Document last modified 03/03/2004, 11:30am - see bottom for details

 

For latest version of this page please see: http://bio.fsu.edu/~sysalex/freebsd-mail-server_v7.htm

 

Installing a FreeBSD 4.9 mail server with MailScanner 4.x, SpamAssassin, SSL/TLS POP, Pine, and webmail (IMP) via IMAP (not SSL IMAP, so IMAP is accepted from localhost only).


Note 1: You will need to request a webmail.<your_domain_name> alias for your mail server's IP address from whoever handles your IP registration.

 

Note 2: I use the terms “folder” and “directory” interchangeably.  They mean the same thing.

 

Note 3: I'll be adding special notes for those rebuilding a current FreeBSD box.  These notes are the paragraphs beginning “(FreeBSD Server Rebuild?:”.  I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server.  Change the hostname on either the old box or the new box during the build process.  I give the new box a temporary hostname until I'm done, then change it to the true server name after I've tested it and made sure that everything is working.  Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies.  This way I always have a backup mail server ready to go with the exact same versions of all software.  The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache/httpd.conf, /usr/local/www/phpmyadmin/config.inc.php and /var/MailScanner/etc/MailScanner.conf.  I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I'm rebuilding.

 

Install FreeBSD v4.9.  I usually do an “Average user, binaries and docs only” install, no X Windows.  If you haven't installed FreeBSD before, instructions are at:

   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.  I usually just download the floppies (kern.flp and mfsroot.flp), boot from kern.flp and go from there.  Be sure to use fdimage to create your floppies.

 

Don't install ports when asked.  I find it best to download the latest.

 

Add Bash v2.x, GCC 2.95 and nologin when asked if you want to install additional software (packages).

 

If you didn't include sources in your initial install, use /stand/sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).

 

Recompile the kernel to get rid of all the stuff it contains that you don't need.  This cuts my kernel size to less than half its previous size.  Directions for recompiling the kernel are at

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

and here's a link to my “KERNCONF” file.  Note that yours will almost certainly be different.  You'll definitely want to look at the CPU type and Ethernet card; mine is set for Pentium >= II and Intel EtherExpress Pro.  Other than that it's a standard PC with one floppy drive, hard drives on both channels and no CD.

Basic procedure is

                - cd to /usr/src/sys/i386/conf
                - cp GENERIC to <your host name in caps>
                - edit <your host name in caps> to reflect your hardware
                - cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
                - cp /kernel /kernel.ORIG
                - run “make installkernel KERNCONF=<your host name in caps>”
                - reboot to use the new kernel (run “shutdown -r now”)

 

Download latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.

 

Make a directory for installing stuff.  I use /usr/install thus “mkdir  /usr/install”

 

Cd to /etc, copy rc.conf to rc.conf.ORIG and edit rc.conf.  Add (no spaces around the equals sign; rc.conf is read by sh)

  inetd_enable="YES"

 

Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make it much more secure.  I only allow ssh from inside FSU and certain outside IPs.  I allow POP from anywhere.  I allow anything from localhost (this includes IMAP).  I allow finger from inside biology.  I deny all else.  So mine looks like:

 

# hosts.allow access control file for "tcp wrapped" applications.

# $FreeBSD: src/etc/hosts.allow,v 1.8.2.3 2000/07/20 15:17:44 ume Exp $

#

# NOTE: The hosts.deny file is deprecated.

#       Place both 'allow' and 'deny' rules in the hosts.allow file.

#       See hosts_options(5) for the format of this file.

#       hosts_access(5) no longer fully applies.

 

 

# Prevent those with no reverse DNS from connecting.

ALL : PARANOID : RFC931 20 : deny

# Prevent unregistered IPs from connecting.

#ALL : UNKNOWN : RFC931 20 : deny

 

# Allow anything from localhost.  Note that an IP address (not a host

# name) *MUST* be specified for portmap(8).

# This also allows imap from localhost for IMP

ALL : localhost 127.0.0.1 : allow

 

# Allow qpopper and sendmail from anywhere

popper : ALL : allow

qpopper : ALL : allow

sendmail : ALL : allow

 

# Allow finger from inside biology

fingerd : .bio.fsu.edu : allow

fingerd : ALL : deny

 

# Allow ssh from .fsu.edu

sshd : .fsu.edu : allow

 

# Allow SSH from select IP's

sshd : 128.128.171.231 128.128.171.191 .micske01.fl.comcast.net .mkethn01.fl.comcast.net .tharpe01.fl.comcast.net .aby.bellsouth.net .bbridg01.fl.comcast.net tschinkel.electronet.net : allow

 

# Deny all else

ALL : ALL : deny
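To see which of those rules actually answers for a given connection, here is an added example (it is not part of the original page and it is not tcp_wrappers itself) that models the first-match evaluation of hosts_access(5)/hosts_options(5) over a constructed policy in the same shape as the file above. The outside IP addresses and the home-ISP host patterns are replaced by documentation values, and EXCEPT lists are not modelled.

```python
"""Added example: first-match evaluation of a hosts.allow policy.

Models the parts of hosts_access(5) and hosts_options(5) that the rules
above rely on: daemon list, client list and a trailing allow/deny, with
the first matching line deciding. EXCEPT lists are not modelled.
"""

# Constructed policy in the shape of the file above (documentation IPs).
HOSTS_ALLOW = """\
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost (this is what lets IMP reach imapd).
ALL : localhost 127.0.0.1 : allow
# Allow qpopper and sendmail from anywhere
popper : ALL : allow
qpopper : ALL : allow
sendmail : ALL : allow
# Allow finger from inside biology only
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
# Allow ssh from .fsu.edu and a short list of outside addresses
sshd : .fsu.edu : allow
sshd : 192.0.2.10 192.0.2.11 .example.net : allow
# Deny all else
ALL : ALL : deny
"""


def parse_rules(text):
    """Return a list of (daemons, clients, verdict, source_line) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons, clients = fields[0].split(), fields[1].split()
        # hosts_options(5): an explicit allow/deny is the last field; a
        # matching line in hosts.allow without one grants access.
        verdict = fields[-1].lower() if len(fields) > 2 else "allow"
        if verdict not in ("allow", "deny"):
            verdict = "allow"
        rules.append((daemons, clients, verdict, line))
    return rules


def client_matches(pattern, client):
    """client is a dict: ip, name (None when reverse DNS failed) and
    paranoid (True when forward and reverse DNS disagree)."""
    ip, name = client["ip"], client.get("name")
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.get("paranoid", False)
    if pattern == "KNOWN":
        return name is not None
    if pattern == "UNKNOWN":
        return name is None
    if pattern == "LOCAL":
        return name is not None and "." not in name
    if pattern.startswith("."):          # ".domain" matches by hostname suffix
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # "128.186." matches by address prefix
        return ip.startswith(pattern)
    return pattern == ip or (name is not None and pattern.lower() == name.lower())


def evaluate(rules, daemon, client):
    """First matching rule wins. Returns (verdict, rule_text). tcp_wrappers
    grants access when nothing matches, hence the final 'ALL : ALL : deny'."""
    for daemons, clients, verdict, line in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, client) for p in clients):
                return verdict, line
    return "allow", None


def shadowed_rules(rules):
    """Rules placed after an 'ALL : ALL' line can never be reached."""
    for i, (daemons, clients, _verdict, _line) in enumerate(rules):
        if "ALL" in daemons and "ALL" in clients:
            return [r[3] for r in rules[i + 1:]]
    return []


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    outside = {"ip": "198.51.100.7", "name": "host.example.org"}
    for daemon in ("popper", "sshd", "fingerd", "imapd"):
        print(daemon, "from outside ->", evaluate(rules, daemon, outside))
```

Two things the model makes visible: the `fingerd : ALL : deny` line answers for finger before the `sshd : .fsu.edu` line is ever reached, so per-daemon order matters, and a client whose forward and reverse DNS disagree is refused POP even though `popper : ALL : allow` would otherwise admit it. `shadowed_rules` flags anything accidentally appended below the catch-all deny.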


(FreeBSD Server Rebuild?: just scp hosts.allow from old box instead and change the local hostname if necessary).

 

 

Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts.  Change the “my.domain” in localhost.my.domain (2 places) to your domain name (e.g. “localhost.bio.fsu.edu”).

 

(FreeBSD Server Rebuild?: If I'm rebuilding a system this is where I copy over the user accounts and data.  I usually just copy and paste the entries from both passwd and master.passwd to the same files on the new system using an ssh shell on a Windows box, vi, and copy and paste.  Then run vipw, make a meaningless change and quit, which rebuilds the database.)

 

Install newer Perl

 

The version of Perl that comes with FreeBSD 4.7 and earlier (and maybe later) doesn't support all we want to do, so we have to change to version 5.6.

 

Cd to /usr/ports/lang/perl5 and install with a “make install”.  After the install type “perl -v”; you'll notice it's still the old version.  Fix this with “/usr/local/bin/use.perl port”.  Now “perl -v” should report the new version.

 

 

Install cclient

 

Cd to /usr/ports/mail/cclient and run “make WITH_SSL_AND_PLAINTEXT=true install”

 

 

Install imap-uw

 

Cd to /usr/ports/mail/imap-uw and run “make WITH_SSL_AND_PLAINTEXT=true install”

 

 

Install Pine (my users insist, leave this off if you can)

 

Cd to /usr/ports/mail/pine4 and run “make install”.

 

 

Install apache-modssl

 

Cd to /usr/ports/www/apache13-modssl and run “make install”. 

 

If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf.  I usually run a diff between the new file and old file to spot any differences.

 

Generate a certificate for your web server by running the following commands (also available as a script here; usage: “mkwebcerts <your host name>”):

  openssl genrsa -out <your host name>.key 1024

  openssl req -new -key <your host name>.key -out <your host name>.csr

  openssl x509 -req -days 3650 -in <your host name>.csr -signkey <your host name>.key -out <your host name>.crt

 

When asked for “Common Name” enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>).  For the other questions the common-sense answer is correct.  When asked for a password or passphrase just hit enter (each time).

 

Move the resulting .crt and .key files  to /usr/local/etc/apache.  Chown them to www:www and chmod them to 550. 

 

(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box).

 

Edit httpd.conf and change

    ServerName <your host name>

    ServerAdmin <your email address>

    SSLCertificateFile /usr/local/etc/apache/<your host name>.crt

    SSLCertificateKeyFile /usr/local/etc/apache/<your host name>.key

 

and add

    <Directory "/usr/local/www/horde">

        SSLRequire  %{SSL_CIPHER_USEKEYSIZE} >= 128

        SSLRequireSSL

    </Directory>

directly underneath the

    <Directory "/usr/local/www/cgi-bin">

        SSLOptions +StdEnvVars

    </Directory>

block of code.

 

 

Here are a couple of hints for those of you new to Apache.

 

The default install of apache does not have cgi-scripts enabled.  To enable cgi scripts:

 

Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.

    <Directory "/usr/local/www/cgi-bin">

            AllowOverride None

            Options ExecCGI

            Order allow,deny

            Allow from all

     </Directory>

 

and uncomment

    AddHandler cgi-script .cgi

 

(FreeBSD Server Rebuild?: don't just copy over the httpd.conf file from your old box.  Copy it over with a different name, then run diff between your old one and your new one and add the things needed from the old one to the new one.  Ignore the PHP stuff for now.)

 

 

Install MySQL (server and client)

 

Cd to /usr/ports/databases/mysql323-server and run “make install”.  This will install both server and client.

 

 

Copy over users and data from previous system (if applicable)

 

Make sure you’ve copied over your users (password files) and rebuilt the user database (vipw).  Then tar up any data (/usr/local/www, /home, etc) on the old box and move it to the new box and untar.  The root www directory on the box we are building will be /usr/local/www/data.

 

 

Install php4

 

Cd to /usr/ports/lang/php4 and run “make install”.  On the options screen, leave the defaults that are already checked and add:

DOMXML, FTP, GETTEXT, IMAP, MCAL, MCRYPT, OpenLDAP, OpenSSL, PSPELL and XML.

 

After install cd to /usr/local/etc and copy php.ini-dist to php.ini and php.ini.ORIG.  Edit php.ini and change

 

upload_max_filesize = 30M                ; max upload file size in webmail

 

Download the latest version of the Log package (PEAR's logging facility for PHP) from http://pear.php.net/packages.php.  I got version 1.8.0.  Move the file to a temporary directory and gunzip and untar it.  Then cd into the resulting folder and move its contents (Log and Log.php) to /usr/local/lib/php.

 

Check to make sure that the PHP install added the PHP application code to your /usr/local/etc/apache/httpd.conf file.  The chunk of code it was supposed to add is:

 

    <IfModule mod_php3.c>
        AddType application/x-httpd-php3 .php3
        AddType application/x-httpd-php3-source .php3s
    </IfModule>
    <IfModule mod_php4.c>
        AddType application/x-httpd-php .php
        AddType application/x-httpd-php-source .phps
    </IfModule>

 

and it goes right under the

    <IfModule mod_negotiation.c>

        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw

    </IfModule>

 

block of code.  If it didn't put it in, go ahead and paste it in.  Also you'll want to add index.php to the list of index pages under the DirectoryIndex section if it didn't get added.  I use both php and shtml so mine looks like:

 

<IfModule mod_dir.c>

    <IfModule mod_php3.c>

        <IfModule mod_php4.c>

            DirectoryIndex index.php index.php3 index.shtml index.html index.htm

        </IfModule>

        <IfModule !mod_php4.c>

            DirectoryIndex index.php3 index.shtml index.html index.htm

        </IfModule>

    </IfModule>

    <IfModule !mod_php3.c>

        <IfModule mod_php4.c>

            DirectoryIndex index.php index.shtml index.html index.htm

        </IfModule>

        <IfModule !mod_php4.c>

            DirectoryIndex index.shtml index.html index.htm

        </IfModule>

    </IfModule>

</IfModule>

 

 

Install phpMyAdmin

 

Download the latest version from http://www.phpmyadmin.net.  There is no install as such for this; just unzip and untar the contents to /usr/local/www/data/<folder name>.  Most people use phpMyAdmin as the folder name, so I used something else.  Chown the folder to www:www with “chown -R www:www <folder name>”.  Go into this folder and copy config.inc.php to config.inc.php.ORIG.  Edit config.inc.php and change

 

  $cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';

 

 

OK, reboot with a “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>.  The phpMyAdmin page should load.  Click on Privileges and delete all the users except root on localhost (two “any” users and a root at the machine name).  Edit the root at localhost user and set a password.  Reload the MySQL server.  At this point it should kick you out.  Edit config.inc.php and put in your new password.

 

$cfg['Servers'][$i]['password']      = '<your password>';          // MySQL password

 

You should now be able to reload the phpMyAdmin page.  Chown config.inc.php to www:www and chmod it to 550.

 

Now we must protect the phpMyAdmin folder.  I did this by editing /usr/local/etc/apache/httpd.conf and adding an entry for the directory that reads (for example purposes I'm using phpMyAdmin as the folder name and have replaced the IPs with X's and Y's):

 

<Directory /usr/local/www/data/phpMyAdmin>

    Order Deny,Allow

    Deny from all

    Allow from XXX.XXX.XXX.XXX  YYY.YYY.YYY.YYY

</Directory>

 

Check your config file with “apachectl configtest” and if OK restart Apache with “apachectl restart”.  You should now be able to load the phpMyAdmin page from only the IPs you entered.  Any other IP should get “Forbidden . . .”.
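Whether that block does what you expect depends entirely on the Order line, which is the part people most often get backwards. The following is an added example (not from this page and not Apache's own code) that models mod_access's decision in Apache 1.3 on a constructed copy of the block with documentation addresses, and shows that reversing Order to Allow,Deny locks out even the two listed hosts. Only `all`, IP addresses, partial IP addresses and CIDR networks are modelled; host-name patterns are not.

```python
"""Added example: how Apache 1.3 evaluates Order / Allow from / Deny from.

With 'Order Deny,Allow' the Deny directives are evaluated first, an Allow
match overrides them, and the default is allow. With 'Order Allow,Deny'
the Allow directives are evaluated first, a Deny match overrides them,
and the default is deny. Same three directives, opposite results.
"""

# Constructed copy of the block above, with documentation addresses.
PHPMYADMIN_BLOCK = """\
<Directory /usr/local/www/data/phpMyAdmin>
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.10 198.51.100.20
</Directory>
"""

# Same directives with the Order reversed: a common mistake.
MISTAKE_BLOCK = PHPMYADMIN_BLOCK.replace("Order Deny,Allow", "Order Allow,Deny")


def _ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def host_matches(pattern, client_ip):
    """'all', a full address, a partial address ('128.186' means 128.186.*.*)
    or a network in CIDR notation ('10.1.0.0/16')."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        net, bits = pattern.split("/", 1)
        shift = 32 - int(bits)
        return _ip_to_int(client_ip) >> shift == _ip_to_int(net) >> shift
    octets = pattern.split(".")
    # Compare whole octets so '192.0.2.1' does not match 192.0.2.10.
    return client_ip.split(".")[:len(octets)] == octets


def apache_access(order, allow, deny, client_ip):
    """Return 'allow' or 'deny' as mod_access would; allow/deny are the host
    lists collected from 'Allow from' and 'Deny from'."""
    allowed = any(host_matches(p, client_ip) for p in allow)
    denied = any(host_matches(p, client_ip) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return "deny" if denied and not allowed else "allow"
    if order in ("allow,deny", "mutual-failure"):
        return "allow" if allowed and not denied else "deny"
    raise ValueError("unknown Order value: %r" % order)


def parse_directory_block(text):
    """Pull Order / Allow from / Deny from out of a <Directory> block.
    Apache's default Order is Deny,Allow."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1]
        elif key == "allow" and len(words) > 2 and words[1].lower() == "from":
            allow.extend(words[2:])
        elif key == "deny" and len(words) > 2 and words[1].lower() == "from":
            deny.extend(words[2:])
    return order, allow, deny


def directory_decision(block_text, client_ip):
    """Decision for one client against one <Directory> block."""
    order, allow, deny = parse_directory_block(block_text)
    return apache_access(order, allow, deny, client_ip)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "intended:", directory_decision(PHPMYADMIN_BLOCK, ip),
              " reversed Order:", directory_decision(MISTAKE_BLOCK, ip))
```

Run it and the reversed block returns "deny" for 192.0.2.10 as well as for everyone else, which is the symptom you would see in the browser: "Forbidden" even from the administrator's own desk. The partial-address form is matched on whole octets, the same way Apache treats `Allow from 128.186`.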

 

At this point I add a .htaccess userid and password to this folder as well.  See the apache documentation for how to do this, http://httpd.apache.org/docs/howto/auth.html#basicworks.

 

(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to some other name and install latest version).

 

Install Qpopper

 

Download the latest version from ftp://ftp.qualcomm.com/eudora/servers/unix/popper.  I got qpopper4.0.5.tar.gz.  Move this file to /usr/install, gunzip and untar it and cd into the resulting directory.  The install procedure is

    - ./configure --with-openssl

    - make

    - make install

    - make clean

 

But qpopper has a bug in relation to recent versions of OpenSSL, so we have to enable the workarounds for known bugs when qpopper calls OpenSSL functions.  Before running the installation, cd to the popper folder and copy pop_tls_openssl.c to pop_tls_openssl.c.ORIG.  Edit pop_tls_openssl.c; about 35% into the file you'll find:

 

    /*
     * Set desired options
     */
    if ( pPOP->tls_options ) {
        long opts = 0;
        opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
        DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",
                     pPOP->tls_options, opts );
    }

 

Replace that with:

 

/* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */

/* combination work with recent versions of OpenSSL. */

SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);

 

 

You can also download a copy of the patched file from me here.

 

Make sure a diff between your edited version (or the one you downloaded from me) and the original file looks like:

 

beta# diff pop_tls_openssl.c pop_tls_openssl.c.ORIG

349,351c349,357

<     /* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */

<     /* combination work with recent versions of OpenSSL. */

<     SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);

---

>     /*

>      * Set desired options

>      */

>     if ( pPOP->tls_options ) {

>         long opts = 0;

>         opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );

>         DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",

>                      pPOP->tls_options, opts );

>     }

 

Now we configure, make and install with (don't forget to cd back up a directory first):

     ./configure --with-openssl

     make

     make install

     make clean

 

 

OK, now we want to make qpopper use TLS/SSL POP.  So cd to /usr/local/etc and make a directory called qpopper.  Cd to this directory and edit a new file called qpopper.conf; insert

 

    set tls-support = stls

    set tls-server-cert-file = /etc/mail/certs/cert.pem

 

and save the file.  Edit a file called qpopper-altport.conf and insert

   

    set tls-support = alternate-port

    set tls-server-cert-file = /etc/mail/certs/cert.pem

 

and save the file.  In case you're wondering, we're going to make SSL/TLS POP work on both the standard port (110) and the alternate port (995).  This makes setting up email clients (Eudora, etc.) that much more foolproof.  And that's a good thing.

 

Cd to /etc/mail and “mkdir certs”.  Cd to certs and run

   openssl req -new -nodes -out req.pem -keyout cert.pem

   openssl genrsa -des3 -out ca.key 1024

   openssl req -new -x509 -days 365 -key ca.key -out ca.crt

   openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial

   cp cert.pem cert.pem.ORIG

   cat signed-req.pem >> cert.pem

 

This will ask you a bunch of questions, twice, most of which aren't important.  The only critical ones are

   - for passwords or pass phrases enter the same thing each time

   - for common name enter the fully qualified domain name of your machine

 

You can download the entire set of commands as a script here.

 

(FreeBSD Server Rebuild?: just scp cert.pem from your old box to your new box instead.)

 

Cd to /etc and copy inetd.conf to inetd.conf.ORIG.  Edit inetd.conf and change the following (add the pop3s line under your current pop3 line):

 

    pop3    stream  tcp     nowait  root    /usr/local/sbin/popper  qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf

    pop3s   stream  tcp     nowait  root    /usr/local/sbin/popper  qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf

    imap4   stream  tcp     nowait  root    /usr/local/libexec/imapd        imapd

 

HUP your inetd and you should now be able to POP your email.  Remember to add the certificate to your trusted certificates in Eudora.  For details see the bottom part of the page at: http://www.bio.fsu.edu/complabs/eudora.htm.

 

Note: The “-p 4” in the pop3 inetd lines enforces the use of SSL/TLS POP.  If you want to allow but not force SSL/TLS POP, remove the “-p 4” from the line(s).

 

 

Install uvscan

 

Get vbsd416l.tar.z from Bob Smith at SL.  Go to your /usr/install directory and do a “mkdir vbsd416l” and then “cd vbsd416l”.  (vbsd416l.tar.z doesn't create its own directory when you untar it.)  Move the installer to the current directory.  Gunzip the installer and then untar it.  Then run ./install-uvscan and accept all defaults.

 

Here's where you run into problems with libc.so.3 (which doesn't exist), so cd to /usr/lib and then “ln -s libc.so.4 libc.so.3”.

 

Install latest dat files by untarring them to a temp directory and from that directory run

“cp  *.dat  /usr/local/uvscan”

 

Run “/usr/local/uvscan/uvscan  --version” to check the results.

 

 

Do a little work on sendmail

 

Cd to /etc/mail.  Copy sendmail.cf to sendmail.cf.ORIG.  Edit sendmail.cf.  Near the top you'll find “# my official domain name” and under that a line that has just “CP.”.  Right under that add:

 

# UUCP relay host

DYmailer.fsu.edu

CPUUCP

 

#  BITNET relay host

DBmailer.fsu.edu

CPBITNET

 

 

Also change:

# load average at which we just queue messages

O QueueLA=24

 

# load average at which we refuse connections

O RefuseLA=36

 

Save sendmail.cf. 

 

Edit a new file called access.   Mine looks like this.

 

fsu.edu RELAY

128.186 RELAY

146.201 RELAY

144.174 RELAY

192.5.82 RELAY

192.12.121 RELAY

192.12.122 RELAY

192.80.53 RELAY

192.190.34 RELAY

192.135.64 RELAY

192.135.65 RELAY

127.0.0.1 RELAY

205.145.233.1 RELAY

uunet.uu.net RELAY

uga.cc.uga.edu RELAY

155.206.125 RELAY

199.44.121 RELAY

204.145.215 RELAY

 

I got this from Tom Kitterman quite a while back, so hopefully it's still right.  Make the database with “makemap hash access < access”.  This creates a file called access.db.
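For those wondering how sendmail turns that file into a relay decision, here is an added example (it is not sendmail's code and not from the original page) that models the access.db lookup order for a connecting client over a constructed access file containing a few of the entries above plus one REJECT entry: an address is tried in full and then with its trailing octets removed one at a time, and a host name is tried in full and then with its leading labels removed. This is why a two-octet entry like `128.186` covers all of 128.186.0.0/16 and why `fsu.edu` covers every host under fsu.edu but not `fsu.edu.example.org`.

```python
"""Added example: how sendmail's access map decides who may relay.

Models the key lookup sendmail performs against access.db for the
connecting client. Each lookup tries the most specific key first; the
first key present in the map wins. A client that matches nothing falls
through to sendmail's default, which does not relay.
"""

# Constructed access file in the shape of the one above.
ACCESS = """\
fsu.edu RELAY
128.186 RELAY
146.201 RELAY
127.0.0.1 RELAY
205.145.233.1 RELAY
spammer.example.com REJECT
"""


def parse_access(text):
    """Return {key: action}; sendmail treats keys case-insensitively."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def lookup_keys(client):
    """Keys in the order sendmail tries them for an address or a host name."""
    parts = client.lower().split(".")
    if all(p.isdigit() for p in parts):
        # address: drop the last octet each round (a.b.c.d, a.b.c, a.b, a)
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    # host name: drop the first label each round (h.sub.dom, sub.dom, dom)
    return [".".join(parts[n:]) for n in range(len(parts))]


def access_action(table, client):
    """The action of the most specific matching key, or None."""
    for key in lookup_keys(client):
        if key in table:
            return table[key]
    return None


def may_relay(table, client_ip, client_name=None):
    """Relaying is granted if the address or the verified host name of the
    connecting client maps to RELAY."""
    if access_action(table, client_ip) == "RELAY":
        return True
    return client_name is not None and access_action(table, client_name) == "RELAY"


if __name__ == "__main__":
    table = parse_access(ACCESS)
    for ip, name in (("128.186.10.5", None),
                     ("203.0.113.9", "mail.fsu.edu"),
                     ("203.0.113.9", "fsu.edu.example.org")):
        print(ip, name, "->", "RELAY" if may_relay(table, ip, name) else "no relay")
```

The model only covers the connecting-client lookup; real sendmail also consults the map for envelope sender and recipient and honours the Connect:/From:/To: tags of newer versions, none of which the file above uses.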

 

If you receive mail for more than just your domain edit a new file called local-host-names and insert the domain names.  Mine looks like this.

 

southernmatters.com

lakejacksonturtles.org

 

Add aliases to /etc/mail/aliases and rebuild alias database with “newaliases”.

 

(FreeBSD Server Rebuild?: scp local-host-names from your old box to your new box.  Paste any old aliases you had in /etc/mail/aliases into your new aliases file, copy over any alias files you had).

 

 

Install MailScanner

 

First we must install a bunch of mailscanner dependencies so:

 

Install /usr/ports/devel/p5-IO-stringy with a “make install”

Install /usr/ports/converters/p5-MIME-Base64 with a “make install”

Install /usr/ports/mail/p5-Mail-Tools with a “make install”

 

Install /usr/ports/devel/p5-File-Spec

    Cd /usr/ports/devel/p5-File-Spec

    Make a backup copy of Makefile

    Edit Makefile and change perl level max to 500610 (was 500600).

       .if ${PERL_LEVEL} > 500610

           IGNORE=         This port is for perl 5.6.1 and under only.

       .endif

    run “make install”

 

Install /usr/ports/www/p5-HTML-Tagset with a “make install”

Install /usr/ports/www/p5-HTML-Parser with a “make install”

Install /usr/ports/mail/p5-MIME-Tools with a “make install”

Install /usr/ports/devel/p5-File-Temp with a “make install”

Install /usr/ports/converters/p5-Convert-TNEF with a “make install”

Install /usr/ports/converters/tnef with a “make install”

Install /usr/ports/net/p5-Net-CIDR with a “make install”

 

 

At this point a “pkg_info” should look something like:

 

apache+mod_ssl-1.3.27+2.8.12 The Apache 1.3 webserver with SSL/TLS functionality

aspell-0.50.3_1     Spelling checker with better suggestion logic than ispell

autoconf213-2.13.000227_5 Automatically configure source code on many Un*x platforms

bash-2.05b.004      The GNU Bourne Again Shell

cclient-2002,1      Mark Crispin's C-client mail access routines

db3-3.3.11,1        The Berkeley DB package, revision 3

expat-1.95.6_1      XML 1.0 parser written in C

gcc-2.95.3          GNU Compiler Collection

gettext-0.11.5_1    GNU gettext package

gmake-3.80          GNU version of 'make' utility

imap-uw-2002_1,1    University of Washington IMAP4rev1/POP2/POP3 mail servers

libiconv-1.8_2      A character set conversion library

libmcal-0.7         Modular Calendar Access Library

libmcrypt-2.5.6_1   Multi-cipher cryptographic library (used in PHP3)

libtool-1.3.4_4     Generic shared library support script

libxml2-2.5.4       Xml parser library for GNOME

m4-1.4_1            GNU m4

mm-1.2.1            Shared memory allocation library for pre-forked process mod

mod_php4-4.3.1      PHP4 module for Apache

mysql-client-3.23.55 Multithreaded SQL database (client)

mysql-server-3.23.55 Multithreaded SQL database (server)

nologin-1.0_1       Refuse a login to a user, and make a note of it in syslog

openldap20-2.0.25_3 Open source LDAP client and server software

p5-Authen-SASL-2.02 Perl5 module for SASL authentication

p5-Convert-TNEF-0.17 Perl module to read TNEF files

p5-DBI-1.34_1       The perl5 Database Interface.  Required for DBD::* modules

p5-Data-ShowTable-3.3 Perl5 module to pretty-print arrays of data

p5-File-Spec-0.82   A Perl module for portably manipulating file specifications

p5-File-Temp-0.12_1 Perl5 module to generate temporary files or directories saf

p5-HTML-Parser-3.27 Perl5 module for parse HTML tag

p5-HTML-Tagset-3.03 Some useful data table in parsing HTML

p5-IO-stringy-2.108 Perl5 module for using IO handles with non-file objects

p5-MIME-Base64-2.16 Perl5 module for Base64 and Quoted-Printable encodings

p5-MIME-Tools-5.411a_2 A set of perl5 modules for MIME

p5-Mail-Tools-1.58  Perl5 modules for dealing with Internet e-mail messages

p5-Mysql-modules-1.2216 Perl5 modules for accessing MySQL databases

p5-Net-1.12,1       Perl5 modules to access and use network protocols

p5-Net-Daemon-0.36  Perl5 extension for portable daemons

p5-PlRPC-0.2016     Perl module for writing RPC servers and clients

p5-Storable-2.06    Persistency for perl data structures

p5-Test-Harness-2.26 Run perl standard test scripts with statistics

p5-Test-Simple-0.47_1 Basic utilities for writing tests in perl

perl-5.6.1_11       Practical Extraction and Report Language

pkgconfig-0.15.0    An utility used to retrieve information about installed lib

python-2.2.2_2      An interpreted object-oriented programming language

tnef-1.1            Unpack data encapsulated into Microsoft Outlook's applicati

 

Whew.  Go get a cup of your favorite beverage or whatever.  You deserve it.

 

Download latest 4.X version of mailscanner from http://www.sng.ecs.soton.ac.uk/mailscanner and move it to /usr/install and then untar it.   Download the full version, not the FreeBSD package.  I tried the package install and couldn’t get it to work.

 

It seems that MailScanner was developed for Solaris and expects to live in /opt/mailscanner.  Editing everything to /var/mailscanner still didn't work for me, and since FreeBSD doesn't have an /opt the easy solution is to soft link /var to /opt with “ln -s /var /opt”.

 

Move MailScanner-<your version> to /opt with “mv MailScanner-<your version> /opt”.

Link MailScanner-<your version> to MailScanner with “ln -s /var/MailScanner-<your version> /var/MailScanner”.

 

Cd to /var/MailScanner/lib/MailScanner and make a backup copy of SystemsDefs.pm.  Edit SystemsDefs.pm and change:

 

    $global::sed = '/usr/bin/sed';

 

Cd to /var/MailScanner/bin.  Make a backup copy of check_mailscanner, edit check_mailscanner and change the process-lookup section so that it reads:

        # -- Nick Phillips <nwp@lemon-computing.com>

        pid=`$PS -axww |
              $GREP '[ ]'$msbindir/$process |
              $AWK '{print $1}'`

        if [ "x$pid" = "x" ]; then

 

Basically you've just pulled out all the if-thens for all operating systems except FreeBSD, and since it's the only one left, all you need is the code that was inside its if-then.

 

Delete the softlink from tnef.SOLARIS to tnef with “rm tnef”.  Link tnef to the tnef port you installed earlier with “ln -s /usr/local/bin/tnef tnef”.

 

Cd to /var/MailScanner/etc and make a backup copy of MailScanner.conf.  Edit MailScanner.conf and change:

 

      Sendmail = /usr/sbin/sendmail

      Sendmail2 = /usr/sbin/sendmail

      Expand TNEF = no

      Virus Scanners = mcafee

      Silent Viruses = W32/Klez.h@MM W32/Klez.gen@MM W32/Braid.a@MM W95/Spaces.gen

      Still Deliver Silent Viruses = no     

      Allow IFrame Tags = yes

      Hostname = <your FQDN>

      Virus Subject Text = {Virus}

      Filename Subject Text = {Virus}

      Warning Is Attachment = no

      Spam List = ORDB-RBL spamcop.net Infinite-Monkeys

      Use SpamAssassin = yes

      Max SpamAssassin Size = 180000

      Required SpamAssassin Score = 8

      Always Include SpamAssassin Report = yes

      High Scoring Spam Actions = delete

 

 

Create the MailScanner spool directories with

      mkdir -p /var/spool/MailScanner/incoming

      mkdir  /var/spool/MailScanner/quarantine

      mkdir /var/spool/mqueue.in

      chgrp daemon /var/spool/MailScanner/*  

      chgrp daemon  /var/spool/mqueue.in

 

 

Make a backup copy of /etc/rc.conf, edit /etc/rc.conf and add the following text to the end of the file

 

   # MailScanner starts here

   mta_start_script="/opt/MailScanner/bin/rc.MailScanner"

   MailScanner_incoming_queue="/var/spool/mqueue.in"

   MailScanner_queue_time="15m"

   MailScanner_check="/opt/MailScanner/bin/check_mailscanner"

   MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"

   # MailScanner ends here

 

 

Download and install /opt/MailScanner/bin/rc.MailScanner with

 

   cd /opt/MailScanner/bin

   fetch http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner

   chmod 755 rc.MailScanner

 

 

MailScanner should now be started when the system boots, but don’t reboot or try to start it yet.  The following is FYI only at this point.

      To start and stop MailScanner manually, use

           /opt/MailScanner/bin/rc.MailScanner start

      and

          /opt/MailScanner/bin/rc.MailScanner stop

 

 

Install SpamAssassin

 

   We’re due for a break here and the easy install of SpamAssassin is it.  

Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install it with a “make install”.

 

 

Ok now you can reboot.  At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.

 

 

Install IMP (webmail)

 

  Cd to /usr/ports/mail/imp3 and install with a “make WITHOUT_SSL=true install”.  This will take quite a while as there are lots of dependencies.  Don't fret about the WITHOUT_SSL; it means the connection from IMP to imapd won't be encrypted, which, since it's on the same machine, is OK.  The encryption will be handled by apache-modssl, which handles the connection from the machine to the end user.

 

  Make sure the install added

        # Horde's include directory

        Include /usr/local/etc/horde

  to the bottom of /usr/local/etc/apache/httpd.conf.  If not, add it.

 

 

Configure httpd.conf for IMP and setup a redirect

 

   Cd to /usr/local/etc/apache and copy httpd.conf to httpd.conf.BAK.  Look for the virtual host section (near the bottom).  Add a virtual host for redirecting to your encrypted web server.  The only way I can get virtual hosts to work is to make all the sites on the server virtual hosts, so:

 

NameVirtualHost *

#

<VirtualHost *>

    ServerAdmin webmaster@<your host name>

    DocumentRoot /usr/local/www/data

    ServerName <your host name>

    ErrorLog /var/log/httpd-error.log

    CustomLog /var/log/httpd-access.log common

</VirtualHost>

 

<VirtualHost *>

    ServerAdmin webmaster@<your host name>

    DocumentRoot /usr/local/www/redirect

    ServerName webmail.<your domain name>

    ErrorLog /var/log/httpd-redirect-error.log

    CustomLog /var/log/httpd-redirect-access.log common

</VirtualHost>

 

 

Now we have to make the redirect actually happen so cd to /usr/local/www and make a directory called redirect.  Inside that edit a file called index.html and put in:

<HTML>

<HEAD>

<TITLE>Redirect to secure-webmail</TITLE>

<META HTTP-EQUIV="refresh" content="0;URL=https://webmail.<your domain name>">     

</HEAD>

<BODY>

<p>

<font size="5">You are being redirected to       

<a href="https://webmail.<your domain name>">https://webmail.<your domain name></a></font>              

<p>

</BODY>

</HTML>

 

 

And create the encrypted virtual host.  At the  bottom of /usr/local/etc/apache/httpd.conf you’ll find

 

##

## SSL Virtual Host Context

##

 

Change the DocumentRoot, ServerName and ServerAdmin values; you can also set up separate log files

 

#  General setup for the virtual host

DocumentRoot "/usr/local/www/horde"

ServerName webmail.<your domain name>

ServerAdmin webmaster@<your domain name>

ErrorLog /var/log/httpd-horde-error.log

TransferLog /var/log/httpd-horde-access.log

 

 

Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above.  So watch the <>’s.

 

 

Configure Horde

 

Cd to /usr/local/www/horde/scripts/db and copy mysql_create.sql to mysql_create.sql.ORIG.  Edit mysql_create.sql and change the password from “horde” to <something else> where it says:

 

-- IMPORTANT: Change this password!

        password('horde')

 

Create the horde database with “mysql -u root -p < mysql_create.sql”, entering the MySQL root password when prompted.

Verify that you can connect to the horde database with “mysql -u horde -p”, entering the horde password (<something else>) when prompted.

 

(FreeBSD Server Rebuild?: Instead of importing the mysql_create.sql file, mysqldump the horde and mysql databases on the old box to .sql files with “mysqldump -u root --opt horde > old_horde.sql” and “mysqldump -u root --opt mysql > old_mysql.sql”, scp these files to the new box and import them with “mysql -u root -p horde < old_horde.sql” and “mysql -u root -p mysql < old_mysql.sql”.  Then reload MySQL.  At this point all MySQL usernames and passwords will be as they were on the old box, and all user data stored in the horde database (address books, etc.) will have been copied over.)

 

Cd to /usr/local/www/horde/config and copy horde.php to horde.php.ORIG.  Edit horde.php and change:

    $conf['use_ssl'] = 1;

    $conf['auth']['params']['dsn'] = '{localhost:143/imap}INBOX';

    $conf['log']['priority'] = LOG_INFO;

    $conf['prefs']['params']['username'] = 'horde';

    $conf['prefs']['params']['password'] = '<something else>';

 

Copy registry.php to registry.php.ORIG and edit registry.php.  Find the horde section under the Application registry section (first block) and change (right under 'icon' => '/horde/graphics/home.gif',):

    'name' => _("Webmail on <your host name>"),

   

 

Add user www to trusted mail users. 

  

Edit /etc/mail/trusted-users and put in “www”.

 

 

Configure IMP

 

Cd to /usr/local/www/horde/imp/config.  Copy servers.php to servers.php.ORIG.  Edit servers.php and remove the three server configurations under the imap configuration (pop, cyrus and exchange).  Change the imap configuration as follows (you may find that it is all correct already):

 

  $servers['imap'] = array(

    'name' => 'IMAP Server',

    'server' => 'localhost',

    'protocol' => 'imap/notls',

    'port' => 143,

    'folders' => 'Mail/',

    'namespace' => '',

    'maildomain' => '<Your mail domain or FQHN>',

    'smtphost' => 'localhost',

    'realm' => '',

    'preferred' => ''

);

 

 

 

Configure Turba

 

  Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG.  Edit sources.php and look for the “local.sql” section with 'title' => 'My Addressbook'.  Change

    'username' => 'horde',  

    'password' => '<something else>',

 

  Create the turba database.  Cd to /usr/local/www/horde/turba/scripts/drivers and run

“mysql -u root -p < turba.sql”, entering the root password for MySQL when prompted.

 

(FreeBSD Server Rebuild?: Don’t import turba.sql .  You grabbed your old one when you imported your old_horde.sql database.)

 

Cross your fingers and reboot with a “shutdown -r now”.

 

After your system comes back up you should be able to logon to webmail at https://webmail.<your_domain_name>

 

Remove horde@% user from mysql

 

The horde@% user is not needed, so go to http://<your host name>/<phpMyAdmin folder> and click on Privileges.  Delete the horde@% user.

 

(FreeBSD Server Rebuild?: No need for this step.)

 

 

Additional Security Steps

 

Add

 

kern_securelevel_enable="YES"

kern_securelevel="3"

syslogd_flags="-ss"

 

to /etc/rc.conf.  You'll need to reboot for this to take effect.

 

 

To enforce minimum password requirements add

 

        :minpasswordlen=8:\

        :mixpasswordcase:\

 

to /etc/login.conf under the “default” section and rebuild the database with “cap_mkdb /etc/login.conf”.

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Change log

 

                12-17-2003: Added red notes for those rebuilding a previous FreeBSD system.  Added “Additional Security Steps” section.

 

                3-3-2004: Removed gmake from list of additional software (packages) to install during the initial setup of FreeBSD.  Letting it be installed as a dependency, from the ports collection, works out better.