Document last modified 4-09-2007, 4:50pm - see bottom for details
For the latest version of this page please see: http://bio.fsu.edu/~sysalex/freebsd-mail-server.htm
Installing a FreeBSD 6.2 mail server with mailscanner 4.x, spamassassin, ssl/tls pop, ssl imap, smtp-auth, starttls, and webmail (IMP).
Note 0: This page was written to document the procedure I use to build my mail servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu. Also I would like to thank Sean Burnside for his help on the apache22 and horde cookies problem.
Note 1: You will need to request a webmail.<your_domain_name> alias for your mail server's IP address from whoever handles your IP registration.
Note 2: I use the terms “folder” and “directory” interchangeably; they mean the same thing. Also, terms placed in <>'s are usually variables, meaning don't type in the <>'s. For example <your sysadmin login username> is the username you su to root from. The exception to terms placed in <>'s being variables is the httpd.conf file.
Note 3: Why Qpopper? Most everybody where I work uses Eudora for their email client.
Note 4: I'll be adding special notes for those rebuilding a current FreeBSD box. These notes appear as “FreeBSD Server Rebuild?” paragraphs. I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process. I change the hostname on the new box till I'm done, then change it to the true server name after I've tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache22/httpd.conf, /usr/local/www/apache22/data/phpmyadmin/config.inc.php and /usr/local/etc/MailScanner/MailScanner.conf. I register backup server names (webmail2.bio.fsu.edu, bio2.bio.fsu.edu) so that I can test the server while I'm rebuilding. Previous versions had a method for moving the IMP address book database, but changes in database format have precluded that from working reliably. I recommend having your users export their address book to a file before the rebuild and then have them import it back afterwards.
Install FreeBSD 6.2. I usually do an “Average user, binaries and docs only” install, no X Windows. If you haven't installed FreeBSD before, instructions are at: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. I usually just download the bootonly.iso, burn it to CD, boot from CD, and go from there to install via the network interface.
Don't install ports when asked. I download the latest from the link on the FreeBSD website to make sure I get the latest version.
Add bash v3.x and no-login when asked if you want to install additional software (packages).
If you didn't include sources in your initial install, use sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains that you don't need. This cuts my kernel size to less than half its previous size. Directions for recompiling the kernel are at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html and here's a link to my “KERNCONF” file. Note that yours will almost certainly be different. You'll definitely want to look at CPU type, ethernet card and RAID controller; mine is set for Pentium >= II, Intel GB LAN and a 3ware 9500 RAID controller. Other than that it's a standard PC. Note: If you remove the inet6 stuff from the kernel you'll want to remove the “O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O” line in /etc/mail/sendmail.cf. More on that later.
The basic procedure for building and installing the new kernel is:
- cd to /usr/src/sys/i386/conf
- cp GENERIC <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<your host name in caps>”
- run “make installkernel KERNCONF=<your host name in caps>”
- reboot to use the new kernel (run “shutdown -r now”)
- mv /boot/kernel.old /boot/kernel.ORIG # ORIG assumes this is your first kernel recompile. Else change ORIG to something appropriate.
Hint: install all applicable security patches from http://www.freebsd.org/security before compiling the kernel. That way any patches that require a kernel rebuild are completed in the above step.
If you commented out ipv6 in the kernel, don't fret about the sendmail ipv6 error message; we'll deal with it shortly.
Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Make a directory for installing stuff. I use /usr/install, thus “mkdir /usr/install”.
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make it much more secure. I only allow ssh from my work PC. I allow sendmail, pop and imap from anywhere. I allow anything from localhost. I allow finger from inside biology. I deny all else. So mine looks like:
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.0.7 2005/12/07 15:17:44 sysalex Exp $
#
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imapd from localhost for IMP
ALL : localhost 127.0.0.1 : allow
ALL : bio.fsu.edu 128.186.38.55 : allow
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Prevent unregistered IP's from connecting.
#ALL : UNKNOWN : RFC931 20 : deny
# Allow sendmail, popper and imap from anywhere
sendmail : ALL : allow
popper : ALL : allow
qpopper : ALL : allow
imapd : ALL : allow
# Allow finger from inside biology
fingerd : .bio.fsu.edu : allow
fingerd : ALL : deny
# Allow ssh from alexpc
sshd : alexpc.bio.fsu.edu : allow
sshd : ALL : deny
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from the old box instead and change the local hostname if necessary.)
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex. “localhost.bio.fsu.edu”).
Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.ORIG” or something similar. Edit /etc/rc.conf and add
inetd_enable="YES"
sendmail_enable="YES"
On older versions of FreeBSD inetd_enable and sendmail_enable may already be on.
Reboot the computer to start sendmail and inetd.
FreeBSD 6.2 doesn't have perl by default, so we need to install version 5.8.8 or better. Cd to /usr/ports/lang/perl5.8 and install with a “make install”. Check the result with “perl -v”. You may have to do a “rehash” first, depending on your shell.
Install cclient. Cd to /usr/ports/mail/cclient and run “make -DWITH_SSL_AND_PLAINTEXT install”.
Cd to /usr/ports/mail/imap-uw and run “make -DWITH_SSL_AND_PLAINTEXT install”.
After the install finishes cd to /usr/ports/mail/imap-uw/files, make a backup copy of imap-uw.cnf, edit imap-uw.cnf and change
1.commonName_value = <FQDN of your machine>
Cd back to /usr/ports/mail/imap-uw and make a cert for imap with “make cert”. When asked for Common Name type in the FQDN of your machine.
Cd to /usr/ports/security/cyrus-sasl2-saslauthd and install with “make install”. This will also install cyrus-sasl2.
Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.BAK” or something similar. Edit /etc/rc.conf and add
cyrus_pwcheck_enable="YES"
saslauthd_enable="YES"
Cd to /usr/ports/mail/qpopper and install with “make install”. Leave the default options selected, but remove IP6 support if you removed it from your kernel (this option may not be available).
We want to make qpopper use tls/ssl pop. So cd to /usr/local/etc/qpopper and edit a new file called qpopper.conf, insert
set tls-support = stls
set tls-server-cert-file = /etc/mail/popcerts/cert.pem
and save the file. Edit a file called qpopper-altport.conf and insert
set tls-support = alternate-port
set tls-server-cert-file = /etc/mail/popcerts/cert.pem
and save the file. In case you're wondering, we're going to make ssl/tls pop work on both the standard port (110, via STLS) and the alternate port (995). This makes setting up email clients (Eudora, etc.) that much more foolproof. And that's a good thing.
Cd to /etc/mail and “mkdir popcerts”. Cd to popcerts and run
openssl req -new -nodes -out req.pem -keyout cert.pem
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 3650 -in req.pem -out signed-req.pem -CAcreateserial
cp cert.pem cert.pem.ORIG
cat signed-req.pem >> cert.pem
This will ask you a bunch of questions, twice, most of which aren't important. The only critical ones are:
- for passwords or pass phrases enter the same thing each time
- for common name enter the fully qualified domain name of your machine
Note that cert.pem ends up holding both the unencrypted private key and the certificate, so keep it readable by root only.
You can download the entire set of commands as a script here.
(FreeBSD Server Rebuild?: just scp cert.pem from your old box to your new box instead. Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.)
Cd to /etc and copy inetd.conf to inetd.conf.ORIG. Edit inetd.conf and change (add the pop3s line under your current pop3 line):
pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -l 1 -p 4 -f /usr/local/etc/qpopper/qpopper.conf
pop3s stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -l 2 -p 4 -f /usr/local/etc/qpopper/qpopper-altport.conf
# imap4 stream tcp nowait root /usr/local/libexec/imapd imapd # If you enable this you enable plain text passwords to imap
imaps stream tcp nowait root /usr/local/libexec/imapd imapd
HUP your inetd with “kill -HUP <pid of inetd>” and you should now be able to pop and imap into your email with an ssl/tls enabled email client.
If you're using a Eudora version previous to 6.2.5 add the certificate to your trusted certificates. For details see the bottom part of the page at: http://www.bio.fsu.edu/complabs/eudora.htm.
Note: The “-p 4” in the pop3 inetd lines enforces the use of ssl/tls pop. If you want to allow but not force ssl/tls pop remove the “-p 4” from the line(s) (not recommended).
Backup your /etc/make.conf with something like “cp /etc/make.conf /etc/make.conf.BAK”. Edit /etc/make.conf and add
# Add SMTP AUTH support to Sendmail
SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2
# Enable alternate port (smtps) for sendmail.
SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
Rebuild sendmail. Issue commands:
cd /usr/src
make buildworld
cd /usr/src/usr.sbin/sendmail
make clean
make depend
make
make install
Make an SSL cert for sendmail. These directions for creating the sendmail cert were obtained from sendmail.org. Issue commands:
cd /usr/install
mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /etc/ssl/openssl.cnf ./openssl.cnf
Ok, now edit openssl.cnf and change
dir = . # Where everything is kept
To make the CA (certificate authority):
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
To make a new certificate:
cd CA (same directory created above)
openssl req -nodes -new -x509 -keyout mykey.pem -out mykey.pem -days 365 -config openssl.cnf
(certificate and private key in file mykey.pem)
To sign the new certificate with the certificate authority:
cd CA (same directory created above)
openssl x509 -x509toreq -in mykey.pem -signkey mykey.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
rm -f tmp.pem
mkdir /etc/mail/certs
cp cacert.pem /etc/mail/certs
cp mycert.pem /etc/mail/certs
cp mykey.pem /etc/mail/certs
chmod 600 /etc/mail/certs/*.pem
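Added example, not from the original page or from sendmail.org: the same CA-signs-server-certificate flow as the popcerts and sendmail cert steps above, written as a non-interactive POSIX sh script together with the checks I would run before copying the files into /etc/mail/certs: that the certificate's Common Name is the FQDN, that it verifies against the CA, and that the private key is not group- or world-readable. The host name mail.example.test, the CA passphrase and the working directory are constructed; it uses “openssl x509 -req” with a private CA (as in the popcerts step) rather than the “openssl ca” directory layout, and 2048-bit keys because current OpenSSL builds can refuse to verify chains built on 1024-bit keys.

```sh
#!/bin/sh
# Added example, not part of the original page: non-interactive CA and
# server certificate creation plus the checks worth running before the
# files go into /etc/mail/certs. Everything here is constructed: the FQDN
# mail.example.test, the passphrase "ca-secret" and the work directory.
# Keys are 2048-bit (the page used 1024) so that "openssl verify" on a
# current OpenSSL does not reject the chain as too weak.

# make_certs DIR FQDN: create ca.key/ca.crt and a CA-signed server
# certificate cert.pem with its key key.pem in DIR. Non-zero on failure.
make_certs() {
    dir=$1; fqdn=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # every key file is created readable by owner only
        # CA private key, passphrase-protected as on the page
        openssl genrsa -des3 -passout pass:ca-secret -out ca.key 2048 2>/dev/null || exit 1
        # self-signed CA certificate
        openssl req -new -x509 -days 3650 -key ca.key -passin pass:ca-secret \
            -subj "/CN=Example Mail CA" -out ca.crt 2>/dev/null || exit 1
        # server key (unencrypted, so the daemon starts unattended) and CSR
        openssl req -new -nodes -newkey rsa:2048 -keyout key.pem \
            -subj "/CN=$fqdn" -out req.pem 2>/dev/null || exit 1
        # sign the CSR with the CA
        openssl x509 -req -CA ca.crt -CAkey ca.key -passin pass:ca-secret \
            -CAcreateserial -days 3650 -in req.pem -out cert.pem 2>/dev/null || exit 1
        rm -f req.pem
    )
}

# cert_cn DIR: print the Common Name found in cert.pem.
cert_cn() {
    openssl x509 -noout -subject -in "$1/cert.pem" | sed 's/.*CN *= *//'
}

# cert_chain_ok DIR: succeed only if cert.pem verifies against ca.crt.
cert_chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/cert.pem" >/dev/null 2>&1
}

# key_private DIR: succeed only if key.pem has no group/other permission bits
# (stat(1) differs between BSD and GNU, so ls -l is used instead).
key_private() {
    perm=$(ls -l "$1/key.pem" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Stand-alone demo, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_certs "$work" mail.example.test; then
        printf 'CN in certificate : %s\n' "$(cert_cn "$work")"
        if cert_chain_ok "$work"; then echo 'chain verifies    : yes'; else echo 'chain verifies    : NO'; fi
        if key_private "$work";   then echo 'key private       : yes'; else echo 'key private       : NO'; fi
    fi
    rm -rf "$work"
fi
```

The chain check is the one that catches a mixed-up file: a certificate signed by some other CA (say, the old box's CA after a rebuild) will not verify against the ca.crt you are about to ship with it.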
Generate a site mc file. Issue commands:
cd /etc/mail
make all
Edit the new mc file (<FQDN>.mc) and add
dnl set SASL2 options
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
dnl starttls stuff
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl change log level
define(`confLOG_LEVEL', `15')dnl
dnl change load levels
define(`confQUEUE_LA', `24')dnl
define(`confREFUSE_LA', `36')dnl
The “p” in confAUTH_OPTIONS is what keeps PLAIN and LOGIN from being offered until STARTTLS is active, so smtp-auth passwords never cross the wire in the clear.
If you disabled ipv6 support in your kernel you'll want to comment out the “DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')” line by putting a “dnl” at the start of the line.
Install the new cf file and restart sendmail with “make all install restart”.
Start sasl2 with “/usr/local/etc/rc.d/saslauthd start”.
You should now be able to send mail via a STARTTLS enabled mail client, even to domains that would require a relay.
If things don't work check the /var/log/maillog file for errors. If things do work you could bump the log level down in the mc file and enable that with a “make all install restart”.
To enable relaying from inside your domain without smtp-auth edit a new file /etc/mail/access. Mine looks like this:
fsu.edu RELAY
128.186 RELAY
146.201 RELAY
144.174 RELAY
evilspammer.com REJECT
You should replace “fsu.edu” and the IPs with the domain(s) and IPs from which you wish to relay mail without smtp-auth authentication.
Make the access database with “makemap hash access < access”. This creates a file called access.db.
Edit a file called /etc/mail/local-host-names and insert the domains for which the machine will be receiving mail. I receive mail for bio.fsu.edu and two other domains so mine looks like this:
bio.fsu.edu
southernmatters.com
lakejacksonturtles.org
Restart sendmail with "cd /etc/mail;make restart".
Edit /etc/mail/aliases and at least redirect root to an account you check. Also add any other aliases you want for your domain. Rebuild the alias database with “newaliases”.
(FreeBSD Server Rebuild?: scp local-host-names and certs from your old box to your new box. Paste any old aliases you had in /etc/mail/aliases into your new aliases file, and copy over any alias files you had.)
Cd to /usr/ports/www/apache22 and run “make install”.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf. I usually run a diff between the new file and the old file to spot any differences. If you are upgrading from apache1.3.x then be aware that the old httpd.conf file has been split up between /usr/local/etc/apache22/httpd.conf and /usr/local/etc/apache22/extra/*.conf.
Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs. Generate a certificate for your webserver by running the following commands. It's probably best to copy and paste them into something like /usr/local/sbin/mkwebcerts, chmod that to 700 and then run it.
openssl genrsa -des3 -out webmail.key 1024
openssl rsa -noout -text -in webmail.key
openssl rsa -in webmail.key -out webmail.key.unsecure
openssl req -new -x509 -nodes -sha1 -days 365 -key webmail.key -out webmail.crt
openssl x509 -noout -text -in webmail.crt
When asked for “Common Name” enter the FQDN you registered for your webmail server (i.e. webmail.<your domain name>). For the other questions the common sense answer is correct. When asked for a password or passphrase type in the same thing each time.
Chown the cert files to www:www and chmod them to 550. (webmail.key.unsecure is the key with the passphrase stripped so apache can start unattended; that is why its permissions matter.)
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box. Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.)
Edit httpd.conf and change
ServerName <your host name>
ServerAdmin <your email address>
Include etc/apache22/extra/httpd-userdir.conf
Include etc/apache22/extra/httpd-default.conf
Include etc/apache22/extra/httpd-ssl.conf
Edit httpd-ssl.conf and change
SSLCertificateFile /usr/local/etc/apache22/certs/webmail.crt
SSLCertificateKeyFile /usr/local/etc/apache22/certs/webmail.key.unsecure
Edit /etc/rc.conf and add
apache22_enable="YES"
apache22_ssl_enable="YES"
apache22_http_accept_enable="YES"
Here's a couple of hints for those of you new to apache.
The default install of apache does not have cgi-scripts enabled. To enable cgi scripts, change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows:
<Directory "/usr/local/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
(FreeBSD Server Rebuild?: don't just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql41-server and run “make install”. This will install both server and client. Edit /etc/rc.conf and add
mysql_enable="YES"
Cd to /usr/ports/lang/php4 and run “make install”. On the options screen enable “APACHE”, “DEBUG”, “MULTIBYTE”, “OPENSSL”, and if you compiled your kernel w/o IPV6 support, remove it here as well.
Cd to /usr/ports/lang/php4-extensions and run “make install”. On the options screen, leave the defaults already checked and add: DOMXML, FILEINFO, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MBSTRING, MCAL, MCRYPT, PDF, PSPELL and XML (may be selected already). Note that “OPENSSL” is NOT selected. The options in blue are not necessary but useful for other applications. Use the default options on any dependencies.
After the install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 32M ; max upload file size in webmail
post_max_size = 32M ; max upload file size in webmail
memory_limit = 64M ; Maximum amount of memory a script may consume (8MB)
Cd to /usr/ports/databases/pear-DB and run “make install”.
Cd to /usr/ports/sysutils/pear-Log and run “make install”. Enable pear-DB support.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache22/httpd.conf file. The chunk of code it was supposed to add is:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
and it goes right under the
#AddType application/x-gzip .tgz
block of code. If it didn't put it in (and it usually doesn't) go ahead and paste it in. Also you'll want to add index.php to the list of index pages under the DirectoryIndex section if it didn't get added. I use both php and shtml so mine looks like:
<IfModule dir_module>
DirectoryIndex index.php index.shtml index.html index.htm
</IfModule>
And add a directory entry for horde:
<Directory "/usr/local/www/apache22/horde">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Cd to /usr/ports/graphics/GraphicsMagick and install with "make install". This step is optional but a good idea if you plan to do any image manipulation with apache.
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this; just unzip and untar the contents to /usr/local/www/apache22/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with “chown -R www:www <folder name>”. Go into this folder and copy ./libraries/config.default.php to ./config.inc.php.
OK, reboot with a “shutdown -r now” and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpmyadmin page should load. If it doesn't you could try editing config.inc.php and change
$cfg['PmaAbsoluteUri'] = 'http://<your host name>/<phpMyAdmin folder>';
Click on privileges and delete all the users except root on localhost (2 any's and a root at machine name). If the user refuses to delete, remove all database and table specific privileges for that user and then try again. Edit the root at localhost user and set a password. Reload the mysql server. At this point it should kick you out. Edit config.inc.php and put in your new password:
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpmyadmin page. Chown config.inc.php to www:www and chmod it to 550.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache22/httpd.conf and adding an entry for the directory that reads (for example purposes I'm using phpMyAdmin as the folder name and replaced the IPs with X's and Y's):
<Directory /usr/local/www/apache22/data/phpMyAdmin>
AllowOverride AuthConfig
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
AuthName "Any blurb you want, gets displayed in login dialog box"
AuthType Basic
AuthUserFile /usr/local/etc/apache22/http_pws/phpMyAdmin.dat
Require valid-user
Satisfy All
</Directory>
The “Satisfy All” is what makes both conditions mandatory: a request must come from one of the listed IPs and carry a valid login. I put my directory entries underneath the one for /home/*/public_html.
You'll need to create the /usr/local/etc/apache22/http_pws folder. Then use the “htpasswd -c /usr/local/etc/apache22/http_pws/phpMyAdmin.dat <username>” command to create the phpMyAdmin.dat file.
Check your config file with “apachectl configtest” and if OK restart apache with “apachectl stop; apachectl startssl”. You should now be able to load the phpMyAdmin page from only the IPs you entered. Any other IP should return “Forbidden . . .”.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely) move your phpMyAdmin folder to somewhere safe and install the latest version.)
Get the latest version of mcafee for freebsd (vbsd440l.tar.z as of 12-10-2004) from somewhere. Go to your /usr/install directory and do a “mkdir vbsd” and then “cd vbsd”. (Vbsd440l.tar.z doesn't create its own directory when you untar it.) Move the installer to the current directory. Gunzip the installer, and then untar it. Then run ./install-uvscan and accept all defaults.
Here's where you run into problems with libc.so.3 (which doesn't exist), so cd to /usr/lib and then “ln -s libc.so.4 libc.so.3” (FreeBSD 4.11) or "ln -s /lib/libc.so.6 libc.so.3" (FreeBSD 6).
If uvscan complains about libm.so.2 (FreeBSD 6) then cd to /usr/lib and “ln -s libm.so libm.so.2”.
Install the latest dat files by untarring them to a temp directory and from that directory run “cp *.dat /usr/local/uvscan”.
Run “/usr/local/uvscan/uvscan --version” to check the results.
Cd to /usr/ports/mail/p5-Mail-SpamAssassin and install with “make install”. Leave all defaults selected and add MYSQL, RAZOR and TOOLS support.
Cd to /usr/ports/mail/mailscanner and install with “make install”. Deselect SPAMASSASSIN and CLAMAV, assuming you have already installed spamassassin and will be using uvscan, not clamav.
Generate the default config files with “make initial-config”.
Create the MailScanner spool directories with
mkdir -p /var/spool/MailScanner/incoming
mkdir /var/spool/MailScanner/quarantine
mkdir /var/spool/mqueue.in
chgrp daemon /var/spool/MailScanner/*
chgrp daemon /var/spool/mqueue.in
cd to /usr/local/etc/MailScanner and copy MailScanner.conf to MailScanner.conf.ORIG. Edit MailScanner.conf and change
%org-name% = <Your org name>
%org-long-name% = <Your org name in long format>
%web-site% = <link to whatever web page you want, a page describing mailscanner seems appropriate>
Expand TNEF = no
File Command = /usr/local/bin/file
Maximum Attachment Size = 41943040
Minimum Attachment Size = 1
Maximum Archive Depth = 0
Virus Scanners = mcafee
Virus Scanner Timeout = 600
Quarantine Infections = no
Quarantine Whole Message = yes
Always Include SpamAssassin Report = yes
Virus Subject Text = {Virus}
Filename Subject Text = {Filename}
Disarmed Modify Subject = no
Phishing Modify Subject = yes
Warning Is Attachment = no
Spam List = ORDB-RBL SBL+XBL # You can un-comment this to enable them
Spam Lists To Reach High Score = 2
Use SpamAssassin = yes
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes
High Scoring Spam Actions = delete
Enable Spam Bounce = no
cd to /usr/local/etc/MailScanner/mcp and copy mcp.spam.assassin.prefs.conf.sample to mcp.spam.assassin.prefs.conf.
cd to /usr/local/etc/rc.d. There should be two new startup scripts, mta and mailscanner. If they have .sample at the end, remove that.
Edit /etc/rc.conf, set sendmail_enable="NONE" and add the following:
mailscanner_enable="YES"
mta_enable="YES"
mta_type="sendmail"
mta_profiles="incoming outgoing submitqueue"
mta_incoming_flags="-L sm-mta-in -bd -OPrivacyOptions=noetrn -OQueueDirectory=/var/spool/mqueue.in -ODeliveryMode=queueonly"
mta_incoming_pidfile="/var/run/sendmail_in.pid"
mta_incoming_configfile="/etc/mail/sendmail.cf"
mta_outgoing_flags="-L sm-mta-out -q15m"
mta_outgoing_pidfile="/var/run/sendmail_out.pid"
mta_outgoing_configfile="/etc/mail/sendmail.cf"
mta_submitqueue_flags="-L sm-msp-queue -Ac -q15m"
mta_submitqueue_pidfile="/var/spool/clientmqueue/sm-client.pid"
mta_submitqueue_configfile="/etc/mail/submit.cf"
MailScanner should now be started when the system boots, but don't reboot or try to start it yet. The following is FYI only at this point.
To start, stop or restart MailScanner manually, use
/usr/local/etc/rc.d/mailscanner start/stop/restart
To start, stop or restart sendmail manually, use
/usr/local/etc/rc.d/mta start/stop/restart
Cd to /usr/ports/sysutils/file and install with “make install”.
Cd to /usr/ports/mail/pyzor and install with “make install”. If you deselected IP6 support in earlier steps, deselect it here as well.
Cd to /usr/ports/mail/dcc-dccd and install with “make install”.
Pyzor, razor and bayes need periodic updates. I run the following script from crontab once a day:
#!/usr/local/bin/bash
# get a list of the Pyzor servers
/usr/local/bin/pyzor discover
# refresh /root/.razor/
/usr/local/bin/razor-admin -discover
# re-build the Bayes database daily
/usr/local/bin/sa-learn -p /usr/local/etc/MailScanner/spam.assassin.prefs.conf --sync --force-expire
Cd to /usr/local/etc/MailScanner and copy spam.assassin.prefs.conf to spam.assassin.prefs.conf.ORIG. Edit spam.assassin.prefs.conf and add bayes_ignore_header lines for the org-name you added when editing MailScanner.conf. My org-name was “FSU-Biology” so my bayes_ignore_header lines are:
bayes_ignore_header X-FSU-Biology-MailScanner
bayes_ignore_header X-FSU-Biology-MailScanner-SpamCheck
bayes_ignore_header X-FSU-Biology-MailScanner-SpamScore
bayes_ignore_header X-FSU-Biology-MailScanner-Information
and change
pyzor_path /usr/local/bin/pyzor
Ok, now you can reboot. At this point you should have a fully functional mail server with MailScanner and SpamAssassin working, but no webmail, yet.
If /usr/local/www/horde already exists (from an untar of previous data) move it with something like “mv /usr/local/www/horde /usr/local/www/horde.OLD”.
Cd to /usr/ports/mail/imp and install with a “make install”. In the options box for Pear-Auth select PEAR-FILE-PASSWD, PEAR-NET-POP3 and PEAR-DB support. When the Pear-Mail options box appears select Pear-Net-Smtp support. The install will take quite a while as there are lots of dependencies, so this is a good time to get a cup of your favorite beverage.
Make sure the install added
# Horde's include directory
Include /usr/local/etc/horde
to the bottom of /usr/local/etc/apache22/httpd.conf. If not, add it.
And add
<Directory "/usr/local/www/horde">
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLRequireSSL
</Directory>
directly underneath the
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
block of code. SSLRequireSSL is what refuses plain http access to the horde directory, so login credentials can only be posted over the encrypted virtual host.
If someone types in http://webmail.<your domain name> we want them to get redirected to https://webmail.<your domain name>.
Cd to /usr/local/etc/apache22 and copy httpd.conf to httpd.conf.BAK. Look for the virtual host section (near the bottom). Add a virtual host for redirecting to your encrypted web server. The only way I can get virtual hosts to work is to make all the sites on the server a virtual host, so:
NameVirtualHost *:80
#
<VirtualHost *:80>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/apache22/data
ServerName <your host name>
ErrorLog /var/log/httpd-error.log
CustomLog /var/log/httpd-access.log common
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@<your host name>
DocumentRoot /usr/local/www/apache22/redirect
ServerName webmail.<your domain name>
ErrorLog /var/log/httpd-redirect-error.log
CustomLog /var/log/httpd-redirect-access.log common
</VirtualHost>
Now we have to make the redirect actually happen, so cd to /usr/local/www/apache22 and make a directory called redirect. Inside that edit a file called index.html and put in:
<HTML>
<HEAD>
<TITLE>Redirect to secure-webmail</TITLE>
</HEAD>
<BODY>
<p>
<font size="5">You are being redirected to
<a href="https://webmail.<your domain name>">https://webmail.<your domain name></a></font>
<p>
</BODY>
</HTML>
And create the encrypted virtual host. At the bottom of /usr/local/etc/apache22/httpd.conf you'll find
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
Change the DocumentRoot, ServerName and ServerAdmin values; you can also set up separate log files:
# General setup for the virtual host
DocumentRoot "/usr/local/www/horde"
ServerName webmail.<your domain name>
ServerAdmin webmaster@<your domain name>
ErrorLog /var/log/httpd-horde-error.log
TransferLog /var/log/httpd-horde-access.log
Note: You will want to replace <your host name> and <your domain name> with the machine's host name and domain name in the examples above. So watch the <>'s.
Cd to /usr/local/www/horde/scripts/sql and copy create.mysql.sql to create.mysql.sql.ORIG. Edit create.mysql.sql and change the password from “horde” to <something else> where it says:
-- IMPORTANT: Change this password!
password('horde')
Create the horde database with “mysql -u root -p < create.mysql.sql”, entering the mysql root password when prompted.
Verify that you can connect to the horde database with “mysql -u horde -p”, entering the horde password (<something else>) when prompted.
Chmod create.mysql.sql to 550 and chown it to root:wheel. Or edit it and wipe out the password.
Cd to /usr/local/etc/apache22/Includes and edit httpd-horde.conf. Change
php_value memory_limit 64M # should match value of memory_limit in /usr/local/etc/php.ini
Cd to /usr/local/www/horde/config and copy conf.php to conf.php.ORIG.
Add user www to trusted mail users: edit /etc/mail/trusted-users and put in “www”.
Cd to /usr/local/www/horde/imp/config. Copy servers.php to servers.php.ORIG. Edit servers.php and remove the four server configurations under the imap configuration (pop, cyrus, exchange, kolab). Change the imap configuration as follows:
$servers['imap'] = array(
    'name' => 'IMAP Server',
    // 'server' => '<Your host name>',
    'server' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap/ssl/novalidate-cert',
    'port' => 993,
    'folders' => 'Mail/',
    'namespace' => '',
    'maildomain' => '<Your domain name>',
    // 'smtphost' => '<Your host name>',
    'smtphost' => 'localhost',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'dotfiles' => false,
    'hierarchies' => array()
);
(The novalidate-cert part is needed because the imap-uw cert is self-signed; it is tolerable here only because IMP talks to imapd on localhost, not across the network.)
To change the "Welcome to Horde" blurb to "Welcome to Webmail.<domain name>" copy login.php to login.php.ORIG, edit login.php and change
$title = sprintf(_("Welcome to Webmail.<your domain name>"), $registry->get('name', ($imp_auth) ? 'horde' : null));
Cd to /usr/local/www/horde/turba/config and copy sources.php to sources.php.ORIG. Edit sources.php and look for the “localsql” section with “'title' => 'My Addressbook'”. Delete all the other sources for address books.
Create the turba database. Cd to /usr/local/www/horde/turba/scripts/sql and run “mysql -u root -p horde < turba_objects.mysql.sql”, entering the root password for MySQL when prompted.
Create the nag database. Cd to /usr/local/www/horde/nag/scripts/sql and run “mysql -u root -p horde < nag.sql”, entering the root password for MySQL when prompted.
GUI config of horde, imp, turba, ingo and nag
Reboot with a “shutdown -r now”. After your system comes back go to
https://webmail.<your domain name> and the horde config page should show up.
Click on Administration->Setup->Address Book (turba) and change
- Should we display an import/export link in Turba's menu: check
- Select any applications that should be linked in Turba's menu: Imp
- Name of client addressbook: localsql
Click the "Generate Address Book Configuration" button.
Click on Administration->Setup->Filters (ingo) and change
- Select any applications that should be linked in Ingo's menu: Imp
Click the "Generate Filters Configuration" button.
Click on Administration->Setup->Mail (imp) and change
- Select any applications that should be linked in IMP's menu: ingo, turba
Click the "Generate Mail Configuration" button.
Click on Administration->Setup->Tasks (nag) and change
- Choose MySQL as database backend
Click the "Generate Tasks Configuration" button.
Click on Administration->Setup->Horde (horde) and change
Database
- Database server/host = localhost
- Username to connect to the database as = horde
- Password = <something else>
- Database name to use = horde
Preference System
- What preferences driver should we use? = SQL Database
Authentication
- Which users should be treated as administrators ... = Administrator, <your sysadmin login username>
- What backend should we use for authenticating users to Horde? = Let a Horde application handle authentication
- The application which is providing authentication = imp
Click the "Generate Horde Configuration" button.
Log out from horde and log back in using <your sysadmin login username>. Most likely it will
fail. To fix: cd to /usr/local/www/horde/config, edit conf.php and set
$conf['session']['use_only_cookies'] = false;
Log in using <your sysadmin login username>. You should now have webmail and administration
rights. All other users who log in get just webmail.
Be aware of what that setting does: with use_only_cookies off, Horde will also accept the
session ID in the URL, so a session can be hijacked from a copied link or a Referer header and
session fixation becomes possible. Before falling back to it, check that the cookie domain and
path in conf.php ($conf['cookie']['domain'] and $conf['cookie']['path']) match the
https://webmail.<your domain name> URL that users actually visit; a mismatch there is a common
reason the cookie-based login fails.
If something goes wrong and/or you don't get administrative rights, cd to
/usr/local/www/horde/config, copy conf.php.ORIG back over conf.php, go to
https://webmail.<your domain name> and redo the setup.
Remove the horde@% user from MySQL
The horde@% user (horde allowed to connect from any host) is not needed, since Horde only
connects from localhost. Go to http://<your host name>/<phpMyAdmin folder> and click on
Privileges. Delete the horde@% user; as before, you may have to delete all of its
database- and table-specific privileges first. It's also possible this user won't exist,
though on my last install it was back. If the user doesn't exist just skip this step.
The MySQL root password travels over this connection, so use https if your phpMyAdmin
virtual host offers it.
Copy over users and data from previous system (if applicable)
Make sure you've copied over your users (the password files /etc/passwd and /etc/master.passwd,
plus /etc/group so the GIDs still resolve) and rebuilt the user database (vipw or
“pwd_mkdb /etc/master.passwd”). Change the hostname on the old server, or turn off sendmail,
MailScanner and inetd on it so it stops accepting mail; then tar up the data (/usr/local/www,
/home, /var/mail, etc.) on the old box, move it to the new box and untar it. The root www
directory on the box we are building is /usr/local/www/. Be careful to remove (or move aside)
the default web directories under /usr/local/www before untarring the old ones into that
location, so the two trees do not get mixed together.
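Before running pwd_mkdb on a master.passwd copied from the old server, it is worth checking the file for the things that go wrong in a merge: lines with the wrong number of fields, duplicate user names or UIDs, accounts with an empty password field, and UID 0 accounts other than root and toor. The sh script below is an added example, not part of the original procedure; it audits a constructed sample file (the user names and hashes in it are made up for the illustration) and returns the number of findings.

```shell
#!/bin/sh
# Added example: audit a master.passwd(5) file copied from another box before pwd_mkdb.
# Prints one finding per line; the return value is the number of findings (0 = clean).
audit_master_passwd() {
    awk -F: '
        BEGIN { findings = 0 }
        function note(msg) { findings++; print FILENAME ":" NR ": " msg }
        /^[ \t]*$/ || /^#/ { next }                         # skip blanks and comments
        # name:password:uid:gid:class:change:expire:gecos:home:shell
        NF != 10 { note("expected 10 fields, got " NF); next }
        ($1 in seen_name) { note("duplicate user name " $1) }
        { seen_name[$1] = 1 }
        $3 == 0 && $1 != "root" && $1 != "toor" { note("extra UID 0 account: " $1) }
        $1 == "toor" && substr($2, 1, 1) != "*" { note("toor has a usable password") }
        $3 != 0 && ($3 in seen_uid) { note("UID " $3 " shared by " seen_uid[$3] " and " $1) }
        !($3 in seen_uid) { seen_uid[$3] = $1 }
        $2 == "" { note("empty password field (login without a password): " $1) }
        $2 != "" && substr($2, 1, 1) != "*" && substr($2, 1, 1) != "$" && length($2) != 13 {
            note("unrecognized password hash for " $1)      # not locked, not $1$ md5, not 13-char DES
        }
        END { exit findings }
    ' "$1"
}

# Constructed sample (placeholder hashes, invented users), not a real password file.
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
root:$1$abcdefgh$FAKEHASHFAKEHASHFAKEHA:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:$1$zyxwvuts$FAKEHASHFAKEHASHFAKEHA:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$qwertyui$FAKEHASHFAKEHASHFAKEHA:1001:1003::0:0:Carol:/home/carol:/bin/sh
backdoor:$1$qwertyui$FAKEHASHFAKEHASHFAKEHA:0:0::0:0:oops:/root:/bin/sh
alice:*:1004:1004::0:0:dup:/home/alice2:/bin/sh
broken:x:1005:1005:Broken:/home/broken:/bin/sh
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_master_passwd "$sample"
audit_master_passwd "$sample"
echo "findings: $?"
rm -f "$sample"
# On the real box: audit_master_passwd /etc/master.passwd && pwd_mkdb /etc/master.passwd
```

The sample trips five findings: bob's empty password field, carol sharing UID 1001 with alice, the extra UID 0 account backdoor, the second alice entry, and the malformed broken line. Only run pwd_mkdb once the audit comes back clean.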
The FuzzyOcr plugin for SpamAssassin OCR-scans images for spam words and passes the
result on to SpamAssassin. If you are getting spam messages that are nothing but an image
and random text you might want to add this plugin. Directions are at fuzzyocr.htm.
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You'll need to reboot for this to take effect. Know what you are signing up
for: the securelevel can only be raised on a running system, so getting back below 3 means a
reboot into single-user mode. Securelevel 1 and above already prevents loading kernel modules
and clearing the schg and sappnd file flags; level 3 additionally stops changes to ipfw/pf
rules, so keep that in mind before the next firewall or kernel change. The -ss flag makes
syslogd open no network socket at all, so it neither accepts remote log messages nor can it
forward logs to a remote host.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild the database with
“cap_mkdb /etc/login.conf”. This only applies to passwords set from now on with passwd(1);
existing passwords are not re-checked. Also note that login.conf(5) describes mixpasswordcase
as controlling whether passwd(1) warns about all-lower-case passwords, so do not count on it
as a hard rejection; minpasswordlen is the hard limit.
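The two login.conf lines above are normally added by hand, but doing it with a script makes the change repeatable across the primary and the backup server described at the top of this page, and avoids ending up with two copies of the same capability in the default record. The sh functions below are an added example, not part of the original page: set_login_cap inserts a capability after the record header if it is missing and replaces the value in place if it already exists, and login_cap_value reads a value back (it does not follow tc= chains). The demo runs on a constructed excerpt modelled on a default login.conf; on the real system you would run it against /etc/login.conf and then cap_mkdb /etc/login.conf.

```shell
#!/bin/sh
# Added example: maintain capabilities in one record of login.conf(5) idempotently.
# set_login_cap FILE CLASS CAP      e.g. set_login_cap /etc/login.conf default minpasswordlen=8
# login_cap_value FILE CLASS NAME   prints the value ("true" for a boolean capability), exit 1 if absent
set_login_cap() {
    file=$1; class=$2; cap=$3
    name=${cap%%=*}
    awk -v class="$class" -v cap="$cap" -v name="$name" '
        # Rewrite the buffered record: replace an existing copy of the capability,
        # otherwise insert it right after the "class:\" header line.
        function flush(   i, found) {
            found = 0
            for (i = 1; i <= n; i++) {
                if (rec[i] ~ ("^[ \t]*:" name "(=[^:]*)?:")) {
                    sub(":" name "(=[^:]*)?:", ":" cap ":", rec[i]); found = 1
                }
            }
            for (i = 1; i <= n; i++) {
                print rec[i]
                if (i == 1 && !found) print "\t:" cap ":\\"
            }
            done = 1; n = 0
        }
        $0 ~ ("^" class "[|:]") { inrec = 1 }            # header: "default:\" or "daemon|Daemon class:\"
        inrec {
            rec[++n] = $0
            if ($0 !~ /\\$/) { inrec = 0; flush() }      # last line of a record has no trailing backslash
            next
        }
        { print }
        END { if (inrec) flush(); if (!done) exit 1 }    # exit 1 if CLASS was never seen
    ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    mv "$file.tmp" "$file"
}

login_cap_value() {
    awk -v class="$2" -v name="$3" '
        $0 ~ ("^" class "[|:]") { inrec = 1 }
        inrec && match($0, ":" name "(=[^:]*)?:") {
            v = substr($0, RSTART + 1, RLENGTH - 2)      # e.g. "minpasswordlen=8" or "mixpasswordcase"
            sub("^" name "=?", "", v)
            print (v == "" ? "true" : v)
            found = 1; exit
        }
        inrec && $0 !~ /\\$/ { inrec = 0 }
        END { exit !found }
    ' "$1"
}

# Demo on a constructed excerpt (not the real /etc/login.conf).
demo=$(mktemp)
cat > "$demo" <<'EOF'
default:\
	:passwd_format=md5:\
	:copyright=/etc/COPYRIGHT:\
	:minpasswordlen=6:\
	:umask=022:

root:\
	:ignorenologin:\
	:tc=default:
EOF
set_login_cap "$demo" default minpasswordlen=8     # replaces the existing =6 in place
set_login_cap "$demo" default mixpasswordcase      # boolean capability, inserted after the header
echo "minpasswordlen is now $(login_cap_value "$demo" default minpasswordlen)"
cat "$demo"
rm -f "$demo"
# Real system: set_login_cap /etc/login.conf default minpasswordlen=8 && cap_mkdb /etc/login.conf
```

Running set_login_cap twice with the same capability leaves the file unchanged, which is what you want from something that may be re-run on the backup box. Remember that login.conf is only the source; nothing takes effect until cap_mkdb has rebuilt login.conf.db.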
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log