Document last modified
03/03/2004, 11:30am - see bottom for details
For latest version of this page please see: http://bio.fsu.edu/~sysalex/freebsd-mail-server_v7.htm
Installing FreeBSD 4.9 mail server with mailscanner 4.x, spamassassin, ssl/tls pop, pine, and webmail (IMP) via imap (not ssl-imap so imap from localhost only).
Note 1: You will need to request a webmail.<your_domain_name> alias (DNS name) for your mail server’s IP address from whoever handles your IP registration.
Note 2: I use the terms “folder” and “directory”. They mean the same thing.
Note 3: I’ll be adding special notes for those rebuilding a current FreeBSD box. These notes were in red on the original page; here they appear as the parenthetical “(FreeBSD Server Rebuild?: ...)” notes. By rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process. I give the new box a different hostname until I’m done, then change it to the true server name after I’ve tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache/httpd.conf, /usr/local/www/phpmyadmin/config.inc.php and /var/MailScanner/etc/MailScanner.conf. I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I’m rebuilding.
Install FreeBSD v4.9. I usually do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. I usually just download the floppies (kern.flp and mfsroot.flp), boot from kern.flp and go from there. Be sure to use fdimage to create your floppies.
Don’t install the ports collection when asked. I find it best to download the latest one later.
Add Bash v2.x, GCC 2.95 and nologin when asked if you want to install additional software (packages).
If you didn’t include sources in your initial install, use /stand/sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains that you don’t need. This cuts my kernel size to less than half its previous size. Directions for recompiling the kernel are at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
and here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at the CPU type and Ethernet card; mine is set for Pentium II or later and an Intel EtherExpress Pro. Other than that it’s a standard PC with one floppy drive, hard drives on both channels and no CD.
Basic procedure is:
- cd to /usr/src/sys/i386/conf
- copy GENERIC to <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
- cp /kernel /kernel.ORIG
- run “make installkernel KERNCONF=<your host name in caps>”
- reboot to use the new kernel (run “shutdown -r now”)
Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Make a directory for installing stuff. I use /usr/install, thus “mkdir /usr/install”.
Cd to /etc, copy rc.conf to rc.conf.ORIG and edit rc.conf. Add
inetd_enable="YES"
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make the box much more secure. I only allow ssh from inside FSU and certain outside IPs. I allow pop from anywhere. I allow anything from localhost (this includes imap). I allow finger from inside biology. I deny all else. So mine looks like:
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.3 2000/07/20 15:17:44 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Prevent unregistered IPs from connecting.
#ALL : UNKNOWN : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imap from localhost for IMP
ALL : localhost 127.0.0.1 : allow
# Allow qpopper and sendmail from anywhere
popper : ALL : allow
qpopper : ALL : allow
sendmail : ALL : allow
# Allow finger from inside biology
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
# Allow ssh from .fsu.edu
sshd : .fsu.edu : allow
# Allow SSH from select IP's
sshd : 128.128.171.231 128.128.171.191 .micske01.fl.comcast.net \
       .mkethn01.fl.comcast.net .tharpe01.fl.comcast.net \
       .aby.bellsouth.net .bbridg01.fl.comcast.net tschinkel.electronet.net : allow
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from the old box instead and change the local hostname if necessary.)
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (e.g. “localhost.bio.fsu.edu”).
(FreeBSD Server Rebuild?: If I’m rebuilding a system this is where I copy over the user accounts and data. I usually just copy and paste the entries from both passwd and master.passwd to the same files on the new system using an ssh shell on a Windows box, vi, and copy and paste. Then run vipw, make a meaningless change and quit, which rebuilds the database.)
The version of Perl that comes with FreeBSD 4.7 and earlier (and maybe later) doesn’t support all we want to do, so we have to change to version 5.6.
Cd to /usr/ports/lang/perl5 and install with a “make install”. After the install type “perl -v”; you’ll notice it’s still the old version. Fix this with “/usr/local/bin/use.perl port”. Now “perl -v” should report back the new version.
Install cclient and imap-uw
Cd to /usr/ports/mail/cclient and run “make WITH_SSL_AND_PLAINTEXT=true install”
Cd to /usr/ports/mail/imap-uw and run “make WITH_SSL_AND_PLAINTEXT=true install”
Install Pine (my users insist, leave this off if you can)
Cd to /usr/ports/mail/pine4 and run “make install”.
Cd to /usr/ports/www/apache13-modssl and run “make install”.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf. I usually run a diff between the new file and old file to spot any differences.
Generate a certificate for your web server by running the following commands (they can also be downloaded as a script; usage: “mkwebcerts <your host name>”):
openssl genrsa -out <your host name>.key 1024
openssl req -new -key <your host name>.key -out <your host name>.csr
openssl x509 -req -days 3650 -in <your host name>.csr -signkey <your host name>.key -out <your host name>.crt
When asked for “Common Name” enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>). For the other questions the common-sense answer is correct. When asked for a password or passphrase just hit enter (each time).
Move the resulting .crt and .key files to /usr/local/etc/apache. Chown them to www:www and chmod them to 550.
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box.)
Edit httpd.conf and change
ServerName <your host name>
ServerAdmin <your email address>
SSLCertificateFile /usr/local/etc/apache/<your host name>.crt
SSLCertificateKeyFile /usr/local/etc/apache/<your host name>.key
and add
<Directory "/usr/local/www/horde">
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLRequireSSL
</Directory>
directly underneath the
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
block of code.
Here’s a couple of hints for those of you new to apache.
The default install of apache does not have cgi-scripts enabled. To enable cgi scripts:
Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.
<Directory "/usr/local/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
(FreeBSD Server Rebuild?: don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql323-server and run “make install”. This will install both server and client.
Copy over users and data from previous system (if applicable)
Make sure you’ve copied over your users (password files) and rebuilt the user database (vipw). Then tar up any data (/usr/local/www, /home, etc) on the old box and move it to the new box and untar. The root www directory on the box we are building will be /usr/local/www/data.
Cd to /usr/ports/lang/php4 and run “make install”. On the options screen, leave the defaults that are already checked and add:
DOMXML, FTP, GETTEXT, IMAP, MCAL, MCRYPT, OpenLDAP, OpenSSL, PSPELL and XML.
After the install cd to /usr/local/etc and copy php.ini-dist to php.ini and php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 30M ; max upload file size in webmail
Download the latest version of the Log package (a logging facility for PHP) from http://pear.php.net/packages.php. I got version 1.8.0. Move the file to a temporary directory and gunzip and untar it. Then cd into the resulting folder and move the contents (Log and Log.php) to /usr/local/lib/php.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache/httpd.conf file. The chunk of code it was supposed to add is:
<IfModule mod_php3.c>
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .php3s
</IfModule>
<IfModule mod_php4.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
and it goes right under the
<IfModule mod_negotiation.c>
LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
</IfModule>
block of code. If it didn’t put it in, go ahead and paste it in. Also you’ll want to add index.php to the list of index pages under the DirectoryIndex section if it didn’t get added. I use both php and shtml so mine looks like:
<IfModule mod_dir.c>
<IfModule mod_php3.c>
<IfModule mod_php4.c>
DirectoryIndex index.php index.php3 index.shtml index.html index.htm
</IfModule>
<IfModule !mod_php4.c>
DirectoryIndex index.php3 index.shtml index.html index.htm
</IfModule>
</IfModule>
<IfModule !mod_php3.c>
<IfModule mod_php4.c>
DirectoryIndex index.php index.shtml index.html index.htm
</IfModule>
<IfModule !mod_php4.c>
DirectoryIndex index.shtml index.html index.htm
</IfModule>
</IfModule>
</IfModule>
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this; just unzip and untar the contents to /usr/local/www/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with “chown -R www:www <folder name>”. Go into this folder and copy config.inc.php to config.inc.php.ORIG. Edit config.inc.php and change
$cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';
OK, reboot with a “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpMyAdmin page should load. Click on Privileges and delete all the users except root on localhost (2 “any” users and a root at the machine name). Edit the root at localhost user and set a password. Reload the MySQL server. At this point it should kick you out. Edit config.inc.php and put in your new password.
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpmyadmin page. Chown config.inc.php to www:www and chmod it to 550.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache/httpd.conf and adding an entry for the directory that reads (for example purposes I’m using phpMyAdmin as the folder name and replaced the ip’s with X’s and Y’s):
<Directory /usr/local/www/data/phpMyAdmin>
Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
</Directory>
Check your config file with “apachectl configtest” and if OK restart apache with “apachectl restart”. You should now be able to load the phpMyAdmin page from only the ip’s you entered. Any other ip should return “Forbidden . . .”.
At this point I add a .htaccess userid and password to this folder as well. See the apache documentation for how to do this, http://httpd.apache.org/docs/howto/auth.html#basicworks.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to some other name and install latest version).
Download the latest version from ftp://ftp.qualcomm.com/eudora/servers/unix/popper. I got qpopper4.0.5.tar.gz. Move this file to /usr/install, gunzip and untar it, and cd into the resulting directory. The install procedure is
- ./configure --with-openssl
- make
- make install
- make clean
But qpopper has a bug in relation to recent versions of OpenSSL, so we have to enable the workarounds for known client bugs when qpopper calls OpenSSL functions. So before running the installation, cd to the popper folder and copy pop_tls_openssl.c to pop_tls_openssl.c.ORIG. Edit pop_tls_openssl.c; about 35% into the file you’ll find:
    /*
     * Set desired options
     */
    if ( pPOP->tls_options ) {
        long opts = 0;
        opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
        DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",
                     pPOP->tls_options, opts );
    }
Replace that with:
    /* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
    /* combination work with recent versions of OpenSSL. */
    SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);
You can also download a copy of the patched file from me here.
Make sure a diff on your edited version (or the one you downloaded from me) and the original file looks like:
beta# diff pop_tls_openssl.c pop_tls_openssl.c.ORIG
349,351c349,357
< /* Enable all of OpenSSL's bug fixes -- this lets the Eudora/Qpopper */
< /* combination work with recent versions of OpenSSL. */
< SSL_CTX_set_options (pTLS->m_OpenSSLctx, SSL_OP_ALL);
---
> /*
> * Set desired options
> */
> if ( pPOP->tls_options ) {
> long opts = 0;
> opts = SSL_CTX_set_options ( pTLS->m_OpenSSLctx, pPOP->tls_options );
> DEBUG_LOG2 ( pPOP, "...set options %#0x; options now %#0lx",
> pPOP->tls_options, opts );
> }
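Review bot: the replacement drops the `if ( pPOP->tls_options )` guard and the `pPOP->tls_options` argument, so whatever TLS options an administrator configures for qpopper are no longer passed to SSL_CTX_set_options at all; if the aim is only to add the bug workarounds, keep the configured value and OR it in, e.g. `SSL_CTX_set_options ( pTLS->m_OpenSSLctx, SSL_OP_ALL | pPOP->tls_options );`, and keep the DEBUG_LOG2 call so the effective option bits still show up in the debug log. Note also that the diff was run as `diff pop_tls_openssl.c pop_tls_openssl.c.ORIG`, so the `<` lines are the patched code and the `>` lines are the original, the reverse of the usual orientation.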
Now we configure, make and install with (don’t forget to cd back up a directory first):
./configure --with-openssl
make
make install
make clean
OK, now we want to make qpopper use tls/ssl pop. So cd to /usr/local/etc and make a directory called qpopper. Cd to this directory and edit a new file called qpopper.conf, insert
set tls-support = stls
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. Edit a file called qpopper-altport.conf and insert
set tls-support = alternate-port
set tls-server-cert-file = /etc/mail/certs/cert.pem
and save the file. In case you’re wondering, we’re going to make ssl/tls pop work on both the standard port (110) and the alternate port (995). This makes setting up email clients (Eudora, etc.) that much more foolproof. And that’s a good thing.
Cd to /etc/mail and “mkdir certs”. Cd to certs and run
openssl req -new -nodes -out req.pem -keyout cert.pem
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial
cp cert.pem cert.pem.ORIG
cat signed-req.pem >> cert.pem
This will ask you a bunch of questions, twice, most of which aren’t important. The only critical ones are
- for passwords or pass phrases enter the same thing each time
- for common name enter the fully qualified domain name of your machine
You can download the entire set of commands as a script here.
(FreeBSD Server Rebuild?: just scp cert.pem from you old box to your new box instead.)
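The certificate procedure above as an added, non-interactive shell script (an example written for this page, not the author’s downloadable script), followed by the checks worth running on the result before pointing qpopper at it. It assumes the openssl command-line tool; the -subj/-passout answers, the CA name, the function names and the 2048-bit key size (the page uses 1024) are this example’s choices.

```shell
#!/bin/sh
# Added example: non-interactive version of the qpopper certificate steps above,
# plus the checks worth running before qpopper.conf points at cert.pem.
# Assumes the openssl command-line tool. The -subj/-passout answers, the
# 2048-bit key size and the CA name are this example's choices, not the page's.

# make_pop_cert DIR FQDN CA_PASSPHRASE
# Builds in DIR: a private CA (ca.key, ca.crt), a server key and CSR, a
# CA-signed server certificate, and cert.pem = server key + server certificate,
# the layout that "tls-server-cert-file = /etc/mail/certs/cert.pem" expects.
# The body runs in a subshell so the caller's working directory is untouched.
make_pop_cert() (
    dir=$1; fqdn=$2; capass=$3
    mkdir -p "$dir" && cd "$dir" || exit 1

    # 1. Server key (unencrypted, like the page's -nodes) and CSR.
    #    The key is written to cert.pem, exactly as in the page's first command.
    openssl req -new -nodes -newkey rsa:2048 -keyout cert.pem -out req.pem \
        -subj "/CN=$fqdn" >/dev/null 2>&1 || exit 1

    # 2. Private CA: passphrase-protected key and self-signed CA certificate.
    openssl genrsa -des3 -passout "pass:$capass" -out ca.key 2048 \
        >/dev/null 2>&1 || exit 1
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$capass" \
        -subj "/CN=Private POP CA" -out ca.crt >/dev/null 2>&1 || exit 1

    # 3. Sign the server CSR with the CA.
    openssl x509 -req -CA ca.crt -CAkey ca.key -passin "pass:$capass" \
        -days 365 -in req.pem -out signed-req.pem -CAcreateserial \
        >/dev/null 2>&1 || exit 1

    # 4. Append the signed certificate to the key, giving the combined cert.pem.
    cp cert.pem cert.pem.ORIG
    cat signed-req.pem >> cert.pem

    # 5. Sanity checks: the server cert must verify against ca.crt, and its
    #    subject must carry the FQDN mail clients will be told to connect to.
    openssl verify -CAfile ca.crt signed-req.pem >/dev/null 2>&1 || exit 1
    openssl x509 -in signed-req.pem -noout -subject | grep -q "CN *= *$fqdn" || exit 1

    # Private keys must not be world-readable.
    chmod 600 cert.pem cert.pem.ORIG ca.key
    exit 0
)

# check_pem_pair FILE
# True when FILE holds exactly one private key and one certificate that belong
# together (same RSA modulus). Applies to cert.pem here and, concatenated, to
# the .key/.crt pair made for Apache earlier.
check_pem_pair() {
    f=$1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$f")" = 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" = 1 ] || return 1
    keymod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null) || return 1
    certmod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null) || return 1
    [ -n "$keymod" ] && [ "$keymod" = "$certmod" ]
}
```

Run it as, for example, `make_pop_cert /etc/mail/certs <your FQDN> <CA passphrase> && check_pem_pair /etc/mail/certs/cert.pem`; the CA passphrase is only needed again if you sign further certificates with ca.key.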
Cd to /etc and copy inetd.conf inetd.conf.ORIG. Edit inetd.conf and change (add the pop3s line under your current pop3 line):
pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf
pop3s stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf
imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
Send inetd a HUP signal so it rereads inetd.conf, and you should now be able to pop into your email. Remember to add the certificate to your trusted certificates in Eudora. For details see the bottom part of the page at: http://www.bio.fsu.edu/complabs/eudora.htm.
Note: The “-p 4” in the pop3 inetd lines enforces the use of ssl/tls pop. If you want to allow but not force ssl/tls pop remove the “-p 4” from the line(s).
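An added audit script (not from the page) that reads an inetd.conf and reports which POP entries carry the “-p 4” enforcement flag described in the note above, so a plaintext-capable line is caught before inetd is HUPed. The sample inetd.conf inside it is constructed for the demonstration and the function names are this example’s own.

```shell
#!/bin/sh
# Added example: audit the pop3/pop3s entries of an inetd.conf for qpopper's
# "-p 4" flag (enforce TLS), per the note on this page. Sample data constructed.

# audit_pop_tls FILE
# Prints one line per pop3/pop3s service: "<service> <config file> enforced|optional".
# Returns 0 when every POP service enforces TLS, 1 otherwise.
audit_pop_tls() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 == "pop3" || $1 == "pop3s" {
            conf = "(none)"; enforce = "optional"
            # inetd.conf fields: service type proto wait user program args...
            # field 7 is the server argv[0] ("qpopper"); flags follow it.
            for (i = 7; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) == "4") enforce = "enforced"
                if ($i == "-f") conf = $(i + 1)
            }
            if (enforce == "optional") bad++
            print $1, conf, enforce
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: pop3s enforces TLS, pop3 does not (its "-p 4" is missing).
SAMPLE_INETD=$(cat <<'EOF'
# constructed sample inetd.conf for the audit above
pop3   stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 1 -f /usr/local/etc/qpopper/qpopper.conf
pop3s  stream tcp nowait root /usr/local/sbin/popper qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf
imap4  stream tcp nowait root /usr/local/libexec/imapd imapd
EOF
)

# demo: write the sample to a temporary file and audit it.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_INETD" > "$tmp"
    audit_pop_tls "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

if demo; then
    echo "all POP services enforce TLS"
else
    echo "at least one POP service still allows plaintext logins"
fi
```

On a real box run `audit_pop_tls /etc/inetd.conf` instead of `demo`.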
Get vbsd416l.tar.z from Bob Smith at SL. Go to your /usr/install directory and do a “mkdir vbsd416l” and then “cd vbsd416l”. (vbsd416l.tar.z doesn’t create its own directory when you untar it.) Move the installer to the current directory. Gunzip the installer, and then untar it. Then run ./install-uvscan, accept all defaults.
Here’s where you run into problems with libc.so.3 (which doesn’t exist), so cd to /usr/lib and then “ln -s libc.so.4 libc.so.3”.
Install latest dat files by untarring them to a temp directory and from that directory run
“cp *.dat /usr/local/uvscan”
Run “/usr/local/uvscan/uvscan --version” to check the results.
Cd to /etc/mail. Copy sendmail.cf sendmail.cf.ORIG. Edit sendmail.cf. Near the top you’ll find “# my official domain name” and under that a line that has just “CP.”. Right under that add:
# UUCP relay host
DYmailer.fsu.edu
CPUUCP
# BITNET relay host
DBmailer.fsu.edu
CPBITNET
Also change:
# load average at which we just queue messages
O QueueLA=24
# load average at which we refuse connections
O RefuseLA=36
Save sendmail.cf.
Edit a new file called access. Mine looks like this.
fsu.edu RELAY
128.186 RELAY
146.201 RELAY
144.174 RELAY
192.5.82 RELAY
192.12.121 RELAY
192.12.122 RELAY
192.80.53 RELAY
192.190.34 RELAY
192.135.64 RELAY
192.135.65 RELAY
127.0.0.1 RELAY
205.145.233.1 RELAY
uunet.uu.net RELAY
uga.cc.uga.edu RELAY
155.206.125 RELAY
199.44.121 RELAY
204.145.215 RELAY
I got this from Tom Kitterman quite a while back so hopefully it’s still right. Make the database with “makemap hash access < access”. This creates a file called access.db.
If you receive mail for more than just your domain edit a new file called local-host-names and insert the domain names. Mine looks like this.
southernmatters.com
lakejacksonturtles.org
Add aliases to /etc/mail/aliases and rebuild alias database with “newaliases”.
(FreeBSD Server Rebuild?: scp local-host-names from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, copy over any alias files you had).
First we must install a bunch of mailscanner dependencies so:
Install /usr/ports/devel/p5-IO-stringy with a “make install”
Install /usr/ports/converters/p5-MIME-Base64 with a “make install”
Install /usr/ports/mail/p5-Mail-Tools with a “make install”
Install /usr/ports/devel/p5-File-Spec
Cd /usr/ports/devel/p5-File-Spec
Make a backup copy of Makefile
Edit Makefile and change perl level max to 500610 (was 500600).
.if ${PERL_LEVEL} > 500610
IGNORE= This port is for perl 5.6.1 and under only.
.endif
run “make install”
Install /usr/ports/www/p5-HTML-Tagset with a “make install”
Install /usr/ports/www/p5-HTML-Parser with a “make install”
Install /usr/ports/mail/p5-MIME-Tools with a “make install”
Install /usr/ports/devel/p5-File-Temp with a “make install”
Install /usr/ports/converters/p5-Convert-TNEF with a “make install”
Install /usr/ports/converters/tnef with a “make install”
Install /usr/ports/net/p5-Net-CIDR with a “make install”
At this point a “pkg_info” should look something like:
apache+mod_ssl-1.3.27+2.8.12 The Apache 1.3 webserver with SSL/TLS functionality
aspell-0.50.3_1 Spelling checker with better suggestion logic than ispell
autoconf213-2.13.000227_5 Automatically configure source code on many Un*x platforms
bash-2.05b.004 The GNU Bourne Again Shell
cclient-2002,1 Mark Crispin's C-client mail access routines
db3-3.3.11,1 The Berkeley DB package, revision 3
expat-1.95.6_1 XML 1.0 parser written in C
gcc-2.95.3 GNU Compiler Collection
gettext-0.11.5_1 GNU gettext package
gmake-3.80 GNU version of 'make' utility
imap-uw-2002_1,1 University of Washington IMAP4rev1/POP2/POP3 mail servers
libiconv-1.8_2 A character set conversion library
libmcal-0.7 Modular Calendar Access Library
libmcrypt-2.5.6_1 Multi-cipher cryptographic library (used in PHP3)
libtool-1.3.4_4 Generic shared library support script
libxml2-2.5.4 Xml parser library for GNOME
m4-1.4_1 GNU m4
mm-1.2.1 Shared memory allocation library for pre-forked process mod
mod_php4-4.3.1 PHP4 module for Apache
mysql-client-3.23.55 Multithreaded SQL database (client)
mysql-server-3.23.55 Multithreaded SQL database (server)
nologin-1.0_1 Refuse a login to a user, and make a note of it in syslog
openldap20-2.0.25_3 Open source LDAP client and server software
p5-Authen-SASL-2.02 Perl5 module for SASL authentication
p5-Convert-TNEF-0.17 Perl module to read TNEF files
p5-DBI-1.34_1 The perl5 Database Interface. Required for DBD::* modules
p5-Data-ShowTable-3.3 Perl5 module to pretty-print arrays of data
p5-File-Spec-0.82 A Perl module for portably manipulating file specifications
p5-File-Temp-0.12_1 Perl5 module to generate temporary files or directories saf
p5-HTML-Parser-3.27 Perl5 module for parse HTML tag
p5-HTML-Tagset-3.03 Some useful data table in parsing HTML
p5-IO-stringy-2.108 Perl5 module for using IO handles with non-file objects
p5-MIME-Base64-2.16 Perl5 module for Base64 and Quoted-Printable encodings
p5-MIME-Tools-5.411a_2 A set of perl5 modules for MIME
p5-Mail-Tools-1.58 Perl5 modules for dealing with Internet e-mail messages
p5-Mysql-modules-1.2216 Perl5 modules for accessing MySQL databases
p5-Net-1.12,1 Perl5 modules to access and use network protocols
p5-Net-Daemon-0.36 Perl5 extension for portable daemons
p5-PlRPC-0.2016 Perl module for writing RPC servers and clients
p5-Storable-2.06 Persistency for perl data structures
p5-Test-Harness-2.26 Run perl standard test scripts with statistics
p5-Test-Simple-0.47_1 Basic utilities for writing tests in perl
perl-5.6.1_11 Practical Extraction and Report Language
pkgconfig-0.15.0 An utility used to retrieve information about installed lib
python-2.2.2_2 An interpreted object-oriented programming language
tnef-1.1 Unpack data encapsulated into Microsoft Outlook's applicati
Whew. Go get a cup of your favorite beverage or whatever. You deserve it.
Download the latest 4.x version of MailScanner from http://www.sng.ecs.soton.ac.uk/mailscanner, move it to /usr/install and then untar it. Download the full version, not the FreeBSD package. I tried the package install and couldn’t get it to work.
It seems that MailScanner was developed for Solaris, and expects to live in /opt/mailscanner. Editing everything to /var/mailscanner still didn’t work for me, and since FreeBSD doesn’t have an /opt, the easy solution is to soft link /var to /opt with “ln -s /var /opt”.
Move MailScanner-<your version> to /opt with “mv MailScanner-<your version> /opt”.
Link MailScanner-<your version> to MailScanner with “ln -s /var/MailScanner-<your version> /var/MailScanner”.
Cd to /var/MailScanner/lib/MailScanner and make a backup copy of SystemsDefs.pm. Edit SystemsDefs.pm and change:
$global::sed = '/usr/bin/sed';
Cd to /var/MailScanner/bin. Make a backup copy of check_mailscanner, edit check_mailscanner and change:
# -- Nick Phillips <nwp@lemon-computing.com>
pid=`$PS -axww |
     $GREP '[ ]'$msbindir/$process |
     $AWK '{print $1}'`
if [ "x$pid" = "x" ]; then
Basically you’ve just pulled out all the if-thens for all operating systems except FreeBSD, and since it’s the only one left, all you need is the code inside its if-then.
Delete the softlink from tnef.SOLARIS to tnef with “rm tnef”. Link tnef to the tnef port you installed earlier with “ln -s /usr/local/bin/tnef tnef”.
Cd to /var/MailScanner/etc and make a backup copy of MailScanner.conf. Edit MailScanner.conf and change:
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Expand TNEF = no
Virus Scanners = mcafee
Silent Viruses = W32/Klez.h@MM W32/Klez.gen@MM W32/Braid.a@MM W95/Spaces.gen
Still Deliver Silent Viruses = no
Allow IFrame Tags = yes
Hostname = <your FQDN>
Virus Subject Text = {Virus}
Filename Subject Text = {Virus}
Warning Is Attachment = no
Spam List = ORDB-RBL spamcop.net Infinite-Monkeys
Use SpamAssassin = yes
Max SpamAssassin Size = 180000
Required SpamAssassin Score = 8
Always Include SpamAssassin Report = yes
High Scoring Spam Actions = delete
Create the MailScanner spool directories with
mkdir -p /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/mqueue.in
chgrp daemon /var/spool/MailScanner/*
chgrp daemon /var/spool/mqueue.in
Make a backup copy of /etc/rc.conf, edit /etc/rc.conf and add the following text to the end of the file
# MailScanner starts here
mta_start_script="/opt/MailScanner/bin/rc.MailScanner"
MailScanner_incoming_queue="/var/spool/mqueue.in"
MailScanner_queue_time="15m"
MailScanner_check="/opt/MailScanner/bin/check_mailscanner"
MailScanner_pidfile="/opt/MailScanner/var/MailScanner.pid"
# MailScanner ends here
Download and install /opt/MailScanner/bin/rc.MailScanner with
cd /opt/MailScanner/bin
fetch http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/freebsd/rc.MailScanner
chmod 755 rc.MailScanner
MailScanner should now be started when the system boots, but don’t reboot or try to start it yet. The following is FYI only at this point.
To start and stop MailScanner manually, use
/opt/MailScanner/bin/rc.MailScanner start
and
/opt/MailScanner/bin/rc.MailScanner stop
We’re due for a break here and the easy install of SpamAssassin is it.
Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install it with a “make install”.
Ok now you can reboot.
At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.
Cd to /usr/ports/mail/imp3 and install with a “make WITHOUT_SSL=true install”. This will take quite a while as there are lots of dependencies. Don’t fret about the WITHOUT_SSL; this means the connection from IMP to imap won’t be encrypted, which, since it’s on the same machine, is OK. The encryption will be handled by apache-modssl, which handles the connection from the machine to the end user.
Make sure the install added
# Horde's include directory
Include /usr/local/etc/horde
to the bottom of /usr/local/etc/apache/httpd.conf. If not, add it.
Cd to /usr/local/etc/apache and copy httpd.conf to httpd.conf.BAK. Look for the virtual host section (near the bottom). Add a virtual host for redirecting to your encrypted web server. The only way I can get virtual hosts to work is to make all the sites on the server a virtual host, so:
NameVirtualHost *
#
<VirtualHost *>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/data
ServerName <your host name>
ErrorLog /var/log/httpd-error.log
CustomLog /var/log/httpd-access.log common
</VirtualHost>
<VirtualHost *>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/redirect
ServerName webmail.<your domain name>
ErrorLog /var/log/httpd-redirect-error.log
CustomLog /var/log/httpd-redirect-access.log common
</VirtualHost>
Now we have to make the redirect actually happen so cd to /usr/local/www and make a directory called redirect. Inside that edit a file called index.html and put in:
<HTML>
<HEAD>
<TITLE>Redirect to secure-webmail</TITLE>
<META HTTP-EQUIV="refresh" content="0;URL=https://webmail.<your domain name>">
</HEAD>
<BODY>
<p>
<font size="5">You are being redirected to
<a href="https://webmail.<your domain name>">https://webmail.<your domain name></a></font>
</p>
</BODY>
</HTML>
And create the encrypted virtual host. At the bottom of /usr/local/etc/apache/httpd.conf you’ll find
##
## SSL Virtual Host Context
##
Change the DocumentRoot, ServerName and ServerAdmin values; you can also set up separate log files:
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog /var/log/httpd-horde-error.log
TransferLog /var/log/httpd-horde-access.log
Note: You will want to replace <your host name> and <your domain name> with the machine’s host name and domain name in the examples above. So watch the <>’s.
Cd to /usr/local/www/horde/scripts/db and copy mysql_create.sql to mysql_create.sql.ORIG. Edit mysql_create.sql and change the password from “horde” to <something else> where it says:
-- IMPORTANT: Change this password!
password('horde')
Create the horde database with “mysql -u root -p < mysql_create.sql”; enter the MySQL root password when prompted.
Verify that you can connect to the horde database with “mysql -u horde -p”; enter the horde password (<something else>) when prompted.
(FreeBSD Server Rebuild?: Instead of importing the mysql_create.sql file, mysqldump the horde and mysql databases on the old box to .sql files with “mysqldump -u root --opt horde > old_horde.sql” and “mysqldump -u root --opt mysql > old_mysql.sql”, scp these files to the new box and import them into the new box with “mysql -u root -p horde < old_horde.sql” and “mysql -u root -p mysql < old_mysql.sql”. Then reload MySQL. At this point all MySQL usernames and passwords will be as they were on the old box, and all user data stored in the horde database (address books, etc.) will have been copied over.)
Cd to /usr/local/www/horde/config and copy horde.php horde.php.ORIG. Edit horde.php and change:
$conf['use_ssl'] = 1;
$conf['auth']['params']['dsn'] = '{localhost:143/imap}INBOX';
$conf['log']['priority'] = LOG_INFO;
$conf['prefs']['params']['username'] = 'horde';
$conf['prefs']['params']['password'] = '<something else>';
Copy registry.php registry.php.ORIG and edit registry.php. Find the horde section under Application registry section (first block) and change (right under 'icon' => '/horde/graphics/home.gif',):
'name' => _("Webmail on <your host name>"),
Add user www to the trusted mail users: edit /etc/mail/trusted-users and put in “www”.
Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove the three server configurations under the imap configuration (pop, cyrus and exchange). Change the imap configuration as follows (you may find that it is all correct already):
$servers['imap'] = array(
'name' => 'IMAP Server',
'server' => 'localhost',
'protocol' => 'imap/notls',
'port' => 143,
'folders' => 'Mail/',
'namespace' => '',
'maildomain' => '<Your mail domain or FQHN>',
'smtphost' => 'localhost',
'realm' => '',
'preferred' => ''
);
Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “local.sql” section with “'title' => 'My Addressbook'”. Change
'username' => 'horde',
'password' => '<something else>',
Create the turba database. Cd to /usr/local/www/horde/turba/scripts/drivers and run
“mysql -u root -p < turba.sql”; enter the root password for MySQL when prompted.
(FreeBSD Server Rebuild?: Don’t import turba.sql. You grabbed your old one when you imported your old_horde.sql database.)
Cross your fingers and reboot with a “shutdown -r now”.
After your system comes back up you should be able to logon to webmail at https://webmail.<your_domain_name>
Remove horde@% user from MySQL
The horde@% user is not needed; go to http://<your host name>/<phpMyAdmin folder> and click on Privileges. Delete the horde@% user.
(FreeBSD Server Rebuild?: No need for this step.)
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You’ll need to reboot for this to take effect.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild database with “cap_mkdb /etc/login.conf”.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log
12-17-2003: Added red notes for those rebuilding a previous FreeBSD system. Added “Additional Security Steps” section.
3-3-2004: Removed gmake from the list of additional software (packages) to install during the initial setup of FreeBSD. Letting it be installed as a dependency, from the ports collection, works out better.