Debian 11 Groupware Server - LEMP Stack

Installing a mailserver running on Debian 11 (Either as a VM, on bare-metal or in an LXC Container).

Since Google has decided to retire their Google Apps for Business and force migration to their paid Workspace Product, I found the need to migrate some of my deployed domains to a self-hosted Mail Service. My requirements were for a groupware server which can deal with shared calendars, mailboxes and contacts and therefore I developed my earlier guide (Which you can read here).

Solutions like iRedMail insisting on charging for really basic functionality (Alias) and Mailcow's refusal to support deployment outside of Docker and their maintainers refusal to engage on the issues raised when they implement changes for no reason other than to break Docker on LXC lead me down a really deep rabbit-hole to build my solution from existing standards and open-source software.

While my earlier guide got the job done, I have a preference for NninX over Apache and therefore have been tweaking the guide to get this, newer guide, which does not rely on NginX, but also has the added benefit of using the official upstream repos of each of the core applications which are in use and therefore has slightly more updated software.

The short-term goal was to get the deployment to actually work (Done), medium term to get some advanced features to work (Done) and ultimately develop an installation script to automate the deployment (Ala iRedMail without the drama).

After finally deploying this in a working state using SOGo, I realized that it would be fairly easy to give the user the choice between SOGo or NextCloud or, if he so chooses, both, so I moved SOGo into a separate section and added a sectoin for NextCloud. For this installation I am not going to use switches on the same Virtual Host, but rather deploy seperate Virtual Hosts for each relevant application.

I give thanks, attribution and recognition to the following projects which gave sufficient insight into making all of these disparate products work:

1. The original ISPMail tutorial (I suggest this as a great starting point) which expertly describes the disparate technologies and how they are brought together in the modern email server.
2. PostfixAdmin Guide for ISPMail to get PostfixAdmin to work on earlier Debian versions, however does not describe the deployment steps in sufficient detail for a complete newbie to use on a fresh Debian 11 system.
3. This tutorial on vogan which got me moving in the right direction for getting IMAP Mailbox Sharing to work (It's all ACL's and Databases and finally working, however as NextCloud does not support mailbox sharing, this only works in SOGo for now).
4. The SOGo Installation Guide which, while not very well written, does get you there in the end.
5. This tutorial from ComputingForGeeks, which has a few minor errors and deviations from best practices which I have changed here.

So let's get started with this process, again, if you want to understand the steps involved in getting a working Email Server off the ground, read the ISPMail tutorial, this is not about holding your hand, it's about getting your server working.

Why Debian 11?

Because it's what I prefer for server deployments, stable and mostly secure, if you want to use any other distro, you can, but I chose Debian and I also chose to use only the official Maintainer repos where available. I have used these same steps to deploy to Arch and Fedora, with the relevant changes for each distro and it works.

Conventions

To make this guide more universal, I am using some conventions which therefore assumes the following, you can replace the conventional terms with those you will be deploying. I am also assuming that you have a static IPv4 address pointing to your server and that your existing DNS records are correctly configured. I am also assuming that you are running all of this as root, while this is not absolutely required, if you choose to run as a non-root user with sudo privileges, add sudo in front of each command.

In order to get secure passwords, use https://passwordsgenerator.net/ make sure that you exclude special characters when generating the passwords to avoid problems in .config files, I suggest 30 character long passwords as this will play nicely with the relevant hashed password length for the database.

What Are We Installing?

Debian ships with nano by default (I know VIM could be better, but I prefer the interface and simplicity of nano, the memes regarding VIM say enough). We will assume a fresh base install of Debian 11 (Bullseye) and will be installing the following additional packages (And their dependencies):

1. Debian 11 (GNU/Linux OS)
2. MariaDB (Database Server)
3. Postfix (Mail Server)
4. Dovecot (Mailbox Server)
5. NginX (Webserver)
6. PHP (Scripting Language)
7. Redis (Caching Server)
8. Rspamd (Spam Filter Server - Optional)
9. Certbot (LetsEncrypt SSL Certificate Provider)
10. SOGo (Groupware Software including IMAP client)

A huge thank you to the developers and maintainers of each of the above packages, without whom, none of this would work. Seriously, support these people.

For those who do not want to use Apache, I am adding sample Virtual Host configs for NginX, this is optional, I intend to remove Apache from this guide in the future and rely solely on NginX as it is much better suited to this kind of work.

Ensure that we are starting with an up to date server

Before any task, I always recommend making sure that all your installed packages are up to date, this will minimize negative interactions when running installation steps.

apt update && apt upgrade -y

Install the Package Maintainer Repos

As I mentioned earlier, I am going to install the package maintainer versions of some of the key software, however if that is your need, you can ignore this part and move directly to the next one, noting that you will need to amend all the Virtual Host configs to refer to PHP7.2 instead of PHP8.1 as this is what the official Debian Repos contain.

First, let's install some prerequisite software:

apt install lsb-release ca-certificates apt-transport-https software-properties-common gnupg2 curl dirmngr -y

PHP

Add the repo to apt souces with the following command:

echo "deb https://packages.sury.org/php/ bullseye main" | tee /etc/apt/sources.list.d/sury-php.list

Install the GPG Key for this repo:

curl -fsSL  https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/trusted.gpg.d/sury-keyring.gpg

NginX

Add the repo to apt sources with the following command:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] 
http://nginx.org/packages/debian bullseye nginx" 
    | tee /etc/apt/sources.list.d/nginx.list

Install the Signing Key for this repo:

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor 
    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Dovecot

Add the repo to apt sources with the following command:

echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/bullseye bullseye main" | tee /etc/apt/sources.list.d/dovecot.list

Install the Signing Key for this repo:

curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import
gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg

SOGo

Add the repo to apt sources with the following command:

echo "deb https://packages.sogo.nu/nightly/5/debian/ bullseye bullseye" | tee /etc/apt/sources.list.d/sogo.list

Install the Signing Key for this repo:

wget -O- "http://pgp.mit.edu/pks/lookup?op=get&search=0xCB2D3A2AA0030E2C" | gpg --dearmor | apt-key add -
wget -O- "https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9" | gpg --dearmor | apt-key add -

MariaDB

Add the repo to apt sources with the following command:

curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
bash mariadb_repo_setup --os-type=debian  --os-version=bullseye
wget http://ftp.us.debian.org/debian/pool/main/r/readline5/libreadline5_5.2+dfsg-3+b13_amd64.deb
dpkg -i libreadline5_5.2+dfsg-3+b13_amd64.deb

Install required packages

This installs all the packages we require to get everything to work:

apt update && apt install mariadb-server postfix postfix-mysql nginx php8.1 php8.1-{imap,mbstring,mysql,fpm} rspamd redis-server certbot python3-certbot-nginx dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved dovecot-lmtpd sogo -y

Add the nginx user to the www-data group:

usermod -aG www-data nginx

Prepare MariaDB

We need to create the mailserver database, as well as give permissions to both an admin user and a read-only user, note that the admin user is only given rights on localhost, while the read-only user is given rights via 127.0.0.1, this is important.

mysql
CREATE DATABASE mailserver;
GRANT ALL ON mailserver.* TO 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
GRANT SELECT ON mailserver.* to 'mailserver'@'127.0.0.1' IDENTIFIED BY '{userpassword}';
CREATE DATABASE mailshares;
GRANT ALL ON mailshares.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
CREATE DATABASE sogo;
GRANT ALL ON sogo.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
FLUSH PRIVILEGES;
quit

Configure NginX Webserver and get a LetsEncrypt SSL Certificates

Before LetsEncrypt will provide us with free SSL certificates, we need to configure a webserver to listen for the specified subdomains on port 80, to do that, we will create some empty websites (Virtual Hosts):

1. Create a site for mail.example.org:

nano /etc/nginx/conf.d/mail.example.org.conf

1. Edit the file to look like this:

server {
   listen 80;
   server_name mail.example.org;

   root /usr/share/nginx/html;
   index index.html index.htm;
}

1. Create a site for postfixadmin.example.org:

nano /etc/nginx/conf.d/postfixadmin.example.org.conf

1. Edit the file to look like this:

server {
   listen 80;
   server_name postfixadmin.example.org;

   root /usr/share/nginx/html;
   index index.html index.htm;
}

1. Remove the default NginX Virtual Host:

rm /etc/nginx/conf.d/default.conf

1. Enable and Start NginX:

systemctl enable --now nginx

1. Get your SSL Certificates from LetsEncrypt:

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@example.org -d mail.example.org

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@example.com -d postfixadmin.example.org

1. Give the NgninX user (www-data) access to the certificates:

This is necessary to address a known issue with PostfixAdmin:

usermod -aG dovecot www-data
chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem
chown www-data:www-data /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem
chown www-data:www-data /etc/letsencrypt/live
chown www-data:www-data /etc/letsencrypt/archive

1. Configure Certbot Post-Hook:

This will have Certbot update ownership of the certificates and restart the mailserver whenever the certificate is updated:

nano /etc/letsencrypt/cli.ini

1. Add the following to the end of the file:

post-hook = chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem && /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem && chown www-data:www-data /etc/letsencrypt/live && chown www-data:www-data /etc/letsencrypt/archive && systemctl restart postfix dovecot nginx

Install PostfixAdmin and let it create the required database tables we will be using for our installation

Note, that since we haven't configured Dovevot to use the SSL certificates yet, you CAN NOT CREATE AN ADMIN USER YET!!!

1. Download the latest version of PostfixAdmin:

Grab the latest version from their GitHub repo and move it to the an appropriate folder, at the time of writing this, version 3.3.10 was the latest:

wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.13.tar.gz
tar -zxvf postfixadmin.tgz
mv postfixadmin-postfixadmin-3.3.13 /srv/postfixadmin
rm postfixadmin.tgz

1. Create the required templates_c folder and give Apache privileges to write to it:

mkdir -p /srv/postfixadmin/templates_c

chown -R www-data /srv/postfixadmin/templates_c

1. Create the required config.local.php file with the following contents:

We will change it in step 5 below once we have generated a secure password hash:

nano /srv/postfixadmin/config.local.php

1. And Edit it to work with your database configured earlier {adminpassword} is the one you configured in MariaDB:

<?php
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mailadmin';
$CONF['database_password'] = '{adminpassword}';
$CONF['database_name'] = 'mailserver';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['new_quota_table'] = 'YES';
$CONF['default_aliases'] = array (
'abuse' => 'abuse@example.org',
'hostmaster' => 'hostmaster@example.org',
'postmaster' => 'postmaster@example.org',
'webmaster' => 'webmaster@example.org');
$CONF['footer_text'] = 'Return to mail.example.org';
$CONF['footer_link'] = 'https://mail.example.org';
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['configured'] = true;
?>

1. Change Your PostfixAdmin config file:

nano /etc/nginx/conf.d/postfixadmin.example.org.conf

1. And edit it to now look like this:

server {
    server_name postfixadmin.example.org;
    root /srv/postfixadmin/public;
    error_log /var/log/nginx/postfixadmin_error.log;
    access_log /var/log/nginx/postfixadmin_access.log;
    index index.php;

    location ~* .php$ {
         fastcgi_split_path_info ^(.+?.php)(/.*)$;
         if (!-f $document_root$fastcgi_script_name) {return 404;}
         fastcgi_pass  unix:/run/php/php8.1-fpm.sock;
         fastcgi_index index.php;
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/postfixadmin.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;


    ssl_trusted_certificate /etc/letsencrypt/live/postfixadmin.example.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

}
server {
    if ($host = postfixadmin.example.org) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name postfixadmin.example.org;
    error_log /var/log/nginx/postfixadmin_error.log;
    access_log /var/log/nginx/postfixadmin_access.log;
}

1. Reload NginX to accept the new configuration:

systemctl reload nginx

1. Get a Secure Setup Password:

On your webbrowser, browse to https://mail.example.org/setup.php and enter a secure Setup Password, it will show you a configuration string which you need to copy into your .conf file, it will look something like this:

$CONF['setup_password'] = '{Some Secure Password String}';

1. Configure the Setup Password in the PostfixAdmin config file you created in step 3 above:

nano /srv/postfixadmin/config.local.php

1. Paste the string from step 4 above so your file should now look something like this:

<?php
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'mailadmin';
$CONF['database_password'] = '{adminpassword}';
$CONF['database_name'] = 'mailserver';
$CONF['encrypt'] = 'dovecot:BLF-CRYPT';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['new_quota_table'] = 'YES';
$CONF['default_aliases'] = array (
'abuse' => 'abuse@example.org',
'hostmaster' => 'hostmaster@example.org',
'postmaster' => 'postmaster@example.org',
'webmaster' => 'webmaster@example.org');
$CONF['footer_text'] = 'Return to mail.example.org';
$CONF['footer_link'] = 'https://mail.example.org';
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['setup_password'] = '{Some Secure Password String}';
$CONF['configured'] = true;
?>

1. Allow PostfixAdmin to deploy your database tables for you:

From your webbrowser, browse back to https://postfixadmin.example.org/admin/setup.php and login in with the Setup Password you used to create the secure string in step 4. It will tell you that there's a problem with the encryption, that is fine, it will still generate the tables in your database (You will see a string saying that tables were successfully updated or, are up to date). For now, we are done with this, once we have finished configuring Dovecot, the error regarding the password will be resolved.

Configure Postfix

1. Configure Postfix to Map mailboxes to the Database
2. Earlier we configured a database in MariaDB and then populated that database with tables with PostfixAdmin. We need Postfix to actually use the data in those databases and therefore, we need to tell it where the database is as well as which fields it needs to get from each table.
3. a. Virtual Domains
4. Virtual Domains are simply the Domains for which your mailserver accepts email (example.org or as many other as you want to add), we need to tell Postfix which domains it is allowed to accept mail for so we need to create a MAP file:

nano /etc/postfix/mysql-virtual-mailbox-domains.cf

1. And configure it as follows (Again, use your {userpassword}):

user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM domain WHERE domain='%s'

1. Now tell Postfix that this is the MAP file:

postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

1. b. Virtual Mailboxes
2. A Virtual Mailbox is basically the mail user' (user@example.org) specific mailbox, so again, like in step a above, we need to tell Postfix how to verify the mailboxes:

nano /etc/postfix/mysql-virtual-mailbox-maps.cf

1. Configure this file as follows:

user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT 1 FROM mailbox WHERE username='%s'

1. And tell Postfix to use this MAP:

postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

1. c. Virtual Aliases
2. A Virtual Alias is where we configure an alias (or an internal mailing list) so that an emali sent to alias@example.org will be received by any users configured to that alias. You can create an alias in PostfixAdmin.

nano /etc/postfix/mysql-virtual-alias-maps.cf

1. Configure this file as follows:

user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT goto FROM alias WHERE address='%s'

1. And tell Postfix to use this MAP:

postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf

1. d. Email2Email
2. This will allow a logged-in user to be able to send email as another user on the domain (Mailbox Delegation).

nano /etc/postfix/mysql-email2email.cf

1. Configure the file as follows:

user = mailserver
password = {userpassword}
hosts = 127.0.0.1
dbname = mailserver
query = SELECT username FROM mailbox WHERE username='%s'

1. And tell Postfix to use this MAP:

postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf

1. e. Set Permissions for these files
2. We need Postfix to have access to these files in order to use them, so we change permissions as follows:

chgrp postfix /etc/postfix/mysql-*.cf
chmod u=rw,g=r,o= /etc/postfix/mysql-*.cf

Configure Dovecot

Dovecot does all the important mail handling, moving emails to the appropriate users folder and we need to make some changes so that we don't use systemmail (Where each user must be a specific PAM user) but rather use vmail.

1. Create vmail user and group
2. We want to use UID 5000 for this, so make sure that it is not used (On a clean install this should not be an issue).

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/vmail -m
chown -R vmail:vmail /var/vmail

1. Configure Dovecot
2. Dovecot has several .conf files stored in /etc/dovecot/conf.d/ and we will be modifying some of these to enable the plugins we will be using in our deployment.
3. a. User Authentication:

nano /etc/dovecot/conf.d/10-auth.conf

1. Find and edit the auth_mechanisms line:

auth_mechanisms = plain login

1. And at the bottom, comment out the !include auth-system.conf.ext line and uncomment the !include auth-sql.conf.ext lines:

#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

1. b. Mail Directory Format:

nano /etc/dovecot/conf.d/10-mail.conf

1. Edit the mail_location line to resemble the below:

mail_location = maildir:~/Maildir

1. Modify the namespace inbox { line section to resemble this:

namespace inbox {
  type = private
  separator = /
  prefix =
  inbox = yes
}

1. Uncomment and edit the mail_privileged_group line:

mail_privileged_group = mail

1. Also Uncomment and edit the mail_plugins line:

mail_plugins = quota

1. c. Master Config File

nano /etc/dovecot/conf.d/10-master.conf

1. Here we need to edit the service lmtp and service auth sections as follows:

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

1. And add the following at the end of the file (This is for PostfixAdmin):

service stats {
  unix_listener stats-reader {
    user = www-data
    group = www-data
    mode = 0660
}
  unix_listener stats-writer {
    user = www-data
    group = www-data
    mode = 0660
  }
}

1. d. SSL Configuration

nano /etc/dovecot/conf.d/10-ssl.conf

1. Edit the following three lines to match our configuration:

ssl = required

ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem

1. e. SQL Connection
2. We need to tell Dovecot to authenticate against our MariaDB database:

nano /etc/dovecot/dovecot-sql.conf.ext

1. Add the following to the end of the file (Again, note the {userpassword}):

driver = mysql
 connect = 
 host=127.0.0.1 
 dbname=mailserver 
 user=mailserver 
 password={userpassword}
user_query = SELECT username as user, 
concat('*:bytes=', quota) AS quota_rule, 
'/var/vmail/%d/%n' AS home, 
5000 AS uid, 5000 AS gid 
FROM mailbox WHERE username='%u'
password_query = SELECT password FROM mailbox WHERE username='%u'
iterate_query = SELECT username AS user FROM mailbox

1. Since we don't want this password to leak to non-root users:

chown root:root /etc/dovecot/dovecot-sql.conf.ext

chmod go= /etc/dovecot/dovecot-sql.conf.ext

1. f. Map Virtual Mail Folders for Outlook (And SOGo) Compatibility:
2. If you look at our sogo.conf file later in this tutorial, you will note the fields SOGoSentFolderName, SOGoTrashFolderName and SOGoJunkFolderName are mapped to Microsoft Outlook style names, well, we should tell Dovecot to "Alias" these folders to IMAP standard folders as well:

nano /etc/dovecot/conf.d/15-mailboxes.conf

1. You can add these lines below the mailbox "Sent Mail" mapping:

mailbox "Sent Items" {
    special_use = Sent
  }

mailbox "Junk Email" {
    special_use = Junk
  }

mailbox "Deleted Items" {
    special_use = Trash
  }

1. g. Configure lmtp

postconf virtual_transport=lmtp:unix:private/dovecot-lmtp

1. Edit the lmtp.conf file:

nano /etc/dovecot/conf.d/20-lmtp.conf

1. In the protocol lmtp { section, edit the mail_plugins line as follows:

mail_plugins = $mail_plugins sieve

1. h. Configure Quotas
2. We need to configure Quotas to work, which is used to set storage limits per user in PostfixAdmin:

nano /etc/dovecot/conf.d/90-quota.conf

1. Edit any plugin { section to look like this:

plugin {
  quota = maildir:User quota
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
}

1. Add the following new sections:

service quota-status {
  executable = /usr/lib/dovecot/quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    user = postfix
  }
}

plugin {
 quota_warning = storage=95%% quota-warning 95 %u
 quota_warning2 = storage=80%% quota-warning 80 %u
}
service quota-warning {
   executable = script /usr/local/bin/quota-warning.sh
   unix_listener quota-warning {
     user = vmail
     group = vmail
     mode = 0660
   }
}

1. Create a shell script to set the email which will be sent to your users when they approach or reach thier quota:

nano /usr/local/bin/quota-warning.sh

1. And make it look like this (Note tha From: email line, change this to your postmaster address):

#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
From: postmaster@example.org
Subject: Quota warning - $PERCENT% reached

Your mailbox can only store a limited amount of emails.
Currently it is $PERCENT% full. If you reach 100% then
new emails cannot be stored. Thanks for your understanding.
EOF

1. Make this file executable:

chmod +x /usr/local/bin/quota-warning.sh

1. i. Restart Dovecot

systemctl restart dovecot

Finalize Postfix Configuration

Now that we have Dovecot configured, we can finalize our Postfix configuration.

1. Enable some Postfix configurations:
2. Remember to substitute your fqdn in these commands where mail.example.org appears:

postconf smtpd_sasl_type=dovecot

postconf smtpd_sasl_path=private/auth

postconf smtpd_sasl_auth_enable=yes

postconf smtpd_tls_security_level=may

postconf smtpd_tls_auth_only=yes

postconf smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.org/fullchain.pem

postconf smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.org/privkey.pem

postconf smtp_tls_security_level=may

1. Make some changes to the Postfix master.cf file:

nano /etc/postfix/master.cf

1. Uncomment the submission inet line and uncomment the listed options, note, the indentation is important, only delete the preceding # and not any spaces:

submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_reject_unlisted_recipient=no
 -o smtpd_recipient_restrictions=
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING

1. Enable our configurations:

postconf smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
postconf inet_interfaces=all
postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'
postconf smtpd_milters=inet:127.0.0.1:11332
postconf non_smtpd_milters=inet:127.0.0.1:11332
postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"

1. Restart Postfix

systemctl restart postfix

Configure Rspamd

Rspamd is a very good Spam Filter, we need to make some configurations to allow Rspamd to work with Dovecot and our Sieve Plugin.

1. Set "Sensitivity" for Rspamd to be quite permissive
2. Create a new actions.conf file:

nano /etc/rspamd/local.d/actions.conf

1. Make the settings:

reject = 150;
add_header = 6;
greylist = 4;

1. Enable Extended Headers
2. This will allow RSAPMD to add fields to the email headers which will tell recipients that the email is trusted (Subject to DKIM being configured).
3. Create a milter_headers.conf file:

nano /etc/rspamd/override.d/milter_headers.conf

1. Enter the following strings:

backend = "redis";
extended_spam_headers = true;

1. Configure Dovecot's Sieve plugin
2. We want Dovecot to filter messages flagged as Spam to the user's Junk folder, so we need to configure this:
3. a. Enable the use of a sieve-after folder:

nano /etc/dovecot/conf.d/90-sieve.conf

1. Uncomment and Edit the sieve_after string:

sieve_after = /etc/dovecot/sieve-after

1. b. Create the sieve-after folder as configured in step a. above, and create a spam-to-folder sieve instruction:

mkdir /etc/dovecot/sieve-after

1. Create spam-to-folder.sieve file:

nano /etc/dovecot/sieve-after/spam-to-folder.sieve

1. And add the following string:

require ["fileinto"];
if header :contains "X-Spam" "Yes" {
 fileinto "Junk";
 stop;
}

1. Now convert this human-readable file to a sieve instruction:

sievec /etc/dovecot/sieve-after/spam-to-folder.sieve

1. Configure Redis to use UNIX Socket (Speed):
2. Edit the redis.conf file to disable TCP sockets and enable the UNIX socket:

nano /etc/redis/redis.conf

1. Set the TCP Port to 0 (Disable listening on TCP):

port 0

1. Uncomment the Unix Socket Lines:

unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770

1. Grant Redis privileges to _rspamd:

userdmod -aG redis _rspamd

1. Configure Rspamd Redis server:
2. Create a file so Rspamd knows where to find Redis:

nano /etc/rspamd/override.d/redis.conf

1. And enter the following line:

servers = "/var/run/redis/redis-server.sock";

1. Restart Rspamd:

systemctl restart rspamd

1. Configure Rspamd to learn
2. Rspamd can learn to identify spam by monitoring user actions (When users move an email to their Junk folder, it will be marked as ham, and if this action is repeated by other users, it will be marked as Spam).
3. a. Enable learning:

nano /etc/rspamd/override.d/classifier-bayes.conf

1. Paste these lines to the file:

backend = "redis";
autolearn = true;

1. b. Configure the Dovecot Sieve plugin for IMAP folders:

nano /etc/dovecot/conf.d/20-imap.conf

1. Uncomment and edit the mail_plugins line:

mail_plugins = $mail_plugins quota imap_sieve

1. c. Configure the Dovecot Sieve plugin:

nano /etc/dovecot/conf.d/90-sieve.conf

1. Add the following lines in the plugin { section:

# From elsewhere to Junk folder
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve

# From Junk folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve

sieve_pipe_bin_dir = /etc/dovecot/sieve
sieve_global_extensions = +vnd.dovecot.pipe
sieve_plugins = sieve_imapsieve sieve_extprograms

1. d. Create the Dovecot sieve folder:

mkdir /etc/dovecot/sieve

1. e. Create Sieve files:
2. Create a learn-spam file:

nano /etc/dovecot/sieve/learn-spam.sieve

1. Enter the following strings:

require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamd-learn-spam.sh";

1. Create a learn-ham file:

nano /etc/dovecot/sieve/learn-ham.sieve

1. Enter the following strings:

require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
if string "${mailbox}" "Trash" {
  stop;
}
pipe :copy "rspamd-learn-ham.sh";

1. f. Restart Dovecot

systemctl restart dovecot

1. g. Convert sieve files

sievec /etc/dovecot/sieve/learn-spam.sieve
sievec /etc/dovecot/sieve/learn-ham.sieve
chmod u=rw,go= /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}
chown vmail.vmail /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}

1. h. Create Learning Scripts for Rspamd
2. Create learn-spam.sh

nano /etc/dovecot/sieve/rspamd-learn-spam.sh

1. Enter following script:

#!/bin/sh
exec /usr/bin/rspamc learn_spam

1. Create learn-ham.sh

nano /etc/dovecot/sieve/rspamd-learn-ham.sh

1. Enter following script:

#!/bin/sh
exec /usr/bin/rspamc learn_ham

1. Make these .sh files executible by the vmail user:

chmod u=rwx,go= /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh
chown vmail.vmail /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh

1. i. Restart Dovecot

systemctl restart dovecot

1. j. Configure Rspamd Password
2. Generate password hash:

rspamadm pw

1. Copy the hashed paswowrd {Rspamd Password Hash} Create the Rspamd controller.inc file:

nano /etc/rspamd/local.d/worker-controller.inc

1. Edit the file using the hashed password generated above (Note the leading and trailing ":

password = "{Rspamd Password Hash}"

1. k. Restart Rspamd

systemctl restart rspamd

Configure DKIM

DKIM verifies that emails received by other persons and purporting to be from your domain, are, in-fact, from your domain, it relies on a DNS Record with your public key to do this.

1. Create dkim folder and give Rspamd privileges:

mkdir /var/lib/rspamd/dkim
chown _rspamd:_rspamd /var/lib/rspamd/dkim

1. Generate DKIM Key
2. Choose a string of around 8 characters (I use the date on the day, ex. 20220209), we will refer to this as {DKIMKey}:

rspamadm dkim_keygen -d example.org -s {DKIMKey}

1. Copy the PUBLIC part of the key (p={RANDOM STRING OF NUMBERS}). This should be one uninterrupted line so edit any spaces or linebreaks out. This is your {DKIMPublikKey}
2. Configure your DNS Server for DKIM
3. Create a TXT Record in your DNS Server for the maildomain you wish to certify, the name of the record will be:

{DKIMKey}._domainkey.example.org

1. And the Content of the TXT Record will be {DKIMPublicKey} (including the p= section).
2. Configure Rspamd to use the DKIM Key:
3. a. Create the dkim_signing.conf file

nano /etc/rspamd/local.d/dkim_signing.conf

1. Paste the following strings:

path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";

1. b. Link Rspamd to the DKIM Key you created
2. Edit dkim_selectors.map:

nano /etc/rspamd/dkim_selectors.map

1. Enter a string which is based on your domain {DKIMKey}:

example.org {DKIMKey}

1. c. Reload Rspamd

systemctl reload rspamd

Deploy your first user

You can now login to https://postfixadmin.example.org/setup.php with your setup password and create an admin user. Once you have done this, you can browse to https://postfixadmin.example.org and login with your admin user created in this step.

From here, you can create your first domain (example.org) and your first mail user (user@example.org) as well as your first alias (alias@example.org) and test that everything works.

Username: user@example.org Password: Whatever you configured for the user

You can login with any IMAP mail client (Microsoft Outlook, Thunderbird, KMail, etc.) and the configurations are:

Enable Mailbox Sharing

1. Create additional tables in the existing database:

mysql

USE mailshares;

CREATE TABLE user_shares (
 from_user varchar(100) not null,
 to_user varchar(100) not null,
 dummy char(1) DEFAULT '1',    -- always '1' currently
 primary key (from_user, to_user)
 );

CREATE TABLE anyone_shares (
 from_user varchar(100) not null,
 dummy char(1) DEFAULT '1',    -- always '1' currently
 primary key (from_user)
);

QUIT;

1. Edit Dovecot mail.conf file to enable shared mailboxes:

nano /etc/dovecot/conf.d/10-mail.conf

1. Uncomment and edit the sample shared namespace section to look like this:

namespace {
 type = shared
 seperator - /
 prefix = shared/%%u/
 # a) Per-user seen flags. Maildir indexes are shared. (INDEXPVT requires v2.2+)
 location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/shared/%%u
 # b) Per-user seen flags. Maildir indexes are not shared. If users have direct filesystem level access to their mails, this is a safer option:
 #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
 subscriptions = no
 list = children
}

1. Edit the mail_plugins section to enable acl

mail_plugins = quota acl

1. Configure the Dovecot ACL plugin

nano /etc/dovecot/conf.d/90-acl.conf

1. Edit it to look as follows:

plugin {
  acl = vfile
}

plugin {
  acl_shared_dict = proxy::acl
}

dict {
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

1. Enable the dict service in master.conf

nano /etc/dovecot/conf.d/10-master.conf

1. Uncomment and edit the service dict { section like this:

service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
    group = vmail
  }
}

1. Configure dict-sql-conf.ext

nano /etc/dovecot/dovecot-dict-sql.conf.ext

1. Uncomment and Edit the file to resemble this:

connect = host=localhost dbname=mailshares user=mailadmin password={adminpassword}

map {
  pattern = shared/shared-boxes/user/$to/$from
  table = user_shares
  value_field = dummy

  fields {
    from_user = $from
    to_user = $to
  }
}

map {
  pattern = shared/shared-boxes/anyone/$from
  table = anyone_shares
  value_field = dummy

  fields {
    from_user = $from
  }
}

1. Enable imap_acl and acl plugins in imap.conf

nano /etc/dovecot/conf.d/20-imap.conf

1. Edit the mail_plugins section to resemble this:

mail_plugins = $mail_plugins quota imap_sieve imap_acl acl

1. Enable acl plugin in lmtp.conf

nano /etc/dovecot/conf.d/20-lmtp.conf

1. Edit the mail_plugins section to resemble this:

mail_plugins = $mail_plugins quota sieve acl

Enable ClamAV Scanning - Testing (Packages not included in first step)

ClamAV is an opensource Antivirus Scanner and while it is not as effective as some commercial options, integration with Rspamd is quite simple. Antivirus scanning on a mail server by itself is not good enough and a holistic approach to security is still necessary, but every little bit helps.

1. Install ClamAV Components:

apt install -y clamav clamav-daemon clamav-unofficial-sigs

1. Configure Rspamd to use ClamAV

nano /etc/rspamd/modules.d/antivirus.conf

1. Modify file to resemble (This rejects mail with Virus, modify to move to Junk):

clamav {
  scan_mime_parts = false;
  scan_text_mime = true;
  scan_image_mime = true;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "clamd:3310";
  max_size = 20971520;
}

1. Enable ClamAV daemon

systemctl enable clamav-daemon

1. Restart Rspamd

systemctl restart rspamd

Enable Firewall with nftables - Testing (Packages not included in first step)

1. Install nftables:

apt install nftables -y

1. Change Debian settings to have the iptables command use nftables

update-alternatives --config iptables

1. Create Firewall Rules file:

nano /etc/nftables.conf

1. Configuring as follows:

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport { ssh, http, https, imap2, imaps, pop3, pop3s, submission, smtp } ct state new accept

    # ICMP: errors, pings
    ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
    # ICMPv6: errors, pings, routing
    ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

    # Reject other packets
    ip protocol tcp reject with tcp reset
  }
}

1. Have nftables start at boot

systemctl enable nftables

1. Start nftables

systemctl start nftables

Brute force mitigation with fail2ban - Testing (Packages not included in first step)

We will use fail2ban to monitor various system logs and look for patterns which might suggest abuse. Ideally this will prevent bad actors from gaining access to your system, however it can result in legitimate users being blocked too.

Fail2ban uses "Jails" along with your firewall to block IP addresses that are missbehaving.

You can use fail2ban-client status to see which jails are active, and you can use fail2ban-client status sshd to see which clients are currently rejected and why.

1. Install fail2ban

apt install fail2ban -y

1. Restart nftables

systemctl restart nftables

1. Enable Postfix and Dovecot monitoring to fail2ban
2. While you can look at /etc/fail2ban/jail.conf for some sample configs for various servers, we need to create a config file for our servers:

nano /etc/fail2ban/jail.local

1. Making it look like this:

[apache-auth]
enabled = true

[dovecot]
enabled = true
port    = pop3,pop3s,imap2,imaps,submission,465,sieve

[postfix]
enabled = true

[sieve]
enabled = true

1. Test your config:

fail2ban-server -t

1. Restart fail2ban

systemctl restart fail2ban

Configure SOGo Groupware

1. Create a database view for SOGo:
2. Firstly, SOGo relies on some specific table columns to authenticate users, since we don't want duplicates and since we want PostfixAdmin to manage users, domains and aliases, we want to make SOGo use this information to authenticate users. To do that, we will create a VIEW, which is like a fake table made up of data from other tables in MariaDB.

mysql

USE mailserver;

CREATE VIEW sogo_view AS SELECT username AS c_uid, username AS c_name, password AS c_password, name AS c_cn, username AS mail FROM mailserver.mailbox;

QUIT;

1. Configure SOGo:
2. I suggest going through every line, however key issues will be {adminpassword}, {userpassword} and your timezone (I use Africa/Johannesburg):

nano /etc/sogo/sogo.conf

1. The Debian standard sogo.conf (For clarity on each of the configurable fields, check out the SOGo Installation Guide) (sucks, clear out everything (Don't rm the file unless you know how to fix permissions on a newly created file). Once you are finished, your sogo.conf file will look something like this:

{
  /* *********************  Main SOGo configuration file  **********************
   *                                                                           *
   * Since the content of this file is a dictionary in OpenStep plist format,  *
   * the curly braces enclosing the body of the configuration are mandatory.   *
   * See the Installation Guide for details on the format.                     *
   *                                                                           *
   * C and C++ style comments are supported.                                   *
   *                                                                           *
   * This example configuration contains only a subset of all available        *
   * configuration parameters. Please see the installation guide more details. *
   *                                                                           *
   * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,    *
   * make sure to move it away to avoid unwanted parameter overrides.          *
   *                                                                           *
   * **************************************************************************/

  /* Database configuration (mysql://, postgresql:// or oracle://) */
  SOGoProfileURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_emailalarms_folder";

  OCSStoreURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_store";
  OCSAclURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_acl";
  OCSCacheFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_cache";

  /* Mail */
  SOGoSentFolderName = "Sent Items";
  SOGoTrashFolderName = "Deleted Items";
  SOGoDraftsFolderName = Drafts;
  SOGoJunkFolderName = "Junk Email";
  SOGoIMAPServer = "localhost";
  SOGoSieveServer = "sieve://127.0.0.1:4190";
  SOGoSMTPServer = "smtp://mail.example.org:587/?tls=YES";
  SOGoSMTPAuthenticationType = PLAIN;
  //SOGoMailDomain = acme.com;
  SOGoMailingMechanism = smtp;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoMemcachedhost = 127.0.0.1;
  //SOGoMailSpoolPath = /var/spool/sogo;
  NGImap4ConnectionStringSeparator = "/";
  SOGoIMAPAclConformsToIMAPExt = YES;
  //SOGoMailAuxiliaryUserAccountsEnabled = NO;
  
  /* Calendar Settings */
  SOGoCalendarDefaultRoles = (
       PublicModifier,
       ConfidentialDAndTViewer,
       PrivateDandTViewer,
       ObjectCreator
   );
  SOGoDayStartTime = 8;
  SOGoDayEndTime = 17;
  SOGoFirstDayOfWeek = 1;
  SOGoCalendarEventsDefaultClassification = PUBLIC;
  SOGoCalendarTasksDefaultClassification = PUBLIC;
  

  /* Notifications */
  //SOGoAppointmentSendEMailNotifications = NO;
  SOGoACLsSendEMailNotifications = YES;
  //SOGoFoldersSendEMailNotifications = NO;

  /* Authentication */
  //SOGoPasswordChangeEnabled = YES;

  /* LDAP authentication example */
  //SOGoUserSources = (
  //  {
  //    type = ldap;
  //    CNFieldName = cn;
  //    UIDFieldName = uid;
  //    IDFieldName = uid; // first field of the DN for direct binds
  //    bindFields = (uid, mail); // array of fields to use for indirect binds
  //    baseDN = "ou=users,dc=acme,dc=com";
  //    bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
  //    bindPassword = qwerty;
  //    canAuthenticate = YES;
  //    displayName = "Shared Addresses";
  //    hostname = "ldap://127.0.0.1:389";
  //    id = public;
  //    isAddressBook = YES;
  //  }
  //);

  /* LDAP AD/Samba4 example */
  //SOGoUserSources = (
  //  {
  //    type = ldap;
  //    CNFieldName = cn;
  //    UIDFieldName = sAMAccountName;
  //    baseDN = "CN=users,dc=domain,dc=tld";
  //    bindDN = "CN=sogo,CN=users,DC=domain,DC=tld";
  //    bindFields = (sAMAccountName, mail);
  //    bindPassword = password;
  //    canAuthenticate = YES;
  //    displayName = "Public";
  //    hostname = "ldap://127.0.0.1:389";
  //    filter = "mail = '*'";
  //    id = directory;
  //    isAddressBook = YES;
  //  }
  //);


  /* SQL authentication example */
  /*  These database columns MUST be present in the view/table:
   *    c_uid - will be used for authentication -  it's the username or username@domain.tld)
   *    c_name - which can be identical to c_uid -  will be used to uniquely identify entries
   *    c_password - password of the user, plain-text, md5 or sha encoded for now
   *    c_cn - the user's common name - such as "John Doe"
   *    mail - the user's mail address
   *  See the installation guide for more details
   */
  SOGoUserSources =
    (
      {
        type = sql;
        id = directory;
        viewURL = "mysql://mailserver:{userpassword}@127.0.0.1:3306/mailserver/sogo_view";
        canAuthenticate = YES;
        isAddressBook = YES;
        userPasswordAlgorithm = blf-crypt;
      }
    );

  /* Web Interface */
  SOGoPageTitle = "My Mail Server";
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoMailAuxiliaryUserAccountsEnabled = YES;
  // SOGoTrustProxyAuthentication = NO;
  //SOGoXSRFValidationEnabled = NO;

  /* General - SOGoTimeZone *MUST* be defined */
  SOGoLanguage = English;
  SOGoTimeZone = Africa/Johannesburg;
  //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
  //SxVMemLimit = 384;
  //WOPidFile = "/var/run/sogo/sogo.pid";
  SOGoMemcachedHost = 127.0.0.1;
  
  /* Debug */
  //SOGoDebugRequests = YES;
  //SoDebugBaseURL = YES;
  //ImapDebugEnabled = YES;
  //LDAPDebugEnabled = YES;
  //PGDebugEnabled = YES;
  //MySQL4DebugEnabled = YES;
  //SOGoUIxDebugEnabled = YES;
  //WODontZipResponse = YES;
  //WOLogFile = /var/log/sogo/sogo.log;
}

1. Restart SOGo

systemctl restart sogo

1. Edit the mail.example.org.conf file for NginX:

nano /etc/nginx/conf.d/mail.example.org.conf

1. And edit it to now look like this::

server {
  server_name mail.example.org;
  root /usr/lib/GNUstep/SOGo/WebServerResources/;
  error_log /var/log/nginx/sogo_error.log;
  access_log /var/log/nginx/sogo_access.log;
  listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/mail.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.org/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

  location = / {
    rewrite ^ https://$server_name/SOGo/;
    allow all;
  }

  location = /principals/ {
    rewrite ^ https://$server_name/SOGo/dav;
    allow all;
  }

  location ^~/SOGo/ {
    proxy_pass "http://127.0.0.1:20000";
    proxy_redirect "http://127.0.0.1:20000" default;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header x-webobjects-server-protocol HTTP/1.1;
    proxy_set_header x-webobjects-remote-host 127.0.0.1;
    proxy_set_header x-webobjects-server-name $server_name;
    proxy_set_header x-webobjects-server-url $scheme://$host;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    client_max_body_size 100m;
    client_body_buffer_size 128k;
    break;
  }

  location /SOGo.woa/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    allow all;
  }

  location /SOGo/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
    allow all;
  }

  location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
  }

  location ^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*.(jpg|png|gif|css|js)$ {
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
  }
}

server {
  server_name mail.example.org;
  listen 80;
  error_log /var/log/nginx/sogo_error.log;
  access_log /var/log/nginx/sogo_access.log;
  if ($host = mail.example.org) {
      return 301 https://$host$request_uri;
  }
}

1. Reload NginX Configuration

systemctl reload nginx

1. That is it, SOGo should now be accessible at https://mail.example.org and you should be able to log in with any user created in postfixadmin.