<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
<article>
<!-- Header -->
<artheader>
<!-- title of HOWTO, include the word HOWTO -->
<title>Postfix-Cyrus-Web-cyradm-HOWTO</title>
<author>
<firstname>Luc</firstname>
<surname>de Louw</surname>
<affiliation>
<address>
<email>luc at delouw.ch</email>
</address>
</affiliation>
</author>
<revhistory>
<revision>
<revnumber>1.2.6</revnumber>
<date>2004-03-30</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added minor additions and corrected to amavisd-new, corrected cronjob-time for freshclam
</revremark>
</revision>
<revision>
<revnumber>1.2.5</revnumber>
<date>2004-03-28</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added Anti-Virus and SPAM methods (amavisd-new, spamassassin, clamav), updated cyrus-imapd section with update instructions, added instruction to restrict imapd admin access.
</revremark>
</revision>
<revision>
<revnumber>1.2.4</revnumber>
<date>2003-11-30</date>
<authorinitials>ldl</authorinitials>
<revremark>
Input from English proofreading, minor correction and enhancements from user-input, updated software mentioned in the HOWTO
</revremark>
</revision>
<revision>
<revnumber>1.2.3</revnumber>
<date>2003-03-24</date>
<authorinitials>ldl</authorinitials>
<revremark>
Some minor correction and enhancements from user-input, updated software mentioned in the HOWTO
</revremark>
</revision>
<revision>
<revnumber>1.2.2</revnumber>
<date>2003-02-14</date>
<authorinitials>ldl</authorinitials>
<revremark>
Lots of grammar and typos fixed. Some corrections to the pam_mysql Makefile
</revremark>
</revision>
<revision>
<revnumber>1.2.1</revnumber>
<date>2003-02-12</date>
<authorinitials>ldl</authorinitials>
<revremark>
Non-official test-release: Added lots of fixes and updates. Added OpenSSL and more pam related stuff.
</revremark>
</revision>
<revision>
<revnumber>1.2.0</revnumber>
<date>2002-10-16</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added lot of user requests, updated the software mentioned in the HOWTO
</revremark>
</revision>
<revision>
<revnumber>1.1.7</revnumber>
<date>2002-10-15</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added Michael Muenz' hints for SMTP AUTH, corrected ca-cert related mistake, improved SGML code (more metadata), updated the software mentioned in the document.
</revremark>
</revision>
<revision>
<revnumber>1.1.6</revnumber>
<date>2002-06-14</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added sasl_mech_list: PLAIN to imapd.conf, added web-cyradm mailinglist, added more
to web-cyradm
</revremark>
</revision>
<revision>
<revnumber>1.1.5</revnumber>
<date>2002-06-11</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added new SQL query to initialize web-cyradm
to have full data integrity in the MySQL Database, mysql-mydestination.cf reported to be operational as
expected.
</revremark>
</revision>
<revision>
<revnumber>1.1.4</revnumber>
<date>2002-05-15</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added description what is needed in /etc/services
Another fix for pam_mysql compile, updated software versions.
</revremark>
</revision>
<revision>
<revnumber>1.1.3</revnumber>
<date>2002-05-08</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added more description for web-cyradm, fix for wrong path of the saslauthdb-socket, Fix for
wrong place of com_err.h, protection of the TLS/SSL private key.
</revremark>
</revision>
<revision>
<revnumber>1.1.2</revnumber>
<date>2002-04-29</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added description for Redhat users how to install the init scripts.
</revremark>
</revision>
<revision>
<revnumber>1.1.1</revnumber>
<date>2002-04-29</date>
<authorinitials>ldl</authorinitials>
<revremark>
Fixed bug in configuring cyrus-IMAP (disabled unused kerberos authentication)
</revremark>
</revision>
<revision>
<revnumber>1.1.0</revnumber>
<date>2002-04-28</date>
<authorinitials>ldl</authorinitials>
<revremark>
Initial support for building cyrus from source, dropped binary installation
for Cyrus, because configuration has changed with Release 2.1.x
</revremark>
</revision>
<revision>
<revnumber>1.0.2</revnumber>
<date>2002-04-25</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added basic description for sieve and correct sender handling, minor fixes to db related
stuff, Added mysql-lookup for "mydestination", fixed bug for building postfix
with mysql support.
</revremark>
</revision>
<revision>
<revnumber>1.0.1</revnumber>
<date>2002-04-07</date>
<authorinitials>ldl</authorinitials>
<revremark>
Added an important fix for compiling pam_mysql
</revremark>
</revision>
<revision>
<revnumber>1.0.0</revnumber>
<date>2002-04-07</date>
<authorinitials>ldl</authorinitials>
<revremark>
Initial Release
</revremark>
</revision>
<!-- Additional (*earlier*) revision histories go here -->
</revhistory>
<abstract>
<indexterm>
<primary>Postfix and Cyrus</primary>
</indexterm>
<para>
This document guides you through the installation of the Postfix mail transport agent (MTA)
and the Cyrus IMAP server. The goal is a fully functional, high-performance
mail system with user administration through Web-cyradm, a web interface. Data such as virtual users,
aliases etc. are stored in a MySQL database.
</para>
</abstract>
</artheader>
<!-- Section1: intro -->
<sect1 id="intro">
<title>Introduction</title>
<para>
The cyrus part is only valid for Cyrus-IMAP 2.1.x and Cyrus-SASL 2.1.x. If you plan to use Cyrus-IMAP 2.0.x
then please consult the deprecated version 1.0.x of this HOWTO.</para>
<para>
I strongly recommend that you upgrade to Cyrus version 2.1.x. If you do so, you will have a much better chance of getting
valuable support from the user community.</para>
<indexterm>
<primary>disk!introduction</primary>
</indexterm>
<sect2>
<title>Contributors and Contacts</title>
<para>First I would like to thank all those people who sent questions and suggestions that made the
further development of this document possible. It shows me that sharing knowledge is the right way.
I would encourage you to send me more suggestions, just write me an email: <email>luc at delouw.ch</email>
</para>
</sect2>
<sect2>
<title>Why I wrote this document</title>
<para>There are different approaches to setting up a mail system. Most documents that are available are
related to Sendmail, procmail, WU-IMAPd and friends. These packages are very good but are unfortunately very
inflexible in their user administration.
</para>
<para>For a long time I was testing alternative MTAs like qmail, Postfix and Exim, in conjunction with IMAP/POP servers like
Cyrus, vpopmail, Courier IMAP and others.</para>
<para>At the end of the day, from my point of view the combination Postfix/Cyrus seems to be the
most flexible and best performing solution.</para>
<para>All these combinations of software had one thing in common: there was very little documentation available
describing how these packages work together with each other.
To install the software, a lot of effort had to be spent gathering all the information needed to get all the
software running.</para>
</sect2>
<!-- Section2: copyright -->
<sect2 id="copyright">
<title>Copyright Information</title>
<para>
This document is copyrighted (c) 2002, 2003, 2004 Luc de Louw and is
distributed under the terms of the Linux Documentation Project
(LDP) license, stated below.
</para>
<para>
Unless otherwise stated, Linux HOWTO documents are
copyrighted by their respective authors. Linux HOWTO documents may
be reproduced and distributed in whole or in part, in any medium
physical or electronic, as long as this copyright notice is
retained on all copies. Commercial redistribution is allowed and
encouraged; however, the author would like to be notified of any
such distributions.
</para>
<para>
All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under this
copyright notice. That is, you may not produce a derivative work
from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the Linux HOWTO coordinator at
the address given below.
</para>
<para>
In short, we wish to promote dissemination of this
information through as many channels as possible. However, we do
wish to retain copyright on the HOWTO documents, and would like to
be notified of any plans to redistribute the HOWTOs.
</para>
<para>
If you have any questions, please contact
<email>linux-howto at metalab.unc.edu</email>
</para>
</sect2>
<!-- Section2: disclaimer -->
<sect2 id="disclaimer">
<title>Disclaimer</title>
<para>
No liability for the contents of this document can be accepted.
Use the concepts, examples and other content at your own risk.
As this is a new edition of this document, there may be errors
and inaccuracies, that may of course be damaging to your system.
Proceed with caution, and although this is highly unlikely,
the author(s) do not take any responsibility for that.
</para>
<para>
All copyrights are held by their respective owners, unless
specifically noted otherwise. Use of a term in this document
should not be regarded as affecting the validity of any trademark
or service mark.
</para>
<para>
Naming of particular products or brands should not be seen
as endorsements.
</para>
<para>
You are strongly recommended to take a backup of your system
before major installation and backups at regular intervals.
</para>
</sect2>
<!-- Section2: newversions-->
<sect2 id="newversions">
<title>New Versions</title>
<indexterm>
<primary>(your index root)!news on</primary>
</indexterm>
<para>New versions of this document are announced on Freshmeat.</para>
<para>
The latest version of this document can be obtained from
<ulink url="http://www.delouw.ch/linux">http://www.delouw.ch/linux</ulink>
</para>
<para>
<itemizedlist>
<listitem>
<para>
<ulink url="http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/index.html">HTML</ulink>.
</para>
</listitem>
<listitem>
<para>
<ulink url="http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.ps">
Postscript (ISO A4 format)</ulink>.
</para>
</listitem>
<listitem>
<para>
<ulink url="http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.pdf">Acrobat PDF</ulink>.
</para>
</listitem>
<listitem>
<para>
<ulink url="http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.sgml">SGML Source</ulink>.
</para>
</listitem>
<listitem>
<para>
<ulink url="http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.tar.gz">HTML gzipped tarball</ulink>.
</para>
</listitem>
</itemizedlist>
</para>
</sect2>
<!-- Section2: credits -->
<sect2 id="credits">
<title>Credits</title>
<itemizedlist>
<listitem>
<para>
Martynas Bieliauskas <email>martynas at inet.lt</email> submitted a good idea how to restrict the cyrus admin to localhost only.
</para>
</listitem>
<listitem>
<para>
Michael Muenz <email>m.muenz at maxonline.de</email> for his help with SMTP Authentication
</para>
</listitem>
<listitem>
<para>
Ron Wheeler <email>rwheeler at artifact-software.com</email> for his help with editing for readability
</para>
</listitem>
<listitem>
<para>
The nice people at <email>discuss at tldp.org</email> for
supporting me in writing the HOWTOs.
</para>
</listitem>
</itemizedlist>
</sect2>
<!-- Section2: feedback -->
<sect2 id="feedback">
<title>Feedback</title>
<para>
Feedback is most certainly welcome for this document. Without
your submissions and input, this document wouldn't exist. Please
send your additions, comments and criticisms to the following
email address : <email>luc at delouw.ch</email>.
</para>
<para>
Please understand, that I don't want to add Cyrus-IMAP 2.0.x related stuff in this document anymore.
</para>
</sect2>
<!-- Section2: translations -->
<sect2 id="translations">
<title>Translations</title>
<para>
At the moment no translations are available. A German translation is planned and would be
written by me as soon as I get the time.
</para>
<para>
Translations to other languages are always welcome. If you translate this document, please translate the
SGML source. Please let me know if you begin to translate, so I can set a link here.
</para>
</sect2>
</sect1>
<!-- Section1: intro: END -->
<!-- Section1: Technologies -->
<sect1 id="tech">
<title>Technologies</title>
<sect2 id="postfix">
<title>The Postfix MTA</title>
<blockquote><attribution>www.postfix.org</attribution>
<para>
Postfix attempts to be fast, easy to administer, and secure, while at the same time
being sendmail compatible enough to not upset existing users. Thus, the outside has a
sendmail-ish flavor, but the inside is completely different.</para></blockquote>
<para>
<figure>
<title>Postfix - the big picture</title>
<graphic FileRef="big-picture.png"></graphic>
</figure>
</para>
<para>Doesn't it look impressive? It looks much more complicated than it is. Postfix is indeed nice
to configure and handle.</para>
<para>Unlike sendmail, Postfix is not one monolithic program; it is a collection of small programs, each of
which has a specialized function.
At this point I don't want to go into detail about what each program does.
If you are interested in how Postfix works, please see the documentation at
<ulink url="http://www.postfix.org/docs.html">http://www.postfix.org/docs.html</ulink>
</para>
<para>In this document you will find the information needed to get the system running in conjunction with the other components of a full e-mail setup.</para>
</sect2>
<sect2 id="cyrus">
<title>Cyrus IMAP</title>
<para>Cyrus IMAP is developed and maintained by Carnegie Mellon University.</para>
<para>Unlike the WU-IMAPd package, Cyrus uses its own method to store the users' mail.
Each message is stored in its own file.
The benefit of using separate files is improved reliability, since only one message is lost if there is a filesystem error.
Metadata such as the status of a message (seen, etc.) is stored in a database.
Additionally, the messages are indexed to improve Cyrus performance, especially with lots of users and/or lots of big emails.
There is nothing else as fast as the Cyrus IMAP server.</para>
<para>
Another very important feature is that you don't need a local Un*x user for each account. All users are
authenticated by the IMAP-Server. This makes it a great solution when you have a really huge number of users.</para>
<para>
User administration is done by special IMAP-commands. This allows you to either use the commandline interface
or use one of the available Web interfaces. This method is much more secure than a Webinterface to
<filename> /etc/passwd</filename>.</para>
<para>Starting from Cyrus 2.1, SASL library version 2 is used for authentication.
For the setup described in this HOWTO, a three-layer authentication is implemented:
Cyrus authenticates against saslauthd, which forwards the request
to pam_mysql, which finally looks up the user information in the MySQL table.</para>
<para>
Since CMU changed the license policy for Cyrus, this software is going to be used by many more users.</para>
</sect2>
<sect2 id="sasl">
<title>Cyrus SASL</title>
<para>SASL means "Simple Authentication and Security Layer". It is standardized by the IETF (Internet
Engineering Task Force). SASL is used by network servers (in this case Cyrus-IMAP) to
handle authentication requests from clients.</para>
<para>Cyrus SASL is an extensive piece of software, and sometimes not easy to understand.
Even I have just the minimum knowledge needed to write this HOWTO.</para>
</sect2>
<sect2 id="openssl">
<title>OpenSSL</title>
<para>OpenSSL is a library needed by SASL for encryption of the data stream. It is used by
almost all open-source software that needs encryption.
Most or all Un*x distributions come with a pre-installed OpenSSL.
Be sure to also install the appropriate devel package. If you like, you can
compile OpenSSL yourself. This will be required if you need to fix a security hole.
</para>
</sect2>
<sect2 id="mysql">
<title>MySQL Database</title>
<para>MySQL is a very fast, powerful and very easy to use database.</para>
<para>Since Cyrus can authenticate its users with pam, you can use pam_mysql as a connector to the
user database stored in MySQL. This allows you to create a nice Webinterface for your users for changing
passwords, defining and deleting aliases and more.</para>
</sect2>
<sect2 id="pam-mysql">
<title>pam_mysql</title>
<para>PAM means "Pluggable Authentication Modules" and was originally proposed by some people at Sun.
In the meantime a lot of modules have been developed. One of them is an interface to MySQL.</para>
<para>With pam_mysql you store the users' passwords in a MySQL database. Further, Postfix is able to
look up aliases from a MySQL table. At the end of the day, you have a base for all administrative tasks
to be done by the postmaster.</para>
<para>You will be able to delegate some tasks to power users. For example, tasks such as creating accounts, changing passwords and creating new aliases can be delegated to an administrator for a particular domain.
At the end of the day, you, as a sysadmin, will have the time to do some more productive tasks or write a HOWTO for the Linux Documentation Project.</para>
</sect2>
<sect2 id="web-cyradm">
<title>Web-cyradm Webinterface</title>
<para>
<figure>
<title>Web-cyradm Domain administration</title>
<graphic FileRef="home.png"></graphic>
</figure>
</para>
<para>Web-cyradm is the webinterface that allows you to perform the administrative tasks required to maintain the mail system.
This screenshot shows the domain administration part of Web-cyradm.</para>
<para>Web-cyradm is written in PHP, the most sophisticated HTML preprocessor language.
If you don't have a web server with PHP installed, I would like to refer you to my
<ulink url="http://www.delouw.ch/linux/apache.phtml">Apache-Compile-HOWTO</ulink>.
This document describes how to set up Apache with PHP and other modules.</para>
<para>Web-cyradm is under active development from people around the globe. The list of features grows
with each release. If you would like to contribute to web-cyradm, or you have a nice idea, feel free to contact
the mailinglist on <ulink url="http://www.web-cyradm.org">http://www.web-cyradm.org</ulink>
</para>
<para>
The following is a partial list of features:
<itemizedlist>
<listitem>
<para>Administration of multiple virtual domains</para>
</listitem>
<listitem>
<para>Setting of quotas</para>
</listitem>
<listitem>
<para>Automatically creating usernames, either with a defined prefix, or the domainname</para>
</listitem>
<listitem>
<para>Delegation of tasks such as creating new users to "Domain Masters"</para>
</listitem>
<listitem>
<para>Mapping of user-accounts to email addresses</para>
</listitem>
<listitem>
<para>Forwarding of accounts to single aliases</para>
</listitem>
<listitem>
<para>Vacation functions for a single aliases</para>
</listitem>
<listitem>
<para>Support for SMTP Transport Tables</para>
</listitem>
<listitem>
<para>Support for MySQL and PostgreSQL</para>
</listitem>
<listitem>
<para>i18n (internationalization) support (including different charsets)</para>
</listitem>
<listitem>
<para>Translated into 18 Languages and growing</para>
</listitem>
</itemizedlist>
</para>
<para>Web-cyradm supports different roles for its users.
If you plan to use it as a frontend for your power users, please note
that security may be a problem: the role-based functionality needs a security review.
</para>
</sect2>
</sect1>
<!-- Section1: Technologies: END -->
<!-- Section1: Install -->
<sect1 id="install">
<title>Getting and installing the software</title>
<para>
Most of the software is included in your Linux distribution. E.g. SuSE has been shipping Cyrus, as
far as I know, since 7.1.
Since SuSE 8.1, cyrus-imapd 2.1 and SASL 2 are included and work. It is still recommended to compile
Cyrus yourself. SuSE does not ship a MySQL-enabled Postfix.
</para>
<tip><title>Deprecated packages for Debian stable and testing</title>
<para>Debian users probably want to install packages provided by Debian. Unfortunately Debian stable (Woody) and testing (sarge) are using the deprecated version of the software used in this HOWTO. I tested the respective packages from Debian unstable (sid) and they are working. Please note that the maintainers at Debian are very conservative: the software packages "postfix-mysql", "libsasl2" and "cyrus21-imapd" are stable, even if they are only available in the "unstable" tree.</para>
</tip>
<!-- Section2: Mysql -->
<sect2 id="MySQL-install">
<title>Getting and installing MySQL</title>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://www.mysql.com/downloads/">http://www.mysql.com/downloads/</ulink>
</para>
</sect3>
<sect3><title>Building and installing</title>
<screen>
cd /usr/local
tar -xvzf mysql-4.0.18.tar.gz
cd mysql-4.0.18
./configure \
--prefix=/usr/local/mysql \
--enable-assembler \
--with-innodb \
--without-debug
make
make install
/usr/local/mysql/bin/mysql_install_db
echo /usr/local/mysql/lib/mysql >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
</screen>
<para>To improve security, add a mysql user on your system, e.g. "mysql", then</para>
<screen>
chown -R mysql /usr/local/mysql/var
</screen>
<para>
If you want to start MySQL automatically at boottime, copy
<filename>/usr/local/mysql/share/mysql/mysql.server</filename> to <filename>/etc/init.d/</filename>
for SuSE, for Redhat it is <filename>/etc/rc.d/init.d</filename> instead of <filename>/etc/init.d/</filename>.
Further you need to add symbolic links to <filename>/etc/init.d/rc3.d</filename>
for SuSE and <filename>/etc/rc.d/rc3.d</filename> for Redhat.
</para>
<para>
The following example is for SuSE Linux and should be easily changed for Redhat and other Linux
distributions and commercial Unix systems.
</para>
<screen>
cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/
ln -s /etc/init.d/mysql.server /etc/init.d/rc3.d/S20mysql
ln -s /etc/init.d/mysql.server /etc/init.d/rc3.d/K08mysql
</screen>
</sect3>
</sect2>
<sect2 id="berkeley-db">
<title>Getting and installing Berkeley DB</title>
<para>
The Berkeley DB is a requirement for building Cyrus-SASL and Cyrus-IMAP. Some systems come with
recent versions but without the header files installed. Please check your distributor's CD/DVD
to see if you can install the header files from a package. Usually this package is called bdb-devel.
</para>
<para>The version that comes with Debian GNU/Linux is out of date; you will need to compile the most
recent version instead. If you already installed Berkeley DB on your Debian box, please
uninstall it to prevent conflicts.
</para>
<para>It is also very important that Cyrus-SASL and Cyrus-IMAP are compiled with the same version of
Berkeley DB, or else you can run into problems.</para>
<tip><title>Berkeley DB versions</title>
<para>
I only tested version 4.0.x versions of bdb. Please let me know if you are successful with newer versions.
</para></tip>
<sect3><title>Download Berkeley DB</title>
<para>
Origin-Site: <ulink url="http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz">
http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz</ulink>
</para>
</sect3>
<sect3><title>Building and installing Berkeley DB</title>
<para>
<screen>
tar -xvzf db-4.0.14.tar.gz
cd db-4.0.14/build_unix
../dist/configure --prefix=/usr/local/bdb
make
make install
echo /usr/local/bdb/lib >> /etc/ld.so.conf
ldconfig
</screen>
</para>
</sect3>
</sect2>
<sect2><title>Getting and installing OpenSSL</title>
<sect3><title>Download OpenSSL</title>
<para>Origin-Site
<ulink url="http://www.openssl.org">http://www.openssl.org</ulink>
</para>
</sect3>
<sect3><title>Building and installing</title>
<screen>
cd /usr/local
tar -xvzf openssl-0.9.7d.tar.gz
cd openssl-0.9.7d
./config shared
make
make test
make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
</screen>
<tip><title>Select your CPU to improve speed</title>
<para>
By default the Makefile generates code for the i486 CPU. You can change this by editing the
<filename>Makefile</filename> after running <command>config</command> <option>shared</option>.
Search for <option>-m486</option> and replace it with e.g. <option>-march=athlon</option>.
</para></tip>
</sect3>
</sect2>
<!-- Section2: cyrus -->
<sect2 id="cyrus-install">
<title>Getting and installing Cyrus SASL and IMAP</title>
<para>
Building Cyrus SASL and IMAP from source is not an easy task. There are some prerequisites to be
fulfilled, and a lot of difficult authentication-related issues to be considered.
</para>
<sect3><title>Download Cyrus SASL and Cyrus IMAP</title>
<para>
Origin-Site: <ulink url="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz">
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz</ulink>
</para>
<para>Origin-Site: <ulink url="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz">
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz</ulink>
</para>
</sect3>
<sect3><title>Create the cyrus user</title>
<para>
On most systems there is no cyrus user and no mail group by default. Check for a free UID; usually daemons are running with UIDs less than 100.
As an example I am using UID 96, which is what SuSE has in its default <filename>/etc/passwd</filename>.
</para>
<screen>
groupadd mail
useradd -u 96 -d /usr/cyrus -g mail cyrus
passwd cyrus
</screen>
</sect3>
<sect3><title>Building and installing Cyrus SASL</title>
<screen>
tar -xvzf cyrus-sasl-2.1.18.tar.gz
cd cyrus-sasl-2.1.18
./configure \
--enable-anon \
--enable-plain \
--enable-login \
--disable-krb4 \
--disable-otp \
--disable-cram \
--disable-digest \
--with-saslauthd=/var/run/saslauthd \
--with-pam=/lib/security \
--with-dblib=berkeley \
--with-bdb-libdir=/usr/local/bdb/lib \
--with-bdb-incdir=/usr/local/bdb/include \
--with-openssl=/usr/local/ssl \
--with-plugindir=/usr/local/lib/sasl2
make
make install
mkdir -p /var/run/saslauthd
cd saslauthd
make testsaslauthd
cp testsaslauthd /usr/local/bin
echo /usr/local/lib/sasl2 >> /etc/ld.so.conf
ldconfig
</screen>
<para>
The SASL library is installed in <filename>/usr/local/lib/sasl2</filename> but some programs are expecting SASL in
<filename>/usr/lib/sasl2</filename>. So it is a good idea to create a symbolic link:
<command>ln -s /usr/local/lib/sasl2 /usr/lib/sasl2</command>.
</para>
</sect3>
<sect3><title>Building Cyrus-IMAP</title>
<screen>
tar -xvzf cyrus-imapd-2.2.3.tar.gz
cd cyrus-imapd-2.2.3
export CPPFLAGS="-I/usr/include/et"
./configure \
--with-sasl=/usr/local/lib \
--with-perl \
--with-auth=unix \
--with-dbdir=/usr/local/bdb \
--with-bdb-libdir=/usr/local/bdb/lib \
--with-bdb-incdir=/usr/local/bdb/include \
--with-openssl=/usr/local/ssl \
--without-ucdsnmp
make depend
make
make install
</screen>
</sect3>
<sect3 id="startupscript"><title>Automatic startup script</title>
<para>
If you wish to start the Cyrus IMAP daemon automatically after booting, you need a startup script.
Place the following script in <filename>/etc/init.d/</filename>. For Redhat, it is
<filename>/etc/rc.d/init.d</filename> instead of <filename>/etc/init.d/</filename>.</para>
<screen>
#!/bin/bash
#
# Cyrus startup script
case "$1" in
start)
# Starting SASL saslauthdaemon
/usr/local/sbin/saslauthd -c -a pam &
# Starting Cyrus IMAP Server
/usr/cyrus/bin/master &
;;
stop)
# Stopping SASL saslauthdaemon
killall saslauthd
# Stopping Cyrus IMAP Server
killall /usr/cyrus/bin/master
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
</screen>
<para>If I get the time, I will provide a more sophisticated script, but this script works.</para>
<para>Now create the Symlinks in the runlevel directory (SuSE):</para>
<screen>
ln -s /etc/init.d/cyrus /etc/init.d/rc3.d/S20cyrus
ln -s /etc/init.d/cyrus /etc/init.d/rc3.d/K10cyrus
</screen>
<para>For Redhat:</para>
<screen>
ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/S20cyrus
ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/K10cyrus
</screen>
</sect3>
<sect3 id="update-cyrus"><title>Update Cyrus IMAPd</title>
<para>This section describes how to update the IMAPd from version 2.1.x to 2.2.x.</para>
<caution><title>Update is critical and can mean complete data loss</title>
<para>Please test this procedure on a test/pre-production server first. Also have a close look at <filename>install-upgrade.html</filename>, which comes with the cyrus-imapd distribution. Please note that you should plan downtime for the production server to have the time to solve problems. Also note that I cannot take responsibility for the update procedure provided here.</para>
</caution>
<para>Cyrus changed the format of the databases used for internal storage of the mailbox list, flags etc.</para>
<para>A conversion script comes with the distribution. The most important database is <filename>/var/imap/mailboxes.db</filename>. Without that database cyrus-imapd will NOT run, so a backup is required. Let's do a dump and a backup of the database.</para>
<screen>
/etc/init.d/cyrus stop # be sure no cyrus process is running
lsof /var/imap/mailboxes.db # be sure NO process is accessing the mailbox file
su - cyrus
/usr/cyrus/bin/ctl_mboxlist -d > /tmp/mailbox.db.dump
cp /var/imap/mailboxes.db /var/imap/mailboxes.db.old
</screen>
<para>Convert the <filename>/var/imap/mailboxes.db</filename></para>
<screen>
/usr/cyrus/bin/cvt_cyrusdb /var/imap/mailboxes.db berkeley /var/imap/mailboxes.db.new skiplist
mv /var/imap/mailboxes.db.new /var/imap/mailboxes.db
</screen>
<para>Convert all the "seen" databases:</para>
<screen>
find /var/imap/user -name \*.seen -exec /usr/cyrus/bin/cvt_cyrusdb \{\} flat \{\}.new skiplist \; -exec mv \{\}.new \{\} \;
</screen>
<para>Convert the sieve scripts:</para>
<screen>
/usr/local/cyrus-imapd-2.2.3/tools/masssievec /usr/cyrus/bin/sievec
</screen>
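<para>The find one-liner above replaces each "seen" database as soon as the converter has run. The following shell function is an added example, not part of this HOWTO or of the cyrus-imapd distribution: it walks the same directory tree, keeps a .old copy of every file and only replaces the original when the converter exits successfully, so a failed conversion never leaves a user without a seen database. The directory and the converter command are parameters (on a real server: /var/imap/user and /usr/cyrus/bin/cvt_cyrusdb); the stand-in converter and the directory tree at the end are constructed purely so the loop can be exercised without a Cyrus installation.</para>

```shell
# Added example, not part of the HOWTO: convert every per-user "seen" database
# below ROOT (normally /var/imap/user) from the flat format to skiplist, keeping
# a .old copy of each file and replacing the original only when the converter
# exits successfully. CVT is the converter command (/usr/cyrus/bin/cvt_cyrusdb
# on a real server); it is a parameter so the loop can be run against a stand-in.
convert_seen_dbs() {
    root="$1"
    cvt="$2"
    converted=0
    failed=0
    # read the paths from find one per line; the loop runs in the current shell,
    # so the counters survive it
    while IFS= read -r db; do
        [ -n "$db" ] || continue
        if "$cvt" "$db" flat "$db.new" skiplist; then
            cp -p "$db" "$db.old" && mv "$db.new" "$db"
            converted=$((converted + 1))
        else
            rm -f "$db.new"            # never leave a half-written database behind
            failed=$((failed + 1))
            echo "conversion failed, original kept: $db" >&2
        fi
    done <<EOF
$(find "$root" -type f -name '*.seen')
EOF
    echo "$converted converted, $failed failed"
    [ "$failed" -eq 0 ]               # non-zero exit if any file was left unconverted
}

# fake_cvt OLD flat NEW skiplist: stand-in for cvt_cyrusdb, used only to exercise
# the loop offline. It "converts" by copying and refuses any file named broken.seen.
fake_cvt() {
    case "$1" in *broken.seen) return 1 ;; esac
    cp "$1" "$3"
}

# sample_tree: constructed directory with two good seen files and one that the
# stand-in refuses to convert; prints the path of the tree
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/a" "$t/b"
    printf 'seen-data' > "$t/a/alice.seen"
    printf 'seen-data' > "$t/b/bob.seen"
    printf 'corrupt'   > "$t/b/broken.seen"
    echo "$t"
}

# On a real server, after stopping cyrus as shown above:
#   convert_seen_dbs /var/imap/user /usr/cyrus/bin/cvt_cyrusdb
```

Run it after the dump and backup of mailboxes.db and with cyrus stopped; a non-zero exit status means at least one file was left in the old format and should be looked at before the new imapd is started.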
</sect3>
</sect2>
<!-- Section2: postfix -->
<sect2 id="postfix-install">
<title>Getting and installing Postfix</title>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://www.postfix.org/ftp-sites.html">http://www.postfix.org/ftp-sites.html</ulink>
</para>
</sect3>
<sect3> <title>Creating a User-ID (UID) and Group-ID (GID) for postfix</title>
<para>
Before you build and install Postfix, be sure to create a "postfix" user and group and a "postdrop" group if they do not exist on the system.
First check for the groups. You can check this with <command>grep postfix /etc/group</command> and
<command>grep postdrop /etc/group</command>.
</para>
<para>
If there are no such groups and users, just create them. Search for a free numeric UID and GID. In the
following example I will use UID and GID 33333 for postfix and GID 33335 for postdrop. These IDs
correspond to other documents.
</para>
<screen>
groupadd -g 33333 postfix
groupadd -g 33335 postdrop
useradd -u 33333 -g 33333 -d /dev/null -s /bin/false postfix
</screen>
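<para>Both the cyrus account above and the postfix and postdrop ids here require picking a numeric id that is not already taken. The following POSIX shell functions are an added example, not part of this HOWTO: they read a passwd(5)- or group(5)-style file (the numeric id is the third colon-separated field in both) and return the lowest free id below a ceiling, so the daemon range below 100 used for cyrus, or the 33333/33335 range used here, can be checked before running groupadd and useradd. The sample passwd file is constructed for the example and is not copied from any system; the paths in the usage comment are the ones this HOWTO uses.</para>

```shell
# Added example, not part of the HOWTO: pick a free numeric id from a passwd(5)-
# or group(5)-style file so a daemon account can be created without colliding
# with an existing entry. The third colon-separated field holds the numeric id
# in both file formats.

# id_in_use FILE ID: exit 0 if ID appears as the third field of FILE
id_in_use() {
    awk -F: -v want="$2" '$3 == want { found = 1 } END { exit !found }' "$1"
}

# find_free_id FILE CEILING [FLOOR]: print the lowest id in [FLOOR, CEILING)
# not used in FILE; exit 1 if none is free. FLOOR defaults to 1 so that id 0
# (root) is never handed out.
find_free_id() {
    file="$1"
    ceiling="$2"
    id="${3:-1}"
    while [ "$id" -lt "$ceiling" ]; do
        if ! id_in_use "$file" "$id"; then
            echo "$id"
            return 0
        fi
        id=$((id + 1))
    done
    return 1
}

# sample_passwd: write a constructed passwd file (not taken from any real system)
# to a temporary file and print its path
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
cyrus:x:96:12:Cyrus IMAP:/usr/cyrus:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
EOF
    echo "$f"
}

# Typical use on a real system, reading the live files (run as root):
#   uid=$(find_free_id /etc/passwd 100 90)   # daemon range, as used for cyrus above
#   gid=$(find_free_id /etc/group 100 90)
#   groupadd -g "$gid" mail && useradd -u "$uid" -d /usr/cyrus -g mail cyrus
```

The same call with a floor of 33333 and a suitably high ceiling checks the postfix and postdrop ids used in this section before they are passed to groupadd and useradd.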
</sect3>
<sect3><title>Building and installing</title>
<para>
The following section shows what you have to do if you installed MySQL from source as described above.
If you installed MySQL from a binary package such as RPM or deb, then you have to change the
include and library flags to -I/usr/include/mysql and -L/usr/lib/mysql.
</para>
<caution><title>Old MTA needs to be uninstalled</title>
<para>It is important that you uninstall any sendmail version from RPM-based systems.
I suggest that you remove sendmail and install Postfix instead. At least SuSE RPMs need an MTA.
After installing the Postfix RPM, just install Postfix over the RPM installation by following this HOWTO.</para>
</caution>
<screen>
tar -xvzf postfix-2.0.19.tar.gz
cd postfix-2.0.19
make makefiles 'CCARGS=-DHAS_MYSQL \
-I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH \
-I/usr/local/include/sasl -I/usr/local/bdb/include' \
'AUXLIBS=-L/usr/local/mysql/lib/mysql \
-lmysqlclient -lz -lm -L/usr/local/lib -lsasl2 -L/usr/local/bdb/lib'
make
make install
</screen>
<para>During <command>make install</command> a few questions are asked. Just pressing
<keycap>Enter</keycap> should match your needs. For Red Hat users it could be useful to
enter <filename>/usr/local/share/man</filename> as the manual page directory.</para>
<para>Now you need to create some symbolic links to start Postfix automatically on system startup. The sample is
for SuSE Linux, please consult your vendors manual for other distributions.</para>
<screen>
ln -s /usr/sbin/postfix /etc/init.d/rc3.d/S14postfix
ln -s /usr/sbin/postfix /etc/init.d/rc3.d/K07postfix
</screen>
</sect3>
</sect2>
<sect2 id="pam-install">
<title>Getting and installing PAM</title>
<para>PAM is installed by default on almost all Linux distributions. I am not describing how to compile PAM
yourself, because it could break your system. Instead, I will describe how to install the development package
that is needed to build pam_mysql.
</para>
<para>Users of a RPM based distribution can issue the following command:</para>
<screen>
rpm -i pam-devel.rpm
</screen>
<para>Debian users can install the devel package with the following command:</para>
<screen>
apt-get install libpam0g-dev
</screen>
</sect2>
<sect2 id="pam-mysql-install">
<title>Getting and installing pam_mysql</title>
<sect3><title>Download</title>
<para>Origin-Site: <ulink url="http://sourceforge.net/projects/pam-mysql/">
http://sourceforge.net/projects/pam-mysql/</ulink>
</para>
</sect3>
<sect3><title>Installing</title>
<screen>
tar -xvzf pam_mysql-0.5.tar.gz
cd pam_mysql
</screen>
<para>If you have compiled mysql by yourself,
check the <filename>Makefile</filename> and enter the correct path to your mysql libs and add the
compiler flag <varname>CFLAGS</varname> <option>-I/path/to/mysql/include</option>.
</para>
<screen>
ifndef FULL_LINUX_PAM_SOURCE_TREE
export DYNAMIC=-DPAM_DYNAMIC
export CC=gcc
export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
-ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
-Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
-Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
-Wshadow -pedantic -fPIC -I/usr/local/mysql/include
export MKDIR=mkdir -p
export LD_D=gcc -shared -Xlinker -x -L/usr/local/mysql/lib/mysql -lz
endif
</screen>
<para>After customizing that file you can go ahead with the pam_mysql compile.</para>
<screen>
make
cp pam_mysql.so /lib/security
[[ ! -d /var/lib/mysql ]] && mkdir /var/lib/mysql
ln -s /tmp/mysql.sock /var/lib/mysql/mysql.sock
</screen>
<para>The link makes pam_mysql find the socket where the MySQL installation described above creates it.
Keep in mind that <filename>/tmp</filename> is world-writable, which is a poor place for the socket of an
authentication back end; if you can, set <option>socket=</option> in <filename>my.cnf</filename> to a directory
writable only by the mysql user and point the link there.</para>
</sect3>
</sect2>
<sect2 id="web-cyradm-install">
<title>Getting and installing Web-cyradm</title>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://www.web-cyradm.org">http://www.web-cyradm.org</ulink>
</para>
</sect3>
<sect3><title>Installing</title>
<screen>
cd /usr/local/apache/htdocs
tar -xvzf web-cyradm-0.5.4.tar.gz
touch /var/log/web-cyradm.log
chown nobody /var/log/web-cyradm.log
</screen>
<para>After unpacking web-cyradm, move it to a place in your web server's document root. Everything under it,
including the <filename>scripts/</filename> directory with the SQL files and the distributed configuration template,
is then reachable through the web server; deny web access to the directories clients do not need
(an Apache <literal>Directory</literal> block with <literal>Deny from all</literal> does it) or unpack outside the
document root and expose only the web front end.</para>
<para>That's all. Now you need to configure the whole bunch of software.</para>
<para>Web-cyradm 0.5.4 is considered stable, and was released on 2003-12-05</para>
<para>Since web-cyradm uses PEAR for its database abstraction layer, you also need a recent
copy of PEAR. This is included in recent PHP Versions. I strongly suggest to update PHP
to 4.3.4, because a lot of important bugs have been fixed.
</para>
<para>A frequent mistake is to forget to touch the logfile and change the owner to the
Apache UID. This is usually "nobody" or "wwwrun".</para>
</sect3>
<sect3 id="mysql-create-db">
<title>Create the databases and tables</title>
<para>Now we need to create the database and tables for Postfix and Web-cyradm and add a user to the
database.</para>
<para>
Web-cyradm comes with several MySQL scripts: <filename>insertuser_mysql.sql</filename> and
<filename>create_mysql.sql</filename>.
The first inserts the database user into the database "mysql" and creates the database "mail". The
second creates the required tables and populates the database with an initial admin user and the
cyrus user.</para>
<para>The other scripts are used for incremental upgrading from older releases.</para>
<para>The password for the database user "mail" in this example is "secret". Please insert whatever
user and password you like.</para>
<para>The username for the initial superuser is "admin" with the password "test".</para>
<caution><title>Change the default password!</title>
<para>If a malicious user wants to gain unauthorized access to a system, the first attempt is always
the default username and password supplied by the vendor. It is IMPORTANT that you change them
in the scripts before applying them.</para></caution>
<para>After customizing the username and password, apply the scripts:</para>
<screen>
/usr/local/mysql/bin/mysql -u root -p &lt; \
/usr/local/apache/htdocs/web-cyradm/scripts/insertuser_mysql.sql
/usr/local/mysql/bin/mysql mail -u mail -p &lt; \
/usr/local/apache/htdocs/web-cyradm/scripts/create_mysql.sql
</screen>
</sect3>
<sect3 id="web-cyradm-update"><title>Upgrading from 0.5.3 to 0.5.4</title>
<para>In version 0.5.4 there is a small database enhancement. You can upgrade your database by
issuing the MySQL script that comes with the distribution.</para>
<screen>
mysql mail -u mail -p &lt; \
scripts/upgrade-0.5.3-to-0.5.4_mysql.sql
</screen>
<para>
Since version 0.5.3 web-cyradm has full support for DES crypted passwords. You can use the PHP script
<filename>migrate.php</filename> to convert the users passwords from plain text to unix compatible crypt (DES).
</para>
<caution><title>Migration from plain to crypt cannot be undone</title>
<para>Be sure to have a recent backup of your database before doing anything with the migration script.
</para></caution>
</sect3>
</sect2>
</sect1>
<!-- Section1: Install: END -->
<!-- Section1: configuration -->
<!-- <sect1 id="configuration">
<title>Configuration</title> -->
<sect1 id="mysql-config">
<title>Configuring MySQL</title>
<sect2 id="mysql-config-securing">
<title>Securing MySQL</title>
<para>Because you are using MySQL to authenticate users, you need to restrict network access
to port 3306: whoever can reach it with the "mail" credentials can read and change every password hash and alias.</para>
<para>The easiest way is to bind MySQL to the loopback interface 127.0.0.1 only.
This makes sure nobody can connect to your MySQL daemon via the network. Postfix, pam_mysql and web-cyradm
as configured in this HOWTO all use <literal>localhost</literal>, i.e. the Unix socket, so on a single-host setup
you can go one step further and disable TCP altogether with <option>--skip-networking</option>. Keep TCP on the
loopback address only if you need the rinetd setup below.</para>
<para>
Edit <filename>/etc/init.d/mysql.server</filename> and change the line that starts the server (line 107 in the version used here) as follows:</para>
<para>Original line:</para>
<screen>
$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file&amp;
</screen>
<para>Changed line:</para>
<screen>
$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file \
--bind-address=127.0.0.1&amp;
</screen>
<para>Restart your MySQL daemon by issuing <command>/etc/init.d/mysql.server stop</command> followed by
<command>/etc/init.d/mysql.server start</command>.</para>
<para>To ensure the configuration change was successful, run <command>netstat -an|grep LISTEN</command>. The
output should look similar to this:</para>
<screen>
bond:~ # netstat -an|grep LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
</screen>
</sect2>
<sect2 id="mysql-rinetd">
<title>Setting up rinetd</title>
<para>This step is only necessary if you run the MySQL server on a host other than the mail server. rinetd limits
who may connect to pre-defined IP addresses; it does not encrypt the connection, so the link between the two hosts
must be a trusted network, or the traffic must be wrapped in a tunnel (stunnel or an ssh port forward).</para>
<para>The example used is from the view of the host serving the MySQL database. Lets assume your
mail server has the IP 192.168.0.100 and the MySQL host has 192.168.0.200</para>
<para>
Edit <filename>/etc/rinetd.conf</filename> and add:</para>
<screen>
192.168.0.200 3306 127.0.0.1 3306
allow 192.168.0.100
</screen>
<para>This means: The MySQL host is listening on 192.168.0.200 port 3306. If 192.168.0.100
attempts a connection, it is forwarded to 127.0.0.1:3306. All other hosts are rejected. </para>
</sect2>
</sect1>
<sect1 id="pam-config">
<title>Configuring PAM</title>
<para>Now we need to make sure that PAM knows how to authenticate the Cyrus users.</para>
<para>Create the file <filename>/etc/pam.d/imap</filename> with the following entries (each entry is one line):</para>
<screen>
auth sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
auth sufficient pam_unix_auth.so
account sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
account required pam_unix_acct.so
</screen>
<para>The lines containing <option>pam_unix_auth.so</option> and <option>pam_unix_acct.so</option>
are only needed if you are migrating from WU-IMAP to Cyrus.
They allow a user to authenticate with either the old Unix password or the new MySQL-based password. Note the control flags:
the MySQL entries are <literal>sufficient</literal>, so a user found in the database is accepted at once, and the Unix
account entry is <literal>required</literal>, so a user who is not in the database yet still passes the Unix checks.
If you are not migrating, drop both pam_unix lines and change the two pam_mysql entries to <literal>required</literal>,
so that a failed or unreachable database lookup denies the login.</para>
<para>The file contains the database password, so keep it readable by root only
(<command>chmod 600 /etc/pam.d/imap</command>); saslauthd runs as root and can still read it.</para>
<para>To use the other services provided by Cyrus and SMTP authentication, copy the file
so that the copies match the service IDs:</para>
<screen>
cp /etc/pam.d/imap /etc/pam.d/pop
cp /etc/pam.d/imap /etc/pam.d/sieve
cp /etc/pam.d/imap /etc/pam.d/smtp
</screen>
</sect1>
<!-- Section2: postfix -->
<sect1 id="postfix-config">
<title>Configuring Postfix</title>
<para>Postfix needs two major config files: <filename>main.cf</filename> and <filename>master.cf</filename>.
Both need your attention.</para>
<sect2 id="postfix-master"><title>master.cf</title>
<para>You need to change just one line:</para>
<para>old: </para>
<screen>
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
</screen>
<para>new: </para>
<screen>
flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}
</screen>
<para>
What does that change affect? The Cyrus man page (<command>man deliver</command>) explains the options.
</para>
<para>
The Postfix default setup uses a wrong path to Cyrus deliver; this is the first change.
The parameter "-r" inserts a proper return path. Without it, mail rejected or returned by sieve would
be sent to the cyrus user at your domain instead of to the original sender.
</para>
</sect2>
<sect2 id="postfix-main"><title>main.cf</title>
<para>Here you need to change some more things like hostname, relaying, alias-lookups etc.</para>
<para>First change the hostname:</para>
<screen>myhostname = foo.bar.org</screen>
<para>mydestination</para>
<para>Here you have to put all domainnames that are local (corresponding to sendmail's
<filename>/etc/mail/sendmail.cw)</filename>. If you have multiple domains, separate them with comma.</para>
<screen>
mydestination = foo.bar.org, example.com, furchbar-grausam.ch,
whatever.domain.tld, mysql:/etc/postfix/mysql-mydestination.cf
</screen>
<para>Relayhost</para>
<para>Here you define where to deliver outgoing mails. If you do not provide any host, mail is delivered directly
to the destination smtp host. Usually your relayhosts are your internet service provider's smtp server.</para>
<screen>relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net</screen>
<para>Mailtransport</para>
<para>Here you define how the mails accepted for local delivery should be handled. In your situation, mail should be
delivered by the cyrus delivery program.</para>
<screen>mailbox_transport = cyrus</screen>
<para>At the end of file you need to add:</para>
<screen>virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf</screen>
<para>If you do not want an overriding <filename>/etc/postfix/virtual</filename>, skip the hash entry.</para>
<para>Outgoing addresses should be rewritten from test0002 at domain
to user.name at virtualhost.com. This is important if you want to use a webmail interface.
</para>
<screen>
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
</screen>
<para>Now you need to create the file <filename>/etc/postfix/mysql-virtual.cf</filename>: </para>
<screen>
#
# mysql config file for alias lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = dest
where_field = alias
additional_conditions = and status = '1'
</screen>
<para>The file <filename>/etc/postfix/mysql-canonical.cf</filename>:</para>
<screen>
# mysql config file for canonical lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = virtual
#
select_field = alias
where_field = username
# Return the first match only
additional_conditions = and status = '1' limit 1
</screen>
<para>
Finally the file <filename>/etc/postfix/mysql-mydestination.cf</filename>:
</para>
<screen>
# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
# comments are ok.
#
# the user name and password to log into the mysql server
hosts = localhost
user = mail
password = secret
# the database name on the servers
dbname = mail
# the table name
table = domain
#
select_field = domain_name
where_field = domain_name
</screen>
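<para>The three map definitions above, <filename>/etc/pam.d/imap</filename> from <xref linkend="pam-config"> and
web-cyradm's <filename>conf.php</filename> all carry the MySQL password in clear text, so they must not be readable by
every local user. The Postfix daemons that open the mysql maps run as the <literal>postfix</literal> user, so
<literal>root:postfix</literal> with mode 640 is the usual setting for the <filename>mysql-*.cf</filename> files;
<filename>/etc/pam.d/imap</filename> is read by saslauthd, which runs as root, and can be mode 600. The following
script is an added example, not part of the HOWTO, of Postfix or of pam_mysql: it reports which of a list of files
other users can read and fixes the Postfix maps. The file names are the ones used in this HOWTO.</para>

```shell
#!/bin/sh
# Added example, not part of the HOWTO: report which of the files holding the
# MySQL credentials other local users can read, and fix the Postfix maps.
# The paths are the ones used in this HOWTO; adjust them to your layout.

# For each file print "OK <mode> <file>", "WORLD-READABLE <mode> <file>" or
# "MISSING - <file>"; return 1 if at least one file is world-readable.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING - $f"
            continue
        fi
        # octal mode: GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
        if [ -z "$mode" ]; then
            echo "UNKNOWN - $f"
            continue
        fi
        # the last octal digit holds the "other" bits; 4, 5, 6 and 7 include read
        case $mode in
            *[4567]) echo "WORLD-READABLE $mode $f"; rc=1 ;;
            *)       echo "OK $mode $f" ;;
        esac
    done
    return $rc
}

# The Postfix daemons that open the mysql maps run as user "postfix", so the
# map definitions stay readable for that group only: owner root, mode 640.
lock_down_postfix_maps() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chown root:postfix "$f" && chmod 640 "$f"
    done
}

# Files from this HOWTO that contain the database password.
SECRET_FILES="/etc/postfix/mysql-virtual.cf
/etc/postfix/mysql-canonical.cf
/etc/postfix/mysql-mydestination.cf
/etc/pam.d/imap
/usr/local/apache/htdocs/web-cyradm/config/conf.php"

# Run the audit on the real system with: sh this_script.sh --audit
if [ "${1:-}" = "--audit" ]; then
    # shellcheck disable=SC2086
    audit_secret_files $SECRET_FILES
fi
```

<para>Run the audit after every edit of a map file: editors and <command>cp</command> create new files with the
current umask, which on most systems makes them world-readable again.</para>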
<para>SMTP Authentication with SASL and PAM</para>
<para>Put the following in your <filename>/etc/postfix/main.cf</filename></para>
<screen>
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
</screen>
<para>You also need to create the file <filename>/usr/local/lib/sasl2/smtpd.conf</filename> with
the following contents:</para>
<screen>
pwcheck_method: saslauthd
</screen>
<para>The next step is to tell postfix how to find the saslauthd socket:</para>
<screen>
mv /var/run/sasl2 /var/run/sasl2-old
ln -s /var/run/saslauthd /var/run/sasl2
</screen>
<para>Two caveats: PLAIN and LOGIN transmit the password in the clear, so unless port 25 is protected with TLS,
authenticated submission should be limited to trusted networks. And instead of the symlink you can tell SASL where
the saslauthd socket lives with <literal>saslauthd_path: /var/run/saslauthd/mux</literal> in
<filename>smtpd.conf</filename>.</para>
</sect2>
<sect2 id="antispam">
<title>Fighting against SPAM</title>
<para>
This section describes how to implement a basic SPAM protection setup with postfix. It does not use any external software like spamassassin, etc.</para>
<para>
Postfix has some built-in filters that allow you to stop obvious SPAM attempts. In particular these are:</para>
<itemizedlist>
<listitem>
<para>
smtpd_helo_required = yes
</para>
<para>
This switch in <filename>main.cf</filename> means that SMTP clients connecting to your mail server must give
a "helo" when connecting.
</para>
</listitem>
<listitem>
<para>
smtpd_recipient_restrictions
</para>
<para>This option in <filename>main.cf</filename> lets you define rules for accepting mail. The following example
rejects all invalid sender and recipient data and looks up known spammers in online blacklists (DNSBLs).
The restrictions are evaluated in the order given, and the first one that matches decides, so the order matters:
<literal>permit_mynetworks</literal> and <literal>permit_sasl_authenticated</literal> must come before
<literal>reject_unauth_destination</literal>, and the closing <literal>permit</literal> must come after it,
otherwise the server is an open relay. <literal>permit_sasl_authenticated</literal> is included here because this
list replaces the <literal>smtpd_recipient_restrictions</literal> line from the SMTP authentication setup above (the
last definition in <filename>main.cf</filename> wins); without it authenticated users could no longer send to other domains.
</para>
<screen>
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
permit
</screen>
<para>Check each DNSBL zone before relying on it: several of the lists named here have been shut down since this
was written, and a retired zone may answer positively for every query (relays.ordb.org did after its shutdown),
which rejects all incoming mail.</para>
</listitem>
<listitem>
<para>mime_header_checks=pcre:/etc/postfix/body_checks</para>
<para>MIME header checks let you reject mail that carries potentially dangerous MIME content, e.g. attachments
that are Windows executables. Create the file <filename>/etc/postfix/body_checks</filename>.
The following example rejects all mail with attachments whose declared file name has one of the listed extensions.
In my experience, using this example would filter out most viruses delivered by e-mail. It only looks at the file
name in the MIME header, though: a renamed or archived executable passes, so
in any event a virus scanner should always be installed.
</para>
</para>
<screen>
/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
</screen>
</listitem>
</itemizedlist>
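<para>Because the restrictions are evaluated in order, a bare <literal>permit</literal> placed before
<literal>reject_unauth_destination</literal>, or a list without <literal>reject_unauth_destination</literal>, turns the
server into an open relay, and a list without <literal>permit_sasl_authenticated</literal> locks out the SMTP-AUTH users
configured above. The following script is an added example, not part of the HOWTO or of Postfix, that reads a
<filename>main.cf</filename> and checks exactly those points; on a running server
<command>postconf -n smtpd_recipient_restrictions</command> shows the same effective value, the parser is only here so
the check runs offline. Note that Postfix 2.10 and later additionally evaluate <literal>smtpd_relay_restrictions</literal>,
which this check does not read.</para>

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of Postfix: a static check of the
# smtpd_recipient_restrictions ordering in a main.cf. A blanket "permit"
# (or no reject_unauth_destination at all) before reject_unauth_destination
# makes an open relay; permit_mynetworks and permit_sasl_authenticated ahead
# of it are fine because they only match your own networks and
# authenticated clients.

# Print the effective value of one main.cf parameter: the last definition
# wins, indented continuation lines are joined, "#" comment lines skipped.
postfix_param() {  # usage: postfix_param /etc/postfix/main.cf parameter
    awk -v p="$2" '
        /^#/ { next }
        /^[ \t]/ { if (found) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { found = 0 }
        $0 ~ ("^" p "[ \t]*=") { found = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { print val }' "$1"
}

# Return 0 when relay control is present and ordered correctly, 1 for an
# open relay. Findings and the SASL warning are printed on stdout.
check_recipient_restrictions() {  # usage: check_recipient_restrictions main.cf
    cf=$1
    status=0
    seen_reject=0
    seen_sasl_permit=0
    # commas and whitespace both separate restrictions; arguments such as
    # the DNSBL zone after reject_rbl_client become harmless extra tokens
    for t in $(postfix_param "$cf" smtpd_recipient_restrictions | tr ',' ' '); do
        case $t in
            reject_unauth_destination|defer_unauth_destination)
                seen_reject=1 ;;
            permit_sasl_authenticated)
                seen_sasl_permit=1 ;;
            permit)
                if [ "$seen_reject" -eq 0 ]; then
                    echo "OPEN RELAY: 'permit' is evaluated before reject_unauth_destination"
                    status=1
                fi ;;
        esac
    done
    if [ "$seen_reject" -eq 0 ]; then
        echo "OPEN RELAY: reject_unauth_destination is missing"
        status=1
    fi
    if [ "$(postfix_param "$cf" smtpd_sasl_auth_enable)" = "yes" ] &&
       [ "$seen_sasl_permit" -eq 0 ]; then
        echo "WARN: SASL auth is enabled but permit_sasl_authenticated is not listed;" \
             "authenticated roaming users cannot relay"
    fi
    [ "$status" -eq 0 ] && echo "OK: relay control is in place"
    return $status
}

# On a real system:
#   check_recipient_restrictions /etc/postfix/main.cf
```

<para>A non-zero exit status from <literal>check_recipient_restrictions</literal> means the server would relay for
anyone; fix the order before the daemon is reachable from the internet.</para>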
</sect2>
</sect1>
<!-- RMW end of revision-->
<!-- Section2: cyrus -->
<sect1 id="cyrus-config">
<title>Configuring Cyrus IMAP</title>
<sect2 id="cyrus-configfiles"><title>Creating the config files</title>
<para>You have to create <filename>/etc/imapd.conf</filename> and <filename>/etc/cyrus.conf</filename>
</para>
<sect3 id="etc-services"><title><filename>/etc/services</filename></title>
<para>
If you like to use sieve (a mail filtering language), you must add an entry
to <filename>/etc/services</filename>. With SuSE 8.0 take special care with the port for sieve,
since they defined the wrong port. Port 2000 is what Cyrus 2.1 and its clients expect; the port later registered
for ManageSieve is 4190, so newer clients may have to be told to use 2000. Add or change the following lines:
</para>
<screen>
pop3 110/tcp
imap 143/tcp
imaps 993/tcp
pop3s 995/tcp
sieve 2000/tcp
</screen>
</sect3>
<sect3 id="etc-imapd"><title><filename>/etc/imapd.conf</filename></title>
<para>Be sure "servername" contains your FQHN (Fully Qualified Hostname).</para>
<para>The parameter "unixhierarchysep: yes" is only used if you like to have usernames
like "hans.mueller.somedomain.tld", see <xref linkend="web-cyradm-config"> for more info.</para>
<para>Leaving <option>admins</option> commented out here means nobody is an administrator on the services that use this
file; administration is done through the localhost-only services that use <xref linkend="etc-imapd-local">.
"allowplaintext: yes" together with "sasl_mech_list: PLAIN" means that passwords cross the network in the clear
on the plain IMAP and POP3 ports unless the client uses STARTTLS or the SSL ports; see <xref linkend="tls">.</para>
<screen>
postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
# admins: cyrus # no admins!
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: servername
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes
</screen>
</sect3>
<sect3 id="etc-imapd-local"><title><filename>/etc/imapd-local.conf</filename></title>
<para>Be sure "servername" contains your FQHN (Fully Qualified Hostname).</para>
<para>The parameter "unixhierarchysep: yes" is only used if you like to have usernames
like "hans.mueller.somedomain.tld", see <xref linkend="web-cyradm-config"> for more info.</para>
<para>This second file is used by the services bound to 127.0.0.1 in <xref linkend="etc-cyrus-conf">. It is the only
configuration that names an admin user, so admin users can only connect via localhost, which is where web-cyradm
connects. Decide for yourself whether this additional security feature is needed for your site.</para>
<screen>
postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: servername
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
sieve_maxscriptsize: 32
sieve_maxscripts: 5
#unixhierarchysep: yes
</screen>
</sect3>
<sect3 id="tls"><title>Creating the TLS/SSL Certificate</title>
<para>If you want to enable Cyrus' TLS/SSL facilities, you have to create a certificate first. This requires an
OpenSSL installation. The commands below produce a self-signed certificate; when asked for the Common Name, enter
the same host name you put into <option>servername</option>, because clients compare it with the name they connect to.
Clients will still warn about the unknown issuer unless you import the certificate or use one from a CA they trust.</para>
<screen>
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999
mkdir /var/imap
cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem
chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected
echo tls_ca_file: /var/imap/server.pem &gt;&gt; /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem &gt;&gt; /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem &gt;&gt; /etc/imapd.conf
</screen>
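<para>The following shell functions are an added example, not part of the HOWTO or of Cyrus, that create the same kind
of self-signed <filename>server.pem</filename> non-interactively, with the host name in both the subject and a
subjectAltName, and then check that the key and certificate in the combined file belong together and are issued to the
expected name. <literal>imap.example.com</literal> and the target directory are placeholders; on the real server the
directory is <filename>/var/imap</filename> and the name is the one in <option>servername</option>.</para>

```shell
#!/bin/sh
# Added example, not part of the HOWTO or of Cyrus: create the combined
# key+certificate file for Cyrus non-interactively and verify it.
# "imap.example.com" and the directory are placeholders; on the real server
# the directory is /var/imap and the name is the one in "servername".

# Create <dir>/server.pem (private key followed by a self-signed certificate
# for <fqdn>, name present as CN and subjectAltName), readable by owner only.
make_imap_cert() {  # usage: make_imap_cert imap.example.com /var/imap [days]
    fqdn=$1; dir=$2; days=${3:-999}
    cnf="$dir/san.cnf"
    # request configuration: no interactive prompts, SAN extension included
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $fqdn
[v3]
subjectAltName = DNS:$fqdn
EOF
    # subshell so the restrictive umask does not leak into the caller
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -config "$cnf" -keyout "$dir/server.key" -out "$dir/server.crt" \
            >/dev/null 2>&1 || exit 1
        cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    ) || { rm -f "$cnf"; return 1; }
    rm -f "$cnf" "$dir/server.key" "$dir/server.crt"
    chmod 600 "$dir/server.pem"
}

# Check that the key and the certificate in a combined PEM file carry the
# same public key and that the certificate is issued to <fqdn>.
# Prints the expiry date on success; returns 1 on any mismatch.
check_imap_cert() {  # usage: check_imap_cert /var/imap/server.pem imap.example.com
    pem=$1; fqdn=$2
    openssl pkey -in "$pem" -noout 2>/dev/null || { echo "no private key in $pem"; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "key and certificate in $pem do not match"
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$fqdn\$"; then
        echo "certificate subject is not $fqdn"
        return 1
    fi
    openssl x509 -in "$pem" -noout -enddate
}

# On the real server (as root):
#   make_imap_cert "$(hostname -f)" /var/imap 999
#   chown cyrus:mail /var/imap/server.pem
#   check_imap_cert /var/imap/server.pem "$(hostname -f)"
```

<para>Run <literal>check_imap_cert</literal> again whenever the file is replaced: a key that does not match the
certificate makes every TLS handshake fail, and an expired certificate makes clients refuse the connection even
though <command>netstat</command> still shows the imaps port listening.</para>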
</sect3>
<sect3 id="etc-cyrus-conf"><title><filename>/etc/cyrus.conf</filename></title>
<para>
The other file you need to create is <filename>/etc/cyrus.conf</filename>
It is the configuration file for the Cyrus master process. It defines the startup procedures, services
and events to be spawned by process <20>master<65>.</para>
<screen>
# standard standalone server implementation
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
# idled cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/imap/socket
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="192.168.0.1:imap" prefork=0
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
imaps cmd="imapd -s" listen="192.168.0.1:imaps" prefork=0
imapslocal cmd="imapd -s -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
pop3 cmd="pop3d" listen="pop3" prefork=0
pop3s cmd="pop3d -s" listen="pop3s" prefork=0
sieve cmd="timsieved" listen="192.168.0.1:sieve" prefork=0
sievelocal cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}
EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30
# this is only necessary if using duplicate delivery suppression
delprune cmd="ctl_deliver -E 3" period=1440
# this is only necessary if caching TLS sessions
tlsprune cmd="tls_prune" period=1440
}
</screen>
<tip><title>Please check your system's IP address</title>
<para>In the example above, replace 192.168.0.1 with your system's external IP address. The services bound to
127.0.0.1 use <filename>/etc/imapd-local.conf</filename>, the only configuration with <option>admins</option> set,
so administrative logins (web-cyradm connects to localhost) are accepted locally only. Note that the imaps services
need <option>-s</option>, otherwise plain IMAP is spoken on port 993, and that <option>pop3</option> and
<option>pop3s</option> are bound to all addresses and therefore use <filename>/etc/imapd.conf</filename>.</para>
</tip>
</sect3>
</sect2>
<sect2 id="cyrus-directories"><title>Creating the directories</title>
<para>Several directories must be created. Additionally you should
change some attributes of the filesystem.</para>
<sect3 id="var-imap"><title><filename>/var/imap</filename></title>
<screen>
cd /var
mkdir imap
chown cyrus:mail imap
chmod 750 imap
</screen>
</sect3>
<sect3 id="var-spool-imap"><title><filename>/var/spool/imap</filename></title>
<screen>
cd /var/spool
mkdir imap
chown cyrus:mail imap
chmod 750 imap
</screen>
</sect3>
<sect3 id="usr-sieve"><title><filename>/usr/sieve</filename></title>
<screen>
cd /usr
mkdir sieve
chown cyrus:mail sieve
chmod 750 sieve
</screen>
</sect3>
<sect3 id="other-dirs"><title>The rest of the directories</title>
<para>
The rest of the directories can be created by the tool <command>mkimap</command>
</para>
<screen>
su - cyrus
/usr/local/cyrus-imapd-2.1.12/tools/mkimap
</screen>
</sect3>
</sect2>
<sect2 id="ch-attrib"><title>Changing the filesystem attributes</title>
<para>When using the ext2 filesystem, you must set an attribute that makes all changes to the Cyrus
databases synchronous, i.e. immediately committed to disk. With today's journaling filesystems there is no need.
If you are still running ext2 filesystems, I strongly suggest switching to ext3.
Ext2 and ext3 are fully compatible with each other.</para>
<para>To check what type of filesystem is used for <filename>/var</filename> issue the
command <command>mount</command> or see your <filename>/etc/fstab</filename>. Please note
that the <filename>/var</filename> could also be a part of the root or other filesystem.
</para>
<screen>
cd /var/imap
chattr +S user quota user/* quota/*
chattr +S /var/spool/imap /var/spool/imap/*
</screen>
</sect2>
</sect1>
<sect1 id="web-cyradm-config">
<title>Configuring Web-cyradm</title>
<para>First copy the distribution's config file, and create the logfile. The logfile must be owned by the user
that runs the webserver. This is usually the user "nobody" or "wwwrun".</para>
<screen>
cd /usr/local/apache/htdocs/web-cyradm/config
cp conf.php.dist conf.php
touch /var/log/web-cyradm-login.log
chown nobody /var/log/web-cyradm-login.log
</screen>
<sect2><title>Cyrus setup</title>
<screen>
#The Cyrus login stuff
$CYRUS = array(
'HOST' => 'localhost',
'PORT' => 143,
'ADMIN' => 'cyrus',
'PASS' => 'secret'
);
</screen>
<para>
This should be self-explanatory. Please note there is no support for SSL connections at the moment, so the
admin password travels in the clear. This is especially important for users who would like to run web-cyradm on a
different server from the one running cyrus-imapd; with the <filename>cyrus.conf</filename> in
<xref linkend="etc-cyrus-conf"> the admin login is in any case only accepted on 127.0.0.1.</para>
</sect2>
<sect2><title>Database setup</title>
<para>
Since version 0.5.2 web-cyradm uses PEAR as a database abstraction layer. This adds more flexibility.
MySQL and PostgreSQL are currently supported. Please note that a patch is required for PostgreSQL
because Postfix does not support PostgreSQL natively. I strongly suggest that you use MySQL.
I know MySQL has some restrictions on transactions and stuff, but it is supported in the distributed Postfix code.
</para>
<para>The entries should be self explanatory</para>
<screen>
$DB = array(
'TYPE' => 'mysql',
'USER' => 'mail',
'PASS' => 'secret',
'PROTO' => 'unix', // set to "tcp" for TCP/IP
'HOST' => 'localhost',
'NAME' => 'mail'
);
</screen>
</sect2>
<sect2><title>Default Quota</title>
<para>
The default quota to be used is set in the variable <varname>DEFAULT_QUOTA=20000</varname> and is used when
creating a new domain</para>
</sect2>
<sect2><title>Crypted passwords</title>
<para>Web-cyradm supports the storage of hashed ("encrypted") passwords. I strongly suggest the use of hashing.
There are three methods supported at the moment: Unix-compatible (crypt), md5 and MySQL.
The Unix-compatible method allows you to import password hashes from an
existing <filename>/etc/shadow</filename>. This is the preferred option. Note that traditional crypt(3) only
uses the first eight characters of a password.
</para>
<para>
Unfortunately, MySQL uses a proprietary method which is only available
when using MySQL. I'm currently thinking about dropping support for MySQL crypt, because it only
works with MySQL and makes a migration to another database impossible. As soon as there is a method available
to re-implement the MySQL crypt in PHP there will be a solution (help needed in programming; legal constraints?)
</para>
<para>Check the variable <varname>$CRYPT</varname> in the file <filename>conf.php</filename>.
The value "plain" means no hashing, "crypt" means shadow compatible hashing,
"mysql" means MySQL hashing.</para>
<caution><title>Choose encryption method carefully</title>
<para>
Since the supported encryption methods are all one-way encryptions, there will be NO WAY to migrate from
one to another. Note also, that this is a global variable, it is used for all passwords,
including the password of the admin users. I STRONGLY suggest the use of Unix Shadow compatible encryption,
because it makes you independent of any software vendor.
</para>
</caution>
</sect2>
<sect2><title>Usernames</title>
<para>
There are two username schemes supported which are defined in the variable "DOMAIN_AS_PREFIX".
The default is to have a defined prefix ($DOMAIN_AS_PREFIX=0), e.g. "test" for the domain "example.com".
With this scheme, the first user gets the username test0001, the second test0002, and so on.
</para>
<para>The other one is to have usernames like "hans.mueller.example.com".
In that case set $DOMAIN_AS_PREFIX=1</para>
<para>At the moment you cannot mix both schemes; evaluate carefully which scheme matches your needs best.</para>
<para>If you choose to have $DOMAIN_AS_PREFIX=1, be sure you uncomment the
option <option>unixhierarchysep: yes</option> as described in <xref linkend="etc-imapd"></para>
</sect2>
</sect1>
<!-- </sect1> -->
<!-- Section1: config: END -->
<!-- Section1: test -->
<sect1 id="test">
<title>Testing the setup</title>
<sect2 id="test-running">
<title>(Re-)Starting the daemons</title>
<para>Now all the software has been installed and configured. Let's do some testing.
First you have to (re-)start all the daemons affected: </para>
<itemizedlist>
<listitem>
<para>
<command>postfix start</command>
</para>
</listitem>
<listitem>
<para>
<command>/etc/init.d/cyrus start</command>
</para>
</listitem>
<listitem>
<para>
<command>/etc/init.d/mysql.server start</command>
</para>
</listitem>
<listitem>
<para>
<command>/usr/local/apache/bin/apachectl startssl</command>
</para>
</listitem>
</itemizedlist>
<para>Hopefully all daemons started without any complaints. Note that this assumes saslauthd is started
in the cyrus startup script.</para>
<para>Now you can verify that the daemons are running properly by issuing
<command>netstat -an|grep LISTEN</command></para>
<para>The output should look similar to this (with the <filename>cyrus.conf</filename> from
<xref linkend="etc-cyrus-conf"> you will see separate 192.168.0.1 and 127.0.0.1 entries for ports 143, 993 and 2000
instead of 0.0.0.0):</para>
<screen>
bond:~ # netstat -an|grep LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
</screen>
<para>The ports are used as follows:</para>
<itemizedlist>
<listitem>
<para>
993 imap-ssl
</para>
</listitem>
<listitem>
<para>
995 pop3-ssl
</para>
</listitem>
<listitem>
<para>
3306 mysql
</para>
</listitem>
<listitem>
<para>
110 pop3
</para>
</listitem>
<listitem>
<para>
143 imap
</para>
</listitem>
<listitem>
<para>
2000 sieve
</para>
</listitem>
<listitem>
<para>
80 http
</para>
</listitem>
<listitem>
<para>
25 smtp
</para>
</listitem>
<listitem>
<para>
443 https
</para>
</listitem>
</itemizedlist>
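<para>Two things are worth checking in this listing rather than reading it by eye: that the MySQL port 3306 from
<xref linkend="mysql-config-securing"> really is bound to the loopback address only, and that none of the services
above is missing. The following shell functions are an added example, not part of the HOWTO, that read the
<command>netstat -an</command> output from standard input and do both checks; the default port list is the one
from this section.</para>

```shell
#!/bin/sh
# Added example, not part of the HOWTO: two checks on the LISTEN table.
# Feed them "netstat -an | grep LISTEN" (or "ss -ltn", whose local address
# is also the fourth column) on standard input:
#   netstat -an | grep LISTEN | exposed_mysql_listeners
#   netstat -an | grep LISTEN | missing_listeners

# Print every MySQL (port 3306) listener that is not bound to the IPv4 or
# IPv6 loopback address; return 1 if there is one, 0 otherwise.
exposed_mysql_listeners() {
    awk '
        $1 == "LISTEN" || $NF == "LISTEN" {
            addr = $4                         # local address, "host:port"
            n = split(addr, a, ":")
            port = a[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "3306" && host != "127.0.0.1" && host != "::1") {
                print
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Print "missing: port N" for each expected port with no listener on any
# address; return 1 if anything is missing. Without arguments the ports
# this HOWTO opens (smtp, http, pop3, imap, https, imaps, pop3s, sieve and
# the loopback-only mysql) are checked.
missing_listeners() {  # usage: ... | missing_listeners [port ...]
    want=${*:-"25 80 110 143 443 993 995 2000 3306"}
    awk -v want="$want" '
        $1 == "LISTEN" || $NF == "LISTEN" {
            n = split($4, a, ":")
            seen[a[n]] = 1
        }
        END {
            m = split(want, w, " ")
            for (i = 1; i <= m; i++)
                if (!(w[i] in seen)) { print "missing: port " w[i]; bad = 1 }
            exit bad ? 1 : 0
        }'
}
```

<para>An IPv6 wildcard listener shows up as <literal>:::3306</literal> and is reported as exposed as well, since
<option>--bind-address=127.0.0.1</option> only covers IPv4.</para>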
</sect2>
<sect2 id="testing-web-cyradm">
<title>Testing Web-cyradm</title>
<para>Now you should be able to connect to <ulink url="http://localhost/web-cyradm/">http://localhost/web-cyradm/</ulink>
Login with the credentials defined before.</para>
<para>Define a domain name and some accounts. Be sure the domain name belongs to your server.
If not, you have to fake it by entering the domain in <filename>/etc/hosts</filename>.
The domain must also be defined as local in
<filename>/etc/postfix/main.cf</filename> (mydestination = domain)</para>
<para>Please be sure that you are providing a unique domain prefix when adding a new domain, e.g. "test" for the domain
test.org. If you don't provide such a prefix you will get an error message.</para>
</sect2>
<sect2 id="testing-postfix">
<title>Testing postfix</title>
<para>Now we are going to write a mail:</para>
<screen>
telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail ESMTP Postfix
helo localhost
250 mail
mail from: testing at example.com
250 Ok
rcpt to: tester at localhost
250 Ok
data
354 End data with &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;
some text
.
250 Ok: queued as B58E141D33
quit
</screen>
<para>If you see such a message, then all seems to work fine. Be sure to specify a recipient
address you previously defined in the web-cyradm database.</para>
<para>If you get an error like this:</para>
<screen>
rcpt to: tester at localhost
451 &lt;tester at localhost&gt;: Temporary lookup failure
</screen>
<para>then either MySQL is not running, the DB permissions are not set properly or you
misconfigured <filename>/etc/postfix/main.cf</filename>.</para>
<para>On any errors, I suggest examining <filename>/var/log/mail</filename>. Often you will find
hints about what went wrong.</para>
</sect2>
<sect2 id="testing-cyrus">
<title>Testing the IMAP functionality</title>
<para>A lot of users try to test cyrus-IMAPd with the command line interface (CLI) "cyradm" and fail.
To be successful with cyradm, you need to add the cyrus user to <filename>/etc/sasldb2</filename>
because "cyradm" always authenticates against SASL AND IMAP.</para>
<para>To add the Cyrus user to the sasldb use the command:</para>
<screen>
saslpasswd2 -c cyrus
Password: (enter your passwd)
Again (for verification): (enter your password)
</screen>
<para>When using the "cyradm" CLI, note that the tool does not recognize standard CLI options
like -u and similar. Follow the syntax described in the man page "cyradm 1", like the
following example:</para>
<screen>
bond:~ # cyradm --user cyrus --server localhost --auth plain
Password: # This is the SASL2 password
IMAP Password: # This is the IMAP password that you need to enter in the mysql-table <20>accountusers<72>
localhost>
</screen>
<para>With the cyradm command <command>help</command> you will see all available commands and their abbreviations.
</para>
<para>For a real-world test you just need a mail client like KMail or Netscape
(Microsoft products work as well, of course); in this example I'm using KMail.</para>
<figure>
<title>Creating a new account</title>
<graphic FileRef="imap-account.png"></graphic>
</figure>
<para>If you enabled TLS/SSL, you may wish to test also the following:</para>
<figure>
<title>Testing TLS/SSL functionality</title>
<graphic FileRef="imap-tls.png"></graphic>
</figure>
<para>If login fails and you are sure you typed the right password, check that MySQL is running.</para>
</sect2>
</sect1>
<!-- Section1: test: END -->
<sect1 id="spam-and-virus-intro">
<title>Fighting against Viruses and SPAM</title>
<para>This chapter is optional and describes HOWTO fight against Viruses and SPAM.</para>
<sect2 id="brief-virus">
<title>Brief introduction to viruses</title>
<para>I think I do not need to explain how dangerous viruses are. Unfortunately, the most recent attacks like SCO.A (aka MyDoom) have shown that even more or less experienced users get tricked by viruses. Most of today's viruses and worms come via the internet, most of them via e-mail. Needless to say, viruses should be caught by the SMTP system whenever possible.</para>
<caution><title>Not a substitute</title>
<para>A mail system that filters viruses is NEVER a substitute for locally installed anti-virus software. E-mail is only one of the ways viruses can get onto a computer.</para>
</caution>
</sect2>
<sect2 id="brief-spam">
<title>Brief introduction to SPAM</title>
<para>
The other kind of unwanted and annoying, though less harmful, e-mail is SPAM. SPAM is originally a disgusting canned meat. In e-mail it is a synonym for UCE (Unsolicited Commercial Email) and UBE (Unsolicited Bulk Email).
</para>
<para>
Studies claim that up to 60 percent of worldwide e-mail traffic is SPAM. Before I installed the anti-SPAM filters on my SMTP servers, I received about 150 SPAMs a day. One reason is this document: a long time ago I published my real e-mail address in it unprotected. E-mail harvesters scan websites all over the world for addresses, and the spammers then try to deliver their commercial, often illegal, offers to them.
</para>
</sect2>
<sect2 id="strategy-viruses">
<title>Strategy against viruses</title>
<para>The strategy against viruses is straightforward: filter viruses delivered via e-mail and have locally installed anti-virus software on the clients as well.</para>
<para>Almost all vendors of anti-virus software have an up-to-date version for Linux and Unix systems, because most SMTP servers run on Unix. In this document I'll explain how to implement <ulink url="http://www.clamav.net">ClamAV</ulink>, a very active open source anti-virus project.</para>
</sect2>
<sect2 id="strategy-spam">
<title>Strategy against SPAM</title>
<para>
Fighting SPAM is much more difficult than fighting viruses. Why? Because a virus is a fixed piece of code and can be matched with a signature, whereas SPAM can contain arbitrary content. Some SPAM is in English, some in Korean, some in "you-name-it-language".</para>
<para>The best way to prevent SPAM is to treat your e-mail address as your best guarded secret: NEVER enter your address in a web form or put it on your website. I know, that is against the idea of the internet, that information must be free. If you implement the configuration further below, you can keep publishing your e-mail address.
</para>
<para>In the early days of SPAM, filtering for keywords like &raquo;viagra&laquo; was enough. Today's SPAM techniques are much more sophisticated; it is an arms race between users and spammers, and the answer to sophisticated SPAM is even more sophisticated anti-spam software. Today's anti-spam software checks e-mail for much more than keywords: it looks at specific mail header data, uses <ulink url="http://en.wikipedia.org/wiki/Epistemic_probability">Bayesian</ulink> filters that learn from the mail you feed them, queries distributed checksum networks, and so on.</para>
</sect2>
</sect1>
<sect1 id="installing-anti-spam">
<title>The software needed against viruses and SPAM</title>
<para>This chapter describes how to install and handle the software against viruses and SPAM.</para>
<sect2 id="get-clamav">
<title>Getting and installing ClamAV</title>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://prdownloads.sourceforge.net/clamav/clamav-0.68.tar.gz">http://prdownloads.sourceforge.net/clamav/clamav-0.68.tar.gz</ulink>
</para>
</sect3>
<sect3><title>Building and installing</title>
<screen>
# Adding a group for the clamav user
groupadd clamav
# Adding the clamav user to your system
useradd -g clamav -c "clamav user" clamav
cd /usr/local
tar -xvzf clamav-0.68.tar.gz
cd clamav-0.68
./configure
make && make install
</screen>
</sect3>
<sect3><title>Testing and configuring</title>
<para>To test the functionality of ClamAV, run <command>clamscan</command> over the test patterns that are included in the ClamAV distribution: <command>clamscan -r -i /usr/local/clamav-0.68</command> (-r scans recursively, -i prints only infected files).</para>
<para>The output should look like this:</para>
<screen>
/usr/local/clamav-0.68/test/test1: ClamAV-Test-Signature FOUND
/usr/local/clamav-0.68/test/test1.bz2: ClamAV-Test-Signature FOUND
/usr/local/clamav-0.68/test/test2.zip: ClamAV-Test-Signature FOUND
/usr/local/clamav-0.68/test/test2.badext: ClamAV-Test-Signature FOUND
/usr/local/clamav-0.68/contrib/clamdwatch/clamdwatch.tar.gz: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 20482
Scanned directories: 47
Scanned files: 406
Infected files: 5
Data scanned: 5.48 MB
I/O buffer size: 131072 bytes
Time: 2.706 sec (0 m 2 s)
</screen>
<para>The next step is to set up automated updates of the virus database. This is an important step: new viruses spread fast, and a scanner with stale signatures will miss them.</para>
<para>Create the needed logfiles</para>
<screen>
touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
</screen>
<para>I suggest updating the signatures with an hourly cron job. Run <command>crontab -e</command> and add the following line, replacing the &raquo;x&laquo; with a random value between 1 and 59 (the minute). This is a kind of time-based load balancing that ensures more people can fetch the updates. The line must not start with a # sign, since that would turn it into a comment and freshclam would never run.</para>
<screen>
x * * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log
</screen>
</screen>
<para>To test if the update process is working, please issue the command <command>/usr/local/bin/freshclam -l /var/log/clam-update.log</command> and have a look at the output.</para>
<para>The output should look similar to this:</para>
<screen>
ClamAV update process started at Tue Mar 23 19:58:11 2004
Reading CVD header (main.cvd): OK
Downloading main.cvd [*]
main.cvd updated (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [*]
daily.cvd updated (version: 210, sigs: 596, f-level: 1, builder: acab)
Database updated (20690 signatures) from database.clamav.net (64.74.124.90).
</screen>
</sect3>
</sect2>
<sect2 id="razor">
<title>Razor</title>
<para>Razor is an optional prerequisite of SpamAssassin: when it is installed, SpamAssassin can check mail against the Razor collaborative spam checksum network.</para>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://prdownloads.sourceforge.net/razor/razor-agents-sdk-2.03.tar.gz?download">http://prdownloads.sourceforge.net/razor/razor-agents-sdk-2.03.tar.gz?download</ulink></para>
<para>
Origin-Site: <ulink url="http://prdownloads.sourceforge.net/razor/razor-agents-2.40.tar.gz?download">http://prdownloads.sourceforge.net/razor/razor-agents-2.40.tar.gz?download</ulink></para>
<screen>
cd /usr/local
tar -xvzf razor-agents-sdk-2.03.tar.gz
cd razor-agents-sdk-2.03
perl Makefile.PL
make && make install
cd /usr/local
tar -xvzf razor-agents-2.40.tar.gz
cd razor-agents-2.40/
perl Makefile.PL
make && make install
</screen>
</sect3>
<sect3><title>Registering and setting up</title>
<para>In order to use razor2 you need to register yourself as a user</para>
<para>Choose a unique username and password and issue <command>razor-admin -register -user=some_user -pass=somepass</command></para>
<!-- <para>To register yourself as a new user issue <command>razor-admin -d -create</command> -->
</sect3>
</sect2>
<sect2 id="get-spamassassin">
<title>Getting and installing spamassassin</title>
<para>SpamAssassin is today's leading open source project for fighting SPAM. Describing how SpamAssassin works would be too much for this document. For further information please consult <ulink url="http://eu.spamassassin.org/doc.html">http://eu.spamassassin.org/doc.html</ulink></para>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://eu.spamassassin.org/released/Mail-SpamAssassin-2.63.tar.gz">http://eu.spamassassin.org/released/Mail-SpamAssassin-2.63.tar.gz</ulink>
</para>
</sect3>
<sect3><title>Prerequisites</title>
<para>SpamAssassin depends on a lot of Perl modules. The easiest way to get them is the CPAN repository: issue the command <command>perl -MCPAN -e shell</command> and answer the questions as needed.</para>
</sect3>
<sect3><title>Building and installing</title>
<screen>
cd /usr/local
tar -xvzf Mail-SpamAssassin-2.63.tar.gz
cd Mail-SpamAssassin-2.63
perl Makefile.PL
# You get prompted to run Razor tests which you should answer with "y"
Run Razor v2 tests (these may fail due to network problems)? (y/n) [n] y
make && make install
</screen>
</sect3>
</sect2>
<!--
<sect2 id="DCC">
<title>Distributed checksum clearinghouse</title>
<para>DCC...</para>
</sect2>
<sect2 id="pyzor">
<title>pyzor</title>
<para>Pyzor...</para>
</sect2>
-->
<sect2 id="amavis-install">
<title>Getting and installing amavisd-new</title>
<para>Amavisd-new is the software that glues all the software described above to Postfix.</para>
<sect3><title>Download</title>
<para>
Origin-Site: <ulink url="http://www.ijs.si/software/amavisd/amavisd-new-20030616-p8.tar.gz">http://www.ijs.si/software/amavisd/amavisd-new-20030616-p8.tar.gz</ulink></para>
</sect3>
<sect3><title>Prerequisites</title>
<para>Amavisd-new needs a lot of prerequisites.</para>
<para>Run <command>perl -MCPAN -e shell</command> and issue:</para>
<screen>
install ExtUtils::MakeMaker
install HTML::Parser
install DB_File
install Digest::SHA1
install Archive::Tar
install Archive::Zip
install Compress::Zlib
install Convert::TNEF
install Convert::UUlib
install MIME::Base64
install MIME::Parser
install Mail::Internet
install Mail::SPF::Query
install Net::Server
install Net::SMTP
install Net::DNS
install Digest::MD5
install IO::Stringy
install Time::HiRes
install Unix::Syslog
</screen>
<para>At the end run <command>./amavisd</command> and look at its output for prerequisites that were overlooked.</para>
<para>Edit <filename>/etc/amavisd.conf</filename> and change the variables <varname>$daemon_user</varname> and <varname>$daemon_group</varname> to &raquo;amavis&laquo;. Another variable to change is <varname>$mydomain</varname>, which must match your domain.
</para>
<para>Please also consider changing the default actions for virus and spam mails. With the default, amavisd-new bounces a virus mail back to the envelope sender. That sender address is almost always forged, so the bounce hits an innocent third party (so-called backscatter), and on top of that you get notified about every intercepted mail. With the post-queue content filter set up below, Postfix has already accepted the mail, so a D_REJECT ends up as a bounce as well. Discarding is the better choice; as long as quarantining is left enabled (the default), a discarded virus is still stored in the quarantine directory <filename>/var/virusmails</filename> created below, so nothing is lost silently:</para>
<screen>
$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
$final_spam_destiny = D_DISCARD; # (defaults to D_REJECT)
</screen>
<para>When you start with SPAM filtering, I recommend setting the kill level higher until you have tuned the filters, otherwise legitimate mail may get discarded as SPAM. Change the variable <varname>$sa_kill_level_deflt</varname> to 8 or even higher.</para>
</sect3>
<sect3><title>Building and installing</title>
<screen>
cd /usr/local
tar -xvzf amavisd-new-20030616-p8.tar.gz
cd amavisd-new-20030616
cp amavisd /usr/local/sbin
cp amavisd.conf /etc
chown root /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
</screen>
<para>Now define a group and a user for amavisd-new:</para>
<screen>
groupadd amavis
useradd -g amavis -c "Amavisd-new user" amavis
</screen>
<para>Next, create the directory for quarantined mail and the working directory of the daemon; both must be accessible only by the amavis user:</para>
<screen>
mkdir /var/virusmails
chown amavis:amavis /var/virusmails
chmod 750 /var/virusmails
mkdir /var/amavis
chown amavis:amavis /var/amavis
chmod 750 /var/amavis
</screen>
<para>The init script shipped with the amavisd-new distribution only works on Red Hat. On other distributions you can use my quick and dirty init script. It stops the daemon via the PID file that amavisd-new writes to <varname>$pid_file</varname>; the path below assumes the default of <filename>/var/amavis/amavisd.pid</filename>, which matches <filename>/var/amavis</filename> created above:</para>
<screen>
#!/bin/bash
#
# Amavisd-new startup script
PIDFILE=/var/amavis/amavisd.pid
case "$1" in
    start)
        # Starting amavisd (it detaches into the background itself)
        /usr/local/sbin/amavisd
        ;;
    stop)
        # Stopping amavisd via its PID file
        if [ -r "$PIDFILE" ]; then
            kill "$(cat "$PIDFILE")"
        else
            echo "amavisd does not seem to be running (no $PIDFILE)"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
</screen>
</sect3>
</sect2>
<sect2 id="postfix-setup">
<title>Setting up postfix</title>
<para>Postfix needs to be configured to pass each mail to amavisd-new in order to get it checked.</para>
<para>Add the following line to <filename>/etc/postfix/main.cf</filename>:</para>
<screen>
content_filter = smtp-amavis:127.0.0.1:10024
</screen>
<para><filename>/etc/postfix/master.cf</filename> also needs some adjustments: the <literal>smtp-amavis</literal> transport hands mail to amavisd-new on port 10024, and a second smtpd on port 10025 takes the checked mail back into the mail system. That second listener has an empty <varname>content_filter</varname> (otherwise mail would loop through the filter forever) and all recipient checks disabled, so it must only ever be reachable from localhost; that is what the <literal>127.0.0.1:</literal> prefix and <literal>permit_mynetworks,reject</literal> with <literal>mynetworks=127.0.0.0/8</literal> enforce. Never bind it to a public address.</para>
<para>Please add the following lines to your configuration:</para>
<screen>
smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
</screen>
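<para>Once both files are in place, test the whole path with the two standard harmless test patterns instead of a real virus or real spam: EICAR, which every scanner reports as Eicar-Test-Signature (ClamAV already found it in its own test directory above), and GTUBE, which SpamAssassin scores far above any sane kill level. The bash script below is an added example and not part of the HOWTO or of amavisd-new. It first checks that ports 10024 and 10025 are bound to loopback only, then builds the two test messages and injects them through Postfix' <command>sendmail</command>. It assumes <filename>/usr/sbin/sendmail</filename>, <command>netstat -tln</command> and the ports configured above; the recipient and sender defaults and the <varname>SAMPLE_NETSTAT</varname> table are constructed placeholders.</para>

```bash
#!/bin/bash
# Added example (not part of the HOWTO or of amavisd-new): end-to-end test
# of the content_filter path with the EICAR and GTUBE test patterns.
# Assumptions: /usr/sbin/sendmail from Postfix, amavisd-new on 127.0.0.1:10024,
# the reinjection smtpd on 127.0.0.1:10025, a recipient that exists in the
# web-cyradm database (the defaults below are placeholders).

# The EICAR string is plain ASCII that every scanner reports as
# Eicar-Test-Signature; it carries no executable code.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# GTUBE: a message containing this line is scored as spam by SpamAssassin,
# so it exercises the SPAM branch of amavisd-new without real spam.
gtube_string() {
    printf '%s' 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
}

# MIME message with the EICAR file as base64 attachment. $1 recipient, $2 sender.
build_virus_test_mail() {
    local rcpt="${1:-tester@localhost}" from="${2:-testing@example.com}"
    local boundary="eicar-test-boundary-$$"
    printf 'From: %s\nTo: %s\nSubject: amavisd-new virus path test (EICAR)\n' "$from" "$rcpt"
    printf 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf -- '--%s\nContent-Type: text/plain\n\nEICAR test attachment follows.\n\n' "$boundary"
    printf -- '--%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "$boundary"
    printf 'Content-Disposition: attachment; filename="eicar.com"\nContent-Transfer-Encoding: base64\n\n'
    eicar_string | base64
    printf -- '\n--%s--\n' "$boundary"
}

# Plain-text message carrying the GTUBE line. $1 recipient, $2 sender.
build_spam_test_mail() {
    local rcpt="${1:-tester@localhost}" from="${2:-testing@example.com}"
    printf 'From: %s\nTo: %s\nSubject: amavisd-new spam path test (GTUBE)\n\n' "$from" "$rcpt"
    printf 'This message only exists to trigger SpamAssassin:\n%s\n' "$(gtube_string)"
}

# Constructed sample of "netstat -tln" output with the mistake to catch:
# the reinjection port 10025 is bound to all interfaces instead of loopback.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10025           0.0.0.0:*               LISTEN'

# $1 = "netstat -tln" (or "ss -tln") output, $2 = port. Returns 0 when every
# listener on that port is on 127.0.0.1 or ::1, 1 when one is exposed.
listeners_are_loopback_only() {
    local table="$1" port="$2"
    printf '%s\n' "$table" | awk -v p="$port" '
        $4 ~ (":" p "$") && $4 !~ /^(127\.|::1:|\[::1\])/ { exposed = 1 }
        END { exit exposed ? 1 : 0 }'
}

# Hand a test mail to the local Postfix; -t takes the recipient from the
# To: header, -i keeps a line consisting of a single dot from ending input.
inject_test_mail() {
    local mailfile="$1"
    if [ ! -x /usr/sbin/sendmail ]; then
        echo "no /usr/sbin/sendmail here, not injecting $mailfile" >&2
        return 1
    fi
    /usr/sbin/sendmail -t -i < "$mailfile" \
        && echo "queued $mailfile; watch /var/log/mail for the amavis lines mentioning Eicar-Test-Signature and SPAM"
}

# Only touch the MTA when asked, so the file can also be sourced.
if [ "${1:-}" = "--send" ]; then
    for port in 10024 10025; do
        listeners_are_loopback_only "$(netstat -tln 2>/dev/null)" "$port" \
            || echo "WARNING: port $port is reachable from outside loopback" >&2
    done
    workdir="$(mktemp -d)"
    build_virus_test_mail "${2:-tester@localhost}" > "$workdir/eicar.eml"
    build_spam_test_mail  "${2:-tester@localhost}" > "$workdir/gtube.eml"
    inject_test_mail "$workdir/eicar.eml"
    inject_test_mail "$workdir/gtube.eml"
fi
```

Run <command>./amavis-test.sh --send tester@localhost</command> and then check that the EICAR mail shows up in <filename>/var/virusmails</filename> and that neither message reaches the mailbox. If a desktop anti-virus program on the machine you write the script on deletes the generated <filename>eicar.eml</filename>, that is the scanner doing its job; run the script on the mail server itself.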
</sect2>
</sect1>
<!-- Section1: moreinfo -->
<sect1 id="moreinfo">
<title>Further Information</title>
<indexterm>
<primary>(your index root)!information resources</primary>
</indexterm>
<para>
Here you will find some other resources available on the internet.
</para>
<!-- Section2: newsgroups -->
<sect2 id="newsgroups">
<title>News groups</title>
<indexterm>
<primary>disk!information resources!news groups</primary>
</indexterm>
<para>Some of the most interesting news groups are:
<itemizedlist>
<listitem>
<para>
<ulink url="news:alt.comp.mail.postfix">alt.comp.mail.postfix</ulink>
</para>
<para>This is a low traffic group.</para>
</listitem>
<listitem>
<para>
<ulink url="news:comp.mail.imap">comp.mail.imap</ulink>
</para>
</listitem>
</itemizedlist>
</para>
<para>You may also want to check out the newsgroups of your country, e.g. ch.comp.os.linux.</para>
<para>
Most newsgroups have their own FAQ that are designed to answer most
of your questions, as the name Frequently Asked Questions indicate.
Fresh versions should be posted regularly to the relevant newsgroups.
If you cannot find it in your news spool you could go directly to the
<ulink url="ftp://rtfm.mit.edu/">FAQ main archive FTP site</ulink>.
The WWW versions can be browsed at the
<ulink url="http://www.cis.ohio-state.edu/hypertext/faq/usenet/FAQ-List.html">FAQ
main archive WWW site</ulink>.
</para>
</sect2>
<!-- Section2: maillists -->
<sect2 id="maillists">
<title>Mailing Lists</title>
<indexterm>
<primary>disk!information resources!mailing lists</primary>
</indexterm>
<sect3>
<title><email>postfix-users at postfix.org</email></title>
<para>
Send a mail to <email>majordomo at postfix.org</email> with the content (not subject):
<screen>
subscribe postfix-users</screen> </para>
<para>Before writing to the list, check out the archive: <ulink url="http://www.deja.com/group/mailing.postfix.users">
http://www.deja.com/group/mailing.postfix.users</ulink></para>
</sect3>
<sect3>
<title><email>info-cyrus at lists.andrew.cmu.edu</email></title>
<para>Send a mail to <email>majordomo at lists.andrew.cmu.edu</email> with the content (not subject):
<screen>
subscribe info-cyrus</screen> </para>
<para>Before writing to the list, check out the archive:
<ulink url="http://asg.web.cmu.edu/archive/index.php?mailbox=archive.info-cyrus">
http://asg.web.cmu.edu/archive/index.php?mailbox=archive.info-cyrus </ulink></para>
</sect3>
<sect3>
<title><email>web-cyradm at web-cyradm.org</email></title>
<para>
Subscription can be done through the web interface <ulink url="http://www.web-cyradm.org/mailman/listinfo/web-cyradm">
http://www.web-cyradm.org/mailman/listinfo/web-cyradm</ulink></para>
<para>Before writing to the list, check out the archive for similar problems:
<ulink url="http://www.web-cyradm.org/pipermail/web-cyradm/">http://www.web-cyradm.org/pipermail/web-cyradm/
</ulink>
</para>
</sect3>
</sect2>
<!-- Section2: howto -->
<sect2 id="howto">
<title>HOWTO</title>
<indexterm>
<primary>disk!information resources!HOWTOs</primary>
</indexterm>
<para>
These are intended as the primary starting points to get the
background information as well as to show you how to solve a
specific problem. Some relevant HOWTOs are
<Literal remap="tt"><ulink url="http://www.tldp.org/HOWTO/Cyrus-IMAP.html">Cyrus-IMAP</ulink></Literal> and
<Literal remap="tt"><ulink url="http://www.tldp.org/HOWTO/Apache-Compile-HOWTO/index.html">
Apache-Compile-HOWTO</ulink></Literal>. The main site for these is the
<ulink url="http://www.tldp.org/">LDP archive</ulink>.</para>
</sect2>
<sect2 id="ebooks">
<title>Ebooks</title>
<para>There are a few other HOWTOs and freely available documents outside of TLDP.org.</para>
<para>IBM recently released a new Redbook:
<Literal remap="tt"><ulink url="http://www.redbooks.ibm.com/redbooks/pdfs/sg247034.pdf">BladeCenter, Linux, and Open Source: Blueprint for e-business on demand</ulink>.</Literal> Especially chapter 6 is interesting when looking for e-mail solutions.
</para>
</sect2>
<!-- Section2: local-res -->
<sect2 id="local-res">
<title>Local Resources</title>
<indexterm>
<primary>disk!information resources!local</primary>
</indexterm>
<para>
Usually distributions install some documentation on your system. As a standard it is
located in <filename>/usr/share/doc/packages</filename></para>
<para>The SuSE RPMs of Cyrus contain a lot of such documentation.</para>
<para>Postfix has some html-files in the source directory <filename>/usr/local/postfix-2.0.16/html</filename></para>
<para>PAM comes also with lots of documentation in <filename>/usr/share/doc/packages/pam</filename></para>
<para>The pam_mysql module has a README with the incredible size of 1670 bytes.</para>
</sect2>
<!-- Section2: web -->
<sect2 id="web">
<title>Web Sites</title>
<indexterm>
<primary>disk!information resources!WWW</primary>
</indexterm>
<indexterm>
<primary>disk!information resources!web pages</primary>
</indexterm>
<para>
There are a huge number of informative web sites available. By
their very nature they change quickly so do not be surprised
if these links become quickly outdated.
</para>
<para>
A good starting point is of course the
<ulink url="http://www.tldp.org/">Linux Documentation
Project</ulink> home page, an information central for
documentation, project pages and much more.
</para>
<para>
For more in-depth information about Postfix, <ulink url="http://www.postfix.org">www.postfix.org</ulink>
would be the starting point.
</para>
<para>
Please let me know if you have any other leads that can be
of interest.
</para>
</sect2>
</sect1>
<!-- Section1: moreinfo: END -->
<!-- Section1: faq -->
<sect1 id="faq">
<title>Questions and Answers</title>
<para>
Here I answer the questions I got from users. If you don't find an answer, feel free to contact me.
</para>
<qandaset>
<qandadiv><title>FAQ</title>
<qandaentry>
<question>
<para>
Does web-cyradm only support users like &raquo;test0001&laquo;? I'd like to have a more descriptive username
</para>
</question>
<answer>
<para>
web-cyradm also supports usernames like &raquo;user.name.example.com&laquo; if you configure it.
You need to edit config.inc.php and change the value of DOMAIN_AS_PREFIX to 1. Then you need to add
&raquo;unixhierarchysep: yes&laquo; to your <filename>/etc/imapd.conf</filename>
</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
Messages are bouncing. Postfix/pipe complains that "Mailbox does not exist". What's wrong?
</para>
</question>
<answer>
<para>
Check that the cyrus login on web-cyradm (config.inc.php) is correct.
The username and password must exist in MySQL on table accountuser.
Web-cyradm will not complain if the cyrus login info is incorrect.
</para>
</answer></qandaentry>
<qandaentry><question>
<para>
web-cyradm complains about &raquo;Fatal error: Call to undefined function: bindtextdomain()
in /www/web-cyradm-0.5.3/index.php on line 46&laquo;, what's wrong?
</para>
</question>
<answer>
<para>
Web-cyradm needs gettext enabled PHP. Please compile PHP with the configure-option --with-gettext.
</para>
<para>
gettext is needed for NLS (Native Language Support), which means
contributors can easily translate web-cyradm to their language. Fill in your language in the file
<filename>/usr/local/apache/htdocs/web-cyradm/locale/templates/web-cyradm.pot</filename> and send me
the file, then your language will be supported in the next CVS snapshot.</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
I get an error from web-cyradm like this: &raquo;Fatal error: Call to undefined function: query() in
/usr/local/httpd/htdocs/web-cyradm/auth.inc.php on line 17&laquo;
</para>
</question>
<answer>
<para>
web-cyradm depends on PEAR for database abstraction. PEAR is included in recent PHP versions, but
often PEAR is a separate package, so check the package base of your distribution. I strongly suggest updating
to the most recent version of PHP anyway, because a lot of bugs have been fixed.</para>
<para>Another reason could be an authentication error with MySQL. Be sure the user &raquo;mail&laquo; has enough
rights to access the database and tables.</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
Why MySQL and not LDAP?
</para>
</question>
<answer>
<para>
Good question. LDAP is role-based and would indeed be a better solution for such applications.
Unfortunately LDAP is very hard to set up: you have to write proper schemas etc. MySQL is the
straightforward way, it is very easy to handle and versatile. There is a PAM module available
for LDAP, feel free to use it.
</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
Why Postfix and not Qmail?
</para>
</question>
<answer>
<para>
Lots of people would like to see such a setup with Qmail. The reason I don't use it is that MySQL support for qmail is a
patch that is not part of the main source tree. This can end badly: think of a security hole found in qmail
whose fix does not apply to the patched version. Postfix supports MySQL natively.
Another (personal) reason is that I simply like Postfix better (I don't know why).
</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
I get an error: "Temporary lookup failure"
</para>
</question>
<answer>
<para>
Postfix cannot look up the alias table. The most common cause is that MySQL is not running,
or that there is an authentication error. Check <filename>/var/log/mail</filename> and
<filename>/usr/local/mysql/var/&lt;hostname&gt;.err</filename> to track the error down.
</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>
For what platforms does this HOWTO work?
</para>
</question>
<answer>
<para>
It is primarily for Linux. Until now I have only tested it on Linux/IA32. Most probably it will also work on other
architectures.
FreeBSD is reported to work fine. AIX has problems with at least PHP. Please report if you got it running
on another platform, so I can update this section.
</para>
</answer>
</qandaentry>
</qandadiv>
</qandaset>
</sect1>
</article>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-namecase-general:t
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:nil
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->