Installation

System Requirements

TUXGUARD Mail Gateway can be installed on a single server, but it is highly recommended to have at least two systems for redundancy and a dedicated server that runs the web interface (and databases) for best performance.

If you are sending a lot of outbound or relay traffic for a lot of domains and other SMTP servers (e.g. using TUXGUARD Mail Gateway for SMTP AUTH or as a smart host), then it is highly recommended that you dedicate one or more servers to outbound traffic only and not to mix it with the inbound service.
This is to prevent inbound and outbound services adversely affecting each other should there be any abnormal traffic levels.

OS

A minimal installation of Red Hat Enterprise Linux 7 or CentOS 7 with all updates applied is required.

Hardware

The recommended system specification is:

  • Intel Xeon CPU with minimum 2 cores or better
  • min. 8GB RAM for the Web/Database master (due to the ElasticSearch requirements)
  • 2GB RAM per Core for additional Workers
  • min. 32 GB HDD

When running both the Web master and a Worker instance on the same host, 16GB RAM is recommended.

A minimal Red Hat Enterprise Linux or CentOS installation with TUXGUARD Mail Gateway uses around 3GB disk space, but a minimum of 32GB, all on one large partition, is recommended for a small system since the system uses space for logging, temporary files, etc.
The database role will take approximately 5GB of disk space per million SMTP transactions logged.

Network

We recommend ensuring the following:

  • installation on machines at network edge within DMZ without any ‘helpers’ or ALG (Application Level Gateways) enabled on firewall (such as Cisco SMTP/ESMTP inspection, PIX fixup protocol or any other form of SMTP Proxy)
  • application must speak directly to the host originating the message and see its external IP (the only exception to this being if a HAProxy is used for SMTP traffic)

Ports

The following ports need to be accessible by the workers on the Webmaster host:

Service         Protocol   Port
Elasticsearch   TCP        9200
                TCP        9300
                UDP        9700
Postgres        TCP        5432
Redis           TCP        6379

On a worker host, the following ports are necessary:

Service    Protocol   Port   Direction
Haraka     TCP        3000   external
           TCP        5000   external
Postgres   TCP        5432   webmaster

Additionally, all ports that have been configured on the Mail Core configuration page are necessary.

Preparing the installation

Before starting the installation verify that

  • firewalld is enabled and running
  • the system hostname is set-up correctly. If this is not the case, run the command:
hostnamectl set-hostname <hostname>

Important: the hostname needs to be set to a valid FQDN of the host

  • a static IP address is set
  • at least 2GB swap space is available
  • all ports are open between the Web/Database master host and each worker host (the installer will correctly re-configure and secure firewalld during its final step)
  • the root user on each worker host must be able to ssh to the Web/Database master host using a userid that can sudo to root.
  • the hosts all have an active internet connection
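
The checks in this list can be scripted so they run the same way on every worker before installation. The following is an added example, not part of the vendor's tooling: it covers firewalld, the FQDN hostname, swap space and the TCP ports listed above for the Webmaster host, and assumes the Web/Database master is already installed and that MASTER (a placeholder) holds its address. The static IP and ssh/sudo requirements are not checked.

```shell
#!/bin/sh
# Added example: pre-installation checks for a worker host (run as root).
# MASTER is a placeholder for the Web/Database master's address.

# is_fqdn NAME: true if NAME is at least two valid DNS labels and not a
# localhost-style default.
is_fqdn() {
  case $1 in localhost*|*.localdomain) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# swap_ok [FILE]: true if SwapTotal is at least 2 GB. /proc/meminfo counts in
# KiB, and a 2 GiB swap device reports slightly under 2097152, so compare
# against 2*10^9 bytes = 1953125 KiB.
swap_ok() {
  awk '/^SwapTotal:/ { ok = ($2 >= 1953125) } END { exit !ok }' "${1:-/proc/meminfo}"
}

# port_open HOST PORT: true if a TCP connection succeeds within 3 seconds.
# Uses bash's /dev/tcp so no extra packages are needed on a minimal install.
port_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# preflight MASTER: run every check, report each failure, return non-zero if any failed.
preflight() {
  rc=0
  { systemctl is-enabled --quiet firewalld && systemctl is-active --quiet firewalld; } ||
    { echo "FAIL: firewalld is not enabled and running"; rc=1; }
  is_fqdn "$(hostname)" || { echo "FAIL: hostname '$(hostname)' is not an FQDN"; rc=1; }
  swap_ok || { echo "FAIL: less than 2GB swap available"; rc=1; }
  # TCP ports the worker needs on the Webmaster host (UDP 9700 cannot be
  # verified with a connect test and is not probed here).
  for port in 9200 9300 5432 6379; do
    port_open "$1" "$port" || { echo "FAIL: cannot reach $1 on TCP $port"; rc=1; }
  done
  return "$rc"
}

# Only run when a master address is supplied, e.g. MASTER=192.0.2.10 sh preflight.sh
if [ -n "${MASTER:-}" ]; then preflight "$MASTER"; fi
```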

Webmaster Installation

1) Add the TUXMAIL yum repository to your target host by running:

curl -o /etc/yum.repos.d/tuxguard.repo https://tuxmail-manual.tuxguard.com/files/tuxmail.repo

2) Start the installation by running:

yum clean all && yum install tuxmail-web -y
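
Step 1 writes a downloaded file straight into /etc/yum.repos.d, after which yum installs packages from whatever that file points to. The following added example (not the vendor's procedure) downloads the file to a temporary location first and installs it only if every repository section enables gpgcheck and uses TLS URLs; the function names and the REPO_URL variable are assumptions of this example, and the contents of the real tuxmail.repo are not shown on this page.

```shell
#!/bin/sh
# Added example: review a downloaded .repo file before yum is allowed to use it.

# audit_repo FILE: print one finding per weak setting, return 1 if any exist.
# Flags sections that do not enable gpgcheck themselves (an unset value is
# inherited from [main] in /etc/yum.conf) and URLs fetched without TLS.
audit_repo() {
  awk '
    function report() {
      if (sec == "") return
      if (tolower(gpg) !~ /^(1|yes|true)$/) { print sec ": gpgcheck not enabled"; bad = 1 }
      if (plain != "") { print sec ": URL without TLS: " plain; bad = 1 }
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }          # blank lines and comments
    /^\[/ { report(); sec = $0; gpg = ""; plain = ""; next }
    {
      eq = index($0, "="); if (!eq) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "gpgcheck") gpg = val
      if ((key == "baseurl" || key == "mirrorlist" || key == "gpgkey") &&
          val ~ /^(http|ftp):/) plain = val
    }
    END { report(); exit bad + 0 }
  ' "$1"
}

# fetch_repo URL DEST: download over HTTPS only, install to DEST if the audit is clean.
fetch_repo() {
  tmp=$(mktemp) || return 1
  rc=1
  curl --fail --silent --show-error --proto '=https' -o "$tmp" "$1" &&
    audit_repo "$tmp" && install -m 0644 "$tmp" "$2" && rc=0
  rm -f "$tmp"
  return "$rc"
}

# Runs only when REPO_URL is set, e.g.
#   REPO_URL=https://tuxmail-manual.tuxguard.com/files/tuxmail.repo sh audit-repo.sh
if [ -n "${REPO_URL:-}" ]; then fetch_repo "$REPO_URL" /etc/yum.repos.d/tuxguard.repo; fi
```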

Worker Installation (on web host)

In order to install a worker on the same host as the webmaster, simply run the following on the webmaster host:

yum install tuxmail-worker -y

Worker Installation (remote)

In order to install a worker on a remote host:

1) ensure a working ssh-connection to your webhost
2) Add the worker node by running

ssh root@<your-web-host> "tux_add_cluster_node `hostname` "|bash

Web/Database master setup

After the Web/Database master has been installed successfully, the following steps are needed to complete setup:

1) Navigate to https://your-web-master-host-ip (or the appropriate DNS entry) using a browser (we recommend using the latest version of Firefox or Chrome)
2) Accept SSL exception
3) Optional step: import a backup file (more information here)
4) Import your license file by either uploading the .json or copy-pasting its contents into the appropriate text field
5) Create an initial Superadmin user by filling out the form

You can now log in using the initial credentials you created.

Once you’re done with your TUXGUARD Mail Gateway setup, you should remove any hosts from your MX records that do not run TUXGUARD Mail Gateway (e.g. backup MXs) as they will adversely affect filtering performance.
Alternatively you can stop the SMTP services on any of these hosts and only start them in a DR scenario.

Worker

During worker installation, the following steps are performed automatically:

  • the SSH key is copied from the master Web/Database host, enabling passwordless access to any of the cluster nodes
  • access through the firewall to the host is allowed
  • the tuxmail.repo file is copied to the host
  • the installation of ‘tuxmail-worker’ is started, which automatically creates a replica of the master node

Installation may take a few minutes to complete as virus and spam definitions are downloaded for the first time to ensure everything is completely up-to-date.
Once the installation is complete, your system is ready to scan emails.