Configure a Debian 11 Groupware Server - LAMP Stack

By Eben van Deventer on May 17, 2022
Expert

Installing a mailserver on a Debian 11 LXC Container with Groupware Features contained in SOGo or NextCloud.

Since Google has decided to retire their Google Apps for Business and force migration to their paid Workspace Product, I found the need to migrate some of my deployed domains to a self-hosted Mail Service. My requirements were for a groupware server which can deal with shared calendars, mailboxes and contacts.


Solutions like iRedMail insisting on charging for really basic functionality (Alias) and Mailcow's refusal to support deployment outside of Docker and their maintainers refusal to engage on the issues raised when they implement changes for no reason other than to break Docker on LXC lead me down a really deep rabbit-hole to build my solution from existing standards and open-source software.


The short-term goal was to get the deployment to actually work (Done), medium term to get some advanced features to work (Done) and ultimately develop an installation script to automate the deployment (Ala iRedMail without the drama).


After finally deploying this in a working state using SOGo, I realized that it would be fairly easy to give the user the choice between SOGo or NextCloud or, if he so chooses, both, so I moved SOGo into a separate section and added a sectoin for NextCloud.


I give thanks, attribution and recognition to the following projects which gave sufficient insight into making all of these disparate products work:


  1. The original ISPMail tutorial (I suggest this as a great starting point) which expertly describes the disparate technologies and how they are brought together in the modern email server.
  2. PostfixAdmin Guidle for ISPMail to get PostfixAdmin to work on earlier Debian versions, however does not describe the deployment steps in sufficient detail for a complete newbie to use on a fresh Debian 11 system.
  3. This tutorial on vogan which got me moving in the right direction for getting IMAP Mailbox Sharing to work (It's all ACL's and Databases and finally working, however as NextCloud does not support mailbox sharing, this only works in SOGo for now).
  4. The SOGo Installation Guide which, while not very well written, does get you there in the end.
  5. This tutorial from ComputingForGeeks, which has a few minor errors and deviations from best practices which I have changed here.


So let's get started with this process, again, if you want to understand the steps involved in getting a working Email Server off the ground, read the ISPMail tutorial, this is not about holding your hand, it's about getting your server working.


Why Debian 11?


Because it's what I prefer for server deployments, stable and mostly secure, if you want to use any other distro, you can, but I chose Debian and I also chose to use only the official Debian repos because, again, stability is the most important aspect in deploying servers. I have used these same steps to deploy to Arch and Fedora, with the relevant changes for each distro and it works.


Conventions


To make this guide more universal, I am using some conventions which therefore assumes the following, you can replace the conventional terms with those you will be deploying. I am also assuming that you have a static IPv4 address pointing to your server and that your existing DNS records are correctly configured. I am also assuming that you are running all of this as root, while this is not absolutely required, if you choose to run as a non-root user with sudo privileges, add sudo in front of each command.



Domain Nameexample.org
Server Name (fqdn)mail.example.org
MX Records (DNS)mail.example.org
Database Namemailserver
Database Read-Only Usermailserver@127.0.0.1
Database Read-Only Password{userpassword}
Database Admin Usermailadmin@localhost
Database Admin Password{adminpassword}

In order to get secure passwords, use https://passwordsgenerator.net/ make sure that you exclude special characters when generating the passwords to avoid problems in .config files, I suggest 30 character long passwords as this will play nicely with the relevant hashed password length for the database.


What Are We Installing?


Debian ships with nano by default (I know VIM could be better, but I prefer the interface and simplicity of nano, the memes regarding VIM say enough). We will assume a fresh base install of Debian 11 (Bullseye) and will be installing the following additional packages (And their dependencies):


  1. Debian 11 (GNU/Linux OS)
  2. MariaDB (Database Server)
  3. Postfix (Mail Server)
  4. Dovecot (Mailbox Server)
  5. Apache (Webserver, properly apache2)
  6. PHP (Scripting Language)
  7. Redis (Caching Server)
  8. Rspamd (Spam Filter Server - Optional)
  9. Certbot (LetsEncrypt SSL Certificate Provider)
  10. SOGo (Groupware Software including IMAP client - Optional)
  11. NextCLoud (Cloud File Server with support for Mail through an IMAP Client plugin - Optional)


A huge thank you to the developers and maintainers of each of the above packages, without whom, none of this would work. Seriously, support these people.


For those who do not want to use Apache, I am adding sample Virtual Host configs for NginX, this is optional, I intend to remove Apache from this guide in the future and rely solely on NginX as it is much better suited to this kind of work.


Ensure that we are starting with an up to date server


Before any task, I always recommend making sure that all your installed packages are up to date, this will minimize negative interactions when running installation steps.

apt update && apt upgrade -y


Install required packages


This installs all the packages we require to get everything to work:

apt install mariadb-server postfix postfix-mysql apache2 php php-{imap,mbstring,mysql} rspamd redis-server certbot dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved dovecot-lmtpd ca-certificates -y


Prepare MariaDB


We need to create the mailserver database, as well as give permissions to both an admin user and a read-only user, note that the admin user is only given rights on localhost, while the read-only user is given rights via 127.0.0.1, this is important.

mysql


CREATE DATABASE mailserver;


GRANT ALL ON mailserver.* TO 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';


GRANT SELECT ON mailserver.* to 'mailserver'@'127.0.0.1' IDENTIFIED BY '{userpassword}';


CREATE DATABASE mailshares;


GRANT ALL ON mailshares.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';


FLUSH PRIVILEGES;


quit


Configure Apache Webserver and get a LetsEncrypt SSL Certificate


Eventually I would like to move over to NginX for this, however deploying on Apache is easier at a small perormance cost and will work fine for our purposes until I can figure out the NginX recipe for the same deployment.


  1. Enable required Apache modules:
a2enmod ssl rewrite headers proxy proxy_http
  1. Disable the Apache default site:
a2dissite 000-default.conf
  1. Remove the Apache default site config file:
rm /etc/apache2/sites-available/*.conf
  1. Create the intial config for the new apache2 site:
  2. We are using the fqdn of the mailserver, mail.example.org, feel free to use your own fqdn, the only thing that actually matters is that it is in the right folder and ends as .conf
nano /etc/apache2/sites-available/mail.example.org-http.conf
  1. Make sure that the contents look like this:
<VirtualHost *:80>
  ServerName mail.example.org
  DocumentRoot /var/www/html
</VirtualHost>
  1. Enable your newly created site:
a2ensite mail.example.org
  1. Restart Apache:
systemctl restart apache2
  1. Get your SSL Certificate from LetsEncrypt:
certbot certonly --webroot --webroot-path /var/www/html -d mail.example.org --agree-tos --email admin@example.org
  1. Give the apache user (www-data) access to the certificates:
  2. This is necessary to address a known issue with PostfixAdmin:
usermod -aG dovecot www-data


chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem


chown www-data:www-data /etc/letsencrypt/live


chown www-data:www-data /etc/letsencrypt/archive
  1. Configure Certbot Post-Hook:
  2. This will have Certbot update ownership of the certificates and restart the mailserver whenever the certificate is updated:
nano /etc/letsencrypt/cli.ini
  1. Add the following to the end of the file:
post-hook = chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem && chown www-data:www-data /etc/letsencrypt/live && chown www-data:www-data /etc/letsencrypt/archive && systemctl restart postfix dovecot apache2
  1. Make a autoconfig-mail file:
  2. This works with Mozilla Thunderbird, if nothing else, to give you a reference when deploying users. Make a note of the contents of this file as well, these are the IMAP and SMTP client configurations we are going to configure later.
mkdir /var/www/html/autoconfig-mail


chown www-data /var/www/html/autoconfig-mail/


nano /var/www/html/autoconfig-mail/config-v1.1.xml
  1. Paste the following contents into the new file:
<?xml version="1.0" encoding="UTF-8"?>

<clientConfig version="1.1">
  <emailProvider id="My Mail Server">
    <domain>example.org</domain>
    <displayName>My Mail Server</displayName>
    <displayShortName>Mailserver</displayShortName>
    <incomingServer type="imap">
      <hostname>mail.example.org</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.org</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
  1. Create the SSL version of your site config file:
  2. This is the one which will direct all your website traffic to the appropriate apps:
nano /etc/apache2/sites-available/mail.example.org-https.conf
  1. Paste the following contents there, this will be the site which points to all the apps we will be deploying in this guide:
<VirtualHost *:443>
 ServerName mail.example.org
 DocumentRoot /var/www/html
 <Location /rspamd>
  Require all granted
 </Location>
 RewriteEngine On
 RewriteRule ^/rspamd$ /rspamd/ [R,L]
 RewriteRule ^/rspamd/(.*) http://localhost:11334/$1 [P,L]
 Alias /.well-known/autoconfig/mail /var/www/html/autoconfig-mail
 Alias /admin /srv/postfixadmin/public
 <Location /admin>
   Options FollowSymLinks
   AllowOverride All
   Require all granted
 </Location>
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/mail.example.org/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.org/privkey.pem
</VirtualHost>
  1. Let's enable this site:
a2ensite mail.example.org-https
  1. And now let's direct all non-SSL traffic to the secured SSL site:
nano /etc/apache2/sites-available/mail.example.org-http.conf
  1. And edit the file to include the redirects:
<VirtualHost *:80>
 ServerName mail.example.org
 DocumentRoot /var/www/html
 RewriteEngine On
 RewriteCond %{REQUEST_URI} !.well-known/acme-challenge
 RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
</VirtualHost>
  1. Finally, reload the Apache configs:
  2. This ensures that Apache starts serving the, now secure, website for your mailserver:
systemctl reload apache2


Install PostfixAdmin and let it create the required database tables we will be using for our installation


Note, that since we haven't configured Dovevot to use the SSL certificates yet, you CAN NOT CREATE AN ADMIN USER YET!!!


  1. Download the latest version of PostfixAdmin:
  2. Grab the latest version from their GitHub repo and move it to the an appropriate folder, at the time of writing this, version 3.3.10 was the latest:
wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.11.tar.gz


tar -zxvf postfixadmin.tgz


mv postfixadmin-postfixadmin-3.3.10 /srv/postfixadmin


rm postfixadmin.tgz
  1. Create the required templates_c folder and give Apache privileges to write to it:
mkdir -p /srv/postfixadmin/templates_c


chown -R www-data /srv/postfixadmin/templates_c
  1. Create the required config.local.php file with the following contents:
  2. We will change it in step 5 below once we have generated a secure password hash:
nano /srv/postfixadmin/config.local.php
  1. And Edit it to work with your database configured earlier {adminpassword} is the one you configured in MariaDB:
<?php
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mailadmin';
$CONF['database_password'] = '{adminpassword}';
$CONF['database_name'] = 'mailserver';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['new_quota_table'] = 'YES';
$CONF['default_aliases'] = array (
'abuse' => 'abuse@example.org',
'hostmaster' => 'hostmaster@example.org',
'postmaster' => 'postmaster@example.org',
'webmaster' => 'webmaster@example.org');
$CONF['footer_text'] = 'Return to mail.example.org';
$CONF['footer_link'] = 'https://mail.example.org';
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['configured'] = true;
?>
  1. Get a Secure Setup Password:
  2. On your webbrowser, browse to https://mail.example.org/admin/setup.php and enter a secure Setup Password, it will show you a configuration string which you need to copy into your .conf file, it will look something like this:
$CONF['setup_password'] = '{Some Secure Password String}';
  1. Configure the Setup Password in the PostfixAdmin config file you created in step 3 above:
nano /srv/postfixadmin/config.local.php
  1. Paste the string from step 4 above so your file should now look something like this:
<?php
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mailadmin';
$CONF['database_password'] = '{adminpassword}';
$CONF['database_name'] = 'mailserver';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['new_quota_table'] = 'YES';
$CONF['default_aliases'] = array (
'abuse' => 'abuse@example.org',
'hostmaster' => 'hostmaster@example.org',
'postmaster' => 'postmaster@example.org',
'webmaster' => 'webmaster@example.org');
$CONF['footer_text'] = 'Return to mail.example.org';
$CONF['footer_link'] = 'https://mail.example.org';
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['setup_password'] = '{Some Secure Password String}';
$CONF['configured'] = true;
?>
  1. Allow PostfixAdmin to deploy your database tables for you:
  2. From your webbrowser, browse back to https://mail.example.org/admin/setup.php and login in with the Setup Password you used to create the secure string in step 4. It will tell you that there's a problem with the encryption, that is fine, it will still generate the tables in your database (You will see a string saying that tables were successfully updated or, are up to date). For now, we are done with this, once we have finished configuring Dovecot, the error regarding the password will be resolved.
  3. Optional - NginX virtual host .conf file for PostfixAdmin as subdomain
server {
    server_name postfixadmin.example.org;
    root /srv/postfixadmin/public;
    error_log /var/log/nginx/postfixadmin_error.log;
    access_log /var/log/nginx/postfixadmin_access.log;
    index index.php;

    location ~* \.php$ {
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         if (!-f $document_root$fastcgi_script_name) {return 404;}
         fastcgi_pass  unix:/run/php/php7.2-fpm.sock;
         fastcgi_index index.php;
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/postfixadmin.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;


    ssl_trusted_certificate /etc/letsencrypt/live/postfixadmin.example.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

}
server {
    if ($host = postfixadmin.example.org) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name postfixadmin.example.org;
    error_log /var/log/nginx/postfixadmin_error.log;
    access_log /var/log/nginx/postfixadmin_access.log;
}


Configure Postfix


  1. Configure Postfix to Map mailboxes to the Database
  2. Earlier we configured a database in MariaDB and then populated that database with tables with PostfixAdmin. We need Postfix to actually use the data in those databases and therefore, we need to tell it where the database is as well as which fields it needs to get from each table.
  3. a. Virtual Domains
  4. Virtual Domains are simply the Domains for which your mailserver accepts email (example.org or as many other as you want to add), we need to tell Postfix which domains it is allowed to accept mail for so we need to create a MAP file:
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
  1. And configure it as follows (Again, use your {userpassword}):
user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domain WHERE domain='%s'
  1. Now tell Postfix that this is the MAP file:
postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
  1. b. Virtual Mailboxes
  2. A Virtual Mailbox is basically the mail user' (user@example.org) specific mailbox, so again, like in step a above, we need to tell Postfix how to verify the mailboxes:
nano /etc/postfix/mysql-virtual-mailbox-maps.cf
  1. Configure this file as follows:
user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM mailbox WHERE username='%s'
  1. And tell Postfix to use this MAP:
postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
  1. c. Virtual Aliases
  2. A Virtual Alias is where we configure an alias (or an internal mailing list) so that an emali sent to alias@example.org will be received by any users configured to that alias. You can create an alias in PostfixAdmin.
nano /etc/postfix/mysql-virtual-alias-maps.cf
  1. Configure this file as follows:
user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT goto FROM alias WHERE address='%s'
  1. And tell Postfix to use this MAP:
postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf
  1. d. Email2Email
  2. This will allow a logged-in user to be able to send email as another user on the domain (Mailbox Delegation).
nano /etc/postfix/mysql-email2email.cf
  1. Configure the file as follows:
user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT username FROM mailbox WHERE username='%s'
  1. And tell Postfix to use this MAP:
postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
  1. e. Set Permissions for these files
  2. We need Postfix to have access to these files in order to use them, so we change permissions as follows:
chgrp postfix /etc/postfix/mysql-*.cf


chmod u=rw,g=r,o= /etc/postfix/mysql-*.cf


Configure Dovecot


Dovecot does all the important mail handling, moving emails to the appropriate users folder and we need to make some changes so that we don't use systemmail (Where each user must be a specific PAM user) but rather use vmail.


  1. Create vmail user and group
  2. We want to use UID 5000 for this, so make sure that it is not used (On a clean install this should not be an issue).
groupadd -g 5000 vmail


useradd -g vmail -u 5000 vmail -d /var/vmail -m


chown -R vmail:vmail /var/vmail
  1. Configure Dovecot
  2. Dovecot has several .conf files stored in /etc/dovecot/conf.d/ and we will be modifying some of these to enable the plugins we will be using in our deployment.
  3. a. User Authentication:
nano /etc/dovecot/conf.d/10-auth.conf
  1. Find and edit the auth_mechanisms line:
auth_mechanisms = plain login
  1. And at the bottom, comment out the !include auth-system.conf.ext line and uncomment the !include auth-sql.conf.ext lines:
#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext
  1. b. Mail Directory Format:
nano /etc/dovecot/conf.d/10-mail.conf
  1. Edit the mail_location line to resemble the below:
mail_location = maildir:~/Maildir
  1. Modify the namespace inbox { line section to resemble this:
namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}
  1. Uncomment and edit the mail_privileged_group line:
mail_privileged_group = mail
  1. Also Uncomment and edit the mail_plugins line:
mail_plugins = quota
  1. c. Master Config File
nano /etc/dovecot/conf.d/10-master.conf
  1. Here we need to edit the service lmtp and service auth sections as follows:
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  1. And add the following at the end of the file (This is for PostfixAdmin):
service stats {
  unix_listener stats-reader {
    user = www-data
    group = www-data
    mode = 0660
}
  unix_listener stats-writer {
    user = www-data
    group = www-data
    mode = 0660
  }
}
  1. d. SSL Configuration
nano /etc/dovecot/conf.d/10-ssl.conf
  1. Edit the following three lines to match our configuration:
ssl = required

ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem
  1. e. SQL Connection
  2. We need to tell Dovecot to authenticate against our MariaDB database:
nano /etc/dovecot/dovecot-sql.conf.ext
  1. Add the following to the end of the file (Again, note the {userpassword}):
driver = mysql
 connect = \
 host=127.0.0.1 \
 dbname=mailserver \
 user=mailserver \
 password={userpassword}
user_query = SELECT username as user, \
concat('*:bytes=', quota) AS quota_rule, \
'/var/vmail/%d/%n' AS home, \
5000 AS uid, 5000 AS gid \
FROM mailbox WHERE username='%u'
password_query = SELECT password FROM mailbox WHERE username='%u'
iterate_query = SELECT username AS user FROM mailbox
  1. Since we don't want this password to leak to non-root users:
chown root:root /etc/dovecot/dovecot-sql.conf.ext


chmod go= /etc/dovecot/dovecot-sql.conf.ext
  1. f. Map Virtual Mail Folders for Outlook (And SOGo) Compatibility:
  2. If you look at our sogo.conf file later in this tutorial, you will note the fields SOGoSentFolderName, SOGoTrashFolderName and SOGoJunkFolderName are mapped to Microsoft Outlook style names, well, we should tell Dovecot to "Alias" these folders to IMAP standard folders as well:
nano /etc/dovecot/conf.d/15-mailboxes.conf
  1. You can add these lines below the mailbox "Sent Mail" mapping:
mailbox "Sent Items" {
    special_use = \Sent
  }

mailbox "Junk Email" {
    special_use = \Junk
  }

mailbox "Deleted Items" {
    special_use = \Trash
  }
  1. g. Configure lmtp
postconf virtual_transport=lmtp:unix:private/dovecot-lmtp
  1. Edit the lmtp.conf file:
nano /etc/dovecot/conf.d/20-lmtp.conf
  1. In the protocol lmtp { section, edit the mail_plugins line as follows:
mail_plugins = $mail_plugins sieve
  1. h. Configure Quotas
  2. We need to configure Quotas to work, which is used to set storage limits per user in PostfixAdmin:
nano /etc/dovecot/conf.d/90-quota.conf
  1. Edit any plugin { section to look like this:
plugin {
  quota = maildir:User quota
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
}
  1. Add the following new sections:
service quota-status {
  executable = /usr/lib/dovecot/quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    user = postfix
  }
}

plugin {
 quota_warning = storage=95%% quota-warning 95 %u
 quota_warning2 = storage=80%% quota-warning 80 %u
}
service quota-warning {
   executable = script /usr/local/bin/quota-warning.sh
   unix_listener quota-warning {
     user = vmail
     group = vmail
     mode = 0660
   }
}
  1. Create a shell script to set the email which will be sent to your users when they approach or reach thier quota:
nano /usr/local/bin/quota-warning.sh
  1. And make it look like this (Note tha From: email line, change this to your postmaster address):
#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
From: postmaster@example.org
Subject: Quota warning - $PERCENT% reached

Your mailbox can only store a limited amount of emails.
Currently it is $PERCENT% full. If you reach 100% then
new emails cannot be stored. Thanks for your understanding.
EOF
  1. Make this file executable:
chmod +x /usr/local/bin/quota-warning.sh
  1. i. Restart Dovecot
systemctl restart dovecot


Finalize Postfix Configuration


Now that we have Dovecot configured, we can finalize our Postfix configuration.

  1. Enable some Postfix configurations:
  2. Remember to substitute your fqdn in these commands where mail.example.org appears:
postconf smtpd_sasl_type=dovecot


postconf smtpd_sasl_path=private/auth


postconf smtpd_sasl_auth_enable=yes


postconf smtpd_tls_security_level=may


postconf smtpd_tls_auth_only=yes


postconf smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.org/fullchain.pem


postconf smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.org/privkey.pem


postconf smtp_tls_security_level=may
  1. Make some changes to the Postfix master.cf file:
nano /etc/postfix/master.cf
  1. Uncomment the submission inet line and uncomment the listed options, note, the indentation is important, only delete the preceding # and not any spaces:
submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_reject_unlisted_recipient=no
 -o smtpd_recipient_restrictions=
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
  1. Enable our configurations:
postconf smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf


postconf inet_interfaces=all


postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'


postconf smtpd_milters=inet:127.0.0.1:11332


postconf non_smtpd_milters=inet:127.0.0.1:11332


postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
  1. Restart Postfix
systemctl restart postfix

Configure Rspamd - Optional


Rspamd is a very good Spam Filter, we need to make some configurations to allow Rspamd to work with Dovecot and our Sieve Plugin.

  1. Set "Sensitivity" for Rspamd to be quite permissive
  2. Create a new actions.conf file:
nano /etc/rspamd/local.d/actions.conf
  1. Make the settings:
reject = 150;
add_header = 6;
greylist = 4;
  1. Enable Extended Headers
  2. This will allow RSAPMD to add fields to the email headers which will tell recipients that the email is trusted (Subject to DKIM being configured).
  3. Create a milter_headers.conf file:
nano /etc/rspamd/override.d/milter_headers.conf
  1. Enter the following strings:

backend = "redis";
extended_spam_headers = true;
  1. Configure Dovecot's Sieve plugin
  2. We want Dovecot to filter messages flagged as Spam to the user's Junk folder, so we need to configure this:
  3. a. Enable the use of a sieve-after folder:
nano /etc/dovecot/conf.d/90-sieve.conf
  1. Uncomment and Edit the sieve_after string:
sieve_after = /etc/dovecot/sieve-after
  1. b. Create the sieve-after folder as configured in step a. above, and create a spam-to-folder sieve instruction:
mkdir /etc/dovecot/sieve-after
  1. Create spam-to-folder.sieve file:
nano /etc/dovecot/sieve-after/spam-to-folder.sieve
  1. And add the following string:
require ["fileinto"];
if header :contains "X-Spam" "Yes" {
 fileinto "Junk";
 stop;
}
  1. Now convert this human-readable file to a sieve instruction:
sievec /etc/dovecot/sieve-after/spam-to-folder.sieve
  1. Configure Redis to use UNIX Socket (Speed):
  2. Edit the redis.conf file to disable TCP sockets and enable the UNIX socket:
nano /etc/redis/redis.conf
  1. Set the TCP Port to 0 (Disable listening on TCP):
port 0
  1. Uncomment the Unix Socket Lines:
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770
  1. Grant Redis privileges to _rspamd:
userdmod -aG redis _rspamd
  1. Configure Rspamd Redis server:
  2. Create a file so Rspamd knows where to find Redis:
nano /etc/rspamd/override.d/redis.conf
  1. And enter the following line:
servers = "/var/run/redis/redis-server.sock";
  1. Restart Rspamd:
systemctl restart rspamd
  1. Configure Rspamd to learn
  2. Rspamd can learn to identify spam by monitoring user actions (When users move an email to their Junk folder, it will be marked as ham, and if this action is repeated by other users, it will be marked as Spam).
  3. a. Enable learning:
nano /etc/rspamd/override.d/classifier-bayes.conf
  1. Paste these lines to the file:
backend = "redis";
autolearn = true;
  1. b. Configure the Dovecot Sieve plugin for IMAP folders:
nano /etc/dovecot/conf.d/20-imap.conf
  1. Uncomment and edit the mail_plugins line:
mail_plugins = $mail_plugins quota imap_sieve
  1. c. Configure the Dovecot Sieve plugin:
nano /etc/dovecot/conf.d/90-sieve.conf
  1. Add the following lines in the plugin { section:
# From elsewhere to Junk folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve

# From Junk folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve

sieve_pipe_bin_dir = /etc/dovecot/sieve
sieve_global_extensions = +vnd.dovecot.pipe
sieve_plugins = sieve_imapsieve sieve_extprograms
  1. d. Create the Dovecot sieve folder:
mkdir /etc/dovecot/sieve
  1. e. Create Sieve files:
  2. Create a learn-spam file:
nano /etc/dovecot/sieve/learn-spam.sieve
  1. Enter the following strings:
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-learn-spam.sh";
  1. Create a learn-ham file:
nano /etc/dovecot/sieve/learn-ham.sieve
  1. Enter the following strings:
require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
if string "${mailbox}" "Trash" {
  stop;
}
pipe :copy "rspamd-learn-ham.sh";
  1. f. Restart Dovecot
systemctl restart dovecot
  1. g. Convert sieve files
sievec /etc/dovecot/sieve/learn-spam.sieve
sievec /etc/dovecot/sieve/learn-ham.sieve
chmod u=rw,go= /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}
chown vmail.vmail /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}
  1. h. Create Learning Scripts for Rspamd
  2. Create learn-spam.sh
nano /etc/dovecot/sieve/rspamd-learn-spam.sh
  1. Enter following script:
#!/bin/sh
exec /usr/bin/rspamc learn_spam
  1. Create learn-ham.sh
nano /etc/dovecot/sieve/rspamd-learn-ham.sh
  1. Enter following script:
#!/bin/sh
exec /usr/bin/rspamc learn_ham
  1. Make these .sh files executible by the vmail user:
chmod u=rwx,go= /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh
chown vmail.vmail /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh
  1. i. Restart Dovecot
systemctl restart dovecot
  1. j. Configure Rspamd Password
  2. Generate password hash:
rspamadm pw
  1. Copy the hashed paswowrd {Rspamd Password Hash} Create the Rspamd controller.inc file:
nano /etc/rspamd/local.d/worker-controller.inc
  1. Edit the file using the hashed password generated above (Note the leading and trailing ":
password = "{Rspamd Password Hash}"
  1. k. Restart Rspamd
systemctl restart rspamd


Configure DKIM - Optional but recommended


DKIM verifies that emails received by other persons and purporting to be from your domain, are, in-fact, from your domain, it relies on a DNS Record with your public key to do this.


  1. Create dkim folder and give Rspamd privileges:
mkdir /var/lib/rspamd/dkim
chown _rspamd:_rspamd /var/lib/rspamd/dkim
  1. Generate DKIM Key
  2. Choose a string of around 8 characters (I use the date on the day, ex. 20220209), we will refer to this as {DKIMKey}:
rspamadm dkim_keygen -d example.org -s {DKIMKey}
  1. Copy the PUBLIC part of the key (p={RANDOM STRING OF NUMBERS}). This should be one uninterrupted line so edit any spaces or linebreaks out. This is your {DKIMPublikKey}
  2. Configure your DNS Server for DKIM
  3. Create a TXT Record in your DNS Server for the maildomain you wish to certify, the name of the record will be:
{DKIMKey}._domainkey.example.org
  1. And the Content of the TXT Record will be {DKIMPublicKey} (including the p= section).
  2. Configure Rspamd to use the DKIM Key:
  3. a. Create the dkim_signing.conf file
nano /etc/rspamd/local.d/dkim_signing.conf
  1. Paste the following strings:
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";
  1. b. Link Rspamd to the DKIM Key you created
  2. Edit dkim_selectors.map:
nano /etc/rspamd/dkim_selectors.map
  1. Enter a string which is based on your domain {DKIMKey}:
example.org {DKIMKey}
  1. c. Reload Rspamd
systemctl reload rspamd


Deploy your first user


You can now login to https://mail.example.org/admin/setup.php with your setup password and create an admin user. Once you have done this, you can browse to https://mail.example.org/admin and login with your admin user created in this step.


From here, you can create your first domain (example.org) and your first mail user (user@example.org) as well as your first alias (alias@example.org) and test that everything works.


Username: user@example.org Password: Whatever you configured for the user

You can login with any IMAP mail client (Microsoft Outlook, Thunderbird, KMail, etc.) and the configurations are:

IMAP Servermail.example.orgPort143
SMTP Servermail.example.orgPort587
EncryptionSTARTTLSTypePlain
WebDAV Addresshttps://mail.example.org/SOGo/dav  

Enable Mailbox Sharing (Currently only works with SOGo as interface)


This is working in SOGo, however NextCloud does not support this functionality. Note that it works interms of the mail server, but there is no way to admin sharing outside of SQL Queries or the SOGo interface at this time.

You can test whether ACLs are working using the following command (to_user being the person with whom the from_user mailbox is shared):

doveadm acl debug -u to_user@example.org  shared/from_user@example.org
  1. Create additional tables in the existing database:
mysql


USE mailshares;


CREATE TABLE user_shares (
 from_user varchar(100) not null,
 to_user varchar(100) not null,
 dummy char(1) DEFAULT '1',    -- always '1' currently
 primary key (from_user, to_user)
 );


CREATE TABLE anyone_shares (
 from_user varchar(100) not null,
 dummy char(1) DEFAULT '1',    -- always '1' currently
 primary key (from_user)
);


QUIT;
  1. Edit Dovecot mail.conf file to enable shared mailboxes:
nano /etc/dovecot/conf.d/10-mail.conf
  1. Uncomment and edit the sample shared namespace section to look like this:
namespace {
 type = shared
 seperator - /
 prefix = shared/%%u/
 # a) Per-user seen flags. Maildir indexes are shared. (INDEXPVT requires v2.2+)
 location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/shared/%%u
 # b) Per-user seen flags. Maildir indexes are not shared. If users have direct filesystem level access to their mails, this is a safer option:
 #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
 subscriptions = no
 list = children
}
  1. Edit the mail_plugins section to enable acl
mail_plugins = quota acl
  1. Configure the Dovecot ACL plugin
nano /etc/dovecot/conf.d/90-acl.conf
  1. Edit it to look as follows:
plugin {
  acl = vfile
}

plugin {
  acl_shared_dict = proxy::acl
}

dict {
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
  1. Enable the dict service in master.conf
nano /etc/dovecot/conf.d/10-master.conf
  1. Uncomment and edit the service dict { section like this:
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
    group = vmail
  }
}
  1. Configure dict-sql-conf.ext
nano /etc/dovecot/dovecot-dict-sql.conf.ext
  1. Uncomment and Edit the file to resemble this:
connect = host=localhost dbname=mailshares user=mailadmin password={adminpassword}

map {
  pattern = shared/shared-boxes/user/$to/$from
  table = user_shares
  value_field = dummy

  fields {
    from_user = $from
    to_user = $to
  }
}

map {
  pattern = shared/shared-boxes/anyone/$from
  table = anyone_shares
  value_field = dummy

  fields {
    from_user = $from
  }
}
  1. Enable imap_acl and acl plugins in imap.conf
nano /etc/dovecot/conf.d/20-imap.conf
  1. Edit the mail_plugins section to resemble this:
mail_plugins = $mail_plugins quota imap_sieve imap_acl acl
  1. Enable acl plugin in lmtp.conf
nano /etc/dovecot/conf.d/20-lmtp.conf
  1. Edit the mail_plugins section to resemble this:
mail_plugins = $mail_plugins quota sieve acl


Enable ClamAV Scanning - Testing (Packages not included in first step)


ClamAV is an opensource Antivirus Scanner and while it is not as effective as some commercial options, integration with Rspamd is quite simple. Antivirus scanning on a mail server by itself is not good enough and a holistic approach to security is still necessary, but every little bit helps.


  1. Install ClamAV Components:
apt install -y clamav clamav-daemon clamav-unofficial-sigs
  1. Configure Rspamd to use ClamAV
nano /etc/rspamd/modules.d/antivirus.conf
  1. Modify file to resemble (This rejects mail with Virus, modify to move to Junk):
clamav {
  scan_mime_parts = false;
  scan_text_mime = true;
  scan_image_mime = true;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "clamd:3310";
  max_size = 20971520;
}
  1. Enable ClamAV daemon
systemctl enable clamav-daemon
  1. Restart Rspamd
systemctl restart rspamd


Enable Firewall with nftables - Testing (Packages not included in first step)

  1. Install nftables:
apt install nftables -y
  1. Change Debian settings to have the iptables command use nftables
update-alternatives --config iptables
  1. Create Firewall Rules file:
nano /etc/nftables.conf
  1. Configuring as follows:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport { ssh, http, https, imap2, imaps, pop3, pop3s, submission, smtp } ct state new accept

    # ICMP: errors, pings
    ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
    # ICMPv6: errors, pings, routing
    ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

    # Reject other packets
    ip protocol tcp reject with tcp reset
  }
}
  1. Have nftables start at boot
systemctl enable nftables
  1. Start nftables
systemctl start nftables


Brute force mitigation with fail2ban - Testing (Packages not included in first step)


We will use fail2ban to monitor various system logs and look for patterns which might suggest abuse. Ideally this will prevent bad actors from gaining access to your system, however it can result in legitimate users being blocked too.


Fail2ban uses "Jails" along with your firewall to block IP addresses that are missbehaving.


You can use fail2ban-client status to see which jails are active, and you can use fail2ban-client status sshd to see which clients are currently rejected and why.


  1. Install fail2ban
apt install fail2ban -y
  1. Restart nftables
systemctl restart nftables
  1. Enable Postfix and Dovecot monitoring to fail2ban
  2. While you can look at /etc/fail2ban/jail.conf for some sample configs for various servers, we need to create a config file for our servers:
nano /etc/fail2ban/jail.local
  1. Making it look like this:
[apache-auth]
enabled = true

[dovecot]
enabled = true
port    = pop3,pop3s,imap2,imaps,submission,465,sieve

[postfix]
enabled = true

[sieve]
enabled = true
  1. Test your config:
fail2ban-server -t
  1. Restart fail2ban
systemctl restart fail2ban


Install SOGo Groupware (Optional)


  1. Install SOGo from default Debian repositories:
apt install sogo -y
  1. Create a database for SOGo specific information (Seperate from the PostfixAdmin Database):
mysql


CREATE DATABASE sogo;


GRANT ALL ON sogo.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';


FLUSH PRIVILEGES;
  1. Create a database view for SOGo:
  2. Firstly, SOGo relies on some specific table columns to authenticate users, since we don't want duplicates and since we want PostfixAdmin to manage users, domains and aliases, we want to make SOGo use this information to authenticate users. To do that, we will create a VIEW, which is like a fake table made up of data from other tables in MariaDB.
mysql


USE mailserver;


CREATE VIEW sogo_view AS SELECT username AS c_uid, username AS c_name, password AS c_password, name AS c_cn, username AS mail FROM mailserver.mailbox;


QUIT;
  1. Configure SOGo:
  2. I suggest going through every line, however key issues will be {adminpassword}, {userpassword} and your timezone (I use Africa/Johannesburg):
nano /etc/sogo/sogo.conf
  1. The Debian standard sogo.conf (For clarity on each of the configurable fields, check out the SOGo Installation Guide) sucks, clear out everything (Don't rm the file unless you know how to fix permissions on a newly created file). Once you are finished, your sogo.conf file will look something like this:
{
  /* *********************  Main SOGo configuration file  **********************
   *                                                                           *
   * Since the content of this file is a dictionary in OpenStep plist format,  *
   * the curly braces enclosing the body of the configuration are mandatory.   *
   * See the Installation Guide for details on the format.                     *
   *                                                                           *
   * C and C++ style comments are supported.                                   *
   *                                                                           *
   * This example configuration contains only a subset of all available        *
   * configuration parameters. Please see the installation guide more details. *
   *                                                                           *
   * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,    *
   * make sure to move it away to avoid unwanted parameter overrides.          *
   *                                                                           *
   * **************************************************************************/

  /* Database configuration (mysql://, postgresql:// or oracle://) */
  SOGoProfileURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_emailalarms_folder";

  OCSStoreURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_store";
  OCSAclURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_acl";
  OCSCacheFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_cache";

  /* Mail */
  SOGoSentFolderName = "Sent Items";
  SOGoTrashFolderName = "Deleted Items";
  SOGoDraftsFolderName = Drafts;
  SOGoJunkFolderName = "Junk Email";
  SOGoIMAPServer = "localhost";
  SOGoSieveServer = "sieve://127.0.0.1:4190";
  SOGoSMTPServer = "smtp://mail.example.org:587/?tls=YES";
  SOGoSMTPAuthenticationType = PLAIN;
  //SOGoMailDomain = acme.com;
  SOGoMailingMechanism = smtp;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoMemcachedhost = 127.0.0.1;
  //SOGoMailSpoolPath = /var/spool/sogo;
  NGImap4ConnectionStringSeparator = "/";
  SOGoIMAPAclConformsToIMAPExt = YES;
  //SOGoMailAuxiliaryUserAccountsEnabled = NO;
  
  /* Calendar Settings */
  SOGoCalendarDefaultRoles = (
       PublicModifier,
       ConfidentialDAndTViewer,
       PrivateDandTViewer,
       ObjectCreator
   );
  SOGoDayStartTime = 8;
  SOGoDayEndTime = 17;
  SOGoFirstDayOfWeek = 1;
  SOGoCalendarEventsDefaultClassification = PUBLIC;
  SOGoCalendarTasksDefaultClassification = PUBLIC;
  

  /* Notifications */
  //SOGoAppointmentSendEMailNotifications = NO;
  SOGoACLsSendEMailNotifications = YES;
  //SOGoFoldersSendEMailNotifications = NO;

  /* Authentication */
  //SOGoPasswordChangeEnabled = YES;

  /* LDAP authentication example */
  //SOGoUserSources = (
  //  {
  //    type = ldap;
  //    CNFieldName = cn;
  //    UIDFieldName = uid;
  //    IDFieldName = uid; // first field of the DN for direct binds
  //    bindFields = (uid, mail); // array of fields to use for indirect binds
  //    baseDN = "ou=users,dc=acme,dc=com";
  //    bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
  //    bindPassword = qwerty;
  //    canAuthenticate = YES;
  //    displayName = "Shared Addresses";
  //    hostname = "ldap://127.0.0.1:389";
  //    id = public;
  //    isAddressBook = YES;
  //  }
  //);

  /* LDAP AD/Samba4 example */
  //SOGoUserSources = (
  //  {
  //    type = ldap;
  //    CNFieldName = cn;
  //    UIDFieldName = sAMAccountName;
  //    baseDN = "CN=users,dc=domain,dc=tld";
  //    bindDN = "CN=sogo,CN=users,DC=domain,DC=tld";
  //    bindFields = (sAMAccountName, mail);
  //    bindPassword = password;
  //    canAuthenticate = YES;
  //    displayName = "Public";
  //    hostname = "ldap://127.0.0.1:389";
  //    filter = "mail = '*'";
  //    id = directory;
  //    isAddressBook = YES;
  //  }
  //);


  /* SQL authentication example */
  /*  These database columns MUST be present in the view/table:
   *    c_uid - will be used for authentication -  it's the username or username@domain.tld)
   *    c_name - which can be identical to c_uid -  will be used to uniquely identify entries
   *    c_password - password of the user, plain-text, md5 or sha encoded for now
   *    c_cn - the user's common name - such as "John Doe"
   *    mail - the user's mail address
   *  See the installation guide for more details
   */
  SOGoUserSources =
    (
      {
        type = sql;
        id = directory;
        viewURL = "mysql://mailserver:{userpassword}@127.0.0.1:3306/mailserver/sogo_view";
        canAuthenticate = YES;
        isAddressBook = YES;
        userPasswordAlgorithm = blf-crypt;
      }
    );

  /* Web Interface */
  SOGoPageTitle = "My Mail Server";
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoMailAuxiliaryUserAccountsEnabled = YES;
  // SOGoTrustProxyAuthentication = NO;
  //SOGoXSRFValidationEnabled = NO;

  /* General - SOGoTimeZone *MUST* be defined */
  SOGoLanguage = English;
  SOGoTimeZone = Africa/Johannesburg;
  //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
  //SxVMemLimit = 384;
  //WOPidFile = "/var/run/sogo/sogo.pid";
  SOGoMemcachedHost = 127.0.0.1;
  
  /* Debug */
  //SOGoDebugRequests = YES;
  //SoDebugBaseURL = YES;
  //ImapDebugEnabled = YES;
  //LDAPDebugEnabled = YES;
  //PGDebugEnabled = YES;
  //MySQL4DebugEnabled = YES;
  //SOGoUIxDebugEnabled = YES;
  //WODontZipResponse = YES;
  //WOLogFile = /var/log/sogo/sogo.log;
}
  1. Restart SOGo
systemctl restart sogo
  1. Create a SOGo cofiguration file for Apache:
nano /etc/apache2/conf-available/SOGo.conf
  1. And Paste the following in there (Note the RedirectMatch line and point to your fqnd, this makes the SOGo app the default app when brosing to https://mail.example.org):
Alias /SOGo.woa/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/

<Directory /usr/lib/GNUstep/SOGo/>
    AllowOverride None

    <IfVersion < 2.4>
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>

    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>

# Don't send the Referer header for cross-origin requests
Header always set Referrer-Policy "same-origin"

## Uncomment the following to enable proxy-side authentication, you will then
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
## below.
#
## For full proxy-side authentication:
#<Location /SOGo>
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#</Location>
#
## For proxy-side authentication only for CardDAV and GroupDAV from external
## clients:
#<Location /SOGo/dav>
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On

# When using CAS, you should uncomment this and install cas-proxy-validate.py
# in /usr/lib/cgi-bin to reduce server overloading
#
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
# <Proxy http://localhost/app/cas-proxy-validate.py>
#   Order deny,allow
#   Allow from your-cas-host-addr
# </Proxy>

# Redirect / to /SOGo
RedirectMatch ^/$ https://mail.example.org/SOGo

# Enable to use Microsoft ActiveSync support
# Note that you MUST have many sogod workers to use ActiveSync.
# See the SOGo Installation and Configuration guide for more details.
#
#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
# retry=60 connectiontimeout=5 timeout=360

ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0 nocanon

<Proxy http://127.0.0.1:20000/SOGo>
## Adjust the following to your configuration
## and make sure to enable the headers module
<IfModule headers_module>
  RequestHeader set "x-webobjects-server-port" "443"
  SetEnvIf Host (.*) HTTP_HOST=$1
  RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
  RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST

## When using proxy-side autentication, you need to uncomment and
## adjust the following line:
  RequestHeader unset "x-webobjects-remote-user"
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER

  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</IfModule>

  AddDefaultCharset UTF-8

  Order allow,deny
  Allow from all
</Proxy>

# For Apple autoconfiguration
<IfModule rewrite_module>
  RewriteEngine On
  RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
  RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
  1. Enable the SOGo Apache configuration:
a2enconf SOGo
  1. Reload Apache Configuration
systemctl reload apache2
  1. That is it, SOGo should now be accessible at https://mail.example.org/SOGo and you should be able to log in with any user created in postfixadmin.
  2. Optional - NginX virtual host .conf file for SOGo as subdomain
server {
  server_name mail.example.org;
  root /usr/lib/GNUstep/SOGo/WebServerResources/;
  error_log /var/log/nginx/sogo_error.log;
  access_log /var/log/nginx/sogo_access.log;
  listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/mail.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

  location = / {
    rewrite ^ https://$server_name/SOGo/;
    allow all;
  }

  location = /principals/ {
    rewrite ^ https://$server_name/SOGo/dav;
    allow all;
  }

  location ^~/SOGo/ {
    proxy_pass "http://127.0.0.1:20000";
    proxy_redirect "http://127.0.0.1:20000" default;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header x-webobjects-server-protocol HTTP/1.1;
    proxy_set_header x-webobjects-remote-host 127.0.0.1;
    proxy_set_header x-webobjects-server-name $server_name;
    proxy_set_header x-webobjects-server-url $scheme://$host;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    client_max_body_size 100m;
    client_body_buffer_size 128k;
    break;
  }

  location /SOGo.woa/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    allow all;
  }

  location /SOGo/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    allow all;
  }

  location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
  }

  location ^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$ {
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
  }
}

server {
  server_name mail.example.org;
  listen 80;
  error_log /var/log/nginx/sogo_error.log;
  access_log /var/log/nginx/sogo_access.log;
  if ($host = mail.example.org) {
      return 301 https://$host$request_uri;
  }
}


Installing NextCloud (Optional)


Note that While NextCloud is not natively an email client, it has apps which include mail. Unfortunately, they do not support mailbox sharing through IMAP, however I'm sure if enough people ask for that feature it will be implemented.


  1. Add some additional dependencies:
  2. We will need some additional PHP modules which the standard installation above doesn't need, as well as sudo (in case you need to manually install a NextCloud Plugin from the command line as www-data user) and unzip to decompress the NextCloud zip file:
apt install php-{cli,xml,zip,curl,gd,cgi} unzip sudo -y
  1. Create a database for NextCloud to use:
mysql


CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'StrongDBP@SSwo$d';


CREATE DATABASE nextcloud;


GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';


FLUSH PRIVILEGES;


QUIT;
  1. Edit the php.ini file:
nano /etc/php/*/apache2/php.ini
  1. And make sure the following lines look correct for your environment:
date.timezone = Africa/Johannesburg
memory_limit = 512M
upload_max_filesize = 500M
post_max_size = 500M
max_execution_time = 300
  1. Add an Alias for NextCloud to your Apache Site:
nano /etc/apache2/sites-available/mail.example.org-https.conf
  1. If you followed this guide, you need to add an Alias and Location block for NextCloud:
<VirtualHost *:443>
 ServerName mail.example.org
 DocumentRoot /var/www/html
 <Location /rspamd>
  Require all granted
 </Location>
 RewriteEngine On
 RewriteRule ^/rspamd$ /rspamd/ [R,L]
 RewriteRule ^/rspamd/(.*) http://localhost:11334/$1 [P,L]
 Alias /.well-known/autoconfig/mail /var/www/html/autoconfig-mail
 Alias /admin /srv/postfixadmin/public
 <Location /admin>
   Options FollowSymLinks
   AllowOverride All
   Require all granted
 </Location>
 Alias /nextcloud /srv/nextcloud
 <Location /nextcloud>
   Require all granted
 </Location>
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/mail.example.org/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.org/privkey.pem
</VirtualHost>
  1. Restart Apache:
systemctl restart apache2
  1. Download the latest version of NextCloud (24.0.3 at the time of writing):
wget https://download.nextcloud.com/server/releases/nextcloud-24.0.3.zip
  1. Unzip the file:
unzip nextcloud-24.0.3.zip
  1. Move the NextCloud folder to your /srv folder:
mv /nextcloud /srv/nextcloud
  1. Fix permissions for the NextCloud Folder:
chown -R www-data:www-data /srv/nextcloud


chmod -R 755 /srv/nextcloud
  1. You should now be able to login to your NextCloud installation at https://mail.example.org/nextcloud, create an admin user, use the database credentials you configured earlier and let it complete the installation. A known bug is that when installation competes it tries to go to the wrong page. Just navigate back to https://mail.example.org/nextcloud and you should be fine.
  2. Install Collabora Online - Built-in CODE Server (Optional, but useful if you want to edit documents online):
  3. This installation generally fails from the apps store in NextCloud due to its size, you can manually install this app as follows using the occ command from the console:
cd /srv/nextcloud


sudo -u www-data php -d memory_limit=512M ./occ app:install richdocumentscode
  1. Optional - NginX virtual host .conf file for NextCloud as subdomain
upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}

server {
    server_name nextcloud.example.org;
    root /srv/nextcloud;
    server_tokens off;
    error_log /var/log/nginx/nextcloud_error.log;
    access_log /var/log/nginx/nextcloud_access.log;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.example.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    client_body_buffer_size 512k;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    fastcgi_hide_header X-Powered-By;
    index index.php index.html /index.php$request_uri;

    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /.well-known {
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
        return 301 /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
    location ~ \.php(?:$|/) {
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;
        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;
        access_log off;
    }

    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

}

server {
    if ($host = nextcloud.example.org) {
        return 301 https://$host$request_uri;
    }
    server_name nextcloud.example.org;
    listen 80;
    error_log /var/log/nginx/nextcloud_error.log;
    access_log /var/log/nginx/nextcloud_access.log;
}


More articles on Groupware

More articles on Groupware
Comments

No comments yet.

Add a comment
Ctrl+Enter to add comment