1. Objectives:
Our goal is to implement Horde (feature rich e-mail, time tracking, calendar and task system). We have to design underlying infrastructure as well. That system should have web based access, should be capable to filter e-mail messages for spam and viruses, should integrate user management with existing MSAD. As we need modular, suitable for small to mid-sized organizations design, easy to test and deploy we decided to split mail filter (mailfilter), mail store (mail), web access(www) and MSAD(dc1) on different servers. We also decided to build mailfilter, mail and www servers as guest servers (vservers) running on top of linux-vserver host machine. Some of positives are:
- There is no overhead at all. Easy to set as test system or learning lab. Easy to install, remove and manage vservers.
- Increased security.
- Guests are almost hardware independent.
- As load grows or when we have hardware failures, we can easily move a guest from one host to another.
2. Install Linux-Vserver (optional)
We use Gentoo Linux as our primary distribution both as host and guests [1].
You will need:
2.1. Kernel support.(all distributions)
# Obtain vserver patch
wget http://vserver.13thfloor.at/Experimental/patch-2.6.27.6-vs2.3.0.36.1.diff
# Obtain kernel sources
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.6.tar.bz2
#
tar -xjvf linux-2.6.27.7.tar.bz2
#
cd linux-2.6.27.7
# Configure your kernel. This step is important!
make menuconfig
#patch your kernel
patch -p1 < ../patch-2.6.27.6-vs2.3.0.36.1.diff
#enable linux-vserver code
make menuconfig
#compile
make
#install kernel and moddules
make modules_install
cp ./arch/your_arch/bzImage /boot/whatever
2.2. Vserver utils(all distributions)
(on Gentoo)
emerge -pv util-vserver
rc-update add vservers.default default
/etc/init.d/vservers.default start
(on Debian)
apt-get install util-vserver
2.3. Guest images.(all distributions)
(all distributions)
# note –initstyle parameter, possible value ‘plain’
(on Gentoo)
#Obtain vserver image
wget http://people.linux-vserver.org/~hollow/stages/stage4-i686-20070905.tar.bz2
# Build mailfilter
vserver mailfilter build \
–context 16 \
–hostname mailfilter \
–interface eth0:192.168.55.16/24 \
–initstyle gentoo \ (replace if needed)
-m template — \
-d gentoo \
-t /path/to/stage4-i686-20070905.tar.bz2
# Build mail
vserver mail build \
–context 17 \
–hostname mail \
–interface eth0:192.168.55.17/24 \
–initstyle gentoo \ (replace if needed)
-m template — \
-d gentoo \
-t /path/to/stage4-i686-20070905.tar.bz2
# Build www
vserver www build \
–context 18 \
–hostname www \
–interface eth0:192.168.55.18/24 \
–initstyle gentoo \ (replace if needed)
-m template — \
-d gentoo \
-t /path/to/stage4-i686-20070905.tar.bz2
#start vservers
vserver mailfilter start
vserver mail start
vserver www start
#(optiomal) update (each) vservers
vserver www enter
emerge -pvu system
emerge -pvu world
revdep-rebuild -pv
3. Configure Mailfilter.
Emerge (install) postfix and MailScanner.
#Adjust needed use flags
USE=”clamav f-prot postfix spamassassin” ACCEPT_KEYWORDS=”~x86″ emerge -pv MailScanner
#open /etc/MailScanner/MailScanner.conf
#and edit according your needs
#open /etc/postfix/main.cnf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
relay_domains = example.com
relayhost = mail.example.com
header_checks = regexp:/etc/postfix/header_checks
;smtpd_delay_reject = yes
;smtpd_helo_required = yes
;smtpd_helo_restrictions =
; permit_mynetworks,
; check_helo_access
; hash:/etc/postfix/hello_access,
;reject_non_fqdn_hostname,
; reject_invalid_hostname,
; permit
;smtpd_sender_restrictions =
; permit_sasl_authenticated,
; permit_mynetworks,
; reject_non_fqdn_sender,
; reject_unknown_sender_domain,
; permit
;smtpd_recipient_restrictions =
; reject_unauth_pipelining,
; reject_non_fqdn_recipient,
; reject_unknown_recipient_domain,
; permit_mynetworks,
; permit_sasl_authenticated,
; reject_unauth_destination,
; permit
#run
postmap hello_access
# Create file
echo “/^Received:/ HOLD”>>/etc/postfix/header_checks
# Edit /etc/postfix/master.cf
#We set host name to be mail, not mailfilter in smtp greeting message
#change following line
#localhost:smtp inet n – n – – smtpd
#to
#localhost:smtp inet n – n – – smtpd -o myhostname=mail
#remove postfix from default run level
rc-update del postfix default
#add MailScanner to default run level
rc-update add MailScanner default
#and run it
/etc/init.d/MailScanner start
#on debian based distribution use update-rc.d command
#
#emerge spf
;ACCEPT_KEYWORDS=”~x86″ emerge -v pypolicyd-spf
#
# Add following to master.cf
;policyd-spf unix – n n – 0 spawn
; user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
# Add following ot main.cf
; reject_unauth_destination
; check_policy_service unix:private/policyd-spf
;
# emerge postgrey
;emerge -pv postgrey
; add to run level
;rc-update add postgrey default
4. Configure Mail.
4.1. Emerge (install) postfix and dovecot with sasl and ldap support. Process will vary depending of your Linux flavor. On Gentoo:
USE=”ssl ldap sasl sieve” emerge -pv postfix dovecot
4.2. Create vmail user[2].
Quote from [2]: “Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in. Take note of the User ID and Home Directory of vmail. Note the Group ID of vmail. We’ll be needing all of them later.“
4.3. Create a user ‘qu’ (or any other name) in MSAD with bigstrongpassword.
Note that user name , login and person name must all be the same. We will use this account information for querying ldap server only.
4.3. Configure postfix[2].
# create /etc/postfix/ldap_users.cf
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=person)(|(mail=%s)(othermailbox=%s)))
result_attribute=sAMAccountName
result_format=%s/.maildir/
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
# Create /etc/postfix/ldap-groups.cf [3]
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=group)(mail=%s))
leaf_result_attribute= mail
special_result_attribute = member
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
# Create /etc/postfix/ldap-forward.cf
server_host = dc1.example.com
search_base = dc=example,dc=com
version = 3
query_filter=(&(objectclass=person)(|(mail=%s)))
result_attribute=wWWHomePage
bind=yes
bind_dn=qu@example.com
bind_pw=bigstrongpassword
#edit /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname =mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = $mydomain
virtual_mailbox_base=/home/vmail/
virtual_mailbox_maps=ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps=static:1000
virtual_gid_maps=static:1000
virtual_alias_maps=ldap:/etc/postfix/ldap-groups.cf
recipient_bcc_maps=ldap:/etc/postfix/ldap-forward.cf
virtual_transport=dovecot
dovecot_destination_recipient_limit=1
message_size_limit=102400000
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8,172.16.55.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/mail2.key
smtpd_tls_cert_file = /etc/ssl/private/mail2.crt
smtpd_tls_CAfile = /etc/ssl/private/ca.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.5.5/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
home_mailbox = .maildir/
#Edit /etc/postfix/master.cf
#add dovecot transport and comment old local transport
local unix – n n – – pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver2 ${user}
;#move
;mv /usr/lib/postfix/local /usr/lib/postfix/localp
#create filе /usr/lib/postfix/local
#!/bin/bash
HOME=”/home/vmail/$1/” /usr/libexec/dovecot/deliver
4.4. Configure dovecot[2]
#edit (create) /etc/dovecot/dovecot-ldap.conf
hosts = dc1.example.com
dn = qu
dnpass = bigstrongpassword
auth_bind = yes
auth_bind_userdn =EXAMPLE\%u
ldap_version = 3
base = dc=example, dc=com
pass_filter = (&(objectClass=person)(uid=%u))
#edit /etc/dovecot/dovecot.conf
listen = [::]
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/private/mail2.crt
ssl_key_file = /etc/ssl/private/mail2.key
ssl_ca_file = /etc/ssl/private/ca.crt
mail_location = maildir:~/.maildir
protocol imap {
}
protocol pop3 {
}
protocol lda {
postmaster_address = postmaster@example.com
log_path = /home/vmail/dovecot-deliver.log
mail_plugins = cmusieve
sieve_global_dir = /home/vmail/
sieve_global_path=/home/vmail/global.sieve
}
auth_debug = yes
auth default {
mechanisms = plain
passdb pam {
args = “*”
}
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb passwd {
}
userdb static {
args = uid=1000 gid=1000 home=/home/vmail/%u
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
#create file /home/vmail/global.sieve
require [“fileinto”];
# Move spam to spam folder
if header :contains “X-Spam-Status” [“YES”] {
fileinto “spam”;
stop;
}
X-Spam-StatusTYESspam
5. Configure Horde.
5.1. Emerge (insall) Horde
USE=”crypt ldap mysql” ACCEPT_KEYWORDS=”~x86″ emerge -pv horde-webmail
5.2. Run setup
/var/www/localhost/htdocs/horde/scripts/setup.php
[1]Linux Vserver on Gentoo -useful on other distribution too:
http://www.gentoo.org/proj/en/vps/vserver-howto.xml
[2]Postfix and Dovecot ldap (MSAD) integration:
http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
[3]Active directory mailing list
http://www.linuxmail.info/postfix-active-directory-ldap-lookup-howto/
[4]
wget http://vserver.13thfloor.at/Experimental/patch-2.6.27.8-vs2.3.0.36.2.diff
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.8.tar.bz2
tar -xjvf linux-2.6.27.8.tar.bz2
cd linux-2.6.27.8
make menuconfig
patch –dry-run -p1 <../patch-2.6.27.8-vs2.3.0.36.2.diff
patch -p1 <../patch-2.6.27.8-vs2.3.0.36.2.diff
mail postfix-out # cd /
mail / # postfix -c /etc/postfix-out check
postfix: fatal: chdir(/var/spool/postfix-out): No such file or directory
mail / # mkdir /var/spool/postfix-out
mail / # postfix -c /etc/postfix-out check
USE=”crypt ldap mysql apache2 bcmath ctype curl exif ftp gd gmp imap inifile hash simplexml snmp soap truetype xml zip xmlreader imap ssl session xml nls iconv gd ftp ldapcrypt mysql mysqli” ACCEPT_KEYWORDS=”~amd64″ emerge -v php horde-webmail
