Admin API TLS configuration

Since the process of the Admin API is relevant for the initial provisioning stage, it is per default made available via port 8080 and unencrypted. As soon as the setup process has finished, it is advised to switch to a TLS-based configuration.

The shipped grommunio configuration files are prepared for setting up TLS configuration with the existing configuration. To activate the TLS configuration of grommunio-admin, execute the following steps:

ln -s /etc/grommunio-common/nginx/ssl_certficate.conf /etc/grommunio-admin-common/nginx-ssl.conf

This assumes the configuration of the TLS certificates has been installed successfullly by the provisioning of grommunio Setup.

As a final step, uncomment the prepared configuration directive in the last line of the configuration file /etc/nginx/conf.d/grommunio-admin.conf as follows:

vhost_traffic_status_zone shared:vhost_traffic_status:8m;

# If you want to disable HTTP, take note that your configuration might
# need adaptation in the admin api configuration in
#   config.yaml -> options: -> vhosts: -> local:
include /usr/share/grommunio-admin-common/nginx.conf;

# Uncomment the following line to enable TLS for the admin interface.
# Make sure to create /etc/grommunio-admin-common/nginx-ssl.conf
# containing the certificate configuration
include /usr/share/grommunio-admin-common/nginx-ssl.conf;

After a subsequent successful configuration check of the webserver configuration, nginx may be restarted, and the Admin API is available on port 8443, e.g. https://mail.example.com:8443 :

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# systemctl restart nginx

Note that by restarting the webserver, existing connections are terminated.

Certificate management

For the operation of grommunio, the use of TLS-based security is mandatory. With TLS certificates in place, any communication with grommunio’s services are protected by state-of-the-art encryption, which is mandatory for many clients and protocols.

If following the grommunio Setup path, also see also https://docs.grommunio.com/admin/administration.html#tls-configuration. Throughout the installation process, the administrator has multiple choices for TLS-based installation. For seamless operation, it is recommended to have a basic understanding of PKI concepts and the X.509 standard for certificates. Generally, grommunio uses PEM-encoded certificates.

If certificates need to be replaced, the certificates used by grommunio can be found by default in the following locations:

  • /etc/grommunio-common/ssl/server-bundle.pem (certificate bundle including certificate authority)

  • /etc/grommunio-common/ssl/server.key (private key)

By changing the certificates, all services using these certificates need to be restarted for the certificate to be used.

If Let’s Encrypt has been chosen for installation, the service grommunio-certbot-renew.timer automatically runs weekly to perform any new certificate request. The status of the timer service can be checked with:

systemctl status grommunio-certbot-renew.timer

Updating grommunio

Package Updates

During every installation of grommunio Appliance, it attempts to connect to the community repository of grommunio. This way, community updates are directly available to community users and can update the Appliance accordingly. Furthermore, grommunio provides the operating system repositories which provide state-of-the-art packages with latest updates available to the Linux operating system based on openSUSE Leap, a binary compatible distribution of SUSE Linux Enterprise Server.


Community repositories are delivered on a best-effort basis and are not supported. While grommunio welcomes community members to use grommunio, the software distribution available with the subscription repositories include production-relevant benefits. Subscription repositories (available only with a valid subscription) include quality-tested packages, hotfixes and extra features not available in community repositories.

For package management, the grommunio Appliances use zypper. Zypper is the package manager primarily used by SUSE-based distributions and is therefore default for the grommunio Appliances. Zypper has many similarities to other well-known package managers, such as dnf or apt.

The default repository file, /etc/zypp/repos.d/grommunio.repo is shipped with the following contents:


The default configuration does not verify SSL/TLS certificates intentionally. This enables support for:

  • configuration-less automated proxy environments with SSL/TLS interception

  • repository mirroring with selected partners and customers (hosting, large installations)

The integrity of all packages is secured by signatures on all packages distributed by grommunio with the grommunio GPG key, of which the public key is available at https://download.grommunio.com/community/packages/RPM-GPG-KEY-grommunio.

Your subscription credentials are provided to you via your grommunio partner and enables the availability of production-grade grommunio packages. These packages are quality-tested and only available to subscription customers.

To update your grommunio appliance with the most recent available updates, execute the following steps:

# zypper ref
Repository 'base' is up to date.
Repository 'debug' is up to date.
Repository 'debug-update' is up to date.
Repository 'grommunio' is up to date.
Repository 'update' is up to date.
All repositories have been refreshed.

# zypper up
Loading repository data...
Reading installed packages...

The following package is going to be upgraded:

 1 package to upgrade.
 Overall download size: 1.8 MiB. Already cached: 0 B. After the operation, additional 696.0 B will be used.
 Continue? [y/n/v/...? shows all options] (y):
 Retrieving package grommunio-admin-web-     (1/1), 1.8 MiB ( 15.0 MiB unpacked)
 Retrieving: grommunio-admin-web- ....................................[done]
 Checking for file conflicts: ............................................................................[done]
 (1/1) Installing: grommunio-admin-web- ..................................[done]

After the installation/update of some packages, services are not always restarted automatically due to the nature of the potential implications of such a restart during a package installation. For packages that have been updated however, a manual restart of the service is recommended. The command zypper ps -s lists such services that should be restarted at a convenient time to have the new update in place. An example of such an operation is:

# zypper ps -s

zypper ps -s
The following running processes use deleted files:

PID  | PPID | UID | User | Command   | Service
1553 | 1    | 0   | root | saslauthd | saslauthd

You may wish to restart these processes.
See 'man zypper' for information about the meaning of values in the above table.

No core libraries or services have been updated since the last system boot.
Reboot is probably not necessary.

# systemctl restart saslauthd

Backup & Disaster Recovery

grommunio fully supports snapshot-based backups of all modern filesystems and/or appliances. The snapshot mechanisms of the following filesystems, backup solutions or storage systems are tested and supported:

  • Acronis Backup

  • Arcserve Unified Data Protection (UDP)

  • Amanda Backup

  • Amazon EBS snapshots

  • Azure VM snapshots

  • Bacula Backup

  • btrfs-based snapshots

  • CephFS/RBD snapshots

  • Commvault Hyperscale

  • Dell EMC

  • Docker-based snapshots (docker checkpoint)

  • Google cloud persistent disk snapshots

  • HP StoreVirtual

  • Hitachi Vantara

  • Huawei OceanStor

  • Hyper-V snapshots

  • KVM-based snapshots

  • Kubernetes volume snapshots

  • LVM-based snapshots

  • LXC-based snapshots (lxc snapshot)

  • NetApp

  • NovaStor DataCenter

  • Nutanix

  • Pure Storage

  • VMware snapshots

  • Veeam Backup

  • Veritas

  • Xen-based snapshots

  • ZFS-based snapshots

With the snapshot mechanism provided by the storage provider, snapshots can be easily used to backup and restore entire mailboxes in a matter of seconds. For restoring mailboxes to another mailbox’s identity, it is recommended to ensure the mailbox is not in active use (such as mobile devices, profile synchronization). After the restore operation has completed, it is advised to restart the services gromox-http and gromox-midb to invalidate any existing runtime caches:

# systemctl restart gromox-http
# systemctl restart gromox-midb

To backup your grommunio installation, the following backup artifacts are relevant (per default):

  1. grommunio Groupware (gromox):

  • /var/lib/gromox/user: directory hierarchy for private mailboxes

  • /var/lib/gromox/domain: directory hierarchy for public mailboxes (public folders)

  • /var/lib/gromox/user/account@domain: individual mailbox container

  • MySQL database: grommunio

  1. grommunio Files:

  • /var/lib/grommunio-files

  • MySQL database: grofiles

  1. grommunio Chat:

  • /var/lib/grommunio-chat

  • MySQL database: grochat

  1. grommunio Archive:

  • /var/lib/grommunio-archive

  • MySQL database: groarchive

  1. grommunio Appliance:

  • File backup of /etc/grommunio*

  • File backup of /etc/nginx (if any non-standard configuration changes have been made)

  • File backup of /etc/php7/fpm/php-fpm.d (if any non-standard configuration changes have been made)

  • File backup of /etc/letsencrypt (if Let’s Encrypt certificates are used)

  • File backup of /etc/postfix (if any non-standard configuration changes have been made)


By using grommunio-dbconf, many file-based backups are not required. This is because dbconf stores configuration directives within the main grommunio database.

Database backup

Backup the grommunio databases grommunio, grofiles, groarchive, grochat and grofiles using standard procedures. Most backup solutions provide MySQL database backup agents for easy integration. For detailed backup options of your MySQL databases, refer to: https://dev.mysql.com/doc/refman/8.0/en/backup-types.html. If in doubt, the built-in utility mysqldump (https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html can create single SQL backup files of databases. A manual MySQL backup dump can be issued with:

mysqldump --single-transaction --routines --triggers --events --add-drop-database > grommunio-mysql-backup.sql

File-based backup

Since grommunio works entirely on the basis of transactions, any file-based backup is consistent at sync time, as long as it utilizes a “deltasync” based operation. It is also possible to sync files from the original operating location to a remote/mounted location for disk-to-disk backup scenarios, if so desired. With rsync, the grommunio Appliance offers a simple tool to synchronize data for this backup method. A manual file backup based on deltasync functionality by rsync can be issued with:

rsync -HPavS <from-directory> <to-directory>