- Excuse my English please. I am not a native English speaker.
- Following this installation you DO NOT NEED to make any compilations (gcc, make etc.).
- I suppose here that we build a multiple-domain configuration.
- This instruction is supposed to be as detailed as possible.
- SSL/TLS (OpenSSH) topics are mostly not yet covered here.
- SmartPost can be implemented on any operating system that supports all the parts of SmartPost, but in this document I am orienting on a Linux RedHAT 9 solution.

Please, don't follow this instruction blindly! Always remember your particular configuration.

All this is about a FRESH INSTALLATION. If you already have an XMail server with a users database, then go through steps 2, 3, 5 and 6 of this instruction, then download and run the xmail2smartpost script, which will transfer your current XMail database to the SmartPost infrastructure.

0. Operating system

Currently only Linux RedHAT 9 installation notes are available. Installation for other Linux/UNIX operating systems should be about the same.

1. Preparations

1.1 All the unwanted daemons should be stopped ...

1.2 All the unwanted packages should be uninstalled ...

Here is the final list of my packages after cleaning the installation: rpms.txt

The total installation (excluding users' mail boxes) for RedHat 9 takes approximately 500 MB of disk space. Users' mail boxes on Linux operating systems are stored in /var/MailRoot/domains

1.3 Prepare the packages that we need

RPM packages that come with the RedHAT distribution are marked in the package list. Please check for new available versions of all software.
Last version of SmartPost

1.4 Unpack the SmartPost package

I suppose that SmartPost is unpacked to the /root/soft/smartpost directory. We need some files from this archive in the next sections.

2. Apache & PHP

2.1 Check if the Apache and PHP packages are installed in the system
If not, you should install these packages manually. Use
   #rpm -ihv httpd-2.0.40-8.rpm
etc.

2.2 Apache configuration

The Apache configuration file on RedHAT is /etc/httpd/conf/httpd.conf

Set the ServerName variable here to 127.0.0.1:80
   ServerName 127.0.0.1:80
Thus Apache can resolve the name through the local hosts file.

2.3 PHP configuration

The PHP configuration file is /etc/php.ini

Save the old php.ini to php.ini.old
   #cp /etc/php.ini /etc/php.ini.old

In php.ini the following variables are important for us
Check that your session.save_path variable points to /tmp, which should be at least Apache-writable.

mysql.default_socket = "/var/lib/mysql/mysql.sock" is for RedHAT. Check where you have mysql.sock

3. MySQL

3.1 Check if the MySQL packages are installed in the system
   mysql-x.xx.xx-x
   mysql-server-x.xx.xx-x
If not, you should install these packages manually. Use
   #rpm -ihv mysql-x.xx.xx-x.rpm
etc.

After installation check your /etc/my.cnf MySQL config file. Here is mine (it is short as a rule)
3.2 Set a password for the root account of MySQL

We do not need to create a root account for MySQL. It is always created there with an empty password by default. Let's set the new password for root
   #mysqladmin -u root -p password '*****'
(type the password here, without quotes)
You will be asked to enter the old password; as it's empty in the beginning, just press [Enter].

Don't use your real system root password here!

To change the password use the command
   #mysqladmin -u root -p password '******'
(new password here, without quotes; you will be asked to enter your old password)

3.3 Database creation

Our database's name is "mail". You can choose any other name. Just remember this name and change your configs according to this name.

Login to MySQL
   #mysql -u root -p
(you will be asked to enter the password)
Create the database
   mysql> create database mail;

3.4 Create MySQL accounts to rule our system

Use the mysql_setpermission interactive program. This nice program can create the accounts that we need and give privileges to these newly created accounts. All the accounts below should have access to the database only from localhost, for security reasons.

dbadmin
This account has total control over MySQL (like the root account). We need it to rule our database system through the web interface. Use the mysql_setpermission program, choice 3. We should give full control to dbadmin over the mysql and mail databases. We can also use the ordinary MySQL command line interface
   GRANT ALL PRIVILEGES ON mail.* TO dbadmin@localhost IDENTIFIED BY '*****'
Note localhost here and the password inside quotes (enter your password inside the quote marks).

dbcontroluser
This account has only SELECT permissions over some tables from the mysql database. It is needed by the phpMyAdmin software to rule MySQL through the web interface. Use the mysql_setpermission program, choice 5. In general, phpMyAdmin needs a controluser that has only the SELECT privilege on the mysql.user (all columns except "Password"), mysql.db (all columns) & mysql.tables_priv (all columns except "Grantor" & "Timestamp") tables.
We can not grant privileges to this controluser account so accurately using the mysql_setpermission program. To do this we should use the MySQL command line interface. See the phpMyAdmin documentation for more details.

mailadmin
This account has full control only over the mail database. Use the mysql_setpermission program, choice 3. Choose the mail database and localhost. Choose a password for the mailadmin account. Don't forget this password. It's pretty strange, but once I tried to use the same password as the login name for the mailadmin account, I could not log in to mysql.

To check the permissions use the command mysqlaccess. It has the syntax
   #mysqlaccess -U root -P password NAME DBASE
where password (without any quote marks) is your root MySQL password from 3.2 of this instruction. Note that -U and -P are capital letters here. NAME and DBASE are the account name and database name to check permissions for. For example
3.5 Create tables inside the mail database

We have unpacked our SmartPost package to /root/soft/smartpost (see 1.4). There is a file smartpost.sql inside the /other-files directory. It contains the SQL commands to create the tables for our mail database. To import these commands into MySQL use
   #mysql -u root -p mail < /root/soft/smartpost/other-files/smartpost.sql
where mail is your mail database name (see 3.3). You will be asked for MySQL's root password.

3.6 phpMyAdmin installation

This is optional software, but it can be extremely useful during the installation and testing of our mail system. phpMyAdmin is a really powerful tool that can manage a whole MySQL server as well as a single database. To accomplish the latter you'll need a properly set up MySQL user who can read/write only the desired database (the dbcontroluser account; we did it in 3.4). See the phpMyAdmin documentation for more details.

Unpack phpMyAdmin into the webserver's document root, into the ../myadmin catalog. On Linux RedHAT the web root is /var/www. Thus, the phpMyAdmin installation is inside /var/www/myadmin

Edit the Apache config file httpd.conf. On RedHAT it is situated in /etc/httpd/conf/. We should add an alias to the ../myadmin catalog somewhere inside the Aliases subsection of httpd.conf
Restart Apache:
   #service httpd restart
on RedHAT, or
   #apachectl restart
on other UNIX operating systems.

phpMyAdmin's configuration file is situated in the head directory of the phpMyAdmin installation. I placed it in /var/www/myadmin. This configuration file contains a lot of useful comments. Read them. We should configure the MySQL server's URL and set the authentication method to 'cookie'.

- phpMyAdmin URL. Don't use 127.0.0.1 or 'localhost' here. Here should be your real IP address.
   $cfg['PmaAbsoluteUri'] = 'http://xxx.xxx.xxx.xxx/myadmin/';
(your IP address here and the path to phpMyAdmin)

- Servers configuration: the $cfg['Servers'][1] array; we have only one server. Note [1] here!
MySQL hostname, port and socket
   $cfg['Servers'][$i]['host'] = 'localhost';
   $cfg['Servers'][$i]['port'] = '3306';
   $cfg['Servers'][$i]['socket'] = '/var/lib/mysql/mysql.sock';
As the authentication method choose 'cookie'
   $cfg['Servers'][$i]['auth_type'] = 'cookie';
MySQL control user settings. We have just created this account (see 3.4)
   $cfg['Servers'][$i]['controluser'] = 'dbcontroluser';
   $cfg['Servers'][$i]['controlpass'] = 'dbcontroluser';

Point your browser to http://YourServerNameOrAddress/myadmin
Login as dbadmin to control the whole MySQL system. Login as mailadmin to control the mail database.

Remember, phpMyAdmin is a powerful tool. Use it carefully. You can find a link to the documentation on the welcome screen. It is probably not a bad idea to disable phpMyAdmin (for security reasons) after the installation and tuning of the whole mail system is done.

4. SMTP server - MTA XMail

4.1 XMail installation

The official XMail documentation is here.
   # export MAIL_ROOT=/var/MailRoot
Or set it permanently inside /etc/profile. Check this variable
   # set | grep MAIL_ROOT

4.2 XMail configuration

You can find a nice article about XMail configuration here. Note that we do not need to configure aliases.tab, domainaliases.tab, mailusers.tab etc. manually. We can do this later through the web interface of SmartPost.

- Deny access to finger in the finger.ipmap.tab file
   "0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]
- Allow control access to XMail only from localhost in the ctrl.ipmap.tab file
   "0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]
   "127.0.0.1"[tab]"255.0.0.0"[tab]"ALLOW"[tab]"2"[newline]
- Allow all access to SMTP in the smtp.ipmap.tab file
   "0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]
- Allow all access to POP3 in the pop3.ipmap.tab file
   "0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]
- Clear the domains.tab file, because we are going to support mail for many domains

All XMail administrator accounts should be inserted into the ctrlaccounts.tab file, in the form
   "accountname"[TAB]"accountspass_MD5_crypt"[newline]
First we use the utility XMCrypt from /var/MailRoot/bin. This utility can encrypt any string using the MD5 algorithm. Like this
   #./XMCrypt yourpassword
Insert the string you get into your ctrlaccounts.tab.

There are some variables to control here.
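The ipmap.tab rules above can be checked offline before XMail is restarted, which is a cheap way to make sure the CTRL port really only accepts localhost. The following Python is an added example written for this guide, not XMail's or SmartPost's own code. It assumes the matching semantics the ctrl.ipmap.tab example relies on: a rule matches when (client AND mask) equals (address AND mask), among the matching rules the one with the highest precedence decides, and a file with no matching rule allows the client. The rule text and the probe addresses are constructed here.

```python
"""Evaluate XMail *.ipmap.tab rules against a client address (added example).

Assumed semantics (not taken from XMail's source):
  - each line is "address"<TAB>"mask"<TAB>"ALLOW|DENY"<TAB>"precedence"
  - a rule matches when (client & mask) == (address & mask)
  - among matching rules the highest precedence wins
  - no matching rule means the client is allowed
"""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[int, int, bool, int]  # address, mask, allow?, precedence


def _ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ipmap(content: str) -> List[Rule]:
    """Parse the tab-separated, double-quoted ipmap.tab format."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().strip('"') for f in line.split("\t")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        addr, mask, action, prec = fields
        action = action.upper()
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"line {lineno}: action must be ALLOW or DENY")
        rules.append((_ip_to_int(addr), _ip_to_int(mask), action == "ALLOW", int(prec)))
    return rules


def is_allowed(rules: List[Rule], client_ip: str, default: bool = True) -> bool:
    """True if client_ip may connect: the matching rule with the highest
    precedence decides; `default` applies when nothing matches."""
    client = _ip_to_int(client_ip)
    best = None  # (allow?, precedence) of the best matching rule so far
    for addr, mask, allow, prec in rules:
        if (client & mask) == (addr & mask):
            if best is None or prec > best[1]:
                best = (allow, prec)
    return default if best is None else best[0]


# Constructed samples: the ctrl.ipmap.tab and smtp.ipmap.tab from the section above
CTRL_IPMAP = (
    '"0.0.0.0"\t"0.0.0.0"\t"DENY"\t"1"\n'
    '"127.0.0.1"\t"255.0.0.0"\t"ALLOW"\t"2"\n'
)
SMTP_IPMAP = '"0.0.0.0"\t"0.0.0.0"\t"ALLOW"\t"1"\n'


def check_exposure(content: str,
                   probes=("127.0.0.1", "10.0.0.5", "158.39.26.110")) -> Dict[str, bool]:
    """For a few client addresses, report whether the service would accept them."""
    rules = parse_ipmap(content)
    return {ip: is_allowed(rules, ip) for ip in probes}


if __name__ == "__main__":
    for ip, ok in check_exposure(CTRL_IPMAP).items():
        print(f"CTRL from {ip}: {'ALLOW' if ok else 'DENY'}")
```

Run it against your own ctrl.ipmap.tab contents (read the file and pass the text to check_exposure) and expect DENY for every address except the loopback range; if a public address comes back ALLOW, the precedence numbers or the mask are wrong.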
SmartPost includes statistics modules. To make them work we should enable statistics for XMail through the command line. To start the XMail daemon with particular command line parameters we have to edit /etc/rc.d/init.d/xmail. In the beginning of this file find the special variable XMAIL_CMD_LINE and set it like this
   XMAIL_CMD_LINE="-Mr 24 -Pl -Sl -Ql -Fl -Cl -Ll"
where
   -Mr hours   Set the log rotate step in hours. 24 hours is one day, to enable daily logs.
   -Pl         Enable POP3 logging.
   -Sl         Enable SMTP logging.
   -Ql         Enable SMAIL logging.
   -Fl         Enable FINGER logging.
   -Cl         Enable CTRL logging.
   -Ll         Enable local mail logging.
For more details see the XMail documentation, command line section.
   # service xmail restart

5. Courier IMAP

5.1 Courier-IMAP installation

I use rpm packages to install Courier-IMAP.
   courier-imap-2.0.0-1.9.i386.rpm (373k)
   courier-imap-mysql-2.0.0-1.9.i386.rpm (32k)
If Courier says that it needs something like
   libcrypto.so.xxx
   libssl.so.xxx
   libfam.so.xxx
you should install the openssl-xxx.rpm and fam-xxx.rpm packages. Both packages come with the RedHat Linux distribution.

5.2 Courier-IMAP configuration

Courier-IMAP config files are situated in /usr/lib/courier-imap/etc

Take these two files from the /smartpost/other-files/courier-configs directory where SmartPost was unpacked (see section 1.4 of this instruction):
   authdaemonrc
   authmysqlrc
Copy these two files to Courier's config area in /usr/lib/courier-imap/etc

Check the variables here to meet your config
   MYSQL_SERVER     localhost       MySQL server
   MYSQL_USERNAME   mailadmin       administrator's login name (see section 3.4)
   MYSQL_PASS       mailadminpass   administrator's password
   MYSQL_DATABASE   mail            database name (section 3.3)

Set ADDRESS=0 here

Since SmartPost does not support SSL/TLS yet, we should disable SSL for Courier. Otherwise SmartPost can't access users' mail boxes through the IMAP protocol. Set these two variables to "NO"
   imapdsslstart=NO
   imapdstarttls=NO

The XMail MTA has its own POP3 daemon. Thus we should disable the POP3 part of Courier.
- In /usr/lib/courier-imap/etc/pop3d go down to the bottom of the file and set
   POP3DSTART=NO
- In /usr/lib/courier-imap/etc/pop3d-ssl, in the middle of the file, set
   POP3_STARTTLS=NO
   POP3DSSLSTART=NO
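It is easy to miss one of the Courier settings listed in 5.2, and a pop3d still set to start will fight with XMail's POP3 daemon for the same port. The following Python is an added example for this guide, not part of SmartPost or Courier-IMAP. It parses Courier's shell-style KEY=VALUE rc files (comments, blank lines, optional quotes, the last assignment wins) and reports every expected setting that is missing or has a different value. The pop3d and pop3d-ssl paths and all expected values come from the section above; placing ADDRESS=0 in the imapd file and the two imapd TLS settings in imapd-ssl is an assumption made here, as is comparing variable names case-insensitively. The sample file contents are constructed.

```python
"""Audit Courier-IMAP rc files for the settings required in section 5.2 (added example)."""
import re
from typing import Dict, List, Tuple

# A shell-style assignment, optionally prefixed with "export".
ASSIGN = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

# Expected values per file (paths relative to /usr/lib/courier-imap/etc).
# Which file holds ADDRESS and the imapd TLS switches is assumed here.
EXPECTED: Dict[str, Dict[str, str]] = {
    "imapd":     {"ADDRESS": "0"},
    "imapd-ssl": {"IMAPDSSLSTART": "NO", "IMAPDSTARTTLS": "NO"},
    "pop3d":     {"POP3DSTART": "NO"},
    "pop3d-ssl": {"POP3_STARTTLS": "NO", "POP3DSSLSTART": "NO"},
}


def parse_rc(content: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; keys are upper-cased, matching quotes are
    stripped, trailing unquoted comments are dropped, last assignment wins."""
    settings: Dict[str, str] = {}
    for raw in content.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ASSIGN.match(stripped)
        if not m:
            continue  # not an assignment (shell logic etc.), ignore
        key, value = m.group(1).upper(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        else:
            value = value.split("#", 1)[0].strip()
        settings[key] = value
    return settings


def audit(files: Dict[str, str], expected=EXPECTED) -> List[Tuple[str, str, str, str]]:
    """Return (file, key, expected, actual) for every mismatch.
    `files` maps rc file name to its text; a missing file counts as all unset."""
    problems = []
    for fname, wanted in expected.items():
        actual = parse_rc(files.get(fname, ""))
        for key, want in wanted.items():
            have = actual.get(key.upper(), "<unset>")
            if have.upper() != want.upper():
                problems.append((fname, key, want, have))
    return problems


# Constructed sample: a half-finished configuration with two leftovers.
SAMPLE_FILES = {
    "imapd": "# listen on every address\nADDRESS=0\n",
    "imapd-ssl": "IMAPDSSLSTART=NO\nIMAPDSTARTTLS=YES   # still on: SmartPost cannot log in\n",
    "pop3d": "POP3DSTART=YES\n",
    "pop3d-ssl": 'POP3_STARTTLS=NO\nPOP3DSSLSTART="NO"\n',
}


def audit_installed(etc_dir: str = "/usr/lib/courier-imap/etc") -> List[Tuple[str, str, str, str]]:
    """Read the real rc files from etc_dir and audit them."""
    import os
    files = {}
    for fname in EXPECTED:
        path = os.path.join(etc_dir, fname)
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[fname] = fh.read()
    return audit(files)


if __name__ == "__main__":
    for fname, key, want, have in audit(SAMPLE_FILES):
        print(f"{fname}: {key} should be {want}, found {have}")
```

With the sample above the audit flags IMAPDSTARTTLS in imapd-ssl and POP3DSTART in pop3d; on a real box call audit_installed() after editing the files and restart Courier only when it returns an empty list.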
After this configuration SMTP and POP3 services are provided by XMail, and IMAP is provided by Courier-IMAP.

The original Courier-IMAP software has two special problems in combination with the XMail MTA. To see how to solve these problems, see the Post-installation section at the end of this document.

6. SmartPost web-client

6.1 SmartPost installation

We have unpacked the SmartPost package to the /root/soft/smartpost directory (see section 1.4 of this instruction). Now copy the contents of this directory to /var/www/smartpost

Copy the verdana.ttf font file (this file comes with the smartpost package) to /usr/local/fonts/ttf
After all we should check that the /var/www/smartpost/temp directory is at least Apache-writable.

6.2 Apache virtual catalog

The Apache config file on RedHat is /etc/httpd/conf/httpd.conf. In the Alias subsection of this file add an alias to the SmartPost installation directory. For example:
Restart Apache after all
   #service httpd restart
on RedHAT, or
   #apachectl restart
on other UNIX operating systems.

6.3 SmartPost configuration

SmartPost has just one config file, confglobal.php, inside the main SmartPost directory. Just edit this file to fit your configs.

Quota Monitor runs according to some schedule and creates reports about mail box sizes. Since Quota Monitor is an external perl module (thanks to Shawn Anderson for this module) it needs some special configuration. Quota Monitor is situated in the ../scripts subdirectory of the SmartPost installation. There are 4 files there:
See these variables inside the XMQuotaMonitor.xxxx.pl scripts
To configure these scripts so that they work correctly, check these variables right at the beginning of the perl program
- Configure the cron daemon to run our scripts periodically. First create a file named 'root' in /var/spool/cron. This file should contain the cron daemon's instructions. I know that it is a security issue to run these scripts from the root account, but only root by default (and I don't know how to change this) has access to users' mail boxes. Here is an example of /var/spool/cron/root
By the way, take a look at your /etc/crontab. There is a MAILTO variable inside. You can either empty it or set it to your real e-mail address. But don't set it simply to 'root' or another username (because then mail notifications from the cron daemon go nowhere and just lie in the spool forever). Besides, we can monitor the cron daemon's activity in /var/log/cron

If a user aborts a mail but has already uploaded some attachments to it, the files will be lying around in the /temp directory forever if we do not remove them. To fix this, it is recommended to create a cron job that deletes everything in the attachment directory. We have a special script /scripts/GarbageEraser.sh that does this for us. This script deletes files that were not accessed for the last 30 days. To run this script daily we should edit our /var/spool/cron/root file and add there
   30 3 * * * /var/www/smartpost/scripts/GarbageEraser.sh

6.4 Test your installation

Point your web browser to:
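Returning to the attachment cleanup job from 6.3: because it runs from root's crontab, it is worth understanding exactly what "delete files not accessed for 30 days" touches before scheduling it. The following Python is an added example for this guide that does the same job as GarbageEraser.sh is described to do; it is not the SmartPost script. It assumes the /var/www/smartpost/temp path from 6.1, only removes regular files directly inside that directory (no symlinks, no subdirectories), and supports a dry run so the candidate list can be reviewed first. The demo directory it builds is constructed.

```python
"""Delete attachment files not accessed for N days (added example, not GarbageEraser.sh)."""
import os
import tempfile
import time
from typing import List, Optional

DAY = 24 * 60 * 60
TEMP_DIR = "/var/www/smartpost/temp"  # attachment directory from sections 6.1 and 6.3


def stale_files(directory: str, days: int = 30, now: Optional[float] = None) -> List[str]:
    """Names of regular files in `directory` whose access time is older than `days` days.
    Symlinks and subdirectories are ignored so a planted link cannot redirect the delete."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    stale = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.stat(follow_symlinks=False).st_atime < cutoff:
                stale.append(entry.name)
    return sorted(stale)


def erase_garbage(directory: str = TEMP_DIR, days: int = 30, dry_run: bool = False) -> List[str]:
    """Delete (or, with dry_run=True, only list) stale files; returns their names."""
    names = stale_files(directory, days)
    if not dry_run:
        for name in names:
            os.unlink(os.path.join(directory, name))
    return names


def remaining(directory: str) -> List[str]:
    """Sorted directory listing, for checking what the job left behind."""
    return sorted(os.listdir(directory))


def make_demo_tree() -> str:
    """Constructed sample: one fresh upload, one 45-day-old upload (access time
    set with os.utime), and a subdirectory that must be left alone."""
    d = tempfile.mkdtemp(prefix="smartpost-temp-")
    now = time.time()
    for name, age_days in (("fresh.dat", 1), ("old.dat", 45)):
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"attachment bytes")
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))  # (atime, mtime)
    os.mkdir(os.path.join(d, "keep-me"))
    return d


if __name__ == "__main__":
    demo = make_demo_tree()
    print("would remove:", erase_garbage(demo, dry_run=True))
    print("removed:", erase_garbage(demo))
    print("left:", remaining(demo))
```

Run erase_garbage(dry_run=True) once from the same root crontab environment and read the list before switching the dry run off; if the temp directory is on a filesystem mounted with noatime, access times are never refreshed and every old upload will qualify, which is still what the 30-day rule intends.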
Login to the server administrator interface using
   login: serveradmin
   password: nobodyknows
Change this password immediately after your first login.

You can now create mail domains and user accounts inside these domains. After domain creation you can login to the domain administration interface to manage your domains.

It is possible to use any other web-mail client, like Squirrelmail or IMP-Horde, as the web user interface. But when a web-client other than SmartPost is in use, the web-portal statistics are not updated.

7. Basic Network Security Configuration

Security configuration is optional but strongly recommended. These ports are supposed to be open on our mail server
7.1 Internal part

netfilter
- I have realised that the lokkit program (comes with RedHAT) creates a config file that is NOT completely correct. I do _NOT_ recommend using lokkit for the SMTP server's firewall configuration. On the RedHAT operating system the netfilter configuration is stored in /etc/sysconfig/iptables. Here is the iptables config file that I use for my installations. You can just take this file and copy it over your /etc/sysconfig/iptables
- Use
   #iptables -L
to list all chains and to check your config.

Sniffer
A sniffer gives the possibility to listen to all the traffic on the server's network interfaces, and logs this traffic for later analysis. Sniffer configuration is a special and complicated topic. I like snort. The Pig lives here: www.snort.org. Other useful software is tcpdump (www.tcpdump.org) and ettercap (ettercap.sourceforge.net)

7.2 External part

Configure access lists to filter IP traffic on routers, switches or other outstanding connection devices. Here is an example of such a configuration. Suppose that our server has the IP address 158.39.26.110 and is connected to Ethernet interface 0 of a Cisco router. In this example packets are filtered before they exit an interface, after the routing decision. In terms of Cisco IOS, the trivial extended access list configuration looks something like this (without SSL)
Remember, if a packet does not match any of the access list statements, the packet will be blocked. Thus, we do not need to use [deny any any] at the end of the list.

8. Accounts list

During the installation process we have made some special accounts in the system. Here is the list of these accounts with comments and default passwords. Under construction.

   root            the most important account in the operating system
   dbadmin         this account is used to rule the MySQL system through the web. It has full control permission over the mysql and mail databases.
   dbcontroluser   it is needed by phpMyAdmin
   mailadmin       this account has administrative rights over our mail database
   xmailadmin      account to control the XMail MTA. This is stored in /var/MailRoot/ctrlaccounts.tab and has an MD5 crypted password.
   serveradmin     account to control the SmartPost server configuration. Login using this account with your browser to http://YourServerName/webmail/sadmin. This account is stored in the mail database, serveradmin table. For the first login it has the password 'nobodyknows' (see 6.4). Change this password after your first login.

9. Post-installation tuning and configuration

These problems are a kind of incompatibility.
- Courier-IMAP can not deal in the right way with the XMail mail file format (this is the problem of <CRLF> end of lines). As a consequence messages can be unreadable in some MUAs through the IMAP protocol.
- Courier-IMAP marks mail files in a special order, and these marked files are read by XMail as new mail files. As a consequence users can get double and triple copies of the same message through the POP protocol after a previous IMAP access.
These problems are not critical, but can irritate users. To solve this you can use patched Linux binary versions of XMail 1.17 and the Courier-IMAP daemon v2.0.0 from the download section. These binary replacements are ONLY FOR XMail 1.17 and Courier-IMAP 2.0.0! The patches can be applied separately. They are independent.
- To solve the 'double POP messages problem': replace your /var/MailRoot/bin/XMail file with the file from the xmail117-patched.zip archive.
- To solve the '<CRLF> problem': replace your /usr/lib/courier-imap/bin/imapd file with the file from the imapd200-patched.zip archive.
The patches' source code is in the download section.

- How to close an open relay
- How to configure the max size of file attachments
- How to implement anti-virus filters
- How to implement open-relay-database and black list checks