Installation of grommunio – Building Your Own Groupware Platform
Practical guide including pre-configuration, installation, DNS setup, testing, and forecast

1. Introduction

With grommunio, a modern groupware solution is available that deliberately positions itself as an alternative to traditional cloud offerings such as Microsoft 365 or Exchange. Developed in Austria and fully open source, grommunio provides a modular platform for email, calendars, contacts, and collaboration.

A key advantage lies in its architecture: grommunio is delivered as an appliance, based on openSUSE, and can be brought into operation relatively quickly. At the same time, the solution remains flexible enough to be deployed in more complex infrastructures or fully automated rollouts.

In this article, we demonstrate how to set up a grommunio instance using the appliance – including typical pitfalls that are actually relevant in practice. These are often the deciding factors between a smooth installation and one that runs into avoidable issues early on.



2. Preparing the Infrastructure

Before starting the actual installation, the environment should be properly prepared. In our case, the system is operated in a virtualized setup, for example using Proxmox. First, a virtual machine is created and the network is correctly assigned. This includes assigning the correct VLAN and ensuring that the VM will later be reachable under the intended IP address.

Next, the appliance ISO is mounted and the VM is started. The installation itself is generally straightforward but requires clean preparation. Network, DNS, and name resolution should be correctly configured before starting.



An important point: If Let’s Encrypt is to be used later for certificates, the DNS names must already be correctly set before installation or certificate issuance. Without proper name resolution or a reachable FQDN, certificate issuance will often fail.

Another relevant limitation of the appliance: predefined LVM partitioning cannot currently be cleanly configured during the appliance installation. If LVM or a custom storage layout is required, these adjustments must be performed manually afterward.

A brief outlook: besides the appliance, grommunio can also be installed fully manually or automated (e.g., via Ansible) on Red Hat-, Debian-, or SUSE-based systems. However, the appliance is the easiest entry point, especially for an initial proof of concept or a quick core deployment.



Here you can already set the system password as a first step:



If successful, the next step is to begin with the network configuration.


3. Network Pre-Configuration

A common pitfall during appliance installation is network configuration. While YaST2 initially appears convenient, it can be misleading in practice. Although IP address and subnet are visible, the default gateway is not configured where many would expect it. This often leads to a situation where the system appears reachable locally but lacks proper upstream connectivity.

In practice, it has proven useful to configure the network cleanly via the terminal before starting the actual setup. This ensures that hostname, DNS, routing, and IP configuration are consistent.

The following should be fully configured before starting the guided setup:

  • valid hostname / FQDN
  • static IP address
  • default gateway
  • DNS server
  • search domain
  • working name resolution

Configuration with YaST2


We configure the network interface, hostname and DNS, as well as the routing.
The network interface itself is set to static:



In the next step, we configure the DNS settings:



If necessary, static routes or the default gateway are also configured:



After making the changes, switch to the terminal and test connectivity by pinging an external IP address and a DNS name:



Configuration via the terminal


We configure the network interface, hostname and DNS, as well as the routing.
The network interface itself is set to static; the file is located at /etc/sysconfig/network/ifcfg-eth0:

bash
SERCONTROL='no'
IPADDR='188.40.144.21/24'
BOOTPROTO='static'
STARTMODE='auto'
ZONE='public'

After that:

bash
ifdown eth0
ifup eth0

In the next step, we configure the DNS settings in /etc/resolv.conf:

bash
search forgeone.eu
nameserver 9.9.9.9
nameserver 149.112.112.112

If necessary, static routes or the default gateway are also configured in /etc/sysconfig/network/ifroute-eth0:

bash
default 188.40.144.254 - eth0

After making the changes, restart wicked:

bash
systemctl restart wicked

Afterwards, test connectivity by pinging an external IP address and a DNS name:

typescript
ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=5.56 ms


ping google.at
PING google.at (142.251.141.163) 56(84) bytes of data.
64 bytes from lcprga-ag-in-f3.1e100.net (142.251.141.163): icmp_seq=1 ttl=116 time=12.4 ms

This step is crucial. If the gateway, DNS, or FQDN are not working properly before the setup, errors often occur later with package repositories, name resolution, or certificate issuance. The system may appear to be installed, but it is not yet properly prepared for operation.

Whether using YaST2 or configuring directly via the CLI, both approaches must result in a working network connection.

4. Starting the Installation and First Steps

After preparation, the appliance can be started and configured via the CUI interface. Even though this process is guided, it is still important that the base configuration has already been correctly set.


The installer then proceeds to the guided installation, where components can be selected:

  • Core – groupware for email, calendar, and contacts
  • Meet – adapted Jitsi
  • Chat – adapted Mattermost
  • Files – adapted Nextcloud
  • Office – adapted OnlyOffice
  • Archive – adapted Piler
  • Auth – adapted Keycloak (currently installed separately)

It is important to note that only the packages or modules for which the appropriate licenses are available are supported. For example, a basic license only supports the core functions and not the additional modules. “Supported” means that while all modules can technically be installed, if an issue occurs within those modules—or if such an issue affects a module covered by the license—only uninstalling the unsupported module will resolve it, as it is otherwise not covered.

The license you receive from a grommunio partner can be activated here. If you leave the fields empty, the Community Edition will be installed.



This is where it is determined whether the public DNS records have already been set correctly in advance if you choose Let’s Encrypt. Alternatively, you can proceed with a self-signed certificate or your own certificate.



The remainder of the installation process is generally straightforward. If there are issues with certificate issuance using certbot and Let’s Encrypt, this step can also be triggered again later via the CLI.

bash
certbot --nginx -d mail.forgeone.eu -d webmail.forgeone.eu -d autodiscover.forgeone.eu


5. Domain and DNS Configuration After Installation

After successful installation, configuration continues in the grommunio web interface. Optionally, an organization can be created. Within it (or directly), the desired mail domain is configured.

Once the domain is set up, required DNS records can be configured:

  • MX records
  • SPF (TXT)
  • DKIM
  • DMARC
  • SRV records


A particularly important point is DKIM. If no DKIM key is available yet, OpenDKIM can be installed afterward and the key can be generated manually. The keys are typically stored under /etc/opendkim/keys/<example.com>/. In this case, however, we place them in /var/lib/grommunio-antispam/dkim/forgeone.eu/.

bash
zypper install opendkim

Creating the directories, generating the DKIM private and public keys, and setting the permissions:

bash
mkdir -p /var/lib/grommunio-antispam/dkim/forgeone.eu
cd /var/lib/grommunio-antispam/dkim/forgeone.eu || exit 1


opendkim-genkey -s mail -d forgeone.eu -b 2048


chown groas:grommunio mail.private mail.txt
chmod 640 mail.private
chmod 644 mail.txt
chmod 750 /var/lib/grommunio-antispam/dkim
chmod 750 /var/lib/grommunio-antispam/dkim/forgeone.eu

After generating the key, the public part (in mail.txt) must be added to the DNS zone.

bash
mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; "
	  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnAOkWGe+4sPuzxzz8VYzet9RkmljJ6/

In addition, the DKIM signing must be made known to rspamd so that outgoing emails for the respective domain are properly signed.

bash
vim /etc/grommunio-antispam/override.d/dkim_signing.conf

Then copy the following content into dkim_signing.conf:

bash
enabled = true;


use_domain = "header";
sign_authenticated = true;
sign_local = true;
try_fallback = false;
selector = "mail";
domain {
  forgeone.eu {
    path = "/var/lib/grommunio-antispam/dkim/forgeone.eu/mail.private";
    selector = "mail";
  }
}


symbol = "DKIM_SIGNED";

After that, restart the services and check whether grommunio-antispam has started up again:

bash
stemctl restart grommunio-antispam


systemctl status grommunio-antispam


journalctl -u grommunio-antispam -f


6. Testing and Initial Delivery

Once the core system, DNS, and signing are configured, testing follows. A very useful tool in this context is mail-tester.com. It allows you to verify whether SPF, DKIM, and DMARC are working correctly and how the delivery quality is rated from the perspective of external recipients.

Especially with new mail servers, it should also be taken into account that some providers—such as t-online.de—block new mail servers or new IP addresses by default. In the initial response, it is usually stated that you need to contact them proactively so that the server’s or IP address’s reputation can be approved or reset.

This step is not unusual, but it should be planned for to ensure that production operation runs smoothly later on.

https://mail-tester.com (the free version allows a limited number of tests per day)



7. Current State and Manual Adjustments

As of March 22, 2026, some steps still require manual work after appliance installation:

  • DKIM configuration
  • grommunio-auth / Keycloak integration

These are straightforward to implement once the base configuration is stable. After that, the server is fully operational for core use.

8. Conclusion

The grommunio appliance enables setting up a complete groupware platform in a short time. While installation itself is simple, proper preparation—especially regarding network, DNS, and FQDN—is crucial.

Getting these basics right before starting the setup avoids many common issues. That’s why pre-configuration should be done deliberately and systematically.

9. Forecast

In the next article, we will demonstrate how to operate grommunio as a cluster or in a high-availability architecture. The focus will be on transforming a single appliance installation into a more robust, scalable, and production-ready setup.