOF
```


Restart MariaDB and enable it to start on boot:
Restart MariaDB and enable it to start on boot:


```sh
  rc-update add mariadb default
rc-update add mariadb default
  service mariadb restart
service mariadb restart
```


=== Step 6: Verify MariaDB Setup
=== Step 6: Verify MariaDB Setup
Check if the MariaDB listener is running and bound to the correct address:
Check if the MariaDB listener is running and bound to the correct address:


```sh
  ss -tulpn
ss -tulpn
 
```


=== Step 7: Create Grommunio Database ===
=== Step 7: Create Grommunio Database ===
Define the database parameters and create the Grommunio database:
Define the database parameters and create the Grommunio database:


```sh
  MYSQL_HOST="localhost"
MYSQL_HOST="localhost"
  MYSQL_USER="grommunio"
MYSQL_USER="grommunio"
  MYSQL_PASS="Passw0rd3"
MYSQL_PASS="Passw0rd3"
  MYSQL_DB="grommunio"
MYSQL_DB="grommunio"


echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql
  echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql
echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql
  echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on  
echo "flush privileges;" >> /tmp/sql
  $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql
cat /tmp/sql | mysql -u admin --password="${DB_PASS}"
  echo "flush privileges;" >> /tmp/sql
```
  cat /tmp/sql | mysql -u admin --password="${DB_PASS}"


Test the database connection:
Test the database connection:


```sh
  mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio
mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio
```


---


== 2. MariaDB Performance Tuning (Optional) ==
== 2. MariaDB Performance Tuning (Optional) ==
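Review bot: Steps 4 and 7 write GRANT statements containing ${DB_PASS} and $MYSQL_PASS to the fixed path /tmp/sql and never remove it, so both passwords stay in a predictable temp file readable under the default umask. Set `umask 077`, create the file with `mktemp`, and delete it after the `mysql` call, or feed the statements to `mysql` from a here-document so they never touch disk. Step 4 also gives `admin` `GRANT ALL ON *.* ... WITH GRANT OPTION` on three host entries; a sentence on why the extra superuser is needed would help. Separately, the `=== Step 6: Verify MariaDB Setup` heading is missing its closing `===`.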
Line 151: Line 130:
Install and configure MySQLTuner to help with database performance:
Install and configure MySQLTuner to help with database performance:


```sh
  wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl
wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl
  mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl
mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl
  chmod 755 /usr/local/bin/mysqltuner.pl
chmod 755 /usr/local/bin/mysqltuner.pl
  apk add perl perl-doc
apk add perl perl-doc
  /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS}
/usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS}
```


---


== 3. Install and Configure Nginx ==
== 3. Install and Configure Nginx ==
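Review bot: `--no-check-certificate` on the wget line turns off TLS verification for a script that is then installed into /usr/local/bin and run with the `admin` database password. Drop the flag (install the CA bundle if verification fails), and fetch a tagged release or verify a checksum instead of pulling `master`, so the file that gets executed is the one that was reviewed. The final line also passes `${DB_PASS}` unquoted as a command-line argument, where it is visible in the process list while the tool runs.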
Line 166: Line 142:
Install the necessary Nginx modules:
Install the necessary Nginx modules:


```sh
  apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli
apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli
 
```


=== Step 2: Configure Nginx ===
=== Step 2: Configure Nginx ===
Backup the original Nginx configuration and edit it for security headers and TLS settings:
Backup the original Nginx configuration and edit it for security headers and TLS settings:


```sh
  cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
  vi /etc/nginx/nginx.conf
vi /etc/nginx/nginx.conf
 
```


Add the following configuration:
Add the following configuration:


```nginx
  error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn;
error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn;
  more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;";
more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;";
  more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Frame-Options : SAMEORIGIN";
  more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always";
more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always";
  more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Xss-Protection : 1; mode=block";
  more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-Content-Type-Options : nosniff";
  more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
  more_set_headers "Server : Follow the white rabbit.";
more_set_headers "Server : Follow the white rabbit.";


ssl_protocols TLSv1.2 TLSv1.3;
  ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:1m;
  ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
  ssl_session_timeout 5m;


log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" '
  log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
  '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
  '"$http_user_agent" "$http_x_forwarded_for" '
'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';
  'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';
 
  access_log off;


access_log off;
```


Restart Nginx and enable it to start on boot:
Restart Nginx and enable it to start on boot:


```sh
  rc-update add nginx
rc-update add nginx
  service nginx restart
service nginx restart
```


---


== 4. Install and Configure PHP ==
== 4. Install and Configure PHP ==
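Review bot: In the Content-Security-Policy line, `always` sits inside the quoted header value, so it is sent to the browser as part of the policy instead of acting as a directive flag; remove it from the string. The same policy allows 'unsafe-inline' and 'unsafe-eval' under `default-src`, which leaves very little script restriction in place, so the text should say whether the Grommunio web applications need both. `access_log off;` right after defining `main_ssl` also means the new log format is never used.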
Line 216: Line 186:
Install the required PHP packages for Grommunio:
Install the required PHP packages for Grommunio:


```sh
  apk add php83 php83-fpm
apk add php83 php83-fpm
 
```


=== Step 2: Harden PHP Configuration ===
=== Step 2: Harden PHP Configuration ===
Disable insecure PHP settings and adjust PHP limits:
Disable insecure PHP settings and adjust PHP limits:


```sh
  sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini
  sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini
  sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini
sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini
  sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini
sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini
 
```


=== Step 3: Configure Session Security ===
=== Step 3: Configure Session Security ===
Configure PHP session security:
Configure PHP session security:


```sh
  sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini
sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini
  sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini
sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini
  sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini
sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini
```


---


== 5. Install and Configure Postfix ==
== 5. Install and Configure Postfix ==
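Review bot: The seven `sed` lines in Steps 2 and 3 exit successfully even when nothing matched, for example when a directive is absent from /etc/php83/php.ini or is indented, so the hardening can silently not apply. Follow them with a check such as `grep -E '^(allow_url_fopen|expose_php|display_errors|log_errors|session\.)' /etc/php83/php.ini`, and restart PHP-FPM so the values take effect. The Step 2 lead-in also promises to "adjust PHP limits", but no limit is changed by these commands.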
Line 246: Line 211:
Install Postfix and related modules:
Install Postfix and related modules:


```sh
  apk add postfix postfix-mysql postfix-pcre
apk add postfix postfix-mysql postfix-pcre
 
```


=== Step 2: Configure Postfix ===
=== Step 2: Configure Postfix ===
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:


```sh
  mv /etc/postfix/main.cf /etc/postfix/main.cf.orig
mv /etc/postfix/main.cf /etc/postfix/main.cf.orig
  mv /etc/postfix/master.cf /etc/postfix/master.cf.orig
mv /etc/postfix/master.cf /etc/postfix/master.cf.orig
 
```


Run Postfix setup:
Run Postfix setup:


```sh
  newaliases
newaliases
  postmap /etc/postfix/transport
postmap /etc/postfix/transport
 
```


Enable Postfix service:
Enable Postfix service:


```sh
  rc-update add postfix
rc-update add postfix
  service postfix restart
service postfix restart
 
```


=== Step 3: Verify Postfix Logs ===
=== Step 3: Verify Postfix Logs ===
Check the Postfix logs for any errors:
Check the Postfix logs for any errors:


```sh
tail -f /var/log/maillog
tail -f /var/log/maillog
```


---


== 6. Install and Configure Grommunio ==
== 6. Install and Configure Grommunio ==
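Review bot: Step 2 moves main.cf and master.cf to `.orig` and then runs `newaliases`, `postmap` and a Postfix restart, but no replacement main.cf or master.cf appears anywhere in the step, so Postfix has no configuration at that point. Either include the replacement files the sentence about `myhostname`, `mynetworks` and `smtp_tls_chain_files` refers to, or use `cp` for the backup and edit in place. `/etc/postfix/transport` is also passed to `postmap` without being created first.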
Line 287: Line 243:
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.


---


== 7. Configure Valkey (Redis Replacement) ==
== 7. Configure Valkey (Redis Replacement) ==
Configure Valkey for optimal caching and session handling, replacing Redis if required.
Configure Valkey for optimal caching and session handling, replacing Redis if required.


---


== 8. Install and Configure Rspamd ==
== 8. Install and Configure Rspamd ==
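Review bot: The one-paragraph sections "6. Install and Configure Grommunio" and "7. Configure Valkey (Redis Replacement)" are stubs whose numbers collide with the detailed "== 6. Configure Valkey (Redis Replacement) ==" and "== 7. Install and Configure Rspamd ==" sections further down the same page. Drop the stubs or renumber so each section number appears once and the step list at the top matches.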
Line 298: Line 252:
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.


---


== 9. Finalize and Verify Installation ==
== 9. Finalize and Verify Installation ==
Line 305: Line 258:
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:


```sh
  ss -tulpn
ss -tulpn
 
```


=== Step 2: Verify Mail Functionality ===
=== Step 2: Verify Mail Functionality ===
Line 318: Line 270:
Since Grommunio requires IPv6 for its daemons:
Since Grommunio requires IPv6 for its daemons:


1. **Edit `/etc/hosts` to include IPv6 localhost:**
1. Edit `/etc/hosts` to include IPv6 localhost:
  ```bash
  vi /etc/hosts
  vi /etc/hosts
  -----
  -----
  ::1 localhost ipv6-localhost ipv6-loopback
  ::1 localhost ipv6-localhost ipv6-loopback
  -----
  -----
 
  ```
 
2. Ensure IPv6 is enabled in `/etc/sysctl.conf`:
  sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf
  sysctl -p
  ping ::1  # Test if IPv6 is working


2. **Ensure IPv6 is enabled in `/etc/sysctl.conf`:**
  ```bash
  sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6\s=\s1/#&/' /etc/sysctl.conf
  sysctl -p
  ping ::1  # Test if IPv6 is working
  ```


=== 2. Configure Database Parameters ===
=== 2. Configure Database Parameters ===
Set up your MySQL database connection details:
Set up your MySQL database connection details:
```bash
 
MYSQL_HOST="localhost"
  MYSQL_HOST="localhost"
MYSQL_USER="grommunio"
  MYSQL_USER="grommunio"
MYSQL_PASS="Passw0rd3"
  MYSQL_PASS="Passw0rd3"
MYSQL_DB="grommunio"
  MYSQL_DB="grommunio"
```
 


=== 3. Specify Internal FQDN, Mail Domain, and Relayhost ===
=== 3. Specify Internal FQDN, Mail Domain, and Relayhost ===
Adjust the following for your specific setup:
Adjust the following for your specific setup:
```bash
 
FQDN="mail.example.local"
  FQDN="mail.example.local"
MAILDOMAIN="example.com"
  MAILDOMAIN="example.com"
RELAYHOST="123.123.123.1"
  RELAYHOST="123.123.123.1"
ADMIN_PASS="Passw0rd4"
  ADMIN_PASS="Passw0rd4"
```
 


=== 4. Install Dependencies and Grommunio Packages ===
=== 4. Install Dependencies and Grommunio Packages ===
Install necessary dependencies:
Install necessary dependencies:
```bash
 
apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login
  apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login
apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages
  apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages
```
 


Optionally, install deprecated ActiveSync if needed:
Optionally, install deprecated ActiveSync if needed:
```bash
 
# apk add grommunio-dav grommunio-sync
  # apk add grommunio-dav grommunio-sync
```
 


=== 5. Move Mail Storage to Another Disk ===
=== 5. Move Mail Storage to Another Disk ===
Move the largest directory `/var/lib/gromox` to another disk and create a symlink:
Move the largest directory `/var/lib/gromox` to another disk and create a symlink:
```bash
 
mv /var/lib/gromox /srv/gromox
  mv /var/lib/gromox /srv/gromox
ln -s /srv/gromox /var/lib/gromox
  ln -s /srv/gromox /var/lib/gromox
```
 


=== 6. Enable Required Services ===
=== 6. Enable Required Services ===
Enable all necessary Grommunio services:
Enable all necessary Grommunio services:
```bash
 
rc-update add grommunio-admin-api
  rc-update add grommunio-admin-api
rc-update add gromox-delivery
  rc-update add gromox-delivery
rc-update add gromox-delivery-queue
  rc-update add gromox-delivery-queue
# Add all the other grommunio services
  # Add all the other grommunio services
```
 


=== 7. Configure Grommunio Files ===
=== 7. Configure Grommunio Files ===
Modify the configuration files to match your environment:
Modify the configuration files to match your environment:
```bash
 
sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg
  sed -i "s/mail.example.local/${FQDN}/g" /etc/gromox/*.cfg
sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg
  sed -i "s/example.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg
# Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)
  # Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)
```
 


=== 8. Configure Postfix ===
=== 8. Configure Postfix ===
Prepare Postfix for integration with Grommunio:
Prepare Postfix for integration with Grommunio:
```bash
 
cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
  cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
  sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
  echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
```
 


=== 9. Configure TLS Certificates ===
=== 9. Configure TLS Certificates ===
Link and configure your SSL certificates:
Link and configure your SSL certificates:
```bash
 
ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf
  ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf
cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem
  cat /etc/ssl/private/${FQDN}.key.pem /etc/ssl/certs/${FQDN}.cert.pem > /etc/ssl/private/${FQDN}.key_cert.pem
chmod 640 /etc/ssl/private/*.key_cert.pem
  chmod 640 /etc/ssl/private/*.key_cert.pem
addgroup gromox ssl-cert
  addgroup gromox ssl-cert
```
 


=== 10. Configure PAM and SASL ===
=== 10. Configure PAM and SASL ===
Set up authentication services:
Set up authentication services:
```bash
 
# Configure PAM for SMTP
  # Configure PAM for SMTP
cat > /etc/pam.d/smtp <<EOF
  cat > /etc/pam.d/smtp <<EOF
#%PAM-1.0
  #%PAM-1.0
auth required pam_gromox.so service=smtp
  auth required pam_gromox.so service=smtp
account required pam_permit.so
  account required pam_permit.so
EOF
  EOF
# Configure SASL authentication
 
cat > /etc/conf.d/saslauthd <<EOF
  # Configure SASL authentication
SASLAUTHD_OPTS="-a pam -r"
  cat > /etc/conf.d/saslauthd <<EOF
EOF
  SASLAUTHD_OPTS="-a pam -r"
```
  EOF
 


=== 11. Initialize the Database and Set Admin Password ===
=== 11. Initialize the Database and Set Admin Password ===
Initialize the database:
Initialize the database:
```bash
 
gromox-dbop -C
  gromox-dbop -C
```
 
Set the Grommunio admin password:
Set the Grommunio admin password:
```bash
 
grommunio-admin passwd --password "${ADMIN_PASS}"
  grommunio-admin passwd --password "${ADMIN_PASS}"
```
 


=== 12. Configure Firewall Ports ===
=== 12. Configure Firewall Ports ===
Open the necessary firewall ports:
Open the necessary firewall ports:
```bash
# Required ports: 25, 80, 443, etc.
```


---
  # Required ports: 25, 80, 443, etc.
 


== 6. Configure Valkey (Redis Replacement) ==
== 6. Configure Valkey (Redis Replacement) ==


=== 1. Enable Syslog: ===
=== 1. Enable Syslog: ===
  ```bash
 
  vi /etc/valkey/grommunio.conf
  vi /etc/valkey/grommunio.conf
  -----
  -----
  syslog-enabled yes
  syslog-enabled yes
  syslog-ident valkey
  syslog-ident valkey
  syslog-facility local0
  syslog-facility local0
  -----
  -----
  ```
 


=== 2. Enable Memory Overcommit: ===
=== 2. Enable Memory Overcommit: ===
  ```bash
 
  vi /etc/sysctl.conf
  vi /etc/sysctl.conf
  -----
  -----
  vm.overcommit_memory = 1
  vm.overcommit_memory = 1
  -----
  -----
  sysctl -p
  sysctl -p
  ```
 


=== 3. Start Valkey and Test: ===
=== 3. Start Valkey and Test: ===
  ```bash
  rcctl restart valkey@grommunio
  valkey-cli ping  # Expected result: 'PONG'
  ```


---
  rcctl restart valkey@grommunio
  valkey-cli ping  # Expected result: 'PONG'
 
 


== 7. Install and Configure Rspamd ==
== 7. Install and Configure Rspamd ==


=== 1. Install Rspamd: ===
=== 1. Install Rspamd: ===
```bash
 
apk add rspamd rspamd-client
  apk add rspamd rspamd-client
```
 


=== 2. Configure Rspamd: ===
=== 2. Configure Rspamd: ===
Modify Rspamd configuration files:
Modify Rspamd configuration files:
```bash
cat > /etc/rspamd/local.d/options.inc <<EOF
dns {
  enable_dnssec = true;
  timeout = 4s;
  retransmits = 5;
}
EOF


cat > /etc/rspamd/local.d/redis.conf <<EOF
  cat > /etc/rspamd/local.d/options.inc <<EOF
read_servers = "127.0.0.1";
  dns {
write_servers = "127.0.0.1";
    enable_dnssec = true;
EOF
    timeout = 4s;
  retransmits = 5;
  }
  EOF
 
  cat > /etc/rspamd/local.d/redis.conf <<EOF
  read_servers = "127.0.0.1";
  write_servers = "127.0.0.1";
  EOF
 
  cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF
  milter = yes;
  bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd";
  timeout = 120s;
  upstream "local" {
    default = yes;
    self_scan = yes;
  }
  count = 4;
  EOF


cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF
milter = yes;
bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd";
timeout = 120s;
upstream "local" {
  default = yes;
  self_scan = yes;
}
count = 4;
EOF
```


=== 3. Add Postfix to Rspamd Group: ===
=== 3. Add Postfix to Rspamd Group: ===
```bash
 
addgroup postfix rspamd
  addgroup postfix rspamd
```
 


=== 4. Configure DKIM Signing: ===
=== 4. Configure DKIM Signing: ===
```bash
 
cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF
  cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF
enabled = true;
  enabled = true;
path = "/var/lib/rspamd/dkim/\$domain-\$selector.key";
  path = "/var/lib/rspamd/dkim/\$domain-\$selector.key";
selector = "dkim";
  selector = "dkim";
sign_authenticated = true;
  sign_authenticated = true;
sign_local = false;
  sign_local = false;
domain {
  domain {
  example.com { selector = "202406"; }
    example.com { selector = "202406"; }
}
  }
EOF
  EOF
```
 


=== 5. Generate DKIM Key Pair: ===
=== 5. Generate DKIM Key Pair: ===
```bash
 
mkdir -p /var/lib/rspamd/dkim
  mkdir -p /var/lib/rspamd/dkim
rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key > /var/lib/rspamd/dkim/example.com-202406.pub
  rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key >  
```
  /var/lib/rspamd/dkim/example.com-202406.pub
 


=== 6. Start Rspamd: ===
=== 6. Start Rspamd: ===
```bash
rc-update add rspamd
rcctl start rspamd
```


---
  rc-update add rspamd
  rcctl start rspamd
 


== 8. Finalize and Verify Installation ==
== 8. Finalize and Verify Installation ==
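Review bot: In "5. Generate DKIM Key Pair" the space-indented version breaks the `rspamadm dkim_keygen` command after the `>`, leaving the redirect target `/var/lib/rspamd/dkim/example.com-202406.pub` on its own line; a redirect with no target on the same line is a shell syntax error, so keep the command on one line. Nothing in the step sets ownership or mode on the private key or its directory either; add a `chown` to the rspamd user and a `chmod 600` on the `.key` file. In "10. Configure PAM and SASL" the indented version also moves the `# Configure SASL authentication` comment and the second `cat` relative to the `EOF` lines, which should be rechecked so each here-document still closes where intended.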
Line 538: Line 485:
=== 1. Restart Services: ===
=== 1. Restart Services: ===
Restart all services:
Restart all services:
```bash
 
rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \
  rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \
  gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \
    gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \
  grommunio-admin-api
    grommunio-admin-api
```
 


=== 2. Verify Service Status: ===
=== 2. Verify Service Status: ===
Check the status of all services:
Check the status of all services:
```bash
 
rcctl status
  rcctl status
```
 


=== 3. Check Logs: ===
=== 3. Check Logs: ===
Inspect logs for any errors or issues:
Inspect logs for any errors or issues:
```bash
 
find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning'
  find /var/log -type f | xargs tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning'
```
 


=== 4. Web UI Access: ===
=== 4. Web UI Access: ===
Admin UI: [https://mail.example.local:8443](https://mail.example.local:8443)
Admin UI: [https://mail.example.local:8443](https://mail.example.local:8443)


---


== End User Configuration: ==
== End User Configuration: ==

Revision as of 22:42, 30 November 2024

This material is work-in-progress ...

(Last edited by Midas on 30 Nov 2024.)


HOWTO: Install Alpine Linux Mail Server with Grommunio

This tutorial outlines the steps for setting up a mail server on Alpine Linux using Grommunio, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.

Prerequisites

Before proceeding with the installation, ensure you have a freshly set up Alpine Linux system. You'll need root privileges to execute these commands.

Steps:

  1. Install and configure MariaDB
  2. MariaDB performance tuning (optional)
  3. Install and configure Nginx
  4. Install and configure PHP
  5. Install and configure Postfix
  6. Install and configure Grommunio
  7. Configure Valkey (Redis replacement)
  8. Install and configure Rspamd
  9. Finalize and verify installation


1. Install and Configure MariaDB

Step 1: Install MariaDB

To start, install MariaDB and necessary client utilities:

 apk add mariadb mariadb-client mariadb-server-utils

Step 2: Set up MariaDB Database Variables

Define the variables used in the setup and create a symlink to the MariaDB data directory.

 DB_DATA_PATH="/srv/mysql"
 DB_ROOT_PASS="Passw0rd1"
 DB_USER="admin"
 DB_PASS="Passw0rd2"

Set up the system tables and create the symlink for MariaDB:

 sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH}
 ln -s /srv/mysql /var/lib/mysql
 rc-service mariadb restart


Step 3: Secure MariaDB

Run the built-in security script to set a root password and configure MariaDB security settings.

 sudo mysql_secure_installation

Step 4: Create MariaDB User for Grommunio

Create a new user for Grommunio and assign privileges:

 echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql
 echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
 echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql
 echo "DELETE FROM mysql.user WHERE User='';" >> /tmp/sql
 echo "FLUSH PRIVILEGES;" >> /tmp/sql
 cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}"


Step 5: Configure MariaDB for Grommunio

Edit the MariaDB configuration for better performance:

 vi /etc/my.cnf.d/mariadb-server.cnf

Add the following configuration:

 [mysqld]
 innodb_log_buffer_size=16M
 innodb_log_file_size=32M
 innodb_read_io_threads=4
 innodb_write_io_threads=4
 join_buffer_size=512K
 query_cache_size=0
 query_cache_type=0
 query_cache_limit=2M
 performance_schema=ON
 bind-address = 127.0.0.1
 skip-name-resolve=ON

Create a default charset configuration for MariaDB:

 cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
 [client]
 default-character-set = utf8mb4
 
 [mysqld]
 collation_server = utf8mb4_general_ci
 character_set_server = utf8mb4
 
 [mysql]
 default-character-set = utf8mb4
 EOF

Restart MariaDB and enable it to start on boot:

 rc-update add mariadb default
 service mariadb restart

Step 6: Verify MariaDB Setup

Check if the MariaDB listener is running and bound to the correct address:

 ss -tulpn
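
Reading the `ss` output by eye is easy to get wrong, so the check can be scripted. The following is an added example, not part of the original how-to: it filters `ss -tln` or `ss -tuln` output for listeners on a port that are not bound to loopback, matching the `bind-address = 127.0.0.1` setting from Step 5. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original how-to.
# Lists local addresses that listen on a TCP port but are not loopback.
# Input: output of `ss -tln` or `ss -tuln` on stdin. Argument: port number.
non_loopback_listeners() {
    awk -v port="$1" '
        {
            # With -u in the flags, ss prints a Netid column first, which
            # shifts State and Local Address:Port one field to the right.
            if ($1 == "LISTEN")      { addr = $4 }
            else if ($2 == "LISTEN") { addr = $5 }
            else                     { next }   # header line, UDP sockets

            n = split(addr, part, ":")
            if (part[n] != port) next
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            sub(/%.*$/, "", host)               # drop a scope such as %lo
            if (host == "127.0.0.1" || host == "[::1]") next
            print host
        }'
}

# Returns 0 when every listener on the port is loopback-only, 1 otherwise.
port_is_loopback_only() {
    [ -z "$(non_loopback_listeners "$1")" ]
}

# Constructed sample output (not captured from a real host).
SAMPLE_GOOD='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*     users:(("mariadbd",pid=2100,fd=20))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=2200,fd=6))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*'

SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*
LISTEN 0      80              [::]:3306         [::]:*'

# On the server: ss -tln | port_is_loopback_only 3306 || echo "MariaDB is exposed"
```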


Step 7: Create Grommunio Database

Define the database parameters and create the Grommunio database:

 MYSQL_HOST="localhost"
 MYSQL_USER="grommunio"
 MYSQL_PASS="Passw0rd3"
 MYSQL_DB="grommunio"
 echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql
 echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql
 echo "flush privileges;" >> /tmp/sql
 cat /tmp/sql | mysql -u admin --password="${DB_PASS}"

Test the database connection:

 mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio


2. MariaDB Performance Tuning (Optional)

Install and configure MySQLTuner to help with database performance:

 wget -v https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl
 mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl
 chmod 755 /usr/local/bin/mysqltuner.pl
 apk add perl perl-doc
 /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS}


3. Install and Configure Nginx

Step 1: Install Nginx

Install the necessary Nginx modules:

 apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli


Step 2: Configure Nginx

Back up the original Nginx configuration and edit it for security headers and TLS settings:

 cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
 vi /etc/nginx/nginx.conf


Add the following configuration:

 error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn;
 more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;";
 more_set_headers "X-Frame-Options : SAMEORIGIN";
 more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
 more_set_headers "X-Xss-Protection : 1; mode=block";
 more_set_headers "X-Content-Type-Options : nosniff";
 more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
 more_set_headers "Server : Follow the white rabbit.";
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_session_cache shared:SSL:1m;
 ssl_session_timeout 5m;
 log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for" '
 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';
 
 access_log off;


Restart Nginx and enable it to start on boot:

 rc-update add nginx
 service nginx restart


4. Install and Configure PHP

Step 1: Install PHP

Install the required PHP packages for Grommunio:

 apk add php83 php83-fpm


Step 2: Harden PHP Configuration

Disable insecure PHP settings and adjust PHP limits:

 sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini
 sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini
 sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini
 sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini


Step 3: Configure Session Security

Configure PHP session security:

 sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini
 sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini
 sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini
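
The sed commands in Steps 2 and 3 only rewrite lines that already exist, so a directive that is absent from `php.ini` stays unset without any error. The following check is an added example, not part of the original page; the function names and the sample `php.ini` are constructed for illustration.

```shell
# Added example, not from the original page.
# Directive=value pairs that Steps 2 and 3 are meant to enforce.
EXPECTED="allow_url_fopen=Off expose_php=Off display_errors=Off log_errors=On
session.use_strict_mode=1 session.cookie_secure=1 session.cookie_httponly=1"

# apply_page_sed FILE: the page's sed edits, written as a loop.
apply_page_sed() {
    for pair in $EXPECTED; do
        sed -i "s/^;\?\(${pair%%=*}\).*/\1 = ${pair#*=}/" "$1"
    done
}

# effective_value FILE KEY: print the last active (uncommented) value of KEY;
# exit status 1 when KEY is not set anywhere in FILE.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { val = v; found = 1 } }
        END { if (!found) exit 1; print val }' "$1"
}

# check_php_ini FILE: list every directive that is missing or has the wrong
# value (case-insensitive compare). Returns 0 only when all seven match.
check_php_ini() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        if ! got=$(effective_value "$1" "$key"); then
            echo "MISSING  $key (expected $want)"; rc=1
        elif [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" != "$(printf %s "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "MISMATCH $key = $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# demo: constructed php.ini in which session.cookie_secure does not appear.
demo() {
    f=$(mktemp)
    printf '%s\n' '[PHP]' 'expose_php = On' ';allow_url_fopen = On' \
        'display_errors = On' 'log_errors = Off' '[Session]' \
        'session.use_strict_mode = 0' ';session.cookie_httponly =' > "$f"
    apply_page_sed "$f"
    status=0; check_php_ini "$f" || status=1
    rm -f "$f"; return $status
}
```

On the server, run `check_php_ini /etc/php83/php.ini` after the sed commands and add any directive it reports as missing by hand.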


5. Install and Configure Postfix

Step 1: Install Postfix

Install Postfix and related modules:

 apk add postfix postfix-mysql postfix-pcre


Step 2: Configure Postfix

Back up and configure the Postfix settings. Adapt values such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files` as necessary:

 mv /etc/postfix/main.cf /etc/postfix/main.cf.orig
 mv /etc/postfix/master.cf /etc/postfix/master.cf.orig


Run Postfix setup:

 newaliases
 postmap /etc/postfix/transport


Enable Postfix service:

 rc-update add postfix
 service postfix restart


Step 3: Verify Postfix Logs

Check the Postfix logs for any errors:

 tail -f /var/log/maillog


6. Install and Configure Grommunio

Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.


7. Configure Valkey (Redis Replacement)

Configure Valkey for optimal caching and session handling, replacing Redis if required.


8. Install and Configure Rspamd

Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.


9. Finalize and Verify Installation

Step 1: Test Server Components

Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:

 ss -tulpn


Step 2: Verify Mail Functionality

Test sending and receiving emails using a mail client and verifying server logs for any errors.


5. Install and Configure Grommunio

1. Enable IPv6

Grommunio's daemons require IPv6, so make sure it is enabled:

1. Edit `/etc/hosts` to include IPv6 localhost:

 vi /etc/hosts
 -----
 ::1		localhost ipv6-localhost ipv6-loopback
 -----


2. Ensure IPv6 is enabled in `/etc/sysctl.conf`:

 sed -i 's/^net\.ipv6\.conf\..*\.disable_ipv6[[:space:]]*=[[:space:]]*1/#&/' /etc/sysctl.conf
 sysctl -p
 ping -c 3 ::1  # Test if IPv6 is working


2. Configure Database Parameters

Set your MySQL database connection details (replace the example password with your own):

 MYSQL_HOST="localhost"
 MYSQL_USER="grommunio"
 MYSQL_PASS="Passw0rd3"
 MYSQL_DB="grommunio"


3. Specify Internal FQDN, Mail Domain, and Relayhost

Adjust the following for your specific setup:

 FQDN="mail.example.local"
 MAILDOMAIN="example.com"
 RELAYHOST="123.123.123.1"
 ADMIN_PASS="Passw0rd4"


4. Install Dependencies and Grommunio Packages

Install necessary dependencies:

 apk add valkey valkey-cli cyrus-sasl cyrus-sasl-login util-linux-login
 apk add grommunio-gromox grommunio-web grommunio-admin-api grommunio-admin-web grommunio-index grommunio-error-pages


Optionally, install deprecated ActiveSync if needed:

 # apk add grommunio-dav grommunio-sync


5. Move Mail Storage to Another Disk

Move the largest directory `/var/lib/gromox` to another disk and create a symlink:

 mv /var/lib/gromox /srv/gromox
 ln -s /srv/gromox /var/lib/gromox


6. Enable Required Services

Enable all necessary Grommunio services:

 rc-update add grommunio-admin-api
 rc-update add gromox-delivery
 rc-update add gromox-delivery-queue
 # Add all the other grommunio services


7. Configure Grommunio Files

Modify the configuration files to match your environment:

 sed -i "s/mail\.example\.local/${FQDN}/g" /etc/gromox/*.cfg
 sed -i "s/example\.com/${MAILDOMAIN}/g" /etc/gromox/*.cfg
 # Continue modifying other configuration files (mysql_adaptor.cfg, autodiscover.ini, etc.)


8. Configure Postfix

Prepare Postfix for integration with Grommunio:

 cp -p /etc/postfix/grommunio-virtual-mailbox-maps.cf /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
 sed -i '/^query =/d' /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf
 echo "query = SELECT username FROM users WHERE username='%s' UNION SELECT aliasname FROM aliases WHERE mainname='%s'" >> /etc/postfix/grommunio-virtual-mailbox-sender-maps.cf


9. Configure TLS Certificates

Link and configure your TLS certificates:

 ln -s /etc/grommunio-common/nginx/ssl_certificate.conf /etc/grommunio-admin-common/nginx-ssl.conf
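 # Create the bundle under a restrictive umask so the private key is never world-readable
 (umask 027; cat "/etc/ssl/private/${FQDN}.key.pem" "/etc/ssl/certs/${FQDN}.cert.pem" > "/etc/ssl/private/${FQDN}.key_cert.pem")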
 chmod 640 /etc/ssl/private/*.key_cert.pem
 addgroup gromox ssl-cert


10. Configure PAM and SASL

Set up authentication services:

 # Configure PAM for SMTP
 cat > /etc/pam.d/smtp <<EOF
 #%PAM-1.0
 auth required pam_gromox.so service=smtp
 account required pam_permit.so
 EOF
 # Configure SASL authentication
 cat > /etc/conf.d/saslauthd <<EOF
 SASLAUTHD_OPTS="-a pam -r"
 EOF


11. Initialize the Database and Set Admin Password

Initialize the database:

 gromox-dbop -C

Set the Grommunio admin password:

 grommunio-admin passwd --password "${ADMIN_PASS}"


12. Configure Firewall Ports

Open the necessary firewall ports:

 # Required ports: 25, 80, 443, etc.


6. Configure Valkey (Redis Replacement)

1. Enable Syslog:

 vi /etc/valkey/grommunio.conf
 -----
 syslog-enabled yes
 syslog-ident valkey
 syslog-facility local0
 -----


2. Enable Memory Overcommit:

 vi /etc/sysctl.conf
 -----
 vm.overcommit_memory = 1
 -----
 sysctl -p


3. Start Valkey and Test:

 rcctl restart valkey@grommunio
 valkey-cli ping  # Expected result: 'PONG'


7. Install and Configure Rspamd

1. Install Rspamd:

 apk add rspamd rspamd-client


2. Configure Rspamd:

Modify Rspamd configuration files:

 cat > /etc/rspamd/local.d/options.inc <<EOF
 dns {
   enable_dnssec = true;
   timeout = 4s;
   retransmits = 5;
 }
 EOF
 cat > /etc/rspamd/local.d/redis.conf <<EOF
 read_servers = "127.0.0.1";
 write_servers = "127.0.0.1";
 EOF
 cat > /etc/rspamd/local.d/worker-proxy.inc <<EOF
 milter = yes;
 bind_socket = "/var/run/rspamd/worker-proxy.sock mode=0660 owner=rspamd";
 timeout = 120s;
 upstream "local" {
   default = yes;
   self_scan = yes;
 }
 count = 4;
 EOF


3. Add Postfix to Rspamd Group:

 addgroup postfix rspamd


4. Configure DKIM Signing:

 cat > /etc/rspamd/local.d/dkim_signing.conf <<EOF
 enabled = true;
 path = "/var/lib/rspamd/dkim/\$domain-\$selector.key";
 selector = "dkim";
 sign_authenticated = true;
 sign_local = false;
 domain {
   example.com { selector = "202406"; }
 }
 EOF


5. Generate DKIM Key Pair:

 mkdir -p /var/lib/rspamd/dkim
 rspamadm dkim_keygen -s 202406 -t ED25519 -d example.com -k /var/lib/rspamd/dkim/example.com-202406.key \
   > /var/lib/rspamd/dkim/example.com-202406.pub


6. Start Rspamd:

 rc-update add rspamd
 rcctl start rspamd


8. Finalize and Verify Installation

1. Restart Services:

Restart all services:

 rcctl restart postfix saslauthd rspamd valkey@grommunio nginx php-fpm83 gromox-delivery gromox-event \
   gromox-http gromox-imap gromox-midb gromox-pop3 gromox-delivery-queue gromox-timer gromox-zcore \
   grommunio-admin-api


2. Verify Service Status:

Check the status of all services:

 rcctl status


3. Check Logs:

Inspect logs for any errors or issues:

 find /var/log -type f -print0 | xargs -0 tail -n50 | grep -iE '==>|fail|crit|error|alert|corrupt|warning'


4. Web UI Access:

Admin UI: https://mail.example.local:8443


End User Configuration:

1. Admin UI:

Log into the Admin UI with the username `admin` and the previously created `ADMIN_PASS`.

2. License Configuration:

If you have a license, you can configure it under Grommunio settings in the Admin UI.