last modified 08/06/2004, 4:45pm - see bottom for details
For latest version of this page please see: http://bio.fsu.edu/~sysalex/freebsd-mail-server.htm
Installing FreeBSD 4.10 mail server with MailScanner 4.x, SpamAssassin, SSL/TLS POP, Pine, and webmail (IMP) via IMAP (not SSL-IMAP, so IMAP from localhost only).
Note 0: This page simply reflects the procedure I use to build my mail servers. I have 15 years experience with FreeBSD but I’m sure that I’m still doing some things poorly. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu.
Note 1: You will need to request a webmail.<your_domain_name> alias for your mail server’s IP address from whoever handles your IP registration.
Note 2: I use the terms “folder” and “directory”. They mean the same thing. Also, terms placed in <>’s are usually variables, meaning don’t type in the <>’s. The exception to this is the httpd.conf file.
Note 3: I’ll be adding special notes for those rebuilding a current FreeBSD box. These notes will be in red. I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or new box during the build process. I change the hostname on the new box until I’m done, then change it to the true server name after I’ve tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache/httpd.conf, /usr/local/www/phpmyadmin/config.inc.php and /var/MailScanner/etc/MailScanner.conf. (I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I’m rebuilding.)
Install FreeBSD v4.10. I usually do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.
I usually just download the floppies (kern.flp and mfsroot.flp), boot from kern.flp and go from there to install via the network interface. Be sure to use fdimage to create your floppies.
Don’t install ports when asked. I download the latest from the link on the FreeBSD website to make sure I get the latest version. Is this the same as answering “yes” when asked whether to install ports, or do you get the ports collection as it was when version 4.10 of FreeBSD was released? If someone knows the answer please enlighten me.
Add Bash v2.x, GCC 2.95 and no-login when asked if you want to install additional software (packages).
If you didn’t include sources in your initial install, use /stand/sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains that you don’t need. This cuts my kernel size to less than half its previous size. Directions for recompiling the kernel are at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html and here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at CPU type and ethernet card; mine is set for Pentium >= II and Intel EtherExpress Pro. Other than that it’s a standard PC with one floppy drive, hard drives on both channels and no CD. Note: If you remove the inet6 stuff from the kernel you’ll want to comment out the “O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O” line in /etc/mail/sendmail.cf.
Basic procedure for building and installing a new kernel is:
- cd to /usr/src/sys/i386/conf
- cp GENERIC to <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
- cp /kernel /kernel.ORIG
- run “make installkernel KERNCONF=<your host name in caps>”
- reboot to use the new kernel (run “shutdown -r now”)
Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Make a directory for installing stuff. I use /usr/install, thus “mkdir /usr/install”.
Cd to /etc, copy rc.conf to rc.conf.ORIG and edit rc.conf. Add
inetd_enable="YES"
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make it much more secure. I only allow ssh from inside FSU and certain outside IPs. I allow pop from anywhere. I allow anything from localhost (includes imap). I allow finger from inside biology. I deny all else. So mine looks like:
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.3 2000/07/20 15:17:44 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
#
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
#
# Prevent unregistered IP’s from connecting.
#ALL : UNKNOWN : RFC931 20 : deny
#
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imap from localhost for IMP
ALL : localhost 127.0.0.1 : allow
#
# Allow qpopper and sendmail from anywhere
popper : ALL : allow
qpopper : ALL : allow
sendmail : ALL : allow
#
# Allow finger from inside biology
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
#
# Allow ssh from .fsu.edu
sshd : .fsu.edu : allow
#
# Allow SSH from select IP's
sshd : 128.128.171.231 128.128.171.191 .micske01.fl.comcast.net .mkethn01.fl.comcast.net .tharpe01.fl.comcast.net .aby.bellsouth.net .bbridg01.fl.comcast.net tschinkel.electronet.net : allow
#
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from old box instead and change the local hostname if necessary).
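The rules in this file are read top to bottom and the first rule that matches decides, which is why the per-service allows sit above the closing “ALL : ALL : deny”. The following shell function is an added example, not part of the original page, that applies that ordering to a constructed sample of the file; tcpw_decide, tcpw_sample and the 192.0.2.x, 198.51.100.x and 203.0.113.x clients are assumptions, IPv4 only, and PARANOID/UNKNOWN rules are skipped because they need live DNS.

```shell
#!/bin/sh
# Added example: first-match evaluation of a hosts.allow file written in the
# "daemon_list : client_list : option... : allow|deny" style used above.

# tcpw_decide FILE DAEMON CLIENT_HOSTNAME CLIENT_ADDRESS
# Prints "<allow|deny> <line-number>" for the first matching rule, or
# "allow 0" when no rule matches (tcp wrappers grant access by default).
tcpw_decide() {
    awk -v daemon="$2" -v host="$3" -v addr="$4" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function match_one(pat, h, a) {
        if (pat == "ALL") return 1
        # These wildcards depend on DNS lookups; assumption: never match here.
        if (pat == "PARANOID" || pat == "UNKNOWN") return 0
        if (substr(pat, 1, 1) == ".")            # domain suffix such as .fsu.edu
            return (length(h) > length(pat)) && (substr(h, length(h) - length(pat) + 1) == pat)
        if (substr(pat, length(pat)) == ".")     # address prefix such as 192.0.2.
            return (substr(a, 1, length(pat)) == pat)
        return (pat == h || pat == a)
    }
    function match_list(list, h, a,    n, i, items) {
        n = split(trim(list), items, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (match_one(items[i], h, a)) return 1
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        n = split($0, f, ":")
        if (n < 3) next
        verdict = trim(f[n])                     # last option is the decision
        if (verdict != "allow" && verdict != "deny") next
        if (match_list(f[1], daemon, daemon) && match_list(f[2], host, addr)) {
            print verdict, NR
            found = 1
            exit
        }
    }
    END { if (!found) print "allow 0" }
    ' "$1"
}

# Constructed sample modelled on the rules in the text (not the real file).
tcpw_sample() {
    cat <<'EOF'
# constructed sample
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
popper : ALL : allow
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
sshd : .fsu.edu : allow
sshd : 192.0.2.10 .isp.example.net : allow
ALL : ALL : deny
EOF
}

f=$(mktemp)
tcpw_sample > "$f"
tcpw_decide "$f" sshd lab.bio.fsu.edu 192.0.2.20       # allow 7
tcpw_decide "$f" fingerd www.fsu.edu 192.0.2.30        # deny 6
tcpw_decide "$f" imapd mail.example.org 198.51.100.7   # deny 9
rm -f "$f"
```

Moving the final “ALL : ALL : deny” line above any allow rule makes every later rule unreachable, which the line number in the output makes visible.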
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex “localhost.bio.fsu.edu”).
(FreeBSD Server Rebuild?: If I’m rebuilding a system this is where I copy over the user accounts and data. I usually just copy and paste the entries from both the passwd and master.passwd to the same files on the new system using: ssh shell on a windows box, vi and copy and paste. Then run vipw, make a meaningless change and quit, which rebuilds the database.).
The version of perl that comes with FreeBSD 4.7 and earlier (and maybe later) doesn’t support all we want to do. So we have to change to version 5.6.
Cd to /usr/ports/lang/perl5 and install with a “make install”. After install type “perl -v”, you’ll notice it’s still the old version. Fix this with “/usr/local/bin/use.perl port”. Now “perl -v” should report back the new version.
Install cclient
Cd to /usr/ports/mail/cclient and run “make WITH_SSL_AND_PLAINTEXT=true install”
Cd to /usr/ports/mail/imap-uw and run “make WITH_SSL_AND_PLAINTEXT=true install”
Install Pine
(my users insist, leave this off if you can)
Cd to /usr/ports/mail/pine4 and run “make install”.
Cd to /usr/ports/www/apache13-modssl and run “make install”.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf. I usually run a diff between the new file and old file to spot any differences.
Generate a certificate for your webserver by running the following commands (which can be downloaded as script here (usage: “mkwebcerts <your host name>”)):
openssl genrsa -out <your host name>.key 1024
openssl req -new -key <your host name>.key -out <your host name>.csr
openssl x509 -req -days 3650 -in <your host name>.csr -signkey <your host name>.key -out <your host name>.crt
When asked for “Common Name” enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>). For the other questions the common sense answer is correct. When asked for a password or passphrase just hit enter (each time).
Move the resulting .crt and .key files to /usr/local/etc/apache. Chown them to www:www and chmod them to 550.
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box).
Edit httpd.conf and change
ServerName <your host name>
ServerAdmin <your email address>
SSLCertificateFile /usr/local/etc/apache/<your host name>.crt
SSLCertificateKeyFile /usr/local/etc/apache/<your host name>.key
Here are a couple of hints for those of you new to Apache.
The default install of Apache does not have CGI scripts enabled. To enable CGI scripts, change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.
<Directory "/usr/local/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
(FreeBSD Server Rebuild?: don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql323-server and run “make install”. This will install both server and client.
Copy over users and data from previous system (if applicable)
Make sure you’ve copied over your users (password files /etc/passwd and /etc/master.passwd) and rebuilt the user database (vipw). Then tar up any data (/usr/local/www, /home, etc) on the old box and move it to the new box and untar. The root www directory on the box we are building will be /usr/local/www/data.
Cd to /usr/ports/lang/php4 and run “make install”. On the options screen, if you compiled your kernel w/o IP6 support, remove it here as well.
Cd to /usr/ports/lang/php4-extensions and run “make install”. On the options screen, leave the defaults that are already checked and add: DOMXML, FTP, GETTEXT, IMAP, MCAL, MCRYPT, OpenLDAP, OpenSSL, PSPELL and XML. Use the default options on any dependencies.
After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 30M ; max upload file size in webmail
memory_limit = 30M ; Maximum amount of memory a script may consume (8MB)
Cd to /usr/ports/sysutils/pear-Log and run “make install”.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache/httpd.conf file. The chunk of code it was supposed to add is:
<IfModule mod_php3.c>
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .php3s
</IfModule>
<IfModule mod_php4.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
and it goes right under the
<IfModule mod_negotiation.c>
LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
</IfModule>
block of code. If it didn’t put it in (and it usually doesn’t) go ahead and paste it in. Also you’ll want to add index.php to the list of index pages under the DirectoryIndex section if it didn’t get added. I use both php and shtml so mine looks like:
<IfModule mod_dir.c>
    <IfModule mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.php3 index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.php3 index.shtml index.html index.htm
        </IfModule>
    </IfModule>
    <IfModule !mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.shtml index.html index.htm
        </IfModule>
    </IfModule>
</IfModule>
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this, just unzip and untar the contents to /usr/local/www/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with “chown -R www:www <folder name>”. Go into this folder and copy config.inc.php to config.inc.php.ORIG. Edit config.inc.php and change
$cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';
OK, reboot with a “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpmyadmin page should load. Click on privileges and delete all the users except root on localhost (2 any’s and a root at machine name). Edit the root at localhost user and set a password. Reload the mysql server. At this point it should kick you out. Edit config.inc.php and put in your new password.
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpmyadmin page. Chown config.inc.php to www:www and chmod it to 550.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache/httpd.conf and adding an entry for the directory that reads (for example purposes I’m using phpMyAdmin as the folder name and replaced the IPs with X’s and Y’s):
<Directory /usr/local/www/data/phpMyAdmin>
Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
</Directory>
Check your config file with “apachectl configtest” and if OK restart apache with “apachectl restart”. You should now be able to load the phpMyAdmin page from only the IPs you entered. Any other IP should return “Forbidden . . .”.
At this point I add a .htaccess userid and password to this folder as well. See the apache documentation for how to do this, http://httpd.apache.org/docs/howto/auth.html#basicworks.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to somewhere safe and install latest version).
Download the latest version from ftp://ftp.qualcomm.com/eudora/servers/unix/popper. I got qpopper4.0.5.tar.gz. Move this file to /usr/install and gunzip and untar it and cd into the resulting directory.
The install procedure is
- ./configure --with-openssl
- make
- make install
- make clean
But qpopper has a bug in relation to recent versions of OpenSSL. So we have to enable the workarounds for known client bugs when qpopper calls OpenSSL functions. So before running the installation cd to the popper folder and copy pop_tls_openssl.c to pop_tls_openssl.c.ORIG. Edit pop_tls_openssl.c; about 35% into the file you’ll find:
/*
 * Set desired options
 */
if ( pPOP->tls_options ) {
    long opts = 0;
    opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
    DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",
                 pPOP->tls_options, opts );
}
Replace that with:
/* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
/* combination work with recent versions of OpenSSL. */
SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);
You can also download a copy of the patched file from me here. Make sure a diff on your edited version (or the one you downloaded from me) and the original file looks like:
beta# diff pop_tls_openssl.c pop_tls_openssl.c.ORIG
349,351c349,357
< /*
Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
< /* combination work with recent versions
of OpenSSL. */
< SSL_CTX_set_options
(pTLS->m_OpenSSLctx, SSL_OP_ALL);
---
> /*
> * Set desired options
> */
> if ( pPOP->tls_options ) {
> long opts = 0;
> opts = SSL_CTX_set_options (
pTLS->m_OpenSSLctx, pPOP->tls_options );
> DEBUG_LOG2 ( pPOP, "...set
options %#0x; options now %#0lx",
> pPOP->tls_options,
opts );
> }
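Review bot: the replacement at lines 349-351 calls SSL_CTX_set_options with SSL_OP_ALL unconditionally, so whatever is configured in pPOP->tls_options is no longer applied, and the DEBUG_LOG2 call that recorded the resulting option mask is dropped. Consider keeping the configured options and the trace by OR-ing the workaround in, for example SSL_CTX_set_options ( pTLS->m_OpenSSLctx, SSL_OP_ALL | pPOP->tls_options ), followed by the existing DEBUG_LOG2 line, so the effective options still appear when debugging TLS problems. Note that the diff was run as edited-file versus .ORIG, so the "<" lines are the patched code and the ">" lines are the original.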
Now we configure, make and install with (don’t forget to cd back up a directory first):
./configure --with-openssl
make
make install
make clean
OK, now we want to make qpopper use tls/ssl pop. So cd to /usr/local/etc and make a directory called qpopper. Cd to this directory and edit a new file called qpopper.conf, insert
set tls-support = stls
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. Edit a file called qpopper-altport.conf and insert
set tls-support = alternate-port
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. In case you’re wondering, we’re going to make ssl/tls pop work on both the standard port (110) and the alternate port (995). This makes setting up email clients (eudora, etc) that much more foolproof. And that’s a good thing.
Cd to /etc/mail and “mkdir certs”. Cd to certs and run
openssl req -new -nodes -out req.pem -keyout cert.pem
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial
cp cert.pem cert.pem.ORIG
cat signed-req.pem >> cert.pem
This will ask you a bunch of questions, twice, most of which aren’t important. The only critical ones are
- for passwords or pass phrases enter the same thing each time
- for common name enter the fully qualified domain name of your machine
You can download the entire set of commands as a script here.
(FreeBSD Server Rebuild?: just scp cert.pem from your old box to your new box instead.)
Cd to /etc and copy inetd.conf to inetd.conf.ORIG. Edit inetd.conf and change (add the pop3s line under your current pop3 line):
pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf
pop3s stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf
imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
HUP your inetd and you should now be able to pop into your email. Remember to add the certificate to your trusted certificates in eudora. For details see the bottom part of the page at: http://www.bio.fsu.edu/complabs/eudora.htm.
Note: The “-p 4” in the pop3 inetd lines enforces the use of ssl/tls pop. If you want to allow but not force ssl/tls pop remove the “-p 4” from the line(s).
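One way to confirm that the inetd.conf lines and the two qpopper config files agree, as an added example that is not from the original page: the function lists every popper entry, checks for the “-p 4” the note above describes, and checks that the file named by -f sets the tls-support value the text gives for that service (stls for pop3, alternate-port for pop3s). The function names, the ROOT staging argument and the sample files are assumptions; the sample pop3s line is deliberately misconfigured.

```shell
#!/bin/sh
# Added example: cross-check popper entries in inetd.conf against the
# tls-support setting in the qpopper config file each entry points at.

# qp_tls_mode CONF: print the value of "set tls-support = ...",
# "none" if the setting is absent, or "missing" if CONF is unreadable.
qp_tls_mode() {
    [ -r "$1" ] || { echo missing; return; }
    awk '/^[ \t]*set[ \t]+tls-support[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
         END { print (v == "" ? "none" : v) }' "$1"
}

# popper_tls_audit INETD_CONF [ROOT]
# ROOT is an optional prefix for the -f paths, so a staged copy of the
# files can be checked. Prints "<service> ok" or "<service> <problems>".
popper_tls_audit() {
    root=${2:-}
    awk '
    /^[ \t]*#/ || NF < 7 { next }
    $6 ~ /\/popper$/ {                  # field 6 is the server program
        p = "-"; conf = "-"
        for (i = 8; i < NF; i++) {      # field 7 is argv[0], options follow
            if ($i == "-p") p = $(i + 1)
            if ($i == "-f") conf = $(i + 1)
        }
        print $1, p, conf
    }' "$1" |
    while read -r svc p conf; do
        case "$svc" in
            pop3s) want=alternate-port ;;
            *)     want=stls ;;
        esac
        mode=$(qp_tls_mode "$root$conf")
        status=""
        [ "$p" = 4 ] || status="no-p4"
        [ "$mode" = "$want" ] || status="${status:+$status,}tls-support=$mode"
        echo "$svc ${status:-ok}"
    done
}

# Constructed sample: pop3 matches the text, pop3s lacks "-p 4" and points
# at the stls config instead of qpopper-altport.conf.
popper_sample() {
    mkdir -p "$1/etc" "$1/usr/local/etc/qpopper"
    cat > "$1/etc/inetd.conf" <<'EOF'
pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf
pop3s stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 2 -f /usr/local/etc/qpopper/qpopper.conf
imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
EOF
    printf 'set tls-support = stls\nset tls-server-cert-file = /etc/mail/certs/cert.pem\n' \
        > "$1/usr/local/etc/qpopper/qpopper.conf"
    printf 'set tls-support = alternate-port\nset tls-server-cert-file = /etc/mail/certs/cert.pem\n' \
        > "$1/usr/local/etc/qpopper/qpopper-altport.conf"
}

d=$(mktemp -d)
popper_sample "$d"
popper_tls_audit "$d/etc/inetd.conf" "$d"
# pop3 ok
# pop3s no-p4,tls-support=stls
rm -rf "$d"
```

On the live box, run popper_tls_audit /etc/inetd.conf with no second argument after each edit and before sending inetd the HUP.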
Get vbsd432l.tar.z from somewhere. Go to your /usr/install directory and do a “mkdir vbsd” and then “cd vbsd”. (Vbsd416l.tar.z doesn’t create its own directory when you untar it). Move the installer to the current directory. Gunzip the installer, and then untar it. Then run ./install-uvscan, accept all defaults.
Here’s where you run into problems with libc.so.3 (which doesn’t exist), so cd to /usr/lib and then “ln -s libc.so.4 libc.so.3”.
Install latest dat files by untarring them to a temp directory and from that directory run “cp *.dat /usr/local/uvscan”.
Run “/usr/local/uvscan/uvscan --version” to check the results.
Cd to /etc/mail. Copy sendmail.cf to sendmail.cf.ORIG. Edit sendmail.cf and change:
# load average at which we just queue messages
O QueueLA=24
# load average at which we refuse connections
O RefuseLA=36
Save sendmail.cf.
Edit a new file called access. You want to enable relaying from your domains. Mine looks like this.
fsu.edu            RELAY
128.186            RELAY
146.201            RELAY
144.174            RELAY
evilspammer.com    REJECT
Make the access database with “makemap hash access < access”. This creates a file called access.db.
If you receive mail for more than just your domain edit a new file called local-host-names and insert the domain names. Mine looks like this.
southernmatters.com
lakejacksonturtles.org
Edit /etc/mail/aliases and at least redirect root to an account you check. Also add any other aliases you want for your domain. Rebuild alias database with “newaliases”.
(FreeBSD Server Rebuild?: scp local-host-names from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, copy over any alias files you had).
Cd to /usr/ports/mail/mailscanner and install with “make install”.
Create the MailScanner spool directories with
mkdir -p /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/mqueue.in
chgrp daemon /var/spool/MailScanner/*
chgrp daemon /var/spool/mqueue.in
Cd to /usr/local/etc/MailScanner and copy MailScanner.conf to MailScanner.conf.ORIG. Edit MailScanner.conf and change
%org-name% = <Your org name>
Expand TNEF = no
File Command = /usr/bin/file
Virus Scanners = mcafee
Still Deliver Silent Viruses = no
Allow IFrame Tags = yes
Quarantine Infections = no
Add Envelope From Header = no
Virus Subject Text = {Virus}
Filename Subject Text = {Filename}
Warning Is Attachment = no
Use SpamAssassin = yes
High Scoring Spam Actions = delete
#Enable Spam Bounce = %rules-dir%/bounce.rules
Always Include SpamAssassin Report = yes # You will probably want to disable this after testing
Cd to /usr/local/etc/rc.d. Copy mta.sh.sample to mta.sh. Edit mta.sh and change “mta=exim” to “mta=sendmail”. Copy mailscanner.sh.sample to mailscanner.sh.
Edit /etc/rc.conf and set
sendmail_enable="NO"
MailScanner should now be started when the system boots, but don’t reboot or try to start it yet. The following is FYI only at this point. To start, stop or restart MailScanner manually, use
/usr/local/etc/rc.d/mailscanner.sh start/stop/restart
Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install it with a “make install”.
Cd to /usr/ports/mail/pyzor and install with “make install”.
OK, now you can reboot. At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.
Cd to /usr/ports/mail/imp3 and install with a “make WITHOUT_SSL=true install”. This will take quite a while as there are lots of dependencies so this is a good time to get a cup of your favorite beverage. Don’t fret about the WITHOUT_SSL; this means the connection from IMP to imap won’t be encrypted, which, since it’s on the same machine, is OK. The encryption will be handled by apache-modssl, which handles the connection from the machine to the end user.
Make sure the install added
# Horde's include directory
Include /usr/local/etc/horde
to the bottom of /usr/local/etc/apache/httpd.conf. If not, add it.
And add
<Directory "/usr/local/www/horde">
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLRequireSSL
</Directory>
directly underneath the
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
block of code.
Cd to /usr/local/etc/apache and copy httpd.conf to httpd.conf.BAK. Look for the virtual host section (near the bottom). Add a virtual host for redirecting to your encrypted web server. The only way I can get virtual hosts to work is to make all the sites on the server a virtual host so:
NameVirtualHost *
#
<VirtualHost *>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/data
ServerName <your host name>
ErrorLog /var/log/httpd-error.log
CustomLog /var/log/httpd-access.log common
</VirtualHost>
<VirtualHost *>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/redirect
ServerName webmail.<your domain name>
ErrorLog /var/log/httpd-redirect-error.log
CustomLog /var/log/httpd-redirect-access.log common
</VirtualHost>
Now we have to make the redirect actually happen so cd to /usr/local/www and make a directory called redirect. Inside that edit a file called index.html and put in:
<HTML>
<HEAD>
<TITLE>Redirect to secure-webmail</TITLE>
<
</HEAD>
<BODY>
<p>
<font size="5">You are being redirected to <a href="https://webmail.<your domain name>">https://webmail.<your domain name></a></font>
<p>
</BODY>
</HTML>
And create the encrypted virtual host. At the bottom of /usr/local/etc/apache/httpd.conf you’ll find
##
## SSL Virtual Host Context
##
Change the DocumentRoot, ServerName and ServerAdmin values; you can also set up separate log files
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog /var/log/httpd-horde-error.log
TransferLog /var/log/httpd-horde-access.log
Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above. So watch the <>’s.
Cd to /usr/local/www/horde/scripts/db and copy mysql_create.sql to mysql_create.sql.ORIG. Edit mysql_create.sql and change the password from “horde” to <something else> where it says:
-- IMPORTANT: Change this password!
password('horde')
Create the horde database with “mysql -u root -p < mysql_create.sql”, enter the mysql root password when prompted.
Verify that you can connect to the horde database with “mysql -u horde -p”, enter the horde password (<something else>) when prompted.
(FreeBSD Server Rebuild?: Instead of importing the mysql_create.sql file, mysqldump the horde and mysql databases on the old box to .sql files with “mysqldump -u root --opt horde > old_horde.sql”, “mysqldump -u root --opt mysql > old_mysql.sql”, scp these files to the new box and import these into the new box with “mysql -u root -p horde < old_horde.sql” and “mysql -u root -p mysql < old_mysql.sql”. Then reload mysql. At this point all mysql usernames and passwords will be as they were on the old box. And all user data stored in the horde database (address books, etc) will have been copied over.)
Cd to /usr/local/www/horde/config and copy horde.php to horde.php.ORIG. Edit horde.php and change:
$conf['use_ssl'] = 1;
$conf['auth']['params']['dsn'] = '{localhost:143/imap}INBOX';
$conf['log']['priority'] = LOG_INFO;
$conf['prefs']['params']['username'] = 'horde';
$conf['prefs']['params']['password'] = '<something else>';
Copy registry.php to registry.php.ORIG and edit registry.php. Find the horde section under the Application registry section (first block) and change (right under 'icon' => '/horde/graphics/home.gif',):
'name' => _("Webmail on <your host name>"),
Add user www to trusted mail users.
Edit /etc/mail/trusted-users and put in “www”.
Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove the three server configurations under the imap configuration (pop, cyrus and exchange). Change the imap configuration as follows (you may find that all is correct already):
$servers['imap'] = array(
    'name' => 'IMAP Server',
    'server' => 'localhost',
    'protocol' => 'imap/notls',
    'port' => 143,
    'folders' => 'Mail/',
    'namespace' => '',
    'maildomain' => '<Your mail domain or FQHN>',
    'smtphost' => 'localhost',
    'realm' => '',
    'preferred' => ''
);
Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “local.sql” section with “’title’ => ‘My Addressbook’”. Change
'username' => 'horde',
'password' => '<something else>',
Create the turba database. Cd to /usr/local/www/horde/turba/scripts/drivers and run “mysql -u root -p < turba.sql”, enter the root password for MySQL when prompted.
(FreeBSD Server Rebuild?: Don’t import turba.sql. You grabbed your old one when you imported your old_horde.sql database.)
Cross your fingers and reboot with a “shutdown -r now”.
After your system comes back up you should be able to log on to webmail at https://webmail.<your_domain_name>
Remove horde@% user from mysql
The horde@% user is not needed; go to http://<your host name>/<phpMyAdmin folder> and click on privileges. Delete the horde@% user.
(FreeBSD Server Rebuild?: No need for this step.)
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You’ll need to reboot for this to take effect.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild the database with “cap_mkdb /etc/login.conf”.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log
8-06-2004: Added install php4-extensions port. Extensions used to get installed along with php; that’s changed now and they must be installed separately. /usr/local/etc/php.ini is now copied from php.ini-recommended instead of php.ini-dist.