Document last modified 2/17/2008, 9pm – see bottom for details.
This is latest version (v8) of freebsd-mail-server pages.
Installing FreeBSD 6.3 mail server with mailscanner, spamassassin, cyrus ssl/tls pop, cyrus ssl/tls imap, smtp-auth, starttls, and webmail (IMP).
Note 0: This page was written to document the procedure I use to build my mail servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu. I would like to thank Sean Burnside for his help on apache22 and horde cookies problem and also Hiram Gibbard and Daniel Whelan for help with the Cyrus sieve / Horde ingo section.
Note 1: You will need to request a webmail.<your_domain_name> alias for your mail server’s IP address from whoever handles your IP registration.
Note 2: I use the terms “folder” and “directory” interchangeably; they mean the same thing. Also, terms placed in <>’s are usually variables, meaning don’t type in the <>’s. For example <your_userid> is the username you su to root from. The exception to terms placed in <>’s being variables is the httpd.conf file, where the <>’s are part of Apache’s own syntax.
Note 3: Previous versions of this document used Qualcomm’s qpopper and imap-uw IMAP. For performance reasons this has been changed to Cyrus. Cyrus uses a proprietary mailbox format. The page syncing_mailboxes_with_imapsync.php documents our procedure for converting mailboxes from other formats to Cyrus. This page will be posted soon.
Note 4: I’ll be adding special notes for those rebuilding a current FreeBSD box. These notes will be in red. I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process. I change the hostname on the new box until I’m done, then change it to the true server name after I’ve tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache22/httpd.conf, /usr/local/www/apache22/data/phpmyadmin/config.inc.php and /usr/local/etc/MailScanner/MailScanner.conf. I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I’m rebuilding. Previous versions had a method for moving the IMP address book database, but changes in database format have precluded that from working reliably. I recommend having your users export their address book to a file before the rebuild and then having them import it back afterwards.
Install FreeBSD 6.3. I usually do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.
I usually just download the bootonly.iso, burn it to cd, boot from cd, and go from there to install via network interface.
Don’t install ports when asked. I download the latest from the link on the FreeBSD website to make sure I get latest version.
If you didn’t include sources in your initial install, use sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains that you don’t need. This cuts my kernel size to less than half its previous size. Directions for recompiling the kernel are at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
and here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at CPU type, ethernet card and RAID controller; mine is set for Pentium >= II, Intel GB LAN and a 3ware 9500 RAID controller. Other than that it’s a standard PC. Note: If you remove the inet6 stuff from the kernel you’ll want to remove the “O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O” line in /etc/mail/sendmail.cf (the first character is the letter O, sendmail’s option prefix). More on that later.
Basic procedure for building and installing new kernel is:
- cd to /usr/src/sys/i386/conf
- cp GENERIC to <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
- run “make installkernel KERNCONF=<your host name in caps>”
- reboot to use the new kernel (run “shutdown -r now”)
- mv /boot/kernel.old /boot/kernel.ORIG # ORIG assumes this is your first kernel recompile. Else change ORIG to something appropriate.
Hint: install all applicable security patches from http://www.freebsd.org/security before compiling kernel. That way any patches that require kernel rebuild are completed in above step.
If you commented out ipv6 in kernel don’t fret about the sendmail ipv6 error message, we’ll deal with it shortly.
Download latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Update ports
Please note I only recommend this on a new box. Updating ports on an old box can result in broken ports. On a recent box it works pretty well, though sometimes some tweaking is required.
Cd to /usr/ports/net/cvsup-without-gui and run “make install”. When that’s done run
“cvsup /usr/share/examples/cvsup/ports-supfile -h cvsup2.freebsd.org”.
If denied access on cvsup2 try cvsup3.
Install portupgrade (if not already installed) with
“cd /usr/ports/ports-mgmt/portupgrade” and a “make install”
Backup your current ports db with
“cd /var/db” and “tar cvfz var.db.pkg.<todays_date>.tgz pkg”
Find and fix stale dependencies
“/usr/local/sbin/pkgdb -F” # Answer "YES" to fix questions.
Recompile/upgrade ports, choosing the default options on config screens, except remove ip6 if you compiled the kernel without ip6
“/usr/local/sbin/portupgrade -ra”
Hint, if you are running a sh shell you may have to type “rehash” before it will find the cvsup command.
Install bash and change some config files
Install bash. Cd to /usr/ports/shells/bash and “make install”. Change your shell to “/usr/local/bin/bash” with vipw. Run “adduser -C” and set the default shell to bash.
Make a directory for installing stuff. I use /usr/install thus “mkdir /usr/install”
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make it much more secure. I only allow ssh from my work PC. I allow sendmail, pop and imap from anywhere. I allow anything from localhost. I allow finger from inside biology. I deny all else. So mine looks like this:
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.0.7 2005/12/07 15:17:44 sysalex Exp $
#
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imapd from localhost for IMP
ALL : localhost 127.0.0.1 : allow
ALL : bio.fsu.edu 128.186.38.55 : allow
# Prevent those with no reverse DNS from connecting.
#ALL : PARANOID : RFC931 20 : deny
# Prevent unregistered IP’s from connecting.
#ALL : UNKNOWN : RFC931 20 : deny
# Allow sendmail, popper and imap from anywhere
sendmail : ALL : allow
imaps : ALL : allow
imap : ALL : allow
pop3s : ALL : allow
pop3 : ALL : allow
sieve : ALL : allow
# Allow finger from inside biology
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
# Allow ssh from alexpc
sshd : alexpc.bio.fsu.edu : allow
sshd : ALL : deny
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from old box instead and change the local hostname if necessary).
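As an added example (not part of the original page), here is a small Python evaluator for the hosts.allow above that applies tcp_wrappers’ first-match rule, so you can confirm which (daemon, client) pairs the policy admits before relying on it. The ruleset is the one above; the client host names and addresses in the checks are constructed, and it only handles the pattern forms this file uses (ALL, exact host or address, leading-dot domain suffix, trailing-dot network prefix and net/mask), not the PARANOID or RFC931 lookups.

```python
import ipaddress

# The hosts.allow from this page, embedded so the evaluator runs offline.
HOSTS_ALLOW = """\
ALL : localhost 127.0.0.1 : allow
ALL : bio.fsu.edu 128.186.38.55 : allow
sendmail : ALL : allow
imaps : ALL : allow
imap : ALL : allow
pop3s : ALL : allow
pop3 : ALL : allow
sieve : ALL : allow
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
sshd : alexpc.bio.fsu.edu : allow
sshd : ALL : deny
ALL : ALL : deny
"""


def parse_rules(text):
    """Return a list of (daemon_list, client_list, action) from hosts.allow text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError("unsupported rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split(), fields[2].lower()))
    return rules


def client_matches(pattern, hostname, address):
    """Client patterns in the forms this page's file uses (see hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # domain suffix: .bio.fsu.edu
        return hostname.endswith(pattern)
    if pattern.endswith("."):                     # network prefix: 128.186.
        return address.startswith(pattern)
    if "/" in pattern:                            # net/mask: 128.186.0.0/255.255.0.0
        return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, address)         # exact host name or address


def decide(rules, daemon, hostname, address):
    """First matching rule wins, exactly as tcp_wrappers scans hosts.allow."""
    for daemons, clients, action in rules:
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, hostname, address) for c in clients):
            return action
    # No match in hosts.allow means hosts.deny is consulted next; the file
    # above ends with "ALL : ALL : deny", so this is never reached for it.
    return "no match"


def audit(text, checks):
    """Evaluate (daemon, hostname, address, expected) tuples; return the mismatches."""
    rules = parse_rules(text)
    return [(d, h, a, decide(rules, d, h, a))
            for d, h, a, expected in checks
            if decide(rules, d, h, a) != expected]


# Constructed client hosts and addresses expressing the policy the page describes.
POLICY_CHECKS = [
    ("sshd", "alexpc.bio.fsu.edu", "128.186.38.10", "allow"),
    ("sshd", "host.example.net", "203.0.113.5", "deny"),
    ("imaps", "host.example.net", "203.0.113.5", "allow"),
    ("sendmail", "host.example.net", "203.0.113.5", "allow"),
    ("fingerd", "lab1.bio.fsu.edu", "128.186.38.20", "allow"),
    ("fingerd", "host.example.net", "203.0.113.5", "deny"),
    ("httpd", "host.example.net", "203.0.113.5", "deny"),
    ("httpd", "localhost", "127.0.0.1", "allow"),
]

if __name__ == "__main__":
    print(audit(HOSTS_ALLOW, POLICY_CHECKS) or "policy matches expectations")
```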
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex. “localhost.bio.fsu.edu”).
Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.ORIG” or something similar. Edit /etc/rc.conf and add
apache22_enable="YES"
apache22_ssl_enable="YES"
apache22_http_accept_enable="YES"
cyrus_imapd_enable="YES"
cyrus_pwcheck_enable="YES"
mysql_enable="YES"
saslauthd_enable="YES"
sendmail_enable="YES"
On older versions of FreeBSD sendmail_enable may already be on.
FreeBSD 6.3 doesn’t have perl by default, but if you installed portupgrade perl was probably installed as a dependency. If not, install it:
Cd to /usr/ports/lang/perl5.8 and install with a “make install”.
Check the result with “perl -v”. You may have to do a “rehash” first, depending on your shell.
Install cclient
Cd to /usr/ports/mail/cclient and run “make -DWITH_SSL_AND_PLAINTEXT install”. Accept defaults on config options.
Cd to /usr/ports/security/cyrus-sasl2-saslauthd and install with “make -DWITHOUT_OTP install”. This will also install cyrus-sasl2.
If you didn’t already add them above, back up /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.BAK” or something similar, edit /etc/rc.conf and add
cyrus_pwcheck_enable="YES"
saslauthd_enable="YES"
Install cyrus-imapd23
cd /usr/ports/mail/cyrus-imapd23 and install with “make install”.
Copy /usr/local/etc/imapd.conf to /usr/local/etc/imapd.conf.ORIG. Edit /usr/local/etc/imapd.conf and change
allowplaintext: no
admins: <your_userid>
sasl_pwcheck_method: saslauthd
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
Create the cyrus directories
cd /var
mkdir imap
chown cyrus:mail imap
chmod 750 imap
cd /var/spool
mkdir imap
chown cyrus:mail imap
chmod 750 imap
cd /var/imap
mkdir sieve
chown cyrus:mail sieve
chmod 750 sieve
Cd to /var/imap and make the server.pem file with
openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365
When asked for “Common Name” enter the FQDN of your mail server.
Change the owner, group and permissions of server.pem
chown cyrus:cyrus server.pem
chmod 440 server.pem
Su to the cyrus user with “su cyrus” and run mkimap with “/usr/local/cyrus/bin/mkimap”.
Create an admin user in the sasl password db.
saslpasswd2 -c <your_userid>
Log into the Cyrus administration interface (cyradm).
cyradm localhost -u <your_userid>
Once logged into cyrus (you should have a prompt that looks like “localhost>”) create cyrus mail boxes for root and yourself.
cm user.root
cm user.<your_userid>
exit
Cd to /etc and copy syslog.conf to syslog.conf.ORIG. Edit syslog.conf and add
# cyrus
local6.debug /var/log/imapd.log
auth.debug /var/log/auth.debug.log
Create the log files with “touch /var/log/imapd.log” and “touch /var/log/auth.debug.log”.
Backup your /etc/make.conf with something like “cp /etc/make.conf /etc/make.conf.BAK”. Edit /etc/make.conf and add
# Add SMTP AUTH support to Sendmail
SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2
# Enable alternate port (smtps) for sendmail.
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
Rebuild sendmail
cd /usr/src
make buildworld
cd /usr/src/usr.sbin/sendmail
make clean
make depend
make
make install
Make an SSL cert for sendmail. These directions for creating the sendmail cert were obtained from sendmail.org.
cd /usr/install
mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /etc/ssl/openssl.cnf ./openssl.cnf
Ok, now edit openssl.cnf and change
dir = . # Where everything is kept
To make the CA (certificate authority)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
To make a new certificate:
cd CA (same directory created above)
openssl req -nodes -new -x509 -keyout mykey.pem -out mykey.pem -days 365 -config openssl.cnf
(certificate and private key in file mykey.pem)
To sign the new certificate with the certificate authority:
cd CA (same directory created above)
openssl x509 -x509toreq -in mykey.pem -signkey mykey.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
rm -f tmp.pem
mkdir /etc/mail/certs
cp cacert.pem /etc/mail/certs
cp mycert.pem /etc/mail/certs
cp mykey.pem /etc/mail/certs
chmod 600 /etc/mail/certs/*.pem
Generate a site mc file
cd /etc/mail
make all
Edit the new mc file (<FQDN>.mc) and add
define(`confLOCAL_MAILER', `cyrusv2')
MAILER(`cyrusv2')
dnl set SASL2 options
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
dnl starttls stuff
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
define(`confAUTH_OPTIONS',`A p y')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl change log level
define(`confLOG_LEVEL', `15')dnl
dnl change load levels
define(`confQUEUE_LA', `24')dnl
define(`confREFUSE_LA', `36')dnl
If you disabled ipv6 support in your kernel you’ll want to comment out the
“DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')”
line by putting in a “dnl” at the start of the line.
Install the new cf file with “make all install”
To enable relaying from inside your domain without smtp-auth, edit a new file /etc/mail/access. Mine looks like this.
fsu.edu RELAY
128.186 RELAY
146.201 RELAY
144.174 RELAY
evilspammer.com REJECT
You should replace “.fsu.edu” and the ip’s with the domain(s) and ip’s from which you wish to relay mail without smtp-auth authentication.
Make the access database with “makemap hash access < access”. This creates a file called access.db.
Edit a file called /etc/mail/local-host-names and insert the domains for which the machine will be receiving mail. I receive mail for bio.fsu.edu and two other domains so mine looks like this.
bio.fsu.edu
southernmatters.com
lakejacksonturtles.org
Edit /etc/mail/aliases and at least redirect root to an account you check. Also add any other aliases you want for your domain. Rebuild alias database with “newaliases”.
(FreeBSD Server Rebuild?: scp local-host-names and certs from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, copy over any alias files you had).
Reboot. When the system comes back up you should have a functional mail server. Test sending a message to your account on the machine and reading it with POP and IMAP. Test SMTP, POP and IMAP on both standard and alternate ports. Test that plaintext passwords without encryption are disallowed. Use Eudora to test SMTP and POP using the “Never”, “If Available, STARTTLS”, “Required, Alternate Port” and “Required, STARTTLS” options. Use Thunderbird to test IMAP using the “Never”, “TLS”, and “SSL” options.
If things don’t work check the /var/log/maillog, /var/log/imapd.log and /var/log/messages files for errors. Also if /var/log/auth.log has entries like “imaps[610]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied” then assuming you aren’t going to use opiekeys you can “chown cyrus /etc/opiekeys” to get rid of the error messages.
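As an added check (not part of the original page), the Python below verifies from the pre-TLS server banners that sendmail (confAUTH_OPTIONS `A p y`) withholds AUTH PLAIN/LOGIN until STARTTLS and that Cyrus (allowplaintext: no) advertises LOGINDISABLED. The EHLO and CAPABILITY samples are constructed; check_live() queries a real host name you supply and is the only part that needs the network.

```python
import imaplib
import smtplib

# SASL mechanisms that send the password in the clear unless TLS is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO lines (as smtplib returns them, without the 250- prefix)
# from a correctly configured sendmail: AUTH is withheld until STARTTLS.
SMTP_EHLO_OK = [
    "mail.example.org Hello client.example.org [203.0.113.5], pleased to meet you",
    "ENHANCEDSTATUSCODES", "PIPELINING", "8BITMIME", "SIZE", "STARTTLS", "HELP",
]
# Constructed: what you would see with the `p` flag missing from confAUTH_OPTIONS.
SMTP_EHLO_LEAKY = SMTP_EHLO_OK + ["AUTH PLAIN LOGIN"]

# Constructed pre-TLS CAPABILITY lines for Cyrus with and without allowplaintext: no.
IMAP_CAPA_OK = "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ STARTTLS LOGINDISABLED"
IMAP_CAPA_LEAKY = "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN"


def smtp_plaintext_auth_exposed(ehlo_lines):
    """True if a plaintext SASL mechanism is advertised before STARTTLS."""
    offered = set()
    for line in ehlo_lines:
        words = line.split()
        if words and words[0].upper() == "AUTH":
            offered.update(w.upper() for w in words[1:])
    return bool(offered & PLAINTEXT_MECHS)


def imap_plaintext_login_exposed(capability_line):
    """True if the pre-TLS CAPABILITY would let a client log in unencrypted."""
    caps = {c.upper() for c in capability_line.split()}
    if "LOGINDISABLED" not in caps:
        return True   # the bare LOGIN command would be accepted in the clear
    return any("AUTH=" + m in caps for m in PLAINTEXT_MECHS)


def check_live(host):
    """Ask a real server (needs a network); returns (smtp_exposed, imap_exposed)."""
    with smtplib.SMTP(host, 25, timeout=15) as smtp:
        smtp.ehlo()
        ehlo_lines = smtp.ehlo_resp.decode("ascii", "replace").splitlines()
    imap = imaplib.IMAP4(host, 143)
    try:
        typ, data = imap.capability()
    finally:
        imap.logout()
    return (smtp_plaintext_auth_exposed(ehlo_lines),
            imap_plaintext_login_exposed(data[0].decode("ascii", "replace")))
```

Both functions should return False against your server; a True from either means a client configured for “Never” encryption could still hand over a password in the clear.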
Cd to /usr/ports/www/apache22 and run “make install”. Accept the default options, but disable IPv6 if you disabled it in your kernel.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new /usr/local/etc/apache22/httpd.conf. I usually run a diff between the new file and old file to spot any differences. If you are upgrading from apache1.3.x then be aware that the old httpd.conf file has been split up between /usr/local/etc/apache22/httpd.conf and /usr/local/etc/apache22/extra/*.conf.
Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs. Generate a certificate for your webserver by running the following commands. Probably best to copy and paste them into something like /usr/local/sbin/mkwebcerts, chmod that to 700 and then run it.
openssl genrsa -des3 -out webmail.key 1024
openssl rsa -noout -text -in webmail.key
openssl rsa -in webmail.key -out webmail.key.unsecure
openssl req -new -x509 -nodes -sha1 -days 365 -key webmail.key -out webmail.crt
openssl x509 -noout -text -in webmail.crt
When asked for “Common Name” enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>). For the other questions the common sense answer is correct. When asked for a password or passphrase type in the same thing each time.
Chown the cert files to www:www and chmod them to 440.
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box). Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.
Edit httpd.conf and change
ServerName <your host name>
ServerAdmin <your email address>
Include etc/apache22/extra/httpd-userdir.conf
Include etc/apache22/extra/httpd-default.conf
Include etc/apache22/extra/httpd-ssl.conf
Edit httpd-ssl.conf and change
ServerName webmail2.<your domain>:443
ServerAdmin <your email address>
SSLCertificateFile /usr/local/etc/apache22/certs/webmail.crt
SSLCertificateKeyFile /usr/local/etc/apache22/certs/webmail.key.unsecure
Make sure you added the following to /etc/rc.conf
apache22_enable="YES"
apache22_ssl_enable="YES"
apache22_http_accept_enable="YES"
Here are a couple of hints for those of you new to apache.
The default install of apache does not have cgi-scripts enabled. To enable cgi scripts:
Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.
<Directory "/usr/local/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
(FreeBSD Server Rebuild?: don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql50-server and run “make install”. This will install both server and client. Edit /etc/rc.conf and add
mysql_enable="YES"
Cd to /usr/ports/lang/php4 and run “make install”. On the options screen leave the defaults already checked and add: “APACHE”, “DEBUG”, “MULTIBYTE”, “OPENSSL”. If you compiled your kernel w/o IPV6 support, remove it here as well.
Cd to /usr/ports/lang/php4-extensions and run “make install”. On the options screen, leave the defaults already checked and add:
DOMXML, FILEINFO, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MBSTRING, MCAL, MCRYPT, PDF, PSPELL and XML (may be selected already). Note that “OPENSSL” is NOT selected. The options in blue are not necessary but useful for other applications. Use the default options on any dependencies.
After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 32M ; max upload file size in webmail
post_max_size = 32M ; max upload file size in webmail
memory_limit = 64M ; Maximum amount of memory a script may consume (default is 8M)
Cd to /usr/ports/databases/pear-DB and run “make install”.
Cd to /usr/ports/sysutils/pear-Log and run “make install”. Enable pear-DB support.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache22/httpd.conf file. The chunk of code it was supposed to add is:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
and it goes right under the
#AddType application/x-gzip .tgz
block of code. If it didn’t put it in (and it usually doesn’t) go ahead and paste it in. Also you’ll want to add index.php to the list of index pages in the DirectoryIndex section if it didn’t get added. I use both php and shtml so mine looks like:
<IfModule dir_module>
DirectoryIndex index.php index.shtml index.html index.htm
</IfModule>
And add a directory entry for horde
<Directory "/usr/local/www/horde">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Cd to /usr/ports/graphics/GraphicsMagick and install with "make install". This step is optional but a good idea if you plan to do any image manipulation with apache.
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this, just unzip and untar the contents to /usr/local/www/apache22/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with “chown -R www:www <folder name>”. Go into this folder and copy ./libraries/config.default.php to ./config.inc.php.
OK, reboot with a “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpmyadmin page should load. If it doesn’t you could try editing config.inc.php and changing
$cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';
Click on privileges and delete all the users except root on localhost (2 any’s and a root at machine name). If the user refuses to delete remove all database and table specific privileges for that user and then try again. Edit the root at localhost user and set a password. Reload the mysql server. At this point it should kick you out. Edit config.inc.php and put in your new password.
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpmyadmin page. Chown config.inc.php to www:www and chmod it to 550.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache22/httpd.conf and adding an entry for the directory that reads (for example purposes I’m using phpMyAdmin as the folder name and replaced the ip’s with X’s and Y’s):
<Directory /usr/local/www/apache22/data/phpMyAdmin>
AllowOverride AuthConfig
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
AuthName "Any blurb you want, gets displayed in login dialog box"
AuthType Basic
AuthUserFile /usr/local/etc/apache22/http_pws/phpMyAdmin.dat
Require valid-user
Satisfy All
</Directory>
I put my directory entries underneath the one for /home/*/public_html.
You’ll need to create the /usr/local/etc/apache22/http_pws folder. Then use the “htpasswd -c /usr/local/etc/apache22/http_pws/phpMyAdmin.dat <username>” command to create the phpMyAdmin.dat file.
Check your config file with “apachectl configtest” and if OK restart apache with “apachectl stop; apachectl startssl”. You should now be able to load the phpMyAdmin page from only the ip’s you entered. Any other ip should return “Forbidden . . .”.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to somewhere safe and install latest version).
Mcafee uvscan
Get the latest version of McAfee uvscan for FreeBSD (vbs6520l.tar.z as of 8-10-2007) from somewhere. Go to your /usr/install directory and do a “mkdir vbsd” and then “cd vbsd” (vbs6520l.tar.z doesn’t create its own directory when you untar it). Move the installer to the current directory. Gunzip the installer, and then untar it. Then run ./install-uvscan and accept all defaults.
Cd to /usr/local/sbin and fetch http://bio.fsu.edu/~sysalex/uvscan-update. chmod uvscan-update so that only root can run it: “chmod 700 uvscan-update”. And run it “./uvscan-update”.
Run “/usr/local/uvscan/uvscan --version” to check the results.
Run uvscan-update out of cron daily or more often to keep mcafee uvscan virus definitions current.
F-Prot
Cd to /usr/ports/security/f-prot and “make install”.
Run /usr/local/f-prot/tools/check-updates.pl to update virus definitions. Also run this out of cron daily or more often. But don’t be surprised if MailScanner updates f-prot for you.
Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install with “make install”. Leave all defaults selected and add MYSQL, RAZOR and TOOLS support.
Cd to /usr/ports/mail/mailscanner and install with “make install”. Deselect SPAMASSASSIN and CLAMAV, assuming you have already installed spamassassin and will be using uvscan, not clamav.
Generate default config files with “make initial-config”.
Create the MailScanner spool directories with
mkdir -p /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/mqueue.in
chgrp daemon /var/spool/MailScanner/*
chgrp daemon /var/spool/mqueue.in
Cd to /usr/local/etc/MailScanner and copy MailScanner.conf to MailScanner.conf.ORIG. Edit MailScanner.conf and change
%org-name% = <Your org name>
%org-long-name% = <Your org name in long format>
%web-site% = <link to whatever web page you want, a page describing mailscanner seems appropriate>
Expand TNEF = no
File Command = /usr/local/bin/file
Maximum Attachment Size = 41943040 # 40 mb
Maximum Message Size = 67108864 # 64 mb
Minimum Attachment Size = 1
Maximum Archive Depth = 0
Virus Scanners = f-prot mcafee
Virus Scanner Timeout = 600
Quarantine Infections = no
Quarantine Whole Message = yes
Always Include SpamAssassin Report = yes
Virus Subject Text = {Virus}
Filename Subject Text = {Filename}
Disarmed Modify Subject = no
Phishing Modify Subject = yes
Warning Is Attachment = no
Spam List = spamhaus.org spamhaus-XBL spamcop.net NJABL CBL DSBL # You can un-comment this to enable them
Spam Lists To Reach High Score = 2
Use SpamAssassin = yes
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes
High Scoring Spam Actions = delete
Enable Spam Bounce = no
Make sure that spam.lists.conf contains the following definitions, else add them.
spamhaus.org sbl.spamhaus.org.
spamhaus-XBL xbl.spamhaus.org.
spamcop.net bl.spamcop.net.
NJABL dnsbl.njabl.org.
CBL cbl.abuseat.org.
DSBL list.dsbl.org.
cd to /usr/local/etc/MailScanner/mcp
cp mcp.spam.assassin.prefs.conf.sample mcp.spam.assassin.prefs.conf
cd to /usr/local/etc/MailScanner
fetch http://www.mailscanner.eu/phishing.bad.sites.conf.master
cp phishing.bad.sites.conf.master phishing.bad.sites.conf
cd to /usr/local/etc/rc.d. There should be two new startup scripts, mta and mailscanner. If they have .sample at the end, remove that.
edit /etc/rc.conf, set sendmail_enable="NONE" and add the following
mailscanner_enable="YES"
mta_enable="YES"
mta_type="sendmail"
mta_profiles="incoming outgoing submitqueue"
mta_incoming_flags="-L sm-mta-in -bd -OPrivacyOptions=noetrn -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly"
mta_incoming_pidfile="/var/run/sendmail_in.pid"
mta_incoming_configfile="/etc/mail/sendmail.cf"
mta_outgoing_flags="-L sm-mta-out -q15m"
mta_outgoing_pidfile="/var/run/sendmail_out.pid"
mta_outgoing_configfile="/etc/mail/sendmail.cf"
mta_submitqueue_flags="-L sm-msp-queue -Ac -q15m"
mta_submitqueue_pidfile="/var/spool/clientmqueue/sm-client.pid"
mta_submitqueue_configfile="/etc/mail/submit.cf"
MailScanner should now be started when the system boots, but don’t reboot or try to start it yet. The following is FYI only at this point.
To start, stop or restart MailScanner manually, use
/usr/local/etc/rc.d/mailscanner start/stop/restart
To start,stop or restart sendmail manually, use
/usr/local/etc/rc.d/mta start/stop/restart
Cd to /usr/ports/sysutils/file and install with “make install”.
Cd to /usr/ports/mail/pyzor and install with “make install”. If you deselected IP6 support in earlier steps, deselect it here as well.
Cd to /usr/ports/mail/dcc-dccd and install with “make install”.
Pyzor, razor and bayes need periodic updates. Run the following script from crontab once a day:
#! /usr/local/bin/bash
# get a list of the Pyzor servers
/usr/local/bin/pyzor discover
# refresh /root/.razor/
/usr/local/bin/razor-admin -discover
# re-build the Bayes database daily
/usr/local/bin/sa-learn -p /usr/local/etc/MailScanner/spam.assassin.prefs.conf --sync --force-expire
Cd to /usr/local/etc/MailScanner and copy spam.assassin.prefs.conf to spam.assassin.prefs.conf.ORIG. Edit spam.assassin.prefs.conf and add bayes_ignore_header lines for the org-name you added when editing MailScanner.conf. My org-name was “FSU-Biology” so my bayes_ignore_header lines are:
bayes_ignore_header X-FSU-Biology-MailScanner
bayes_ignore_header X-FSU-Biology-MailScanner-SpamCheck
bayes_ignore_header X-FSU-Biology-MailScanner-SpamScore
bayes_ignore_header X-FSU-Biology-MailScanner-Information
and change
ifplugin Mail::SpamAssassin::Plugin::Pyzor
pyzor_path /usr/local/bin/pyzor
endif
Ok now you can reboot. At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.
If /usr/local/www/horde already exists (from an untar of previous data) move it with something like “mv /usr/local/www/horde /usr/local/www/horde.OLD”.
Cd to /usr/ports/mail/horde-imp and install with a “make install”. Leave defaults for options and in the options for Pear-Auth options box add PEAR_LOG, PEAR-FILE-PASSWD, PEAR-NET-POP3 and PEAR-DB support. When the Pear-Mail options box appears add Pear-Net-Smtp support. The install will take quite a while as there are lots of dependencies so this is a good time to get a cup of your favorite beverage.
Cd to /usr/ports/mail/horde-turba and “make install”.
Cd to /usr/ports/mail/horde-vacation and “make install”.
Cd to /usr/ports/mail/horde-ingo and “make install”.
Edit /usr/local/etc/apache22/extra/httpd-ssl.conf and add
<Directory "/usr/local/www/horde">
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLRequireSSL
</Directory>
directly underneath the
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
block of code.
And change
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
.
.
ErrorLog "/var/log/httpd-horde-error.log"
TransferLog "/var/log/httpd-horde-access.log"
If someone types in http://webmail.<your domain name> we want them to get redirected to https://webmail.<your domain name>.
Cd to /usr/local/etc/apache22, Edit httpd.conf and change
Include etc/apache22/extra/httpd-vhosts.conf
And add a directory entry for horde
<Directory "/usr/local/www/horde">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Cd to /usr/local/etc/apache22/extra and copy httpd-vhosts.conf to httpd-vhosts.conf.ORIG. Edit httpd-vhosts.conf, look for the virtual host section (near the bottom). Add a virtual host for redirecting to your encrypted webmail server and also one for your normal host name.
NameVirtualHost *:80
#
<VirtualHost *:80>
ServerAdmin webmaster@<your host name>
DocumentRoot "/usr/local/www/apache22/data"
ServerName <your host name>
ErrorLog "/var/log/httpd-error.log"
CustomLog "/var/log/httpd-access.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@<your host name>
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
Redirect permanent / https://webmail.<your domain name>/
ErrorLog "/var/log/httpd-horde-error.log"
CustomLog "/var/log/httpd-horde-access.log" combined
</VirtualHost>
And create the encrypted virtual host. Edit /usr/local/etc/apache22/extra/httpd-ssl.conf and find
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
Change the DocumentRoot ServerName and ServerAdmin values, setup separate log files
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog /var/log/httpd-horde-error.log
CustomLog "/var/log/httpd-horde-access.log" combined
Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above. So watch the <>’s.
Cd to /usr/local/www/horde/scripts/sql and copy create.mysql.sql to create.mysql.sql.ORIG. Edit create.mysql.sql and change the password from “horde” to <something else> where it says:
-- IMPORTANT: Change this password!
PASSWORD('horde')
Create the horde database with “mysql -u root -p < create.mysql.sql”, entering the MySQL root password when prompted.
Verify that you can connect to the horde database with “mysql -u horde -p”, entering the horde password (<something else>) when prompted.
Chmod create.mysql.sql to 550 and chown it to root:wheel. Or edit it and wipe out the password.
Cd to /usr/local/etc/apache22/Includes and edit httpd-horde.conf. Change
# should match the value of memory_limit in /usr/local/etc/php.ini
php_value memory_limit 64M
Cd to /usr/local/www/horde/config and copy conf.php to conf.php.ORIG.
Add user www to trusted mail users.
Edit /etc/mail/trusted-users and put in “www”.
Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove all server configurations except the cyrus configuration (imap, pop, cyrus, exchange, kolab). Change the cyrus configuration as follows:
$servers['cyrus'] = array(
    'name' => 'Cyrus IMAP Server',
    'server' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap/ssl/novalidate-cert',
    'port' => 993,
    'maildomain' => '<your_host_name>',
    'smtphost' => 'smtp.<your_host_name>',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(),
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
);
Note that the admin info array entry has been deleted.
To change the "Welcome to Horde" blurb to "Welcome to Webmail.<domain name>", cd /usr/local/www/horde/imp, copy login.php to login.php.ORIG, edit login.php and change
$title = "Welcome to Webmail.<your domain name>";
Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “localsql” section with 'title' => 'My Addressbook'. Delete all the other address book sources.
Create the turba database. Cd to /usr/local/www/horde/turba/scripts/sql and run
“mysql -u root -p horde < turba.mysql.sql”, enter the root password for MySQL when prompted.
Cd to /usr/local/www/horde/ingo/config. Make a backup copy of backends.php. Edit backends.php, remove all entries except for the one named sieve and change it as follows:
/* Sieve Example */
$backends['sieve'] = array(
    'driver' => 'timsieved',
    'preferred' => 'localhost',
    'hordeauth' => true,
    'params' => array(
        // Hostname of the timsieved server
        'hostspec' => 'localhost',
        // Login type of the server
        'logintype' => 'PLAIN',
        // Enable/disable TLS encryption
        'usetls' => true,
        // Port number of the timsieved server
        'port' => 2000,
        // Name of the sieve script
        'scriptname' => 'ingo',
    ),
    'script' => 'sieve',
    'scriptparams' => array()
);
Make a backup copy of /etc/services. Edit /etc/services, scroll down to port 2000, comment out the two “callbook” entries and insert
sieve           2000/tcp    #Sieve
sieve           2000/udp    #Sieve
beneath them.
GUI config of horde, imp, turba
Check your apache config files with “apachectl configtest”. If it’s ok then stop apache httpd with “apachectl stop”, then start apache httpd with “apachectl start”.
After apache httpd starts go to https://webmail.<your domain name> and the horde config page should show up.
Click on Administration->Setup->Address Book (turba) and change
- Should we display an import/export link in Turba’s menu: check
- Select any applications that should be linked in Turba's menu: Imp
- Name of client addressbook: localsql
Click the "Generate Address Book Configuration" button.
Click on Administration->Setup->Filters (ingo) and change
- Select any applications that should be linked in Ingo's menu: Imp
Click the "Generate Filters Configuration" button.
Click on Administration->Setup->Mail (imp) and change
- Select any applications that should be linked in IMP's menu: ingo, turba
Click the "Generate Mail Configuration" button.
Click on Administration->Setup->Vacation (vacation)
- Choose MySQL as database backend
Click the "Generate Tasks Configuration" button.
Click on Administration->Setup->Horde (horde) and change
Database
- What database backend should we use? = MySQL
- database server/host = localhost
- Username to connect to the database as = horde
- Password = <something else>
- Database name to use = horde
Preference System
- What preferences driver should we use? = SQL Database
Authentication
- Which users should be treated as administrators ... = <your_userid>
- What backend should we use for authenticating users to Horde? = Let a Horde application handle authentication
- The application which is providing authentication = imp
Click the "Generate Horde Configuration" button.
Log out from horde and log back in using <your_userid>. Most likely it will fail. To fix:
Cd /usr/local/www/horde/config
Edit conf.php
set $conf['session']['use_only_cookies'] = false;
Log in using <your_userid>. You should now have webmail and administration rights. All others that log in should have just webmail.
If something goes wrong and/or you don't get administrative rights cd to /usr/local/www/horde/config, copy conf.php.ORIG to conf.php, go to https://webmail.<your domain name> and try again.
Create users and mailboxes
Each email user will need a /etc/passwd account (see adduser) and a cyrus mailbox. To create the cyrus mailbox log in to the cyradm interface with “cyradm localhost –u <your userid>”. At the “localhost>” prompt type “cm user.<userid>” to create a mailbox for the user. You can also type “setquota user.<userid> <size in kb>” to set a quota on the mailbox. Ex. “setquota user.jsmith 1048576” would set jsmith’s quota to 1gb. Type exit to exit the cyradm interface.
Copy over users and data from previous system (if applicable)
Copy over your users (copy and paste from the password files /etc/passwd and /etc/master.passwd) and rebuild the user database (“pwd_mkdb /etc/master.passwd”). Create user mailboxes using cyradm (see above). Sync mailboxes from current_mail_server to new_mail_server once to move the majority of the data. See syncing_mailboxes_with_imapsync.php for documentation on syncing mailboxes between imap servers. Turn off sendmail and mailscanner on current_mail_server, then sync up the mailboxes again. Shut down current_mail_server, change the hostname, certs and config files on new_mail_server to those matching current_mail_server, and reboot new_mail_server, which will then come up as the new current_mail_server.
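When many users are being moved over, typing “cm” and “setquota” for each one at the cyradm prompt gets tedious and error-prone. The script below is an added example (not part of the original page) that turns a “userid quota_gb” list into the same cyradm commands described above, refusing userids that are not plain account names so that a stray “.” or space can never become a sub-mailbox or an extra command. It assumes cyradm reads commands from standard input when it is not attached to a terminal, and that the admin login is given in CYRUS_ADMIN (defaulting to the user running the script).

```shell
#!/bin/sh
# Added example, not from the original page: batch-create Cyrus mailboxes
# and quotas from a "userid quota_gb" list via cyradm.
# Assumption: cyradm reads commands from stdin when stdin is not a tty.

# Cyrus quotas are in kilobytes: 1 GB = 1048576 KB, as in the page's example.
gb_to_kb() {
    echo $(( $1 * 1048576 ))
}

# Only plain account names are accepted ([a-z0-9_-]); anything else
# could turn into a sub-mailbox name or a second cyradm command.
valid_userid() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read "userid quota_gb" lines (quota optional) and emit cyradm commands.
cyradm_commands() {
    while read -r user gb; do
        case "$user" in ''|\#*) continue ;; esac    # skip blank/comment lines
        if ! valid_userid "$user"; then
            echo "skipping invalid userid: $user" >&2
            continue
        fi
        echo "cm user.$user"
        case "$gb" in
            '') ;;                                   # no quota requested
            *[!0-9]*) echo "skipping bad quota for $user: $gb" >&2 ;;
            *) echo "setquota user.$user $(gb_to_kb "$gb")" ;;
        esac
    done
    echo exit
}

# Constructed sample input; in practice this would come from a file.
USERS='# userid  quota_gb
jsmith 1
ajones 2
j.smith 1
'

if [ "${1:-}" = "--apply" ]; then
    printf '%s' "$USERS" | cyradm_commands | cyradm localhost -u "${CYRUS_ADMIN:-$(id -un)}"
else
    printf '%s' "$USERS" | cyradm_commands     # dry run: only show the commands
fi
```

Run it without arguments first to review the generated commands, then with --apply to feed them to cyradm.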
The FuzzyOcr plugin for spamassassin will ocr scan images for spam words and forward the information to spamassassin. If you are getting spam messages that are nothing but an image and random text you might want to add this plugin. Directions at fuzzyocr.htm
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You’ll need to reboot for this to take effect.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild database with “cap_mkdb /etc/login.conf”.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log