DUAL SERVER: Installation Guide

Steve -

What is mail server

The atmail mail server provides admin users with a GUI to perform many of the admin tasks related to running an email system. 

Some of the functionality provided by the mail server is:

  • The ability to create domains, accounts and sub-domains, and to reset passwords.
  • Control of settings related to IMAP, POP, and SMTP.
  • Integration of the mail server and atmail suite.

What is atmail suite

atmail suite is a browser-based email client that comprises the email client and the JMAP API. It can be integrated with atmail DAV to provide contacts and calendar as well.

Purpose of this guide

The atmail mail server and atmail suite can be installed on separate nodes. This allows dedicated server resources per atmail service: one server can run IMAP, POP and SMTP while a second server runs webmail and DAV. This document illustrates how to configure the atmail mail server and atmail suite software in an integrated environment. Our example uses the following hostnames for each service:

  • atmail mail server : atmail-mail.local
  • atmail suite : atmail-suite.local

Pre-installation notes

SYSTEM REQUIREMENTS

Before you install the atmail suite, please make sure you meet the minimum system requirements.  

Minimum system software requirements

Operating System - CentOS 7.x only

Postfix

If you are planning to use the atmail mail server, you will need to remove the Postfix MTA daemon that is installed by default on CentOS 7.

As you will notice, Postfix is started and listens on localhost on port 25. Proceed with Postfix MTA service removal by issuing the following commands.

systemctl stop postfix
systemctl disable postfix
yum remove postfix -y

MariaDB

MariaDB must be installed and configured before installation of atmail suite or atmail mail server software.

yum install mariadb mariadb-server -y -q

Once the installation is complete, enable MariaDB to start on boot and start the service:

systemctl enable mariadb
systemctl start mariadb

Ensure that the MariaDB service is active:

systemctl status mariadb
● mariadb.service - MariaDB database server
 Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
 Active: active (running) since Mon 2019-12-09 16:05:34 AEST; 2s ago
 Process: 18325 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
 Process: 18237 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 18324 (mysqld_safe)
 CGroup: /system.slice/mariadb.service
 ├─18324 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
 └─18487 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file...

Finally, run the mysql_secure_installation script:

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: *********
Re-enter new password: *********
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
The root password for MariaDB has been set to none. If you set a password, you will need to remember to supply it when installing mail server and atmail suite.

Test if you are able to run MariaDB:

mysql -u root -p
Enter password: *********
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> exit
Bye

OpenSSL

OpenSSL must be installed and configured before installation of atmail suite or atmail mail server software.

yum install openssl openssl-libs -y -q

Firewalld

Ensure you have the appropriate firewalld configuration as this will ensure that the correct ports are opened.  By default, all ports other than 22 will be closed.

Check if firewalld is enabled and started

systemctl is-enabled firewalld
enabled

If this command does not return enabled, run the next command:
systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@a8 services]# systemctl start firewalld
[root@a8 services]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-06-27 16:53:32 AEST; 5s ago

Ensure that firewalld is running:

systemctl start firewalld

List allowed services

firewall-cmd --list-service
dhcpv6-client ssh

Add the required services: HTTPS, SMTP, IMAP, POP3, DAV and DHCP (DHCP may be required in a testing environment).

firewall-cmd --zone=public --add-service=smtp --add-service=smtps --add-service=imap --add-service=imaps --add-service=pop3 --add-service=pop3s --add-service=https --add-service=dhcp --permanent

firewall-cmd --zone=public --add-port=587/tcp --add-port=8443/tcp --permanent

Reload firewalld

firewall-cmd --reload

List the allowed services and ports and check that the additions made above are present. Please note that by default Exim does not have a service running on 587/tcp, so this addition is optional.

firewall-cmd --list-all | grep 'services\|ports' | head -n 2
services: dhcp dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp

Further information on the use of firewalld can be found on our Help Centre page firewalld.

Extra Packages for Enterprise Linux (EPEL)

Some packages are available from the EPEL repository

yum install epel-release -y

This completes the Pre-installation notes

atmail Public Software Repository

 It is now possible to connect to the atmail Public Software Repository and allow yum to install the latest software releases directly.

 To configure your server to use the repository run

 bash <(curl -s https://repo.atmail.com/add_repo) 

This completes the setup of the server and it is now ready for the atmail software.

Continue with the atmail mail server in the next section or if you have already completed this please start the atmail suite Installation Notes further down.

atmail mail server Installation Notes

  • Use yum to install redis.
yum install redis -y
  • Then enable and start redis
systemctl enable redis
systemctl start redis 
  • Use yum to install exim.
yum install exim -y
  • Use yum to install the atmail-common rpm.
yum install atmail-common -y
  • Use yum to install the atmail-cosadm rpm
yum install atmail-cosadm -y
Creating group atmail ..... [ OK ]
Creating user atmail ..... [ OK ]
Switching SELinux to permissive mode ..... [ OK ]
  • Use yum to install the atmail-mailserver-ansible rpm.
yum install atmail-mailserver-ansible -y
  • For a dual server installation the atmail-mailserver-ansible-jap rpm is not needed and can be safely ignored as it has been included in the atmail-mailserver-ansible package above.
  • Use yum to install the atmail-mailserver rpm.
yum install atmail-mailserver -y
  • Configure the atmail mail server using the same MariaDB root password.
/usr/bin/atmail-mailserver-install
Enter DB host [ localhost ] : 
Enter DB port [ 3306 ] :
Enter DB Username with GRANT/CREATE ACCESS [ root ] :
Enter DB Username Password [  ] : *********
Configure Nginx [ yes ] :
Configure PHP-FPM [ yes ] :
  • Use yum to install the atmail-mailserver-plugin-WebmailIntegration rpm.
yum install atmail-mailserver-plugin-WebmailIntegration -y
Enabling plugins ..... [ OK ]

Adding plugin to DB ..... [ OK ]
Adding in config settings to DB ..... [ OK ]
  • Restart services.
systemctl restart php-fpm nginx
  • Register your atmail mail server license details. Access your installation via your URL yourdomainname.com/admin. 

This install uses self-signed certificates, so the browser may warn you that the certificate is not trusted. Acknowledge the browser warning and proceed to the admin site. Instructions for configuring a new certificate are given later in this guide.

Default access details

https://yourdomainname.com/admin/
Username: admin
Password: admin
Click on Login

Register_a_license.png

Enter your atmail ID and the atmail mail server License key.

Add_new_license.png

Click on Register license key and you will receive a pop-up window entitled Insecure Password.

Security_Alert_popup.png

Click on OK to be taken to the Change Password screen

Set_new_admin_password.png

Enter both the old and new passwords before pressing the Change button. This will log out of this session and ask you to log in with the new password.

  • Go to webadmin > Services and press Publish config.

 Publish_config.png

  • Restart services.
systemctl restart dovecot exim php-fpm nginx

Configure Certificates for HTTPS, IMAP, POP3 and SMTP

To secure connections between the two servers, the next step is to configure the domain certificates. We will assume that the new private key is called new-cert.key and the certificate chain is called new-cert.pem, and that you have copied them to the /tmp directory on the servers.

  • For Nginx copy the two files new-cert.key and new-cert.pem and set the correct permissions
cp /tmp/new-cert.key /etc/pki/nginx/private/
cp /tmp/new-cert.pem /etc/pki/nginx/certs/

chown root:nginx /etc/pki/nginx/private/new-cert.key
chmod 0640 /etc/pki/nginx/private/new-cert.key

chown root:root /etc/pki/nginx/certs/new-cert.pem

chmod 0444 /etc/pki/nginx/certs/new-cert.pem
  • Update the nginx configuration file to use these new keys by changing the ssl_certificate_key and ssl_certificate lines.
vi /etc/nginx/conf.d/atmail.conf
ssl_certificate_key /etc/pki/nginx/private/new-cert.key;
ssl_certificate /etc/pki/nginx/certs/new-cert.pem;
  • Restart Nginx and apiserver
systemctl restart nginx apiserver

You will now be able to use https with a secure trusted connection.

  • For IMAP and POP3
cp /tmp/new-cert.key /etc/pki/dovecot/private/
cp /tmp/new-cert.pem /etc/pki/dovecot/certs/

chown root:root /etc/pki/dovecot/private/new-cert.key

chmod 0640 /etc/pki/dovecot/private/new-cert.key

chown root:root /etc/pki/dovecot/certs/new-cert.pem
chmod 0444 /etc/pki/dovecot/certs/new-cert.pem
  • Go to webadmin > Services > POP3/IMAP
    • Turn ON Enable SSL POP3/IMAP 
    • Turn ON Force SSL POP3/IMAP before authentication
    • update the entry for SSL certificate path 
    • update the entry for SSL key path.

POP3_IMAP.png

  • Click on Save settings and Publish config to save the changes
  • For SMTP
mkdir -p /etc/pki/exim/private /etc/pki/exim/certs

cp /tmp/new-cert.key /etc/pki/exim/private/
cp /tmp/new-cert.pem /etc/pki/exim/certs/

chown root:exim /etc/pki/exim/private/new-cert.key

chmod 0640 /etc/pki/exim/private/new-cert.key

chown root:root /etc/pki/exim/certs/new-cert.pem
chmod 0444 /etc/pki/exim/certs/new-cert.pem
  • Go to webadmin > Services > SMTP
    • Turn ON Force TLS/SSL before auth
    • update the entry for SSL certificate path
    • update the entry for SSL key path.

SMTP.png

  • Click on Save settings and Publish config to save the changes

Post-installation notes

PHP SETTINGS

Define your timezone for php by editing php.ini and updating the variable to your timezone as displayed below. A list of valid timezones can be found at http://php.net/date.timezone 

vi /etc/php.ini
[Date]                                                                                              
; Defines the default timezone used by the date functions 
; http://php.net/date.timezone                            
date.timezone = Australia/Brisbane 

After updating the php.ini file, restart services:

systemctl restart php-fpm nginx

KNOWN ISSUES

CRON

There are two known issues with the cron jobs for atmail on the mailstores, which are held in /etc/cron.d/atmail-mailserver.cron. These can be corrected manually:

vi /etc/cron.d/atmail-mailserver.cron

The first is a command missing from the file. Add the following line to run the task that removes deleted accounts from the server:

0 10 * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/delete_account.php

The second is that the existing command has too many asterisks and so does not run. Change

30 23 * * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/atmail.php

to be

30 23 * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/atmail.php
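
A lint for the cron fix above, as an added example that is not part of the atmail documentation. It checks every entry of a cron.d-style file for five time fields followed by a user name and a command, which catches the six-asterisk line; the helper name check_cron_d and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not atmail code): lint a system crontab such as
# /etc/cron.d/atmail-mailserver.cron. Each entry must read
#   minute hour day-of-month month day-of-week USER command...
# A sixth time field lands in the USER position, which is the fault described above.

check_cron_d() {    # hypothetical helper: prints findings, returns 1 if any
    file=$1; lineno=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f     # split on whitespace without globbing '*'
        case ${1:-#} in '#'*|*=*) continue ;; esac   # blank, comment, VAR=value
        case ${2:-} in =*) continue ;; esac           # VAR = value
        case $1 in
            @*) user=${2:-}; ncmd=$(($# - 2)) ;;      # @daily, @reboot, ...
            *)  n=0; err=
                for f in "$@"; do
                    n=$((n + 1)); [ "$n" -gt 5 ] && break
                    case $f in
                        *[!0-9A-Za-z*,/-]*) err="time field $n is '$f'"; break ;;
                    esac
                done
                if [ -n "$err" ] || [ "$#" -lt 7 ]; then
                    echo "$file:$lineno: ${err:-expected 5 time fields, user, command}"
                    bad=1; continue
                fi
                user=$6; ncmd=$(($# - 6)) ;;
        esac
        case $user in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*)
                echo "$file:$lineno: user field is '$user' (too many time fields?)"
                bad=1 ;;
            *)  if ! id -u "$user" >/dev/null 2>&1; then
                    echo "$file:$lineno: unknown user '$user' (user field missing?)"
                    bad=1
                elif [ "$ncmd" -lt 1 ]; then
                    echo "$file:$lineno: no command after user '$user'"
                    bad=1
                fi ;;
        esac
    done <"$file"
    return "$bad"
}

# Constructed sample holding the broken and corrected lines quoted in this guide.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed copy of /etc/cron.d/atmail-mailserver.cron
30 23 * * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/atmail.php
30 23 * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/atmail.php
0 10 * * * root php /usr/share/atmail/mailserver/webui/utilities/cron/delete_account.php
EOF
check_cron_d "$sample" || echo "correct the entries listed above"
rm -f "$sample"
```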

 

This completes the atmail mailserver installation on atmail-mail.local.

The next task is to install atmail suite onto the second server, atmail-suite.local.

This guide assumes the second server has been prepared following the same Pre-installation notes and atmail Public Software Repository sections above.

atmail suite Installation Notes

  • Use yum to install the atmail-common rpm.
yum install atmail-common -y
    Creating group atmail ..... [ OK ]
    Creating user atmail ..... [ OK ]
    Switching SELinux to permissive mode ..... [ OK ]
  • Use yum to install the atmail-api rpm.
yum install atmail-api -y
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@extras)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Remove /etc/atmail/api/.master on slave nodes
Created symlink from /etc/systemd/system/multi-user.target.wants/apiserver.service to /usr/lib/systemd/system/apiserver.service.
  • Configure the atmail API server. 

During this step you will need to define your IMAP and SMTP settings for your mail server host. Please note that your browser will need to resolve the entry placed in the URL Hostname field. In the example below, your browser will try to resolve https://atmail-suite.local/login. If testing, the easiest way is to use the server's IP address or check the current server hostname with

hostname


Then run the following command using the root password you set in the MariaDB installation

/usr/bin/atmail-api-install
Enter DB Host [ localhost ] :
Enter DB Port [ 3306 ] :
Enter DB user that has create user/grant access [ root ] :
Enter root password [  ] : *********
Enter URL Hostname where atmail services will be found [ atmail-suite.local ] :
Will the API provision contacts/calendars/myfiles [ yes ] :
Enter MAX ZIP DOWNLOAD in bytes [ 32000000 ] :
DAV provisioning has been enabled - you will need to update api.conf with details provided by dav install
Is this a webmail ONLY install ? (ie no mailserver) yes/no [ no ] : yes
Enter IMAP server:port accounts will connect to [ localhost:143 ] : atmail-mail.local:993
Will this connection use tls/ssl true/false [ false ] : true
Enter outbound SMTP server accounts will use [ localhost:25 ] : atmail-mail.local:465
Will this connection use SMTP Auth true/false [ true ] :
Will this connection use tls/ssl true/false [ false ] : true
Enter your atmail ID : <atmail ID>
Enter you licence key : <atmail suite licence key>
Configure NginX [ yes ]

Create the apiadmin profile:

source /etc/profile.d/atmail-apiadmin.sh

Create an admin user by running the following command with your values for username and password

apiadmin user add <username> <password> --role=admin
  • Use yum to install redis.
yum install redis -y
  • Then enable and start redis.
systemctl enable redis
systemctl start redis 
  • Edit api.conf.

Next, open your /etc/atmail/api/api.conf with a text editor and update the MAILSERVER_BASEURL with the hostname of your mail server installation.

vi /etc/atmail/api/api.conf

###
### API
###

API_ADDR=127.0.0.1:3000
EVENTSOURCE_ADDR=127.0.0.1:3001

BASE_URI=/api
API_URL=https://atmail-suite.local/api/jmap
EVENTSOURCE_URL=https://atmail-suite.local/event
UPLOAD_URL=https://atmail-suite.local/api/upload
DOWNLOAD_URL=https://atmail-suite.local/api/download?blobId={blobId}&name={name}&accountId={accountId}
REGISTER_URL=https://atmail-suite.local/api/register
MAILSERVER_BASEURL=atmail-mail.local
STATIC_BASE_URL=https://atmail-suite.local/static
  • Restart API service
systemctl restart apiserver
  • Check the status of apiserver and ensure it is active and running.
systemctl status apiserver
apiserver.service - atmail-api - jmap api for atmail webmail
   Loaded: loaded (/usr/lib/systemd/system/apiserver.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/apiserver.service.d
           └─depends.conf
   Active: active (running) since Fri 2020-03-20 15:16:40 GMT; 3min 21s ago
     Docs: http://www.atmail.com/
 Main PID: 21002 (apiserver)
   CGroup: /system.slice/apiserver.service
           └─21002 /usr/bin/apiserver -config /etc/atmail/api/api.conf
  • Use yum to install the atmail-webmail rpm.
yum install atmail-webmail -y

Configure the atmail webmail

/usr/bin/atmail-webmail-configure
Enter URL Hostname for atmail services [ localhost.localdomain ] :
Enter brand name for webmail (will be shown in browser tab/title bar) [ ] :
Configure NginX [ yes ] :
  • Restart NGINX
systemctl restart nginx
  • OPTIONAL: DAV provides both contacts and calendar services.

Use yum to install the atmail-dav rpm.

yum install atmail-dav -y
Generating self-signed cert

Configure the atmail DAV service using the same MariaDB root password

/usr/bin/atmail-dav-install
Enter DB Host [ localhost ] :
Enter DB Port [ 3306 ] :
Enter DB user that has create user/grant access [ root ] :
Enter root password [  ] : *********
Configure NginX [ yes ] :
Configure PHP-FPM [ yes ] :
Would you like the api.conf updated to include dav DSN yes/no [ yes ] :
  • Restart services.
systemctl restart php-fpm nginx apiserver

Once both services are up and running, we need to complete the integration.

  • Configure the Webmail API

webmail_api_dual.png

Click on Save Settings

Configure Certificates for HTTPS

To secure connections between users and the atmail Suite server, the next step is to configure the domain certificates. We will assume that the new private key is called new-cert.key and the certificate chain is called new-cert.pem, and that you have copied them to the /tmp directory on the servers.

  • For Nginx copy the two files new-cert.key and new-cert.pem and set the correct permissions
cp /tmp/new-cert.key /etc/pki/nginx/private/
cp /tmp/new-cert.pem /etc/pki/nginx/certs/

chown root:nginx /etc/pki/nginx/private/new-cert.key
chmod 0640 /etc/pki/nginx/private/new-cert.key

chown root:root /etc/pki/nginx/certs/new-cert.pem

chmod 0444 /etc/pki/nginx/certs/new-cert.pem
  • Update the nginx configuration file to use these new keys by changing the ssl_certificate_key and ssl_certificate lines.
vi /etc/nginx/conf.d/atmail.conf
ssl_certificate_key /etc/pki/nginx/private/new-cert.key;
ssl_certificate /etc/pki/nginx/certs/new-cert.pem;
  • Restart Nginx and apiserver
systemctl restart nginx apiserver

You will now be able to use https with a secure trusted connection.
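
A check to run before restarting services, for the certificate steps above and the matching Nginx, IMAP/POP3 and SMTP steps on the mail server; it is an added example, not part of the atmail documentation. It confirms that the private key belongs to the certificate, that the certificate is not about to expire, and that the key has the owner, group and mode this guide sets. The function names check_tls_pair and selftest_tls_pair are hypothetical.

```shell
#!/bin/sh
# Added example (not atmail code). Usage with the paths from this guide:
#   check_tls_pair /etc/pki/nginx/private/new-cert.key   /etc/pki/nginx/certs/new-cert.pem   root:nginx
#   check_tls_pair /etc/pki/dovecot/private/new-cert.key /etc/pki/dovecot/certs/new-cert.pem root:root
#   check_tls_pair /etc/pki/exim/private/new-cert.key    /etc/pki/exim/certs/new-cert.pem    root:exim
# Returns 0 when all checks pass, 1 on a finding, 2 when a file cannot be parsed.

check_tls_pair() {
    key=$1; cert=$2; want_owner=$3; rc=0

    # x509 reads the first certificate in the file, so in a chain file the
    # server (leaf) certificate must come first.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate $cert"; return 2; }
    # -passin pass: makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 2; }

    # Same public key on both sides means the key belongs to the certificate.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the certificate in $cert"; rc=1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24 hours"; rc=1
    fi

    # The guide sets the key to root:<service group> and mode 0640.
    owner=$(stat -c '%U:%G' "$key"); mode=$(stat -c '%a' "$key")
    if [ "$owner" != "$want_owner" ] || [ "$mode" != 640 ]; then
        echo "FAIL: $key is $owner mode $mode, expected $want_owner mode 640"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key matches $cert"
    return "$rc"
}

# Self-test on a throwaway self-signed pair (constructed; the CN is this
# guide's example hostname). Nothing under /etc/pki is touched.
selftest_tls_pair() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=atmail-suite.local \
        -keyout "$d/test.key" -out "$d/test.pem" 2>/dev/null || { rm -rf "$d"; return 2; }
    chmod 0640 "$d/test.key"
    check_tls_pair "$d/test.key" "$d/test.pem" "$(stat -c '%U:%G' "$d/test.key")"
    r=$?
    rm -rf "$d"
    return "$r"
}

selftest_tls_pair || echo "self-test failed (is openssl installed?)"
```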

Your atmail suite installation is now complete!

Test your installation by connecting to webmail via your URL yourdomainname.com/login.

https://yourdomainname.com/login/

Post-installation notes

DAV INTEGRATION

If installing atmail-dav for contacts and calendars, invites will not work on an out-of-the-box install, as the DAV sender needs to be set in the DAV config file.

Open the config.php file

vi /etc/atmail/dav/config.php

Find the DAV_SENDER value define('DAV_SENDER', 'noreply'); and update this to your email domain

define('DAV_SENDER', 'noreply@yourdomainname.com');

Save the update to the config.php file

Now you will be able to send calendar invites.

This completes the atmail suite installation on atmail-suite.local.

Now that both services are integrated, you can perform tasks like creating users via your https://atmail-mail.local/admin and then logging in with them via https://atmail-suite.local.

Troubleshooting

The following logs will be of use in troubleshooting issues:

Mail server:

  • /var/log/maillog
  • /var/log/atmail/*
  • /var/log/nginx/atmail_*
  • /var/log/php-fpm/*

Suite:

  • /var/log/atmail/api.log
  • /var/log/nginx/atmail_*
  • /var/log/nginx/dav_errors.log

Starting the apiserver with a HEALTH_CHECK and outputting to STDOUT will also provide verbose debugging.

Open your /etc/atmail/api/api.conf with a text editor and add the following entry to the top of the file.

vi /etc/atmail/api/api.conf

HEALTH_CHECK=true

You can then start apiserver using the below command:

/usr/bin/apiserver -c /etc/atmail/api/api.conf -V -console

 
