QUOTE:
mysql_enable="yes"
QUOTE:
/usr/local/etc/rc.d/mysql-server.sh start
cyrus-sasl2
Get the cyrus-sasl2 crypt patches from http://frost.ath.cx/software/cyrus-sasl-patches/. You might want to add this link to your list of reference material. Follow the directions there to apply them to your cyrus-sasl2 source. Basically you're going to take all of the FreeBSD patch files and dump them into the /usr/ports/security/cyrus-sasl2/files/ dir.
QUOTE:
make -DWITHOUT_OTP=YES -DWITHOUT_NTLM=YES -DWITHOUT_GSSAPI=YES -DWITH_MYSQL
QUOTE:
make install && make clean
Don't bother to follow the config options on the frost page, just patch the source; we'll be covering the config later on.
Cyrus
You'll be using Cyrus 2.3.x for this.
Get the Autocreate INBOX patches for Cyrus from http://email.uoa.gr/projects/cyrus/autocreate/ for your version of Cyrus and save them in your homedir. You should bookmark this link for future reference as well. Obviously, if your version of Cyrus 2.3.x is not 2.3.3 then you should fetch the matching versions of the patches you need.
Compile and install Cyrus. Extract, patch, and compile it (in this case, 2.3.3):
QUOTE:
cd /usr/ports/mail/cyrus-imapd23/
make patch
cd work/cyrus-imapd-2.3.3/
patch -p1 < ~/cyrus-imapd-2.3.3-autocreate-0.10-0.diff
patch -p1 < ~/cyrus-imapd-2.3.3-autosieve-0.6.0.diff
cd ../..
make
Depending on your version, more or fewer patch files may be required. Just apply all of them.
Note that this differs from the default install paths but will bring things together nicely. Do not use /usr/local/cyrus/, which is where the cyrus programs are installed!
I realize it says servername, which should be the FQDN, and I'm telling you to use domain1.tld instead. The thing is, something is weird about the handling of domains and this seems to get around it. This could be a bug in Cyrus or a bug because of the way I'm doing things, but using domain1.tld seems to do the trick for me. Your mileage may vary. The autocreatequota option is set to 100MB in this example and you might want to bump that up.
If you have a CA file for your SSL/TLS cert, then be sure to set tls_ca_file to point at it as well in the part above.
This sieve script will be copied to newly created users, compiled into bytecode, and run against every message that is delivered to the user. All this one does is check whether the X-Spam-Flag header is present and set to YES. If it is, the message is filed into the spam folder, which was also auto-created (if for some reason it doesn't exist, the message goes to the INBOX instead). When a message is found to be spam by SpamAssassin it gets this header. Obviously that's something extra you'll have to add yourself, as I'm not covering it in this document.
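The script the paragraph above describes, written out as an added example: it is not the page's own phpscript and is not taken from the autocreate patches. It assumes the auto-created folder is named "spam" and that SpamAssassin has already added an "X-Spam-Flag: YES" header, as the text says.

```sieve
# Added example sieve script, not the HOWTO's own. Assumes the auto-created
# folder is called "spam" and that SpamAssassin sets "X-Spam-Flag: YES".
require ["fileinto"];

# :is is an exact match on the header value (case-insensitive, since the
# default comparator is i;ascii-casemap). A value with trailing junk would
# not match; use :contains instead if your spam filter is sloppy about that.
if header :is "X-Spam-Flag" "YES" {
    fileinto "spam";
    stop;
}
# Anything else falls through to the implicit keep, i.e. the INBOX.
```

Cyrus resolves fileinto "spam" relative to the user's INBOX, and if that folder is missing it delivers to the INBOX instead, exactly the fallback the text mentions. You can syntax-check the script with Cyrus's sievec before dropping it into the autosieve location.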
If using this sieve script doesn't work later on, you'll just have to create one with your test user, copy phpscript.script to phpscript, blow away your user and their sieve dir (see "How do I delete a user from my system entirely?" below), then try again.
Note: If you'll have any users using POP3 instead of IMAP then you'll probably want to skip all of the automatic sieve scripting settings. The reason is that POP3 only retrieves mail from the INBOX and not from other folders (such as the spam folder), so anything the script files elsewhere is invisible to those users.
You'll also need to change the sieve listen line to make it use port 2000 instead of the service name sieve, which does not exist in /etc/services (there is "callbook" on port 2000 which you could use instead, but why?). Editing this line is better than editing a standard system file which you'll end up updating someday anyway.
QUOTE:
sieve cmd="timsieved" listen="2000" prefork=0
This will spew a few lines saying that it created some files/dirs. If there are any errors, take care of them and try again. mkimap must be run as the cyrus user, so use sudo (or su) to run it as that user.
Make it so that cyrus will be started with the system by adding the following to the end of /etc/rc.conf:
QUOTE:
cyrus_imapd_enable="YES"
Start cyrus-imapd:
QUOTE:
/usr/local/etc/rc.d/imapd.sh start
If you go back and look in /usr/local/imap/ you'll notice that some more files have just been created there.
postfix
Compile and install postfix 2.3.x.
Compile postfix:
QUOTE:
cd /usr/ports/mail/postfix
make
A menu will appear asking you to select various options. This is mostly up to your own needs, but you'll want to make sure you select the TLS, SASL2, DB3 (provided SASL2 was built with it, which it is by default), and MySQL options at the very least. Make sure the "disable PCRE" option is not checked. I also use SPF, but that patch has sometimes needed a little reworking in the past to make it work with other options, and I won't cover that or how to configure SPF in this document.
Install postfix:
QUOTE:
make install
At this point you'll be asked if you want to replace sendmail, to which you need to answer Yes. Once done it will mention two different sets of lines to add to your /etc/rc.conf. One set would be fine if your postfix didn't depend on anything else; the other is more suited to our needs. Make sure
QUOTE:
sendmail_enable="NONE"
is set in your /etc/rc.conf file. The reason for this line is that our postfix will depend on a MySQL server having been started at (or about) the same time, so it has to be started by the port's own rc.d script rather than early in the boot through the sendmail hooks.
Tell postfix to only deliver one message at a time via cyrus. This line is added to main.cf:
QUOTE:
cyrus_destination_recipient_limit=1
Configure postfix to offer SMTP AUTH only when TLS is active, and enable TLS, by adding the following to your main.cf:
QUOTE:
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 10240000
virtual_transport = cyrus
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = no
smtpd_tls_key_file = /usr/local/etc/postfix/postfix.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.pem
smtpd_tls_CAfile =
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
If you have a CA file for your SSL/TLS cert, then be sure to set smtpd_tls_CAfile to point at it as well in the part above. Note that smtp_use_tls and smtpd_use_tls are the pre-2.3 spellings; Postfix 2.3 introduced smtp_tls_security_level = may and smtpd_tls_security_level = may, which mean the same thing and are what the current manual documents. Either form works on 2.3.x.
I've been told that some books and how-tos say to use sdbm instead of btree. Apparently the TLS support in Postfix 2.2.x only supports btree, and in fact if you look at the current manual it only mentions btree in its example.
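The security-relevant line in that block is smtpd_tls_auth_only = yes: it keeps the server from advertising AUTH, and so from accepting a cleartext PLAIN/LOGIN exchange, until STARTTLS has been negotiated. The following is an added example for checking that behaviour; it is not code from the HOWTO or from Postfix. check_server() does the live exchange against a host you name (the hostname is an assumption), while parse_ehlo() and auth_policy_ok() work on reply text captured from a telnet session or a packet capture, so they run offline on the constructed replies at the bottom.

```python
"""Check that SMTP AUTH is offered only after STARTTLS.

Added example, not part of the HOWTO and not Postfix code. It tests the
effect of smtpd_tls_auth_only = yes: the plaintext EHLO reply must not
advertise AUTH, the post-STARTTLS one must.
"""
import smtplib
import ssl


def parse_ehlo(reply: str) -> dict:
    """Map each '250-KEYWORD params' / '250 KEYWORD' line to {KEYWORD: params}."""
    features = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def auth_policy_ok(before_tls: str, after_tls: str) -> bool:
    """True only if STARTTLS is offered and AUTH appears after it, never before."""
    pre = parse_ehlo(before_tls)
    post = parse_ehlo(after_tls)
    return "AUTH" not in pre and "STARTTLS" in pre and "AUTH" in post


def check_server(host: str, port: int = 25, context: ssl.SSLContext = None) -> bool:
    """Live check against a real server (host is an assumption; not run offline).

    The default context verifies the certificate, which fails against the
    self-signed postfix.pem from this HOWTO; pass a context that trusts your
    CA (or, for a lab check only, one with verification off).
    """
    if context is None:
        context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("probe.example")
        if s.has_extn("auth"):           # AUTH over cleartext: policy violated
            return False
        if not s.has_extn("starttls"):
            return False
        s.starttls(context=context)
        s.ehlo("probe.example")          # must EHLO again; features reset after TLS
        return s.has_extn("auth")


# Constructed sample replies shaped like Postfix's (not captured from a real host).
GOOD_BEFORE = (
    "250-mail.domain1.tld\n250-PIPELINING\n250-SIZE 10240000\n"
    "250-STARTTLS\n250 8BITMIME"
)
GOOD_AFTER = (
    "250-mail.domain1.tld\n250-PIPELINING\n250-SIZE 10240000\n"
    "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 8BITMIME"
)
BAD_BEFORE = "250-mail.domain1.tld\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print("auth only after TLS:", auth_policy_ok(GOOD_BEFORE, GOOD_AFTER))  # True
    print("auth before TLS:    ", auth_policy_ok(BAD_BEFORE, GOOD_AFTER))   # False
```

The BAD_BEFORE reply is what you would see with smtpd_tls_auth_only left at its default of no: AUTH sits next to STARTTLS in the cleartext greeting, and a client that never upgrades will happily send its password in the clear.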
Make sure the path to the cyrus deliver program is correct and set the delivery user properly in master.cf (the second line must start with whitespace so Postfix reads it as a continuation of the cyrus entry):
QUOTE:
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/local/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}@${nexthop}
But Ed, we haven't created the database or tables in MySQL yet! Nope, we haven't. We're going to do that in a bit when we get to postfixadmin, as that port includes the MySQL schema files.
apache
We'll be using a default Apache 2.2.x installation for this:
QUOTE:
cd /usr/ports/www/apache22
make && make install && make clean && rehash
QUOTE:
apache22_enable="yes"
PHP
Install the PHP4 base:
QUOTE:
cd /usr/ports/lang/php4
make && make install && make clean
The default options here should be fine. Make sure the Apache2 checkbox is checked, though.
This is where the major fun for PHP4 is. In the selection menu that comes up, you'll need the following at a minimum for all of this: imap, mcrypt, mhash, MySQL, OpenSSL, and PCRE. There'll be some other stuff selected and that's fine. Once this is done your options will be saved to the file
In a bit we'll need to make a couple of changes to it, which is why we're making it writable by root (the owner).
SquirrelMail will need the pear-DB port installed, but the SM port doesn't install it for some reason, so we'll take care of that now.
Install:
QUOTE:
cd /usr/ports/databases/pear-DB
make install && make clean
phpMyAdmin
Installing phpMyAdmin is optional but might be handy. Feel free to skip it.
QUOTE:
cd /usr/ports/databases/phpmyadmin/
make && make install && make clean
QUOTE:
Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
    Options Indexes MultiViews
    AllowOverride None
    Order deny,allow
    allow from 12.34.56.78
    deny from all
</Directory>
You'll want to put your own IP address in there, and any others on separate allow lines, one for each host you want to grant access to phpMyAdmin. You don't want the world to have access to this, do you? With Order deny,allow the deny rules are evaluated first and the allow rules last, so a host that matches an allow line gets in even though deny from all also matches it, and everybody else is refused; the allow lines are the entire access list. (Indexes is not needed here either; it only turns on directory listings.)
Go edit the phpMyAdmin config file appropriately so it'll actually work and be a little more secure (requiring a password, etc).
postfixadmin
Install:
QUOTE:
cd /usr/ports/mail/postfixadmin
make install
Now let's install the DB schema that we'll be using for pretty much everything. These instructions are mostly from the DATABASE_MYSQL.TXT file:
QUOTE:
mysql -u root -p < ~/DATABASE_MYSQL.TXT
Note that this file inserts two users into the MySQL user table, one for postfix itself and another for postfixadmin. The passwords are the same as the usernames by default. You should edit the file to change the passwords to something better than the defaults before loading it, and then go back and set the changed password in the files used by postfix and cyrus if you didn't set those already.
Now add the following to /usr/local/etc/apache22/Includes/mine.conf:
QUOTE:
Alias /postfixadmin/ "/usr/local/www/postfixadmin/"
<Directory "/usr/local/www/postfixadmin">
    Options Indexes
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
Unlike phpMyAdmin this one is left open to all hosts, because your users and domain admins log in here; postfixadmin's own login is the only gate, which is one more reason to change the default admin password below.
postfixadmin has three modes: admin, user, and domain admin. admin mode will be used by you to do everything. user mode will be used by your users to change their passwords and set their forwarding address when/if needed. domain admin will be used by the users whom you're hosting a mail domain for; they can log in and administer their own domains to add/remove users and aliases.
Edit config.inc.php and make things nice. Things of primary note are the username and password (if changed from the above DB schema install) for the postfix database and the virtual mail tables, and the password format to generate, which needs to be set to md5crypt so that what lands in the mailbox table is a crypt(3)-style hash, the kind the crypt patches we applied to cyrus-sasl2 check logins against.
Fix the annoying create-mailbox checkbox, which we'll never use:
QUOTE:
joe templates/create-mailbox.tpl
Remove the checked attribute from the HTML input tag named fMail, which is near the bottom of the page. You will not be using this option at all. No point in always having to uncheck it, right? And really, you can just comment out that whole part so it doesn't blemish the world.
Fix a bug in their code which breaks this app with MySQL:
Somewhere in the 4.4.x line of PHP they added support for handling various character sets properly when escaping strings with mysql_real_escape_string(). Unfortunately this requires that you have an active connection to the database server. At several points in the postfixadmin code they escape the user-supplied strings (which is very good) before they have established a connection to any database server (in this case that's bad). To fix this, open the file functions.inc.php and find the escape_string function. You need to add a call to the function db_connect() inside the block that has the three IF statements, so that it has the db_connect() call first, then the three IF statements. Don't forget to add the semicolon to the end of the line, and then save it.
Fire up a browser and go to http://somehost/postfixadmin/ and it'll tell you that you need to run setup. The setup isn't really a setup so much as a checkup. Once you click on the setup link, you should see a list of checks all saying OK. It'll probably complain about PHP's magic quotes being off, but ignore that as postfixadmin has its own internal workaround. Click on the link to continue into the admin section.
Disable setup.php:
QUOTE:
mv setup.php setup.hph
If the file remains, even if unreadable by apache, postfixadmin will always want to run its little "setup" routine, which is pointless since we've already done it. You could probably just rm this file, but you might need it again for some reason.
Feel free to substitute another username for admin, but make sure you also either remove the admin user or change its password. The -m option says to generate an MD5 hashed password, and -b says that the password will be supplied on the command line. Feel free to omit the -b option and the password on the command line so that it prompts you for it instead; a password given as an argument ends up in your shell history and is visible to other users in the process list while the command runs. I only use that option in this document to make it easier to cut and paste.
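Both the md5crypt setting in config.inc.php above and htpasswd's -m here produce the same construction, MD5-crypt, under two different magic strings: "$1$" is what postfixadmin writes into the mailbox table and what the crypt-patched cyrus-sasl2 compares logins against, and "$apr1$" is the Apache variant htpasswd -m writes. The following is an added example showing that format from both sides, hashing and verification; it is not code from the HOWTO, postfixadmin, cyrus-sasl or htpasswd, and the sample password and salt are made up.

```python
"""MD5-crypt ("$1$") and Apache APR1 ("$apr1$") hashing and verification.

Added example; not code from the HOWTO, postfixadmin, cyrus-sasl or htpasswd.
The 1000-round loop is the algorithm's fixed work factor; it is weak by
modern standards and is shown to document the format, not to recommend it.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return magic + salt + "$" + hash, as crypt(3) does for a "$1$" salt.

    `salt` is the bare salt (no magic); at most 8 chars, cut at any "$".
    """
    pw = password.encode("utf-8")
    salt = salt[:8].split("$")[0]
    sb = salt.encode("utf-8")

    ctx = hashlib.md5(pw + magic.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)                       # mix in len(pw) bytes of the alternate digest
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)                       # per bit of len(pw): NUL for 1, first pw byte for 0
    while n > 0:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):             # the deliberately irregular stretching schedule
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final                         # bytes are interleaved before encoding
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{magic}{salt}${encoded}"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet (postfixadmin/htpasswd do this for you)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password: str, stored: str) -> bool:
    """Check a password against a "$1$salt$hash" or "$apr1$salt$hash" string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("1", "apr1"):
        return False
    candidate = md5crypt(password, parts[2], f"${parts[1]}$")
    return hmac.compare_digest(candidate.encode(), stored.encode())


def matches_system_crypt(password: str, salt: str):
    """Cross-check against libc crypt(3) where Python still exposes it.

    Returns True/False, or None when the crypt module is gone (Python 3.13+)
    or the platform libc does not implement "$1$".
    """
    try:
        import warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    system = crypt.crypt(password, f"$1${salt}$")
    if not system or not system.startswith("$1$"):
        return None
    return system == md5crypt(password, salt)


if __name__ == "__main__":
    h = md5crypt("s3cret", new_salt())          # what ends up in mailbox.password
    print(h, verify("s3cret", h), verify("wrong", h))
```

verify() is what a login check amounts to: re-run the hash with the salt taken from the stored string and compare. Note that the salt only has to be unique per user, not secret, and that the comparison is done with hmac.compare_digest so a wrong guess is not distinguishable by timing.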
Now we need to add a database and tables to MySQL for the user preferences and address books.
First, create the database SquirrelMail will use (you will also need a MySQL account for it, the squirreluser/sqpassword pair used in the DSN later on, with privileges limited to this one database rather than reusing root or the postfix account):
QUOTE:
mysqladmin create squirrelmail
compatibility
This provides some APIs needed by various plugins in order to work with multiple versions of SM. In particular we'll need this for the vlogin plugin. You're likely to need it for other plugins as well. We'll use the port to install this for us:
QUOTE:
cd /usr/ports/mail/squirrelmail-compatibility-plugin/
make install && make clean
avelsieve
avelsieve is brought to us by the same people who made the autocreate patches for cyrus-imapd. Currently you can get this plugin from http://www.squirrelmail.org/plugin_view.php?id=73, but be sure to check for updates.
QUOTE:
cd /usr/local/www/squirrelmail/plugins
tar xvfz ~/avelsieve-1.9.2.tar.gz
chown -R root:www avelsieve
cd avelsieve/config
cp config_sample.php config.php
cd ../..
quota_usage
Currently you can get this plugin from http://www.squirrelmail.org/plugin_view.php?id=59. Extract and set permissions:
QUOTE:
cd /usr/local/www/squirrelmail/plugins
tar xvfz ~/quota_usage-1.3-1.2.7.tar.gz
chown -R root:www quota_usage
cd quota_usage
cp config.php.sample config.php
cd ..
vlogin
Install the plugin:
QUOTE:
cd /usr/ports/mail/squirrelmail-vlogin-plugin
make install && make clean
In the event your system does not have the vlogin port, you'll need to get it from
QUOTE:
cd /usr/local/www/squirrelmail/plugins
tar xvfz ~/vlogin-3.8.0-1.2.7.tar.gz
chown -R root:www vlogin
Now edit config.php and find the $virtualDomains array defined near the top. It'll have a couple of virtual domains defined already, but we're going to replace them:
QUOTE:
'host.domain1.tld' => array(
    'domain'    => 'domain1.tld',
    'org_name'  => 'Domain One',
    'org_title' => '(isset($_SESSION["username"]) ? $_SESSION["username"] . " - Mail" : "Mail")',
),
'host.domain2.tld' => array(
    'domain'    => 'domain2.tld',
    'org_name'  => 'Domain Two',
    'org_title' => '(isset($_SESSION["username"]) ? $_SESSION["username"] . " - Mail" : "Mail")',
),
You'll need to add a similar section for each hostname that someone will use to access their webmail. For example, say you have your server set up so that domain1.tld and www.domain1.tld serve the same content instead of domain1.tld redirecting to www.domain1.tld (or vice versa). For this to work right you'll have to have two sections with the only difference being the hostname.
As you can see we've also removed the logo setting from the sample, as you won't have the image it refers to. There are a lot of other settings which we aren't using, but you can look at the other sample configs to find them later. For now we don't need them.
Configure SquirrelMail
QUOTE:
cd /usr/local/www/squirrelmail
config/conf.pl
There's a ton of stuff in here you will want to set, such as your organization name and URL. The critical things are the following, however:
Server Settings / IMAP Settings: Select cyrus as the Server Software, change the Delimiter from . (dot) to / (slash), and set Authentication type to login.
Plugins: Add the compatibility, vlogin, quota_usage, and avelsieve plugins to the Installed Plugins list from the Available Plugins list.
Database: Set DSN for Address Book and DSN for Preferences to both be mysql://squirreluser:sqpassword@localhost/squirrelmail
Folder Options: Change the Trash, Sent, and Drafts paths to all use a / (slash) instead of a . (dot). Also change the Unseen Notify option from "Only on the INBOX" to "On all folders."
Add domains, users, and aliases
Open a browser and go to http://somehost/postfixadmin/admin/ and feed it whatever username and password we configured for that (admin:admin is the default, but I told you it should be changed, remember?).
Click on New Domain. Type in your domain, and the same for the description as well. The first domain we add should be the domain1.tld that we used in the configs earlier. Adjust the Aliases and Mailboxes numbers accordingly; these are the maximum that postfixadmin will allow to be created for each. Only postfixadmin cares about these two values. The Quota value can be ignored, but you should set it to the same value (in MB) as was set in the cyrus imapd.conf file. If you check the Add default mail aliases option then abuse, hostmaster, webmaster, and postmaster aliases will be created for this domain. You almost certainly want to do this. Click on Add domain to finish up.
Now click on Add mailbox. The first user we have to create is the cyrus admin user, which will simply be "cyrus". This special user will be used to log in and administer the cyrus system via the cyradm program. If you added more than one domain in the earlier step, make sure you select the domain you want this user to be in from the pulldown list on the right. Now fill in the password and name fields. Make sure Active is checked and (if you didn't just comment it out entirely) that Create mailbox is not checked. Click on Add mailbox to finish.
Near the end of the postfix section we added an alias for cyrus to go to the postmaster alias (which in turn points to the root alias). This cyrus user we just created is for admin purposes of the cyrus system only.
If you want to create an alias that directs mail to multiple users (or aliases), then create your alias as described for a single person, then go to the Virtual List, select the domain with the alias you just added, and edit the added alias. If you've added a lot of aliases and the one you want isn't listed, click on the round right-arrow at the top right of the alias list. Once you edit an alias you'll have a textarea to add multiple targets to, one fully-qualified address per line.
Go back a couple of steps and make your own email account before continuing.
Now let's see if we can log in as our newly created user. Go to http://somehost/squirrelmail/ and enter your username and password for the mailbox you just created, in the form user@domain.tld even though we've set up vlogin. Within seconds you should be logged in and see a mail folder list on the left and the INBOX on the right. Remember those autocreate options we added to cyrus-imapd? In the folder list you'll see one called "spam." If you click on "Filters" along the top you should see that the first rule is the Spam rule.
How do I delete a user from my system entirely?
Assuming you've already deleted the user from the MySQL tables, either manually or using postfixadmin (preferred), your next step is to log in to the cyrus admin shell, cyradm, as the cyrus admin user:
QUOTE:
cyradm --user cyrus@domain1.tld localhost
Once you enter the correct password you'll get the cyradm prompt; enter the following:
QUOTE:
sam user/user@domain.tld cyrus all
dm user/user@domain.tld
The sam command gives the user cyrus (your cyrus admin user) full rights to the user's INBOX. The dm command then deletes the user's INBOX and everything below it. Once a mailbox has been deleted, it is gone forever. There is no recovery short of restoring an old backup (if you have one). Notice the user/ at the beginning of the user's email address? That's because you can have public folders off the root of the cyrus folder space. Check the cyrus docs for more information on that; it can be a bit tricky.
Troubleshooting
This section needs to be expanded greatly.
P: When I try to log in from a remote client I get a "user not found" error, and I see that my name is 'name@domain.tld.' in the mysql log, but it works fine when I log in from the server itself (pine or squirrelmail installed on the server).
S: Check your /etc/hosts file and make sure there are no periods at the ends of your host names. Your server may be working fine, but cyrus pays a lot of attention to things like the hostname so it is critical that they be correct.
End
So easy!