Debian 11 Groupware Server – LEMP Stack

Installing a mailserver running on Debian 11 (Either as a VM, on bare-metal or in an LXC Container).

Since Google has decided to retire their Google Apps for Business and force migration to their paid Workspace Product, I found the need to migrate some of my deployed domains to a self-hosted Mail Service. My requirements were for a groupware server which can deal with shared calendars, mailboxes and contacts and therefore I developed my earlier guide (Which you can read here).

Solutions like iRedMail insisting on charging for really basic functionality (Alias) and Mailcow’s refusal to support deployment outside of Docker and their maintainers refusal to engage on the issues raised when they implement changes for no reason other than to break Docker on LXC lead me down a really deep rabbit-hole to build my solution from existing standards and open-source software.

While my earlier guide got the job done, I have a preference for NninX over Apache and therefore have been tweaking the guide to get this, newer guide, which does not rely on NginX, but also has the added benefit of using the official upstream repos of each of the core applications which are in use and therefore has slightly more updated software.

The short-term goal was to get the deployment to actually work (Done), medium term to get some advanced features to work (Done) and ultimately develop an installation script to automate the deployment (Ala iRedMail without the drama).

After finally deploying this in a working state using SOGo, I realized that it would be fairly easy to give the user the choice between SOGo or NextCloud or, if he so chooses, both, so I moved SOGo into a separate section and added a sectoin for NextCloud. For this installation I am not going to use switches on the same Virtual Host, but rather deploy seperate Virtual Hosts for each relevant application.

I give thanks, attribution and recognition to the following projects which gave sufficient insight into making all of these disparate products work:

1. The original ISPMail tutorial (I suggest this as a great starting point) which expertly describes the disparate technologies and how they are brought together in the modern email server.
2. PostfixAdmin Guide for ISPMail to get PostfixAdmin to work on earlier Debian versions, however does not describe the deployment steps in sufficient detail for a complete newbie to use on a fresh Debian 11 system.
3. This tutorial on vogan which got me moving in the right direction for getting IMAP Mailbox Sharing to work (It’s all ACL’s and Databases and finally working, however as NextCloud does not support mailbox sharing, this only works in SOGo for now).
4. The SOGo Installation Guide which, while not very well written, does get you there in the end.
5. This tutorial from ComputingForGeeks, which has a few minor errors and deviations from best practices which I have changed here.

So let’s get started with this process, again, if you want to understand the steps involved in getting a working Email Server off the ground, read the ISPMail tutorial, this is not about holding your hand, it’s about getting your server working.

Why Debian 11?

Because it’s what I prefer for server deployments, stable and mostly secure, if you want to use any other distro, you can, but I chose Debian and I also chose to use only the official Maintainer repos where available. I have used these same steps to deploy to Arch and Fedora, with the relevant changes for each distro and it works.

Conventions

To make this guide more universal, I am using some conventions which therefore assumes the following, you can replace the conventional terms with those you will be deploying. I am also assuming that you have a static IPv4 address pointing to your server and that your existing DNS records are correctly configured. I am also assuming that you are running all of this as root, while this is not absolutely required, if you choose to run as a non-root user with sudo privileges, add sudo in front of each command.

Conventions

Field	Convention
Domain Name	example.org
Server Name (fqdn)	mail.example.org
PostfixAdmin Subdomain	postfixadmin.example.org
MX Records (DNS)	mail.example.org
Database Name	mailserver
Database Read-Only User	mailserver@127.0.0.1
Database Read-Only Password	{userpassword}
Database Admin User	mailadmin@localhost
Database Admin Password	{adminpassword}

In order to get secure passwords, use https://passwordsgenerator.net/ make sure that you exclude special characters when generating the passwords to avoid problems in .config files, I suggest 30 character long passwords as this will play nicely with the relevant hashed password length for the database.

What Are We Installing?

Debian ships with nano by default (I know VIM could be better, but I prefer the interface and simplicity of nano, the memes regarding VIM say enough). We will assume a fresh base install of Debian 11 (Bullseye) and will be installing the following additional packages (And their dependencies):

1. Debian 11 (GNU/Linux OS)
2. MariaDB (Database Server)
3. Postfix (Mail Server)
4. Dovecot (Mailbox Server)
5. NginX (Webserver)
6. PHP (Scripting Language)
7. Redis (Caching Server)
8. Rspamd (Spam Filter Server – Optional)
9. Certbot (LetsEncrypt SSL Certificate Provider)
10. SOGo (Groupware Software including IMAP client)

A huge thank you to the developers and maintainers of each of the above packages, without whom, none of this would work. Seriously, support these people.

For those who do not want to use Apache, I am adding sample Virtual Host configs for NginX, this is optional, I intend to remove Apache from this guide in the future and rely solely on NginX as it is much better suited to this kind of work.

Ensure that we are starting with an up to date server

Before any task, I always recommend making sure that all your installed packages are up to date, this will minimize negative interactions when running installation steps.

apt update && apt upgrade -y

Install the Package Maintainer Repos

As I mentioned earlier, I am going to install the package maintainer versions of some of the key software, however if that is your need, you can ignore this part and move directly to the next one, noting that you will need to amend all the Virtual Host configs to refer to PHP7.2 instead of PHP8.1 as this is what the official Debian Repos contain.

First, let’s install some prerequisite software:

apt install lsb-release ca-certificates apt-transport-https software-properties-common gnupg2 curl dirmngr -y

PHP

Add the repo to apt souces with the following command:

echo "deb https://packages.sury.org/php/ bullseye main" | tee /etc/apt/sources.list.d/sury-php.list

Install the GPG Key for this repo:

curl -fsSL  https://packages.sury.org/php/apt.gpg | gpg --dearmor -o /etc/apt/trusted.gpg.d/sury-keyring.gpg

NginX

Add the repo to apt sources with the following command:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] 
http://nginx.org/packages/debian bullseye nginx" 
    | tee /etc/apt/sources.list.d/nginx.list

Install the Signing Key for this repo:

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor 
    | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

Dovecot

Add the repo to apt sources with the following command:

echo "deb https://repo.dovecot.org/ce-2.3-latest/debian/bullseye bullseye main" | tee /etc/apt/sources.list.d/dovecot.list

Install the Signing Key for this repo:

curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import

gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg

SOGo

Add the repo to apt sources with the following command:

echo "deb https://packages.sogo.nu/nightly/5/debian/ bullseye bullseye" | tee /etc/apt/sources.list.d/sogo.list

Install the Signing Key for this repo:

wget -O- "http://pgp.mit.edu/pks/lookup?op=get&search=0xCB2D3A2AA0030E2C" | gpg --dearmor | apt-key add -

wget -O- "https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9" | gpg --dearmor | apt-key add -

MariaDB

Add the repo to apt sources with the following command:

curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup

bash mariadb_repo_setup --os-type=debian  --os-version=bullseye

wget http://ftp.us.debian.org/debian/pool/main/r/readline5/libreadline5_5.2+dfsg-3+b13_amd64.deb

dpkg -i libreadline5_5.2+dfsg-3+b13_amd64.deb

 

Install required packages

This installs all the packages we require to get everything to work:

apt update && apt install mariadb-server postfix postfix-mysql nginx php8.1 php8.1-{imap,mbstring,mysql,fpm} rspamd redis-server certbot python3-certbot-nginx dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved dovecot-lmtpd sogo -y

Add the nginx user to the www-data group:

usermod -aG www-data nginx

Prepare MariaDB

We need to create the mailserver database, as well as give permissions to both an admin user and a read-only user, note that the admin user is only given rights on localhost, while the read-only user is given rights via 127.0.0.1, this is important.

mysql

CREATE DATABASE mailserver;
GRANT ALL ON mailserver.* TO 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
GRANT SELECT ON mailserver.* to 'mailserver'@'127.0.0.1' IDENTIFIED BY '{userpassword}';
CREATE DATABASE mailshares;
GRANT ALL ON mailshares.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
CREATE DATABASE sogo;
GRANT ALL ON sogo.* to 'mailadmin'@'localhost' IDENTIFIED BY '{adminpassword}';
FLUSH PRIVILEGES;
quit

 

Configure NginX Webserver and get a LetsEncrypt SSL Certificates

Before LetsEncrypt will provide us with free SSL certificates, we need to configure a webserver to listen for the specified subdomains on port 80, to do that, we will create some empty websites (Virtual Hosts):

1. Create a site for mail.example.org:

   nano /etc/nginx/conf.d/mail.example.org.conf

2. Edit the file to look like this:

   server {
      listen 80;
      server_name mail.example.org;
   
      root /usr/share/nginx/html;
      index index.html index.htm;
   }

3. Create a site for postfixadmin.example.org:

   nano /etc/nginx/conf.d/postfixadmin.example.org.conf

4. Edit the file to look like this:

   server {
      listen 80;
      server_name postfixadmin.example.org;
   
      root /usr/share/nginx/html;
      index index.html index.htm;
   }

5. Remove the default NginX Virtual Host:

   rm /etc/nginx/conf.d/default.conf

6. Enable and Start NginX:

   systemctl enable --now nginx

7. Get your SSL Certificates from LetsEncrypt:

   certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@example.org -d mail.example.org
   

   certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@example.com -d postfixadmin.example.org

8. Give the NgninX user (www-data) access to the certificates:
   This is necessary to address a known issue with PostfixAdmin:

   usermod -aG dovecot www-data

   chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem

   chown www-data:www-data /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem

   chown www-data:www-data /etc/letsencrypt/live

   chown www-data:www-data /etc/letsencrypt/archive

9. Configure Certbot Post-Hook:
   This will have Certbot update ownership of the certificates and restart the mailserver whenever the certificate is updated:

   nano /etc/letsencrypt/cli.ini

   Add the following to the end of the file:

   post-hook = chown www-data:www-data /etc/letsencrypt/live/mail.example.org/privkey.pem && /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem && chown www-data:www-data /etc/letsencrypt/live && chown www-data:www-data /etc/letsencrypt/archive && systemctl restart postfix dovecot nginx

 

Install PostfixAdmin and let it create the required database tables we will be using for our installation

Note, that since we haven’t configured Dovevot to use the SSL certificates yet, you CAN NOT CREATE AN ADMIN USER YET!!!

1. Download the latest version of PostfixAdmin:
   Grab the latest version from their GitHub repo and move it to the an appropriate folder, at the time of writing this, version 3.3.10 was the latest:

   wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.13.tar.gz

   tar -zxvf postfixadmin.tgz

   mv postfixadmin-postfixadmin-3.3.13 /srv/postfixadmin

   rm postfixadmin.tgz

2. Create the required templates_c folder and give Apache privileges to write to it:

   mkdir -p /srv/postfixadmin/templates_c

   chown -R www-data /srv/postfixadmin/templates_c

3. Create the required config.local.php file with the following contents:
   We will change it in step 5 below once we have generated a secure password hash:

   nano /srv/postfixadmin/config.local.php

   And Edit it to work with your database configured earlier {adminpassword} is the one you configured in MariaDB:

   <?php
   $CONF['database_type'] = 'mysqli';
   $CONF['database_host'] = 'localhost';
   $CONF['database_user'] = 'mailadmin';
   $CONF['database_password'] = '{adminpassword}';
   $CONF['database_name'] = 'mailserver';
   $CONF['encrypt'] = 'dovecot:BLF-CRYPT';
   $CONF['quota'] = 'YES';
   $CONF['quota_multiplier'] = '1024000';
   $CONF['new_quota_table'] = 'YES';
   $CONF['default_aliases'] = array (
   'abuse' => 'abuse@example.org',
   'hostmaster' => 'hostmaster@example.org',
   'postmaster' => 'postmaster@example.org',
   'webmaster' => 'webmaster@example.org');
   $CONF['footer_text'] = 'Return to mail.example.org';
   $CONF['footer_link'] = 'https://mail.example.org';
   $CONF['domain_path'] = 'NO';
   $CONF['domain_in_mailbox'] = 'YES';
   $CONF['configured'] = true;
   ?>

4. Change Your PostfixAdmin config file:

   nano /etc/nginx/conf.d/postfixadmin.example.org.conf

   And edit it to now look like this:

   server {
       server_name postfixadmin.example.org;
       root /srv/postfixadmin/public;
       error_log /var/log/nginx/postfixadmin_error.log;
       access_log /var/log/nginx/postfixadmin_access.log;
       index index.php;
   
       location ~* .php$ {
            fastcgi_split_path_info ^(.+?.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {return 404;}
            fastcgi_pass  unix:/run/php/php8.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       }
   
       listen 443 ssl;
       ssl_certificate /etc/letsencrypt/live/postfixadmin.example.org/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/postfixadmin.example.org/privkey.pem;
       include /etc/letsencrypt/options-ssl-nginx.conf;
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
   
       add_header Strict-Transport-Security "max-age=31536000" always;
   
   
       ssl_trusted_certificate /etc/letsencrypt/live/postfixadmin.example.org/chain.pem;
       ssl_stapling on;
       ssl_stapling_verify on;
   
   }
   server {
       if ($host = postfixadmin.example.org) {
           return 301 https://$host$request_uri;
       }
       listen 80;
       server_name postfixadmin.example.org;
       error_log /var/log/nginx/postfixadmin_error.log;
       access_log /var/log/nginx/postfixadmin_access.log;
   }

5. Reload NginX to accept the new configuration:

   systemctl reload nginx

6. Get a Secure Setup Password:
   On your webbrowser, browse to https://mail.example.org/setup.php and enter a secure Setup Password, it will show you a configuration string which you need to copy into your .conf file, it will look something like this:

   $CONF['setup_password'] = '{Some Secure Password String}';

7. Configure the Setup Password in the PostfixAdmin config file you created in step 3 above:

   nano /srv/postfixadmin/config.local.php

   Paste the string from step 4 above so your file should now look something like this:

   <?php
   $CONF['database_type'] = 'mysqli';
   $CONF['database_host'] = 'localhost';
   $CONF['database_user'] = 'mailadmin';
   $CONF['database_password'] = '{adminpassword}';
   $CONF['database_name'] = 'mailserver';
   $CONF['encrypt'] = 'dovecot:BLF-CRYPT';
   $CONF['quota'] = 'YES';
   $CONF['quota_multiplier'] = '1024000';
   $CONF['new_quota_table'] = 'YES';
   $CONF['default_aliases'] = array (
   'abuse' => 'abuse@example.org',
   'hostmaster' => 'hostmaster@example.org',
   'postmaster' => 'postmaster@example.org',
   'webmaster' => 'webmaster@example.org');
   $CONF['footer_text'] = 'Return to mail.example.org';
   $CONF['footer_link'] = 'https://mail.example.org';
   $CONF['domain_path'] = 'NO';
   $CONF['domain_in_mailbox'] = 'YES';
   $CONF['setup_password'] = '{Some Secure Password String}';
   $CONF['configured'] = true;
   ?>

8. Allow PostfixAdmin to deploy your database tables for you:
   From your webbrowser, browse back  to https://postfixadmin.example.org/admin/setup.php and login in with the Setup Password you used to create the secure string in step 4. It will tell you that there’s a problem with the encryption, that is fine, it will still generate the tables in your database (You will see a string saying that tables were successfully updated or, are up to date). For now, we are done with this, once we have finished configuring Dovecot, the error regarding the password will be resolved.

 

Configure Postfix

1. Configure Postfix to Map mailboxes to the Database
   Earlier we configured a database in MariaDB and then populated that database with tables with PostfixAdmin. We need Postfix to actually use the data in those databases and therefore, we need to tell it where the database is as well as which fields it needs to get from each table.
   a. Virtual Domains
   Virtual Domains are simply the Domains for which your mailserver accepts email (example.org or as many other as you want to add), we need to tell Postfix which domains it is allowed to accept mail for so we need to create a MAP file:

   nano /etc/postfix/mysql-virtual-mailbox-domains.cf

   And configure it as follows (Again, use your {userpassword}):

   user = mailserver
   password = {userpassword}
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT 1 FROM domain WHERE domain='%s'

   Now tell Postfix that this is the MAP file:

   postconf virtual_mailbox_domains=mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

   b. Virtual Mailboxes
   A Virtual Mailbox is basically the mail user’ (user@example.org) specific mailbox, so again, like in step a above, we need to tell Postfix how to verify the mailboxes:

   nano /etc/postfix/mysql-virtual-mailbox-maps.cf

   Configure this file as follows:

   user = mailserver
   password = {userpassword}
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT 1 FROM mailbox WHERE username='%s'

   And tell Postfix to use this MAP:

   postconf virtual_mailbox_maps=mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf

   c. Virtual Aliases
   A Virtual Alias is where we configure an alias (or an internal mailing list) so that an emali sent to alias@example.org will be received by any users configured to that alias. You can create an alias in PostfixAdmin.

   nano /etc/postfix/mysql-virtual-alias-maps.cf

   Configure this file as follows:

   user = mailserver
   password = {userpassword}
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT goto FROM alias WHERE address='%s'

   And tell Postfix to use this MAP:

   postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf

   d. Email2Email
   This will allow a logged-in user to be able to send email as another user on the domain (Mailbox Delegation).

   nano /etc/postfix/mysql-email2email.cf

   Configure the file as follows:

   user = mailserver
   password = {userpassword}
   hosts = 127.0.0.1
   dbname = mailserver
   query = SELECT username FROM mailbox WHERE username='%s'

   And tell Postfix to use this MAP:

   postconf virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf

   e. Set Permissions for these files
   We need Postfix to have access to these files in order to use them, so we change permissions as follows:

   chgrp postfix /etc/postfix/mysql-*.cf

   chmod u=rw,g=r,o= /etc/postfix/mysql-*.cf

 

Configure Dovecot

Dovecot does all the important mail handling, moving emails to the appropriate users folder and we need to make some changes so that we don’t use systemmail (Where each user must be a specific PAM user) but rather use vmail.

1. Create vmail user and group
   We want to use UID 5000 for this, so make sure that it is not used (On a clean install this should not be an issue).

   groupadd -g 5000 vmail

   useradd -g vmail -u 5000 vmail -d /var/vmail -m

   chown -R vmail:vmail /var/vmail

2. Configure Dovecot
   Dovecot has several .conf files stored in /etc/dovecot/conf.d/ and we will be modifying some of these to enable the plugins we will be using in our deployment.
   a. User Authentication:

   nano /etc/dovecot/conf.d/10-auth.conf

   Find and edit the auth_mechanisms line:

   auth_mechanisms = plain login

   And at the bottom, comment out the !include auth-system.conf.ext line and uncomment the !include auth-sql.conf.ext lines:

   #!include auth-system.conf.ext
   !include auth-sql.conf.ext
   #!include auth-ldap.conf.ext
   #!include auth-passwdfile.conf.ext
   #!include auth-checkpassword.conf.ext
   #!include auth-static.conf.ext

   b. Mail Directory Format:

   nano /etc/dovecot/conf.d/10-mail.conf

   Edit the mail_location line to resemble the below:

   mail_location = maildir:~/Maildir

   Modify the namespace inbox { line section to resemble this:

   namespace inbox {
     type = private
     separator = /
     prefix =
     inbox = yes
   }

   Uncomment and edit the mail_privileged_group line:

   mail_privileged_group = mail

   Also Uncomment and edit the mail_plugins line:

   mail_plugins = quota

   c. Master Config File

   nano /etc/dovecot/conf.d/10-master.conf

   Here we need to edit the service lmtp and service auth sections as follows:

   service lmtp {
     unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
     }
   }

   service auth {
     unix_listener /var/spool/postfix/private/auth {
       mode = 0660
       user = postfix
       group = postfix
     }

   And add the following at the end of the file (This is for PostfixAdmin):

   service stats {
     unix_listener stats-reader {
       user = www-data
       group = www-data
       mode = 0660
   }
     unix_listener stats-writer {
       user = www-data
       group = www-data
       mode = 0660
     }
   }

   d. SSL Configuration

   nano /etc/dovecot/conf.d/10-ssl.conf

   Edit the following three lines to match our configuration:

   ssl = required
   
   ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
   ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem

   e. SQL Connection
   We need to tell Dovecot to authenticate against our MariaDB database:

   nano /etc/dovecot/dovecot-sql.conf.ext

   Add the following to the end of the file (Again, note the {userpassword}):

   driver = mysql
    connect = 
    host=127.0.0.1 
    dbname=mailserver 
    user=mailserver 
    password={userpassword}
   user_query = SELECT username as user, 
   concat('*:bytes=', quota) AS quota_rule, 
   '/var/vmail/%d/%n' AS home, 
   5000 AS uid, 5000 AS gid 
   FROM mailbox WHERE username='%u'
   password_query = SELECT password FROM mailbox WHERE username='%u'
   iterate_query = SELECT username AS user FROM mailbox

   Since we don’t want this password to leak to non-root users:

   chown root:root /etc/dovecot/dovecot-sql.conf.ext

   chmod go= /etc/dovecot/dovecot-sql.conf.ext

   f. Map Virtual Mail Folders for Outlook (And SOGo) Compatibility:
   If you look at our sogo.conf file later in this tutorial, you will note the fields SOGoSentFolderName, SOGoTrashFolderName and SOGoJunkFolderName are mapped to Microsoft Outlook style names, well, we should tell Dovecot to “Alias” these folders to IMAP standard folders as well:

   nano /etc/dovecot/conf.d/15-mailboxes.conf

   You can add these lines below the mailbox “Sent Mail” mapping:

   mailbox "Sent Items" {
       special_use = Sent
     }
   
   mailbox "Junk Email" {
       special_use = Junk
     }
   
   mailbox "Deleted Items" {
       special_use = Trash
     }

   g. Configure lmtp

   postconf virtual_transport=lmtp:unix:private/dovecot-lmtp

   Edit the lmtp.conf file:

   nano /etc/dovecot/conf.d/20-lmtp.conf

   In the protocol lmtp { section, edit the mail_plugins line as follows:

   mail_plugins = $mail_plugins sieve

   h. Configure Quotas
   We need to configure Quotas to work, which is used to set storage limits per user in PostfixAdmin:

   nano /etc/dovecot/conf.d/90-quota.conf

   Edit any plugin { section to look like this:

   plugin {
     quota = maildir:User quota
     quota_status_success = DUNNO
     quota_status_nouser = DUNNO
     quota_status_overquota = "452 4.2.2 Mailbox is full and cannot receive any more emails"
   }

   Add the following new sections:

   service quota-status {
     executable = /usr/lib/dovecot/quota-status -p postfix
     unix_listener /var/spool/postfix/private/quota-status {
       user = postfix
     }
   }
   
   plugin {
    quota_warning = storage=95%% quota-warning 95 %u
    quota_warning2 = storage=80%% quota-warning 80 %u
   }
   service quota-warning {
      executable = script /usr/local/bin/quota-warning.sh
      unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
      }
   }

   Create a shell script to set the email which will be sent to your users when they approach or reach thier quota:

   nano /usr/local/bin/quota-warning.sh

   And make it look like this (Note tha From: email line, change this to your postmaster address):

   #!/bin/sh
   PERCENT=$1
   USER=$2
   cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir:User quota:noenforcing"
   From: postmaster@example.org
   Subject: Quota warning - $PERCENT% reached
   
   Your mailbox can only store a limited amount of emails.
   Currently it is $PERCENT% full. If you reach 100% then
   new emails cannot be stored. Thanks for your understanding.
   EOF

   Make this file executable:

   chmod +x /usr/local/bin/quota-warning.sh

   i. Restart Dovecot

   systemctl restart dovecot

 

Finalize Postfix Configuration

Now that we have Dovecot configured, we can finalize our Postfix configuration.

1. Enable some Postfix configurations:
   Remember to substitute your fqdn in these commands where mail.example.org appears:

   postconf smtpd_sasl_type=dovecot

   postconf smtpd_sasl_path=private/auth

   postconf smtpd_sasl_auth_enable=yes

   postconf smtpd_tls_security_level=may

   postconf smtpd_tls_auth_only=yes

   postconf smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.org/fullchain.pem

   postconf smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.org/privkey.pem

   postconf smtp_tls_security_level=may

2. Make some changes to the Postfix master.cf file:

   nano /etc/postfix/master.cf

   Uncomment the submission inet line and uncomment the listed options, note, the indentation is important, only delete the preceding # and not any spaces:

   submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

   Enable our configurations:

   postconf smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

   postconf inet_interfaces=all

   postconf 'smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status'

   postconf smtpd_milters=inet:127.0.0.1:11332

   postconf non_smtpd_milters=inet:127.0.0.1:11332

   postconf milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"

3. Restart Postfix

   systemctl restart postfix

Configure Rspamd

Rspamd is a very good Spam Filter, we need to make some configurations to allow Rspamd to work with Dovecot and our Sieve Plugin.

1. Set “Sensitivity” for Rspamd to be quite permissive
   Create a new actions.conf file:

   nano /etc/rspamd/local.d/actions.conf

   Make the settings:

   reject = 150;
   add_header = 6;
   greylist = 4;

2. Enable Extended Headers
   This will allow RSAPMD to add fields to the email headers which will tell recipients that the email is trusted (Subject to DKIM being configured).
   Create a milter_headers.conf file:

   nano /etc/rspamd/override.d/milter_headers.conf

   Enter the following strings:

   
   backend = "redis";
   extended_spam_headers = true;

3. Configure Dovecot’s Sieve plugin
   We want Dovecot to filter messages flagged as Spam to the user’s Junk folder, so we need to configure this:
   a. Enable the use of a sieve-after folder:

   nano /etc/dovecot/conf.d/90-sieve.conf

   Uncomment and Edit the sieve_after string:

   sieve_after = /etc/dovecot/sieve-after

   b. Create the sieve-after folder as configured in step a. above, and create a spam-to-folder sieve instruction:

   mkdir /etc/dovecot/sieve-after

   Create spam-to-folder.sieve file:

   nano /etc/dovecot/sieve-after/spam-to-folder.sieve

   And add the following string:

   require ["fileinto"];
   if header :contains "X-Spam" "Yes" {
    fileinto "Junk";
    stop;
   }

   Now convert this human-readable file to a sieve instruction:

   sievec /etc/dovecot/sieve-after/spam-to-folder.sieve

4. Configure Redis to use UNIX Socket (Speed):
   Edit the redis.conf file to disable TCP sockets and enable the UNIX socket:

   nano /etc/redis/redis.conf

   Set the TCP Port to 0 (Disable listening on TCP):

   port 0

   Uncomment the Unix Socket Lines:

   unixsocket /var/run/redis/redis-server.sock
   unixsocketperm 770

5. Grant Redis privileges to _rspamd:

   userdmod -aG redis _rspamd

6. Configure Rspamd Redis server:
   Create a file so Rspamd knows where to find Redis:

   nano /etc/rspamd/override.d/redis.conf

   And enter the following line:

   servers = "/var/run/redis/redis-server.sock";

   Restart Rspamd:

   systemctl restart rspamd

7. Configure Rspamd to learn
   Rspamd can learn to identify spam by monitoring user actions (When users move an email to their Junk folder, it will be marked as ham, and if this action is repeated by other users, it will be marked as Spam).
   a. Enable learning:

   nano /etc/rspamd/override.d/classifier-bayes.conf

   Paste these lines to the file:

   backend = "redis";
   autolearn = true;

   b. Configure the Dovecot Sieve plugin for IMAP folders:

   nano /etc/dovecot/conf.d/20-imap.conf

   Uncomment and edit the mail_plugins line:

   mail_plugins = $mail_plugins quota imap_sieve

   c. Configure the Dovecot Sieve plugin:

   nano /etc/dovecot/conf.d/90-sieve.conf

   Add the following lines in the plugin { section:

   # From elsewhere to Junk folder
   imapsieve_mailbox1_name = Junk
   imapsieve_mailbox1_causes = COPY
   imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
   
   # From Junk folder to elsewhere
   imapsieve_mailbox2_name = *
   imapsieve_mailbox2_from = Junk
   imapsieve_mailbox2_causes = COPY
   imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
   
   sieve_pipe_bin_dir = /etc/dovecot/sieve
   sieve_global_extensions = +vnd.dovecot.pipe
   sieve_plugins = sieve_imapsieve sieve_extprograms

   d. Create the Dovecot sieve folder:

   mkdir /etc/dovecot/sieve

   e. Create Sieve files:
   Create a learn-spam file:

   nano /etc/dovecot/sieve/learn-spam.sieve

   Enter the following strings:

   require ["vnd.dovecot.pipe", "copy", "imapsieve"];
   pipe :copy "rspamd-learn-spam.sh";

   Create a learn-ham file:

   nano /etc/dovecot/sieve/learn-ham.sieve

   Enter the following strings:

   require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
   if string "${mailbox}" "Trash" {
     stop;
   }
   pipe :copy "rspamd-learn-ham.sh";

   f. Restart Dovecot

   systemctl restart dovecot

   g. Convert sieve files

   sievec /etc/dovecot/sieve/learn-spam.sieve

   sievec /etc/dovecot/sieve/learn-ham.sieve

   chmod u=rw,go= /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}

   chown vmail.vmail /etc/dovecot/sieve/learn-{spam,ham}.{sieve,svbin}

   h. Create Learning Scripts for Rspamd
   Create learn-spam.sh

   nano /etc/dovecot/sieve/rspamd-learn-spam.sh

   Enter follwowing script:

   #!/bin/sh
   exec /usr/bin/rspamc learn_spam

   Create learn-ham.sh

   nano /etc/dovecot/sieve/rspamd-learn-ham.sh

   Enter following script:

   #!/bin/sh
   exec /usr/bin/rspamc learn_ham

   Make these .sh files executible by the vmail user:

   chmod u=rwx,go= /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh

   chown vmail.vmail /etc/dovecot/sieve/rspamd-learn-{spam,ham}.sh

   i. Restart Dovecot

   systemctl restart dovecot

   j. Configure Rspamd Password
   Generate password hash:

   rspamadm pw

   Copy the hashed paswowrd {Rspamd Password Hash} Create the Rspamd controller.inc file:

   nano /etc/rspamd/local.d/worker-controller.inc

   Edit the file using the hashed password generated above (Note the leading and trailing “:

   password = "{Rspamd Password Hash}"

   k. Restart Rspamd

   systemctl restart rspamd

 

Configure DKIM

DKIM verifies that emails received by other persons and purporting to be from your domain, are, in-fact, from your domain, it relies on a DNS Record with your public key to do this.

1. Create dkim folder and give Rspamd privileges:

   mkdir /var/lib/rspamd/dkim

   chown _rspamd:_rspamd /var/lib/rspamd/dkim

2. Generate DKIM Key
   Choose a string of around 8 characters (I use the date on the day, ex. 20220209), we will refer to this as {DKIMKey}:

   rspamadm dkim_keygen -d example.org -s {DKIMKey}

   Copy the PUBLIC part of the key (p={RANDOM STRING OF NUMBERS}). This should be one uninterrupted line so edit any spaces or linebreaks out. This is your {DKIMPublikKey}

3. Configure your DNS Server for DKIM
   Create a TXT Record in your DNS Server for the maildomain you wish to certify, the name of the record will be:

   {DKIMKey}._domainkey.example.org

   And the Content of the TXT Record will be {DKIMPublicKey} (including the p= section).

4. Configure Rspamd to use the DKIM Key:
   a. Create the dkim_signing.conf file

   nano /etc/rspamd/local.d/dkim_signing.conf

   Paste the following strings:

   path = "/var/lib/rspamd/dkim/$domain.$selector.key";
   selector_map = "/etc/rspamd/dkim_selectors.map";

   b. Link Rspamd to the DKIM Key you created
   Edit dkim_selectors.map:

   nano /etc/rspamd/dkim_selectors.map

   Enter a string which is based on your domain {DKIMKey}:

   example.org {DKIMKey}

   c. Reload Rspamd

   systemctl reload rspamd

 

Deploy your first user

You can now login to https://postfixadmin.example.org/setup.php with your setup password and create an admin user. Once you have done this, you can browse to https://postfixadmin.example.org and login with your admin user created in this step.

From here, you can create your first domain (example.org) and your first mail user (user@example.org) as well as your first alias (alias@example.org) and test that everything works.

Username: user@example.org Password: Whatever you configured for the user

You can login with any IMAP mail client (Microsoft Outlook, Thunderbird, KMail, etc.) and the configurations are:

Mail Configuration

IMAP Server	mail.example.org	Port	143
SMTP Server	mail.example.org	Port	587
Encryption	STARTTLS	Type	Plain
WebDAV Address	https://mail.example.org/SOGo/dav

Enable Mailbox Sharing

1. Create additional tables in the existing database:

   mysql

   USE mailshares;
   CREATE TABLE user_shares (
    from_user varchar(100) not null,
    to_user varchar(100) not null,
    dummy char(1) DEFAULT '1',    -- always '1' currently
    primary key (from_user, to_user)
    );
   CREATE TABLE anyone_shares (
    from_user varchar(100) not null,
    dummy char(1) DEFAULT '1',    -- always '1' currently
    primary key (from_user)
   );
   QUIT;

2. Edit Dovecot mail.conf file to enable shared mailboxes:

   nano /etc/dovecot/conf.d/10-mail.conf

   Uncomment and edit the sample shared namespace section to look like this:

   namespace {
    type = shared
    seperator - /
    prefix = shared/%%u/
    # a) Per-user seen flags. Maildir indexes are shared. (INDEXPVT requires v2.2+)
    location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/shared/%%u
    # b) Per-user seen flags. Maildir indexes are not shared. If users have direct filesystem level access to their mails, this is a safer option:
    #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
    subscriptions = no
    list = children
   }

   Edit the mail_plugins section to enable acl

   mail_plugins = quota acl

3. Configure the Dovecot ACL plugin

   nano /etc/dovecot/conf.d/90-acl.conf

   Edit it to look as follows:

   plugin {
     acl = vfile
   }
   
   plugin {
     acl_shared_dict = proxy::acl
   }
   
   dict {
     acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
   }

4. Enable the dict service in master.conf

   nano /etc/dovecot/conf.d/10-master.conf

   Uncomment and edit the service dict { section like this:

   service dict {
     unix_listener dict {
       mode = 0600
       user = vmail
       group = vmail
     }
   }

5. Configure dict-sql-conf.ext

   nano /etc/dovecot/dovecot-dict-sql.conf.ext

   Uncomment and Edit the file to resemble this:

   connect = host=localhost dbname=mailshares user=mailadmin password={adminpassword}
   
   map {
     pattern = shared/shared-boxes/user/$to/$from
     table = user_shares
     value_field = dummy
   
     fields {
       from_user = $from
       to_user = $to
     }
   }
   
   map {
     pattern = shared/shared-boxes/anyone/$from
     table = anyone_shares
     value_field = dummy
   
     fields {
       from_user = $from
     }
   }

6. Enable imap_acl and acl plugins in imap.conf

   nano /etc/dovecot/conf.d/20-imap.conf

   Edit the mail_plugins section to resemble this:

   mail_plugins = $mail_plugins quota imap_sieve imap_acl acl

7. Enable acl plugin in lmtp.conf

   nano /etc/dovecot/conf.d/20-lmtp.conf

   Edit the mail_plugins section to resemble this:

   mail_plugins = $mail_plugins quota sieve acl

 

Enable ClamAV Scanning – Testing (Packages not included in first step)

ClamAV is an opensource Antivirus Scanner and while it is not as effective as some commercial options, integration with Rspamd is quite simple. Antivirus scanning on a mail server by itself is not good enough and a holistic approach to security is still necessary, but every little bit helps.

1. Install ClamAV Components:

   apt install -y clamav clamav-daemon clamav-unofficial-sigs

    

2. Configure Rspamd to use ClamAV

   nano /etc/rspamd/modules.d/antivirus.conf

   Modify file to resemble (This rejects mail with Virus, modify to move to Junk):

   clamav {
     scan_mime_parts = false;
     scan_text_mime = true;
     scan_image_mime = true;
     symbol = "CLAM_VIRUS";
     type = "clamav";
     log_clean = true;
     servers = "clamd:3310";
     max_size = 20971520;
   }

3. Enable ClamAV daemon

   systemctl enable clamav-daemon

4. Restart Rspamd

   systemctl restart rspamd

Enable Firewall with nftables – Testing (Packages not included in first step)

1. Install nftables:

   apt install nftables -y

2. Change Debian settings to have the iptables command use nftables

   update-alternatives --config iptables

3. Create Firewall Rules file:

   nano /etc/nftables.conf

   Configuring as follows:

   #!/usr/sbin/nft -f
   flush ruleset
   table inet filter {
     chain input {
       type filter hook input priority 0; policy drop;
   
       iifname lo accept
       ct state established,related accept
       tcp dport { ssh, http, https, imap2, imaps, pop3, pop3s, submission, smtp } ct state new accept
   
       # ICMP: errors, pings
       ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
       # ICMPv6: errors, pings, routing
       ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
   
       # Reject other packets
       ip protocol tcp reject with tcp reset
     }
   }

4. Have nftables start at boot

   systemctl enable nftables

5. Start nftables

   systemctl start nftables

 

Brute force mitigation with fail2ban – Testing (Packages not included in first step)

We will use fail2ban to monitor various system logs and look for patterns which might suggest abuse. Ideally this will prevent bad actors from gaining access to your system, however it can result in legitimate users being blocked too.

Fail2ban uses “Jails” along with your firewall to block IP addresses that are missbehaving.

You can use fail2ban-client status to see which jails are active, and you can use fail2ban-client status sshd to see which clients are currently rejected and why.

1. Install fail2ban

   apt install fail2ban -y

2. Restart nftables

   systemctl restart nftables

3. Enable Postfix and Dovecot monitoring to fail2ban
   While you can look at /etc/fail2ban/jail.conf for some sample configs for various servers, we need to create a config file for our servers:

   nano /etc/fail2ban/jail.local

   Making it look like this:

   [apache-auth]
   enabled = true
   
   [dovecot]
   enabled = true
   port    = pop3,pop3s,imap2,imaps,submission,465,sieve
   
   [postfix]
   enabled = true
   
   [sieve]
   enabled = true

   Test your config:

   fail2ban-server -t

   Restart fail2ban

   systemctl restart fail2ban

Configure SOGo Groupware

1. Create a database view for SOGo:
   Firstly, SOGo relies on some specific table columns to authenticate users, since we don’t want duplicates and since we want PostfixAdmin to manage users, domains and aliases, we want to make SOGo use this information to authenticate users. To do that, we will create a VIEW, which is like a fake table made up of data from other tables in MariaDB.

   mysql

   USE mailserver;
   CREATE VIEW sogo_view AS SELECT username AS c_uid, username AS c_name, password AS c_password, name AS c_cn, username AS mail FROM mailserver.mailbox;
   QUIT;

2. Configure SOGo:
   I suggest going through every line, however key issues will be {adminpassword}, {userpassword} and your timezone (I use Africa/Johannesburg):

   nano /etc/sogo/sogo.conf

   The Debian standard sogo.conf (For clarity on each of the configurable fields, check out the SOGo Installation Guide) (sucks, clear out everything (Don’t rm the file unless you know how to fix permissions on a newly created file). Once you are finished, your sogo.conf file will look something like this:

   {
     /* *********************  Main SOGo configuration file  **********************
      *                                                                           *
      * Since the content of this file is a dictionary in OpenStep plist format,  *
      * the curly braces enclosing the body of the configuration are mandatory.   *
      * See the Installation Guide for details on the format.                     *
      *                                                                           *
      * C and C++ style comments are supported.                                   *
      *                                                                           *
      * This example configuration contains only a subset of all available        *
      * configuration parameters. Please see the installation guide more details. *
      *                                                                           *
      * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,    *
      * make sure to move it away to avoid unwanted parameter overrides.          *
      *                                                                           *
      * **************************************************************************/
   
     /* Database configuration (mysql://, postgresql:// or oracle://) */
     SOGoProfileURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_user_profile";
     OCSFolderInfoURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_folder_info";
     OCSSessionsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_sessions_folder";
     OCSEMailAlarmsFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_emailalarms_folder";
   
     OCSStoreURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_store";
     OCSAclURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_acl";
     OCSCacheFolderURL = "mysql://mailadmin:{adminpassword}@localhost:3306/sogo/sogo_cache";
   
     /* Mail */
     SOGoSentFolderName = "Sent Items";
     SOGoTrashFolderName = "Deleted Items";
     SOGoDraftsFolderName = Drafts;
     SOGoJunkFolderName = "Junk Email";
     SOGoIMAPServer = "localhost";
     SOGoSieveServer = "sieve://127.0.0.1:4190";
     SOGoSMTPServer = "smtp://mail.example.org:587/?tls=YES";
     SOGoSMTPAuthenticationType = PLAIN;
     //SOGoMailDomain = acme.com;
     SOGoMailingMechanism = smtp;
     SOGoForceExternalLoginWithEmail = YES;
     SOGoMemcachedhost = 127.0.0.1;
     //SOGoMailSpoolPath = /var/spool/sogo;
     NGImap4ConnectionStringSeparator = "/";
     SOGoIMAPAclConformsToIMAPExt = YES;
     //SOGoMailAuxiliaryUserAccountsEnabled = NO;
     
     /* Calendar Settings */
     SOGoCalendarDefaultRoles = (
          PublicModifier,
          ConfidentialDAndTViewer,
          PrivateDandTViewer,
          ObjectCreator
      );
     SOGoDayStartTime = 8;
     SOGoDayEndTime = 17;
     SOGoFirstDayOfWeek = 1;
     SOGoCalendarEventsDefaultClassification = PUBLIC;
     SOGoCalendarTasksDefaultClassification = PUBLIC;
     
   
     /* Notifications */
     //SOGoAppointmentSendEMailNotifications = NO;
     SOGoACLsSendEMailNotifications = YES;
     //SOGoFoldersSendEMailNotifications = NO;
   
     /* Authentication */
     //SOGoPasswordChangeEnabled = YES;
   
     /* LDAP authentication example */
     //SOGoUserSources = (
     //  {
     //    type = ldap;
     //    CNFieldName = cn;
     //    UIDFieldName = uid;
     //    IDFieldName = uid; // first field of the DN for direct binds
     //    bindFields = (uid, mail); // array of fields to use for indirect binds
     //    baseDN = "ou=users,dc=acme,dc=com";
     //    bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
     //    bindPassword = qwerty;
     //    canAuthenticate = YES;
     //    displayName = "Shared Addresses";
     //    hostname = "ldap://127.0.0.1:389";
     //    id = public;
     //    isAddressBook = YES;
     //  }
     //);
   
     /* LDAP AD/Samba4 example */
     //SOGoUserSources = (
     //  {
     //    type = ldap;
     //    CNFieldName = cn;
     //    UIDFieldName = sAMAccountName;
     //    baseDN = "CN=users,dc=domain,dc=tld";
     //    bindDN = "CN=sogo,CN=users,DC=domain,DC=tld";
     //    bindFields = (sAMAccountName, mail);
     //    bindPassword = password;
     //    canAuthenticate = YES;
     //    displayName = "Public";
     //    hostname = "ldap://127.0.0.1:389";
     //    filter = "mail = '*'";
     //    id = directory;
     //    isAddressBook = YES;
     //  }
     //);
   
   
     /* SQL authentication example */
     /*  These database columns MUST be present in the view/table:
      *    c_uid - will be used for authentication -  it's the username or username@domain.tld)
      *    c_name - which can be identical to c_uid -  will be used to uniquely identify entries
      *    c_password - password of the user, plain-text, md5 or sha encoded for now
      *    c_cn - the user's common name - such as "John Doe"
      *    mail - the user's mail address
      *  See the installation guide for more details
      */
     SOGoUserSources =
       (
         {
           type = sql;
           id = directory;
           viewURL = "mysql://mailserver:{userpassword}@127.0.0.1:3306/mailserver/sogo_view";
           canAuthenticate = YES;
           isAddressBook = YES;
           userPasswordAlgorithm = blf-crypt;
         }
       );
   
     /* Web Interface */
     SOGoPageTitle = "My Mail Server";
     SOGoVacationEnabled = YES;
     SOGoForwardEnabled = YES;
     SOGoSieveScriptsEnabled = YES;
     SOGoMailAuxiliaryUserAccountsEnabled = YES;
     // SOGoTrustProxyAuthentication = NO;
     //SOGoXSRFValidationEnabled = NO;
   
     /* General - SOGoTimeZone *MUST* be defined */
     SOGoLanguage = English;
     SOGoTimeZone = Africa/Johannesburg;
     //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
     //SxVMemLimit = 384;
     //WOPidFile = "/var/run/sogo/sogo.pid";
     SOGoMemcachedHost = 127.0.0.1;
     
     /* Debug */
     //SOGoDebugRequests = YES;
     //SoDebugBaseURL = YES;
     //ImapDebugEnabled = YES;
     //LDAPDebugEnabled = YES;
     //PGDebugEnabled = YES;
     //MySQL4DebugEnabled = YES;
     //SOGoUIxDebugEnabled = YES;
     //WODontZipResponse = YES;
     //WOLogFile = /var/log/sogo/sogo.log;
   }

3. Restart SOGo

   systemctl restart sogo

4. Edit the mail.example.org.conf file for NginX:

   nano /etc/nginx/conf.d/mail.example.org.conf

   And edit it to now look like this::

   server {
     server_name mail.example.org;
     root /usr/lib/GNUstep/SOGo/WebServerResources/;
     error_log /var/log/nginx/sogo_error.log;
     access_log /var/log/nginx/sogo_access.log;
     listen 443 ssl;
       ssl_certificate /etc/letsencrypt/live/mail.example.org/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/mail.example.org/privkey.pem;
       include /etc/letsencrypt/options-ssl-nginx.conf;
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
       add_header Strict-Transport-Security "max-age=31536000" always;
       ssl_trusted_certificate /etc/letsencrypt/live/mail.example.org/chain.pem;
       ssl_stapling on;
       ssl_stapling_verify on;
   
     location = / {
       rewrite ^ https://$server_name/SOGo/;
       allow all;
     }
   
     location = /principals/ {
       rewrite ^ https://$server_name/SOGo/dav;
       allow all;
     }
   
     location ^~/SOGo/ {
       proxy_pass "http://127.0.0.1:20000";
       proxy_redirect "http://127.0.0.1:20000" default;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $host;
       proxy_set_header x-webobjects-server-protocol HTTP/1.1;
       proxy_set_header x-webobjects-remote-host 127.0.0.1;
       proxy_set_header x-webobjects-server-name $server_name;
       proxy_set_header x-webobjects-server-url $scheme://$host;
       proxy_connect_timeout 90;
       proxy_send_timeout 90;
       proxy_read_timeout 90;
       proxy_buffer_size 4k;
       proxy_buffers 4 32k;
       proxy_busy_buffers_size 64k;
       proxy_temp_file_write_size 64k;
       client_max_body_size 100m;
       client_body_buffer_size 128k;
       break;
     }
   
     location /SOGo.woa/WebServerResources/ {
       alias /usr/lib/GNUstep/SOGo/WebServerResources/;
       allow all;
     }
   
     location /SOGo/WebServerResources/ {
       alias /usr/lib/GNUstep/SOGo/WebServerResources/;
       allow all;
     }
   
     location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
       alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
     }
   
     location ^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*.(jpg|png|gif|css|js)$ {
       alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
     }
   }
   
   server {
     server_name mail.example.org;
     listen 80;
     error_log /var/log/nginx/sogo_error.log;
     access_log /var/log/nginx/sogo_access.log;
     if ($host = mail.example.org) {
         return 301 https://$host$request_uri;
     }
   }

5. Reload NginX Configuration

   systemctl reload nginx

   That is it, SOGo should now be accessible at https://mail.example.org and you should be able to log in with any user created in postfixadmin.