ckd

- Disable SFTP by default.
- Disallow root login through SSH by default.
- Add "Enable / Disable SSH Management" to CUI.
- Password for root should be generated during the installation and people must be forced to write it down before installation can be completed.
- Automatic password generation for root, so customers do not choose a lousy one.
- Instead of root, use a "manager" account with sudo permissions (Change system password in CUI).
- When logging on with the "manager" user, the CUI should automatically start.
- Login to CUI should also be the password of the "manager" user, instead of root.
- For better user experience, default editor "nano" should be installed and set by default for both "manager" and root, or at least prompt for selection on first use.
- Default RFC1918 restrictions for Grommunio Admin (port 8443/8080); enforcing this with firewalld isn't sufficient, as customers tend to disable firewalld on SLES machines by default.
- All applications: E-Mail, Chat, Video, Files, Archive, RSpamd should be RFC1918 restricted by default. You could add this to CUI in order to allow customers to "publish" their applications to the internet.
- Please add AppArmor or SELinux support for better security hardening.
- Consider creating dedicated partitions for logging and temp directories, so the system isn't affected / does not run out of space when too many log files are written (e.g. brute force, denial of service, software bugs etc.).
- Increase the size of the boot partition. In many cases servers are not frequently rebooted and regular system updates may cause the system to run out of space on this partition.
- Dedicated partition for all Grommunio related log files so this information can easily be used by SIEM / logging infrastructure.
- Menu option L (Logs) should require the "manager" password before displaying any information.
- Allow installing TLS certificates through CUI, e.g. the "manager" logs on through SSH and then copies and pastes the certificate with chain and private key. The CUI should then automatically restart all depending services. This would also solve the problem that you won't have to open any outgoing ports for Let's Encrypt during installation.
- Allow the import of internal CA certificates on CUI, so those CAs are trusted by default. Most customers will most likely fail on how to do this if they are not already familiar with SLES or with Linux in general, and choose insecure configurations later.
- Add a security dashboard to Grommunio Admin that will list + check all recommended security measures and alert the customer if not completed. You could also use this to alert your customers on zero day vulnerabilities etc.
- Add a files health / integrity check for Grommunio, including a check on files that do not belong there.
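
Three of the checks requested above (root login over SSH, the SFTP subsystem, RFC1918-only access) could be automated for the proposed security dashboard along these lines. This is an added example, not part of the original post and not Grommunio code; the function names and the allow-list input are assumptions, and `Include` files and `Match` blocks in `sshd_config` are not followed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sshd_global_options(text):
    """Parse the global part of an sshd_config text.
    sshd keeps the FIRST value it obtains for a keyword, so later
    duplicates are ignored here as well."""
    opts, subsystems = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip() if len(fields) == 2 else ""
        if key == "match":          # conditional blocks are out of scope
            break
        if key == "subsystem":      # e.g. "Subsystem sftp /path/to/sftp-server"
            subsystems.append(value.split()[0].lower() if value else "")
        else:
            opts.setdefault(key, value.lower())
    return opts, subsystems

def outside_rfc1918(cidrs):
    """Return the allow-list entries that are not inside an RFC1918 range."""
    bad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            bad.append(cidr)
    return bad

def audit(sshd_text, allowed_sources):
    opts, subsystems = sshd_global_options(sshd_text)
    return {
        # An absent keyword fails too: the OpenSSH default still allows key-based root login.
        "root_login_disabled": opts.get("permitrootlogin") == "no",
        "sftp_disabled": "sftp" not in subsystems,
        "sources_not_rfc1918": outside_rfc1918(allowed_sources),
    }

# Constructed sample input, not taken from a Grommunio appliance.
SAMPLE_SSHD = """# constructed example
PermitRootLogin prohibit-password
Subsystem sftp /usr/lib/ssh/sftp-server
PermitRootLogin no
"""
SAMPLE_SOURCES = ["10.20.0.0/16", "192.168.1.0/24", "172.32.0.0/16", "0.0.0.0/0"]

if __name__ == "__main__":
    for check, result in audit(SAMPLE_SSHD, SAMPLE_SOURCES).items():
        print(f"{check}: {result}")
```

The sample fails the root-login check even though it contains `PermitRootLogin no`, because the earlier `prohibit-password` line is the one sshd honours.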