Installation & Initial Setup¶
System Requirements¶
| Component | Minimum |
|---|---|
| OS | Debian 12 (Bookworm), amd64 or arm64 |
| RAM | 2 GB (4 GB recommended) |
| CPU | 2 cores |
| Disk | 20 GB (more depending on mail volume and archiving) |
| Network | Ports 25 (SMTP), 587 (Submission), 443 (HTTPS) reachable |
| DNS | Fully qualified hostname (FQDN) with A record |
Installation¶
The install script sets up all system components:
- Postfix (SMTP MTA)
- rspamd 4.0 (filter engine)
- ClamAV (antivirus)
- YARA sandbox
- KeyDB (rspamd replication in cluster mode)
- PostgreSQL 16 (database)
- nginx (reverse proxy for the web UI)
All binaries are installed as static Go binaries (/usr/sbin/nmg-*).
Initial Setup (Setup Wizard)¶
After installation, open a browser and navigate to https://<hostname>/setup.
Step 1: Admin Account¶
Enter an email address and password for the first administrator account. This account has full access to all settings.
Step 2: License Key¶
Enter the license key from the customer portal. The key is stored at /var/lib/nmg/license_key (mode 0600). On expiry, a 30-day grace period activates automatically via the local cache.
Step 3: FQDN & TLS¶
- FQDN: The server's fully qualified hostname (e.g.
mail.example.com) - TLS: Either Let's Encrypt (automatic, port 80 must be reachable) or a custom certificate (paths to
.crtand.key)
Package Updates¶
# Manual update of a single node
nmg-ctl update
# Rolling cluster update (recommended)
# In the web UI under Settings → Updates
With Auto-Update enabled, nmg checks for new packages daily and installs them automatically. For cluster setups, rolling updates are recommended (one node at a time) to maintain uninterrupted operation.
Directory Layout¶
| Path | Contents |
|---|---|
/etc/nmg/ |
Configuration files |
/var/lib/nmg/ |
Runtime data (cluster, license cache, sandbox blobs) |
/var/log/nmg/ |
Log files (api, scheduler, sandbox) |
/usr/share/nmg/web/ |
Web UI (management + quarantine portal) |
Ports¶
| Port | Protocol | Function |
|---|---|---|
| 25 | SMTP | Inbound mail from the internet (MX) |
| 587 | SMTP Submission | Outbound mail from clients |
| 443 | HTTPS | Web UI (management + quarantine portal) |
| 80 | HTTP | Let's Encrypt renewal (ACME) |