6 Server Preparations
Before you can install OpenEMM, the server has to be prepared as described in this section.
Create a group and a user openemm:
groupadd openemm
useradd -m -g openemm -d /home/openemm -s /bin/bash openemm
passwd openemm
su - openemm
6.1 Firewall Configuration
If necessary, install the firewall software, then enable and start it:
Open port 25 and port 8080 in your firewall and add a port forwarding from port 80 to 8080, so you do not have to enter the URL of your OpenEMM server with ":8080" at the end:
If your zone is "public" (otherwise substitute the zone name reported by the statement above):
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=25/tcp --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
firewall-cmd --reload
If you want to use the HTTPS protocol instead of HTTP (which we strongly recommend for production environments), you additionally need a forwarding from port 443 to 8443, and port 8443 must be open in the same way as 8080:
If you use SUSE, we recommend using iptables, which can be installed with
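The following script is an added example and not part of the OpenEMM documentation. It applies the firewalld rules from this section for a given zone and, when asked, extends them to the HTTPS case (port 8443 open, 443 forwarded to 8443). It assumes firewalld is the active firewall and that the script is run as root; set DRY_RUN=1 to list the commands without executing them. Because firewall-cmd reports ALREADY_ENABLED and exits 0 for a rule that already exists, the script can be re-run safely.

```shell
#!/bin/sh
# Added example (not OpenEMM project code): firewalld rules for an OpenEMM host.
# Assumptions: firewalld is in use, run as root, zone name passed as $1,
# "$2" = yes additionally prepares HTTPS (8443 open, 443 -> 8443 forwarded).
# DRY_RUN=1 prints the commands instead of running them.

openemm_fw_commands() {
    zone="$1"
    https="$2"
    # SMTP must stay reachable so bounces and autoresponder mails come back.
    cat <<EOF
firewall-cmd --zone=$zone --add-port=25/tcp --permanent
firewall-cmd --zone=$zone --add-port=8080/tcp --permanent
firewall-cmd --zone=$zone --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
EOF
    # Port 80/443 themselves are not opened: the forward-port rule accepts
    # the incoming connection and hands it to Tomcat's port.
    if [ "$https" = "yes" ]; then
        cat <<EOF
firewall-cmd --zone=$zone --add-port=8443/tcp --permanent
firewall-cmd --zone=$zone --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
EOF
    fi
    echo "firewall-cmd --reload"
}

openemm_fw_apply() {
    openemm_fw_commands "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}

# Quick check after applying: prints the ports and forwards firewalld now holds
# for the zone, so a missing rule is visible before the first mailing goes out.
openemm_fw_show() {
    zone="$1"
    firewall-cmd --zone="$zone" --list-ports
    firewall-cmd --zone="$zone" --list-forward-ports
}

# Example call (executes firewall-cmd unless DRY_RUN=1):
# DRY_RUN=1 openemm_fw_apply public yes
```

Run openemm_fw_apply public no for the plain HTTP setup from this section, or openemm_fw_apply public yes for HTTPS; openemm_fw_show public then lists what firewalld actually holds in the zone.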
6.2 Postfix Deployment
Since Postfix is used as the SMTP server (MTA), you have to stop and remove Sendmail first (in case it is installed), and install the required packages for Postfix (in case they are not already installed).
RHEL:
SLES:
RHEL + SLES:
Further dependencies will be resolved and installed automatically by the repository management software.
Switch the default SMTP server to Postfix with
and create a symlink so that OpenEMM can find the Postfix mail log file:
After installation of Postfix, you have to change its configuration to enable all the features OpenEMM needs. To do this, change to the Postfix main configuration directory:
Add some configuration parameters to Postfix' main configuration file main.cf:
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
message_size_limit = 0
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = $smtp_tls_ciphers
hash_queue_depth = 2
enable_long_queue_ids = yes
relay_domains = hash:/home/openemm/var/run/relay.domains
transport_maps = hash:/home/openemm/var/run/transport.maps
smtpd_milters = unix:/home/openemm/var/run/bav.sock
If main.cf already contains lines setting parameters of the same name (like inet_interfaces, inet_protocols or smtpd_tls_security_level), either comment them out with a leading # character (this keeps the original values as a backup) or overwrite them with the new values. Postfix uses the last definition of a parameter but logs a warning for every earlier one it overrides, so leaving duplicates in place produces "overriding earlier entry" warnings; running postconf -n after editing shows these warnings and lets you verify that each parameter is set exactly once.
The two files relay.domains and transport.maps as well as the Unix domain socket bav.sock are created automatically when the mailloop service starts for the first time. File relay.domains lists your mailloop service domain name, so that responses like auto-replies and bounces sent to an email address in this domain are accepted by Postfix for relaying. File transport.maps maps the mailloop service domain name to the service used for processing.
Additionally, you have to set parameter myhostname in file main.cf to the FQDN of your OpenEMM server, e.g. openemm.domain.com. Otherwise, mails would be sent with sender domain localhost.localdomain instead.
If you want to be able to receive autoresponder, bounce and feedback mails encrypted with TLS (i.e. offer STARTTLS on incoming SMTP connections), add
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_eecdh_grade = strong
smtpd_tls_cert_file = <path_to_CERT_file>
smtpd_tls_key_file = <path_to_KEY_file>
smtpd_tls_CAfile = <path_to_CERT_chain>
smtpd_tls_CApath = <path_to_CERT_directory>
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
to file main.cf. Take care to replace the four placeholders with the real paths to the specified files, otherwise Postfix will not be able to receive TLS encrypted mails. The server certificate (mail.crt) may be a self-signed certificate, since sending servers using opportunistic TLS do not verify the receiving server's certificate. Two caveats: smtpd_use_tls is the pre-2.3 way of switching TLS on and is superseded by smtpd_tls_security_level = may, so the line is redundant but harmless; and this inbound protocol list only excludes SSLv2 and SSLv3, which is more permissive than the outbound smtp_tls_protocols setting above. If you tighten smtpd_tls_protocols to match, senders that only support TLS 1.0/1.1 may fall back to unencrypted delivery or fail to deliver at all.
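Hand-editing main.cf for the block of parameters above and again for the TLS block is where duplicate definitions creep in. The following script is an added example (not OpenEMM project code) that merges a file of new "parameter = value" lines into a main.cf: every existing definition of a parameter that is about to be set is commented out (continuation lines included), the new block is appended, and a second function reports any parameter that is still defined more than once. It is plain awk text processing, so it can be rehearsed on a copy before touching /etc/postfix/main.cf; the file names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of OpenEMM): merge new settings into a Postfix main.cf.
# Usage: openemm_merge_maincf /etc/postfix/main.cf openemm-settings.cf
# Postfix parses "name = value" logical lines; a line starting with whitespace
# continues the previous logical line, and a line starting with # is a comment.

openemm_merge_maincf() {
    maincf="$1"
    newcf="$2"
    tmp="$maincf.tmp.$$"
    # Collect the parameter names that the new block defines, one per line.
    awk '/^[A-Za-z0-9_]+[ \t]*=/ { split($0, a, /[ \t]*=/); print a[1] }' \
        "$newcf" > "$tmp.keys"
    # Comment out existing definitions of those names (plus their continuation
    # lines) so that Postfix does not warn about overridden entries, then append
    # the new block. Everything else is copied through unchanged.
    awk -v keyfile="$tmp.keys" '
        BEGIN { while ((getline k < keyfile) > 0) keys[k] = 1; drop = 0 }
        /^[A-Za-z0-9_]+[ \t]*=/ {
            split($0, a, /[ \t]*=/)
            drop = (a[1] in keys)
            if (drop) { print "#" $0; next }
        }
        /^[ \t]/ { if (drop) { print "#" $0; next } }
        { drop = 0; print }
    ' "$maincf" > "$tmp" && cat "$newcf" >> "$tmp" && mv "$tmp" "$maincf"
    rm -f "$tmp.keys"
}

# Prints every parameter name that is defined more than once in the given
# main.cf (commented lines are ignored). Empty output means the file is clean.
openemm_maincf_duplicates() {
    awk '/^[A-Za-z0-9_]+[ \t]*=/ { split($0, a, /[ \t]*=/); n[a[1]]++ }
         END { for (k in n) if (n[k] > 1) print k }' "$1"
}

# Example call on a copy of the real file:
# cp /etc/postfix/main.cf /tmp/main.cf
# openemm_merge_maincf /tmp/main.cf openemm-settings.cf
# openemm_maincf_duplicates /tmp/main.cf
```

After merging, postconf -n on the resulting file is still the authoritative check, because it applies Postfix's own parser rather than the simplified one used here.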
Finally, the configuration parameters for service "mailloop" are defined in configuration file master.cf. Add these two lines:
Do not omit the two space characters before keyword "flags": the leading whitespace tells the parser that the line continues the previous one!
Last but not least, activate the TLS manager in file master.cf by uncommenting (i.e. removing the leading #) the line
To activate your manual changes to the configuration of Postfix, restart Postfix with
To make sure that Postfix is started at each server reboot, add the service to run levels 3 and 5 (on systemd-based systems, enable the unit):
You might want to test these settings with a server reboot to be on the safe side.
In case you start Postfix separately from OpenEMM and Postfix complains that file relay.domains is missing, you can ignore this warning, because OpenEMM creates this file at startup time if it is missing.
6.3 Tomcat Deployment
OpenEMM needs web application engine Tomcat for the frontend services (GUI, statistics and webservices). Tomcat can be installed with OpenEMM Support Tool OST. For details please read section OST (OpenEMM Support Tool) below.
If you want to operate OpenEMM with the HTTPS protocol, the server key files (*.key, *.pem) and server certificate files (*.crt, cacerts) for the TLS configuration (to allow HTTPS connections) must be provided by you, as these files are specific to your server and your clients. See section Apache NIO Connector for details.
6.4 Configuration of Operating System Logging Parameters
Current versions of RHEL and SLES ship systemd-journald with rate limiting that silently drops messages when a service logs faster than a configured burst allows (e.g. 1,000 entries within 30 seconds with the default settings). If the OpenEMM server has a high workload due to a high mail output, Postfix easily exceeds this rate, which leads to missing entries in the maillog. Missing entries in the maillog mean that OpenEMM does not know whether mails were delivered successfully or not, which results in incomplete bounce management and incomplete statistics!
To make sure that all messages are logged to the maillog even under high workload, we recommend changing (or adding) the following values in file journald.conf in directory /etc/systemd:
Afterwards, restart the journal daemon with
to activate your changes.
SLES:
Additionally, add (or change) the following values in file rsyslog.conf in directory /etc, after the line with parameter $IMJournalStateFile imjournal.state:
RHEL 8:
Change in file rsyslog.conf in directory /etc lines
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
to the following one-liner:
module(load="imjournal" StateFile="imjournal.state" ratelimit.interval="10" ratelimit.burst="20000")
RHEL + SLES:
Afterwards, restart the rsyslog service to activate your changes in file rsyslog.conf:
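Raising the limits is only half the job; you also want to know whether messages were dropped before (or despite) the change. The following script is an added example, not part of the OpenEMM documentation: it scans log input for the two markers written when rate limiting kicks in, the "Suppressed N messages from ..." line of systemd-journald and the "imjournal: N messages lost due to rate-limiting" line of rsyslog's imjournal module. Those message texts are taken from the respective sources as the author of this example knows them and should be treated as assumptions to verify against your versions; the sample lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not OpenEMM project code): detect dropped log messages.
# Reads files given as arguments, or stdin when none are given, and prints
# one line per suppression event in the form "<source> <count>".
# Assumed message formats:
#   systemd-journald: "... Suppressed 1234 messages from /system.slice/postfix.service"
#   rsyslog imjournal: "... imjournal: 20 messages lost due to rate-limiting"

openemm_log_drops() {
    awk '
        /Suppressed [0-9]+ messages from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Suppressed") { print "journald " $(i + 1); break }
            next
        }
        /imjournal: [0-9]+ messages lost due to rate-limiting/ {
            for (i = 1; i <= NF; i++)
                if ($i == "imjournal:") { print "rsyslog " $(i + 1); break }
        }
    ' "$@"
}

# Total number of messages reported lost across all events (0 if none).
openemm_log_drops_total() {
    openemm_log_drops "$@" | awk '{ s += $2 } END { print s + 0 }'
}

# Exit status 0 when nothing was dropped, 1 otherwise; handy for a nightly
# check that mails the result to the admin before statistics go stale.
openemm_log_drops_check() {
    [ "$(openemm_log_drops_total "$@")" = "0" ]
}
```

Typical calls are openemm_log_drops_check /var/log/messages or journalctl -u systemd-journald --since yesterday | openemm_log_drops. A non-zero total for a period means the maillog for that period cannot be trusted for bounce accounting, regardless of what the journald.conf and rsyslog.conf values say now.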
6.5 Miscellaneous
OpenEMM needs a minimum value of 16384 for the resource limit nofile, which defines the maximum number of open file descriptors per process (shown by ulimit -n and set in /etc/security/limits.conf or in the service unit). OST (OpenEMM Support Tool) will check it and change it if necessary.
OpenEMM requires read access to the mail log file at /var/log/maillog, and logrotate has to preserve this access after each rotation, too. Open file syslog in directory /etc/logrotate.d and add the following line after the line sharedscripts:
and run
to set the permissions of the current maillog.