Grommunio Mail Server

From Alpine Linux
Revision as of 22:23, 30 November 2024 by Midas (talk | contribs)
This material is work-in-progress ...

This is a work in progress
(Last edited by Midas on 30 Nov 2024.)


HOWTO: Install AlpineLinux Mail Server with Grommunio

This tutorial outlines the steps for setting up a mail server on Alpine Linux using **Grommunio**, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.

Prerequisites

Before proceeding with the installation, ensure you have a fresh Alpine Linux system setup. You'll need root privileges to execute these commands.

Steps:

1. Install and configure MariaDB 2. MariaDB performance tuning (optional) 3. Install and configure Nginx 4. Install and configure PHP 5. Install and configure Postfix 6. Install and configure Grommunio 7. Configure Valkey (Redis replacement) 8. Install and configure Rspamd 9. Finalize and verify installation

---

1. Install and Configure MariaDB

Step 1: Install MariaDB

To start, install MariaDB and necessary client utilities:

```sh apk add mariadb mariadb-client mariadb-server-utils ```

Step 2: Set up MariaDB Database Variables

Define the variables used in the setup and create a symlink to the MariaDB data directory.

```sh DB_DATA_PATH="/srv/mysql" DB_ROOT_PASS="Passw0rd1" DB_USER="admin" DB_PASS="Passw0rd2" ```

Setup system tables and configure the symlink for MariaDB:

```sh sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} ln -s /srv/mysql /var/lib/mysql rc-service mariadb restart ```

=== Step 3: Secure MariaDB Run the built-in security script to set a root password and configure MariaDB security settings.

```sh sudo mysql_secure_installation ```

Step 4: Create MariaDB User for Grommunio

Create a new user for Grommunio and assign privileges:

```sh echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "DELETE FROM mysql.user WHERE User=;" >> /tmp/sql echo "FLUSH PRIVILEGES;" >> /tmp/sql cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}" ```

Step 5: Configure MariaDB for Grommunio

Edit the MariaDB configuration for better performance:

```sh vi /etc/my.cnf.d/mariadb-server.cnf ```

Add the following configuration:

```ini [mysqld] innodb_log_buffer_size=16M innodb_log_file_size=32M innodb_read_io_threads=4 innodb_write_io_threads=4 join_buffer_size=512K query_cache_size=0 query_cache_type=0 query_cache_limit=2M performance_schema=ON bind-address = 127.0.0.1 skip-name-resolve=ON ```

Create a default charset configuration for MariaDB:

```sh cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF [client] default-character-set = utf8mb4

[mysqld] collation_server = utf8mb4_general_ci character_set_server = utf8mb4

[mysql] default-character-set = utf8mb4 EOF ```

Restart MariaDB and enable it to start on boot:

```sh rc-update add mariadb default service mariadb restart ```

=== Step 6: Verify MariaDB Setup Check if the MariaDB listener is running and bound to the correct address:

```sh ss -tulpn ```

Step 7: Create Grommunio Database

Define the database parameters and create the Grommunio database:

```sh MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio"

echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql echo "flush privileges;" >> /tmp/sql cat /tmp/sql | mysql -u admin --password="${DB_PASS}" ```

Test the database connection:

```sh mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio ```

---

2. MariaDB Performance Tuning (Optional)

Install and configure MySQLTuner to help with database performance:

```sh wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl chmod 755 /usr/local/bin/mysqltuner.pl apk add perl perl-doc /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS} ```

---

3. Install and Configure Nginx

Step 1: Install Nginx

Install the necessary Nginx modules:

```sh apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli ```

Step 2: Configure Nginx

Backup the original Nginx configuration and edit it for security headers and TLS settings:

```sh cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig vi /etc/nginx/nginx.conf ```

Add the following configuration:

```nginx error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "Server : Follow the white rabbit.";

ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;

log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';

access_log off; ```

Restart Nginx and enable it to start on boot:

```sh rc-update add nginx service nginx restart ```

---

4. Install and Configure PHP

Step 1: Install PHP

Install the required PHP packages for Grommunio:

```sh apk add php83 php83-fpm ```

Step 2: Harden PHP Configuration

Disable insecure PHP settings and adjust PHP limits:

```sh sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini ```

Step 3: Configure Session Security

Configure PHP session security:

```sh sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini ```

---

5. Install and Configure Postfix

Step 1: Install Postfix

Install Postfix and related modules:

```sh apk add postfix postfix-mysql postfix-pcre ```

Step 2: Configure Postfix

Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:

```sh mv /etc/postfix/main.cf /etc/postfix/main.cf.orig mv /etc/postfix/master.cf /etc/postfix/master.cf.orig ```

Run Postfix setup:

```sh newaliases postmap /etc/postfix/transport ```

Enable Postfix service:

```sh rc-update add postfix service postfix restart ```

Step 3: Verify Postfix Logs

Check the Postfix logs for any errors:


```sh tail -f /var/log/maillog ```

---

6. Install and Configure Grommunio

Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.

---

7. Configure Valkey (Redis Replacement)

Configure Valkey for optimal caching and session handling, replacing Redis if required.

---

8. Install and Configure Rspamd

Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.

---

9. Finalize and Verify Installation

Step 1: Test Server Components

Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:

```sh ss -tulpn ```

Step 2: Verify Mail Functionality

Test sending and receiving emails using a mail client and verifying server logs for any errors.