1. Objectives:
Our goal is to implement Horde (a feature-rich e-mail, time tracking, calendar and task system) and to design the underlying infrastructure as well. The system should provide web based access, should be able to filter e-mail messages for spam and viruses, and should integrate user management with the existing MSAD. Because we need a modular design that suits small to mid-sized organizations and is easy to test and deploy, we decided to split the mail filter (mailfilter), mail store (mail), web access (www) and MSAD (dc1) onto different servers. We also decided to build the mailfilter, mail and www servers as guest servers (vservers) running on top of a linux-vserver host machine. Some of the positives are:
- There is no overhead at all. Easy to set up as a test system or learning lab. Easy to install, remove and manage vservers.
- Increased security.
- Guests are almost hardware independent.
- As load grows, or when we have hardware failures, we can easily move a guest from one host to another.
2. Install Linux-Vserver (optional)
We use Gentoo Linux as our primary distribution, both for the host and for the guests [1].
You will need:
2.1. Kernel support (all distributions)
# Obtain the vserver patch
wget http://vserver.13thfloor.at/Experimental/patch-2.6.27.6-vs2.3.0.36.1.diff
# Obtain the matching kernel sources
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.6.tar.bz2
# Unpack and enter the source tree (the version must match the patch)
tar -xjvf linux-2.6.27.6.tar.bz2
cd linux-2.6.27.6
# Configure your kernel. This step is important!
make menuconfig
# Patch your kernel
patch -p1 < ../patch-2.6.27.6-vs2.3.0.36.1.diff
# Enable the linux-vserver code
make menuconfig
# Compile
make
# Install kernel and modules
make modules_install
cp arch/your_arch/boot/bzImage /boot/whatever
2.2. Vserver utils (all distributions)
(on Gentoo)
emerge -pv util-vserver
rc-update add vservers.default default
/etc/init.d/vservers.default start
(on Debian)
apt-get install util-vserver
2.3. Guest images (all distributions)
# Note the --initstyle parameter; another possible value is 'plain'
(on Gentoo)
# Obtain vserver image
wget http://people.linux-vserver.org/~hollow/stages/stage4-i686-20070905.tar.bz2
# Build mailfilter (replace --initstyle if needed)
vserver mailfilter build \
    --context 16 \
    --hostname mailfilter \
    --interface eth0:192.168.55.16/24 \
    --initstyle gentoo \
    -m template -- \
    -d gentoo \
    -t /path/to/stage4-i686-20070905.tar.bz2
# Build mail (replace --initstyle if needed)
vserver mail build \
    --context 17 \
    --hostname mail \
    --interface eth0:192.168.55.17/24 \
    --initstyle gentoo \
    -m template -- \
    -d gentoo \
    -t /path/to/stage4-i686-20070905.tar.bz2
# Build www (replace --initstyle if needed)
vserver www build \
    --context 18 \
    --hostname www \
    --interface eth0:192.168.55.18/24 \
    --initstyle gentoo \
    -m template -- \
    -d gentoo \
    -t /path/to/stage4-i686-20070905.tar.bz2
# Start vservers
vserver mailfilter start
vserver mail start
vserver www start
# (optional) update each vserver
vserver www enter
emerge -pvu system
emerge -pvu world
revdep-rebuild -pv
3. Configure Mailfilter.
Emerge (install) postfix and MailScanner.
# Adjust the needed USE flags
USE="clamav f-prot postfix spamassassin" ACCEPT_KEYWORDS="~x86" emerge -pv MailScanner
# Open /etc/MailScanner/MailScanner.conf
# and edit it according to your needs
# Open /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
relay_domains = example.com
relayhost = mail.example.com
header_checks = regexp:/etc/postfix/header_checks
# Optional, stricter SMTP restrictions (uncomment to enable):
#smtpd_delay_reject = yes
#smtpd_helo_required = yes
#smtpd_helo_restrictions =
#    permit_mynetworks,
#    check_helo_access hash:/etc/postfix/hello_access,
#    reject_non_fqdn_hostname,
#    reject_invalid_hostname,
#    permit
#smtpd_sender_restrictions =
#    permit_sasl_authenticated,
#    permit_mynetworks,
#    reject_non_fqdn_sender,
#    reject_unknown_sender_domain,
#    permit
#smtpd_recipient_restrictions =
#    reject_unauth_pipelining,
#    reject_non_fqdn_recipient,
#    reject_unknown_recipient_domain,
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject_unauth_destination,
#    permit
# Run
postmap /etc/postfix/hello_access
# Create the header_checks file: every message is put on HOLD so MailScanner can pick it up from the hold queue
echo "/^Received:/ HOLD" >> /etc/postfix/header_checks
# Edit /etc/postfix/master.cf
# We set the host name to "mail", not "mailfilter", in the SMTP greeting message:
# change the following line
#localhost:smtp inet n - n - - smtpd
# to
#localhost:smtp inet n - n - - smtpd -o myhostname=mail
#remove postfix from default run level
rc-update del postfix default
#add MailScanner to default run level
rc-update add MailScanner default
#and run it
/etc/init.d/MailScanner start
#on debian based distribution use update-rc.d command
#
# Optional: SPF policy daemon
#ACCEPT_KEYWORDS="~x86" emerge -v pypolicyd-spf
#
# Add the following to master.cf
#policyd-spf unix - n n - 0 spawn
#    user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
# Add the following to smtpd_recipient_restrictions in main.cf
#    reject_unauth_destination,
#    check_policy_service unix:private/policyd-spf
#
# Optional: greylisting with postgrey
#emerge -pv postgrey
# add it to the default run level
#rc-update add postgrey default
4. Configure Mail.
4.1. Emerge (install) postfix and dovecot with SASL and LDAP support. The process will vary depending on your Linux flavor. On Gentoo:
USE="ssl ldap sasl sieve" emerge -pv postfix dovecot
4.2. Create vmail user[2].
Quote from [2]: "Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Take note of the User ID and Home Directory of vmail. Note the Group ID of vmail. We'll be needing all of them later."
4.3. Create a user 'qu' (or any other name) in MSAD with bigstrongpassword.
Note that user name, login and person name must all be the same. We will use this account only for querying the LDAP server.
4.4. Configure postfix [2].
# Create /etc/postfix/ldap-users.cf (this is the name main.cf refers to)
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute=sAMAccountName
result_format=%s/.maildir/
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
# Create /etc/postfix/ldap-groups.cf [3]
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=group)(mail=%s))
leaf_result_attribute= mail
special_result_attribute = member
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
# Create /etc/postfix/ldap-forward.cf
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=person)(|(mail=%s)))
result_attribute=wWWHomePage
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
#edit /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname =mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = $mydomain
virtual_mailbox_base=/home/vmail/
virtual_mailbox_maps=ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps=static:1000
virtual_gid_maps=static:1000
virtual_alias_maps=ldap:/etc/postfix/ldap-groups.cf
recipient_bcc_maps=ldap:/etc/postfix/ldap-forward.cf
virtual_transport=dovecot
dovecot_destination_recipient_limit=1
message_size_limit=102400000
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8,172.16.55.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/mail2.key
smtpd_tls_cert_file = /etc/ssl/private/mail2.crt
smtpd_tls_CAfile = /etc/ssl/private/ca.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.5.5/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
home_mailbox = .maildir/
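The three ldap: maps above all store bind_pw in clear text, so they should be readable by root and the postfix group only. As an added check that is not part of the original how-to, this POSIX shell script finds every ldap: table referenced from a main.cf and reports maps that are missing or world-readable; it assumes GNU coreutils (stat -c) and runs against a constructed sample in a temporary directory.

```shell
#!/bin/sh
# Added check, not part of the original how-to: find every ldap: table that
# main.cf references and make sure the file exists and is not world-readable,
# because each of these maps carries bind_pw in clear text.
# Assumes GNU coreutils (stat -c). The sample is constructed in a temp dir.

# Print the path of every ldap: table referenced in the given main.cf.
ldap_maps_in() {
    sed -e 's/#.*//' "$1" | grep -o 'ldap:[^ ,]*' | sed 's/^ldap://' | sort -u
}

# Succeed (0) when the map exists and has no "other" permission bits,
# fail (1) when it is missing or world-readable.
check_map() {
    map=$1
    [ -f "$map" ] || { echo "MISSING  $map"; return 1; }
    mode=$(stat -c %a "$map")
    if [ $(( mode % 10 )) -ne 0 ]; then
        echo "TOO OPEN $map (mode $mode, contains bind_pw)"
        return 1
    fi
    grep -q '^bind_pw' "$map" || echo "NOTE     $map has no bind_pw line"
    echo "OK       $map (mode $mode)"
}

# Check every map referenced by main.cf; fail if any single check fails.
audit_main_cf() {
    rc=0
    for m in $(ldap_maps_in "$1"); do
        check_map "$m" || rc=1
    done
    return $rc
}

# Constructed sample mirroring the how-to: users map locked down, groups map
# left world-readable, forward map never created. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    printf 'bind=yes\nbind_dn=qu@example.com\nbind_pw=bigstrongpassword\n' > "$d/ldap-users.cf"
    cp "$d/ldap-users.cf" "$d/ldap-groups.cf"
    chmod 0640 "$d/ldap-users.cf"
    chmod 0644 "$d/ldap-groups.cf"
    cat > "$d/main.cf" <<EOF
virtual_mailbox_maps=ldap:$d/ldap-users.cf
virtual_alias_maps=ldap:$d/ldap-groups.cf
recipient_bcc_maps=ldap:$d/ldap-forward.cf
EOF
    echo "$d"
}
```

Run audit_main_cf /etc/postfix/main.cf on the mail guest after creating the maps; a non-zero exit means at least one map is missing or exposes its bind password.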
# Edit /etc/postfix/master.cf
# Add the dovecot transport (the one virtual_transport in main.cf refers to) and comment out the old local transport
dovecot unix - n n - - pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver2 ${user}
# Alternative: replace the postfix local delivery agent with a wrapper that sets HOME
#mv /usr/lib/postfix/local /usr/lib/postfix/localp
# create file /usr/lib/postfix/local
#!/bin/bash
HOME="/home/vmail/$1/" exec /usr/libexec/dovecot/deliver
4.5. Configure dovecot [2]
#edit (create) /etc/dovecot/dovecot-ldap.conf
hosts = dc1.example.com
dn = qu
dnpass = bigstrongpassword
auth_bind = yes
auth_bind_userdn =EXAMPLE\%u
ldap_version = 3
base = dc=example, dc=com
pass_filter = (&(objectClass=person)(uid=%u))
#edit /etc/dovecot/dovecot.conf
listen = [::]
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/private/mail2.crt
ssl_key_file = /etc/ssl/private/mail2.key
ssl_ca_file = /etc/ssl/private/ca.crt
mail_location = maildir:~/.maildir
protocol imap {
}
protocol pop3 {
}
protocol lda {
postmaster_address = postmaster@example.com
log_path = /home/vmail/dovecot-deliver.log
mail_plugins = cmusieve
sieve_global_dir = /home/vmail/
sieve_global_path=/home/vmail/global.sieve
}
auth_debug = yes
auth default {
mechanisms = plain
passdb pam {
args = "*"
}
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb passwd {
}
userdb static {
args = uid=1000 gid=1000 home=/home/vmail/%u
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
# Create file /home/vmail/global.sieve
require ["fileinto"];
# Move spam to the spam folder
if header :contains "X-Spam-Status" ["YES"] {
    fileinto "spam";
    stop;
}
5. Configure Horde.
5.1. Emerge (install) Horde
USE="crypt ldap mysql" ACCEPT_KEYWORDS="~x86" emerge -pv horde-webmail
5.2. Run setup
/var/www/localhost/htdocs/horde/scripts/setup.php
[1] Linux-VServer on Gentoo (useful on other distributions too):
http://www.gentoo.org/proj/en/vps/vserver-howto.xml
[2] Postfix and Dovecot LDAP (MSAD) integration:
http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
[3] Active Directory mailing lists:
http://www.linuxmail.info/postfix-active-directory-ldap-lookup-howto/
[4] The same kernel steps with a newer patch (2.6.27.8); patch --dry-run checks that the patch applies cleanly before touching the tree:
wget http://vserver.13thfloor.at/Experimental/patch-2.6.27.8-vs2.3.0.36.2.diff
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.8.tar.bz2
tar -xjvf linux-2.6.27.8.tar.bz2
cd linux-2.6.27.8
make menuconfig
patch --dry-run -p1 < ../patch-2.6.27.8-vs2.3.0.36.2.diff
patch -p1 < ../patch-2.6.27.8-vs2.3.0.36.2.diff
mail postfix-out # cd /
mail / # postfix -c /etc/postfix-out check
postfix: fatal: chdir(/var/spool/postfix-out): No such file or directory
mail / # mkdir /var/spool/postfix-out
mail / # postfix -c /etc/postfix-out check
USE="crypt ldap mysql apache2 bcmath ctype curl exif ftp gd gmp imap inifile hash simplexml snmp soap truetype xml zip xmlreader imap ssl session xml nls iconv gd ftp ldapcrypt mysql mysqli" ACCEPT_KEYWORDS="~amd64" emerge -v php horde-webmail