Document last modified 2/17/2008, 9pm – see bottom for details.

 

This is the latest version (v8) of the freebsd-mail-server pages.

 

Installing a FreeBSD 6.3 mail server with MailScanner, SpamAssassin, Cyrus SSL/TLS POP, Cyrus SSL/TLS IMAP, SMTP-AUTH, STARTTLS, and webmail (IMP).

 

Note 0: This page was written to document the procedure I use to build my mail servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu. I would like to thank Sean Burnside for his help with the apache22 and Horde cookies problem, and Hiram Gibbard and Daniel Whelan for help with the Cyrus sieve / Horde Ingo section.

 

Note 1: You will need a DNS entry webmail.<your_domain_name> (an A record or a CNAME) that points at your mail server's IP address. Request it from whoever manages DNS for your domain.

 

Note 2 : I use the terms "folder" and "directory" interchangeably. Terms placed in <>'s are usually variables, meaning don't type in the <>'s. For example <your_userid> is the username you su to root from. The exception is the Apache configuration (httpd.conf and the files under extra/), where <Directory ...> and <VirtualHost ...> use literal angle brackets.

 

Note 3 : Previous versions of this document used Qualcomm's qpopper and UW imapd. For performance reasons this has been changed to Cyrus. Cyrus uses its own mailbox format, so existing mailboxes have to be converted. The page syncing_mailboxes_with_imapsync.php documents our procedure for converting mailboxes from other formats to Cyrus; it will be posted soon.

 

Note 4 : I'll be adding special notes for those rebuilding a current FreeBSD box. (They were in red on the original page; here they are the paragraphs starting "FreeBSD Server Rebuild?".) By rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process; I change the hostname on the new box until I'm done, then change it to the true server name after I've tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache22/httpd.conf, /usr/local/www/apache22/data/phpmyadmin/config.inc.php and /usr/local/etc/MailScanner/MailScanner.conf. I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I'm rebuilding. Previous versions had a method for moving the IMP address book database, but changes in the database format have kept that from working reliably. I recommend having your users export their address book to a file before the rebuild and import it back afterwards.

 

Install FreeBSD 6.3. I usually do an "Average user, binaries and docs only" install, no X Windows. If you haven't installed FreeBSD before, instructions are at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.

 

  

I usually just download the bootonly.iso, burn it to cd, boot from cd, and go from there to install via network interface.

 

Don't install ports when asked. I download the latest from the link on the FreeBSD website to make sure I get the latest version.

 

If you didn’t include sources in your initial install, use sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).

 

Recompile the kernel to get rid of all the stuff it contains that you don't need. This cuts my kernel to less than half its previous size. Directions for recompiling the kernel are at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

and here's a link to my "KERNCONF" file. Note that yours will almost certainly be different. You'll definitely want to look at CPU type, ethernet card and RAID controller; mine is set for Pentium >= II, Intel GB LAN and a 3ware 9500 RAID. Other than that it's a standard PC. Note: if you remove the INET6 options from the kernel you'll want to drop the IPv6 listener from sendmail as well. In the generated /etc/mail/sendmail.cf it shows up as "O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O", but don't edit the .cf directly (it is regenerated from the .mc file every time you run make in /etc/mail); comment out the matching DAEMON_OPTIONS line in the .mc file instead. More on that later.

 

Basic procedure for building and installing a new kernel is:

- cd /usr/src/sys/i386/conf

- cp GENERIC <your host name in caps>

- edit <your host name in caps> to reflect your hardware

- cd /usr/src and run "make buildkernel KERNCONF=<your host name in caps>"

- run "make installkernel KERNCONF=<your host name in caps>"

- reboot to use the new kernel (run "shutdown -r now")

- mv /boot/kernel.old /boot/kernel.ORIG   # ORIG assumes this is your first kernel recompile. Else change ORIG to something appropriate.

 

Hint: install all applicable security patches from http://www.freebsd.org/security before compiling kernel.  That way any patches that require kernel rebuild are completed in above step.

 

If you commented out ipv6 in kernel don’t fret about the sendmail ipv6 error message, we’ll deal with it shortly.

 

Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it there.

 

 

Update ports

 

Please note I only recommend this on a new box.  Updating ports on an old box can result in broken ports.  On a recent box it works pretty well, though sometimes some tweaking is required.

 

cd to /usr/ports/net/cvsup-without-gui and run "make install". When that's done run

 

“cvsup /usr/share/examples/cvsup/ports-supfile -h cvsup2.freebsd.org”.

 

If denied access on cvsup2 try cvsup3.

 

Install portupgrade (if not already installed) with

 

“cd /usr/ports/ports-mgmt/portupgrade” and a “make install”

 

Backup your current ports db with

 

“cd /var/db” and “tar cvfz var.db.pkg.<todays_date>.tgz pkg”

 

Find and fix stale dependencies

 

“/usr/local/sbin/pkgdb -F”  # Answer "YES" to fix questions.

 

Recompile/upgrade ports, choosing the default options on the config screens, except deselect IPv6 if you compiled the kernel without it:

 

“/usr/local/sbin/portupgrade -ra”

 

 

Hint: if you are running csh or tcsh (the default root shell on FreeBSD) you may have to type "rehash" before the shell finds the newly installed cvsup command; sh and bash search the path again for a command they haven't seen, so they don't need it.

 

 

Install bash and change some config files

 

 

Install bash: cd to /usr/ports/shells/bash and "make install". Change your own login shell to "/usr/local/bin/bash" with vipw (or chsh), and run "adduser -C" to make bash the default shell for new users. Leave root's shell alone: /usr/local/bin/bash lives on a filesystem that may not be mounted in single-user mode, and a root account whose shell is missing is one you cannot log in to when you most need to. su to root and run bash by hand if you want it there.

 

 

Make a directory for installing stuff. I use /usr/install thus “mkdir /usr/install”

 

Copy /etc/hosts.allow to /etc/hosts.allow.ORIG and edit /etc/hosts.allow to tighten it. Rules are tried top to bottom and the first match wins, so order matters. I only allow ssh from my work PC. I allow sendmail, pop and imap from anywhere. I allow anything from localhost. I allow finger from inside biology. I deny all else. Mine looks like this:

 

# hosts.allow access control file for "tcp wrapped" applications.

# $FreeBSD: src/etc/hosts.allow,v 1.0.7 2005/12/07 15:17:44 sysalex Exp $

#

 

# Allow anything from localhost. Note that an IP address (not a host

# name) *MUST* be specified for portmap(8).

# This also allows imapd from localhost for IMP

ALL : localhost 127.0.0.1 : allow

ALL : bio.fsu.edu 128.186.38.55 : allow

 

# Prevent those with no reverse DNS from connecting.

#ALL : PARANOID : RFC931 20 : deny

# Prevent unregistered IPs from connecting.

#ALL : UNKNOWN : RFC931 20 : deny

 

# Allow sendmail, popper and imap from anywhere

sendmail : ALL : allow

imaps : ALL : allow

imap : ALL : allow

pop3s : ALL : allow

pop3 : ALL : allow 

sieve : ALL : allow

 

# Allow finger from inside biology

fingerd : .bio.fsu.edu : allow

fingerd : ALL : deny

 

# Allow ssh from alexpc

sshd : alexpc.bio.fsu.edu : allow

sshd : ALL : deny

 

# Deny all else

ALL : ALL : deny
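Because the first matching rule decides, it is worth checking what a given daemon/client pair would get before you lock yourself out of ssh. The following is an added example of mine, not part of the original page, that evaluates a client against these rules the way libwrap does. SAMPLE_HOSTS_ALLOW is the rule set above re-typed with the comments stripped; the host names and addresses used in the checks (alexpc.bio.fsu.edu, evil.example.net, 203.0.113.5 and so on) are made up. It is a simplification: it understands ALL, LOCAL, ".domain" suffixes, "net." address prefixes and exact names, but not EXCEPT, KNOWN/UNKNOWN/PARANOID, netmasks or shell commands in the option field, and it takes the client's host name as already resolved, which is a reminder that the .bio.fsu.edu rules are only as trustworthy as your reverse DNS.

```python
"""Evaluate tcp_wrappers (hosts.allow) rules the way libwrap does: first match wins.

Added example, not from the original page. Simplified matcher; see the lead-in.
"""

# The rule set from the hosts.allow above, re-typed here (constructed sample input).
SAMPLE_HOSTS_ALLOW = """
ALL : localhost 127.0.0.1 : allow
ALL : bio.fsu.edu 128.186.38.55 : allow
sendmail : ALL : allow
imaps : ALL : allow
imap : ALL : allow
pop3s : ALL : allow
pop3 : ALL : allow
sieve : ALL : allow
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
sshd : alexpc.bio.fsu.edu : allow
sshd : ALL : deny
ALL : ALL : deny
"""


def parse_rules(text):
    """Return [(daemon_list, client_list, action)] in file order; order is the point."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError("unsupported rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split(), fields[2].lower()))
    return rules


def client_matches(pattern, hostname, ip):
    """One client pattern against the (already resolved) host name and IP of the peer."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == "all":
        return True
    if pattern == "local":                 # any host name without a dot
        return "." not in hostname
    if pattern.startswith("."):            # domain suffix, e.g. .bio.fsu.edu
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 128.186.
        return ip.startswith(pattern)
    return pattern in (hostname, ip)       # exact host name or address


def decide(rules, daemon, hostname, ip):
    """Walk the rules top to bottom; the first one naming this daemon and client decides."""
    for daemons, clients, action in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, hostname, ip) for p in clients):
                return action
    # No rule matched: libwrap grants access. This is why the file ends in ALL : ALL : deny.
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for daemon, host, ip in [("sshd", "alexpc.bio.fsu.edu", "128.186.38.10"),
                             ("sshd", "evil.example.net", "203.0.113.5"),
                             ("imaps", "evil.example.net", "203.0.113.5"),
                             ("fingerd", "host.fsu.edu", "128.186.1.1"),
                             ("telnetd", "evil.example.net", "203.0.113.5")]:
        print("%-8s from %-20s -> %s" % (daemon, host, decide(rules, daemon, host, ip)))
```

Remove the closing ALL : ALL : deny from the sample and decide() answers "allow" for a wrapped daemon you forgot to list (telnetd from anywhere), because tcp_wrappers grants access when nothing matches. That last line is what makes the file default-deny.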

 

 

 

(FreeBSD Server Rebuild?: just scp hosts.allow from old box instead and change the local hostname if necessary).

 

 

Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the "my.domain" in localhost.my.domain (2 places) to your domain name (e.g. "localhost.bio.fsu.edu").

 

Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.ORIG” or something similar.  Edit /etc/rc.conf and add

 

   apache22_enable="YES"

   apache22_ssl_enable="YES"

   apache22_http_accept_enable="YES"

   cyrus_imapd_enable="YES"

   cyrus_pwcheck_enable="YES"

   mysql_enable="YES"

   saslauthd_enable="YES"

   sendmail_enable="YES"

 

On older versions of FreeBSD sendmail_enable may already be on.

 

 

Install newer Perl

 

FreeBSD 6.3 doesn't install Perl by default, but if you installed portupgrade, Perl was probably pulled in as a dependency. If not, install it:

cd to /usr/ports/lang/perl5.8 and install with "make install".

Check the result with "perl -v". You may have to do a "rehash" first, depending on your shell.

 

 

Install cclient

 

Cd to /usr/ports/mail/cclient and run “make -DWITH_SSL_AND_PLAINTEXT install”.  Accept defaults on config options.

 

 

Install cyrus-sasl2-saslauthd

 

Cd to /usr/ports/security/cyrus-sasl2-saslauthd and install with “make -DWITHOUT_OTP install”.  This will also install cyrus-sasl2.

 

Make sure /etc/rc.conf contains the following two lines (they were part of the block added above; add them now if you skipped that):

   cyrus_pwcheck_enable="YES"

   saslauthd_enable="YES"

    

 

Install cyrus-imapd23

 

cd /usr/ports/mail/cyrus-imapd23 and install with “make install”.

 

Copy /usr/local/etc/imapd.conf /usr/local/etc/imapd.conf.ORIG.  Edit /usr/local/etc/imapd.conf and change

 

allowplaintext: no

admins: <your_userid>

sasl_pwcheck_method: saslauthd

tls_cert_file: /var/imap/server.pem

tls_key_file: /var/imap/server.pem

 

Create the cyrus directories:

cd /var

mkdir imap

chown cyrus:mail imap

chmod 750 imap

cd /var/spool

mkdir imap

chown cyrus:mail imap

chmod 750 imap

cd /var/imap

mkdir sieve

chown cyrus:mail sieve

chmod 750 sieve

 

 

cd to /var/imap and make the server.pem file with

openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 365

When asked for "Common Name" enter the FQDN of your mail server. This is a self-signed certificate, so mail clients will warn about it until users accept or import it; get one from a CA (or issue one from the private CA built in the sendmail section below) if that matters to you. The key is written unencrypted (-nodes) because the daemon has to read it at startup with nobody there to type a passphrase, so the file permissions below are all that protects it. Note the 365 day lifetime: put a reminder in your calendar to regenerate it.

Change the owner, group and permissions of server.pem:

chown cyrus:cyrus server.pem

chmod 440 server.pem

 

Su to the cyrus user with "su cyrus" and run mkimap with "/usr/local/cyrus/bin/mkimap". Exit back to root.

Create an admin user in the sasl password db.

saslpasswd2 -c <your_userid>

Note that with sasl_pwcheck_method: saslauthd the password Cyrus actually checks is whatever saslauthd is configured to check (FreeBSD's default saslauthd_flags use "-a pam", i.e. the system password), not the sasldb entry written by saslpasswd2, so <your_userid> must be a real system account with a password. The admins: line in imapd.conf is what makes that account a Cyrus administrator, so give that line the same care you would give a root password.

 

Log into the cyrus administration interface (cyradm).

cyradm localhost -u <your_userid>

Once logged in (you should have a prompt that looks like "localhost>") create cyrus mailboxes for root and yourself.

cm user.root

cm user.<your_userid>

exit

         

cd to /etc and copy syslog.conf to syslog.conf.ORIG. Edit syslog.conf and add

# cyrus

local6.debug                                    /var/log/imapd.log

auth.debug                                      /var/log/auth.debug.log

 

Create the log files with “touch /var/log/imapd.log” and “touch /var/log/auth.debug.log”.

 

 

Do a little work on sendmail

 

Backup your /etc/make.conf with something like “cp /etc/make.conf /etc/make.conf.BAK”.  Edit /etc/make.conf and add

 

# Add SMTP AUTH support to Sendmail

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2

SENDMAIL_LDFLAGS+= -L/usr/local/lib

SENDMAIL_LDADD+= -lsasl2

# Enable alternate port (smtps) for sendmail.

SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL

 

Rebuild sendmail

 

cd /usr/src

make buildworld

cd /usr/src/usr.sbin/sendmail

make clean

make depend

make

make install

 

Make an SSL cert for sendmail.  These directions for creating the sendmail cert were obtained from sendmail.org.

 

cd /usr/install

mkdir CA

cd CA

mkdir certs crl newcerts private

echo "01" > serial

cp /dev/null index.txt

cp /etc/ssl/openssl.cnf  ./openssl.cnf

 

Ok, now edit openssl.cnf and change

 

dir             = .                     # Where everything is kept

 

To make the CA (certificate authority)

 

openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

 

To make a new certificate:

 

cd CA        (same directory created above)

openssl req -nodes -new -x509 -keyout mykey.pem -out mykey.pem -days 365 -config openssl.cnf

This puts both the certificate and the private key in the file mykey.pem. To sign the new certificate with the certificate authority:

 

cd CA        (same directory created above)

openssl x509 -x509toreq -in mykey.pem -signkey mykey.pem -out tmp.pem

openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem

rm -f tmp.pem

mkdir /etc/mail/certs

cp cacert.pem /etc/mail/certs

cp mycert.pem /etc/mail/certs

cp mykey.pem /etc/mail/certs

chmod 600 /etc/mail/certs/*.pem

 

  

Generate a site mc file

 

cd /etc/mail

make all

 

 

Edit the new mc file (<FQDN>.mc) and add the following lines. The three confAUTH_OPTIONS flags are the security-relevant part: A means a client's AUTH= parameter is only honoured once that client has authenticated, p means mechanisms that hand over the password (PLAIN, LOGIN) are not offered unless a TLS layer is up, and y means no anonymous logins. confDEF_AUTH_INFO only matters if this host itself authenticates to an upstream relay; if you do create /etc/mail/auth-info make it owned by root and mode 600, since it holds a password.

 

          define(`confLOCAL_MAILER', `cyrusv2')

MAILER(`cyrusv2')

 

          dnl set SASL2 options

TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl

define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl

 

dnl starttls stuff

define(`CERT_DIR', `/etc/mail/certs')dnl

define(`confCACERT_PATH', `CERT_DIR')dnl

define(`confCACERT', `CERT_DIR/cacert.pem')dnl

define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl

define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl

define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl

define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

define(`confAUTH_OPTIONS',`A p y')dnl

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

 

dnl change log level

define(`confLOG_LEVEL', `15')dnl

 

dnl change load levels

define(`confQUEUE_LA', `24')dnl

define(`confREFUSE_LA', `36')dnl

 

 

If you disabled IPv6 support in your kernel you'll want to comment out the

DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

line by putting "dnl " at the start of the line.

 

Install the new cf file with “make all install”

 

To enable relaying from inside your domain without SMTP AUTH, create a new file /etc/mail/access. Mine looks like this. Keep this list short: every RELAY entry is a set of hosts that can send mail anywhere through your server without a password, and an entry like "128.186" covers the whole 128.186.0.0/16 network, not one host. Host name entries such as "fsu.edu" are matched against the connecting client's reverse DNS name, so they are only as trustworthy as that DNS.

 

fsu.edu RELAY

128.186 RELAY

146.201 RELAY

144.174 RELAY

evilspammer.com REJECT

 

Replace "fsu.edu" and the IP prefixes with the domain(s) and networks from which you wish to relay mail without SMTP AUTH.

 

Make the access database with “makemap hash access < access”. This creates a file called access.db.
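Which access entry wins for a given client is worth seeing once. The following is an added example of mine (not sendmail's code or the page's) that reproduces the order in which sendmail looks a client up in the map: an IPv4 address loses one octet at a time, a host name loses one leading label at a time. SAMPLE_ACCESS is the file above re-typed. It deliberately leaves out the Connect:/From:/To: tags, IPv6, and the safeguard by which sendmail refuses to relay on the strength of a host name whose reverse lookup is not forward-confirmed, and it assumes the host-name walk continues down to the last label; the host names and addresses used in the demonstration (lab.bio.fsu.edu, notfsu.edu, 203.0.113.9) are made up.

```python
"""Walk sendmail's access_db lookup order for a connecting client.

Added example, not from the original page; see the lead-in for what it leaves out.
"""
import ipaddress

# The /etc/mail/access from the text, re-typed here (constructed sample input).
SAMPLE_ACCESS = """\
fsu.edu RELAY
128.186 RELAY
146.201 RELAY
144.174 RELAY
evilspammer.com REJECT
"""


def parse_access(text):
    """Key/value pairs as makemap would see them (keys are case-insensitive)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed access entry: %r" % raw)
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(client):
    """Keys sendmail tries for one client, most specific first.

    An IPv4 address is shortened an octet at a time (128.186.38.55, 128.186.38,
    128.186, 128); a host name loses one leading label at a time down to its last
    label (lab.bio.fsu.edu, bio.fsu.edu, fsu.edu, edu).
    """
    try:
        ipaddress.IPv4Address(client)
    except ValueError:                       # not an IPv4 literal: treat as a host name
        labels = client.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]
    octets = client.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def access_decision(table, client):
    """(matching key, action) for the first key present in the map, or (None, None)."""
    for key in lookup_keys(client):
        if key in table:
            return key, table[key].split()[0].upper()
    return None, None


def relays_without_auth(table, client):
    """True if this client may relay through us with no SMTP AUTH at all."""
    return access_decision(table, client)[1] == "RELAY"


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for client in ("lab.bio.fsu.edu", "128.186.38.55", "mail.evilspammer.com",
                   "notfsu.edu", "203.0.113.9"):
        print("%-22s %s" % (client, access_decision(table, client)))
```

Note that matching is by whole label or octet, not by substring: notfsu.edu does not match the fsu.edu entry, and 128.1861.x.x would not match 128.186. That is also why "128.186" on its own is a /16 and not a single host.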

 

Edit a file called /etc/mail/local-host-names and insert the domains for which the machine will be receiving mail. I receive mail for bio.fsu.edu and two other domains so mine looks like this.

 

          bio.fsu.edu

          southernmatters.com

lakejacksonturtles.org

 

Edit /etc/mail/aliases and at least redirect root to an account you check. Also add any other aliases you want for your domain. Rebuild alias database with “newaliases”.

 

(FreeBSD Server Rebuild?: scp local-host-names and certs from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, copy over any alias files you had).

 

Reboot. When the system comes back up you should have a functional mail server. Test sending a message to your account on the machine and reading it with POP and IMAP. Test SMTP, POP and IMAP on both the standard and alternate ports. Test that plaintext passwords without encryption are disallowed. Use Eudora to test SMTP and POP using the "Never", "If Available, STARTTLS", "Required, Alternate Port" and "Required, STARTTLS" options. Use Thunderbird to test IMAP using the "Never", "TLS", and "SSL" options.

 

If things don't work check the /var/log/maillog, /var/log/imapd.log and /var/log/messages files for errors. Also, if /var/log/auth.log has entries like "imaps[610]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied" then, assuming you aren't going to use OTP, you can "chown cyrus /etc/opiekeys" to get rid of the error messages. The cleaner fix is to rebuild the cyrus-sasl2 port with the OTP option turned off so the plugin is never loaded, rather than handing the cyrus user write access to the system's one-time-password database.
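The test step above (verify that plaintext passwords without encryption are refused) can be automated. The following is an added example of mine, not from the page: the three *_allowed functions decide from a server's IMAP CAPABILITY, SMTP EHLO or POP3 CAPA response whether a cleartext password would be accepted, and probe() runs them against a live host on ports 143, 25 and 110, once before and once after STARTTLS/STLS, using only the Python standard library. The sample responses in the block are constructed to show one correctly configured server and one that still offers PLAIN/LOGIN on the wire; the name mail.example.org and address 192.0.2.10 in them are placeholders. The script name and the host argument are yours to choose.

```python
"""Check that IMAP, POP3 and SMTP refuse cleartext passwords until TLS is up.

Added example, not from the original page. The three *_allowed functions work on
a capability/EHLO/CAPA response; probe() collects those responses from a live
host on ports 143, 25 and 110, before and after STARTTLS/STLS.
"""
import imaplib
import poplib
import smtplib


def imap_plaintext_allowed(capability_line):
    """True if an IMAP CAPABILITY response permits a cleartext password.

    Cyrus with allowplaintext: no advertises LOGINDISABLED and omits AUTH=PLAIN
    and AUTH=LOGIN until TLS is negotiated; both conditions are needed for False.
    """
    caps = set(capability_line.upper().split())
    return "LOGINDISABLED" not in caps or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})


def smtp_plaintext_auth_allowed(ehlo_lines):
    """True if an EHLO response offers AUTH PLAIN or LOGIN. sendmail's 'p' flag in
    confAUTH_OPTIONS withholds both until a TLS layer exists."""
    for line in ehlo_lines:
        words = line.strip().upper().split()
        if words and words[0] == "AUTH" and {"PLAIN", "LOGIN"} & set(words[1:]):
            return True
    return False


def pop3_plaintext_allowed(capa_lines):
    """True if a POP3 CAPA response permits USER/PASS or SASL PLAIN/LOGIN."""
    for line in capa_lines:
        words = line.strip().upper().split()
        if words and (words[0] == "USER" or
                      (words[0] == "SASL" and {"PLAIN", "LOGIN"} & set(words[1:]))):
            return True
    return False


# Constructed sample responses (typed for this example, not captured anywhere).
IMAP_CAPS_GOOD = "IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED"
IMAP_CAPS_BAD = "IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN"
SMTP_EHLO_GOOD = ["mail.example.org Hello client [192.0.2.10]", "ENHANCEDSTATUSCODES",
                  "PIPELINING", "8BITMIME", "SIZE", "STARTTLS", "DELIVERBY", "HELP"]
SMTP_EHLO_BAD = SMTP_EHLO_GOOD[:5] + ["AUTH PLAIN LOGIN"] + SMTP_EHLO_GOOD[5:]
POP3_CAPA_GOOD = ["TOP", "UIDL", "STLS", "RESP-CODES", "PIPELINING"]
POP3_CAPA_BAD = ["TOP", "UIDL", "USER", "SASL PLAIN LOGIN", "STLS"]


def probe(host, timeout=10):
    """Live check. On a server set up as described above every *_before value is
    False and every *_after value is True (the mechanisms appear once TLS is on)."""
    results = {}

    imap = imaplib.IMAP4(host)                         # port 143
    results["imap_before"] = imap_plaintext_allowed(" ".join(imap.capabilities))
    imap.starttls()
    _, data = imap.capability()                        # re-read after the TLS handshake
    results["imap_after"] = imap_plaintext_allowed(data[0].decode())
    imap.logout()

    smtp = smtplib.SMTP(host, 25, timeout=timeout)
    smtp.ehlo()
    results["smtp_before"] = smtp_plaintext_auth_allowed(smtp.ehlo_resp.decode().splitlines())
    smtp.starttls()
    smtp.ehlo()                                        # the extension list changes after TLS
    results["smtp_after"] = smtp_plaintext_auth_allowed(smtp.ehlo_resp.decode().splitlines())
    smtp.quit()

    pop = poplib.POP3(host, 110, timeout=timeout)
    lines = [" ".join([name] + args) for name, args in pop.capa().items()]
    results["pop3_before"] = pop3_plaintext_allowed(lines)
    pop.stls()
    lines = [" ".join([name] + args) for name, args in pop.capa().items()]
    results["pop3_after"] = pop3_plaintext_allowed(lines)
    pop.quit()
    return results


if __name__ == "__main__":
    import sys
    for key, value in sorted(probe(sys.argv[1]).items()):
        print("%-12s plaintext allowed: %s" % (key, value))
```

A server configured as above gives False for every *_before entry and True for every *_after one: Cyrus advertises LOGINDISABLED and hides AUTH=PLAIN until TLS is up because of allowplaintext: no, and sendmail hides AUTH PLAIN LOGIN because of the p in confAUTH_OPTIONS. If a "before" value comes back True, the weak setting is live and every client that picks "Never" for encryption is sending its password in the clear.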

 

 

Install Apache 2.2 with mod_ssl

cd to /usr/ports/www/apache22 and run "make install". Accept the default options, but disable IPv6 if you disabled it in your kernel.

 

If you had a previous version of httpd.conf you will want to enable any special options you had in the new /usr/local/etc/apache22/httpd.conf. I usually run a diff between the new file and old file to spot any differences.  If you are upgrading from apache1.3.x then be aware that the old httpd.conf file has been split up between /usr/local/etc/apache22/httpd.conf and /usr/local/etc/apache22/extra/*.conf.

 

cd to /usr/local/etc/apache22 and "mkdir certs". cd to certs. Generate a certificate for your webserver by running the following commands. Probably best to copy and paste them into something like /usr/local/sbin/mkwebcerts, chmod that to 700 and then run it.

 

openssl genrsa -des3 -out webmail.key 1024

openssl rsa -noout -text -in webmail.key

openssl rsa -in webmail.key -out webmail.key.unsecure

openssl req -new -x509 -nodes -sha1 -days 365 -key webmail.key -out webmail.crt

openssl x509 -noout -text -in webmail.crt

 

When asked for "Common Name" enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>). For the other questions the common sense answer is correct. When asked for a password or passphrase type in the same thing each time. Two things to change if you are doing this today rather than in 2008: use 2048 bits or more in place of 1024, and -sha256 in place of -sha1; both of the older choices are now treated as weak by browsers.

Chown the cert files to www:www and chmod them to 440. Strictly, Apache reads the certificate and key as root at startup (and on a graceful restart) before dropping to the www user, so webmail.key.unsecure, the copy without a passphrase, can be owned by root with mode 400; only give www read access to it if you have a reason to.

 

(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box).  Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.

 

Edit httpd.conf and change

ServerName <your host name>

ServerAdmin <your email address>

Include etc/apache22/extra/httpd-userdir.conf

Include etc/apache22/extra/httpd-default.conf

Include etc/apache22/extra/httpd-ssl.conf

 

Edit httpd-ssl.conf and change

          ServerName webmail.<your domain>:443   (use the temporary webmail2 name if you are doing a rebuild under another machine name, and change it back when you switch over)

          ServerAdmin <your email address>

SSLCertificateFile /usr/local/etc/apache22/certs/webmail.crt

SSLCertificateKeyFile /usr/local/etc/apache22/certs/webmail.key.unsecure

 

Make sure you added the following to /etc/rc.conf

apache22_enable="YES"

apache22_ssl_enable="YES"

apache22_http_accept_enable="YES"

 

Here’s a couple of hints for those of you new to apache.

 

The default install of apache does not have cgi-scripts enabled. To enable cgi scripts:

 

Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.

<Directory "/usr/local/www/cgi-bin">

AllowOverride None

Options ExecCGI

Order allow,deny

Allow from all

</Directory>

 

and uncomment

AddHandler cgi-script .cgi

 

(FreeBSD Server Rebuild?: don't just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)

 

 

Install MySQL (server and client)

 

Cd to /usr/ports/databases/mysql50-server and run “make install”. This will install both server and client.  Edit /etc/rc.conf and add

 

          mysql_enable=”YES”

 

 

Install php4

 

cd to /usr/ports/lang/php4 and run "make install". On the options screen leave the defaults checked and add "APACHE", "DEBUG", "MULTIBYTE" and "OPENSSL". If you compiled your kernel without IPv6 support, remove it here as well.

cd to /usr/ports/lang/php4-extensions and run "make install". On the options screen, leave the defaults checked and add:

DOMXML, FILEINFO, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MBSTRING, MCAL, MCRYPT, PDF, PSPELL and XML (some may already be selected). Note that "OPENSSL" is NOT selected. Not all of these are needed for Horde/IMP, but the extras are useful for other applications. Use the default options on any dependencies.

 

After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change

 

upload_max_filesize = 32M   ; max upload file size in webmail

post_max_size = 32M         ; max upload file size in webmail

memory_limit = 64M          ; Maximum amount of memory a script may consume (default 8M)

 

Cd to /usr/ports/databases/pear-DB and run “make install”.

 

Cd to /usr/ports/sysutils/pear-Log and run “make install”.  Enable pear-DB support.

 

Check to make sure that the php install added the php application code to your /usr/local/etc/apache22/httpd.conf file. The chunk of code it was supposed to add is:

 

          AddType application/x-httpd-php .php

          AddType application/x-httpd-php-source .phps

 

and it goes right under the

 

#AddType application/x-gzip .tgz

 

block of code. If it didn't put it in (and it usually doesn't) go ahead and paste it in. Also you'll want to add index.php to the list of index pages under the DirectoryIndex section if it didn't get added. I use both php and shtml so mine looks like:

 

<IfModule dir_module>

                   DirectoryIndex index.php index.shtml index.html index.htm

</IfModule> 

 

And add a directory entry for horde. ("Indexes" is in my config but isn't needed for Horde; it turns any directory that lacks an index file into a browsable listing, so consider leaving it out.)

<Directory "/usr/local/www/horde">

                   Options Indexes FollowSymLinks

                   AllowOverride None

                   Order allow,deny

                   Allow from all

</Directory>

 

Cd to /usr/ports/graphics/GraphicsMagick and install with "make install". This step is optional but a good idea if you plan to do any image manipulation with apache.

 

 

Install phpMyAdmin

 

Download latest version from http://www.phpmyadmin.net. There is no install as such for this, just unzip and untar the contents to /usr/local/www/apache22/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with “chown –R www:www <folder name>”. Go into this folder and copy ./libraries/config.default.php to ./config.inc.php.

  

OK reboot with a shutdown –r now and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpmyadmin page should load.  If it doesn’t you could try editing config.inc.php and change

 

      $cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';

 

Click on privileges and delete all the users except root on localhost (2 any’s and a root at machine name). If the user refuses to delete remove all database and table specific privileges for that user and then try again. Edit the root at localhost user and set a password. Reload the mysql server. At this point it should kick you out. Edit config.inc.php and put in your new password.

 

$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password

 

You should now be able to reload the phpmyadmin page. Chown config.inc.php to www:www and chmod it to 550.

 

Now we must protect the phpMyAdmin folder. "Satisfy All" below means a client must both come from one of the listed IPs and present a valid password; with "Satisfy Any" either one would do. I did this by editing /usr/local/etc/apache22/httpd.conf and adding an entry for the directory that reads (for example purposes I'm using phpMyAdmin as the folder name and replaced the IPs with X's and Y's):

 

<Directory /usr/local/www/apache22/data/phpMyAdmin>

    AllowOverride AuthConfig

    Order deny,allow

    Deny from all

    Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY

    AuthName "Any blurb you want, gets displayed in login dialog box"

    AuthType Basic

    AuthUserFile /usr/local/etc/apache22/http_pws/phpMyAdmin.dat

    Require valid-user

    Satisfy All

</Directory>

 

I put my directory entries underneath the one for /home/*/public_html.

 

You'll need to create the /usr/local/etc/apache22/http_pws folder. Then use the "htpasswd -c /usr/local/etc/apache22/http_pws/phpMyAdmin.dat <username>" command to create the phpMyAdmin.dat file (run htpasswd without -c to add further users; -c recreates the file).

 

 

Check your config file with "apachectl configtest" and if OK restart apache with "/usr/local/etc/rc.d/apache22 restart" (Apache 2.2 dropped "apachectl startssl"; SSL is active whenever httpd-ssl.conf is included). You should now be able to load the phpMyAdmin page from only the IPs you entered. Any other IP should return "Forbidden . . .", and the listed IPs still have to supply the htpasswd password.

 

 

(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to somewhere safe and install latest version).

 

 

Install uvscan, f-prot or other antivirus software

 

Mcafee uvscan

 

Get the latest version of McAfee uvscan for FreeBSD (vbs6520l.tar.z as of 8-10-2007) from wherever you get your McAfee software. Go to your /usr/install directory and do a "mkdir vbsd" and then "cd vbsd" (vbs6520l.tar.z doesn't create its own directory when you untar it). Move the installer to the current directory, gunzip it, and then untar it. Then run ./install-uvscan and accept all defaults.

 

cd to /usr/local/sbin and fetch http://bio.fsu.edu/~sysalex/uvscan-update. Read through the script before you run it: it arrives over plain HTTP and will run as root, so nothing stands between you and whatever is in it. chmod uvscan-update so that only root can run it ("chmod 700 uvscan-update") and run it with "./uvscan-update".

 

Run “/usr/local/uvscan/uvscan --version” to check the results.

 

Run uvscan-update out of cron daily or more often to keep mcafee uvscan virus definitions current.

 

 

F-Prot

 

Cd to /usr/ports/security/f-prot and “make install”.

 

Run /usr/local/f-prot/tools/check-updates.pl to update virus definitions. Also run this from cron daily or more often. Don't be surprised if MailScanner updates f-prot for you.

 

 

Install MailScanner

 

Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install with “make install”.  Leave all defaults selected and add MYSQL, RAZOR and TOOLS support.

 

Cd to /usr/ports/mail/mailscanner and install with “make install”.  Deselect SPAMASSASSIN and CLAMAV, assuming you have all ready installed spamassassin and will be using uvscan, not clamav.

 

Generate default config files with “make initial-config”.

 

Create the MailScanner spool directories with

mkdir -p /var/spool/MailScanner/incoming

mkdir /var/spool/MailScanner/quarantine

mkdir /var/spool/mqueue.in

chgrp daemon /var/spool/MailScanner/*

chgrp daemon /var/spool/mqueue.in

 

  

cd to /usr/local/etc/MailScanner and copy MailScanner.conf to MailScanner.conf.ORIG. edit MailScanner.conf and change

 

%org-name% = <Your org name>

%org-long-name% = <Your org name in long format>

%web-site% = <link to whatever web page you want, a page describing mailscanner seems appropriate>

Expand TNEF = no

File Command = /usr/local/bin/file

Maximum Attachment Size = 41943040      # 40 mb

Maximum Message Size = 67108864          # 64 mb

Minimum Attachment Size = 1

Maximum Archive Depth = 0

Virus Scanners = f-prot mcafee

Virus Scanner Timeout = 600

Quarantine Infections = no

Quarantine Whole Message = yes

Always Include SpamAssassin Report = yes

Virus Subject Text = {Virus}

Filename Subject Text = {Filename}

Disarmed Modify Subject = no

Phishing Modify Subject = yes

Warning Is Attachment = no

Spam List = spamhaus.org spamhaus-XBL spamcop.net NJABL CBL DSBL # You can un-comment this to enable them

Spam Lists To Reach High Score = 2

Use SpamAssassin = yes

Rebuild Bayes Every = 86400

Wait During Bayes Rebuild = yes

High Scoring Spam Actions = delete

Enable Spam Bounce = no

 

Make sure that spam.lists.conf contains the following definitions, else add them. Check before enabling a list that it is still in service: a DNSBL that has shut down either answers nothing (a DNS timeout on every message) or, as some defunct lists have done, starts returning a positive for every address. DSBL and NJABL have both shut down since this was written.

 

spamhaus.org sbl.spamhaus.org.

spamhaus-XBL xbl.spamhaus.org.

spamcop.net bl.spamcop.net.

NJABL dnsbl.njabl.org.

CBL cbl.abuseat.org.

DSBL list.dsbl.org.

 

cd to /usr/local/etc/MailScanner/mcp

cp mcp.spam.assassin.prefs.conf.sample mcp.spam.assassin.prefs.conf

cd to /usr/local/etc/MailScanner

fetch http://www.mailscanner.eu/phishing.bad.sites.conf.master

cp phishing.bad.sites.conf.master phishing.bad.sites.conf

 

cd to /usr/local/etc/rc.d. There should be two new startup scripts, mta and mailscanner.  If they have .sample at the end, remove that.

 

edit /etc/rc.conf, set sendmail_enable="NONE" and add the following

 

          mailscanner_enable="YES"

mta_enable="YES"

mta_type="sendmail"

mta_profiles="incoming outgoing submitqueue"

mta_incoming_flags="-L sm-mta-in -bd -OPrivacyOptions=noetrn -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly"

mta_incoming_pidfile="/var/run/sendmail_in.pid"

mta_incoming_configfile="/etc/mail/sendmail.cf"

mta_outgoing_flags="-L sm-mta-out -q15m"

mta_outgoing_pidfile="/var/run/sendmail_out.pid"

mta_outgoing_configfile="/etc/mail/sendmail.cf"

mta_submitqueue_flags="-L sm-msp-queue -Ac -q15m"

mta_submitqueue_pidfile="/var/spool/clientmqueue/sm-client.pid"

mta_submitqueue_configfile="/etc/mail/submit.cf"

  

MailScanner should now be started when the system boots, but don’t reboot or try to start it yet. The following is FYI only at this point.

 

To start, stop or restart MailScanner manually, use

/usr/local/etc/rc.d/mailscanner start/stop/restart

 

To start,stop or restart sendmail manually, use

/usr/local/etc/rc.d/mta start/stop/restart

 

Cd to /usr/ports/sysutils/file and install with “make install”.

 

Cd to /usr/ports/mail/pyzor and install with “make install”.  If you deselected IP6 support in earlier steps, deselect it here as well.

 

Cd to /usr/ports/mail/dcc-dccd and install with “make install”.

 

Pyzor, razor and bayes need periodic updates.  Run the following script from crontab once a day:

 

#! /usr/local/bin/bash

# get a list of the Pyzor servers

/usr/local/bin/pyzor discover

# refresh /root/.razor/

/usr/local/bin/razor-admin -discover

# re-build the Bayes database daily

/usr/local/bin/sa-learn -p /usr/local/etc/MailScanner/spam.assassin.prefs.conf --sync --force-expire

 

Cd to /usr/local/etc/MailScanner and copy spam.assassin.prefs.conf to spam.assassin.prefs.conf.ORIG.  Edit spam.assassin.prefs.conf and add bayes_ignore_header lines for the org-name you added when editing MailScanner.conf.  My org-name was “FSU-Biology” so my bayes_ignore_header lines are:

      bayes_ignore_header X-FSU-Biology-MailScanner

      bayes_ignore_header X-FSU-Biology-MailScanner-SpamCheck

      bayes_ignore_header X-FSU-Biology-MailScanner-SpamScore

      bayes_ignore_header X-FSU-Biology-MailScanner-Information

 

and change

      ifplugin Mail::SpamAssassin::Plugin::Pyzor     

      pyzor_path /usr/local/bin/pyzor 

      endif

 

 

Ok now you can reboot. At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.

 

 

Install IMP (webmail)

 

If /usr/local/www/horde exists all ready (from untar of previous data) move this with something like “mv /usr/local/www/horde /usr/local/www/horde.OLD”.

 

Cd to /usr/ports/mail/horde-imp and install with a “make install”.  Leave defaults for options and in the options for Pear-Auth options box add PEAR_LOG, PEAR-FILE-PASSWD, PEAR-NET-POP3 and PEAR-DB support.  When the Pear-Mail options box appears add Pear-Net-Smtp support.    The install will take quite a while as there are lots of dependencies so this is a good time to get a cup of your favorite beverage.

 

Cd to /usr/ports/mail/horde-turba and “make install”.

 

Cd to /usr/ports/mail/horde-vacation and “make install”.

 

Cd to /usr/ports/mail/horde-ingo and “make install”.

 

Edit /usr/local/etc/apache22/extra/httpd-ssl.conf and add

 

<Directory "/usr/local/www/horde">

                   SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

                   SSLRequireSSL

</Directory>

 

directly underneath the

 

<Directory "/usr/local/www/cgi-bin">

                   SSLOptions +StdEnvVars

</Directory>

 

block of code.

 

And change

 

          #   General setup for the virtual host

DocumentRoot "/usr/local/www/horde"

.

.

ErrorLog "/var/log/httpd-horde-error.log"

TransferLog "/var/log/httpd-horde-access.log"     

 

 

Configure httpd.conf for IMP and setup a redirect

 

If someone types in http://webmail.<your domain name> we want them to get redirected to https://webmail.<your domain name>. 

 

Cd to /usr/local/etc/apache22, Edit httpd.conf and change

 

Include etc/apache22/extra/httpd-vhosts.conf   (uncomment it)

 

And add a directory entry for horde, if you didn't already add one in the PHP section above (one copy is enough):

<Directory "/usr/local/www/horde">

                   Options Indexes FollowSymLinks

                   AllowOverride None

                   Order allow,deny

                   Allow from all

</Directory>

 

 

Cd to /usr/local/etc/apache22/extra and copy httpd-vhosts.conf to httpd-vhosts.conf.ORIG.  Edit httpd-vhosts.conf and look for the virtual host section (near the bottom). Add a virtual host for your normal host name and one that redirects to your encrypted webmail server.

NameVirtualHost *:80
#
<VirtualHost *:80>
    ServerAdmin webmaster@<your host name>
    DocumentRoot "/usr/local/www/apache22/data"
    ServerName <your host name>
    ErrorLog "/var/log/httpd-error.log"
    CustomLog "/var/log/httpd-access.log" combined
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@<your host name>
    DocumentRoot "/usr/local/www/horde"
    ServerName webmail.<your domain name>
    Redirect permanent / https://webmail.<your domain name>/
    ErrorLog "/var/log/httpd-horde-error.log"
    CustomLog "/var/log/httpd-horde-access.log" combined
</VirtualHost>

 

 

 

And create the encrypted virtual host. Edit /usr/local/etc/apache22/extra/httpd-ssl.conf and find

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

Change the DocumentRoot, ServerName and ServerAdmin values and set up separate log files (TransferLog takes only the file name, so it is written without the “combined” format argument used by CustomLog above):

# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog "/var/log/httpd-horde-error.log"
TransferLog "/var/log/httpd-horde-access.log"

 

 

Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above. So watch the <>’s.

 

 

Configure Horde

 

Cd to /usr/local/www/horde/scripts/sql and copy create.mysql.sql to create.mysql.sql.ORIG. Edit create.mysql.sql and change the password from “horde” to <something else> where it says:

 

-- IMPORTANT: Change this password!

PASSWORD('horde')

 

Create the horde database with “mysql -u root -p < create.mysql.sql”, entering the mysql root password when prompted.

Verify that you can connect to the horde database with “mysql -u horde -p”, entering the horde password (<something else>) when prompted.

 

Chmod create.mysql.sql to 550 and chown it to root:wheel, or edit it and wipe out the password, since the file now contains the horde database password in clear text.

 

Cd to /usr/local/etc/apache22/Includes and edit httpd-horde.conf.  Change the memory_limit line to

php_value memory_limit 64M

The value should match memory_limit in /usr/local/etc/php.ini.

 

Cd to /usr/local/www/horde/config and copy conf.php to conf.php.ORIG.

 

 

Add user www to trusted mail users.

 

Edit /etc/mail/trusted-users and put in “www”.

 

 

Configure IMP

 

Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove all of the server configurations except the cyrus one (the file ships with imap, pop, cyrus, exchange and kolab entries). Change the cyrus configuration as follows:

$servers['cyrus'] = array(
    'name' => 'Cyrus IMAP Server',
    'server' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap/ssl/novalidate-cert',
    'port' => 993,
    'maildomain' => '<your_host_name>',
    'smtphost' => 'smtp.<your_host_name>',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(),
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
);

Note that the admin info array entry has been deleted. The novalidate-cert part of the protocol string tells IMP not to verify the IMAP server's certificate; that is acceptable here only because the connection goes to localhost on the same machine.

 

To change the "Welcome to Horde" blurb to "Welcome to Webmail.<domain name>", cd to /usr/local/www/horde/imp, copy login.php to login.php.ORIG, edit login.php and change the $title line to

$title = "Welcome to Webmail.<your domain name>";

 

Configure Turba

 

Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “localsql” section, the one with 'title' => 'My Addressbook'. Delete all the other address book sources.

 

Create the turba database. Cd to /usr/local/www/horde/turba/scripts/sql and run “mysql -u root -p horde < turba.mysql.sql”, entering the root password for MySQL when prompted.

 

 

Configure Ingo

 

Cd to /usr/local/www/horde/ingo/config.  Make a backup copy of backends.php.  Edit backends.php, remove all entries except for the one named sieve and change it as follows

/* Sieve Example */
$backends['sieve'] = array(
    'driver' => 'timsieved',
    'preferred' => 'localhost',
    'hordeauth' => true,
    'params' => array(
        // Hostname of the timsieved server
        'hostspec' => 'localhost',
        // Login type of the server
        'logintype' => 'PLAIN',
        // Enable/disable TLS encryption
        'usetls' => true,
        // Port number of the timsieved server
        'port' => 2000,
        // Name of the sieve script
        'scriptname' => 'ingo',
    ),
    'script' => 'sieve',
    'scriptparams' => array()
);

 

Make a backup copy of /etc/services.  Edit /etc/services, scroll down to port 2000, comment out the two “callbook” entries and insert

sieve           2000/tcp   #Sieve
sieve           2000/udp   #Sieve

beneath them.

 

 

GUI config of horde, imp, turba

 

Check your apache config files with “apachectl configtest”.  If it’s OK, stop apache httpd with “apachectl stop” and start it again with “apachectl start”.

After apache httpd starts go to https://webmail.<your domain name> and the horde config page should show up.

 

Click on Administration->Setup->Address Book (turba) and change
    - Should we display an import/export link in Turba’s menu: check
    - Select any applications that should be linked in Turba's menu: Imp
    - Name of client addressbook: localsql
Click the "Generate Address Book Configuration" button.

Click on Administration->Setup->Filters (ingo) and change
    - Select any applications that should be linked in Ingo's menu: Imp
Click the "Generate Filters Configuration" button.

Click on Administration->Setup->Mail (imp) and change
    - Select any applications that should be linked in IMP's menu: ingo, turba
Click the "Generate Mail Configuration" button.

Click on Administration->Setup->Vacation (vacation) and change
    - Choose MySQL as database backend
Click the "Generate Tasks Configuration" button.

Click on Administration->Setup->Horde (horde) and change
    Database
    - What database backend should we use? = MySQL
    - database server/host = localhost
    - Username to connect to the database as = horde
    - Password = <something else>
    - Database name to use = horde
    Preference System
    - What preferences driver should we use? = SQL Database
    Authentication
    - Which users should be treated as administrators ... = <your_userid>
    - What backend should we use for authenticating users to Horde? = Let a Horde application handle authentication
    - The application which is providing authentication = imp
Click the "Generate Horde Configuration" button.

 

 

Log out from horde and log back in using <your_userid>.  Most likely it will fail.  To fix this, cd to /usr/local/www/horde/config, edit conf.php and set

$conf['session']['use_only_cookies'] = false;

Note that with this setting Horde will accept the session ID from the URL as well as from the cookie, which weakens its protection against session fixation.

 

Log in using <your_userid>.  You should now have webmail and administration rights.  All others that log in should have just webmail.

 

If something goes wrong and/or you don't get administrative rights cd to /usr/local/www/horde/config, copy conf.php.ORIG to conf.php, go to https://webmail.<your domain name> and try again.

 

 

Create users and mailboxes

 

Each email user will need a /etc/passwd account (see adduser) and a cyrus mailbox.  To create the cyrus mailbox, log in to the cyradm interface with “cyradm localhost -u <your userid>”.  At the “localhost>” prompt type “cm user.<userid>” to create a mailbox for the user.  You can also type “setquota user.<userid> <size in KB>” to set a quota on the mailbox; for example, “setquota user.jsmith 1048576” would set jsmith’s quota to 1 GB.  Type exit to leave the cyradm interface.

 

 

Copy over users and data from previous system (if applicable)

 

Copy over your users (copy and paste their entries from the password files /etc/passwd and /etc/master.passwd) and rebuild the user database with “pwd_mkdb /etc/master.passwd”.   Create the user mailboxes using cyradm (see above).  Sync the mailboxes from current_mail_server to new_mail_server once to move the majority of the data; see syncing_mailboxes_with_imapsync.php for documentation on syncing mailboxes between imap servers.  Turn off sendmail and mailscanner on current_mail_server, then sync the mailboxes again.  Shut down current_mail_server, change the hostname, certs and config files on new_mail_server to those matching current_mail_server, and reboot new_mail_server, which will then come up as the new current_mail_server.
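When many users are being moved over, typing “cm” and “setquota” into cyradm by hand for each one is tedious and error-prone. The following POSIX sh script is an added example, not part of the original page or of Cyrus: it reads master.passwd-style lines and emits the cyradm commands for creating a mailbox and setting a quota per user, rejecting any login name that is not safe to use as a Cyrus mailbox component. The rules it applies are assumptions, not anything the page states: UIDs below 1000 and accounts whose shell is nologin are treated as system accounts and skipped, login names are limited to lowercase letters, digits, underscore and hyphen and to 16 characters, and the default quota is the page's 1 GB (1048576 KB). The password file lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page): generate cyradm commands that
# create a Cyrus mailbox and set a quota for every ordinary user found in a
# master.passwd-style file, validating each login name first.
#
# Assumptions (not stated on the page): UIDs below 1000 are system accounts
# and are skipped, as are accounts whose shell is nologin; the default quota
# is 1 GB in KB, the value used in the page's setquota example.

# Return 0 if the login name is safe to use in a Cyrus mailbox name:
# lowercase letters, digits, underscore and hyphen only, 1-16 characters
# (16 is assumed as the FreeBSD login name limit).  Names containing dots,
# spaces, quotes or other metacharacters are rejected rather than being
# passed into cyradm, where "user.<id>" is read as a mailbox hierarchy name.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# Print the cyradm commands for one user: "cm user.<id>" followed by
# "setquota user.<id> <kb>".  The quota defaults to 1 GB.
cyradm_cmds_for() {
    login="$1"
    quota_kb="${2:-1048576}"
    valid_login "$login" || return 1
    printf 'cm user.%s\n' "$login"
    printf 'setquota user.%s %s\n' "$login" "$quota_kb"
}

# Read master.passwd lines on stdin
# (name:pw:uid:gid:class:change:expire:gecos:home:shell) and emit cyradm
# commands for every ordinary user.  Invalid login names are reported on
# stderr and skipped; the return value is 1 if anything was skipped.
gen_cyradm_script() {
    quota_kb="${1:-1048576}"
    rc=0
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        case "$name" in ''|\#*) continue ;; esac        # blank lines, comments
        [ "$uid" -ge 1000 ] 2>/dev/null || continue     # system accounts
        case "$shell" in */nologin) continue ;; esac    # no interactive login
        if ! cyradm_cmds_for "$name" "$quota_kb"; then
            printf 'skipping invalid login name: %s\n' "$name" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not a real password file).
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
cyrus:*:60:60::0:0:the cyrus mail server:/nonexistent:/usr/sbin/nologin
jsmith:*:1001:1001::0:0:John Smith:/home/jsmith:/bin/sh
bad name:*:1002:1002::0:0:Bad Entry:/home/bad:/bin/sh
amy:*:1003:1003::0:0:Amy:/home/amy:/usr/sbin/nologin
rjones:*:1004:1004::0:0:R Jones:/home/rjones:/bin/tcsh'

# Usage: review the generated commands, then feed them to cyradm, e.g.
#   printf '%s\n' "$SAMPLE_PASSWD" | gen_cyradm_script | cyradm localhost -u <your userid>
```

Run the generator against the copied master.passwd first and read the output; only once the list of mailboxes and quotas looks right should it be piped into cyradm, so that a stray or malformed passwd entry never turns into a cyradm command.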

 

 

 

FuzzyOcr

 

The FuzzyOcr plugin for spamassassin OCR-scans images for spam words and forwards the information to spamassassin. If you are getting spam messages that are nothing but an image and random text you might want to add this plugin. Directions are at fuzzyocr.htm.

 

 

Additional Security Steps

 

Add

 

kern_securelevel_enable="YES"

kern_securelevel="3"

syslogd_flags="-ss"

 

to /etc/rc.conf. You’ll need to reboot for this to take effect. Note that at securelevel 3 the kernel will not load modules, clear the immutable or append-only file flags, or accept packet filter rule changes, so finish those parts of the configuration first; “syslogd_flags="-ss"” keeps syslogd from opening a network socket at all.

 

 

To enforce minimum password requirements add

 

:minpasswordlen=8:\

:mixpasswordcase:\

 

to /etc/login.conf under the “default” section and rebuild database with “cap_mkdb /etc/login.conf”.

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Change log

 

 

 


 
