I guess this was just done out of habit.
And if you look a bit deeper you will also find a few of those commands already in use from the original script as it seems.


root@grom-deb:/usr/local/share/grommunio-setup# grep -iR firewall-cmd
common/ssl_setup:    firewall-cmd --add-port=80/tcp --zone=public --permanent
common/ssl_setup:    firewall-cmd --add-service=https --zone=public --permanent
common/ssl_setup:    firewall-cmd --reload


grommunio-test:/usr/share/grommunio-setup # grep -iR firewall
common/ssl_setup:    firewall-cmd --add-port=80/tcp --zone=public --permanent
common/ssl_setup:    firewall-cmd --add-service=https --zone=public --permanent
common/ssl_setup:    firewall-cmd --reload
setup.sh:writelog "Config stage: open required firewall ports"
setup.sh:  firewall-cmd --add-service=https --zone=public --permanent
setup.sh:  firewall-cmd --add-port=25/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=80/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=110/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=143/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=587/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=993/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=8080/tcp --zone=public --permanent
setup.sh:  firewall-cmd --add-port=8443/tcp --zone=public --permanent
setup.sh:  firewall-cmd --reload

I don't really know what cockpit is and after a quick search this seems to be some new (maybe not so insecure) webmin?

To provide the same capabilities in terms of management the use of firewalld maybe is the best choice.

  • It's pretty easy to handle (you will not be so likely to lock down your network by accident).
  • The OpenSuse release already ships with it, which then also means that any problems or enhancements could be handled without thinking in two different worlds (*clearsthroat* zypper in -y zypper-aptitude).

And on my thought that iptables has to be switched to nftables commands anyway, I took a peek in the Debian wiki and it seems like it isn't discouraged to make use of firewalld anyway.


@eryx Thanks for the script. The link in the first post is not up-to-date anymore, btw.

I cannot get antispam running. The script configures grommunio-antispam but never installs the package. Therefore, I used the .deb file in the temp_packages directory. But no e-mails are scanned. I can only log in to the rspamd status page if worker-controller.inc is copied to /etc/rspamd/local.d instead of /etc/grommunio-antispam/local.d. I suspect the whole configuration under /etc/grommunio-antispam/ is not read.

grommunio-antispam status

grommunio-antispam.service - rapid spam filtering system
     Loaded: loaded (/lib/systemd/system/grommunio-antispam.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-09-13 18:45:49 CEST; 8s ago
       Docs: https://rspamd.com/doc/
   Main PID: 367724 (rspamd)
      Tasks: 8 (limit: 19171)
     Memory: 145.5M
        CPU: 1.269s
     CGroup: /system.slice/grommunio-antispam.service
             ├─367724 rspamd: main process
             ├─367726 rspamd: rspamd_proxy process (localhost:11332)
             ├─367727 rspamd: controller process (localhost:11334)
             ├─367728 rspamd: normal process (localhost:11333)
             ├─367729 rspamd: normal process (localhost:11333)
             ├─367730 rspamd: normal process (localhost:11333)
             ├─367731 rspamd: normal process (localhost:11333)
             └─367732 rspamd: hs_helper process

Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_cache_redis_init: cannot init redis cache for BAYES_SPAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_init: error adding cache redis for symbol BAYES_SPAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_init: cannot init backend redis for statfile BAYES_SPAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_redis_init: cannot init redis backend for BAYES_HAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_cache_redis_init: cannot init redis cache for BAYES_HAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_init: error adding cache redis for symbol BAYES_HAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <5z4saj>; cfg; rspamd_stat_init: cannot init backend redis for statfile BAYES_HAM
Sep 13 18:45:50 vps5 rspamd[367727]: #367727(controller) <k6xuay>; rrd; rspamd_rrd_open: rrd file opened: /var/lib/rspamd/rspamd.rrd
    FelixVictor @eryx Thanks for the script. The link in the first post is not up-to-date anymore, btw.

    Changed the link. Normal user rights don't allow editing posts after someone has answered.

    Heyho, sorry for the long wait. I will have a look tomorrow. Regarding the iptables, it's exactly as @crpb said, it's because I'm only used to iptables. Never worked with firewalld. If someone can suggest something there, that would be great; would be nice to get a PR for this ;-)


      Sure thing, I will see to it and send a PR, once I get that ready.

      @crpb thanks for the PullRequest. I've added two comments. At least the one would be nice if you can translate the one comment :-)

      *hrhr*, yeah it was late and after multiple snapshot reverts and retries and accidentally resetting my repo clone I was too lazy to rebuild all those commits and just copied it over.. and just going over the commit I see a typo in postconf... just did a PR.

      And the jest about groundhog-day was about the wrong User for nginx in Debian.
      @mwilliams a reminder: it is still "www-data" and not "nginx" in Debian (and Ubuntu) :P.

      ^^ yep got that ;-) Thanks for the correction. I merged it.

      I also tested the script and am very happy! Great work! Top!!!

      One more thing I noticed: the admin password that was set does not work for: https://ip::8443/rspamd/

      In the install script this is done:
      rspamadm pw -p "XXXX" | sed -e 's#^#password = "#' -e 's#$#";#' >/etc/grommunio-antispam/local.d/worker-controller.inc
      Even if you set a new one here, I can't get into the rspamd admin interface.
      Am I doing something wrong?

      printf 'password = "%s";\n' "$(rspamadm pw -p "${ADMIN_PASS}")" would have done it too, but fine.

      And the same result here. Then I uninstalled grommunio-antispam and tada.. it works.
      I guess the package @eryx built isn't really needed with all of its content.
      There is also a Note in some Topic from @mwilliams about grommunio-antispam/rspamd that it is basically just a renamed release.
      Those two rspamd/grommunio-antispam services did fight each other :P

      At least these things would be beneficial I guess.

      root@grom-deb:~# tar Jft "$TMPDIR/data.tar.xz"|grep -iE 'grommunio.*spam.*'
      root@grom-deb:~# tar Jft "$TMPDIR/data.tar.xz"|grep -E 'grommunio.*run' |xargs -n 1 tar Jfx "$TMPDIR/data.tar.xz" -C /
      root@grom-deb:~# systemctl daemon-reload
      root@grom-deb:~# systemctl enable --now grommunio-spam-run.timer grommunio-spam-run.service
      Created symlink /etc/systemd/system/timers.target.wants/grommunio-spam-run.timer → /lib/systemd/system/grommunio-spam-run.timer.

      And those lines should wander into the Files in /etc/rspamd/

      /etc/grommunio-antispam/local.d/worker-controller.inc-# If the mailer is running on the same host use a unix socket
      /etc/grommunio-antispam/local.d/worker-controller.inc:#bind_socket = "/run/grommunio-antispam/worker-controller.socket mode=0666";
      /etc/grommunio-antispam/local.d/worker-proxy.inc-# If the mailer is running on the same host use a unix socket
      /etc/grommunio-antispam/local.d/worker-proxy.inc:#bind_socket = "/run/grommunio-antispam/worker-proxy.socket mode=0666";
      /etc/grommunio-antispam/local.d/worker-normal.inc-# If the mailer is running on the same host use a unix socket
      /etc/grommunio-antispam/local.d/worker-normal.inc:#bind_socket = "/run/grommunio-antispam/worker.socket mode=0666";

      But if you look into all those files this could be done with a few heredocs and no pulling of some package or anything, because there aren't many changes...
      Well maybe my diff from another Topic to have a Configvalue if those Mails should be deleted or not :-).

        Hi, I did a grommunio Debian 11 installation from scratch (without script). Now I have an issue with php-fpm. Grommunio wants to place the php-fpm sockets in /run/php-fpm; unfortunately /run is a temporary file system and systemd on Debian 11 did not create /run/php-fpm. Question: in which /run folder does your installation place the grommunio-sync and grommunio-web sockets?

        Hi Walter,
        mine looks like this:
        root@mail:~# ll /run/php*
        insgesamt 4
        -rw-r--r-- 1 root root 6 29. Sep 14:23 php7.4-fpm.pid
        srw-rw---- 1 www-data www-data 0 29. Sep 14:23 php7.4-fpm.sock=
        lrwxrwxrwx 1 root root 30 27. Sep 16:15 php-fpm.sock -> /etc/alternatives/php-fpm.sock=

        insgesamt 0
        srw-rw-rw- 1 grodav grodav 0 29. Sep 14:23 grommunio-dav=
        srw-rw-rw- 1 grosync grosync 0 29. Sep 14:23 grommunio-sync=
        srw-rw-rw- 1 groweb groweb 0 29. Sep 14:23 grommunio-web=

          segro How did you manage to get /run/php-fpm/ created? My Debian 11 does not create /run/php-fpm/ after a reboot.

          Hey Walter, I installed via the script and I thought you just wanted to have a comparison with your manual installation.

            segro thank you, I found it, these lines solve the issue:
            # fix run directory for php-fpm
            echo "d /run/php-fpm 0755 www-data gromox - -" >/etc/tmpfiles.d/run-php-fpm.conf
            systemd-tmpfiles --create

            Unfortunately this raises the next error in a grommunio package:
            /usr/lib/tmpfiles.d/grommunio-admin-api.conf:1: Failed to resolve group 'nginx'.
            I replaced 'nginx' with 'www-data' in this .config file.

              So after an apt-get dist-upgrade this problem may occur again.


              cp /usr/lib/tmpfiles.d/grommunio-admin-api.conf /etc/tmpfiles.d/
              sed -i 's/nginx/www-data/g' /etc/tmpfiles.d/grommunio-admin-api.conf

              Which we also should do with the install-script :P

              PR: https://github.com/eryx12o45/grommunio-setup/pull/17
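A small helper for the tmpfiles.d override discussed in the last few posts, added here as an example; it is not part of eryx's setup script or of the PR. It rewrites only the User and Group fields of the packaged fragment into /etc/tmpfiles.d (so a path that happens to contain "nginx" stays untouched, unlike a blanket sed), and it lists any account names that systemd-tmpfiles would fail to resolve on the host. The function names are my own; `awk`, `getent` and `systemd-tmpfiles --create <file>` are standard tools.

```shell
#!/bin/sh
# Added example, not part of the grommunio-setup script: generate the
# /etc/tmpfiles.d override from the packaged fragment instead of editing
# /usr/lib/tmpfiles.d in place, so the fix survives dist-upgrades.
# tmpfiles.d line layout: Type Path Mode User Group Age Argument

# Rewrite only the User and Group fields (4 and 5) of a fragment.
# A path or argument that happens to contain the old name is left alone,
# which a plain "sed s/nginx/www-data/g" would not guarantee.
#   $1 input fragment   $2 output file   $3 old account   $4 new account
remap_tmpfiles_owner() {
    awk -v old="$3" -v new="$4" '
        /^[ \t]*#/ || NF == 0 { print; next }   # comments and blank lines verbatim
        {
            if (NF >= 4 && $4 == old) $4 = new
            if (NF >= 5 && $5 == old) $5 = new
            print
        }' "$1" >"$2"
}

# List the User/Group names in a fragment that do not resolve on this host,
# i.e. the ones systemd-tmpfiles reports as "Failed to resolve ...".
# Output: one "user NAME" or "group NAME" line per unresolved account.
unresolved_tmpfiles_accounts() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         NF >= 4 && $4 != "-" { print "user",  $4 }
         NF >= 5 && $5 != "-" { print "group", $5 }' "$1" | sort -u |
    while read -r kind name; do
        case "$kind" in
            user)  getent passwd "$name" >/dev/null || echo "user $name" ;;
            group) getent group  "$name" >/dev/null || echo "group $name" ;;
        esac
    done
}

# Install the override for one packaged fragment and apply it, e.g.
#   install_tmpfiles_override grommunio-admin-api.conf nginx www-data
install_tmpfiles_override() {
    remap_tmpfiles_owner "/usr/lib/tmpfiles.d/$1" "/etc/tmpfiles.d/$1" "$2" "$3" &&
        systemd-tmpfiles --create "/etc/tmpfiles.d/$1"
}
```

Run `unresolved_tmpfiles_accounts /usr/lib/tmpfiles.d/grommunio-admin-api.conf` first to see which names need remapping before writing the override.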

                crpb great idea to copy the file in the user location.

