• Info
  • Prepare for the EWS / grommunio 2023.11.1 release

The current community release contains the EWS code and many improvements. Unfortunately, there also some issues. Here I provide some tips and tricks to fix these issues.

1. grommunio-sync have a new dependency for php-intl

Commit: https://github.com/grommunio/grommunio-sync/commit/2a3ca65b623b3ae920afbe12853c996f183b9ad9 added the new dependency for php-intl.
Unfortunately, this dependency is not hard coded in the grommunio-sync package. On some systems the php-intl is already installed and grommunio-sync works as expected. Some systems miss the php-intl and grommunio-sync stops working after the update.
The simple solution is: manually install the php-intl package.

  • Open SuSE 15.5
    zypper in php8-intl
  • Debian 11
    apt install php7.4-intl
  • Debian 12
    apt install php8.2-intl

2. grommunio log files, stored in a new location

The grommunio nginx log files change their locations from /var/log/grommunio/ to /var/log/nginx/. With this change, there is no need for a separate grommunio logrotate command grommunio-nginx.lr, the nginx logrotate will also rotate the grommunio logs. The following command shows, which logs stored in /var/log/grommunio/: nginx -T | grep /var/log/grommunio/ the returned list, depends on the installed features and migration status.
The transition to the new location, is on the way but not finished. Some logs are now stored in /var/log/nginx/ but some logs are still in the old location /var/log/grommunio/.
This is not an issue, unfortunately the developers removed the logrotate command /etc/logrotate.d/grommunio-nginx.lr. Without of the logrotate command, the logs in /var/log/grommunio/ grow and grow and grow and fill the root volume until the system fails.
Test if the file /etc/logrotate.d/grommunio-nginx.lr exists:
cat /etc/logrotate.d/grommunio-nginx.lr

If you see the content of the file, nothing have to be done. If the file do not exists, the simple solution is, create a new /etc/logrotate.d/grommunio-nginx.lr file with this content:

/var/log/grommunio/*.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    missingok
    notifempty
    delaycompress
    # next line is for Open SuSE
    su nginx root
    # for Debian use
    #su www-data root
    lastaction
      # -s reopen will use the pid file passed in the config file or the compiled in default path
      /usr/sbin/nginx -s reopen
    endscript
}

I have seen this issue only on SuSE systems. The difference between SuSE and Debian are the system user for nginx. The SuSE specific line is su nginx root and the Debian specific line is: su www-data root in /etc/logrotate.d/grommunio-nginx.lr.
I assume every grommunio update will remove the grommunio-nginx.lr, so create a copy in a save place and restore the grommunio-nginx.lr after every update.

A future update will move all logs to the new location /var/log/nginx/ than we may remove the logrotate file and the directory /var/log/grommunio/.

Today's community update (08.11.2023) finished the log file migration
Test if all logs are no longer in /var/log/grommunio: nginx -T | grep /var/log/grommunio/
This command should not return any log files. If this command returns one or more log files, something strange happend on your system, do not continue with Clean Up!

The changes in detail:

  • gromox
    - access_log /var/log/grommunio/nginx-access.log
    + access_log /var/log/nginx/nginx-access.log
  • grommunio-web
    https://github.com/grommunio/grommunio-web/commit/38ace1085b5e4fd68d04cddc83d4179df20af87c
    - access_log /var/log/grommunio/nginx-web-access.log;
    - error_log /var/log/grommunio/nginx-web-error.log;
    + access_log /var/log/nginx/nginx-web-access.log;
    + error_log /var/log/nginx/nginx-web-error.log;
  • grommunio-sync
    https://github.com/grommunio/grommunio-sync/commit/7fa34b97c0b775e8a5ae8f9d9b230ec950a1c9bb
    - access_log  /var/log/grommunio/nginx-sync-access.log;
    - error_log   /var/log/grommunio/nginx-sync-error.log;
    + access_log  /var/log/nginx/nginx-sync-access.log;
    + error_log   /var/log/nginx/nginx-sync-error.log;
  • grommunio-dav
    https://github.com/grommunio/grommunio-dav/commit/b3d78010695a277686bf7ae4c1f5fcd7553d974a
    - access_log  /var/log/grommunio/nginx-dav-access.log;
    - error_log   /var/log/grommunio/nginx-dav-error.log;
    + access_log  /var/log/nginx/nginx-dav-access.log;
    + error_log   /var/log/nginx/nginx-dav-error.log;

Clean Up the system

1. If you use fail2ban, you need to update the /etc/fail2ban/jail.local!
Missing the fail2ban update, presents outdated log files to faile2ban and fail2ban will not block intruders as expected or can't start.

  1. Switch the log location in jail.local
    sed -i 's: /var/log/grommunio/: /var/log/nginx/:g' /etc/fail2ban/jail.local
  2. Restart fail2ban
    systemctl restart fail2ban
  3. Verity if fail2ban is running
    systemctl status fail2ban
  4. If fail2ban is not running, fix the error.

2. Remove the old log directory, logrotate and logrotate fix

  1. Remove the old log directory
    rm -r /var/log/grommunio
  2. Remove the logrotate command - if it exist
    rm /etc/logrotate.d/grommunio-nginx.lr
  3. Remove the logrotate fix - if it exist
    rm /etc/cron.d/logrotate_failed

3. Set the correct owner for the log files in /var/log/nginx/
Some times the owner is incorrect for the log files in /var/log/nginx/, simply reset the owner to nginx:root for Open SuSE or www-data:adm on Debian.

  • Open Suse
    chown nginx:root /var/log/nginx/*
  • Debian
    chown www-data:adm /var/log/nginx/*

3. EWS is disabled - how to enable

Currently EWS is disabled, I assume there is a parameter in an configuration file, unfortunately I did not have enough time to read the EWS code. So I can't answer the question how to enable EWS.
This commit clarifies how to enable EWS: https://github.com/grommunio/gromox/commit/6e623631ccc32226fd1019add12e08aba2eb8e17 for testing.
To enable EWS set the parameter: ews_beta = 1 in configuration file: /et/gromox/ews.cfg
If the ews.cfg file contains this parameter: ews_experimental = 1, remove this line, it is outdated.
Now update your system and test EWS.
As the parameter name suggests, please remember EWS is a beta release.

4. Future updates

I will update this post when I have more information about the update

a. Modifications

20231108 added: Today's community update (08.11.2023) finished the log file migration.
20231108 added: If you use fail2ban, you need to update the /etc/fail2ban/jail.local!
20231109 added: EWS is disabled
20231110 modified: EWS is disabled - how to enable

hello, thanks for the good news. we have done the first tests now both outlook for mac and macos are not working yet..would you have detailed info for the release?

    ak4020 a question, how you enabled the EWS functionality? EWS is per default disabled.

    oh no, may i ask how to do this? unfortunately i haven't found anything..would be mega thanks.

    so we have test with active ews and 401 error we become on outook for mac and macos internet accounts.

    Some additions to the original post:
    20231108 added: Today's community update (08.11.2023) finished the log file migration.
    20231108 added: If you use fail2ban, you need to update the /etc/fail2ban/jail.local!
    20231109 added: EWS is disabled
    See above.

    @WalterH Kannst du vielleicht noch die Versionen ergänzen? Der aktuelle Stand im Debian Repository scheint die Änderungen nämlich auch am 9.11. noch nicht zu haben.

    The current Debian package: grommunio-sync_2.0.38.12b2e4f-0_all.deb contains the new log file locations in crommunio-sync.conf:

    location /Microsoft-Server-ActiveSync {
      alias       /usr/share/grommunio-sync/index.php;
      access_log  /var/log/nginx/nginx-sync-access.log;
      error_log   /var/log/nginx/nginx-sync-error.log;
    ...

    Sorry for being too unspecific: My issue is not with grommunio-sync.

    root@:~# nginx -T | grep /var/log/grommunio/
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
      access_log  /var/log/grommunio/nginx-admin-access.log;
      error_log /var/log/grommunio/nginx-admin-error.log;
      access_log  /var/log/grommunio/nginx-admin-access.log;
      error_log /var/log/grommunio/nginx-admin-error.log;
    error_log /var/log/grommunio/nginx-error.log;
    access_log /var/log/grommunio/nginx-access.log;

    Shouldn´t the update also provide new versions of the conf files in /etc/nginx/conf.d or do I need to update them manually?
    No big deal at all, I just want to make shure if all the updates have been pushed to Debian 12 already.

      weini Try a full update:

      apt update
      apt full-upgrade

      I hope, this helps.
      BTW. the Debian package: grommunio-sync_2.0.38.12b2e4f-0_all.deb was from Debian 11 repository.

      nope, doesn´t help unfortunately.

      Debian 12 repository does also have the grommunio-sync_2.0.38.12b2e4f-0_all.deb, this should be good.

      Which version of grommunio-common contains the new logrotate stuff and the /etc/nginx/conf.d/grommunio.conf, which points to the /var/log/nginx/ log folder?
      I have grommunio-common 21.8eb9e0e-1+34.1 installed, but even with this, my /etc/nginx/conf.d/grommunio.conf points to the /var/log/grommunio/ log folder. So either it is not overwritten when the package is installed or the Debian package in that version still points to the old location.

      Nothing to really worry, I can easily fix this in the config file. It simply looks a bit strange to me.

      I think I got it: I modified /etc/nginx/conf.d/grommunio.conf to adjust the port numbers.
      It seems that the file is then completely skipped in the update. I would have expected at least a /etc/nginx/conf.d/grommunio.conf.dpkg-new being created - but this is not the case.

      Would be great if the packages could be adjusted so that at least dpgk-new files are written for all that lives under /etc. For the files where changes are more likely, I would even suggest to ask the admin if the file should be kept or overwritten when the installation is running.

        On the Appliance, the directory /etc/nginx/conf.d contains two files, the file: grommunio.conf with content:

        cat /etc/nginx/conf.d/grommunio.conf
        include /usr/share/grommunio-common/nginx.conf;

        /usr/share/grommunio-common/nginx.conf includes /usr/share/grommunio-common/nginx/upstreams.d/*.conf;

        cat /usr/share/grommunio-common/nginx.conf
        include /etc/grommunio-common/nginx/upstreams.d/*.conf;
        include /usr/share/grommunio-common/nginx/upstreams.d/*.conf;
        
        error_log /var/log/nginx/nginx-error.log;
        access_log /var/log/nginx/nginx-access.log;
        ...

        In /usr/share/grommunio-common/nginx/upstreams.d/ we find the corresponding include files:

        ls -l /usr/share/grommunio-common/nginx/upstreams.d/
        total 16
        -rw-r--r-- 1 root root 75 Aug  3 12:03 grommunio-dav.conf
        -rw-r--r-- 1 root root 77 Aug 24 21:02 grommunio-sync.conf
        -rw-r--r-- 1 root root 75 Oct 31 16:14 grommunio-web.conf
        -rw-r--r-- 1 root root 52 Oct 25 19:00 gromox.conf

        This should be the same on Debian - I hope so.

          WalterH Minutes ago I verified this on an Debian 11 system. Debian 11 have exactly the same layout as the appliance.
          I assume, you have some configuration files in the wrong location.

          No definitely not!
          As I wrote above, I had the old log folder in /etc/nginx/conf.d/grommunio.conf and I´m quite certain that this file was skipped from being updated because I modified it.
          I now manually adjusted the log paths in this file and it is all good.

            weini Would be great if the packages could be adjusted so that at least dpgk-new files

            dpgk-new files will only be created, if the configuration file was modified by an admin and a new configuration file exists. In this case, there is now new configuration file for /etc/nginx/conf.d/grommunio.conf.

            weini post the content of your /etc/nginx/conf.d/grommunio.conf file.

            Sure, this was the /etc/nginx/conf.d/grommunio.conf before I modified the log paths manually:

            include /etc/grommunio-common/nginx/upstreams.d/*.conf;
            include /usr/share/grommunio-common/nginx/upstreams.d/*.conf;
            
            error_log /var/log/grommunio/nginx-error.log;
            access_log /var/log/grommunio/nginx-access.log;
            
            map $http_user_agent $filter_user_agent {
              default 'unknown';
              ~(iPhone|iPad) ios;
              ~Android android;
              ~Linux linux;
              ~(Windows|MSIE|Mozilla) windows;
              ~Mac macos;
              ~(FreeBSD|OpenBSD|NetBSD) bsd;
              ~Outlook outlook;
              ~Thunderbird thunderbird;
            }
            
            map $http_host $this_host {
              "" $host;
              default $http_host;
            }
            map $http_x_forwarded_proto $the_scheme {
              default $http_x_forwarded_proto;
              "" $scheme;
            }
            map $http_x_forwarded_host $the_host {
              default $http_x_forwarded_host;
              "" $this_host;
            }
            map $http_upgrade $proxy_connection {
              default upgrade;
              "" close;
            }
            
            map $request_uri $topdir {
              ~(?<captured_topdir>^/[a-zA-Z0-9]+/[a-zA-Z0-9]+)[/] $captured_topdir;
            }
            
            server {
              listen 20080;
              listen [::]:20080;
              server_name _;
              return 301 https://$host$request_uri;
              include /usr/share/grommunio-common/nginx/traffic_status_params*.conf;
            }
            
            server {
              server_name  _;
              listen [::]:20443 ssl http2;
              listen 20443 ssl http2;
            
              #use real id and not from apache2 reverse proxy
              real_ip_header    X-Forwarded-For;
              set_real_ip_from  127.0.0.1;
            
              include /etc/grommunio-common/nginx/ssl_*.conf;
              include /usr/share/grommunio-common/nginx/ssl_params.conf;
              include /usr/share/grommunio-common/nginx/proxy_params.conf;
              include /usr/share/grommunio-common/nginx/security.conf;
            
              include /usr/share/grommunio-common/nginx/brotli-params*.conf;
              include /usr/share/grommunio-common/nginx/traffic_status_params*.conf;
              include /etc/nginx/conf.d/grommunio_custom-*.conf.include;
            
              server_tokens off;
            
              include /etc/grommunio-common/nginx/locations.d/*.conf;
              include /usr/share/grommunio-common/nginx/locations.d/*.conf;
            }

              weini you have an very strange setup! My /etc/nginx/conf.d/grommunio.conf file contains only one line:

              cat /etc/nginx/conf.d/grommunio.conf
              include /usr/share/grommunio-common/nginx.conf;

              I assume, this setup can not be supported.

              Please show the content of /usr/share/grommunio-common/nginx/upstreams.d/ with:
              ls -l /usr/share/grommunio-common/nginx/upstreams.d/

              © 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Legal notice