Postfix-Cyrus-Web-cyradm-HOWTO

Luc de Louw

<luc at delouw.ch>

Revision History

Revision 1.2.6  2004-03-30  Revised by: ldl
    Added minor additions and corrected to amavisd-new, corrected cronjob-time
    for freshclam
Revision 1.2.5  2004-03-28  Revised by: ldl
    Added Anti-Virus and SPAM methods (amavisd-new, spamassassin, clamav),
    updated cyrus-imapd section with update instructions, added instruction to
    restrict imapd admin access.
Revision 1.2.4  2003-11-30  Revised by: ldl
    Input from English proofreading, minor corrections and enhancements from
    user input, updated software mentioned in the HOWTO
Revision 1.2.3  2003-03-24  Revised by: ldl
    Some minor corrections and enhancements from user input, updated software
    mentioned in the HOWTO
Revision 1.2.2  2003-02-14  Revised by: ldl
    Lots of grammar and typos fixed. Some corrections to the pam_mysql Makefile
Revision 1.2.1  2003-02-12  Revised by: ldl
    Non-official test release: Added lots of fixes and updates. Added OpenSSL
    and more pam related stuff.
Revision 1.2.0  2002-10-16  Revised by: ldl
    Added lots of user requests, updated the software mentioned in the HOWTO
Revision 1.1.7  2002-10-15  Revised by: ldl
    Added Michael Muenz' hints for SMTP AUTH, corrected ca-cert related
    mistake, improved SGML code (more metadata), updated the software mentioned
    in the document.
Revision 1.1.6  2002-06-14  Revised by: ldl
    Added sasl_mech_list: PLAIN to imapd.conf, added web-cyradm mailing list,
    added more to web-cyradm
Revision 1.1.5  2002-06-11  Revised by: ldl
    Added new SQL query to initialize web-cyradm to have full data integrity in
    the MySQL database, mysql-mydestination.cf reported to be operational as
    expected.
Revision 1.1.4  2002-05-15  Revised by: ldl
    Added description of what is needed in /etc/services, another fix for
    pam_mysql compile, updated software versions.
Revision 1.1.3  2002-05-08  Revised by: ldl
    Added more description for web-cyradm, fix for wrong path of the saslauthd
    socket, fix for wrong place of com_err.h, protection of the TLS/SSL
    private key.
Revision 1.1.2  2002-04-29  Revised by: ldl
    Added description for Redhat users how to install the init scripts.
Revision 1.1.1  2002-04-29  Revised by: ldl
    Fixed bug in configuring Cyrus-IMAP (disabled unused Kerberos
    authentication)
Revision 1.1.0  2002-04-28  Revised by: ldl
    Initial support for building Cyrus from source, dropped binary
    installation for Cyrus, because configuration has changed with Release
    2.1.x
Revision 1.0.2  2002-04-25  Revised by: ldl
    Added basic description for sieve and correct sender handling, minor fixes
    to db related stuff, added MySQL lookup for »mydestination«, fixed bug for
    building Postfix with MySQL support.
Revision 1.0.1  2002-04-07  Revised by: ldl
    Added an important fix for compiling pam_mysql
Revision 1.0.0  2002-04-07  Revised by: ldl
    Initial Release

This document guides you through the installation of the Postfix mail
transport agent (MTA) and the Cyrus IMAP server. The goal is a fully
functional, high-performance mail system with user administration through
Web-cyradm, a web interface. Data such as virtual users, aliases etc. are
stored in a MySQL database.

-----------------------------------------------------------------------------
Table of Contents
1. Introduction
    1.1. Contributors and Contacts
    1.2. Why I wrote this document
    1.3. Copyright Information
    1.4. Disclaimer
    1.5. New Versions
    1.6. Credits
    1.7. Feedback
    1.8. Translations

2. Technologies
    2.1. The Postfix MTA
    2.2. Cyrus IMAP
    2.3. Cyrus SASL
    2.4. OpenSSL
    2.5. MySQL Database
    2.6. pam_mysql
    2.7. Web-cyradm Webinterface

3. Getting and installing the software
    3.1. Getting and installing MySQL
    3.2. Getting and installing Berkeley DB
    3.3. Getting and installing OpenSSL
    3.4. Getting and installing Cyrus SASL and IMAP
    3.5. Getting and installing Postfix
    3.6. Getting and installing PAM
    3.7. Getting and installing pam_mysql
    3.8. Getting and installing Web-cyradm

4. Configuring MySQL
    4.1. Securing MySQL
    4.2. Setting up rinetd

5. Configuring PAM
6. Configuring Postfix
    6.1. master.cf
    6.2. main.cf
    6.3. Fighting against SPAM

7. Configuring Cyrus IMAP
    7.1. Creating the config files
    7.2. Creating the directories
    7.3. Changing the filesystem attributes

8. Configuring Web-cyradm
    8.1. Cyrus setup
    8.2. Database setup
    8.3. Default Quota
    8.4. Crypted passwords
    8.5. Usernames

9. Testing the setup
    9.1. (Re-)Starting the daemons
    9.2. Testing Web-cyradm
    9.3. Testing postfix
    9.4. Testing the IMAP functionality

10. Fighting against Viruses and SPAM
    10.1. Brief introduction to viruses
    10.2. Brief introduction to SPAM
    10.3. Strategy against viruses
    10.4. Strategy against SPAM

11. The software needed against viruses and SPAM
    11.1. Getting and installing ClamAV
    11.2. Razor
    11.3. Getting and installing spamassassin
    11.4. Getting and installing amavisd-new
    11.5. Setting up postfix

12. Further Information
    12.1. News groups
    12.2. Mailing Lists
    12.3. HOWTO
    12.4. Ebooks
    12.5. Local Resources
    12.6. Web Sites

13. Questions and Answers

1. Introduction

The Cyrus part is only valid for Cyrus-IMAP 2.1.x and Cyrus-SASL 2.1.x. If
you plan to use Cyrus-IMAP 2.0.x then please consult the deprecated version
1.0.x of this HOWTO.

I strongly recommend that you upgrade to Cyrus version 2.1.x. If you do so,
you will be in a much better position to get valuable support from the user
community.
-----------------------------------------------------------------------------

1.1. Contributors and Contacts

First I would like to thank all those people who sent questions and
suggestions that made the further development of this document possible. It
shows me that sharing knowledge is the right way. I would encourage you to
send me more suggestions; just write me an email: <luc at delouw.ch>
-----------------------------------------------------------------------------

1.2. Why I wrote this document

There are different approaches on how to set up a mail system. Most documents
that are available are related to Sendmail, procmail, WU-IMAPd and friends.
These packages are very good but are unfortunately very inflexible in their
user administration.

For a long time I was testing alternative MTAs like qmail, Postfix and Exim,
in conjunction with IMAP/POP servers like Cyrus, vpopmail, Courier IMAP and
others.

At the end of the day, from my point of view the couple Postfix/Cyrus seems
to be the most flexible and best performing solution.

All these combinations of software had one thing in common: there was very
little documentation available describing how these packages work together
with each other. To install the software, a lot of effort has to be spent
gathering all the information needed to get everything running.
-----------------------------------------------------------------------------

1.3. Copyright Information

This document is copyrighted (c) 2002, 2003, 2004 Luc de Louw and is
distributed under the terms of the Linux Documentation Project (LDP) license,
stated below.

Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and distributed
in whole or in part, in any medium physical or electronic, as long as this
copyright notice is retained on all copies. Commercial redistribution is
allowed and encouraged; however, the author would like to be notified of any
such distributions.

All translations, derivative works, or aggregate works incorporating any
Linux HOWTO documents must be covered under this copyright notice. That is,
you may not produce a derivative work from a HOWTO and impose additional
restrictions on its distribution. Exceptions to these rules may be granted
under certain conditions; please contact the Linux HOWTO coordinator at the
address given below.

In short, we wish to promote dissemination of this information through as
many channels as possible. However, we do wish to retain copyright on the
HOWTO documents, and would like to be notified of any plans to redistribute
the HOWTOs.

If you have any questions, please contact <linux-howto at metalab.unc.edu>
-----------------------------------------------------------------------------

1.4. Disclaimer

No liability for the contents of this document can be accepted. Use the
concepts, examples and other content at your own risk. As this is a new
edition of this document, there may be errors and inaccuracies that may of
course be damaging to your system. Proceed with caution, and although this is
highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically noted
otherwise. Use of a term in this document should not be regarded as affecting
the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major
installation and backups at regular intervals.
-----------------------------------------------------------------------------

1.5. New Versions

New versions of this document are announced on freshmeat.

The latest version of this document can be obtained from
[http://www.delouw.ch/linux] http://www.delouw.ch/linux

  * [http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/index.html]
    HTML.

  * [http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.ps]
    Postscript (ISO A4 format).

  * [http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.pdf]
    Acrobat PDF.

  * [http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.sgml]
    SGML Source.

  * [http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO.tar.gz]
    HTML gzipped tarball.
-----------------------------------------------------------------------------

1.6. Credits

  * Martynas Bieliauskas <martynas at inet.lt> submitted a good idea how to
    restrict the cyrus admin to localhost only.

  * Michael Muenz <m.muenz at maxonline.de> for his help with SMTP
    Authentication.

  * Ron Wheeler <rwheeler at artifact-software.com> for his help with editing
    for readability.

  * The nice people at <discuss at tldp.org> for supporting me in writing the
    HOWTOs.
-----------------------------------------------------------------------------

1.7. Feedback

Feedback is most certainly welcome for this document. Without your
submissions and input, this document wouldn't exist. Please send your
additions, comments and criticisms to the following email address:
<luc at delouw.ch>.

Please understand that I don't want to add Cyrus-IMAP 2.0.x related stuff to
this document anymore.
-----------------------------------------------------------------------------

1.8. Translations

At the moment no translations are available. A German translation is planned
and will be written by me as soon as I get the time.

Translations to other languages are always welcome. If you translate this
document, please translate the SGML source. Please let me know if you begin
to translate, so I can set a link here.
-----------------------------------------------------------------------------

2. Technologies

2.1. The Postfix MTA

    Postfix attempts to be fast, easy to administer, and secure, while at
    the same time being sendmail compatible enough to not upset existing
    users. Thus, the outside has a sendmail-ish flavor, but the inside is
    completely different.
                                                          --www.postfix.org

Figure 1. Postfix - the big picture

[big-picture]

Doesn't it look impressive? It looks much more complicated than it is.
Postfix is indeed nice to configure and handle.

Unlike sendmail, Postfix is not one monolithic program; it is a collection
of small programs, each of which has a specialized function. At this point I
don't want to go into the details of what each program does. If you are
interested in how Postfix works, please see the documentation at
[http://www.postfix.org/docs.html] http://www.postfix.org/docs.html

In this document you will find the information needed to get the system
running in conjunction with the other components of a full e-mail setup.
-----------------------------------------------------------------------------

2.2. Cyrus IMAP

Cyrus IMAP is developed and maintained by Carnegie Mellon University.

Unlike the WU-IMAPd package, Cyrus uses its own method to store the users'
mail. Each message is stored in its own file. The benefit of using separate
files is improved reliability, since only one message is lost if there is a
filesystem error. Metadata such as the status of a message (seen, etc.) is
stored in a database. Additionally, the messages are indexed to improve
performance, especially with lots of users and/or lots of big emails. There
is nothing else as fast as the Cyrus IMAP server.

Another very important feature is that you don't need a local Un*x user for
each account. All users are authenticated by the IMAP server. This makes it a
great solution when you have a really huge number of users.

User administration is done by special IMAP commands. This allows you to
either use the command line interface or one of the available web
interfaces. This method is much more secure than a web interface to
/etc/passwd.

Starting from Cyrus 2.1, SASL library version 2 is used for authentication.
For the setup described in this HOWTO, a three-layer authentication is
implemented: Cyrus authenticates against saslauthd, which forwards the
request to pam_mysql, which finally looks up the user information in the
MySQL table.

Since CMU changed the license policy for Cyrus, this software is going to be
used by many more users.
-----------------------------------------------------------------------------

2.3. Cyrus SASL

SASL means »Simple Authentication and Security Layer«. It is standardized by
the IETF (Internet Engineering Task Force). SASL is used by network servers
(in this case Cyrus-IMAP) to handle authentication requests from clients.

Cyrus SASL is an extensive piece of software, and sometimes not easy to
understand. Even I have just the minimum knowledge needed to write this
HOWTO.
-----------------------------------------------------------------------------

2.4. OpenSSL

OpenSSL is a library needed by SASL for encryption of the data stream. It is
used by almost all open source software that needs encryption. Most or all
Un*x distributions come with a pre-installed OpenSSL. Be sure to also install
the appropriate devel package. If you like, you can compile OpenSSL by
yourself. This will be required if you need to fix a security hole before
your distribution ships a patched package.
-----------------------------------------------------------------------------

2.5. MySQL Database

MySQL is a very fast, powerful and very easy to use database.

Since Cyrus can authenticate its users with PAM, you can use pam_mysql as a
connector to the user database stored in MySQL. This allows you to create a
nice web interface for your users for changing passwords, defining and
deleting aliases and more.
-----------------------------------------------------------------------------

2.6. pam_mysql

PAM means "Pluggable Authentication Module" and was originally proposed by
some people at Sun. In the meantime a lot of modules have been developed. One
of them is an interface to MySQL.

With pam_mysql you store the users' passwords in a MySQL database. Further,
Postfix is able to look up aliases from a MySQL table. At the end of the day,
you have a base for all administrative tasks to be done by the postmaster.

You will be able to delegate some tasks to power users. For example, tasks
such as creating accounts, changing passwords and creating new aliases can be
delegated to an administrator for a particular domain. At the end of the day,
you, as a sysadmin, will have the time to do some more productive tasks or
write a HOWTO for the Linux Documentation Project.
-----------------------------------------------------------------------------

2.7. Web-cyradm Webinterface

Figure 2. Web-cyradm Domain administration

[home]

Web-cyradm is the web interface that allows you to perform the administrative
tasks required to maintain the mail system. This screenshot shows the domain
administration part of Web-cyradm.

Web-cyradm is written in PHP, the most sophisticated HTML preprocessor
language. If you don't have a webserver with PHP installed, I would like to
refer you to my [http://www.delouw.ch/linux/apache.phtml]
Apache-Compile-HOWTO. This document describes how to set up Apache with PHP
and other modules.

Web-cyradm is under active development by people around the globe. The list
of features grows with each release. If you would like to contribute to
web-cyradm, or you have a nice idea, feel free to contact the mailing list on
[http://www.web-cyradm.org] http://www.web-cyradm.org

The following is a partial list of features:

  * Administration of multiple virtual domains

  * Setting of quotas

  * Automatic creation of usernames, either with a defined prefix or with the
    domain name

  * Delegation of tasks such as creating new users to »Domain Masters«

  * Mapping of user accounts to email addresses

  * Forwarding of accounts to single aliases

  * Vacation functions for single aliases

  * Support for SMTP transport tables

  * Support for MySQL and PostgreSQL

  * i18n (internationalization) support (including different charsets)

  * Translated into 18 languages and growing

Web-cyradm supports different roles for its users. If you plan to use it as a
frontend for your power users, please note that security may be a problem:
the role-based part still needs a security review.
-----------------------------------------------------------------------------

3. Getting and installing the software

Most of the software is included in your Linux distribution. For example,
SuSE has been shipping Cyrus, as far as I know, since 7.1. Since SuSE 8.1,
cyrus-imap 2.1 and sasl2 are included, and they work. It is still recommended
to compile Cyrus by yourself. SuSE does not ship a MySQL-enabled Postfix.

Tip  Deprecated packages for Debian stable and testing
     Debian users probably want to install packages provided by Debian.
     Unfortunately Debian stable (Woody) and testing (sarge) are using the
     deprecated version of the software used in this HOWTO. I tested the
     respective packages from Debian unstable (sid) and they are working.
     Please note that the maintainers at Debian are very conservative. The
     software packages »postfix-mysql«, »libsasl2« and »cyrus21-imapd« are
     stable, even if they are only available in the »unstable« tree.
-----------------------------------------------------------------------------

3.1. Getting and installing MySQL

3.1.1. Download

Origin-Site: [http://www.mysql.com/downloads/] http://www.mysql.com/downloads/
-----------------------------------------------------------------------------

3.1.2. Building and installing

+---------------------------------------------------------------------------+
|cd /usr/local                                                              |
|tar -xvzf mysql-4.0.18.tar.gz                                              |
|cd mysql-4.0.18                                                            |
|                                                                           |
|./configure \                                                              |
|--prefix=/usr/local/mysql \                                                |
|--enable-assembler \                                                       |
|--with-innodb \                                                            |
|--without-debug                                                            |
|                                                                           |
|make                                                                       |
|make install                                                               |
|                                                                           |
|/usr/local/mysql/bin/mysql_install_db                                      |
|echo /usr/local/mysql/lib/mysql >> /etc/ld.so.conf                         |
|ldconfig                                                                   |
|                                                                           |
|ln -s /usr/local/mysql/include/mysql /usr/include/mysql                    |
|ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql                            |
+---------------------------------------------------------------------------+

To improve security, add a dedicated MySQL user on your system, e.g. »mysql«,
so that the database server does not have to run as root, then give that user
ownership of the data directory:
+---------------------------------------------------------------------------+
|chown -R mysql /usr/local/mysql/var                                        |
+---------------------------------------------------------------------------+

If you want to start MySQL automatically at boot time, copy
/usr/local/mysql/share/mysql/mysql.server to /etc/init.d/ for SuSE; for
Redhat it is /etc/rc.d/init.d instead of /etc/init.d/. Further you need to
add symbolic links in /etc/init.d/rc3.d for SuSE and /etc/rc.d/rc3.d for
Redhat. Note that the start link must begin with a capital S and the kill
link with a capital K, otherwise init will not pick it up.

The following example is for SuSE Linux and should be easily changed for
Redhat and other Linux distributions and commercial Unix systems.
+---------------------------------------------------------------------------+
|cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/                  |
|ln -s /etc/init.d/mysql.server /etc/init.d/rc3.d/S20mysql                  |
|ln -s /etc/init.d/mysql.server /etc/init.d/rc3.d/K08mysql                  |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.2. Getting and installing Berkeley DB

The Berkeley DB is a requirement for building Cyrus-SASL and Cyrus-IMAP. Some
systems come with recent versions but without the header files installed.
Please check your distributor's CD/DVD to see if you can install the header
files from a package. Usually this package is called bdb-devel.

The version that comes with GNU/Debian Linux is out of date; you will need to
compile the most recent version instead. If you already installed Berkeley DB
on your Debian box, please uninstall it to prevent conflicts.

It is also very important that Cyrus-SASL and Cyrus-IMAP are compiled with
the same version of Berkeley DB, or else you can run into problems.

Tip  Berkeley DB versions
     I only tested the 4.0.x versions of bdb. Please let me know if you are
     successful with newer versions.
-----------------------------------------------------------------------------

3.2.1. Download Berkeley DB

Origin-Site: [http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz]
http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz
-----------------------------------------------------------------------------

3.2.2. Building and installing Berkeley DB

Unpack the tarball first; the configure script of Berkeley DB lives in the
dist subdirectory of the unpacked source tree.
+---------------------------------------------------------------------------+
|tar -xvzf db-4.0.14.tar.gz                                                 |
|cd db-4.0.14/dist                                                          |
|                                                                           |
|./configure --prefix=/usr/local/bdb                                        |
|                                                                           |
|make                                                                       |
|make install                                                               |
|                                                                           |
|echo /usr/local/bdb/lib >> /etc/ld.so.conf                                 |
|ldconfig                                                                   |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

3.3. Getting and installing OpenSSL

3.3.1. Download OpenSSL

Origin-Site: [http://www.openssl.org] http://www.openssl.org
-----------------------------------------------------------------------------

3.3.2. Building and installing

+---------------------------------------------------------------------------+
|cd /usr/local                                                              |
|tar -xvzf openssl-0.9.7d.tar.gz                                            |
|                                                                           |
|cd openssl-0.9.7d                                                          |
|                                                                           |
|./config shared                                                            |
|                                                                           |
|make                                                                       |
|make test                                                                  |
|make install                                                               |
|                                                                           |
|echo "/usr/local/ssl/lib" >> /etc/ld.so.conf                               |
|ldconfig                                                                   |
+---------------------------------------------------------------------------+

Tip  Select your CPU to improve speed
     By default the Makefile generates code for the i486 CPU. You can change
     this by editing the Makefile after running config shared. Search for
     -m486 and replace it, e.g. with -march=athlon.
-----------------------------------------------------------------------------

3.4. Getting and installing Cyrus SASL and IMAP

Building Cyrus SASL and IMAP from source is not an easy task. There are some
prerequisites to be fulfilled, and lots of difficult authentication related
stuff to be considered.
-----------------------------------------------------------------------------

3.4.1. Download Cyrus SASL and Cyrus IMAP

Origin-Site: [ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz]
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz

Origin-Site: [ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz]
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz
-----------------------------------------------------------------------------

3.4.2. Create the cyrus user

On most systems there is no cyrus user and mail group by default. Check for a
free UID; usually daemons are running with UIDs less than 100. As an example
I am using UID 96, which is what SuSE has in the default /etc/passwd.
+---------------------------------------------------------------------------+
|groupadd mail                                                              |
|useradd -u 96 -d /usr/cyrus -g mail cyrus                                  |
|passwd cyrus                                                               |
+---------------------------------------------------------------------------+
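The UID 96 above is only a SuSE convention; on another system it may already be taken. The following POSIX shell helper is an added example and not part of the HOWTO: find_free_uid and user_exists are hypothetical names, they read a passwd-format file given as a parameter, and the sample file they are run on here is constructed, so the check can be tried before pointing it at /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the HOWTO: pick a free UID for the cyrus account
# instead of assuming that 96 is unused. find_free_uid reads a passwd-format
# file (the third colon-separated field is the numeric UID) and prints the
# lowest UID in [MIN, MAX] that is not taken; user_exists checks whether a
# login name is already present. Both take the file as a parameter.

# find_free_uid PASSWD_FILE MIN MAX  -> prints the UID; exit 1 if none is free
find_free_uid() {
    passwd_file="$1"
    uid="$2"
    max="$3"
    while [ "$uid" -le "$max" ]; do
        # -x matches the whole line, so UID 9 does not match 96
        if ! cut -d: -f3 "$passwd_file" | grep -qx "$uid"; then
            echo "$uid"
            return 0
        fi
        uid=$((uid + 1))
    done
    echo "no free UID between $2 and $max in $passwd_file" >&2
    return 1
}

# user_exists NAME PASSWD_FILE  -> exit 0 if NAME is already a login name
user_exists() {
    cut -d: -f1 "$2" | grep -qx "$1"
}

# Constructed sample passwd file (not a real system file) for a dry run.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
mysql:x:60:2:MySQL database admin:/var/lib/mysql:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
EOF

# Dry run on the sample: 51 and 60 are taken, so the first free UID at or
# above 50 is 50, and the name cyrus is still available.
if user_exists cyrus "$SAMPLE_PASSWD"; then
    echo "user cyrus already exists" >&2
else
    CYRUS_UID="$(find_free_uid "$SAMPLE_PASSWD" 50 99)"
    echo "would run: useradd -u $CYRUS_UID -d /usr/cyrus -g mail cyrus"
fi
```

On a real host, replace the sample file with /etc/passwd and feed the printed UID to useradd; if the name check fails, inspect the existing account instead of creating a second one.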
-----------------------------------------------------------------------------

3.4.3. Building and installing Cyrus SASL

+---------------------------------------------------------------------------+
|tar -xvzf cyrus-sasl-2.1.18.tar.gz                                         |
|cd cyrus-sasl-2.1.18                                                       |
|                                                                           |
|./configure \                                                              |
|--enable-anon \                                                            |
|--enable-plain \                                                           |
|--enable-login \                                                           |
|--disable-krb4 \                                                           |
|--disable-otp \                                                            |
|--disable-cram \                                                           |
|--disable-digest \                                                         |
|--with-saslauthd=/var/run/saslauthd \                                      |
|--with-pam=/lib/security \                                                 |
|--with-dblib=berkeley \                                                    |
|--with-bdb-libdir=/usr/local/bdb/lib \                                     |
|--with-bdb-incdir=/usr/local/bdb/include \                                 |
|--with-openssl=/usr/local/ssl \                                            |
|--with-plugindir=/usr/local/lib/sasl2                                      |
|                                                                           |
|make                                                                       |
|make install                                                               |
|                                                                           |
|mkdir -p /var/run/saslauthd                                                |
|                                                                           |
|cd saslauthd                                                               |
|make testsaslauthd                                                         |
|cp testsaslauthd /usr/local/bin                                            |
|                                                                           |
|echo /usr/local/lib/sasl2 >> /etc/ld.so.conf                               |
|ldconfig                                                                   |
+---------------------------------------------------------------------------+

The SASL library is installed in /usr/local/lib/sasl2 but some programs are
expecting SASL in /usr/lib/sasl2. So it is a good idea to create a symbolic
link: ln -s /usr/local/lib/sasl2 /usr/lib/sasl2.
-----------------------------------------------------------------------------

3.4.4. Building Cyrus-IMAP

+---------------------------------------------------------------------------+
|tar -xvzf cyrus-imapd-2.2.3.tar.gz                                         |
|cd cyrus-imapd-2.2.3                                                       |
|                                                                           |
|export CPPFLAGS="-I/usr/include/et"                                        |
|                                                                           |
|./configure \                                                              |
|--with-sasl=/usr/local/lib \                                               |
|--with-perl \                                                              |
|--with-auth=unix \                                                         |
|--with-dbdir=/usr/local/bdb \                                              |
|--with-bdb-libdir=/usr/local/bdb/lib \                                     |
|--with-bdb-incdir=/usr/local/bdb/include \                                 |
|--with-openssl=/usr/local/ssl \                                            |
|--without-ucdsnmp                                                          |
|                                                                           |
|make depend                                                                |
|make                                                                       |
|make install                                                               |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.4.5. Automatic startup script

If you wish to start the Cyrus IMAP daemon automatically after booting, you
need a startup script. Place the following script in /etc/init.d/ as
»cyrus«. For Redhat, it is /etc/rc.d/init.d instead of /etc/init.d/.
+---------------------------------------------------------------------------+
|#!/bin/bash                                                                |
|#                                                                          |
|# Cyrus startup script                                                     |
|                                                                           |
|case "$1" in                                                               |
|    start)                                                                 |
|        # Starting SASL saslauthd                                          |
|        /usr/local/sbin/saslauthd -c -a pam &                              |
|                                                                           |
|        # Starting Cyrus IMAP Server                                       |
|        /usr/cyrus/bin/master &                                            |
|        ;;                                                                 |
|                                                                           |
|    stop)                                                                  |
|        # Stopping SASL saslauthd                                          |
|        killall saslauthd                                                  |
|                                                                           |
|        # Stopping Cyrus IMAP Server                                       |
|        killall /usr/cyrus/bin/master                                      |
|        ;;                                                                 |
|                                                                           |
|    *)                                                                     |
|        echo "Usage: $0 {start|stop}"                                      |
|        exit 1                                                             |
|        ;;                                                                 |
|esac                                                                       |
+---------------------------------------------------------------------------+

If I get the time, I will provide a more sophisticated script, but this
script works.

Now create the symlinks in the runlevel directory (SuSE):
+---------------------------------------------------------------------------+
|ln -s /etc/init.d/cyrus /etc/init.d/rc3.d/S20cyrus                         |
|ln -s /etc/init.d/cyrus /etc/init.d/rc3.d/K10cyrus                         |
+---------------------------------------------------------------------------+

For Redhat:
+---------------------------------------------------------------------------+
|ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/S20cyrus                      |
|ln -s /etc/rc.d/init.d/cyrus /etc/rc.d/rc3.d/K10cyrus                      |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.4.6. Update Cyrus IMAPd

This section describes how to update the IMAPd from version 2.1.x to 2.2.x.

Caution Update is critical and can mean complete data loss
Please test this procedure on a test/pre-production server first.
Also have a close look at install-upgrade.html that comes with the
cyrus-imapd distribution. Please note that you should plan a downtime
for the production server to have the time to solve problems. Also
note that I cannot take responsibility for the update procedure
provided here.

Cyrus changed the format of the db databases used for internal storage of
the mailbox list, flags etc.

A convert script comes with the distribution. The most important database is
/var/imap/mailboxes.db. Without that database cyrus-imapd will NOT run. This
requires a backup. Let's do a dump and a backup of the database.
+-------------------------------------------------------------------------------+
|/etc/init.d/cyrus stop # be sure no cyrus process is running |
| |
|lsof /var/imap/mailboxes.db # be sure NO process is accessing the mailbox file |
| |
|su - cyrus |
|/usr/cyrus/bin/ctl_mboxlist -d > /tmp/mailbox.db.dump |
|cp /var/imap/mailboxes.db /var/imap/mailboxes.db.old |
+-------------------------------------------------------------------------------+

Convert the /var/imap/mailboxes.db:
+-----------------------------------------------------------------------------------------------+
|/usr/cyrus/bin/cvt_cyrusdb /var/imap/mailboxes.db berkeley /var/imap/mailboxes.db.new skiplist |
|mv /var/imap/mailboxes.db.new /var/imap/mailboxes.db |
+-----------------------------------------------------------------------------------------------+

Convert all the »seen« databases:
+---------------------------------------------------------------------------------------------------------------------------+
|find /var/imap/user -name \*.seen -exec /usr/cyrus/bin/cvt_cyrusdb \{\} flat \{\}.new skiplist \; -exec mv \{\}.new \{\} \;|
+---------------------------------------------------------------------------------------------------------------------------+

Converting the sieve scripts:
+---------------------------------------------------------------------------+
|/usr/local/cyrus-imapd-2.2.3/tools/masssievec /usr/cyrus/bin/sievec |
+---------------------------------------------------------------------------+
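The mailboxes.db step above moves the converter's output over the live database without checking that cvt_cyrusdb actually succeeded (the find command for the »seen« databases is safer: its second -exec only runs when the first one returned success). The following shell wrapper is an added example, not part of the HOWTO or of cyrus-imapd. It does the backup, the in-use check and the conversion for one database and replaces the original only when the converter exits 0 and wrote a non-empty file. The converter path /usr/cyrus/bin/cvt_cyrusdb and its argument order are taken from the commands above; the optional fourth argument lets you substitute another converter (the test uses a dummy one).

```sh
#!/bin/sh
# Added example (not from the HOWTO): convert one Cyrus database with a
# backup and a success check before the original is replaced.
# Usage: safe_convert DBFILE FROM_BACKEND TO_BACKEND [CONVERTER]
# CONVERTER defaults to /usr/cyrus/bin/cvt_cyrusdb, the path used in the HOWTO.
safe_convert() {
    db=$1; from=$2; to=$3; cvt=${4:-/usr/cyrus/bin/cvt_cyrusdb}
    [ -f "$db" ] || { echo "no such database: $db" >&2; return 1; }
    # Refuse to touch a database another process still has open
    # (the HOWTO checks this by hand with lsof; fuser is used when present).
    if command -v fuser >/dev/null 2>&1 && fuser "$db" >/dev/null 2>&1; then
        echo "$db is still in use, stop cyrus first" >&2
        return 1
    fi
    # Keep a copy for rollback, exactly like the cp to mailboxes.db.old above.
    cp -p "$db" "$db.old" || return 1
    # cvt_cyrusdb argument order as used in the HOWTO:
    #   <old file> <old backend> <new file> <new backend>
    if ! "$cvt" "$db" "$from" "$db.new" "$to"; then
        echo "conversion failed, $db left untouched" >&2
        rm -f "$db.new"
        return 1
    fi
    if [ ! -s "$db.new" ]; then
        echo "converter produced an empty file, $db left untouched" >&2
        rm -f "$db.new"
        return 1
    fi
    mv "$db.new" "$db"
}

# Stand-alone use: sh safe_convert.sh /var/imap/mailboxes.db berkeley skiplist
if [ $# -ge 3 ]; then safe_convert "$@"; fi
```

Run it as the cyrus user after stopping the server, as in the procedure above; the .old copy stays beside the database so the conversion can be rolled back by moving it back.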
-----------------------------------------------------------------------------

3.5. Getting and installing Postfix

3.5.1. Download

Origin-Site: [http://www.postfix.org/ftp-sites.html] http://www.postfix.org/ftp-sites.html
-----------------------------------------------------------------------------

3.5.2. Creating a User-ID (UID) and Group-ID (GID) for postfix

Before you build and install postfix, be sure to create a »postfix« user and
group and a »postdrop« group if they do not exist on the system. First check
for the groups with grep postfix /etc/group and grep postdrop /etc/group.

If there are no such groups and users, you just create them. Search for a
free numeric UID and GID. In the following example I will use UID and GID
33333 for Postfix and GID 33335 for postdrop. These IDs correspond to other
documents.
+---------------------------------------------------------------------------+
|groupadd -g 33333 postfix |
|groupadd -g 33335 postdrop |
| |
|useradd -u 33333 -g 33333 -d /dev/null -s /bin/false postfix |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.5.3. Building and installing

The following section shows what you have to do if you installed MySQL from
source as described above. If you installed MySQL from a binary package such
as rpm or deb, then you have to change the include and library flags to
-I/usr/include/mysql and -L/usr/lib/mysql.

Caution Old MTA needs to be uninstalled
It is important that you uninstall any sendmail version from RPM
based systems. I suggest that you remove sendmail, and install
Postfix instead. At least SuSE RPMs need a MTA. After installing the
Postfix-RPM, just install Postfix over the RPM installation by
following the HOWTO.
+---------------------------------------------------------------------------+
|tar -xvzf postfix-2.0.19.tar.gz |
| |
|cd postfix-2.0.19 |
| |
|make makefiles 'CCARGS=-DHAS_MYSQL \ |
|-I/usr/local/mysql/include/mysql -DUSE_SASL_AUTH \ |
|-I/usr/local/include/sasl -I/usr/local/bdb/include' \ |
|'AUXLIBS=-L/usr/local/mysql/lib/mysql \ |
|-lmysqlclient -lz -lm -L/usr/local/lib -lsasl2 -L/usr/local/bdb/lib' |
|make |
|make install |
+---------------------------------------------------------------------------+

During make install a few questions are asked. Just pressing Enter should
match your needs. For Redhat users it could be useful to enter
/usr/local/share/man.

Now you need to create some symbolic links to start Postfix automatically on
system startup. The sample is for SuSE Linux, please consult your vendor's
manual for other distributions.
+---------------------------------------------------------------------------+
|ln -s /usr/sbin/postfix /etc/init.d/rc3.d/S14postfix |
|ln -s /usr/sbin/postfix /etc/init.d/rc3.d/K07postfix |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.6. Getting and installing PAM

PAM is installed by default on almost all Linux distributions. I am not
describing how to compile PAM by yourself, because it could break your
system. Instead, I will describe how to install the package.

Users of a RPM based distribution can issue the following command:
+---------------------------------------------------------------------------+
|rpm -i pam-devel.rpm |
+---------------------------------------------------------------------------+

Debian users can install the devel package with the following command:
+---------------------------------------------------------------------------+
|apt-get install libpam0g-dev |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.7. Getting and installing pam_mysql

3.7.1. Download

Origin-Site: [http://sourceforge.net/projects/pam-mysql/] http://sourceforge.net/projects/pam-mysql/
-----------------------------------------------------------------------------

3.7.2. Installing

+---------------------------------------------------------------------------+
|tar -xvzf pam_mysql-0.5.tar.gz |
| |
|cd pam_mysql |
+---------------------------------------------------------------------------+

If you have compiled mysql by yourself, check the Makefile and enter the
correct path to your mysql libs and add the compiler flag
-I/path/to/mysql/include to CFLAGS.
+----------------------------------------------------------------------------+
|ifndef FULL_LINUX_PAM_SOURCE_TREE |
|export DYNAMIC=-DPAM_DYNAMIC |
|export CC=gcc |
|export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ |
| -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ |
| -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ |
| -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ |
| -Wshadow -pedantic -fPIC -I/usr/local/mysql/include |
|export MKDIR=mkdir -p |
|export LD_D=gcc -shared -Xlinker -x -L/usr/local/mysql/lib/mysql -lz |
|endif |
+----------------------------------------------------------------------------+

After customizing that file you can go ahead with the pam_mysql compile.
+---------------------------------------------------------------------------+
|make |
| |
|cp pam_mysql.so /lib/security |
| |
|[[ ! -d /var/lib/mysql ]] && mkdir /var/lib/mysql |
|ln -s /tmp/mysql.sock /var/lib/mysql/mysql.sock |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.8. Getting and installing Web-cyradm

3.8.1. Download

Origin-Site: [http://www.web-cyradm.org] http://www.web-cyradm.org
-----------------------------------------------------------------------------

3.8.2. Installing

+---------------------------------------------------------------------------+
|cd /usr/local/apache/htdocs |
| |
|tar -xvzf web-cyradm-0.5.4.tar.gz |
| |
|touch /var/log/web-cyradm.log |
|chown nobody /var/log/web-cyradm.log |
+---------------------------------------------------------------------------+

After unpacking web-cyradm, move it to a place in your webserver's
documentroot.

That's all. Now you need to configure the whole bunch of software.

Web-cyradm 0.5.4 is considered stable, and was released on 2003-12-05.

Since web-cyradm uses PEAR for its database abstraction layer, you also need
a recent copy of PEAR. This is included in recent PHP versions. I strongly
suggest updating PHP to 4.3.4, because a lot of important bugs have been
fixed.

A frequent mistake is to forget to touch the logfile and change the owner to
the Apache UID. This is usually »nobody« or »wwwrun«.
-----------------------------------------------------------------------------

3.8.3. Create the databases and tables

Now we need to create the database and tables for Postfix and Web-cyradm and
add a user to the database.

Web-cyradm comes with several MySQL scripts: insertuser_mysql.sql and
create_mysql.sql. The first inserts the database user into the database »mysql«
and creates the database »mail«. The second creates the required tables and
populates the database with an initial admin user and the cyrus user.

The other scripts are used for incremental upgrading from older releases.

The password for the database user »mail« in this example is »secret«. Please
insert whatever user and password you like.

The username for the initial superuser is »admin« with the password »test«.

Caution Change the default password!
If a malicious user wants to gain unauthorized access to a system,
the first attempt is always the default username and password
supplied by the vendor. It is IMPORTANT that you change them in the
scripts before applying them.

After customizing the username and password, apply the scripts:
+---------------------------------------------------------------------------+
|/usr/local/mysql/bin/mysql -u root -p < \ |
|/usr/local/apache/htdocs/web-cyradm/scripts/insertuser_mysql.sql |
| |
|/usr/local/mysql/bin/mysql mail -u mail -p < \ |
|/usr/local/apache/htdocs/web-cyradm/scripts/create_mysql.sql |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.8.4. Upgrading from 0.5.3 to 0.5.4

In version 0.5.4 there is a small database enhancement. You can upgrade your
database by issuing the MySQL script that comes with the distribution.
+---------------------------------------------------------------------------+
|mysql mail -u mail -p < \ |
|scripts/upgrade-0.5.3-to-0.5.4_mysql.sql |
+---------------------------------------------------------------------------+

Since version 0.5.3 web-cyradm has full support for DES crypted passwords.
You can use the php script migrate.php to convert the users' passwords from
plain text to unix compatible crypt (DES).

Caution Migration from plain to crypt cannot be undone
Be sure to have a recent backup of your database before doing
anything with the migration script.
-----------------------------------------------------------------------------

4. Configuring MySQL

4.1. Securing MySQL

Because you are using MySQL to authenticate users, you need to restrict
network access to port 3306.

The easiest way is to only bind MySQL to the loopback interface 127.0.0.1.
This makes sure nobody can connect to your MySQL daemon via the network.

Edit /etc/init.d/mysql.server and change line 107 as follows:

Original line:
+---------------------------------------------------------------------------+
|$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file& |
+---------------------------------------------------------------------------+

Changed line:
+---------------------------------------------------------------------------+
|$bindir/safe_mysqld --datadir=$datadir --pid-file=$pid_file \ |
|--bind-address=127.0.0.1& |
+---------------------------------------------------------------------------+

Restart your MySQL daemon by issuing the command /etc/init.d/mysql.server
start

To ensure the configuration change was successful, run netstat -an|grep LISTEN.
The output should look similar to this:
+---------------------------------------------------------------------------+
|bond:~ # netstat -an|grep LISTEN |
|tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN |
+---------------------------------------------------------------------------+
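Reading the netstat output by eye is easy to get wrong on a host with many listeners, so here is the same check as a script. It is an added example, not part of the HOWTO: it parses »netstat -an« style lines from stdin and fails when any listener on the MySQL port is bound to something other than 127.0.0.1 (0.0.0.0, an interface address, or the IPv6 wildcard »:::«, which netstat shows in the same column). The port defaults to 3306 and the field layout is the one shown in the box above.

```sh
#!/bin/sh
# Added check (not part of the HOWTO): confirm from "netstat -an" style
# output that the MySQL port is bound to the loopback interface only.
# Reads listener lines on stdin, prints one line per MySQL listener and
# returns 0 when all of them are on 127.0.0.1, 1 otherwise.
check_mysql_bind() {
    port=${1:-3306}
    bad=0
    # field layout as in the HOWTO's sample line:
    #   tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
    while read -r proto recvq sendq laddr raddr state; do
        [ "$state" = LISTEN ] || continue       # listening sockets only
        case $laddr in
            *:"$port") ;;                       # a listener on the MySQL port
            *) continue ;;
        esac
        case $laddr in
            127.0.0.1:*)
                echo "ok: MySQL listens on $laddr (loopback only)" ;;
            *)
                echo "WARNING: MySQL reachable from the network on $laddr" >&2
                bad=1 ;;
        esac
    done
    return $bad
}

# Check the live system: sh check_mysql_bind.sh live
if [ "${1:-}" = live ]; then
    netstat -an | check_mysql_bind
fi
```

A non-zero exit is the cue to revisit the --bind-address change and the restart above; run the script from cron if you want to be told when a later package update resets the init script.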
-----------------------------------------------------------------------------

4.2. Setting up rinetd

This step is only necessary if you run the MySQL server on a host other than
the mail server. This allows you to securely connect from another host since
access is allowed only from pre-defined IP addresses.

The example used is from the view of the host serving the MySQL database.
Let's assume your mail server has the IP 192.168.0.100 and the MySQL host has
192.168.0.200.

Edit /etc/rinetd.conf and add:
+---------------------------------------------------------------------------+
|192.168.0.200 3306 127.0.0.1 3306 |
|allow 192.168.0.100 |
+---------------------------------------------------------------------------+

This means: The MySQL host is listening on 192.168.0.200 port 3306. If
192.168.0.100 attempts a connection, it is forwarded to 127.0.0.1:3306. All
other hosts are rejected.
-----------------------------------------------------------------------------

5. Configuring PAM

Now we need to make sure that PAM knows how to authenticate the Cyrus users.

You have to create the file /etc/pam.d/imap with the following entries:
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|auth sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time |
| |
|auth sufficient pam_unix_auth.so |
| |
|account required pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time |
| |
|account sufficient pam_unix_acct.so |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

The lines containing pam_unix_auth.so and pam_unix_acct.so are only needed if
you are migrating from WU-IMAP to Cyrus. This allows a user to authenticate with
the old unix password AND the new mysql-based password.

To use the other services provided by cyrus and SMTP authentication you need to
copy the file so that the copies match the service IDs:
+---------------------------------------------------------------------------+
|cp /etc/pam.d/imap /etc/pam.d/pop |
|cp /etc/pam.d/imap /etc/pam.d/sieve |
|cp /etc/pam.d/imap /etc/pam.d/smtp |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

6. Configuring Postfix

Postfix needs two major config files: main.cf and master.cf. Both need your
attention.
-----------------------------------------------------------------------------

6.1. master.cf

You need to change just one line:

old:
+---------------------------------------------------------------------------+
|flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} |
+---------------------------------------------------------------------------+

new:
+----------------------------------------------------------------------------------+
|flags= user=cyrus argv=/usr/cyrus/bin/deliver -r ${sender} -m ${extension} ${user}|
+----------------------------------------------------------------------------------+

What does that change affect?

A look at the cyrus man page (man deliver) clears up that issue:

The Postfix default setup uses a wrong path to cyrus deliver; this is the
first change. The parameter »-r« inserts a proper return path. Without that,
mail rejected/returned by sieve will be sent to the cyrus user at yourdomain.
-----------------------------------------------------------------------------

6.2. main.cf

Here you need to change some more things like hostname, relaying,
alias lookups etc.

First change the hostname:
+---------------------------------------------------------------------------+
|myhostname = foo.bar.org |
+---------------------------------------------------------------------------+

mydestination

Here you have to put all domain names that are local (corresponding to
sendmail's /etc/mail/sendmail.cw). If you have multiple domains, separate
them with commas.
+---------------------------------------------------------------------------+
|mydestination = foo.bar.org, example.com, furchbar-grausam.ch, |
| whatever.domain.tld, mysql:/etc/postfix/mysql-mydestination.cf |
+---------------------------------------------------------------------------+

Relayhost

Here you define where to deliver outgoing mails. If you do not provide any
host, mail is delivered directly to the destination smtp host. Usually your
relayhosts are your internet service provider's smtp servers.
+---------------------------------------------------------------------------+
|relayhost = relay01.foobar.net relay02.foobar.net relay03.foobar.net |
+---------------------------------------------------------------------------+

Mailtransport

Here you define how the mails accepted for local delivery should be handled.
In your situation, mail should be delivered by the cyrus delivery program.
+---------------------------------------------------------------------------+
|mailbox_transport = cyrus |
+---------------------------------------------------------------------------+

At the end of the file you need to add:
+-----------------------------------------------------------------------------------+
|virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf|
+-----------------------------------------------------------------------------------+

If you don't want to have an overriding /etc/postfix/virtual, skip the hash
entry.

Outgoing addresses should be rewritten from test0002 at domain to user.name
at virtualhost.com. This is important if you want to use a webmail interface.
+---------------------------------------------------------------------------+
|sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf |
+---------------------------------------------------------------------------+

Now you need to create the file /etc/postfix/mysql-virtual.cf:
+---------------------------------------------------------------------------+
|# |
|# mysql config file for alias lookups on postfix |
|# comments are ok. |
|# |
| |
|# the user name and password to log into the mysql server |
|hosts = localhost |
|user = mail |
|password = secret |
| |
|# the database name on the servers |
|dbname = mail |
| |
|# the table name |
|table = virtual |
| |
|# |
|select_field = dest |
|where_field = alias |
|additional_conditions = and status = '1' |
+---------------------------------------------------------------------------+

The file /etc/postfix/mysql-canonical.cf:
+---------------------------------------------------------------------------+
|# mysql config file for canonical lookups on postfix |
|# comments are ok. |
|# |
| |
|# the user name and password to log into the mysql server |
|hosts = localhost |
|user = mail |
|password = secret |
| |
|# the database name on the servers |
|dbname = mail |
| |
|# the table name |
|table = virtual |
|# |
|select_field = alias |
|where_field = username |
|# Return the first match only |
|additional_conditions = and status = '1' limit 1 |
+---------------------------------------------------------------------------+

Finally the file /etc/postfix/mysql-mydestination.cf:
+--------------------------------------------------------------------------------------+
|# mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix |
|# comments are ok. |
|# |
| |
|# the user name and password to log into the mysql server |
|hosts = localhost |
|user = mail |
|password = secret |
| |
|# the database name on the servers |
|dbname = mail |
| |
|# the table name |
|table = domain |
|# |
|select_field = domain_name |
|where_field = domain_name |
+--------------------------------------------------------------------------------------+
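The three .cf files above all describe the same thing: the SELECT that Postfix runs for a lookup key (the recipient address for virtual, the sender's login name for canonical, the domain for mydestination). With the Postfix 2.0 mysql table syntax the query is assembled as »SELECT select_field FROM table WHERE where_field = 'key' additional_conditions«, which is why the canonical file can append »limit 1«. The script below is an added example, not part of the HOWTO or of Postfix: it reads one of these .cf files and prints the query for a given key, so you can paste it into the mysql client to verify that the table, columns and status flags really return what you expect before Postfix goes live. Postfix escapes the key before substituting it; the script mirrors that by doubling single quotes so an address with a quote in it cannot break out of the literal.

```sh
#!/bin/sh
# Added example (not part of the HOWTO or of Postfix): print the query that a
# Postfix mysql: table configured like the .cf files above runs for one key.
# Usage: render_query /etc/postfix/mysql-virtual.cf info@example.com
render_query() {
    cf=$1
    # single quotes in the key are doubled, the SQL way of escaping them
    key=$(printf '%s' "$2" | sed "s/'/''/g")
    table=; select_field=; where_field=; additional_conditions=
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # split on the FIRST "=" only: additional_conditions itself contains "="
        name=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $name in
            table)                 table=$value ;;
            select_field)          select_field=$value ;;
            where_field)           where_field=$value ;;
            additional_conditions) additional_conditions=$value ;;
        esac
    done < "$cf"
    if [ -z "$table" ] || [ -z "$select_field" ] || [ -z "$where_field" ]; then
        echo "$cf: table, select_field and where_field are all required" >&2
        return 1
    fi
    # Postfix 2.0 mysql_table query shape:
    #   SELECT <select_field> FROM <table> WHERE <where_field> = '<key>' <additional_conditions>
    printf "SELECT %s FROM %s WHERE %s = '%s'%s\n" \
        "$select_field" "$table" "$where_field" "$key" \
        "${additional_conditions:+ $additional_conditions}"
}

if [ $# -eq 2 ]; then render_query "$1" "$2"; fi
```

For the mysql-virtual.cf above and the key info@example.com this prints »SELECT dest FROM virtual WHERE alias = 'info@example.com' and status = '1'«; a row that is missing or has status 0 means Postfix treats the address as unknown, which is the check to make when an alias unexpectedly bounces.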

SMTP Authentication with SASL and PAM

Put the following in your /etc/postfix/main.cf:
+-------------------------------------------------------------------------------------------------------+
|smtpd_sasl_auth_enable = yes |
|smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination |
|smtpd_sasl_security_options = noanonymous |
|smtpd_sasl_local_domain = |
|broken_sasl_auth_clients = yes |
+-------------------------------------------------------------------------------------------------------+

You also need to create the file /usr/local/lib/sasl2/smtpd.conf with the
following contents:
+---------------------------------------------------------------------------+
|pwcheck_method: saslauthd |
+---------------------------------------------------------------------------+

The next step is to tell postfix how to find the saslauthd socket:
+---------------------------------------------------------------------------+
|mv /var/run/sasl2 /var/run/sasl2-old |
|ln -s /var/run/saslauthd /var/run/sasl2 |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------
6.3. Fighting against SPAM

This section describes how to implement a basic SPAM protection setup with
postfix. It does not use any external software like spamassassin, etc.

Postfix has some built-in filters that allow you to stop obvious SPAM
attempts. In particular these are:

* smtpd_helo_required = yes

  This switch in main.cf means that SMTP clients connecting to your mail
  server must give a »helo« when connecting.

* smtpd_recipient_restrictions

  This option in main.cf lets you define different rules on the handling
  of the acceptance of mail. The following example simply rejects all invalid
  sender and recipient data. Additionally it defines how to look up known
  spammers from online blacklists.
+---------------------------------------------------------------+
|smtpd_recipient_restrictions = |
| reject_invalid_hostname, |
| reject_non_fqdn_hostname, |
| reject_non_fqdn_sender, |
| reject_non_fqdn_recipient, |
| reject_unknown_sender_domain, |
| reject_unknown_recipient_domain, |
| reject_unauth_pipelining, |
| permit_mynetworks, |
| reject_unauth_destination, |
| reject_rbl_client zombie.dnsbl.sorbs.net, |
| reject_rbl_client relays.ordb.org, |
| reject_rbl_client opm.blitzed.org, |
| reject_rbl_client list.dsbl.org, |
| reject_rbl_client sbl.spamhaus.org, |
| permit |
+---------------------------------------------------------------+

* mime_header_checks=pcre:/etc/postfix/body_checks

  MIME header checks let you reject mail which contains malicious MIME
  content, i.e. dangerous attachments such as Windows executables. Create
  the file /etc/postfix/body_checks. The following example rejects all mail
  that contains potentially dangerous attachments. In my experience, using
  this example would filter out most of the viruses delivered by e-mail. In any
  event, a virus scanner should always be installed.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| /^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed |
| |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
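A rule this long is worth exercising offline before it goes into production, both to see that it catches what you expect and that it does not reject ordinary attachments. The script below is an added example, not part of the HOWTO: it carries the rule above translated from PCRE to POSIX ERE (the only change is that »\ « becomes a plain space) and runs it with grep -E over constructed MIME header lines, case-insensitively as Postfix pcre tables do by default. The third alternative of the rule, a line starting with spaces, is what makes it match a folded header where the file name sits on a continuation line, so the sample includes one of those.

```sh
#!/bin/sh
# Added example (not part of the HOWTO): test the attachment rule above
# against MIME header lines offline. The pattern is the HOWTO's rule in
# POSIX ERE form ("\ " replaced by a space) for grep -E; -i mirrors the
# case-insensitive default of Postfix pcre tables.
ATTACH_RE='^((Content-(Disposition: attachment;|Type:).*| +)| *)(file)?name *= *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"? *$'

# Returns 0 when one header line matches the rule, i.e. Postfix would reject.
attachment_rejected() {
    printf '%s\n' "$1" | grep -Eiq "$ATTACH_RE"
}

# Reads MIME header lines from stdin; prints the first offending line with the
# rule's REJECT text and returns 0, or returns 1 when every line passed.
scan_mime_headers() {
    while IFS= read -r line; do
        if attachment_rejected "$line"; then
            echo "REJECT attachment type not allowed: $line"
            return 0
        fi
    done
    return 1
}

# Stand-alone demo with constructed header lines: sh attachment_check.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' \
        'Content-Type: application/pdf;' \
        ' name="quarterly-report.pdf"' \
        'Content-Disposition: attachment; filename="invoice.exe"' |
        scan_mime_headers
fi
```

The rule only sees header lines, so a file name that is MIME-encoded or split across several continuation lines is not caught by it; that is one more reason for the virus scanner the text asks for in addition to these checks.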

-----------------------------------------------------------------------------
7. Configuring Cyrus IMAP

7.1. Creating the config files

You have to create /etc/imapd.conf and /etc/cyrus.conf.
-----------------------------------------------------------------------------

7.1.1. /etc/services

If you like to use sieve (a mail filtering language), you must change an
entry in /etc/services. With SuSE 8.0 take special care about the port for
sieve, they defined the wrong port. Add or change the following lines:
+---------------------------------------------------------------------------+
|pop3 110/tcp |
|imap 143/tcp |
|imaps 993/tcp |
|pop3s 995/tcp |
|sieve 2000/tcp |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

7.1.2. /etc/imapd.conf

Be sure »servername« contains your FQHN (Fully Qualified Hostname).

The parameter »unixhierarchysep: yes« is only used if you like to have
usernames like »hans.mueller.somedomain.tld«; see Section 8 for more info.
+---------------------------------------------------------------------------+
|postmaster: postmaster |
|configdirectory: /var/imap |
|partition-default: /var/spool/imap |
|# admins: cyrus # no admins! |
|allowanonymouslogin: no |
|allowplaintext: yes |
|sasl_mech_list: PLAIN |
|servername: servername |
|autocreatequota: 10000 |
|reject8bit: no |
|quotawarn: 90 |
|timeout: 30 |
|poptimeout: 10 |
|dracinterval: 0 |
|drachost: localhost |
|sasl_pwcheck_method: saslauthd |
|sievedir: /usr/sieve |
|sendmail: /usr/sbin/sendmail |
|sieve_maxscriptsize: 32 |
|sieve_maxscripts: 5 |
|#unixhierarchysep: yes |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

7.1.3. /etc/imapd-local.conf

Be sure »servername« contains your FQHN (Fully Qualified Hostname).

The parameter »unixhierarchysep: yes« is only used if you like to have
usernames like »hans.mueller.somedomain.tld«; see Section 8 for more info.

This second file ensures that admin users can only connect via localhost.
Decide by yourself if this additional security feature is needed for your
site.
+---------------------------------------------------------------------------+
|postmaster: postmaster |
|configdirectory: /var/imap |
|partition-default: /var/spool/imap |
|admins: cyrus |
|allowanonymouslogin: no |
|allowplaintext: yes |
|sasl_mech_list: PLAIN |
|servername: servername |
|autocreatequota: 10000 |
|reject8bit: no |
|quotawarn: 90 |
|timeout: 30 |
|poptimeout: 10 |
|dracinterval: 0 |
|drachost: localhost |
|sasl_pwcheck_method: saslauthd |
|sievedir: /usr/sieve |
|sendmail: /usr/sbin/sendmail |
|sieve_maxscriptsize: 32 |
|sieve_maxscripts: 5 |
|#unixhierarchysep: yes |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

7.1.4. Creating the TLS/SSL Certificate

If you want to enable Cyrus' TLS/SSL facilities, you have to create a
certificate first. This requires an OpenSSL installation.
+---------------------------------------------------------------------------+
|openssl req -new -nodes -out req.pem -keyout key.pem |
|openssl rsa -in key.pem -out new.key.pem |
|openssl x509 -in req.pem -out ca-cert -req \ |
|-signkey new.key.pem -days 999 |
| |
|mkdir /var/imap |
| |
|cp new.key.pem /var/imap/server.pem |
|rm new.key.pem |
|cat ca-cert >> /var/imap/server.pem |
| |
|chown cyrus:mail /var/imap/server.pem |
|chmod 600 /var/imap/server.pem # Your key should be protected |
| |
|echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf |
|echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf |
|echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf |
+---------------------------------------------------------------------------+
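Because the three tls_* settings all point at the same file, server.pem has to carry both the private key and the certificate, and the chmod 600 is what keeps the key from being readable by other local users. The check below is an added example, not part of the HOWTO or of Cyrus: it verifies those two properties of the finished file with only grep and find, and, when given the directory the openssl commands were run in, warns if key.pem is still there (the commands above delete new.key.pem only, and »openssl req -nodes« wrote key.pem without a passphrase).

```sh
#!/bin/sh
# Added check (not part of the HOWTO): verify the combined key+certificate
# file produced by the commands above before pointing imapd.conf at it.
# Usage: check_server_pem PEMFILE [WORKDIR]
#   - PEMFILE must exist, be readable and have mode 600
#   - it must contain a PRIVATE KEY block and a CERTIFICATE block, since
#     tls_key_file and tls_cert_file both refer to it
#   - with WORKDIR, a leftover WORKDIR/key.pem (unencrypted, see -nodes) is
#     reported as well
check_server_pem() {
    pem=$1; workdir=$2; rc=0
    [ -r "$pem" ] || { echo "$pem: missing or unreadable" >&2; return 1; }
    # find -perm 600 prints the file only when its mode is exactly 0600
    if [ -z "$(find "$pem" -perm 600 -print 2>/dev/null)" ]; then
        echo "$pem: mode is not 600, run chmod 600 $pem" >&2; rc=1
    fi
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" ||
        { echo "$pem: no private key block, tls_key_file would fail" >&2; rc=1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" ||
        { echo "$pem: no certificate block, tls_cert_file would fail" >&2; rc=1; }
    if [ -n "$workdir" ] && [ -e "$workdir/key.pem" ]; then
        echo "$workdir/key.pem: unencrypted copy of the key left behind, remove it" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_server_pem.sh /var/imap/server.pem /root
if [ $# -ge 1 ]; then check_server_pem "$@"; fi
```

With OpenSSL available, »openssl x509 -in /var/imap/server.pem -noout -subject -dates« additionally shows whose certificate it is and when the 999 days run out.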
|
||
-----------------------------------------------------------------------------

7.1.5. /etc/cyrus.conf

The other file you need to create is /etc/cyrus.conf. It is the configuration
file for the Cyrus master process: it defines the startup procedures, services
and events to be spawned by the »master« process.

+------------------------------------------------------------------------------------------+
|# standard standalone server implementation                                               |
|                                                                                          |
|START {                                                                                   |
|  # do not delete this entry!                                                             |
|  recover cmd="ctl_cyrusdb -r"                                                            |
|                                                                                          |
|  # this is only necessary if using idled for IMAP IDLE                                   |
|#  idled cmd="idled"                                                                      |
|}                                                                                         |
|                                                                                          |
|# UNIX sockets start with a slash and are put into /var/imap/socket                       |
|SERVICES {                                                                                |
|  # add or remove based on preferences                                                    |
|  imap cmd="imapd" listen="192.168.0.1:imap" prefork=0                                    |
|  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0        |
|  imaps cmd="imapd -s" listen="192.168.0.1:imaps" prefork=0                               |
|  imapslocal cmd="imapd -s -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0   |
|  pop3 cmd="pop3d" listen="pop3" prefork=0                                                |
|  pop3s cmd="pop3d -s" listen="pop3s" prefork=0                                           |
|  sieve cmd="timsieved" listen="192.168.0.1:sieve" prefork=0                              |
|  sievelocal cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0  |
|                                                                                          |
|  # at least one LMTP is required for delivery                                            |
|#  lmtp cmd="lmtpd" listen="lmtp" prefork=0                                               |
|  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0                           |
|                                                                                          |
|  # this is only necessary if using notifications                                         |
|#  notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1            |
|}                                                                                         |
|                                                                                          |
|EVENTS {                                                                                  |
|  # this is required                                                                      |
|  checkpoint cmd="ctl_cyrusdb -c" period=30                                               |
|                                                                                          |
|  # this is only necessary if using duplicate delivery suppression                        |
|  delprune cmd="ctl_deliver -E 3" period=1440                                             |
|                                                                                          |
|  # this is only necessary if caching TLS sessions                                        |
|  tlsprune cmd="tls_prune" period=1440                                                    |
|}                                                                                         |
+------------------------------------------------------------------------------------------+

A few things are worth checking in this file. The imaps and pop3s entries
must carry the -s switch so that imapd and pop3d start TLS immediately on
the port; without it the daemon would speak plaintext IMAP on port 993. Every
quoted cmd= and listen= value must be closed, or master will refuse to start.
The entries whose name ends in »local« are bound to 127.0.0.1 and use the
separate /etc/imapd-local.conf for connections from the local host, which is
where web-cyradm connects. In this example pop3 and pop3s listen on every
address while imap and sieve are bound to 192.168.0.1 only; if you want the
same exposure for all services, give them the same listen address.

Tip  Please check your system's IP address
     In the example above the IP 192.168.0.1 is to be replaced with your
     system's external IP address.

-----------------------------------------------------------------------------

7.2. Creating the directories

Several directories must be created. Additionally you should change some
attributes of the filesystem.

-----------------------------------------------------------------------------

7.2.1. /var/imap

+---------------------------------------------------------------------------+
|cd /var                                                                    |
|mkdir imap                                                                 |
|chown cyrus:mail imap                                                      |
|chmod 750 imap                                                             |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

7.2.2. /var/spool/imap

+---------------------------------------------------------------------------+
|cd /var/spool                                                              |
|mkdir imap                                                                 |
|chown cyrus:mail imap                                                      |
|chmod 750 imap                                                             |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

7.2.3. /usr/sieve

+---------------------------------------------------------------------------+
|cd /usr                                                                    |
|mkdir sieve                                                                |
|chown cyrus:mail sieve                                                     |
|chmod 750 sieve                                                            |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

7.2.4. The rest of the directories

The rest of the directories can be created with the tool mkimap, run as the
cyrus user:

+---------------------------------------------------------------------------+
|su - cyrus                                                                 |
|/usr/local/cyrus-imapd-2.1.12/tools/mkimap                                 |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

7.3. Changing the filesystem attributes

When using the ext2 filesystem, you must set an attribute that makes all
changes to the Cyrus databases and the mail spool get committed to disk
immediately (synchronous updates), otherwise a crash can leave the mailbox
databases inconsistent. With today's journaling filesystems there is no need
for this. If you are still running ext2, I strongly suggest switching to
ext3; ext2 and ext3 are fully compatible with each other.

To check which type of filesystem is used for /var, issue the command mount
or look at /etc/fstab. Please note that /var could also be part of the root
or of another filesystem.

+---------------------------------------------------------------------------+
|cd /var/imap                                                               |
|                                                                           |
|chattr +S user quota user/* quota/*                                        |
|chattr +S /var/spool/imap /var/spool/imap/*                                |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

8. Configuring Web-cyradm

First copy the distribution's configuration file and create the logfile. The
logfile must be owned by the user that runs the webserver, usually »nobody«
or »wwwrun«.

+---------------------------------------------------------------------------+
|cd /usr/local/apache/htdocs/web-cyradm/config                              |
|                                                                           |
|cp conf.php.dist conf.php                                                  |
|                                                                           |
|touch /var/log/web-cyradm-login.log                                        |
|chown nobody /var/log/web-cyradm-login.log                                 |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

8.1. Cyrus setup

+---------------------------------------------------------------------------+
|#The Cyrus login stuff                                                     |
|$CYRUS = array(                                                            |
|    'HOST' => 'localhost',                                                 |
|    'PORT' => 143,                                                         |
|    'ADMIN' => 'cyrus',                                                    |
|    'PASS' => 'secret'                                                     |
|);                                                                         |
+---------------------------------------------------------------------------+

This should be self-explanatory. Please note that there is no support for
SSL connections at the moment: web-cyradm talks to the Cyrus admin account
in the clear. On a single host that traffic stays on the loopback interface;
this is especially important for users who would like to run web-cyradm on
a different server from the one running cyrus-imapd, because the admin
credentials would then cross the network unencrypted. Since this file holds
the Cyrus admin password, make it readable by the webserver user only.

-----------------------------------------------------------------------------

8.2. Database setup

Since version 0.5.2 web-cyradm uses PEAR as a database abstraction layer.
This adds more flexibility. MySQL and PostgreSQL are currently supported.
Please note that a patch is required for PostgreSQL because Postfix does not
support PostgreSQL natively. I strongly suggest that you use MySQL. I know
MySQL has some restrictions on transactions and the like, but it is
supported by the distributed Postfix code.

The entries should be self-explanatory. The database user should be granted
only the privileges web-cyradm needs on the »mail« database, and the unix
socket keeps the database traffic off the network when MySQL runs on the
same host.

+---------------------------------------------------------------------------+
|$DB = array(                                                               |
|    'TYPE' => 'mysql',                                                     |
|    'USER' => 'mail',                                                      |
|    'PASS' => 'secret',                                                    |
|    'PROTO' => 'unix', // set to "tcp" for TCP/IP                          |
|    'HOST' => 'localhost',                                                 |
|    'NAME' => 'mail'                                                       |
|);                                                                         |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

8.3. Default Quota

The default quota is set in the variable DEFAULT_QUOTA=20000 and is used
when creating a new domain.

-----------------------------------------------------------------------------

8.4. Crypted passwords

Web-cyradm supports the storage of hashed passwords. I strongly suggest
that you use them. Three methods are supported at the moment: Unix-compatible
crypt, md5 and MySQL's built-in password hashing. The Unix-compatible crypt
format allows you to import existing hashes from /etc/shadow. This is the
preferred option.

Unfortunately MySQL uses a proprietary hashing method that is only available
when using MySQL. I'm currently thinking about dropping support for the MySQL
method, because it only works with MySQL and makes a migration to another
database impossible. As soon as there is a way to reproduce the MySQL hash
in PHP there will be a solution (help needed in programming; legal
constraints?).

Check the variable $CRYPT in the file config.inc.php. The value »plain«
means no hashing at all (cleartext passwords in the database), »crypt«
means shadow-compatible crypt, »mysql« means MySQL's built-in hashing.

Caution  Choose the hashing method carefully
         Since the supported methods are all one-way hashes, there is NO WAY
         to migrate from one to another: the cleartext password cannot be
         recovered from the stored value, so every user would have to set a
         new password. Note also that this is a global setting; it is used
         for all passwords, including those of the admin users. I STRONGLY
         suggest the use of Unix shadow-compatible crypt, because it makes
         you independent of any software vendor.

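What the »crypt« setting stores, why it cannot be converted into another format, and how an /etc/shadow entry is imported, as an added example that is not web-cyradm code. It uses openssl passwd, which produces the same crypt(3) hashes as the C library ($1$ md5crypt, $5$ and $6$ SHA-crypt), and the password is passed on stdin rather than on the command line so it does not show up in the process list. OpenSSL 1.1.1 or newer is assumed; the shadow line is constructed for the example.

```shell
#!/bin/sh
# Added example (not web-cyradm code): crypt(3) hashes as stored by the
# »crypt« setting. Assumes openssl 1.1.1+; the shadow line is constructed.

# Hash a password the way /etc/shadow does. algo is 1 (md5crypt, what a
# shadow file of the HOWTO's era contains), 5 or 6 (SHA-crypt); an empty
# salt lets openssl pick a random one, which is what a new account gets.
crypt_hash() {
    pw="$1"; algo="${2:-1}"; salt="$3"
    if [ -n "$salt" ]; then
        printf '%s\n' "$pw" | openssl passwd "-$algo" -salt "$salt" -stdin
    else
        printf '%s\n' "$pw" | openssl passwd "-$algo" -stdin
    fi
}

# Verify a password against a stored hash: re-hash with the salt embedded in
# the stored value and compare. This is all a login can ever do, and it is
# why hashes cannot be migrated to another format without the cleartext.
# Prints "match" or "mismatch".
crypt_verify() {
    stored="$1"; pw="$2"
    case "$stored" in
        '$1$'*|'$5$'*|'$6$'*) ;;
        *) echo mismatch; return 1 ;;   # cleartext or MySQL-style value
    esac
    algo=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$pw" | openssl passwd "-$algo" -salt "$salt" -stdin)
    if [ "$candidate" = "$stored" ]; then echo match; else echo mismatch; fi
}

# Pull one user's hash out of an /etc/shadow line; that value goes straight
# into the password column when importing existing accounts.
shadow_hash() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2 }'
}

# Constructed sample shadow line: user "hans", password "secret", md5crypt
# with a fixed salt so the result is reproducible.
sample_shadow_line() {
    h=$(crypt_hash secret 1 abcdefgh)
    printf 'hans:%s:12345:0:99999:7:::\n' "$h"
}
```

The practical consequence for web-cyradm: switching $CRYPT on a populated database does not convert anything, it only changes how new values are written and how logins are checked, so every existing hash stops matching. The only clean migration path is the one in crypt_verify: check the old hash at login time, and, while the cleartext is in hand, write it back in the new format.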
-----------------------------------------------------------------------------

8.5. Usernames

There are two username schemes, selected with the variable »DOMAIN_AS_PREFIX«.
The default ($DOMAIN_AS_PREFIX=0) uses a defined prefix per domain, e.g.
»test« for the domain »example.com«. With this scheme the first user gets the
username test0001, the second test0002, and so on.

The other scheme gives usernames like »hans.mueller.example.com«. For that
case set $DOMAIN_AS_PREFIX=1.

At the moment you cannot mix both schemes, so evaluate carefully which one
matches your needs best.

If you choose $DOMAIN_AS_PREFIX=1, be sure to uncomment the option
unixhierarchysep: yes as described in Section 7.1.2.

-----------------------------------------------------------------------------

9. Testing the setup

-----------------------------------------------------------------------------

9.1. (Re-)Starting the daemons

Now all the software has been installed and configured. Let's do some
testing. First you have to (re-)start all the daemons affected:

  * postfix start

  * /etc/init.d/cyrus start

  * /etc/init.d/mysql.server start

  * /usr/local/apache/bin/apachectl startssl

Hopefully all daemons started without any complaints. Note that this assumes
saslauthd is started by the cyrus startup script.

Now you can verify that the daemons are listening by issuing netstat -an |
grep LISTEN. The output should look similar to this:

+---------------------------------------------------------------------------+
|bond:~ # netstat -an|grep LISTEN                                           |
|tcp        0      0 0.0.0.0:993       0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:995       0.0.0.0:*         LISTEN             |
|tcp        0      0 127.0.0.1:3306    0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:110       0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:143       0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:2000      0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:25        0.0.0.0:*         LISTEN             |
|tcp        0      0 0.0.0.0:443       0.0.0.0:*         LISTEN             |
+---------------------------------------------------------------------------+

The ports are assigned like this:

  * 993 imap-ssl

  * 995 pop3-ssl

  * 3306 mysql

  * 110 pop3

  * 143 imap

  * 2000 sieve (the port this HOWTO assigns in /etc/services; the IANA
    registered port for ManageSieve is 4190)

  * 80 http

  * 25 smtp

  * 443 https

Two details of this listing matter for security. MySQL (3306) is bound to
127.0.0.1 only, which is what you want: it holds all account data and must
not be reachable from the network. The IMAP, POP3 and sieve services are
shown on 0.0.0.0 here; with the cyrus.conf from Section 7.1.5 you would see
them on 192.168.0.1 and 127.0.0.1 instead. Anything listening that you do not
recognise deserves a second look before the server goes online.

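A scripted version of that second look, as an added example that is not part of the HOWTO: it reads netstat -an output, keeps the listening TCP sockets, and compares them with the ports this setup is supposed to expose. The public list is the one above; the local-only list is MySQL plus the amavisd-new ports 10024/10025 from Section 11.5, which must never be reachable from outside. The netstat sample at the end is constructed and deliberately contains two mistakes.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check LISTEN sockets against the
# baseline of this setup. Port lists are assumptions taken from the text.

PUBLIC_PORTS="25 80 110 143 443 993 995 2000"   # may listen on any address
LOCAL_PORTS="3306 10024 10025"                  # loopback only

# Extract "address:port" of every listening TCP socket from netstat -an
# output on stdin (the 4th column is the local address, tcp and tcp6).
listening() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }'
}

# One line per finding; no output means the baseline is met.
audit_listeners() {
    while IFS= read -r sock; do
        port=${sock##*:}
        addr=${sock%:*}
        case " $LOCAL_PORTS " in
            *" $port "*)
                if [ "$addr" != 127.0.0.1 ] && [ "$addr" != ::1 ]; then
                    echo "EXPOSED $sock should bind 127.0.0.1"
                fi
                continue ;;
        esac
        case " $PUBLIC_PORTS " in
            *" $port "*) ;;
            *) echo "UNEXPECTED $sock not part of this setup" ;;
        esac
    done
}

# Constructed netstat -an output: MySQL bound correctly, amavisd's listener
# mistakenly on all interfaces, and an unknown service on 8080.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10024           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:25          192.168.0.77:4711       ESTABLISHED'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening | audit_listeners
}
```

On a live system run `netstat -an | listening | audit_listeners`; on a host that has ss instead of netstat, `ss -ltn | awk 'NR>1 {print $4}' | audit_listeners` feeds the same column. An empty result is the goal; add a port to one of the two lists only after you know which daemon owns it.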
-----------------------------------------------------------------------------

9.2. Testing Web-cyradm

Now you should be able to connect to [http://localhost/web-cyradm/] http://
localhost/web-cyradm/ and log in with the credentials defined before.

Define a domain name and some accounts. Be sure the domain name belongs to
your server. If not, you have to fake it by entering the domain in
/etc/hosts. The domain must also be defined as local in
/etc/postfix/main.cf (mydestination = domain).

Please be sure to provide a unique domain prefix when adding a new domain,
e.g. test for the domain test.org. If you don't provide such a prefix you
will get an error message.

-----------------------------------------------------------------------------

9.3. Testing postfix

Now we are going to write a mail by hand, talking SMTP to Postfix:

+---------------------------------------------------------------------------+
|telnet localhost 25                                                        |
|Trying ::1...                                                              |
|Trying 127.0.0.1...                                                        |
|Connected to localhost.                                                    |
|Escape character is '^]'.                                                  |
|220 mail ESMTP Postfix                                                     |
|                                                                           |
|helo localhost                                                             |
|250 mail                                                                   |
|mail from: testing@example.com                                             |
|250 Ok                                                                     |
|rcpt to: tester@localhost                                                  |
|250 Ok                                                                     |
|                                                                           |
|data                                                                       |
|354 End data with <CR><LF>.<CR><LF>                                        |
|some text                                                                  |
|.                                                                          |
|250 Ok: queued as B58E141D33                                               |
|                                                                           |
|quit                                                                       |
+---------------------------------------------------------------------------+

If you see such a message, everything seems to work fine. Be sure to use a
recipient address you previously defined in the web-cyradm database.

Note that this test connects from localhost, which Postfix trusts. It proves
that recipient lookup and local delivery work; it says nothing about whether
relaying for outsiders is refused. Repeat the session from another host with
a recipient in a foreign domain and expect the rcpt to command to be rejected
with »Relay access denied«.

If you get an error like this:

+---------------------------------------------------------------------------+
|rcpt to: tester@localhost                                                  |
|451 <tester@localhost>: Temporary lookup failure                           |
+---------------------------------------------------------------------------+

then either MySQL is not running, the database permissions are not set
properly, or /etc/postfix/main.cf is misconfigured.

On any error, I suggest examining /var/log/mail. Often you will find a hint
about what went wrong.

-----------------------------------------------------------------------------

9.4. Testing the IMAP functionality

A lot of users like to test cyrus-imapd with the command line interface
(CLI) »cyradm« and fail. To be successful with cyradm in this setup, you need
to add the cyrus user to /etc/sasldb2, because »cyradm« authenticates against
SASL AND IMAP.

To add the Cyrus user to the sasldb use the command:

+---------------------------------------------------------------------------+
|saslpasswd2 -c cyrus                                                       |
|Password: (enter your passwd)                                              |
|Again (for verification): (enter your password)                            |
+---------------------------------------------------------------------------+

When using the »cyradm« CLI, be aware that the tool does not recognise
standard CLI options like -u and similar. Please follow the syntax described
in the man page »cyradm 1«, like in the following example:

+---------------------------------------------------------------------------+
|bond:~ # cyradm --user cyrus --server localhost --auth plain               |
|Password:       # the password set with saslpasswd2                        |
|IMAP Password:  # the password stored in the MySQL table »accountusers«    |
|localhost>                                                                 |
+---------------------------------------------------------------------------+

Authenticating with PLAIN sends the password unencrypted. That is acceptable
on localhost as shown here, but not across the network without TLS.

With the cyradm command help you will see all available commands and their
abbreviations.

For a test with a real client you just need a mail client like KMail or
Netscape (yes, of course, Microsoft products work as well); in this example
I'm using KMail.

Figure 3. Creating a new account

[imap-account]

If you enabled TLS/SSL, you may also wish to test the following:

Figure 4. Testing TLS/SSL functionality

[imap-tls]

If login fails, and you are sure you typed the right password, check that
MySQL is running.

-----------------------------------------------------------------------------

10. Fighting against Viruses and SPAM

This chapter is optional and describes how to fight viruses and SPAM.

-----------------------------------------------------------------------------

10.1. Brief introduction to viruses

I think I do not need to explain how dangerous viruses are. Unfortunately, in
the most recent attacks by SCO.A (aka MyDoom) even more or less experienced
users got tricked by the virus. Most of today's viruses and worms come via
the internet, most of them via e-mail. Needless to say, viruses should be
caught by the SMTP system if possible.

Caution  Not a substitute
         A mail system that filters viruses is NEVER a substitute for locally
         installed anti-virus software. E-mail is only one way for viruses to
         penetrate computers.

-----------------------------------------------------------------------------

10.2. Brief introduction to SPAM

The other kind, harmless but unwanted and disturbing, is SPAM e-mail. SPAM
is originally a disgusting canned meat. In e-mail it is a synonym for UCE
(Unsolicited Commercial Email) and UBE (Unsolicited Bulk Email).

Studies claim that up to 60 percent of the worldwide e-mail traffic is SPAM.
Before I installed the anti-SPAM filters on my SMTP servers, I received about
150 SPAMs a day. One reason is this document: in ancient times I left my real
e-mail address in it unprotected. E-mail harvesters scan websites all over
the world for addresses and try to deliver their commercial, often illegal
offers.

-----------------------------------------------------------------------------

10.3. Strategy against viruses

The strategy against viruses is straightforward: filter viruses delivered via
e-mail and have locally installed anti-virus software.

Almost all vendors of anti-virus software have an up-to-date version for
Linux and Unix systems, because most SMTP servers run on Unix. In this
document I'll explain how to implement [http://www.clamav.net] clamav, a
very active open source anti-virus project.

-----------------------------------------------------------------------------

10.4. Strategy against SPAM

Fighting SPAM is much more difficult than fighting viruses. Why? Because a
virus can be recognised by a signature, whereas SPAM can contain arbitrary
content. Some of the SPAM is in English, some is Korean, some is in
»you-name-it-language«.

The best method to prevent SPAM is to treat your e-mail address as your best
kept secret. NEVER put your address into a web form or on your website. I
know that is against the idea of the internet: information must be free. You
can keep publishing your e-mail address if you implement the configuration
further below.

In the early days of SPAM, filtering for keywords like »viagra« was enough.
Today's SPAM techniques are much more sophisticated. It is a war between
users and spammers, and the answer to sophisticated SPAM is even more
sophisticated anti-spam software. Today's anti-spam software checks e-mail
for more than just keywords: it looks at specific mail header data, it uses
[http://en.wikipedia.org/wiki/Epistemic_probability] Bayesian filters, which
learn from the mail they are fed, and distributed checksum networks, among
other techniques.

-----------------------------------------------------------------------------

11. The software needed against viruses and SPAM

This chapter describes how to install and handle the software against
viruses and SPAM.

-----------------------------------------------------------------------------

11.1. Getting and installing ClamAV

11.1.1. Download

Origin-Site: [http://prdownloads.sourceforge.net/clamav/clamav-0.68.tar.gz]
http://prdownloads.sourceforge.net/clamav/clamav-0.68.tar.gz

-----------------------------------------------------------------------------

11.1.2. Building and installing

+---------------------------------------------------------------------------+
|# Adding a group for the clamav user                                       |
|groupadd clamav                                                            |
|                                                                           |
|# Adding the clamav user to your system                                    |
|useradd -g clamav -c "clamav user" clamav                                  |
|                                                                           |
|cd /usr/local                                                              |
|                                                                           |
|tar -xvzf clamav-0.68.tar.gz                                               |
|cd clamav-0.68                                                             |
|                                                                           |
|./configure                                                                |
|                                                                           |
|make && make install                                                       |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

11.1.3. Testing and configuring

To test the functionality of clamav, run clamscan over the test patterns
included in the clamav distribution: clamscan -r -i /usr/local/clamav-0.68

The output should look like this:

+------------------------------------------------------------------------------------------+
|/usr/local/clamav-0.68/test/test1: ClamAV-Test-Signature FOUND                            |
|/usr/local/clamav-0.68/test/test1.bz2: ClamAV-Test-Signature FOUND                        |
|/usr/local/clamav-0.68/test/test2.zip: ClamAV-Test-Signature FOUND                        |
|/usr/local/clamav-0.68/test/test2.badext: ClamAV-Test-Signature FOUND                     |
|/usr/local/clamav-0.68/contrib/clamdwatch/clamdwatch.tar.gz: Eicar-Test-Signature FOUND   |
|                                                                                          |
|----------- SCAN SUMMARY -----------                                                      |
|Known viruses: 20482                                                                      |
|Scanned directories: 47                                                                   |
|Scanned files: 406                                                                        |
|Infected files: 5                                                                         |
|Data scanned: 5.48 MB                                                                     |
|I/O buffer size: 131072 bytes                                                             |
|Time: 2.706 sec (0 m 2 s)                                                                 |
+------------------------------------------------------------------------------------------+

The next step is to set up the automated update of the virus database. This
is an important step, because viruses spread fast and a scanner with stale
signatures catches nothing new.

Create the needed logfile:

+---------------------------------------------------------------------------+
|touch /var/log/clam-update.log                                             |
|chmod 600 /var/log/clam-update.log                                         |
|chown clamav /var/log/clam-update.log                                      |
+---------------------------------------------------------------------------+

I suggest updating the signatures with an hourly cronjob. To edit the
crontab issue crontab -e and add the following line, replacing »x« with a
random value between 1 and 59. This is a kind of time-based load balancing
that lets more people fetch the update. Make sure the line does not start
with a »#«, since crontab would then treat it as a comment and never run it.

+---------------------------------------------------------------------------+
|x * * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log     |
+---------------------------------------------------------------------------+

To test that the update process is working, issue the command
/usr/local/bin/freshclam -l /var/log/clam-update.log and have a look at the
output. It should look similar to this:

+------------------------------------------------------------------------------------------+
|ClamAV update process started at Tue Mar 23 19:58:11 2004                                 |
|Reading CVD header (main.cvd): OK                                                         |
|Downloading main.cvd [*]                                                                  |
|main.cvd updated (version: 21, sigs: 20094, f-level: 1, builder: tkojm)                   |
|Reading CVD header (daily.cvd): OK                                                        |
|Downloading daily.cvd [*]                                                                 |
|daily.cvd updated (version: 210, sigs: 596, f-level: 1, builder: acab)                    |
|Database updated (20690 signatures) from database.clamav.net (64.74.124.90).              |
+------------------------------------------------------------------------------------------+

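Two checks worth keeping around after this step, as an added example that is not part of the HOWTO or of ClamAV: eicar_test writes the standard EICAR test string, which every scanner must detect, and confirms that clamscan flags it; signatures_stale reports when the freshclam logfile set up above has not been written for more than a day, which is the symptom of a cron job that silently stopped. The logfile path is the one from this section; everything else is passed in.

```shell
#!/bin/sh
# Added example (not from the HOWTO or ClamAV). Assumed: clamscan is in PATH
# and the freshclam log is /var/log/clam-update.log as set up above.

# The 68-byte EICAR string: public, harmless, detected by every scanner.
# Single quotes keep the backslash and the dollar signs literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test file into $1 (default /tmp), scan it, clean up. Returns 0
# when clamscan flags the file; clamscan itself exits 1 on a detection and
# 0 on a clean file, so a 0 from clamscan here is the failure case.
eicar_test() {
    dir="${1:-/tmp}"
    printf '%s' "$EICAR" > "$dir/eicar.com" || return 1
    clamscan --no-summary "$dir/eicar.com" >/dev/null 2>&1
    rc=$?
    rm -f "$dir/eicar.com"
    [ "$rc" -eq 1 ]
}

# Prints "fresh" if the log was written within the last $2 days (default 1),
# "stale" if it is older, "missing" if freshclam never created it. Intended
# for a daily cron job that mails you on anything but "fresh".
signatures_stale() {
    log="${1:-/var/log/clam-update.log}"
    days="${2:-1}"
    [ -f "$log" ] || { echo missing; return 1; }
    # find -mtime +N matches files older than N full days, so "older than
    # one day" is +0.
    if [ -n "$(find "$log" -mtime +"$((days - 1))" -print)" ]; then
        echo stale
        return 1
    fi
    echo fresh
}
```

Run `eicar_test` once after the installation and again after every ClamAV upgrade; run `signatures_stale` from cron. A scanner that no longer receives signatures fails open, which looks exactly like a quiet day until the first missed worm.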
-----------------------------------------------------------------------------

11.2. Razor

Razor is one of the prerequisites of spamassassin.

-----------------------------------------------------------------------------

11.2.1. Download

Origin-Site: [http://prdownloads.sourceforge.net/razor/
razor-agents-sdk-2.03.tar.gz?download] http://prdownloads.sourceforge.net/
razor/razor-agents-sdk-2.03.tar.gz?download

Origin-Site: [http://prdownloads.sourceforge.net/razor/
razor-agents-2.40.tar.gz?download] http://prdownloads.sourceforge.net/razor/
razor-agents-2.40.tar.gz?download

+---------------------------------------------------------------------------+
|cd /usr/local                                                              |
|                                                                           |
|tar -xvzf razor-agents-sdk-2.03.tar.gz                                     |
|cd razor-agents-sdk-2.03                                                   |
|                                                                           |
|perl Makefile.PL                                                           |
|make && make install                                                       |
|                                                                           |
|cd /usr/local                                                              |
|tar -xvzf razor-agents-2.40.tar.gz                                         |
|cd razor-agents-2.40/                                                      |
|                                                                           |
|perl Makefile.PL                                                           |
|make && make install                                                       |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

11.2.2. Registering and setting up

In order to use razor2 you need to register yourself as a user.

Choose a unique username and password and issue razor-admin -register -user=
some_user -pass=somepass. Be aware that a password given on the command line
ends up in your shell history and is visible to every user on the system in
the process list while the command runs.

-----------------------------------------------------------------------------

11.3. Getting and installing spamassassin

Spamassassin is today's leading open source project to fight SPAM. To
describe how spamassassin works would be too much for this document. For
further information please consult [http://eu.spamassassin.org/doc.html]
http://eu.spamassassin.org/doc.html

-----------------------------------------------------------------------------

11.3.1. Download

Origin-Site: [http://eu.spamassassin.org/released/
Mail-SpamAssassin-2.63.tar.gz] http://eu.spamassassin.org/released/
Mail-SpamAssassin-2.63.tar.gz

-----------------------------------------------------------------------------

11.3.2. Prerequisites

Spamassassin depends on a lot of prerequisites. The easiest way to get them
is the CPAN repository. Issue the command perl -MCPAN -e shell and answer
all questions as needed.

-----------------------------------------------------------------------------

11.3.3. Building and installing

+---------------------------------------------------------------------------+
|cd /usr/local                                                              |
|                                                                           |
|tar -xvzf Mail-SpamAssassin-2.63.tar.gz                                    |
|                                                                           |
|cd Mail-SpamAssassin-2.63                                                  |
|                                                                           |
|perl Makefile.PL                                                           |
|                                                                           |
|# You get prompted to run the Razor tests; answer "y"                      |
|Run Razor v2 tests (these may fail due to network problems)? (y/n) [n] y   |
|                                                                           |
|make && make install                                                       |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

11.4. Getting and installing amavisd-new

Amavisd-new is the software that glues all the software described above to
postfix.

-----------------------------------------------------------------------------

11.4.1. Download

Origin-Site: [http://www.ijs.si/software/amavisd/
amavisd-new-20030616-p8.tar.gz] http://www.ijs.si/software/amavisd/
amavisd-new-20030616-p8.tar.gz

-----------------------------------------------------------------------------

11.4.2. Prerequisites

Amavisd-new needs a lot of prerequisites.

Run perl -MCPAN -e shell and issue:

+---------------------------------------------------------------------------+
|install ExtUtils::MakeMaker                                                |
|install HTML::Parser                                                       |
|install DB_File                                                            |
|install Digest::SHA1                                                       |
|install Archive::Tar                                                       |
|install Archive::Zip                                                       |
|install Compress::Zlib                                                     |
|install Convert::TNEF                                                      |
|install Convert::UUlib                                                     |
|install MIME::Base64                                                       |
|install MIME::Parser                                                       |
|install Mail::Internet                                                     |
|install Mail::SPF::Query                                                   |
|install Net::Server                                                        |
|install Net::SMTP                                                          |
|install Net::DNS                                                           |
|install Digest::MD5                                                        |
|install IO::Stringy                                                        |
|install Time::HiRes                                                        |
|install Unix::Syslog                                                       |
+---------------------------------------------------------------------------+

At the end run ./amavisd from the unpacked distribution and look at its
output for prerequisites you overlooked.

Edit amavisd.conf (installed as /etc/amavisd.conf in the next section) and
set the variables $daemon_user and $daemon_group to »amavis«. Another
variable to change is $mydomain, which must match your domain.

Please also consider changing the default actions for virus and spam mails,
to avoid a notification for every intercepted mail:

+---------------------------------------------------------------------------+
|$final_virus_destiny = D_DISCARD;   # (defaults to D_BOUNCE)               |
|$final_spam_destiny = D_DISCARD;    # (defaults to D_REJECT)               |
+---------------------------------------------------------------------------+

Discarding means the sender gets no notice and the mail is gone, so a
false positive disappears silently. Virus mails still end up in the
quarantine directory created below, where they can be recovered; for spam
there is no such copy, so until you trust your scores you may prefer to tag
and pass it (D_PASS) rather than discard it.

In the beginning of SPAM filtering I recommend setting the kill level to
something higher until you have tuned the filters: change the variable
$sa_kill_level_deflt to 8 or even higher.

-----------------------------------------------------------------------------

11.4.3. Building and installing

+---------------------------------------------------------------------------+
|cd /usr/local                                                              |
|                                                                           |
|tar -xvzf amavisd-new-20030616-p8.tar.gz                                   |
|                                                                           |
|cd amavisd-new-20030616                                                    |
|cp amavisd /usr/local/sbin                                                 |
|cp amavisd.conf /etc                                                       |
|chown root /etc/amavisd.conf                                               |
|chmod 644 /etc/amavisd.conf                                                |
+---------------------------------------------------------------------------+

Now it is time to define a group and a user for amavisd-new:

+---------------------------------------------------------------------------+
|groupadd amavis                                                            |
|useradd -g amavis -c "Amavisd-new user" amavis                             |
+---------------------------------------------------------------------------+

Next you have to create the directory for the quarantined mail and the
working directory of the daemon, both accessible to the amavis user only:

+---------------------------------------------------------------------------+
|mkdir /var/virusmails                                                      |
|chown amavis:amavis /var/virusmails                                        |
|chmod 750 /var/virusmails                                                  |
|mkdir /var/amavis                                                          |
|chown amavis:amavis /var/amavis                                            |
|chmod 750 /var/amavis                                                      |
+---------------------------------------------------------------------------+

The original init script in the amavisd-new distribution only works with
Red Hat. Other distributions need to install my quick and dirty init script:

+---------------------------------------------------------------------------+
|#!/bin/bash                                                                |
|#                                                                          |
|# Amavisd-new startup script                                               |
|                                                                           |
|case "$1" in                                                               |
|  start)                                                                   |
|    # Starting amavisd                                                     |
|    /usr/local/sbin/amavisd                                                |
|    ;;                                                                     |
|                                                                           |
|  stop)                                                                    |
|    # follows later                                                        |
|    ;;                                                                     |
|                                                                           |
|  *)                                                                       |
|    echo "Usage: $0 {start|stop}"                                          |
|    exit 1                                                                 |
|    ;;                                                                     |
|                                                                           |
|esac                                                                       |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------
|
||
|
||
11.5. Setting up postfix
|
||
|
||
Postfix needs to be configured to send each mail to amavis-new in order to
|
||
get sanitized.
|
||
|
||
You need to add the following line to /etc/postfix/main.cf
|
||
+---------------------------------------------------------------------------+
|
||
|content_filter = smtp-amavis:127.0.0.1:10024 |
|
||
+---------------------------------------------------------------------------+
|
||
|
||
The /etc/postfix/master.cf needs also some adjustments to return the results
|
||
from amavisd-new to the mailingsystem.
|
||
|
||
Please add the following lines to your configuration:
|
||
+---------------------------------------------------------------------------+
|smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200             |
|                                                                           |
|127.0.0.1:10025 inet n - n - - smtpd                                       |
|    -o content_filter=                                                     |
|    -o local_recipient_maps=                                               |
|    -o relay_recipient_maps=                                               |
|    -o smtpd_restriction_classes=                                          |
|    -o smtpd_client_restrictions=                                          |
|    -o smtpd_helo_restrictions=                                            |
|    -o smtpd_sender_restrictions=                                          |
|    -o smtpd_recipient_restrictions=permit_mynetworks,reject               |
|    -o mynetworks=127.0.0.0/8                                              |
|    -o strict_rfc821_envelopes=yes                                         |
|    -o smtpd_error_sleep_time=0                                            |
|    -o smtpd_soft_error_limit=1001                                         |
|    -o smtpd_hard_error_limit=1000                                         |
+---------------------------------------------------------------------------+

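The two classic mistakes with this master.cf fragment are leaving
content_filter set on the 127.0.0.1:10025 listener (every mail that comes
back from amavisd-new is fed into the filter again, a mail loop) and not
restricting who may talk to that listener (it bypasses all the normal smtpd
checks, so with a wider mynetworks it would relay for anyone who can reach
the port). The following shell script, an added example that is not part of
the HOWTO, parses a master.cf file the way Postfix reads it (indented lines
continue the previous entry) and checks exactly those overrides. The two
sample files it writes are constructed for the demonstration: one is the
fragment above, the other a broken variant.

```sh
#!/bin/sh
# Added example: check that the amavisd-new re-injection listener in master.cf
# can neither loop mail back into the filter nor relay for outsiders.
# master_entries FILE: one entry per line. Postfix treats lines that start with
# whitespace as continuations, so the "-o" overrides belong to the 10025 entry.
master_entries() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[ \t]/   { buf = buf " " $0; next }
                   { if (buf != "") print buf; buf = $0 }
        END        { if (buf != "") print buf }
    ' "$1"
}
# listener_options FILE SERVICE: the key=value overrides given with "-o" on
# the entry for SERVICE, one per line.
listener_options() {
    master_entries "$1" | awk -v svc="$2" '
        $1 == svc { for (i = 2; i < NF; i++) if ($i == "-o") print $(i + 1) }'
}
# option_value FILE SERVICE KEY: the value set for KEY (empty for "KEY=");
# fails when the entry does not override KEY at all.
option_value() {
    listener_options "$1" "$2" | awk -F= -v key="$3" '
        $1 == key { found = 1; sub(/^[^=]*=/, ""); print; exit }
        END       { exit(found ? 0 : 1) }'
}
# check_reinjection FILE: one line per problem; exit 0 when the listener
# looks like the fragment in the HOWTO.
check_reinjection() {
    svc=127.0.0.1:10025
    rc=0
    if ! master_entries "$1" | awk -v s="$svc" \
            '$1 == s && $2 == "inet" { ok = 1 } END { exit(ok ? 0 : 1) }'; then
        echo "no inet listener $svc: amavisd-new has nowhere to hand mail back"
        return 1
    fi
    # Without "-o content_filter=" mail coming back from amavisd-new is
    # filtered again: a mail loop.
    v=$(option_value "$1" "$svc" content_filter) || v=MISSING
    if [ "$v" != "" ]; then
        echo "mail loop: $svc needs '-o content_filter=' (found: $v)"
        rc=1
    fi
    # The listener bypasses the normal smtpd checks, so only localhost may use it.
    v=$(option_value "$1" "$svc" smtpd_recipient_restrictions) || v=MISSING
    if [ "$v" != "permit_mynetworks,reject" ]; then
        echo "$svc needs smtpd_recipient_restrictions=permit_mynetworks,reject (found: $v)"
        rc=1
    fi
    v=$(option_value "$1" "$svc" mynetworks) || v=MISSING
    if [ "$v" != "127.0.0.0/8" ]; then
        echo "open relay risk: $svc needs mynetworks=127.0.0.0/8 (found: $v)"
        rc=1
    fi
    return $rc
}
# Constructed samples in a temporary directory: the HOWTO's fragment, and a
# broken variant that forgot to clear content_filter and widened mynetworks.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CF=$SAMPLE_DIR/good-master.cf
BAD_CF=$SAMPLE_DIR/bad-master.cf
cat > "$GOOD_CF" <<'EOF'
smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
EOF
cat > "$BAD_CF" <<'EOF'
smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200

127.0.0.1:10025 inet n - n - - smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=0.0.0.0/0
EOF
for f in "$GOOD_CF" "$BAD_CF"; do
    if check_reinjection "$f"; then echo "$f: ok"; fi
done
```

To check your own installation, call check_reinjection /etc/postfix/master.cf
after reloading Postfix; the sample section at the end is only there so the
script can be run on its own.
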
-----------------------------------------------------------------------------

12. Further Information

Here you will find some other resources available on the Internet.

-----------------------------------------------------------------------------

12.1. News groups

Some of the most interesting news groups are:

  * [news:alt.comp.mail.postfix] alt.comp.mail.postfix

    This is a low-traffic group.

  * [news:comp.mail.imap] comp.mail.imap

You may also want to check out your country's newsgroups, e.g.
ch.comp.os.linux

Most newsgroups have their own FAQ that is designed to answer most of your
questions, as the name Frequently Asked Questions indicates. Fresh versions
should be posted regularly to the relevant newsgroups. If you cannot find it
in your news spool you can go directly to the [ftp://rtfm.mit.edu/] FAQ main
archive FTP site. The WWW versions can be browsed at the FAQ main archive WWW
site.

-----------------------------------------------------------------------------

12.2. Mailing Lists

-----------------------------------------------------------------------------

12.2.1. <postfix-users at postfix.org>

Send a mail to <majordomo at postfix.org> with the following content (not
subject):

+---------------------------------------------------------------------------+
|subscribe postfix-users                                                    |
+---------------------------------------------------------------------------+

Before writing to the list, check out the archive:
[http://www.deja.com/group/mailing.postfix.users]
http://www.deja.com/group/mailing.postfix.users

-----------------------------------------------------------------------------

12.2.2. <info-cyrus at lists.andrew.cmu.edu>

Send a mail to <majordomo at lists.andrew.cmu.edu> with the following content
(not subject):

+---------------------------------------------------------------------------+
|subscribe info-cyrus                                                       |
+---------------------------------------------------------------------------+

Before writing to the list, check out the archive:
[http://asg.web.cmu.edu/archive/index.php?mailbox=archive.info-cyrus]
http://asg.web.cmu.edu/archive/index.php?mailbox=archive.info-cyrus

-----------------------------------------------------------------------------

12.2.3. <web-cyradm at web-cyradm.org>

Subscription can be done through the web interface
[http://www.web-cyradm.org/mailman/listinfo/web-cyradm]
http://www.web-cyradm.org/mailman/listinfo/web-cyradm

Before writing to the list, check out the archive for similar incidents:
http://www.web-cyradm.org/pipermail/web-cyradm/

-----------------------------------------------------------------------------

12.3. HOWTO

These are intended as the primary starting points for background information
as well as for showing you how to solve a specific problem. Some relevant
HOWTOs are [http://www.tldp.org/HOWTO/Cyrus-IMAP.html] Cyrus-IMAP and
[http://www.tldp.org/HOWTO/Apache-Compile-HOWTO/index.html]
Apache-Compile-HOWTO. The main site for these is the [http://www.tldp.org/]
LDP archive.

-----------------------------------------------------------------------------

12.4. Ebooks

There are a few other HOWTOs and freely available documents outside of
TLDP.org.

IBM recently released a new Redbook:
[http://www.redbooks.ibm.com/redbooks/pdfs/sg247034.pdf] BladeCenter, Linux,
and Open Source: Blueprint for e-business on demand. Especially chapter 6 is
interesting when looking for email solutions.

-----------------------------------------------------------------------------

12.5. Local Resources

Usually distributions install some documentation on your system. As a
standard it is located in /usr/share/doc/packages

The SuSE RPMs of Cyrus contain a lot of such documentation.

Postfix has some HTML files in the source directory
/usr/local/postfix-2.0.16/html

PAM also comes with lots of documentation in /usr/share/doc/packages/pam

The pam_mysql module has a README with the incredible size of 1670 bytes.

-----------------------------------------------------------------------------

12.6. Web Sites

There are a huge number of informative web sites available. By their very
nature they change quickly, so do not be surprised if these links become
outdated quickly.

A good starting point is of course the Linux Documentation Project home page,
an information central for documentation, project pages and much more.

To get more in-depth information about Postfix, [http://www.postfix.org]
www.postfix.org would be the starting point.

Please let me know if you have any other leads that can be of interest.

-----------------------------------------------------------------------------

13. Questions and Answers

Here I answer the questions I got from users. If you don't find an answer,
feel free to contact me.

13.1. FAQ

   13.1.1. Does web-cyradm only support users like »test0001«? I'd like to
           have a more descriptive username
   13.1.2. Messages are bouncing. Postfix/pipe complains that "Mailbox does
           not exist". What's wrong?
   13.1.3. web-cyradm complains about »Fatal error: Call to undefined
           function: bindtextdomain() in /www/web-cyradm-0.5.3/index.php on
           line 46«, what's wrong?
   13.1.4. I got an error from Web-cyradm like this »Fatal error: Call to
           undefined function: query() in /usr/local/httpd/htdocs/web-cyradm/
           auth.inc.php on line 17«
   13.1.5. Why MySQL and not LDAP?
   13.1.6. Why Postfix and not Qmail?
   13.1.7. I got an Error: "Temporary lookup failure"
   13.1.8. For what platforms does this HOWTO work?

13.1. FAQ

13.1.1. Does web-cyradm only support users like »test0001«? I'd like to have
a more descriptive username

web-cyradm also supports usernames like »user.name.example.com« if you
configure it accordingly. You need to edit config.inc.php and set the value
of DOMAIN_AS_PREFIX to 1. Then you need to add »unixhierarchysep: yes« to
your /etc/imapd.conf

13.1.2. Messages are bouncing. Postfix/pipe complains that "Mailbox does not
exist". What's wrong?

Check that the cyrus login in web-cyradm (config.inc.php) is correct. The
username and password must exist in MySQL in the table accountuser.
Web-cyradm will not complain if the cyrus login info is incorrect.

13.1.3. web-cyradm complains about »Fatal error: Call to undefined function:
bindtextdomain() in /www/web-cyradm-0.5.3/index.php on line 46«, what's
wrong?

Web-cyradm needs a gettext-enabled PHP. Please compile PHP with the configure
option --with-gettext.

gettext is needed for NLS (Native Language Support), which means contributors
can easily translate web-cyradm to their language. Fill in your language in
the file /usr/local/apache/htdocs/web-cyradm/locale/templates/web-cyradm.pot
and send me the file, then your language will be supported in the next CVS
snapshot.

13.1.4. I got an error from Web-cyradm like this »Fatal error: Call to
undefined function: query() in /usr/local/httpd/htdocs/web-cyradm/
auth.inc.php on line 17«

Web-cyradm depends on PEAR for database abstraction. PEAR is included in
recent PHP versions. Often PEAR is a separate package; check out the package
base of your distribution. I strongly suggest updating to the most recent
version of PHP anyway, because a lot of bugs have been fixed.

Another reason could be an authentication error with MySQL. Be sure the user
»mail« has enough rights to access the database and tables.

13.1.5. Why MySQL and not LDAP?

Good question. LDAP is role-based and would indeed be a better solution for
such applications. Unfortunately LDAP is very hard to set up: you have to
make proper schemas etc. MySQL is the straightforward way; it is very easy to
handle and versatile. There is a PAM module available for LDAP, feel free to
use it.

13.1.6. Why Postfix and not Qmail?

Lots of people would like to see such a setup with Qmail. The reason why not
is that Qmail's MySQL support is a hack that is not included in the main
source tree. This could end up in a bad situation: think of a security hole
being found in qmail and the patch no longer working with the corrected
version. Postfix supports MySQL natively. Another (personal) reason is that I
find Postfix more sympathetic (I don't know why).

13.1.7. I got an Error: "Temporary lookup failure"

Postfix cannot look up the alias table. The most common cause is that MySQL
is not running, or that there is an authentication error. Check
/var/log/mail and /usr/local/mysql/var/<hostname>.err to track down the
error.

13.1.8. For what platforms does this HOWTO work?

It is primarily for Linux. Until now I have only tested it on Linux/IA32.
Most probably it will also work on other architectures. FreeBSD is reported
to work fine. AIX has problems with at least PHP. Please report if you got it
running on another platform, so I can update this section.