last modified 12/10/2004, 4:45pm - see bottom for details
For latest version of this page please see: http://bio.fsu.edu/~sysalex/freebsd-mail-server.htm
Installing a FreeBSD 4.10 mail server with MailScanner 4.x, SpamAssassin, SSL/TLS POP, Pine, and webmail (IMP) via IMAP (not SSL-IMAP, so IMAP is allowed from localhost only).
Note 0: This page was written to document the procedure I use to build my mail servers. I have 15 years experience with FreeBSD but I’m sure I could still be doing some things in a better way. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu.
Note 1: You will need to request a webmail.<your_domain_name> DNS alias for your mail server’s IP address from whoever handles your IP registration.
Note 2: I use the terms “folder” and “directory” interchangeably; they mean the same thing. Terms placed in <>’s are variables, meaning don’t type in the <>’s. The exception is httpd.conf, where the <>’s are part of Apache’s own syntax.
Note 3: I’ll be adding special notes for those rebuilding a current FreeBSD box. These notes are set off in parentheses beginning “(FreeBSD Server Rebuild?:”. I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process. I change the hostname on the new box till I’m done, then change it to the true server name after I’ve tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache/httpd.conf, /usr/local/www/data/phpmyadmin/config.inc.php and /usr/local/etc/MailScanner/MailScanner.conf. I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I’m rebuilding. Previous versions of this page had a method for moving the IMP address book database, but changes in the database format have precluded that from working reliably. I recommend having your users export their address book to a file before the rebuild and then import it back afterwards.
Install FreeBSD 4.10. I usually do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. I usually just download the floppies (kern.flp and mfsroot.flp), boot from kern.flp and go from there to install via the network interface. Be sure to use fdimage to create your floppies.
Don’t install the ports collection when asked. I download the latest from the link on the FreeBSD website to make sure I get the latest version.
Add bash v3.x, gcc 2.95 and no-login when asked if you want to install additional software (packages).
If you didn’t include sources in your initial install, use /stand/sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains you don’t need. This cuts my kernel size to less than half its previous size, and every driver and option you leave out is attack surface you no longer have to patch. Directions for recompiling the kernel are at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html and here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at CPU type and Ethernet card; mine is set for Pentium >= II and Intel EtherExpress Pro. Other than that it’s a standard PC with one floppy drive, hard drives on both channels and no CD. Note: If you remove the INET6 option from the kernel, you’ll want to comment out the “O DaemonPortOptions=Name=IPv6, Family=inet6, ...” line in /etc/mail/sendmail.cf (or, more durably, remove the matching DAEMON_OPTIONS line from your /etc/mail/<hostname>.mc and regenerate sendmail.cf, since a direct edit is lost the next time the .cf is rebuilt from the .mc).
The basic procedure for building and installing a new kernel is:
- cd to /usr/src/sys/i386/conf
- cp GENERIC <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
- cp /kernel /kernel.ORIG
- run “make installkernel KERNCONF=<your host name in caps>”
- reboot to use the new kernel (run “shutdown -r now”)
If the new kernel fails to boot, interrupt the loader countdown and boot /kernel.ORIG (or /kernel.old, which installkernel leaves behind) from the loader prompt; that is the reason for keeping the copy.
Hint: install all applicable security patches from http://www.freebsd.org/security before compiling the kernel. That way any patches that require a kernel rebuild are completed in the above step.
Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Make a directory for installing stuff. I use /usr/install, thus “mkdir /usr/install”.
Cd to /etc, copy rc.conf to rc.conf.ORIG and edit rc.conf. Add
inetd_enable="YES"
Leave inetd_flags at its default of "-wW" (from /etc/defaults/rc.conf): the -w is what makes inetd consult hosts.allow for the services it starts (popper, imapd). Without it the rules below do nothing for them.
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make one much more secure. Rules are tried top to bottom and the first match wins, so order matters. I only allow ssh from inside FSU and certain outside IP’s. I allow pop from anywhere. I allow anything from localhost (includes imap). I allow finger from inside biology. I deny all else. “tcpdchk” will lint the finished file, and “tcpdmatch <daemon> <client>” (e.g. tcpdmatch sshd 128.128.171.231) shows which line a given client would hit without anyone having to connect. So mine looks like:
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.3 2000/07/20 15:17:44 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.
#
# Deny clients whose reverse DNS name does not resolve back to their
# address (PARANOID). RFC931 20 looks up the client user name via ident
# (20 second timeout) for the log entry before the denial. Because this
# line comes first it also blocks POP from hosts with broken reverse
# DNS, even though popper is allowed from ALL below.
ALL : PARANOID : RFC931 20 : deny
#
# Uncomment to also deny clients that have no reverse DNS at all (UNKNOWN).
#ALL : UNKNOWN : RFC931 20 : deny
#
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imap from localhost for IMP.
ALL : localhost 127.0.0.1 : allow
#
# Allow qpopper and sendmail from anywhere
popper : ALL : allow
qpopper : ALL : allow
sendmail : ALL : allow
#
# Allow finger from inside biology only
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
#
# Allow ssh from .fsu.edu
sshd : .fsu.edu : allow
#
# Allow ssh from select IP's and hosts (a backslash continues the line)
sshd : 128.128.171.231 128.128.171.191 .micske01.fl.comcast.net \
       .mkethn01.fl.comcast.net .tharpe01.fl.comcast.net \
       .aby.bellsouth.net .bbridg01.fl.comcast.net tschinkel.electronet.net : allow
#
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from the old box instead and change the local hostname if necessary.)
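To see which line a given client would hit without opening a connection, here is an added example (mine, not from the page; on the box itself tcpdmatch does the real thing): a small Python model of the hosts_access(5) matching rules, run over a constructed copy of the file above with the continuation lines joined and two of the comcast/bellsouth names dropped for brevity. It covers the pattern forms the file uses (ALL, PARANOID, leading-dot domain suffixes, trailing-dot address prefixes, exact names and addresses); EXCEPT, netmask patterns, KNOWN/UNKNOWN and the ident lookup are left out. The last check in the usage shows why the closing ALL : ALL : deny line matters: tcp_wrappers grants access when nothing matches.

```python
# Added example (not from the page): a minimal model of hosts_access(5)
# matching, for checking a hosts.allow rule set offline. Real checks on the
# box should use tcpdchk(8) and tcpdmatch(8); this models only the pattern
# forms used in the file above (ALL, PARANOID, ".domain" suffixes,
# "net." prefixes, exact host names and addresses). EXCEPT, netmask
# patterns, KNOWN/UNKNOWN and the RFC931 ident lookup are not modelled.

# Constructed copy of the page's hosts.allow, continuation lines joined
# and two of the comcast/bellsouth sshd entries dropped for brevity.
HOSTS_ALLOW = """
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
popper : ALL : allow
qpopper : ALL : allow
sendmail : ALL : allow
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
sshd : .fsu.edu : allow
sshd : 128.128.171.231 128.128.171.191 .micske01.fl.comcast.net tschinkel.electronet.net : allow
ALL : ALL : deny
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns, verdict), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        # hosts_options(5): fields after the client list are options; on this
        # page the last option is always the allow/deny verdict.
        rules.append((fields[0].split(), fields[1].split(), fields[-1].lower()))
    return rules


def client_matches(pattern, hostname, address, paranoid):
    """Subset of the client pattern rules from hosts_access(5)."""
    p = pattern.lower()
    host = (hostname or "").lower()
    if p == "all":
        return True
    if p == "paranoid":          # forward and reverse DNS do not agree
        return paranoid
    if p.startswith("."):        # domain suffix: .fsu.edu matches lab.bio.fsu.edu
        return host.endswith(p)
    if p.endswith("."):          # address prefix: 128.186. matches 128.186.x.y
        return address.startswith(p)
    return p == host or p == address


def decide(rules, daemon, hostname, address, paranoid=False):
    """First matching line wins; no matching line means access is granted."""
    for daemons, clients, verdict in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, hostname, address, paranoid) for c in clients):
            return verdict
    return "allow"


RULES = parse_rules(HOSTS_ALLOW)

if __name__ == "__main__":
    for args in (("sshd", "lab.bio.fsu.edu", "128.186.1.10"),
                 ("sshd", "host.example.net", "192.0.2.5"),
                 ("popper", "host.example.net", "192.0.2.5")):
        print(args, "->", decide(RULES, *args))
    # A file without the final catch-all grants access to anything unmatched.
    print(decide(parse_rules("sshd : .fsu.edu : allow"),
                 "sshd", "host.example.net", "192.0.2.5"))
```

Hostnames (lab.bio.fsu.edu, host.example.net) and addresses in the checks are constructed; the daemon name is the process name tcp_wrappers sees, so the IMAP server is matched as imapd.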
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex. “localhost.bio.fsu.edu”).
(FreeBSD Server Rebuild?: If I’m rebuilding a system this is where I copy over the user accounts and data. I usually just copy and paste the entries for the real users from both passwd and master.passwd on the old box into the same files on the new system, using an ssh shell on a Windows box, vi, and copy and paste. Then run vipw, make a meaningless change and quit, which rebuilds the password databases; “pwd_mkdb -p /etc/master.passwd” does the same rebuild directly. Copy only your users’ entries, not root or the system accounts, and give /etc/group the same treatment for any groups you created.)
The version of perl that comes with FreeBSD 4.10 and earlier (and maybe later) doesn’t support all we want to do, so we have to change to version 5.6 from ports.
Cd to /usr/ports/lang/perl5 and install with a “make install”. After install type “perl -v”; you’ll notice it’s still the old version. Fix this with “/usr/local/bin/use.perl port”, which points the perl symlinks at the ports version. Now “perl -v” should report back the new version.
Install cclient: cd to /usr/ports/mail/cclient and run “make WITH_SSL_AND_PLAINTEXT=true install”.
Cd to /usr/ports/mail/imap-uw and run “make WITH_SSL_AND_PLAINTEXT=true install”. (WITH_SSL_AND_PLAINTEXT builds imapd with SSL support but still lets it accept plain-text logins, which is what the localhost-only connection from IMP uses.)
Install Pine (my users insist; leave this off if you can): cd to /usr/ports/mail/pine4 and run “make install”.
Cd to /usr/ports/www/apache13-modssl and run “make install”.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf. I usually run a diff between the new file and the old file to spot any differences.
Generate a certificate for your webserver by running the following commands (which can be downloaded as a script here (usage: “mkwebcerts <your host name>”)):
openssl genrsa -out <your host name>.key 1024
openssl req -new -key <your host name>.key -out <your host name>.csr
openssl x509 -req -days 3650 -in <your host name>.csr -signkey <your host name>.key -out <your host name>.crt
When asked for “Common Name” enter the FQDN you registered for your webmail server (ie. webmail.<your domain name>); browsers compare it with the host name in the URL and warn on a mismatch. For the other questions the common sense answer is correct. When asked for a challenge password just hit enter. This is a self-signed certificate good for ten years, so browsers will warn the first time and users must accept or install it.
Move the resulting .crt and .key files to /usr/local/etc/apache. Chown them to www:www and chmod them to 550. (Apache reads the certificate and key as root at startup, before it drops to the www user, so root:wheel and mode 400 on the .key also works and keeps the private key out of reach of anything that ends up running as www.)
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box. Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.)
Edit httpd.conf and change
ServerName <your host name>
ServerAdmin <your email address>
SSLCertificateFile /usr/local/etc/apache/<your host name>.crt
SSLCertificateKeyFile /usr/local/etc/apache/<your host name>.key
Edit /etc/rc.conf and add
apache_enable="YES"
After the first start, confirm that httpd is listening on both 80 and 443 with “sockstat -4l | grep httpd”. If only port 80 shows up, httpd was started without SSL (“apachectl startssl”, i.e. the -DSSL define, is what turns on the mod_ssl part of the config).
Here’s a couple of hints for those of you new to Apache.
The default install of Apache does not have CGI scripts enabled. To enable CGI scripts, change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows:
<Directory "/usr/local/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
Only do this if you actually have CGI scripts to run; every script in cgi-bin is then reachable by anyone.
(FreeBSD Server Rebuild?: don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql323-server and run “make install”. This will install both server and client. Nothing off this box needs to talk to MySQL (phpMyAdmin and Horde connect to localhost), so add skip-networking under [mysqld] in /etc/my.cnf so the server listens only on its Unix socket and port 3306 is never exposed.
Copy over users and data from the previous system (if applicable). Make sure you’ve copied over your users (password files /etc/passwd and /etc/master.passwd) and rebuilt the user database (vipw or pwd_mkdb). Then tar up any data (/usr/local/www, /home, etc.) on the old box, move it to the new box and untar it. The root www directory on the box we are building will be /usr/local/www/.
Cd to /usr/ports/lang/php4 and run “make install”. On the options screen, if you compiled your kernel without IPv6 support remove it here as well; also enable debug.
Cd to /usr/ports/lang/php4-extensions and run “make install”. On the options screen, leave the defaults already checked and add: DOMXML, FTP, GETTEXT, IMAP, LDAP, MCAL, MCRYPT, OpenSSL, PSPELL and XML (some may be selected already). Use the default options on any dependencies.
After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and to php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 30M ; max upload (attachment) file size in webmail
memory_limit = 30M ; Maximum amount of memory a script may consume (default 8M)
Also check post_max_size (default 8M): it must be at least as large as upload_max_filesize, or attachments above 8M will fail even though the upload limit says 30M.
Cd to /usr/ports/sysutils/pear-DB and run “make install”.
Cd to /usr/ports/sysutils/pear-Log and run “make install”.
Check to make sure that the php install added the php handler block to your /usr/local/etc/apache/httpd.conf file. The chunk of code it was supposed to add is:
<IfModule mod_php3.c>
    AddType application/x-httpd-php3 .php3
    AddType application/x-httpd-php3-source .php3s
</IfModule>
<IfModule mod_php4.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>
and it goes right under the
<IfModule mod_negotiation.c>
    LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
</IfModule>
block of code. If it didn’t put it in (and it usually doesn’t) go ahead and paste it in. Also you’ll want to add index.php to the list of index pages under the DirectoryIndex section if it didn’t get added. I use both php and shtml so mine looks like:
<IfModule mod_dir.c>
    <IfModule mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.php3 index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.php3 index.shtml index.html index.htm
        </IfModule>
    </IfModule>
    <IfModule !mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.shtml index.html index.htm
        </IfModule>
    </IfModule>
</IfModule>
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this: just unzip and untar the contents to /usr/local/www/data/<folder name>. Most people use phpMyAdmin as the folder name, so I use something else (it cuts down on drive-by probing, but the access controls below are what actually protect it). Chown the folder to www:www with “chown -R www:www <folder name>”. Go into this folder and copy config.inc.php to config.inc.php.ORIG. Edit config.inc.php and change
$cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';
OK, reboot with “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpMyAdmin page should load. Click on Privileges and delete all the users except root on localhost (two “any” users and a root at the machine name). Edit the root at localhost user and set a password. Reload the MySQL server. At this point it should kick you out. Edit config.inc.php and put in your new password:
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpMyAdmin page. Chown config.inc.php to www:www and chmod it to 550. Until the next step is done this page is reachable from anywhere, with the MySQL root password sitting in it, so do the next step right away.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache/httpd.conf and adding an entry for the directory that reads (for example purposes I’m using phpMyAdmin as the folder name and replaced the IP’s with X’s and Y’s):
<Directory /usr/local/www/data/phpMyAdmin>
    Order Deny,Allow
    Deny from all
    Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
</Directory>
Keep the Order as Deny,Allow: with Order Allow,Deny the “Deny from all” wins over the Allow line and nobody gets in. Check your config file with “apachectl configtest” and if OK restart Apache with “apachectl restart”. You should now be able to load the phpMyAdmin page from only the IP’s you entered. Any other IP should return “Forbidden . . .”.
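To see why the Order line matters, here is an added example (mine, not Apache’s code): a small Python model of Apache 1.3’s Order/Allow/Deny decision, run over the block above with constructed addresses (192.0.2.10 and 192.0.2.20) standing in for the X’s and Y’s. It shows that the same three lines with Order Allow,Deny lock everyone out, because a request matching both lists is then denied, and that the cgi-bin block’s Order allow,deny / Allow from all admits anyone.

```python
# Added example (not from the page or from Apache): a model of the Apache 1.3
# mod_access "Order" / "Allow from" / "Deny from" decision, to check a
# <Directory> block offline. Patterns modelled: "all", full or partial
# dotted addresses (128.186 means 128.186.x.y) and ".domain" suffixes on
# the client's name; network/netmask and CIDR forms are not modelled.

def pattern_matches(pattern, address, hostname=None):
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):
        return bool(hostname) and hostname.lower().endswith(p)
    # partial address: 128.186 matches 128.186.0.1 but not 128.18.0.1
    return address == p or address.startswith(p + ".")


def permitted(order, allow, deny, address, hostname=None):
    """order is 'allow,deny' or 'deny,allow'; allow and deny are the pattern
    lists from the Allow from / Deny from lines. True means the request
    gets through."""
    allowed = any(pattern_matches(p, address, hostname) for p in allow)
    denied = any(pattern_matches(p, address, hostname) for p in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # must match an Allow and no Deny; unmatched requests are denied
        return allowed and not denied
    if order == "deny,allow":
        # an Allow overrides a Deny; unmatched requests are permitted
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


# The page's phpMyAdmin block, with constructed admin addresses for X and Y.
ADMIN_IPS = ["192.0.2.10", "192.0.2.20"]


def phpmyadmin_ok(address):
    """Order Deny,Allow / Deny from all / Allow from <admins>."""
    return permitted("Deny,Allow", ADMIN_IPS, ["all"], address)


def phpmyadmin_wrong_order(address):
    """The same lines with Order Allow,Deny: Deny from all now wins."""
    return permitted("Allow,Deny", ADMIN_IPS, ["all"], address)


def cgi_bin_ok(address):
    """The page's cgi-bin block: Order allow,deny / Allow from all."""
    return permitted("allow,deny", ["all"], [], address)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5"):
        print(ip, phpmyadmin_ok(ip), phpmyadmin_wrong_order(ip), cgi_bin_ok(ip))
```

The same function can check an Allow line with a partial address or a .domain suffix, which is handy before trusting a block that guards something as sensitive as the database admin page.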
At this point I add a .htaccess userid and password to this folder as well. See the Apache documentation for how to do this, http://httpd.apache.org/docs/howto/auth.html#basicworks. Basic authentication sends the userid and password in the clear, so add SSLRequireSSL to the <Directory> block above (as is done for Horde later), change PmaAbsoluteUri to the https:// form, and only ever open the folder over https; otherwise the password is exposed on the wire.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpMyAdmin on your old box (unlikely), move your phpMyAdmin folder to somewhere safe and install the latest version.)
Download the latest version from ftp://ftp.qualcomm.com/eudora/servers/unix/popper. I got qpopper4.0.5.tar.gz. Move this file to /usr/install, gunzip and untar it, and cd into the resulting directory. The install procedure is
- ./configure --with-openssl
- make
- make install
- make clean
but don’t run it yet; the source needs the patch below first.
Qpopper has a bug in relation to recent versions of OpenSSL, so we have to enable the work-arounds for known client bugs when qpopper calls OpenSSL. Before running the installation, cd to the popper folder and copy pop_tls_openssl.c to pop_tls_openssl.c.ORIG. Edit pop_tls_openssl.c; about 35% into the file you’ll find:
    /*
     * Set desired options
     */
    if ( pPOP->tls_options ) {
        long opts = 0;
        opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
        DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",
                     pPOP->tls_options, opts );
    }
Replace that with:
    /* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
    /* combination work with recent versions of OpenSSL.                 */
    SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);
Note that after this change any “tls-options” you set in qpopper.conf are no longer applied (the original code is what applied them), and that SSL_OP_ALL also turns on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables OpenSSL’s countermeasure against a known CBC weakness in SSL 3.0/TLS 1.0. It is a compatibility trade-off for Eudora, not a free fix.
You can also download a
copy of the patched file from me here.
Make sure a diff of your edited version (or the one you downloaded from me) against the original file looks like:
beta# diff
pop_tls_openssl.c pop_tls_openssl.c.ORIG
349,351c349,357
< /* Enable all of
OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
< /* combination work
with recent versions of OpenSSL. */
< SSL_CTX_set_options
(pTLS->m_OpenSSLctx, SSL_OP_ALL);
---
> /*
> * Set desired options
> */
> if (
pPOP->tls_options ) {
> long opts = 0;
> opts =
SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
> DEBUG_LOG2 ( pPOP,
"...set options %#0x; options now %#0lx",
> pPOP->tls_options,
opts );
> }
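Review bot: the replacement drops pPOP->tls_options entirely, so a “set tls-options” value in qpopper.conf is silently ignored after this patch; passing pPOP->tls_options | SSL_OP_ALL to SSL_CTX_set_options keeps the configured bits together with the bug work-arounds. The new comment should also say that SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off OpenSSL’s countermeasure for the CBC weakness in SSL 3.0/TLS 1.0, so a reader knows this trades protocol hardening for Eudora compatibility rather than only “enabling bug fixes”.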
Now we configure, make and install with (don’t forget to cd back up a directory first):
./configure --with-openssl
make
make install
make clean
OK, now we want to make qpopper use TLS/SSL POP. So cd to /usr/local/etc and make a directory called qpopper. Cd to this directory and create a file called qpopper.conf containing
set tls-support = stls
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. Create a second file called qpopper-altport.conf containing
set tls-support = alternate-port
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. In case you’re wondering, we’re going to make SSL/TLS POP work on both the standard port (110, upgraded with the STLS command) and the alternate port (995, SSL from the first byte). This makes setting up email clients (Eudora, etc.) that much more fool proof. And that’s a good thing.
Cd to /etc/mail and “mkdir certs”. Cd to certs and run
openssl req -new -nodes -out req.pem -keyout cert.pem
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 3650 -in req.pem -out signed-req.pem -CAcreateserial
cp cert.pem cert.pem.ORIG
cat signed-req.pem >> cert.pem
What this does: the first command writes an unencrypted server key (-nodes) to cert.pem and a signing request to req.pem; the next two create a small local CA (an encrypted key and a self-signed CA certificate); the fourth has that CA sign the request; and the last appends the signed certificate to cert.pem, so the file ends up holding both key and certificate, which is the form qpopper’s tls-server-cert-file expects. This will ask you a bunch of questions, twice, most of which aren’t important. The only critical ones are
- for passwords or pass phrases enter the same thing each time (the CA key pass phrase is asked for by genrsa and again by each command that uses ca.key)
- for common name enter the fully qualified domain name of your machine for the server request; the CA certificate’s common name should be something different (e.g. “<your org> POP CA”) so that the two certificates are distinguishable
Because cert.pem contains the private key, leave it owned by root with mode 600 (“chmod 600 cert.pem”); qpopper is started by inetd as root, so nothing else needs to read it. ca.key is only needed to sign future requests, so keep it off the server or at least mode 600 as well. Give users ca.crt (never cert.pem) when they need to trust the server in their mail client.
You can download the entire set of commands as a script here.
(FreeBSD Server Rebuild?: just scp cert.pem from your old box to your new box instead. Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.)
Cd to /etc and copy inetd.conf to inetd.conf.ORIG. Edit inetd.conf and change the pop3 and imap4 lines to the following, adding the pop3s line under your current pop3 line:
pop3  stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf
pop3s stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf
imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
HUP your inetd (“kill -HUP $(cat /var/run/inetd.pid)”) and you should now be able to pop into your email; “sockstat -4l | grep inetd” should show ports 110, 995 and 143. Remember to add the certificate to your trusted certificates in Eudora. For details see the bottom part of the page at: http://www.bio.fsu.edu/complabs/eudora.htm.
Note: The “-p 4” in the pop3 inetd lines enforces the use of SSL/TLS POP (clear-text passwords are refused unless the session is encrypted). If you want to allow but not force SSL/TLS POP remove the “-p 4” from the line(s). Note also that the imap4 line is plain IMAP with no TLS; it is only acceptable because hosts.allow restricts it to localhost, so if you ever open it up switch to imaps.
Get the latest version of McAfee uvscan for FreeBSD (vbsd440l.tar.z as of 12-10-2004) from McAfee. Go to your /usr/install directory and do a “mkdir vbsd” and then “cd vbsd” (vbsd440l.tar.z doesn’t create its own directory when you untar it). Move the installer to the current directory, gunzip it, and then untar it. Then run ./install-uvscan and accept all defaults.
Here’s where you run into problems with libc.so.3, which doesn’t exist on 4.x (the uvscan binary was linked on FreeBSD 3.x). The quick fix is to cd to /usr/lib and then “ln -s libc.so.4 libc.so.3”. The cleaner fix is to install the compat3x distribution (/stand/sysinstall, Configure->Distributions->compat3x), which provides the real libc.so.3; use that if the symlinked library misbehaves.
Install the latest DAT files by untarring them to a temp directory and from that directory running “cp *.dat /usr/local/uvscan”. Run “/usr/local/uvscan/uvscan --version” to check the results. The DATs go stale quickly, so script the download and copy to run from cron; MailScanner can only catch what the DATs know about.
Cd to /etc/mail. Copy sendmail.cf to sendmail.cf.ORIG. Edit sendmail.cf and change:
# load average at which we just queue messages
O QueueLA=24
# load average at which we refuse connections
O RefuseLA=36
Save sendmail.cf. Keep in mind that on FreeBSD sendmail.cf is generated from /etc/mail/<hostname>.mc (running make in /etc/mail regenerates and installs it), so a direct edit like this, or the IPv6 DaemonPortOptions change above, is lost the next time the .cf is rebuilt; the durable place for these values is confQUEUE_LA and confREFUSE_LA in the .mc file.
Create a new file called access. You want to enable relaying from your own domains and networks, and nothing else: every RELAY entry is a set of hosts that can send mail anywhere through this server. Mine looks like this:
fsu.edu            RELAY
128.186            RELAY
146.201            RELAY
144.174            RELAY
evilspammer.com    REJECT
Bare network prefixes like 128.186 match the whole 128.186.0.0/16 block, so list only networks you administer. Name entries such as fsu.edu are matched against the connecting client’s resolved host name (and against sender domains), so they are only as trustworthy as DNS; where you can, prefer address prefixes. Make the access database with “makemap hash access < access”. This creates a file called access.db. Rerun makemap (or just make in /etc/mail) every time you edit access, because sendmail reads only the .db.
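As an added example of what those entries match (my code, not sendmail’s; a simplified model of the access_db lookup order used by the relay check), this runs the page’s access file through the progressively shorter lookups sendmail performs. It shows that 128.186 covers the whole /16 while 128.1.x.x is not relayed, and that fsu.edu matches only on a label boundary (notfsu.edu is not covered). Tags such as Connect:/From:/To:, and the other rulesets that consult this map, are not modelled.

```python
# Added example (not from the page or from sendmail): a simplified model of
# how sendmail's access_db is consulted for relaying. The connecting client's
# resolved name is tried from the full host name down to its parent domains,
# and its address from the full dotted quad down to the first octet; the
# first key found wins. Tags (Connect:/From:/To:) and the other rulesets
# that also consult this map are not modelled.

# Constructed copy of the page's access file (the text makemap reads).
ACCESS = """
fsu.edu            RELAY
128.186            RELAY
146.201            RELAY
144.174            RELAY
evilspammer.com    REJECT
"""


def parse_access(text):
    """Build the key -> value table makemap would write into access.db."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip().upper()
    return table


def name_keys(hostname):
    """lab.bio.fsu.edu -> lab.bio.fsu.edu, bio.fsu.edu, fsu.edu, edu"""
    labels = hostname.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(address):
    """128.186.1.2 -> 128.186.1.2, 128.186.1, 128.186, 128"""
    octets = address.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def first_hit(table, keys):
    for key in keys:
        if key in table:
            return table[key], key
    return None, None


def relay_decision(table, address, hostname=None):
    """Return (value, matched_key). (None, None) means no entry: the client
    may only send to local recipients, i.e. relaying is denied. The name is
    consulted only when it resolved; sendmail refuses relaying outright when
    the client name is forged or fails lookup."""
    value, key = None, None
    if hostname:
        value, key = first_hit(table, name_keys(hostname))
    if value is None:
        value, key = first_hit(table, address_keys(address))
    return value, key


TABLE = parse_access(ACCESS)

if __name__ == "__main__":
    for client in (("128.186.1.2", None), ("128.1.2.3", None),
                   ("192.0.2.9", "mx.evilspammer.com"), ("192.0.2.9", "notfsu.edu")):
        print(client, "->", relay_decision(TABLE, *client))
```

Addresses 128.1.2.3 and 192.0.2.9 and the host names mx.evilspammer.com, mail.bio.fsu.edu and notfsu.edu used in the checks are constructed.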
If you receive mail for more than just your domain, create a new file called local-host-names and insert the domain names, one per line. Mine looks like this:
southernmatters.com
lakejacksonturtles.org
Edit /etc/mail/aliases and at least redirect root to an account you check. Also add any other aliases you want for your domain. Rebuild the alias database with “newaliases”.
(FreeBSD Server Rebuild?: scp local-host-names from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, and copy over any alias files you had.)
MailScanner croaks with a bunch of errors with the latest version of p5-MIME-Tools. You can fix this later if you want to try the default version of p5-MIME-Tools, but to never see the error:
- cd to /usr/ports/mail and “mv p5-MIME-Tools p5-MIME-Tools.NEW”.
- Download p5-MIME-Tools version 5.411a_3,1. You can get it at http://bio.fsu.edu/~sysalex/p5-MIME-Tools_5.411a_3,1.tar
- Move or copy p5-MIME-Tools_5.411a_3,1.tar to /usr/ports/mail and untar it.
Pinning MIME::Tools to an older version means doing without any later fixes to it, and MIME parsing is exactly the code path hostile mail exercises, so revisit this once MailScanner works with the current port.
Cd to /usr/ports/mail/mailscanner and install with “make install”.
Generate the default config files with “make initial-config”.
Create the MailScanner spool directories with
mkdir -p /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/mqueue.in
chgrp daemon /var/spool/MailScanner/*
chgrp daemon /var/spool/mqueue.in
cd to /usr/local/etc/MailScanner and copy MailScanner.conf to MailScanner.conf.ORIG. Edit MailScanner.conf and change
%org-name% = <Your org name>
Expand TNEF = no
File Command = /usr/bin/file
Virus Scanners = mcafee
Still Deliver Silent Viruses = no
Allow IFrame Tags = yes
Quarantine Infections = no
Add Envelope From Header = no
Virus Subject Text = {Virus}
Filename Subject Text = {Filename}
Warning Is Attachment = no
Use SpamAssassin = yes
High Scoring Spam Actions = delete
#Enable Spam Bounce = %rules-dir%/bounce.rules
Always Include SpamAssassin Report = yes # You will probably want to disable this after testing
Two of these are deliberate loosenings worth knowing about: “Allow IFrame Tags = yes” passes HTML mail containing iframes through untouched (MailScanner’s default does not, since an iframe is an easy way to pull hostile content into a message), and “Quarantine Infections = no” means infected messages are gone once deleted rather than kept for inspection. Leaving “Enable Spam Bounce” commented out is the right call: bouncing spam sends it on to forged sender addresses.
cd to /usr/local/etc/rc.d. Copy mta.sh.sample to mta.sh. Edit mta.sh and change “mta=exim” to “mta=sendmail” (if needed; it may be set already). Copy mailscanner.sh.sample to mailscanner.sh.
Edit /etc/rc.conf and set
sendmail_enable="NO"
so the stock rc scripts do not start the inbound sendmail daemon; mta.sh starts sendmail the way MailScanner needs it (one instance accepting on port 25 into /var/spool/mqueue.in, one delivering from /var/spool/mqueue). After your first boot, check with “sockstat -4l | grep :25” that only the mta.sh-started sendmail is listening; if rc.sendmail has also started a localhost submission daemon, set sendmail_enable="NONE" instead, which disables every sendmail the rc scripts would start.
MailScanner should now be started when the system boots, but don’t reboot or try to start it yet. The following is FYI only at this point.
To start, stop or restart MailScanner manually, use
/usr/local/etc/rc.d/mailscanner.sh start|stop|restart
Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install it with a “make install”. Deselect IPv6 support if you did so in previous steps.
Cd to /usr/ports/mail/pyzor and install with “make install”.
Cd to /usr/ports/mail/dcc-dccd and install with “make install”.
Pyzor, Razor and Bayes need periodic updates. I run the following script from crontab once a day:
#! /usr/local/bin/bash
# get a list of the Pyzor servers
/usr/local/bin/pyzor discover
# refresh /root/.razor/
/usr/local/bin/razor-admin --discover
# re-build the Bayes database daily and expire old tokens
/usr/local/bin/sa-learn -p /usr/local/etc/MailScanner/spam.assassin.prefs.conf --rebuild --force-expire
Run it from the crontab of the user MailScanner runs SpamAssassin as (root here, hence /root/.razor), since the Bayes and Razor data are per-user.
Cd to /usr/local/etc/MailScanner and copy spam.assassin.prefs.conf to spam.assassin.prefs.conf.ORIG. Edit spam.assassin.prefs.conf and add bayes_ignore_header lines for the org-name you added when editing MailScanner.conf, so the headers MailScanner itself adds don’t get learned as spam or ham tokens. My org-name was “FSU-Biology” so my bayes_ignore_header lines are:
bayes_ignore_header X-FSU-Biology-MailScanner
bayes_ignore_header X-FSU-Biology-MailScanner-SpamCheck
bayes_ignore_header X-FSU-Biology-MailScanner-SpamScore
bayes_ignore_header X-FSU-Biology-MailScanner-Information
OK, now you can reboot. At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail yet.
If you didn’t replace the default version of p5-MIME-Tools with p5-MIME-Tools_5.411a_3,1.tar as discussed at the top of the MailScanner section, you are probably now getting a bunch of errors when MailScanner tries to start. Fix this with:
- cd to /usr/ports/mail/p5-MIME-Tools
- “make deinstall”
- cd to /usr/ports/mail
- mv p5-MIME-Tools p5-MIME-Tools.NEW
- fetch http://bio.fsu.edu/~sysalex/p5-MIME-Tools_5.411a_3,1.tar
- tar xf p5-MIME-Tools_5.411a_3,1.tar
- cd p5-MIME-Tools
- make install
If /usr/local/www/horde exists already (from the untar of previous data), move it aside with something like “mv /usr/local/www/horde /usr/local/www/horde.OLD”.
Cd to /usr/ports/mail/imp3 and install with a “make WITHOUT_SSL=true install”. This will take quite a while as there are lots of dependencies, so this is a good time to get a cup of your favorite beverage. Don’t fret about the WITHOUT_SSL: it means the connection from IMP to imapd won’t be encrypted, which, since both are on the same machine and imapd is wrapped to localhost, is OK. The encryption is handled by apache-modssl, which handles the connection from the machine to the end user.
Make sure the install added
# Horde's include directory
Include /usr/local/etc/horde
to the bottom of /usr/local/etc/apache/httpd.conf. If not, add it. Also add
<Directory "/usr/local/www/horde">
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    SSLRequireSSL
</Directory>
directly underneath the
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
block of code. SSLRequireSSL refuses plain-http requests for the webmail tree outright, so a user who types http:// cannot leak a password or session cookie, and the SSLRequire line refuses weak (export-grade) ciphers.
Cd to /usr/local/etc/apache and copy httpd.conf to httpd.conf.BAK. Look for the virtual host section (near the bottom). Add a virtual host for redirecting to your encrypted web server. The only way I can get virtual hosts to work is to make all the sites on the server a virtual host, so:
NameVirtualHost *
#
<VirtualHost *>
    ServerAdmin webmaster@<your host name>
    DocumentRoot /usr/local/www/data
    ServerName <your host name>
    ErrorLog /var/log/httpd-error.log
    CustomLog /var/log/httpd-access.log common
</VirtualHost>
<VirtualHost *>
    ServerAdmin webmaster@<your host name>
    DocumentRoot /usr/local/www/redirect
    ServerName webmail.<your domain name>
    ErrorLog /var/log/httpd-redirect-error.log
    CustomLog /var/log/httpd-redirect-access.log common
</VirtualHost>
Now we have to make the redirect actually happen, so cd to /usr/local/www and make a directory called redirect. Inside that create a file called index.html and put in:
<HTML>
<HEAD>
<TITLE>Redirect to secure-webmail</TITLE>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://webmail.<your domain name>/">
</HEAD>
<BODY>
<p>
<font size="5">You are being redirected to
<a href="https://webmail.<your domain name>">https://webmail.<your domain name></a></font>
<p>
</BODY>
</HTML>
The META Refresh line is what performs the redirect; the link is a fallback for browsers that don’t follow it. Because the http virtual host’s DocumentRoot is this one-page directory, there is nothing under http://webmail.<your domain name>/ that could ever accept a password.
And create the encrypted virtual host. At the bottom of /usr/local/etc/apache/httpd.conf you’ll find
##
## SSL Virtual Host Context
##
Change the DocumentRoot, ServerName and ServerAdmin values; you can also set up separate log files:
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog /var/log/httpd-horde-error.log
TransferLog /var/log/httpd-horde-access.log
Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above. So watch the <>’s. The ServerName here must match the Common Name you put in the web certificate, or every browser will warn about a name mismatch.
Cd to /usr/local/www/horde/scripts/db and copy mysql_create.sql to mysql_create.sql.ORIG. Edit mysql_create.sql and change the password from “horde” to <something else> where it says:
-- IMPORTANT: Change this password!
password('horde')
Create the horde database with “mysql -u root -p < mysql_create.sql”, entering the MySQL root password when prompted.
Verify that you can connect to the horde database with “mysql -u horde -p”, entering the horde password (<something else>) when prompted.
Chmod mysql_create.sql to 550 and chown it to root:wheel, or edit it and wipe out the password. It sits under the web root (/usr/local/www/horde), so a www-readable copy with the password in it is one misconfiguration away from being served.
Cd to /usr/local/www/horde/config and copy horde.php to horde.php.ORIG. Edit horde.php and change:
$conf['use_ssl'] = 1;
$conf['auth']['params']['dsn'] = '{localhost:143/imap}INBOX';
$conf['log']['priority'] = LOG_INFO;
$conf['prefs']['params']['username'] = 'horde';
$conf['prefs']['params']['password'] = '<something else>';
Make sure horde.php is owned by www:www and is not world readable (e.g. chmod 440); it holds the database password and lives under the DocumentRoot.
Copy registry.php to registry.php.ORIG and edit registry.php. Find the horde section under the Application registry section (first block) and change (right under 'icon' => '/horde/graphics/home.gif',):
'name' => _("Webmail on <your host name>"),
Add user www to the trusted mail users: edit /etc/mail/trusted-users and put in “www”. This lets the web server set the envelope sender on mail sent from IMP without sendmail adding an X-Authentication-Warning header.
Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove the three server configurations under the imap configuration (pop, cyrus and exchange). Change the imap configuration as follows (you may find that all is correct already):
$servers['imap'] = array(
    'name' => 'IMAP Server',
    'server' => 'localhost',
    'protocol' => 'imap/notls',
    'port' => 143,
    'folders' => 'Mail/',
    'namespace' => '',
    'maildomain' => '<Your mail domain or FQHN>',
    'smtphost' => 'localhost',
    'realm' => '',
    'preferred' => ''
);
Removing the other entries matters: every server left in this file is offered on IMP’s login form and would let a user point webmail at a different host, so leave only the local one.
Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “local.sql” section with 'title' => 'My Addressbook'. Change
'username' => 'horde',
'password' => '<something else>',
Chmod sources.php to 550 and chown it to www:www.
Create the turba database. Cd to /usr/local/www/horde/turba/scripts/drivers and run “mysql -u root -p < turba.sql”, entering the root password for MySQL when prompted.
Cross your fingers and reboot with a “shutdown -r now”. After your system comes back up you should be able to log on to webmail at https://webmail.<your_domain_name>.
Remove the horde@% user from MySQL. It is not needed (Horde connects only from localhost), so go to http://<your host name>/<phpMyAdmin folder>, click on Privileges and delete the horde@% user. I notice this user is not included on my latest install; if that’s the case just ignore this step.
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You’ll need to reboot for this to take effect. Securelevel 3 means, among other things, that kernel modules can’t be loaded, /dev/mem and /dev/kmem can’t be written, the schg and sappnd file flags can’t be removed and the ipfw/ipfilter rules can’t be changed without dropping to single-user mode first; plan kernel and firewall changes accordingly, and set chflags schg on the kernel and critical binaries if you want the securelevel to protect them. The -ss makes syslogd neither listen on the network nor send to other hosts, which is what you want on a box that keeps its own logs.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild the database with “cap_mkdb /etc/login.conf”. These are checked by passwd(1) when a user changes a password: minpasswordlen is enforced, while mixpasswordcase only makes passwd warn about an all-lowercase password. Neither touches existing passwords, so accounts copied over from the old box keep whatever they had.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log