Grommunio Mail Server
This material is work-in-progress ... This is a work in progress |
- HOWTO: Install AlpineLinux Mail Server with Grommunio
This tutorial outlines the steps for setting up a mail server on Alpine Linux using **Grommunio**, a modern, open-source groupware solution that supports email and calendar services. The installation includes MariaDB, Nginx, PHP, Postfix, and other components necessary for a fully functioning mail server.
- Prerequisites
Before proceeding with the installation, ensure you have a fresh Alpine Linux system setup. You'll need root privileges to execute these commands.
- Steps:
1. Install and configure MariaDB 2. MariaDB performance tuning (optional) 3. Install and configure Nginx 4. Install and configure PHP 5. Install and configure Postfix 6. Install and configure Grommunio 7. Configure Valkey (Redis replacement) 8. Install and configure Rspamd 9. Finalize and verify installation
---
- 1. Install and Configure MariaDB
- Step 1: Install MariaDB
To start, install MariaDB and necessary client utilities:
```sh apk add mariadb mariadb-client mariadb-server-utils ```
- Step 2: Set up MariaDB Database Variables
Define the variables used in the setup and create a symlink to the MariaDB data directory.
```sh DB_DATA_PATH="/srv/mysql" DB_ROOT_PASS="Passw0rd1" DB_USER="admin" DB_PASS="Passw0rd2" ```
Setup system tables and configure the symlink for MariaDB:
```sh sudo mysql_install_db --user=mysql --datadir=${DB_DATA_PATH} ln -s /srv/mysql /var/lib/mysql rc-service mariadb restart ```
- Step 3: Secure MariaDB
Run the built-in security script to set a root password and configure MariaDB security settings.
```sh sudo mysql_secure_installation ```
- Step 4: Create MariaDB User for Grommunio
Create a new user for Grommunio and assign privileges:
```sh echo "GRANT ALL ON *.* TO ${DB_USER}@'127.0.0.1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" > /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'localhost' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "GRANT ALL ON *.* TO ${DB_USER}@'::1' IDENTIFIED BY '${DB_PASS}' WITH GRANT OPTION;" >> /tmp/sql echo "DELETE FROM mysql.user WHERE User=;" >> /tmp/sql echo "FLUSH PRIVILEGES;" >> /tmp/sql cat /tmp/sql | mysql -u root --password="${DB_ROOT_PASS}" ```
- Step 5: Configure MariaDB for Grommunio
Edit the MariaDB configuration for better performance:
```sh vi /etc/my.cnf.d/mariadb-server.cnf ```
Add the following configuration:
```ini [mysqld] innodb_log_buffer_size=16M innodb_log_file_size=32M innodb_read_io_threads=4 innodb_write_io_threads=4 join_buffer_size=512K query_cache_size=0 query_cache_type=0 query_cache_limit=2M performance_schema=ON bind-address = 127.0.0.1 skip-name-resolve=ON ```
Create a default charset configuration for MariaDB:
```sh cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF [client] default-character-set = utf8mb4
[mysqld] collation_server = utf8mb4_general_ci character_set_server = utf8mb4
[mysql] default-character-set = utf8mb4 EOF ```
Restart MariaDB and enable it to start on boot:
```sh rc-update add mariadb default service mariadb restart ```
- Step 6: Verify MariaDB Setup
Check if the MariaDB listener is running and bound to the correct address:
```sh ss -tulpn ```
- Step 7: Create Grommunio Database
Define the database parameters and create the Grommunio database:
```sh MYSQL_HOST="localhost" MYSQL_USER="grommunio" MYSQL_PASS="Passw0rd3" MYSQL_DB="grommunio"
echo "create database $MYSQL_DB character set 'utf8mb4';" > /tmp/sql echo "grant select, insert, update, delete, create, drop, index, alter, create temporary tables, lock tables on $MYSQL_DB.* TO $MYSQL_USER@$MYSQL_HOST identified by '$MYSQL_PASS';" >> /tmp/sql echo "flush privileges;" >> /tmp/sql cat /tmp/sql | mysql -u admin --password="${DB_PASS}" ```
Test the database connection:
```sh mysql -hlocalhost -u grommunio -p${MYSQL_PASS} grommunio ```
---
- 2. MariaDB Performance Tuning (Optional)
Install and configure MySQLTuner to help with database performance:
```sh wget -v --no-check-certificate https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl -O /tmp/mysqltuner.pl mv /tmp/mysqltuner.pl /usr/local/bin/mysqltuner.pl chmod 755 /usr/local/bin/mysqltuner.pl apk add perl perl-doc /usr/local/bin/mysqltuner.pl --user admin --pass ${DB_PASS} ```
---
- 3. Install and Configure Nginx
- Step 1: Install Nginx
Install the necessary Nginx modules:
```sh apk add nginx nginx-mod-http-headers-more nginx-mod-http-vts nginx-mod-http-brotli ```
- Step 2: Configure Nginx
Backup the original Nginx configuration and edit it for security headers and TLS settings:
```sh cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig vi /etc/nginx/nginx.conf ```
Add the following configuration:
```nginx error_log syslog:server=unix:/dev/log,facility=local2,nohostname warn; more_set_headers "Strict-Transport-Security : max-age=2592000; includeSubDomains;"; more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "Server : Follow the white rabbit.";
ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m;
log_format main_ssl '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'client_ciphers="$ssl_ciphers" client_curves="$ssl_curves"';
access_log off; ```
Restart Nginx and enable it to start on boot:
```sh rc-update add nginx service nginx restart ```
---
- 4. Install and Configure PHP
- Step 1: Install PHP
Install the required PHP packages for Grommunio:
```sh apk add php83 php83-fpm ```
- Step 2: Harden PHP Configuration
Disable insecure PHP settings and adjust PHP limits:
```sh sed 's/^;\?\(allow_url_fopen\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(expose_php\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(display_errors\).*/\1 = Off/' -i /etc/php83/php.ini sed 's/^;\?\(log_errors\).*/\1 = On/' -i /etc/php83/php.ini ```
- Step 3: Configure Session Security
Configure PHP session security:
```sh sed 's/^;\?\(session.use_strict_mode\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_secure\).*/\1 = 1/' -i /etc/php83/php.ini sed 's/^;\?\(session.cookie_httponly\).*/\1 = 1/' -i /etc/php83/php.ini ```
---
- 5. Install and Configure Postfix
- Step 1: Install Postfix
Install Postfix and related modules:
```sh apk add postfix postfix-mysql postfix-pcre ```
- Step 2: Configure Postfix
Backup and configure the Postfix settings. Adapt the values as necessary, such as `myhostname`, `mynetworks`, and `smtp_tls_chain_files`:
```sh mv /etc/postfix/main.cf /etc/postfix/main.cf.orig mv /etc/postfix/master.cf /etc/postfix/master.cf.orig ```
Run Postfix setup:
```sh newaliases postmap /etc/postfix/transport ```
Enable Postfix service:
```sh rc-update add postfix service postfix restart ```
- Step 3: Verify Postfix Logs
Check the Postfix logs for any errors:
```sh tail -f /var/log/maillog ```
---
- 6. Install and Configure Grommunio
Install and configure Grommunio to provide email and calendar functionality. Follow the detailed installation steps outlined in the official Grommunio documentation.
---
- 7. Configure Valkey (Redis Replacement)
Configure Valkey for optimal caching and session handling, replacing Redis if required.
---
- 8. Install and Configure Rspamd
Rspamd provides spam filtering for your mail server. Follow the official documentation to install and configure Rspamd to work with Postfix and Nginx.
---
- 9. Finalize and Verify Installation
- Step 1: Test Server Components
Ensure that all services (Postfix, MariaDB, Nginx, PHP, Grommunio) are running correctly:
```sh ss -tulpn ```
- Step 2: Verify Mail Functionality
Test sending and receiving emails using a mail client and verifying server logs for any errors.