Configurations required for Arch compared to Ubuntu App Compile Settings
I have never been very good at recording the steps I took to set up my server. A bit silly, given that every so often I need to do it again (for whatever reason). This new setup is because I am moving my server from my home system to a VPS out there on the net.
The main bits that I am concerned with at the moment are:
Each of those things has a bunch of sub steps that need to be taken care of.
The base system I selected was Ubuntu Gutsy 7.10, this was partly because of familiarity and partly because of the easy update of the software.
Mail server is actually made up of two different parts:
In my original setup the IMAP server was Courier-IMAP (with Courier-Auth & Courier-POP) and the SMTP server was Exim, connected to Vexim to provide virtual users & multiple domains.
Going into my new setup I am changing over from Courier-IMAP to Dovecot for a couple of reasons. Partly for a change, partly because it is claimed to be faster with large folders (which I have) and partly because it's a little easier to work with. The downside of this is that for moving the mails over I have two options:
Other changes happening are moving from SpamAssassin to DSPAM for spam filtering, adding greylisting, SPF, possibly DomainKeys, and looking at what antivirus solution I am using (clamav is wasting a TON of memory).
The transfer of the database to the new server went fine. However there was a problem with the original SQL used to connect to the Vexim database to authenticate the users:
driver = mysql
connect = host=localhost dbname=vexim user=vexim password=!vexim*
default_pass_scheme = PLAIN
password_query = SELECT clear AS password FROM users WHERE username = '%u' AND type = 'local' AND enabled = '1'
user_query = SELECT smtp AS maildir, uid, gid FROM users WHERE username = '%u' AND type = 'local' AND enabled = '1'
The problem is that two of my users (oddly enough, my own accounts) have the type “piped” rather than “local”, so that Exim runs procmail for mail filtering; the queries above never match them, so those accounts cannot log in.
To make it a bit easier for Tarasis users to log into their accounts, they only need to specify their username without the domain. Dovecot then fills in the missing domain part of
user @ domain
itself. This is done by setting auth_default_realm = to the domain you require in dovecot.conf.
I have also used Dovecot's SQL prefetch userdb to hit the DB only once per login rather than twice (passdb, then userdb). I suspect this is premature optimisation, given there are few users and at present limited DB hits.
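A corrected dovecot-sql.conf together with the dovecot.conf fragment that enables prefetch, as an added example (not the page's own config and not from the Vexim docs). It assumes the Dovecot 1.x config layout that Ubuntu Gutsy ships, that the Vexim users table has the columns used above, and uses the placeholders CHANGE_ME and example.com; the mapping of the smtp column to Dovecot's home field is an assumption you must match to your mail_location.

```conf
# /etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=vexim user=vexim password=CHANGE_ME

# 'clear' holds the plaintext password, hence PLAIN. If your Vexim install also
# fills the 'crypt' column, prefer:  SELECT crypt AS password ...  with
# default_pass_scheme = CRYPT, so the database no longer stores cleartext.
default_pass_scheme = PLAIN

# 'piped' accounts are real mailboxes whose delivery goes through procmail, so
# they need IMAP login just like 'local' ones. The userdb_* columns are consumed
# by the prefetch userdb below, so a login costs one query instead of two.
password_query = SELECT clear AS password, smtp AS userdb_home, uid AS userdb_uid, gid AS userdb_gid FROM users WHERE username = '%u' AND type IN ('local','piped') AND enabled = '1'

# Still needed for lookups that do not go through the passdb first (e.g. the LDA).
user_query = SELECT smtp AS home, uid, gid FROM users WHERE username = '%u' AND type IN ('local','piped') AND enabled = '1'

# /etc/dovecot/dovecot.conf (Dovecot 1.x; in 2.x the realm setting is the
# top-level auth_default_realm and the auth block is split into conf.d)
disable_plaintext_auth = yes          # PLAIN only over TLS (or from localhost)
auth default {
  mechanisms = plain
  default_realm = example.com         # "bob" is looked up as bob@example.com
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb prefetch {
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
}
```

The prefetch userdb must be listed before the sql userdb: Dovecot uses the userdb_* fields returned by the password query when they are present and only falls back to the second query when they are not. The type IN ('local','piped') condition is the actual fix for the two procmail accounts; everything else is the optimisation.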
First install dspam and its dependencies:
sudo apt-get install dspam dspam-doc dspam-webui libdspam7-drv-mysql
On completion of the install it will ask to configure libdspam7-drv-mysql with dbconfig-common. Answer Yes.
Then specify a password for the dspam database “user”.
Then supply the password of the DB admin so that it can log in and create the relevant data. (I got this wrong the first couple of times.)
Create the dspamdb database
Create the dspam user and grant it all permissions on dspamdb
Import the tables:
mysql -u dspam -p -D dspamdb < /usr/share/doc/libdspam7-drv-mysql/mysql_objects-speed.sql
mysql -u dspam -p -D dspamdb < /usr/share/doc/libdspam7-drv-mysql/virtual_users.sql
Set the five tables below to InnoDB (not MyISAM, the default, which can cause corruption). I did this by hand using phpMyAdmin: select the DB, select the table, select Operations, change the storage engine type and then Go.
dspam_preferences
dspam_signature_data
dspam_stats
dspam_token_data
dspam_virtual_uids
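The same steps done from the mysql client instead of phpMyAdmin, as an added example (not from the DSPAM package or this page). It assumes the database is called dspamdb and the user dspam; the CHANGE_ME password is a placeholder. Run the first part as the MySQL root user only if dbconfig-common did not already create the database and user for you.

```sql
-- Part 1 (as root, only if dbconfig-common did not do it):
--   mysql -u root -p < this_file.sql
CREATE DATABASE dspamdb;
GRANT ALL PRIVILEGES ON dspamdb.* TO 'dspam'@'localhost' IDENTIFIED BY 'CHANGE_ME';
FLUSH PRIVILEGES;

-- Part 2 (as the dspam user, after importing mysql_objects-speed.sql and
-- virtual_users.sql):
--   mysql -u dspam -p -D dspamdb < this_file.sql
-- ALTER needs the ALTER privilege, which the GRANT ALL above includes.
ALTER TABLE dspam_preferences    ENGINE=InnoDB;
ALTER TABLE dspam_signature_data ENGINE=InnoDB;
ALTER TABLE dspam_stats          ENGINE=InnoDB;
ALTER TABLE dspam_token_data     ENGINE=InnoDB;
ALTER TABLE dspam_virtual_uids   ENGINE=InnoDB;

-- Check the result: every dspam_* table should report InnoDB. A table still
-- on MyISAM here means the ALTER above failed (look at the client's error).
SELECT TABLE_NAME, ENGINE
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'dspamdb'
   AND TABLE_NAME LIKE 'dspam\_%';
```

The conversion rewrites each table, so do it before DSPAM has built up a large token table; on a live install stop the dspam daemon first so nothing writes mid-conversion.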
Configure BLAH
Set it to auto start by editing /etc/default/dspam and changing
START=no
to
START=yes
Oh God, skipped writing a ton. Had to do tweaking of the DSPAM configs:
Move mysql.conf into dspam.d (possibly also purge.sql)
Change permissions (mysql.conf holds the DB password, so it should be readable by the dspam user only)
Changed the trusted deliverer to exim rather than procmail
Enabled SpamAssassin for the user (thought I had done it when creating the user but the entry in the database said off)
Need to set up FastCGI for Perl; I used the NGINX English Wiki page NginxSimpleCGI with minor tweaks.
Hmm, while that works to get the DSPAM web UI loaded, I need to get auth working, and by the looks of it that isn't possible with an SQL database. Looks like I will need to proxy the site to an instance of apache2. Grr, was hoping to avoid that.
sudo dpkg-reconfigure exim4-config
# select "internet site; mail is sent and received directly using SMTP"
# set mail name to tarasis.net
# set listen IP to 127.0.0.1
# leave "other destinations for which mail is accepted" as is
# leave "Domains to relay mail for" blank
# leave "Machines to relay mail for" blank
# set "Keep number of DNS-queries minimal (Dial-on-Demand)" to NO
# set "Delivery method for local mail" to Maildir format in home directory
# set Maildir format in home directory to NO
# set "Root and postmaster mail recipient" to robertm
# THAT'S IT
Okay, let's eschew both of the configs that Ubuntu comes with by default, the split-files setup and the littered single file with macro defs, and copy the example config from the Vexim docs (the second argument to cp assumes you are in the vexim2/docs directory; otherwise give its full path):
sudo cp ~/sources/vexim2/docs/*.conf configure /etc/exim4/
sudo mv /etc/exim4/configure /etc/exim4/exim4.conf
I am commenting out all references to Mailman because I have no need for them at this moment in time.
First set the IP address
MY_IP = IP-ADDRESS
Then remove pear.silverwraith.com (the Vexim author's example host) from
domainlist local_domains = @ : pear.silverwraith.com : ${lookup mysql{VIRTUAL_DOMAINS}} : ${lookup mysql{ALIAS_DOMAINS}}
Change trusted_users from
trusted_users = avleen:www
to
trusted_users = vmail:www-data
Uncomment the hide mysql_servers line, fix the location of the MySQL socket and add the password for the vexim DB. (hide only keeps the value out of exim -bP output for non-admin users; the password is still in the file in the clear, so keep exim4.conf readable only by root and the Debian-exim group.)
#hide mysql_servers = localhost::(/tmp/mysql.sock)/vexim/vexim/CHANGE
to
hide mysql_servers = localhost::(/var/run/mysqld/mysqld.sock)/vexim/vexim/PASSWORD
Change the av_scanner line to reflect clamav's real socket file, from
av_scanner = clamd:/var/run/clamav/clamd
to
av_scanner = clamd:/var/run/clamav/clamd.ctl
Next change the exim user & group from
exim_user = mailnull
exim_group = mail
to
exim_user = Debian-exim
exim_group = Debian-exim
Change all of the Vexim configuration include lines to reflect their location in /etc/exim4 and not /usr/local/etc/exim/:
.include /etc/exim4/vexim-acl-check-spf.conf
.include /etc/exim4/vexim-acl-check-helo.conf
.include /etc/exim4/vexim-acl-check-rcpt.conf
.include /etc/exim4/vexim-acl-check-content.conf
.include /etc/exim4/vexim-group-router.conf
In the system_aliases section change
user = mailnull
group = mail
to
user = Debian-exim
group = Debian-exim
Locate the mailman_transport transport and comment it out:
#mailman_transport:
# driver = pipe
# command = MAILMAN_WRAP \
# '${if def:local_part_suffix \
# {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
# {post}}' \
# $local_part
# current_directory = MAILMAN_HOME
# home_directory = MAILMAN_HOME
# user = MAILMAN_USER
# group = MAILMAN_GROUP
Locate the mailman_router and comment it out:
# mailman_router:
#   driver = accept
#   require_files = MAILMAN_HOME/lists/$local_part/config.pck
#   local_part_suffix_optional
#   local_part_suffix = -bounces : -bounces+* : \
#                       -confirm+* : -join : -leave : \
#                       -owner : -request : -admin
#   headers_remove = X-Spam-Score:X-Spam-Report
#   transport = mailman_transport
Finally, let's check our changes so far. The following command reads and validates the new configuration file for syntactic correctness and prints the Exim version, without starting a daemon:
exim -C /etc/exim4/exim4.conf -bV
Next, in /etc/exim4/vexim-acl-check-content.conf, change the following line (which appears twice) from
spam = maildeliver:true
to
spam = vmail:true
You can now start exim
/etc/init.d/exim4 restart
NOTE You may get an alert on startup: "ALERT: exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken". If you get this, check the paniclog. It is likely warnings from when you tested exim4.conf (assuming you made any typos). If so, it is safe to delete them and restart exim.
Now let's remove the references to SpamAssassin & spamd in favour of DSPAM. Note the following is based on the thread Vexim+DSPAM from the archives of the Vexim mailing list.
Remove / comment out the ditch_spam router and replace it with
.include /etc/exim4/vexim-router-dspam.conf
Next before the virtual_delivery transport add
.include /etc/exim4/vexim-transport-dspam.conf
Comment out
spamd_address = 127.0.0.1 783
In the virtual_domains route, remove the add / remove headers section based on value of $spam_score_int
rmcg TODO
In vexim-transport-dspam.conf change all references of
user = maildeliver
group = mail
to
user = Debian-exim
group = Debian-exim
Note I had to disable the following lines in vexim-acl-check-rcpt.conf because my home IP is currently listed in zen.spamhaus.org. Need to look into options around this.
# deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
#      dnslists = zen.spamhaus.org:list.dsbl.org
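Rather than switching the DNSBL check off for every sender, the usual option is to let your own authenticated submissions past it, which is exactly the case a listed home IP represents. The fragment below is an added example for the RCPT ACL, not from Vexim or this page; it assumes your mail clients use SMTP AUTH (the TLS/AUTH settings later in this page provide that) and that the ACL does not already accept authenticated clients above the deny.

```conf
# RCPT ACL fragment (vexim-acl-check-rcpt.conf): authenticated clients are
# accepted before any DNSBL lookup, so a listed home IP can still submit mail
# once it has logged in. Hosts you relay for (+relay_from_hosts) get the same
# treatment.
accept authenticated = *
accept hosts         = +relay_from_hosts

# Everything else is still subject to the blocklist. Keep only zones you have
# verified are still operated; a dead zone just slows each RCPT down.
deny   message  = DNSBL listed at $dnslist_domain\n$dnslist_text
       dnslists = zen.spamhaus.org
```

Order matters in Exim ACLs: statements are evaluated top to bottom and the first accept or deny that matches ends processing, so the two accepts must precede the deny.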
If you get the following error you need to add clamav to the Debian-exim group in /etc/group and then restart clamav-daemon process.
malware acl condition: clamd: ClamAV returned /var/spool/exim4/scan/1JM6uk-0000ye-Bt: lstat() failed. ERROR
In vexim-acl-check-content.conf, change the following from warn to deny to reject any messages that contain a virus.
NOTE Some sites (namely Yahoo Groups) will block your email address from receiving any more messages if you reject a message.
# Reject virus infested messages.
deny message = This message contains malware ($malware_name)
malware = *
log_message = This message contains malware ($malware_name)
Add requirement for SSL connection for SMTP
First generate a certificate. NOTE that the certificate's Common Name holds ONE name (extra names can go in a subjectAltName extension, but a self-signed certificate trips client warnings either way), so in a virtual host setup users of other domains will have to accept a certificate for a site that is likely not their mail domain. Not really an issue in the grand scheme of things. The original command used rsa:1024; a 2048-bit key is the minimum worth generating today. -nodes leaves the private key unencrypted so the daemon can read it, so keep the key file readable only by root and the Exim user.
$ openssl req -x509 -newkey rsa:2048 -keyout exim.key -out exim.crt -days 9999 -nodes
Now, add the following lines somewhere near the top of your exim.conf. QUESTION Does the top line mean that anything sent locally (like via webmail) will be required to use SSL? ANSWER Yes. The expansion yields an empty host list whenever $tls_cipher is empty, so AUTH is not advertised until STARTTLS has completed, and Exim rejects an AUTH command it has not advertised ("503 AUTH command used when not advertised"). A webmail client speaking plain SMTP to 127.0.0.1 therefore cannot authenticate unless it uses STARTTLS too or localhost is exempted in that expansion.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
tls_advertise_hosts = *
tls_certificate = /usr/share/ssl/certs/exim.crt
tls_privatekey = /usr/share/ssl/private/exim.key
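An added Exim fragment (not from the Vexim docs or this page) that puts the key pair under Ubuntu's /etc/ssl layout and exempts the local webmail host from the TLS-before-AUTH rule. The paths, the file ownership and the 127.0.0.1 exemption are assumptions for this setup.

```conf
# Exim TLS/AUTH policy. The key must be readable by the exim user but nobody
# else:  chown root:Debian-exim /etc/ssl/private/exim.key
#        chmod 640 /etc/ssl/private/exim.key
tls_advertise_hosts = *
tls_certificate     = /etc/ssl/certs/exim.crt
tls_privatekey      = /etc/ssl/private/exim.key

# Advertise AUTH only once TLS is up, except to the webmail client on the same
# box, which talks plain SMTP to 127.0.0.1 and would otherwise get
# "503 AUTH command used when not advertised". Everyone else must STARTTLS
# first, so passwords never cross the network in the clear.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}
```

If the webmail host is on another machine, add its address to the no-TLS branch only if the link between the two is already protected; otherwise configure the client to STARTTLS and keep the branch at 127.0.0.1.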
I use Roundcube for its looks and general speed.
First download the latest released version
http://mesh.dl.sourceforge.net/sourceforge/roundcubemail/roundcubemail-0.1-rc2.tar.gz
Unpack it
tar zxf roundcubemail-0.1-rc2.tar.gz
Make folder for it on the server
mkdir -p /home/sites/rc.tarasis.net/{public,private,logs,backup}
Copy the files across (run from inside the unpacked roundcubemail-0.1-rc2 directory, since * is relative to the current directory)
cp -a * /home/sites/rc.tarasis.net/public/
Change file ownership to webserver
sudo chown -R www-data logs temp
Create a new database, database user and tables:
mysql -u root -p
mysql> CREATE DATABASE roundcubemail DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'A PASSWORD -- CHANGE THIS';
mysql> quit
mysql -u root -p roundcubemail < SQL/mysql5.initial.sql
Next edit db.inc.php in the config directory. Set $rcmail_config['db_dsnw'] to the database name, user & password specified above.
$rcmail_config['db_dsnw'] = 'mysql://roundcube:A PASSWORD -- CHANGE THIS@localhost/roundcubemail';
Lets set the config for Nginx up next
tarasis /usr/local/nginx/conf/sites-available: sudo vim rc.tarasis.net
With the content …
tarasis /usr/local/nginx/conf/sites-available: sudo ln -s /usr/local/nginx/conf/sites-available/rc.tarasis.net /usr/local/nginx/conf/sites-enabled/
Christ, missed a few changes to the config main.inc.php and had to import the DB from the old setup because of an error. Need to log that.
Next, given that Apache's .htaccess files are not used by nginx, we need to protect certain locations against direct access. So in your rc.tarasis.net vhost add the following BEFORE, <b>NOTE BEFORE</b>, the location directive for PHP files: nginx tries regular-expression locations in the order they appear and the first match wins, so if the \.php$ location came first a request for /config/db.inc.php would be handed to PHP instead of denied.
location ~ ^/(bin|config|logs|SQL|temp)/ {
    # /32 matches only the single address 192.168.0.0 (a network address), so this
    # allow is effectively a no-op; use your real admin host or subnet, or drop it
    allow 192.168.0.0/32;
    deny all;
}
Also add the following to disable access to the .htaccess files
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
Info on creating SSL certificates
If you want SSL for logins you need to listen on both port 80 & port 443
Create DB
Run install.php via the web; got some errors for things that aren't mentioned in the getting_started.html file:
STOP! Before you go any further, you must complete the following steps:
CHMOD chyrp.htaccess to 777 and rename it to .htaccess
Rename /includes/database.yml.stock to /includes/database.yml.php and CHMOD it to 777
Rename /includes/config.yml.stock to /includes/config.yml.php and CHMOD it to 777
So
tarasis /home/sites/blog.tarasis.net/public: chmod 777 chyrp.htaccess
tarasis /home/sites/blog.tarasis.net/public: mv chyrp.htaccess .htaccess
tarasis /home/sites/blog.tarasis.net/public: cp includes/database.yml.stock includes/database.yml.php
tarasis /home/sites/blog.tarasis.net/public: cp includes/config.yml.stock includes/config.yml.php
tarasis /home/sites/blog.tarasis.net/public: chmod 777 includes/config.yml.php includes/database.yml.php
Fill in DB details
On next page give it a name, check the URL and specify a time difference (HOW?)
Then
chmod 755 .htaccess
mv install.php install.php-old
The 777 on includes/config.yml.php and includes/database.yml.php was only needed for the installer; tighten those back down too, since database.yml.php holds the DB credentials and world-writable means any local user can read or change them.
Done, NOW WHAT THE FUCK IS A SLUG? (in the advanced post or page options). It is the URL-safe short name of the post or page, i.e. the last component of its permalink.
Finding ClamAV making random-ish increases in memory. Looks like there might be a bug of sorts. More info
Having been good and writing everything up while doing the Arch install highlights how poor the doc is for the Ubuntu setup. Here are some things that need to be done:
If you use fastcgi_param HTTPS on; you need to explicitly supply the following in your nginx vhost config file. The parameters from the fastcgi_params file included in the http section of nginx.conf are not inherited, because fastcgi_param directives are only inherited from the outer level when the current level defines none of its own: the moment you add one, the whole inherited set is dropped and you have to include fastcgi_params again at that level. (SPENT A LOT OF TIME BANGING MY HEAD ON THIS)
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
include conf/fastcgi_params;
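A complete vhost tying the two nginx points on this page together, the deny locations that must precede the PHP location (the Roundcube section) and the FastCGI parameters that must be repeated once HTTPS on is set (this section). It is an added example, not the page's own vhost (whose content was not reproduced); rc.example.com, the paths and the certificate locations are placeholders.

```nginx
server {
    listen 443 ssl;                 # nginx older than 0.7.14: "listen 443;" plus "ssl on;"
    server_name rc.example.com;
    root  /home/sites/rc.example.com/public;
    index index.php;

    ssl_certificate     /etc/ssl/certs/rc.example.com.crt;
    ssl_certificate_key /etc/ssl/private/rc.example.com.key;

    # Regex locations are matched in file order and the first match wins:
    # these two must sit above the \.php$ location, otherwise a request for
    # /config/db.inc.php would be handed to PHP instead of refused.
    location ~ ^/(bin|config|logs|SQL|temp)/ {
        deny all;
    }
    location ~ /\.ht {
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;        # never pass a non-existent script to PHP
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        # Defining any fastcgi_param here discards the set inherited from
        # http {}, so the standard parameters are included again at this level.
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}
```

Test the ordering after a reload with a request such as curl -k https://rc.example.com/config/db.inc.php, which must return 403, and a request for a PHP file that does not exist, which must return 404 rather than reaching PHP.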
Upgrade went mostly fine. Couple of problems:
1) Permissions on the DSPAM mysql config file.
2) Had to install mod_auth_mysql; for whatever reason the default installed version was crashing when talking to the database (connected, then died). At first I tried the official mod_auth_mysql version 3.0.0 but it wouldn't compile. Then I tried the version with phpass support patched in, available from Wordpress at http://barry.wordpress.com/2008/05/19/mod_auth_mysql-and-phpass/, and that is now working.