Administration

This chapter explains how to administer the components of grommunio with the available toolset.

grommunio console UI (CUI)

The grommunio console user interface (grommunio-cui) provides a console interface which allows the administrator to perform basic tasks to ready the appliance for the admin UI (admin web interface) or admin CLI (admin command line interface).

The main purpose of CUI is to provide basic system administration tasks, such as network configuration and time synchronization.

Main screen of grommunio-cui

Main screen

After starting grommunio-cui, you see the main screen. After logging in, you can make system configuration changes.

In the main screen, the following functions are available:

  • F1: Switching the color scheme (light vs. dark mode)

  • F2: Login to unlock system configuration mode

  • F5: Switching of keyboard layout

  • L: Open system log viewer

Login

To enter system configuration mode, press F2 and log in with the system superuser account (root).

Important

The initial root password is unset (empty). When asked for a password at first login, just enter an empty password.

Main configuration screen

The main menu provides the following functionality available to grommunio-cui:

  • Change system password

  • Network configuration

  • Timezone configuration

  • Timesync configuration

  • grommunio setup wizard

  • Change Admin Web UI password

  • Terminal

  • Reboot

  • Shutdown

Main configuration screen of grommunio-cui

Change system password

The option Change system password sets the superuser account password (root). Do this directly after installation. Use a secure password. We recommend using a password comprised of four words or more.

Changing the superuser password with grommunio-cui

Network configuration

The option Network configuration starts the network configuration utility (yast2 lan), which provides support for all reasonable network configuration settings. For detailed information on how to configure the network by using the yast utility, please refer to the online documentation of YaST at https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-network.html#sec-network-yast

Network configuration with YaST

Important

The minimal set of configuration recommended to be changed includes: Hostname, Network Addressing (IP), DNS (Nameservers), Routing (Default Gateway).

Timezone configuration

The command Timezone configuration can be used to set the preferred timezone displayed in server logs, etc. It has no practical impact on e-mails, because mail user agents such as grommunio-web translate timestamps to the timezone of the particular device the program is running on anyway.

Timezone configuration with YaST

Timesync configuration

Timesync configuration is done with a simple interface providing the ability to set the timezone according to your region and timezone of that region. It generally is recommended to keep the setting Hardware Clock Set to UTC, since this provides the recommended timezone-agnostic behavior for services (such as with logs, etc.).

Timesync configuration

After this basic setup, your grommunio Appliance should:

  • be able to connect to the Internet (availability of Updates, etc.)

  • have a valid timezone set

  • have a valid timeserver configured, with the system time appropriately synchronized

grommunio setup wizard

With the preceding basic setup steps completed, it is recommended to run the grommunio setup wizard to complete the configuration based on your needs.

The option grommunio setup wizard initiates the command grommunio-setup and walks you through the first-time setup of grommunio.

Important

While grommunio-setup can be executed more than once, please note that running through the setup process of grommunio-setup always resets the entire installation. grommunio-setup automatically detects if it has already been run and will warn you that all stored data will be lost if you continue.

Welcome screen

Starting grommunio-setup welcomes you with a descriptive welcome screen.

grommunio-setup: welcome screen

Repository setup

As a first step, grommunio-setup requests you to enter subscription details. These subscription details are included in your purchase of the subscription, along with the subscription certificate delivered for installation at a later stage. If left empty, grommunio-setup will automatically include the community repositories.

Note

Community repositories are delivered on a best-effort basis and are not supported. While grommunio welcomes community members to use grommunio, the software distribution available with the subscription repositories includes production-relevant benefits. Subscription repositories (available only with a valid subscription) include quality-tested packages, hotfixes and extra features not available to community repositories.

grommunio-setup: repository setup

Database variant

In the next stage of grommunio-setup, you are requested to answer which central database type you want to configure. Most installations use the local database installation, where the MySQL-database is initialized and prepared automatically. For larger and/or special setups it might be recommended to connect to an already existing database instead. Examples include larger clusters, multi-node and distributed setups.

grommunio-setup: choice of database variant

Database settings

With the choice of “local database”, the next installation step will automatically provide you with the information used for initialization of the database. For standard setups, it is recommended to leave the default values. The values for the installation are generated randomly, which protects your installation from unauthorized access.

grommunio-setup: settings for database initialization

Administration User

After setting up the database, a default administrator password is requested for the login with the grommunio Admin API. The default user (admin) is then initialized with the password entered here. By default, grommunio automatically generates a password and shows it at the end of the setup procedure.

Important

At the end of the setup procedure the password entered here will be shown in the summary screen after setup. Please make sure no unauthorized people can access or view the system console and retrieve this major credential at the end of the grommunio setup procedure.

Note

You can always reset this password at a later stage through grommunio-cui.

grommunio-setup: setting of the admin password

Fully Qualified Domain Name

The next stage of grommunio-setup requests the configuration of the fully qualified domain name (FQDN). The FQDN traditionally consists of the hostname, combined with the primary domain of the system. The name chosen here is strongly recommended to be part of the certificates generated at a later stage in grommunio-setup.

grommunio-setup: setting the fully qualified domain name (fqdn)

Primary mail domain

The next stage asks you to provide the primary mail domain. The primary mail domain is important as the main system domain for further system configuration.

grommunio-setup: setting the primary mail domain

Relayhost configuration

If the installation is not to send e-mails directly (by resolving the recipients' MTAs itself), it is recommended to set a relayhost. This next step allows the configuration of a relayhost, which can be used, for example, for integration with existing firewalls or mail security appliances. If the configured target should be used directly (by requesting the IP address through DNS A-records instead of the associated MX-records), the relayhost should be enclosed in square brackets, like “[mail.isp.com]”.

grommunio-setup: configuration of relayhost

TLS configuration

The next step of configuration with grommunio-setup provides a menu with a choice of the preferred TLS setup with the grommunio installation:

grommunio-setup: choosing the TLS installation mode

0: Creation of self-signed certificate

Creating your own self-signed certificate is the simplest option. A self-signed certificate will, however, show up as untrusted at first connect and needs to be trusted before continuing. This behavior is normal, because a connecting client has no way of validating whether the certificate comes from a valid source. This setting is the default and does not require any preparation for certificate generation. grommunio does not recommend this option for production environments, as this option requires any client to first trust the certificate in use. This option is the best for validation and demo installations of grommunio.

grommunio-setup: Creating a self-signed certificate

1: Creation of own CA (certificate authority) and certificate

Creating your own certificate authority is an extended option which allows you to create self-signed certificates with your own certificate authority. This way, you can (manually) create further certificates under the umbrella of your own central authority, with multiple server certificates signed by the same self-generated certificate authority. This option is the best for validation and demo installations of larger grommunio setups with multiple instances.

grommunio-setup: Creating own certificate authority (CA) and certificate

2: Import of an existing TLS certificate from files

Importing your own certificate allows any type of external certificate pair (PEM-encoded) to be used with your grommunio installation. Note that it is recommended to either use SAN certificates with multiple domains or a wildcard certificate. With your choice of your own TLS certificates, you have the highest flexibility to either use a trusted CA or a publicly signed certificate by an officially trusted certification authority including, but not limited to, Thawte, Digicert, Comodo or others.

grommunio-setup: Importing existing certificate

3: Automatic generation of certificates with Let’s Encrypt

Using this option allows the automatic certificate generation process with the Let’s Encrypt certificate authority. Using Let’s Encrypt certificates is free of charge, however the terms of service by Let’s Encrypt apply, which are referenced during installation. Using this option automatically requests the domains from the selection you made, and automatically starts the validation process. For this automated process to work successfully, Let’s Encrypt verifies _all_ defined domain names by creating a challenge on the appliance. For this to work, port 80 (HTTP) needs to be accessible from the Internet during this step of verification (and any subsequent automated renewal) with all the domains pointing to the appliance. This option is recommended for any simple installation and allows the most seamless installation experience if prepared correctly.

grommunio-setup: Generating Let's Encrypt certificates

Any certificates so generated are placed in /etc/grommunio/ssl and are automatically referenced by any services of the appliance.

Setup finalization

After all the above steps of grommunio-setup have been completed, the final dialog shows the summarized information of the installation as a reference.

grommunio-setup: Setup finalization

Important

All installation/setup relevant information is stored at /var/log/grommunio-setup.log. This file includes the passwords used for initialization which you may copy to a secure location or delete if not required anymore.
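A permission check for this log, as an added example that is not part of the grommunio documentation or tooling: it reports whether anyone other than the owner can reach the file. Only the path comes from the text above; the function names, the expected root ownership and the 0600 target mode are assumptions of this example.

```python
import os
import stat

# Path named on this page; everything else here is an assumption of the example.
SETUP_LOG = "/var/log/grommunio-setup.log"


def audit_secret_file(path, expected_uid=0):
    """Return a list of findings for a file that holds credentials.

    An empty list means the file is absent or only its owner can access it.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return []  # already deleted, nothing left to protect

    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink to {os.readlink(path)}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access to group or others")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_nlink > 1:
        # Deleting one name would leave the passwords reachable under another.
        findings.append(f"{st.st_nlink} hard links point at this file")
    return findings


def restrict_to_owner(path):
    """Drop all group/other permission bits (assumed target mode: 0600)."""
    os.chmod(path, 0o600)


if __name__ == "__main__":
    for finding in audit_secret_file(SETUP_LOG):
        print("WARNING:", finding)
```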

Admin web password reset

The option Admin web password reset changes the password of the main administration user (admin). Administrators who want to execute this option without running grommunio-cui first can do so at any time by executing the command grommunio-admin passwd.

Admin Web password reset

Terminal

The option Terminal enables a class shell with the ability to exit back to grommunio-cui by issuing the exit command at any given time. This option should be used with care and only by experienced administrators.

Starting Terminal (root privileges)

Important

Please note that the Terminal executed here provides full administrative rights (root access) to the Appliance. With this level of permissions it is recommended to proceed with extreme caution.

Reboot

Rebooting grommunio Appliance

The option Reboot reboots the entire grommunio Appliance. Please note that during the reboot the services provided will not be available.

Shutdown

Shut down grommunio Appliance

The option Shutdown shuts down the entire grommunio Appliance. Please note that the services will not be available until the Appliance has been started again.

grommunio admin UI (AUI)

After successfully installing the grommunio Appliance, you can access the UI through your browser on port 8080 (8443 with https soon).

Since you most likely set a password for the admin UI while installing the Appliance, you can immediately use these credentials to log in.

grommunio login

To navigate through the UI, simply use the drawer on the left side of the page.

Dashboard

After a successful login, you can see the dashboard with live data of the machine grommunio runs on.

Antispam

Since grommunio has its own antispam service, the corresponding data can be displayed in the Dashboard.

grommunio antispam chart

Services

Antispam isn’t the only grommunio service; there are many more. The current state of these services can be seen on the left side of the dashboard.

grommunio services chart

You can stop, restart or start these services from here by clicking the action buttons of a service in the list.

CPU

grommunio cpu chart

A live and history display of the CPU usage.

Memory

grommunio memory chart

A live and history display of the memory usage.

Disks and swap

grommunio disks chart

A live display of the disks and swap.

Load

grommunio load chart

A display of the system load over the last 1, 5 and 15 minutes.

Domains

Click on Domain list in the drawer, which will redirect you to the list view of existing domains. If you just set up grommunio, the table will be empty. If you want to show currently deactivated domains, check the checkbox show deactivated.

Adding a domain

To add a new domain, click the blue NEW DOMAIN button to open the form dialog:

adding domain

The following properties can be set:

  • Domain (required): The name of the domain (cannot be changed afterwards)

  • Status: Whether domain should be currently activated or deactivated

  • Organization: Organization of the domain

  • Maximum users (required): The maximum amount of users (e-mails) of this domain

  • Title: Title of the domain

  • Address: Address of the domain

  • Administrator: Administrator of the domain

  • Telephone: Hotline for problems

Click Add to confirm or Cancel to cancel.

Editing a domain

To edit an existing domain, click on a domain in the list to open the detailed view of a domain.

editing domain

Simply change attributes to your needs, then click Save on the bottom to save your changes.

To change the current password of the domain, click Change password next to the domain name. You will be prompted to set and repeat your new password.

Deleting a domain

To delete a domain, click on the trash icon of a domain in the domain list view.

The following flags can be set:

  • Delete permanently: Checking this will completely remove the domain from the database, not just deactivate it

  • Delete files: Only available if permanently deleting, will delete all files of this domain

Click Confirm to confirm or Cancel to cancel.

Reactivating domains

If you didn’t delete a domain permanently, it will automatically be set to deactivated. To reactivate a domain, click on a domain in the list to get to the detailed view. Now change the status from deactivated to activated.

editing domain

Users

If at least one domain exists in the database, users can be added to a domain. To show existing users of a domain, navigate to the domain view in the drawer.

Click on a domain to expand available sub-pages and click on Users, which will redirect you to the list of users of this domain. If you just installed grommunio or added the domain, the list will be empty.

Adding a user

To add a new user, click the blue NEW USER button to open the form dialog:

adding a user

The following properties can be set:

  • Username (required): Username of the user

  • Password (required): Password of the user

  • Display name: Name to be displayed for this user

  • Storage quota limit: Storage limit of the user

  • Type: Type of user

Click Add to confirm or Cancel to cancel. If you need to further specify user properties, click Add and Edit to open the detailed view of this user.

Editing a user

To edit an existing user, click on a user in the list to open the detailed view of a user.

editing a user

There are 6 main categories of user properties:

  • Account: RPC/HTTP (Outlook Anywhere), MAPI/HTTP, IMAP, POP3 etc. configuration

  • User: MAPI props

  • Contact: Additional MAPI props

  • Roles: Roles of the user

  • SMTP: Additional e-mails for this user (aliases)

  • Fetchmail: Configuration to fetch mails from other servers via fetchmail

Account

The following properties can be edited:

  • Status: Status of the user

  • Type: Type of user

  • Language: Language of the user

  • Used space
    • Send quota limit: Maximum size of the mailbox before sending messages is blocked

    • Receive quota limit: Maximum size of the mailbox before message reception is blocked

    • Storage quota limit: Maximum size of the mailbox before storing (any kind of) objects is blocked

  • Allow SMTP sending: Allows the user to send e-mails via SMTP

  • Allow password changes: Allows the user to change his/her password

  • Allow POP3/IMAP logins: Allows logins via POP3 or IMAP

Note that, because a message first needs to exist internally before it can be sent, the storage quota limit is also relevant for sending. Conversely, for reception, the storage quota limit must allow storing messages. (It follows that the storage quota should always be more than receive quota, and more than send quota.)

To change the current password of the user, click Change password next to the username. You will be prompted to set and repeat your new password.

User & Contact

Common MAPI props. These are self-explanatory.

Roles

Roles of the user, which can be edited with the autocompleting textfield.

editing a user

SMTP

User aliases. Edit the textfield to edit an alias, click ADD E-MAIL to add or click the delete icon to delete an alias.

editing a user

Fetchmail

It is possible to fetch e-mails from other mail servers via fetchmail. To configure this feature, you can add several e-mail servers and/or users to fetch mails from.

editing a user

To add a new fetchmail entry, click the circled plus-icon, which will open the following input form:

editing a user

  • Source server (required): E-Mail server to fetch from

  • Source user (required): E-Mail address to fetch from

  • Source password (required): Password to the source user's account

  • Source folder (required): Source folder to sync from

  • Source auth: Type of authentication to use

  • Protocol (required): Protocol to use

  • SSL certificate path (if Use SSL is checked): Path to local certificate directory or empty to use local default

  • SSL fingerprint (if Use SSL is checked): Fingerprint of the server certificate

  • Extra options (if Use SSL is checked): Additional fetchmail options

  • Active: Whether fetchmail is currently activated

  • Use SSL: Whether to use SSL

  • Fetch all: Whether to fetch seen mails

  • Keep: Keep original e-mails

  • SSL certificate check: Check SSL certificate

To edit these properties, click on a row in the table. To delete an entry, click the trash icon of a table row.

IMPORTANT! Any changes will only be saved after clicking Save on the bottom of the page.

Deleting a user

To delete a user, click on the trash icon of a user in the user view.

The following flags can be set:

  • Delete files: Will delete all files of this user

Click Confirm to confirm or Cancel to cancel.

Folders

If at least one domain exists in the database, folders can be added to a domain. To show existing folders of a domain, navigate to the domain view in the drawer.

Click on a domain to expand available sub-pages and click on Folders, which will redirect you to the list of folders of this domain. If you have just installed grommunio or added the domain, the list will be empty.

Adding a folder

To add a new folder, click the blue NEW FOLDER button to open the form dialog:

adding a folder

The following properties can be set:

  • Folder name (required): Name of folder

  • Container: Type of folder container

  • Comment: Comment

  • Owners: Owners of this folder (Multi-select of users in the database)

Click Add to confirm or Cancel to cancel.

Editing a folder

To edit an existing folder, click on a folder in the list to open the detailed view of a folder.

editing a folder

Simply change attributes to your needs, then click Save on the bottom to save your changes.

To add new owners, click the + next to “Owners”. Enter all users from the database who are to be added as owners of this folder. To remove an owner, click the trash icon next to the owner and confirm.

Deleting a folder

To delete a folder, click on the trash icon of a folder in the folder view. Click Confirm to confirm or Cancel to cancel.

Groups

If at least one domain exists in the database, groups can be added to a domain. To show existing groups of a domain, navigate to the domain view in the drawer.

Click on a domain to expand available sub-pages and click on Groups, which will redirect you to the list of groups of this domain. If you have just installed grommunio or added the domain, the list will be empty.

Groups have a hierarchical structure, but they are not built like a tree. Instead, they form a directed, loop-free graph. Thus, groups can have multiple parent groups and child groups.

To simply show a list of groups click on the List tab. It is also possible to show a more advanced view of groups by clicking on the Tree tab. In order to simplify a potentially massive structure of groups, instead of a graph, different trees can be displayed here. By selecting a root group, a cut-out of the graph can be shown as a tree with the selected group as root-node. All recursive children will be displayed.

grommunio group tree

Adding a group

To add a new group, click the blue NEW GROUP button to open the form dialog:

adding a group

The following properties can be set:

  • Groupname (required): Name of the group

  • Parent groups: Which groups does this group inherit from?

  • Members: Group members

  • Filters: See below

Either members or filters can be specified.

Group filters

A group can have a clause to filter users with. This could for example be username == exampleUser. In this case, all users that are named “exampleUser” are part of this group. To further specify, a CNF clause on properties can be written.

The UI uses expansion panels (EP) to visualize a conjunctive normal form (CNF) clause. Each EP symbolises a logical AND, so each EP must be true for the entire clause to be true. Each EP also contains multiple rows of textfields, each row representing one expression in the CNF (above: username == exampleUser). The rows are combined by a logical OR, so an EP is true if at least one row (one expression) in the EP is true. That also means that at least one expression in every EP of the filter must be true for a user to be part of the group.
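The AND-of-ORs evaluation described above, as an added example that is not grommunio's own code: each inner list stands for one expansion panel and each tuple for one row. The data layout, the property names, the `!=` operator and the fail-closed handling of empty filters and missing properties are assumptions of this example; the page itself only shows `==`.

```python
import operator

# Assumed operator set; only "==" appears on the page.
OPERATORS = {"==": operator.eq, "!=": operator.ne}


def expression_matches(user, expr):
    """One row of a panel: (property, operator, value)."""
    prop, op, value = expr
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    if prop not in user:
        # Design choice of this example: a missing property never matches,
        # so a mistyped property name cannot add users through "!=".
        return False
    return OPERATORS[op](user[prop], value)


def panel_matches(user, panel):
    """Rows inside one expansion panel are OR-ed."""
    return any(expression_matches(user, expr) for expr in panel)


def filter_matches(user, cnf):
    """Panels are AND-ed. An empty filter matches nobody (fail closed)."""
    if not cnf:
        return False
    return all(panel_matches(user, panel) for panel in cnf)


def failed_panels(user, cnf):
    """Indexes of the panels that keep a user out of the group."""
    return [i for i, panel in enumerate(cnf) if not panel_matches(user, panel)]


def group_members(users, cnf):
    return [u["username"] for u in users if filter_matches(u, cnf)]


# Constructed sample data, not taken from a real directory.
SAMPLE_USERS = [
    {"username": "alice@example.com", "department": "sales", "country": "AT"},
    {"username": "bob@example.com", "department": "support", "country": "DE"},
    {"username": "carol@example.com", "department": "sales", "country": "US"},
    {"username": "dave@example.com", "department": "finance", "country": "AT"},
    {"username": "erin@example.com", "country": "AT"},  # no department set
]

# (department == sales OR department == support) AND (country == AT OR country == DE)
SAMPLE_FILTER = [
    [("department", "==", "sales"), ("department", "==", "support")],
    [("country", "==", "AT"), ("country", "==", "DE")],
]

if __name__ == "__main__":
    print(group_members(SAMPLE_USERS, SAMPLE_FILTER))
    for user in SAMPLE_USERS:
        print(user["username"], "fails panels", failed_panels(user, SAMPLE_FILTER))
```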

Editing a group

To edit an existing group, you can either:

  • Click on a group in the list

  • Click on a node in the tree view

editing a group

Simply change attributes to your needs, then click Save on the bottom to save your changes.

To quickly navigate through a group hierarchy, click a childgroup at the bottom or click a breadcrumb at the top.

Deleting a group

To delete a group, click on the trash icon of a group in the list view. Click Confirm to confirm or Cancel to cancel.

Mail lists

If at least one domain exists in the database, mail lists can be added to a domain. To show existing mail lists of a domain, navigate to the domain view in the drawer.

Click on a domain to expand available sub-pages and click on Mail lists, which will redirect you to the list of mail lists of this domain. If you have just installed grommunio or added the domain, the list will be empty.

Adding a mail list

To add a new mail list, click the blue NEW MAIL LIST button to open the form dialog:

adding a mail list

The following properties can be set:

  • Mail list name (required): Name of mail list

  • Type: Type of mail list

  • Privilege: Mail list privilege (not available if type=Domain)

  • Recipients: Recipients of e-mails

  • Senders: Senders of e-mails (only available if privilege=Specific)

Click Add to confirm or Cancel to cancel.

Editing a mail list

To edit an existing mail list, click on a mail list in the list to open the detailed view of a mail list.

edit a mail list

Simply change attributes to your needs, then click Save on the bottom to save your changes.

Deleting a mail list

To delete a mail list, click on the trash icon of a mail list in the list view. Click Confirm to confirm or Cancel to cancel.

Roles

Click on Roles in the drawer, which will redirect you to the list view of existing roles. If you have just set up grommunio, the table will be empty.

By default, every time a domain is added, a new role with rights for the new domain will be added. Additionally, you can create your own roles to specify access rights for multiple domains.

Adding a role

To add a new role, click the blue NEW ROLE button to open the form dialog:

adding a role

The following properties can be set:

  • Name (required): Name of the role

  • Users: Users to whom this role will be assigned

  • Permissions:
    • SystemAdmin: Permits any operation

    • DomainAdmin: Permits operations on a specific domain

    • DomainPurge: If present, grants permission to purge any writable domain

    • OrgAdmin: Grants DomainAdmin permission to any domain with matching orgID

    • Params: Domain/Organisation to get access to with this role

  • Description: Role description

Click Add to confirm or Cancel to cancel.

Editing a role

To edit an existing role, click on a role in the list to open the detailed view of a role.

editing a role

Simply change attributes to your needs, then click Save on the bottom to save your changes.

Deleting a role

To delete a role, click on the trash icon of a role in the list view. Click Confirm to confirm or Cancel to cancel.

Organizations

Click on Organizations in the drawer, which will redirect you to the list view of existing organizations. If you have just set up grommunio, the table will be empty.

Organizations are used to group domains, and give access to multiple domains in the system by using the OrgAdmin role. Every domain can be associated with at most one organization.
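How the role permissions listed under Roles combine with organizations, as an added example that is not grommunio's implementation: it computes, per user, which domains can be administered and which can be purged. The classes, role names and sample data are constructed, and reading "writable domain" as "a domain the same user may administer" is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Domain:
    name: str
    org_id: Optional[int] = None  # a domain belongs to at most one organization


@dataclass(frozen=True)
class Permission:
    kind: str  # SystemAdmin, DomainAdmin, DomainPurge or OrgAdmin
    param: Union[str, int, None] = None  # "Params": domain name or organization ID


def can_administer(perms, domain):
    for p in perms:
        if p.kind == "SystemAdmin":
            return True
        if p.kind == "DomainAdmin" and p.param == domain.name:
            return True
        # A domain without an organization must never match an OrgAdmin grant.
        if (p.kind == "OrgAdmin" and domain.org_id is not None
                and p.param == domain.org_id):
            return True
    return False


def can_purge(perms, domain):
    if any(p.kind == "SystemAdmin" for p in perms):
        return True  # SystemAdmin permits any operation
    has_purge = any(p.kind == "DomainPurge" for p in perms)
    # Assumption: DomainPurge only applies to domains the user can write to.
    return has_purge and can_administer(perms, domain)


def effective_permissions(role_names, roles):
    """Union of the permissions of all roles assigned to one user."""
    return [p for name in role_names for p in roles[name]]


def access_report(user_roles, roles, domains):
    report = {}
    for user, role_names in user_roles.items():
        perms = effective_permissions(role_names, roles)
        report[user] = {
            "administer": [d.name for d in domains if can_administer(perms, d)],
            "purge": [d.name for d in domains if can_purge(perms, d)],
        }
    return report


# Constructed sample data.
DOMAINS = [
    Domain("example.com", org_id=1),
    Domain("example.org", org_id=1),
    Domain("other.test", org_id=2),
    Domain("lone.test"),
]
ROLES = {
    "helpdesk": [Permission("DomainAdmin", "example.com")],
    "org1-admin": [Permission("OrgAdmin", 1)],
    "purger": [Permission("DomainPurge")],
    "root": [Permission("SystemAdmin")],
}
USER_ROLES = {
    "anna": ["helpdesk"],
    "ben": ["org1-admin", "purger"],
    "cleo": ["purger"],
    "dan": ["root"],
}

if __name__ == "__main__":
    for user, access in access_report(USER_ROLES, ROLES, DOMAINS).items():
        print(user, access)
```

Running such a report before assigning an additional role shows what the combination grants: in the sample data, adding the purge role to an organization admin makes every domain of that organization purgeable.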

Adding an organization

To add a new organization, click the blue NEW ORGANIZATION button to open the form dialog:

adding a role

The following properties can be set:

  • Name (required): Name of the organization

  • Description: Detailed description of the organization

Click Add to confirm or Cancel to cancel.

Editing an organization

To edit an existing organization, click on an organization in the list to open the detailed view of an organization.

editing a role

Simply change attributes to your needs, then click Save on the bottom to save your changes.

Deleting an organization

To delete an organization, click on the trash icon of an organization in the list view. Click Confirm to confirm or Cancel to cancel.

Settings

To change global settings, click on the User-icon and Settings.

user icon

Currently you can only change:

  • Language: Swap between English and German

  • Darkmode: Swap between light and dark mode

License

grommunio license

To use the full potential of grommunio you can upload your license by clicking Upload and selecting your purchased license. If you do not have a grommunio license yet, but want to upgrade, you can click on Buy now.

The following license properties are displayed:

  • Product: Type of grommunio subscription (Community, Business, etc…)

  • Created: Date on which the license was created

  • Expires: Last day on which the license needs to be renewed

  • Users: Current amount of users on this license

  • Max users: Maximum amount of users that can be created with the current license

LDAP

It is possible to synchronise users from external user directories using LDAP. To configure LDAP, click on LDAP in the drawer, which will redirect you to the LDAP configuration form.

Availability

LDAP not available means the LDAP config isn’t set up correctly or the server can’t be reached. If you want to disable LDAP manually, flip the LDAP enabled switch.

LDAP switch

Configuration

Through this form, you create a ldap.yaml file, which configures an LDAP connection.

Properties are split into the following categories:

  • LDAP Server

  • Attribute Configuration

  • Custom Mapping

To save a configuration, click Save at the bottom or click Delete Config to delete the current configuration.

LDAP Server

The following properties are available:

  • LDAP-Server (server): Address of the LDAP server to connect to

  • LDAP Bind User (bindUser): DN of the user to perform initial bind with

  • StartTLS: Whether to utilize the StartTLS mechanism to secure the connection

  • LDAP Base DN (baseDn): Base DN to use for user search

Authentication manager

Primary authentication mechanism

  • Always MySQL (default): MySQL authentication

  • Always LDAP: LDAP authentication

  • Automatic: The choice between LDAP/MySQL occurs dynamically, depending on whether the user was imported from LDAP originally.

Attribute Configuration

The following properties are available:

  • LDAP Templates (templates): Template to prefill any fields below. Available are:

    • OpenLDAP

    • ActiveDirectory

  • LDAP Filter (filters): LDAP search filter to apply to user lookup

  • Unique Identifier Attribute (objectID): Name of an attribute that uniquely identifies an LDAP object

  • LDAP Username Attribute (username): Name of the attribute that corresponds to the username (e-mail address)

  • LDAP Default Quota (defaultQuota): Storage quota of imported users if no mapping exists

  • LDAP Display Name Attribute (displayName): Name of the attribute that contains the name

LDAP Search Attributes

Controls which attributes the “Search in LDAP” functionality will look at when searching using an arbitrary search string.

Custom Mapping

LDAP attribute -> PropTag mapping to use for LDAP import. Any mappings specified take precedence over active templates.

You can create a list of (Name, Value) pairs:

  • Name: Name of the PropTag the attribute maps to

  • Value: Value of the PropTag the attribute maps to

User import and synchronisation

To import/sync users from all domains, you have to have SystemAdmin permissions. If you do, click on IMPORT USERS or SYNC USERS. This will import/sync all users of all domains.

If you don’t have these permissions, you can import/sync users for your domain. To do that, navigate to the user list(s) of your domain(s).

Importing users will synchronise all already imported users and also import new ones. Synchronising will only do the former.

Domain user import and synchronisation

In the users list, you can import/sync all users of this domain by clicking Import/Sync ldap users. If you want to import specific users, you can do the following:

User import

Click on Search in ldap to open a list view of ldap users. Simply enter a username in the search bar and click the import icon of a user to import.

search ldap

There is the option to force the import. If checked, an existing user with this username in the grommunio database will be overwritten.

importing a user

You can sync these specific users by clicking on them in the list view and clicking the Sync button in the detailed view (only for LDAP users).

Detaching a user

If you want to modify an LDAP user, you need to detach it from LDAP. You can achieve this by clicking Detach in the detailed user view. This essentially removes the synchronisation until the user is forcefully overwritten via another import.

Removing orphaned users

If a user was removed from the LDAP directory, the imported user will be orphaned. To show and/or delete currently orphaned users, click on Check ldap users.

orphaned users

DB Configuration

It is possible to create config files in the database to manage services. Every config file manages exactly one file and includes lines of (key, value) pairs.

This creates a hierarchical structure:

  • ServiceA
    • FileA
      • foo=bar

    • FileB
      • test=example

      • test2=example2

  • ServiceB
    • FileC
      • key=value

Adding a file

A useful example would be to configure a relayhost in postfix:

adding a file

Editing a file

To edit a file, click on the service the file belongs to. This will open a detailed view of the service with a list of its files. Click on a file to open its detailed view and edit the (key, value) pairs to your needs.

editing a file

Click Save to confirm or Cancel to discard your changes.

Deleting a file

To delete a file, click on the service the file belongs to. This will open a detailed view of the service with a list of its files. Click on the trash icon of a file to delete it and confirm.

Configuring grommunio-dbconf

grommunio-dbconf is an internal service that executes actions/commands when configs change. These actions can be specified for every service separately.

Adding a grommunio-dbconf file

Actions to be executed when a config of a service <servicename> changes need to be set in the file grommunio-dbconf/<servicename>.

There are pre-made commands to set for either key-, file- or service-changes. Those can be found on the Commands tab.

file commands

If a command doesn’t exist, the next lower level command will be executed (service -> file -> key).

For example, you could configure postfix changes like this:

adding dbconf

This will, among other things, restart the service if the service config changes.

Logs

Click on Logs in the drawer, which will redirect you to the list of available logs. Usually, you will see a list of grommunio/gromox services, whose journalctl logs you can view here.

logs

Click on the up arrow to show previous logs. Click on the refresh button to fetch new logs or toggle the autorefresh switch to automatically refresh logs of the selected service every 5 seconds. Click on a log line to fetch every log after the timestamp of the clicked line.

Mail queue

mailQ

These lists will update automatically every 10 seconds.

Mobile devices

Click on Mobile devices in the drawer, which will redirect you to the list of synchronised mobile devices. This view is a recreation of the grommunio-sync-top CUI.

sync

The view will update the devices every 2 seconds. On the top, you can specify filters for the table, like text-based search or activity of devices.

Sync policies

The synchronisation behavior of devices is specified by the sync policies, which are a set of rules. When a user logs into an account, these policies will be applied to the device and updated as soon as the policy is changed. It is not possible to change the policies globally, but per domain (all users of a domain) or per user. To change the policy for all users of a domain, navigate to the list of domains and click on the domain for which you want to change the policy. Under the Sync policy tab, you can see the current rules.

sync

Blue checkboxes, sliders or textfields indicate deviations from the default policy, grey ones match it.

To specify specific rules for a user, navigate to the list of users and click on the user for whom you want to change the policy. Just like domain-specific policies, current rules are displayed under the Sync policy tab. Again, blue checkboxes, sliders or textfields indicate deviations from the domain policy of this user, grey ones match it.

Live Status

Click on Live Status in the drawer, which will redirect you to the live, realtime view of the grommunio web services. Any HTTP request shows up in live status, including MAPI/HTTP, EAS, EWS and other requests made. All connections other than grommunio Groupware, e.g. Chat and Files, are also viewable and can be tracked by the entry-point URL in the list.

liveStatus

At the top you can select one of the available vhosts and the update interval.

grommunio admin CLI (ACLI)

grommunio-admin

grommunio-admin is the command line interface tool of the grommunio Admin API. grommunio-admin is a low level administrative tool for grommunio configuration and provides a large number of subcommands to administrate grommunio accordingly.

grommunio-admin also provides bash completion functionality and an interactive shell, with the following subcommands available:

config

Show or check configuration. See grommunio-admin-config.

connect

Connect to remote CLI. See grommunio-admin-connect.

dbconf

Database-stored configuration management. See grommunio-admin-dbconf.

domain

Domain management. See grommunio-admin-domain.

fetchmail

Fetchmail management for retrieval of remote mails. See grommunio-admin-fetchmail.

fs

Filesystem operations. See grommunio-admin-fs.

ldap

LDAP/Active Directory configuration, diagnostics and synchronization. See grommunio-admin-ldap.

mconf

Managed configurations manipulation. See grommunio-admin-mconf.

mlist

Mailing/distribution list management. See grommunio-admin-mlist.

passwd

Internal user password management. See grommunio-admin-passwd.

run

Run the REST API. See grommunio-admin-run.

shell

Start interactive shell. See grommunio-admin-shell.

taginfo

Print information about MAPI property tags. See grommunio-admin-taginfo.

user

User management. See grommunio-admin-user.

version

Show version information. See grommunio-admin-version.

grommunio-admin-config

Name

grommunio-admin config — grommunio-admin config introspection

Synopsis

grommunio-admin config check
grommunio-admin config (dump|get) [KEY]
grommunio-admin config trace [-s] (files|values) [KEY]

Commands

check
Check the structural validity of the configuration.
Currently does not validate the semantic integrity, i.e. existence of referenced files, LDAP or database connectivity etc., although this functionality may be added in the future.
dump, get
Print the complete configuration.
As the grommunio-admin configuration can (and probably will) be distributed over multiple files, the get command provides an easy way to see the effective configuration.
The output can be reduced to a single KEY, if specified. Sub-levels can be specified in dotted notation (e.g. sync.defaultPolicy).
The dump command is an alias for get and remains for backward compatibility.
trace
Trace source of effective configuration.
Results can be presented either by file (files), showing which parts of a file are actually used, or by value (values), showing which file each value originates from.
Installation of the Python termcolor package is advised for a more readable output. See section Tracing for more information.

Options

KEY

Only view specified key.

-s, --show-history

Display more value history (see section Tracing for more information)

Tracing

By-File
Print annotated contents of each file.
Each line is marked and color coded to show its status. The following annotations are used:
  • +, green: The value is part of the final configuration

  • x, red: The value is overwritten by a later file

  • *, yellow: The object or list is extended by a later file

  • ~, grey: The value is overwritten with the same value

Additionally, lines overwriting or extending previous entries are printed in boldface.
When specifying --show-history, each value that is overwritten or extended is annotated with the files doing so (each being color coded with the effect it has on the value).
By-Value
Print annotated effective configuration.
Each line is annotated with the file it originates from. In case of objects and lists, all contributing files are listed.
When specifying --show-history, overwritten files containing that value are listed as well. The effective source file is underlined.
For better visualization, color coding is done on a per-file basis: Each file is assigned an individual style which is used for its contributions. Objects and lists originating from multiple files are always shown in boldface white.
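The annotation rules from the Tracing section, modelled as an added Python example (not grommunio-admin's own code). The file names and the `demo.*` keys are constructed, and comparing each value only against the next later file that sets the same key is an assumption of this sketch.

```python
# Constructed sample: two configuration files, loaded in this order.
SAMPLE_FILES = [
    ("10-base.yaml", {"demo": {"timeout": 30, "mode": "strict",
                               "hosts": ["h1"], "name": "x"}}),
    ("20-site.yaml", {"demo": {"timeout": 60, "mode": "strict",
                               "hosts": ["h2"]}}),
]


def flatten(tree, prefix=""):
    """Yield (dotted_key, value) for every scalar or list leaf of a nested dict."""
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def trace_by_file(files):
    """Return {file: [(mark, key, value), ...]} using the by-file marks.

    +  value is part of the final configuration
    x  value is overwritten by a later file
    *  list is extended by a later file
    ~  value is overwritten with the same value
    """
    flat = [(name, dict(flatten(tree))) for name, tree in files]
    report = {}
    for index, (name, leaves) in enumerate(flat):
        rows = []
        for key, value in leaves.items():
            later = [other[key] for _, other in flat[index + 1:] if key in other]
            if not later:
                mark = "+"
            elif isinstance(value, list) and isinstance(later[0], list):
                mark = "*"
            elif later[0] == value:
                mark = "~"
            else:
                mark = "x"
            rows.append((mark, key, value))
        report[name] = rows
    return report


def trace_by_value(files):
    """Return {key: (effective_value, [contributing files])} (by-value view)."""
    effective = {}
    for name, tree in files:
        for key, value in flatten(tree):
            previous = effective.get(key)
            if previous and isinstance(value, list) and isinstance(previous[0], list):
                # Lists are extended, so every contributing file is listed.
                effective[key] = (previous[0] + value, previous[1] + [name])
            else:
                # Scalars are replaced; only the last file is the source.
                effective[key] = (value, [name])
    return effective


if __name__ == "__main__":
    for fname, rows in trace_by_file(SAMPLE_FILES).items():
        print(fname)
        for mark, key, value in rows:
            print(f"  {mark} {key} = {value!r}")
    for key, (value, sources) in trace_by_value(SAMPLE_FILES).items():
        print(f"{key} = {value!r}  <- {', '.join(sources)}")
```

When auditing a deployment, the `x` rows are the ones to look at first: they are settings an administrator wrote down that are not in effect.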

grommunio-admin-connect

Name

grommunio-admin connect — Connect to remote CLI

Synopsis

grommunio-admin connect [-c COMMAND] [--no-verify] [--redirect-fs [--auto-save (local|remote|discard|print)]] [-v] HOST [USER [PASSWORD]]

Description

Connect to a remote server to invoke CLI commands on.
Requires a running admin API with active remote CLI and a user with SystemAdminPermission.

Note that the remote CLI currently uses a REST interface which does not provide a standard input, rendering commands that rely on user interaction useless.

Options

HOST

Host to connect to, in the format protocol://hostname:port, where protocol is either http or https. If omitted, the protocol is auto-detected, with https taking precedence over http. If no port is specified, the default ports 8080 (http) and 8443 (https) are used.

PASSWORD

Password to use for authentication. Default is to prompt.

USER

User to use for authentication. Default is admin.

--auto-save ACTION

Choose automatic action for received files when filesystem redirection is enabled. Possible actions are:

  • discard - discard any received file

  • local - save at local path

  • print - print file contents to stdout and discard

  • remote - save at path reported from remote server

-c, --command

Execute command on remote server and exit instead of starting an interactive shell.

--no-verify

Continue with https even if the TLS certificate presented by the server is invalid. Required if the server uses a self-signed certificate that is not installed on the system. Use with caution.

--redirect-fs

Redirect CLI initiated file operations to local filesystem. See section Filesystem Emulation for details.

-v, --verbose

Print more detailed information about the connection process.

Filesystem Emulation

When the --redirect-fs option is given, CLI initiated file operations are performed in an emulated filesystem and written files are sent back to the client.

Note that this only applies to files which are opened by CLI operations, while module-level operations (e.g. loading of configurations) are unaffected.

Files received from the remote server can then be viewed or saved locally.

grommunio-admin-dbconf

Name

grommunio-admin dbconf — Database-stored configuration management.

Synopsis

grommunio-admin dbconf (commit | delete) SERVICE [FILE [KEY]]
grommunio-admin dbconf get SERVICE FILE [KEY]
grommunio-admin dbconf list [SERVICE [FILE [KEY]]]
grommunio-admin dbconf set [-b] [-i] [--] SERVICE FILE KEY VALUE

Description

grommunio dbconf provides the ability to store and manage configurations at a single location while making it available across distributed systems. The configurations are stored in the central MySQL database and can be accessed via grommunio-dbconf and grommunio-admin-dbconf.
While both tools essentially provide the same functionality, grommunio-dbconf provides far better performance and is intended to be used for quickly accessing the configuration.

Configurations consist of key/value pairs organized in files, grouped by service. Each service can have an arbitrary number of configuration files, which in turn can contain an arbitrary number of unique keys.

Commands

commit

Trigger commit hook for service, file or key

delete

Delete service, file or key

get

Get file or single key

list

List available services, files or keys

set

Set a configuration key

Options

SERVICE

Name of the service to configure

FILE

Name of the configuration file

KEY

Name of the configuration key

VALUE

Value to store in the key

--

Indicate that all options have been specified and only names follow

-b, --batch

Do not auto-commit

-i, --init

Only set if configuration key does not exist yet

Commit Hooks

When modifying values, potential consumers can be notified of this change via commit hooks, for example by restarting the service using the configuration. For security reasons only a few white-listed commands are available (see section AVAILABLE COMMIT COMMANDS).

Commit hooks can be defined on key, file or service level. set operations always trigger commits at key level, while the commit command can directly trigger key or service level hooks depending on whether a file or key is specified.

If no hook is defined for a specific trigger level, it automatically falls through to the next lower level, in the order key > file > service.

Commit hooks for a service can be defined by setting commit_key, commit_file and commit_service keys under grommunio-dbconf/<service> to a valid command (see below).

Available Commit Commands

The following commands are available:

Key

postconf -e $ENTRY

File

There are currently no file-level commands.

Service

systemctl reload $SERVICE
systemctl restart $SERVICE

Command Variable Expansion

Commands can contain $-prefixed variables that are expanded before execution. The literal $$ can be used to generate a single $.

The following variables are valid:

ENTRY

Expands to $KEY=$VALUE (key level only)

FILE

Complete content of the modified file as newline separated key=value entries (file level only)

FILENAME

Name of the modified file (key and file level)

KEY

The modified key (key level only)

SERVICE

Name of the modified service

VALUE

New value of the modified key (key level only)

grommunio-admin-domain

Name

grommunio-admin domain — Domain management

Synopsis

grommunio-admin domain create [<FIELDS>] [--create-role] [--skip-adaptor-reload] -u MAXUSER DOMAINNAME
grommunio-admin domain delete DOMAINSPEC
grommunio-admin domain list [-f FIELD=<value>] [-s FIELD] [DOMAINSPEC]
grommunio-admin domain modify [<FIELDS>] DOMAINSPEC
grommunio-admin domain purge [--files] [-y] DOMAINSPEC
grommunio-admin domain recover DOMAINSPEC
grommunio-admin domain show [-f FIELD=<value>] [-s FIELD] DOMAINSPEC

Description

Subcommand to show and manipulate domains.

Commands

create

Create a new domain

delete

Soft-delete a domain

list

List domains

modify

Modify domain

purge

Permanently delete domain

recover

Recover a soft-deleted domain

show

Show detailed information about a domain

Options

DOMAINNAME

Complete name of the domain

DOMAINSPEC

Domain name prefix or domain ID

--create-role

Automatically create a domain administrator role for the new domain

--files

Also delete files from disk

-f FIELD=<value>, --filter FIELD=<value>

Filter expression in the form of ‘field=value’. Can be specified multiple times to refine filter

--skip-adaptor-reload

Do not reload gromox-adaptor service after domain creation

-s FIELD, --sort FIELD

Sort by field. Can be given multiple times

-y, --yes

Assume yes instead of prompting

Fields

--address ADDRESS

Content of address field

--adminName ADMINNAME

Name of the domain administrator or primary contact

--endDay ENDDAY

Date of domain expiration in YYYY-MM-DD format

--orgID ID

ID of the organization to assign the domain to

--tel TEL

Telephone number of domain administrator or primary contact

-u MAXUSER, --maxUser MAXUSER

Maximum number of users in the domain

grommunio-admin-fetchmail

Name

grommunio-admin fetchmail — Manage fetchmail settings and generate rc file

Synopsis

grommunio-admin fetchmail create [<FIELDS>] --srcPassword PASSWORD --srcServer SERVER --srcUser USER USERSPEC [MAILBOX]
grommunio-admin fetchmail delete [-y] MBSPEC
grommunio-admin fetchmail list [-f FILTER] [-s SORT] [MBSPEC]
grommunio-admin fetchmail modify [<FIELDS>] MBSPEC
grommunio-admin fetchmail print [-q] MBSPEC
grommunio-admin fetchmail show [--password] MBSPEC
grommunio-admin fetchmail write-rc [--force] [-o FILE] [-p] [-t MINUTES] [-v]

Description

Subcommand to show and manipulate fetchmail entries and generate fetchmailrc file.

Commands

create

Create a new fetchmail entry

delete

Delete fetchmail entry

list

List fetchmail entries

modify

Modify fetchmail entry

print

Print fetchmail configuration line generated by the entry

show

Show detailed information about fetchmail entry

write-rc

Write fetchmail configuration file (fetchmailrc)

Options

MAILBOX

E-Mail address of the local mailbox to deliver the mails to. Defaults to e-mail address of the specified user

MBSPEC

Mailbox prefix or ID of the fetchmail entry

USERSPEC

Username prefix or ID of the user to attach the entry to

-f FIELD=<value>, --filter FIELD=<value>

Filter expression in the form of ‘field=value’. Can be specified multiple times to refine filter

--force

Write rc file even if no entries were changed since the last write

-o, --out-file

Path to write configuration to. Default is /etc/fetchmailrc

--password

Print the source password

-p, --print

Additionally print rc file to stdout

-q, --quiet

Do not print additional info

-s FIELD, --sort FIELD

Sort by field. Can be given multiple times

-t, --time

Time in minutes since the last write. Default is to autodetect by file mtime

-v, --verbose

Be more verbose

-y, --yes

Delete multiple entries without prompting

Fields

--active STATE

Whether the entry is active. STATE can be one of 0, 1, yes or no. Default is 1

--extraOptions EXTRAOPTIONS

Space separated list of options to write into the fetchmailrc

--fetchall STATE

Whether to fetch mails marked as seen on the source server. STATE can be one of 0, 1, yes or no. Default is 0

--keep STATE

Whether to keep fetched mails on the source server. STATE can be one of 0, 1, yes or no. Default is 1

--protocol PROTOCOL

Protocol to use for fetching. Can be one of POP3, IMAP, POP2, ETRN or AUTO. Default is IMAP

--srcAuth AUTH

Authentication method to use. Can be one of password, kerberos_v5, kerberos, kerberos_v4, gssapi, cram-md5, otp, ntlm, msn, ssh, any. Default is password

--srcFolder FOLDER

Source folder to fetch from

--srcPassword PASSWORD

Password of the source user

--srcServer SERVER

Source server to fetch from

--srcUser USER

Source user to fetch mails from

--sslCertCheck STATE

Whether to force SSL certificate check. STATE can be one of 0, 1, yes or no. Default is 0

--sslCertPath SSLCERTPATH

Path to a directory containing trusted certificates or empty to use system default

--useSSL STATE

Enable SSL

grommunio-admin-fs

Name

grommunio-admin fs — Filesystem operations

Synopsis

grommunio-admin fs clean [-d] [-s] [PARTITION]
grommunio-admin fs du [PARTITION]

Description

Show space used by user and domain home directories or remove unused files.

Unused files may remain when users or domains are deleted without removing their files.

Commands

clean

Remove directories and files that are not used by any domain or user.

du

Show data usage statistics

Options

PARTITION

Apply only to selected partition. Can be either domain or user

-d, --dryrun

Do not delete anything, just print what would be deleted

-s, --nostat

Do not collect disk usage statistics of deleted files

grommunio-admin-ldap

Name

grommunio-admin ldap — LDAP tools

Synopsis

grommunio-admin ldap check [-r [-m] [-y]]
grommunio-admin ldap configure
grommunio-admin ldap downsync [-a] [-c] [-f] [-y] [USER [USER …]]
grommunio-admin ldap dump USER
grommunio-admin ldap info
grommunio-admin ldap reload
grommunio-admin ldap search [-n MAX_RESULTS] [USER]

Description

The grommunio admin ldap module provides functions for configuring and testing the LDAP connection and downloading or updating users.

Commands

check

Check if the LDAP objects imported users are linked to can still be found, optionally removing orphaned users

configure

Interactively configure or modify LDAP connection

downsync

Synchronize or import users from LDAP

dump

Print LDAP object

info

Show connection status

reload

Reload the LDAP configuration and reconnect

search

Search for users

Options

USER

LDAP object ID or search string

-a, --all

Synchronize all imported users. No new users are created, to import users use -c

-c, --complete

Import or update all users from the LDAP tree

-f, --force

Force update users that are linked to a different or no LDAP object

-m, --remove-maildirs

Also remove user files from disk

-n, --max-results

Maximum number of results or 0 to disable limit (default 25)

-r, --remove

Remove imported users of which the linked LDAP object could not be found

-y, --yes

Do not prompt, assume yes

grommunio-admin-mconf

Name

grommunio-admin mconf — Managed configuration manipulation

Synopsis

grommunio-admin mconf dump CONFIG
grommunio-admin mconf modify CONFIG unset KEY
grommunio-admin mconf modify CONFIG ACTION [-i | -b] KEY VALUE
grommunio-admin mconf print CONFIG
grommunio-admin mconf reload CONFIG
grommunio-admin mconf save CONFIG

Description

grommunio managed configuration (mconf) offers the possibility to manipulate configuration files used by gromox.

Commands

dump

Print configuration file that would be generated from internal state

modify

Modify internal configuration state

print

Print internal configuration state

reload

Reload configuration from disk

save

Save configuration file to disk

Options

ACTION

Modification action:

  • add - Add entry to list

  • remove - Remove entry from list

  • set - Add key

  • unset - Remove key

CONFIG

Configuration file, either authmgr or ldap

KEY

Configuration key

VALUE

Configuration value. For numeric or boolean values, use -i or -b respectively

-b, --bool

Convert value to boolean, valid values are y, n, yes, no, true, false, 1, 0

-i, --int

Convert value to integer, octal (0o) and hexadecimal (0x) prefixes are supported

grommunio-admin-mlist

Name

grommunio-admin mlist — Mailing/distribution list management

Synopsis

grommunio-admin mlist add MLISTSPEC (sender|recipient) ENTRY
grommunio-admin mlist create [-c CLASS] [-p PRIVILEGE] [-r RECIPIENT] [-s SENDER] [-t TYPE] NAME
grommunio-admin mlist delete [-y] MLISTSPEC
grommunio-admin mlist list [-f FIELD=<value>] [-s FIELD] [MLISTSPEC]
grommunio-admin mlist modify [-c CLASS] [-p PRIVILEGE] [-r RECIPIENT] MLISTSPEC
grommunio-admin mlist remove MLISTSPEC (sender|recipient) ENTRY
grommunio-admin mlist show

Description

Create, modify or delete mailing lists.

Commands

add

Add sender or recipient to list

create

Create a new mailing list

delete

Delete mailing list

list

List mailing lists

modify

Modify mailing list

remove

Remove sender or recipient from list

show

Show detailed information about mailing list

Options

-c CLASS, --class CLASS

ID of the associated class (class type only)

-p PRIVILEGE, --privilege PRIVILEGE

Set who is allowed to send mails to the list, one of all, domain, internal, outgoing or specific

-f FIELD=<value>, --filter FIELD=<value>

Filter expression in the form of ‘field=value’. Can be specified multiple times to refine filter

-s FIELD, --sort FIELD

Sort by field. Can be given multiple times

-t TYPE, --type TYPE

List type (recipient selection), one of normal, domain or class

grommunio-admin-passwd

Name

grommunio-admin passwd — Set user password

Synopsis

grommunio-admin passwd [-a] [-l LENGTH] [-p PASSWORD] [USER]

Description

Set user password.
If no user is specified, the password is set for the admin user, which is created automatically if necessary.
If neither -a nor -p is provided, the user is prompted for a password.

Options

USER

User to set password for (default admin)

-a, --auto

Automatically generate a password

-l LENGTH, --length LENGTH

Length of the automatically generated password (default 16)

-p PASSWORD, --password PASSWORD

Password to set (do not prompt)

grommunio-admin-run

Name

grommunio-admin run — Start a stand-alone HTTP server

Synopsis

grommunio-admin run [-d] [-i IP] [--no-config-check] [-p PORT]

Description

Run REST API in a stand-alone HTTP server.

-----DO NOT USE IN PRODUCTION!-----
This command is intended for development and testing. A production instance should use an external WSGI server like uwsgi.

Options

-d, --debug

Enable debug mode

-i IP, --ip IP

Host address to bind to (default 0.0.0.0)

--no-config-check

Skip configuration check

-p PORT, --port PORT

Host port to bind to (default 5001)

grommunio-admin-shell

Name

grommunio-admin shell — Start interactive shell

Synopsis

grommunio-admin shell [-d] [-n] [-x]

Description

The interactive shell mode allows execution of multiple (new line separated) commands in a single session. Command syntax is identical to the CLI arguments, with addition of the exit command which ends the interactive shell.

If possible, typed history will be saved in ~/.grommunio-admin.history.

Options

-d, --debug

Enable more verbose debug output

-n, --no-history

Disable loading/saving of the typed history

-x, --exit

Exit immediately if a command results in a non-zero exit code

grommunio-admin-taginfo

Name

grommunio-admin taginfo — Show information about proptags

Synopsis

grommunio-admin taginfo TAG [TAG …]

Description

Display information about a property tag, as defined in the Microsoft Exchange Server Protocols Master Property List.
Note that property names used by grommunio may differ from the names defined by Microsoft.

Options

TAG

Decimal or hexadecimal (with 0x prefix) Tag ID or grommunio tag name

grommunio-admin-user

Name

grommunio-admin user — User management

Synopsis

grommunio-admin user delete [-k] [-y] USERSPEC
grommunio-admin user list [-f FIELD=<value>] [-s FIELD] [USERSPEC]
grommunio-admin user show [-f FIELD=<value>] [-s FIELD] USERSPEC

Description

Subcommand to show and delete users.

No functionality for adding or modifying users is implemented at the moment.

Commands

delete

Delete user

list

List users

show

Show detailed information about a user

Options

USERSPEC

User name prefix or user ID

-f FIELD=<value>, --filter FIELD=<value>

Filter expression in the form of ‘field=value’. Can be specified multiple times to refine filter

-k, --keep-files

Do not delete user files from disk

-s FIELD, --sort FIELD

Sort by field. Can be given multiple times

-y, --yes

Assume yes instead of prompting

grommunio-admin-version

Name

grommunio-admin version — Show backend and/or API version

Synopsis

grommunio-admin version [-a] [-b] [-c]

Description

Show the current version of the API (specification) or the backend (code).
The combined mode (default) appends the difference between backend and API version at the end of the API version.

If multiple options are given, each requested version is printed on a separate line. The order is always API – backend – combined.

Options

-a, --api

Print API version

-b, --backend

Print backend version

-c, --combined

Print combined version

grommunio-dbconf

Name

grommunio-dbconf — Database-stored configuration tool

Synopsis

grommunio-dbconf [-v] [--] (commit | delete) SERVICE [FILE [KEY]]
grommunio-dbconf get [-v] [--] SERVICE FILE [KEY]
grommunio-dbconf list [-v] [--] [SERVICE [FILE [KEY]]]
grommunio-dbconf set [-b] [-i] [-v] [--] SERVICE FILE KEY [VALUE]

Description

grommunio dbconf provides the ability to store and manage configurations at a single location while making it available across distributed systems. The configurations are stored in the central MySQL database and can be accessed via grommunio-dbconf and grommunio-admin-dbconf.
While both tools essentially provide the same functionality, grommunio-dbconf provides far better performance and is intended to be used for quickly accessing the configuration.

Configurations consist of key/value pairs organized in files, grouped by service. Each service can have an arbitrary number of configuration files, which in turn can contain an arbitrary number of unique keys.

Commands

commit

Trigger commit hook for service, file or key

delete

Delete service, file or key

get

Get file or single key

list

List available services, files or keys

set

Set a configuration key

Options

SERVICE

Name of the service to configure

FILE

Name of the configuration file

KEY

Name of the configuration key

VALUE

Value to store in the key

--

Indicate that all options have been specified and only names follow

-b, --batch

Do not auto-commit

-i, --init

Only set if configuration key does not exist yet

-v, --verbose

Increase verbosity level (up to 3) to produce more diagnostic output

Commit Hooks

When modifying values, potential consumers can be notified of this change via commit hooks, for example by restarting the service using the configuration. For security reasons only a few white-listed commands are available (see section AVAILABLE COMMIT COMMANDS).

Commit hooks can be defined on key, file or service level. set operations always trigger commits at key level, while the commit command can directly trigger key or service level hooks depending on whether a file or key is specified.

If no hook is defined for a specific trigger level, it automatically falls through to the next lower level, in the order key > file > service.

Commit hooks for a service can be defined by setting commit_key, commit_file and commit_service keys under grommunio-dbconf/<service> to a valid command (see below).

Available Commit Commands

The following commands are available:

Key

postconf -e $ENTRY

File

There are currently no file-level commands.

Service

systemctl reload $SERVICE
systemctl restart $SERVICE

Command Variable Expansion

Commands can contain $-prefixed variables that are expanded before execution. The literal $$ can be used to generate a single $.

The following variables are valid:

ENTRY

Expands to $KEY=$VALUE (key level only)

FILE

Complete content of the modified file as newline separated key=value entries (file level only)

FILENAME

Name of the modified file (key and file level)

KEY

The modified key (key level only)

SERVICE

Name of the modified service

VALUE

New value of the modified key (key level only)
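The Commit Hooks, Available Commit Commands and Command Variable Expansion sections of grommunio-admin-dbconf and grommunio-dbconf, modelled as an added Python example (not the project's own code). The hook values, the `smtp.example.net` relayhost and the helper names are constructed; building an argument vector instead of a shell string is an assumption of this sketch, chosen so that a stored value always stays a single argument.

```python
import shlex
from string import Template

# Whitelist copied from the "Available Commit Commands" list above.
ALLOWED = {
    "key": {"postconf -e $ENTRY"},
    "file": set(),  # no file-level commands are listed
    "service": {"systemctl reload $SERVICE", "systemctl restart $SERVICE"},
}
# Fall-through order as stated above: key > file > service.
FALLTHROUGH = ("key", "file", "service")

# Constructed content of grommunio-dbconf/postfix.
SAMPLE_HOOKS = {
    "commit_key": "postconf -e $ENTRY",
    "commit_service": "systemctl reload $SERVICE",
}


def resolve_hook(hooks, trigger):
    """Return (level, template) of the first hook defined at or after `trigger`."""
    for level in FALLTHROUGH[FALLTHROUGH.index(trigger):]:
        template = hooks.get("commit_" + level)
        if template:
            return level, template
    return None


def level_variables(level, service, filename=None, key=None, value=None, content=None):
    """Build only the variables that are valid at `level`."""
    variables = {"SERVICE": service}
    if level in ("key", "file"):
        variables["FILENAME"] = filename
    if level == "file":
        variables["FILE"] = "\n".join(f"{k}={v}" for k, v in (content or {}).items())
    if level == "key":
        variables.update(KEY=key, VALUE=value, ENTRY=f"{key}={value}")
    return variables


def expand(token, variables):
    """Expand $NAME and turn $$ into a literal $ (string.Template semantics)."""
    try:
        return Template(token).substitute(variables)
    except KeyError as exc:
        raise ValueError(f"${exc.args[0]} is not valid at this level") from None


def build_argv(hooks, trigger, service, **context):
    """Resolve the hook for `trigger`, check the whitelist, return argv or None."""
    hook = resolve_hook(hooks, trigger)
    if hook is None:
        return None
    level, template = hook
    if template not in ALLOWED[level]:
        raise ValueError(f"{template!r} is not a whitelisted {level}-level command")
    variables = level_variables(level, service, **context)
    # Split the trusted template first, then expand each token on its own:
    # spaces or shell metacharacters in a value cannot create extra arguments.
    return [expand(token, variables) for token in shlex.split(template)]


if __name__ == "__main__":
    print(build_argv(SAMPLE_HOOKS, "key", "postfix", filename="main.cf",
                     key="relayhost", value="[smtp.example.net]:587"))
    print(build_argv(SAMPLE_HOOKS, "service", "postfix"))
```

The whitelist comparison is made on the unexpanded template, so only the variable values differ between runs, never the command itself.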