|
|
Installation Instruction
- All the comments, bug fixing, etc are welcome!
- Excuse my English please. I am not native english speaker.
- Following this installation you DO NOT NEED to make any compilations, gcc, make etc.
- I suppose here that we build multiple domain configuration.
- This instruction is supposed to be as detailed as possible.
- SSL/TLS (OpenSSH) topics are mostly not yet covered here.
- SmartPost can be implemented on any operating system that supports all the parts of SmartPost. But in this document I am orienting on Linux RedHAT 9.
Optional (not necessitate) installation steps are marked with 
Please, don't follow blind this instruction! Always remember about your particular configuration.
All this is about FRESH INSTALLATION.
If you have already the XMail server with users database then go through steps 2,3,5, and 6 of this instraction, download and run xmail2smartpost script that will transfer your current XMail database to SmartPost infrastructure.
Currently only Linux RedHAT9 installation notes are available.
Installation for other Linux/UNIX operating systems be about the same.
 1.1 All the unwanted demons should be stopped ...
1.2 All the unwanted packages should be uninstalled ...
Here is the final list of my packages after cleaning the installation rpms.txt
Total installation (excluding users mail boxes) for RedHat9 takes approximately 500Mb of disk space.
Users mail boxes on Linux operating systems are stored in /var/MailRoot/domains
1.3 Prepare packages that we need
RPM packages that come with RedHAT distribution are marked with 
Check please for the new available versions of all software.
SmartPost
Last version of SmartPost
1.4 Unpack SmartPost package
I suppose that SmartPost is unpacked to the /root/soft/smartpost directory
We need some files from this archive in the next sections.
2.1 Check if Apache and PHP packages are installed in the system
If not you should install this packages manually
Use #rpm -ihv httpd-2.0.40-8.rpm etc.
2.2 Apache configuration
Apache configuration file on RedHAT /etc/httpd/conf/httpd.conf
Set ServerName variable here to 127.0.0.1:80
ServerName 127.0.0.1:80
Thus Apache can resolve the name through the local hosts file.
2.3 PHP configuration
PHP configuration file is /etc/php.ini
Save old php.ini to php.ini.old #cp /etc/php.ini /etc/php.ini.old
In php.ini the following variables are important for us
Check you session.save_path variable points to /tmp that should be at least Apache writable.
mysql.default_socket = "/var/lib/mysql/mysql.sock" is for RedHAT.
Check where you have mysql.sock
3.1 Check if MySQL packages are installed in the system
mysql-x.xx.xx-x
mysql-server-x.xx.xx-x
If not you should install this packages manually
Use #rpm -ihv mysql-x.xx.xx-x.rpm etc.
After installation check your /etc/my.cnf MySQL config file. Here is my (it is short as a rule)
3.2 Set password for root account of MySQL
We do not need to create root account for MySQL. It is always created there with an empty password by default. Let's set the new password for root
#mysqladmin -u root -p password '*****' password here without qoutes
You will be asked to enter old password, as it's empty in the beginning just press [Enter].
Don't use your real system root password here!
To change password use command
#mysqladmin -u root -p password '******' new password here without qoutes (you will be asked to enter your old password)
3.3 Database creation
Create empty database
My database's name is "mail". You can choose any other name. Just remember this name and change your configs according this name.
Login to MySQL
#mysql -u root -p (you will be asked to enter password)
Create database mysql> create database mail;
Create tables inside mail database
We have unpacked our SmartPost package to /root/soft/smartpost (see 1.4)
There is a file smartpost.sql inside /other-files directory. It contains SQL commands to create tables for our mail database. To import these commands to MySQL use
#mysql -u root -p mail</root/soft/smartpost/other-files/smartpost.sql
Where mail is your mail database name. You will be asked for MySQL's root password.
3.4 Create MySQL accounts to rule our system
Use mysql_setpermission interactive program.
This nice program can create accounts that we need and give priveleges to this new created accounts.
All this accounts below should have an access to database only from localhost for security reasons.
mailadmin account
This account has full control only over mail database.
Use mysql_setpermission program choise 3
Choose mail database and localhost.
Choose password for mailadmin account. Don't forget this password.
We can use ordinary MySQL command line interface
GRANT ALL PRIVILEGES ON mail.* TO mailadmin.localhost IDENTIFIED BY '*****'
Note localhost here and password inside quotes (enter your password inside qoute marks).
It's pretty strange, but once I tried to use the same password as loginname for mailadmin account I could not log in to mysql.
You can use the same account to rule mail database trough the mysql command line or from web-interface of phpMyAdmin.
Check all new created accounts
Use command mysqlaccess. It has syntax
#mysqlaccess -U root -P password NAME DBASE
where password (without any quotemarks) is your root MySQL password from 3.2 of this instruction.
Note -U and -P are big letters here.
NAME and DBASE are account name and database name to ckeck permissions.
For example
3.5 phpMyAdmin installation
This is optional software but it can be extremly useful during the installation and testing our mail system. phpMyAdmin is really powerfull tool that can manage a whole MySQL server as well as a single database.
See phpMyAdmin documentation for more details.
Remember, phpMyAdmin is a powerfull tool. Use it carefully. You can find a link to documentation on the welcome screen.
It is probably not bad idea to disable phpMyAdmin (for security reasons) after the installation and tuning of whole mail system is done.
4.1 XMail installation
Official XMail documentation is here.
Use ordinary .rpm package (see in download section)
| xmail installation in |
/var/MailRoot |
| xmail documentation |
/var/MailRoot/docs |
| configuration files |
/var/MailRoot/ |
| binary files |
/var/MailRoot/bin |
| mail boxes |
/var/MailRoot/domains |
Set MAIL_ROOT system variabel
# export MAIL_ROOT=/var/MailRoot
Or set it permanently inside /etc/profile
Check this variabel
# set | grep MAIL_ROOT
4.2 XMail configuration
You can find a nice article about XMail configuration here. Note that we do not need to configure alaises.tab, domainaliases.tab, mailusers.tab etc manually. We can do this later through our web interface of SmartPost.
finger.ipmap.tab , domains.tab , ctrl.ipmap.tab, smtp.ipmap.tab
- Deny access to finger in finger.ipmap.tab file
"0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]
- Allow control access to XMail only from localhost in ctrl.ipmap.tab file
"0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]
"127.0.0.1"[tab]"255.0.0.0"[tab]"ALLOW"[tab]"2"[newline]
- Allow all access to SMTP in smtp.ipmap.tab file
"0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]
- Allow all access to POP3 in pop3.ipmap.tab file
"0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]
- Clear domains.tab file, because we are going to support mail for many domains
Create administrator account - ctrlaccounts.tab
All XMail administrators accounts are registered in ctrlaccounts.tab file.
In form "accountname"[TAB]"accountspass_MD5_crypt"[newline]
First we use utilite XMCrypt from /var/MailRoot/bin. This utilite can crypt any string line using MD5 cryptering algoritm.
Like this #./XMCrypt yourpassword
Insert the string you get into your ctrlaccounts.tab.
You will login to SmartPost server administrator interface using this account (see 6.4).
Server configuration - server.tab
There are some variables to control here.
Because of multidomain configuration place your most important domain here.
Enable XMail statistics
SmartPost includes statistics modules. To make them work we should enable statistics for XMail through the command line.
To start XMail demon with particular command line parameters we have to edit
/etc/rc.d/init.d/xmail
In the beginning of this file find the spesial variabel XMAIL_CMD_LINE
Set this variabel like this
XMAIL_CMD_LINE="-Mr 24 -Pl -Sl -Ql -Fl -Cl -Ll"
Where
-Mr hours. Set log rotate hours step. 24 hours is one day to enable dayli logs.
-Pl Enable POP3 logging.
-Sl Enable SMTP logging.
-Ql Enable SMAIL logging.
-Fl Enable FINGER logging.
-Cl Enable CTRL logging.
-Ll Enable local mail logging.
For more details see XMail documentation command line section.
Restart XMail after all
# service xmail restart
5.1 Courier-IMAP installation
I use rpm packages to install Courier-IMAP. The are available in download section
courier-imap-2.0.0-1.9.i386.rpm
courier-imap-mysql-2.0.0-1.9.i386.rpm
If Courier says that he needs something like
libcrypto.so.xxx
libssl.so.xxx
libfam.so.xxx
You should install openssl-xxx.rpm and fam-xxx.rpm packages. Both packages come with RedHat Linux distributive .
5.2 Courier-IMAP configuration
Courier-IMAP config files are situated in /usr/lib/courier-imap/etc
copy config files
Take this two files from /smartpost/other-files/courier-configs directory where SmartPost was unpacked.
See section 1.4 of this instruction.
authdaemonrc
authmysqlrc
Copy this two files to Courier's config area in /usr/lib/courier-imap/etc
authmysqlrc
Check variables here to meet your config
MYSQL_SERVER localhost MySQL server
MYSQL_USERNAME mailadminpass administrators loginname (see section 3.4)
MYSQL_PASS mailadmin administrators password
MYSQL_DATABASE mail database name (section 3.3)
Set ADDRESS in imapd config file
Set ADDRESS=0 here
Disable SSL support in imapd-ssl config file
Since SmartPost does not support SSL/TLS yet we should disable SSL for Courier.
Otherwise SmartPost can't access users mail boxes through IMAP protocol.
Set to "NO" two variables
imapdsslstart=NO
imapdstarttls=NO
Disable POP3 in pop3d and pop3d_ssl config files
XMail MTA hase it's own POP3 demon. Thus we should disable POP3 part of Courier.
- /usr/lib/courier-imap/etc/pop3d go down to the bottom of file and set
POP3DSTART=NO
- /usr/lib/courier-imap/etc/pop3d-ssl in the middle of file set
POP3_STARTTLS=NO
POP3DSSLSTART=NO
Restart Courier-IMAP
After this configuration SMTP and POP3 services are provided by XMail, and IMAP is provided by Courier-IMAP.
Original Courier-IMAP software has two special problems in a combination with XMail MTA.
How to solve this problem see Post-installation section at the end of this document.
6.1 SmartPost installation
We have unpacked SmartPost package to /root/soft/smartpost directory. See section 1.4 of this instruction.
Copy now the contents of this directory to /var/www/smartpost
Copy verdana.ttf font file (this file comes with smartpost package) to /usr/local/fonts/ttf
After all we should check that /var/www/smartpost/temp directory is at least Apache writable.
6.2 Apache virtual catalog
Apache config file on RedHat is /etc/httpd/conf/httpd.conf
In Alias subsection of this file add alias to SmartPost installation directory. For example:
Restart Apache after all
#service httpd restart on RedHAT or
#apachectl restart on other UNIX's operating systems.
6.3 SmartPost configuration
confglobal.php config file
SmartPost hase just one config file, this is confglobal.php file inside main SmartPost directory.
Just edit this file to feet your configs.
Quota Monitor configuration
Quota Monitor runs according to some shedule and creates reports about mail boxs sizes.
Since Quota Monitor is an external perl module (thanks Shawn Anderson for this module) it needs some special configurations.
Quota Monitor is situated in the ../scripts subdirectory of SmartPost installation
There are 4 files there:
The only difference between hourly and weekly scripts is that weekly script sends reports to administrator account. And hourly script does not to escape annoying.
See this variables inside the XMQuotaMonitor.xxxx.pl scripts
To configure this scripts to make them work correctly check this variables inside just in the beginning of perl program
- Configure cron demon to run our scripts periodically.
First create file named 'root' in /var/spool/cron
This file should contains cron's demon instructions
I know that this is the sequrity issue to run this scripts from root account, but only root by default (and I don't know how to change this) has an access to users mail boxes.
Here is an example of /var/spool/cron/root
By the way take a look at your /etc/crontab
There is a MAILTO variable inside.
You can either empty them or set to your real e-mail address.
But don't set them simply to 'root' or other username (because then mail notifications from cron demon go to nowhere and just lie in spool forever).
Besides we can monitor cron demon activity in /var/log/cron
Garbage Eraser configuration
If a user is aborting a mail but has uploaded some attachments to it
the files will be lying around the /temp
directory forever if we do not remove them.
To fix this, it is recommended to create a cron job that deletes everything
in the attachment directory.
We have a special script /scripts/GarbageEraser.sh that does this for us. This script delete files that where not accessed for the last 30 days.
To run this script daily we should edit our /var/spool/cron/root file and add there
30 3 * * * /var/www/smartpost/scripts/GarbageEraser.sh
6.4 Test your installation
Point your web browser to :
| Users web mail client interface |
http://YourServerNameOrIP/webmail |
| Mail domains admin interface |
http://YourServerNameOrIP/webmail/admin |
| Server admin interface |
http://YourServerNameOrIP/webmail/sadmin |
Login to the server administartor interface using XMail control account created in 4.2
You can create now mail domains and users accounts inside this domains.
After domains creation you can login to domain administration interface to manage your domains.
It is possible to use as a web-mail user interface any other web-mail clients like Squirrelmail and IMP-Horde. But features related to XMail like black lists will not be available.
Security configuration is optional but strongly reccomendet.
The ports are supposed to be opened on our mail server
7.1 Internal part
The network security level can be improved using internal UNIX firewall system
netfilter
- I have realised that lokkit program (comes with RedHAT) creates a config file that is NOT compleetly correct.
I do _NOT_ reccomend to use lokkit for SMTP server's firewall configuration.
On RedHAT operating system netfilter configuration is stored in /etc/sysconfig/iptables
Here is the iptables config file that I use for my installations.
You can just take this file and copy them over your /etc/sysconfig/iptables
But do not forget to change 192.168.1.1 there to your real IP.
- Use #iptables -L to list all chains and to check your config.
Disable telnet, use always SSH instead.
Check all ports are listening with #netstat -ln and #netstat -lnp
Check all open ports from external system with nmon program
To improve security level, use any sniffer software.
Sniffer gives the possibility to listen to the all traffic on server's network interfaces,
and logs this traffic for later analysis. Sniffer's configuration is a special and
complicated topic.
I like snort. The Pig lives here www.snort.org
Other useful software are tcpdump (www.tcpdump.org) and ettercap (ettercap.sourceforge.net)
7.2 External part
Configure access lists to filter IP traffic on routers, switches or other
outstanding connection devices.
Here is the example of such configuration.
Suppose, that our server has an IP address 158.39.26.110 and is connected to the
Ethernet interface 0 of Cisco router.
In this example packets are filtered before they exit an interface, after the routing decision.
In terms of Cisco IOS, the trivial extended access list's configuration
looks something like this (without SSL)
Remember, if a packet does not match any of access list statements, the packet will be blocked. Thus, we do not need to use [deny any any] at the end of the list.
During the installation process we have made some special accounts in the system.
Here is the list of this accounts with comments.
Operating System accounts
root the most important account in operating system
MySQL database accounts (see 3.4)
mailadmin this account has administrative rights over our mail database
XMail MTA control account and SmartPost server admin login
(see 4.2 administrator account)
xmailadmin account to control XMail MTA. It is stored in /var/MailRoot/ctrlaccounts.tab and hase MD5 crypted password.
Login using this account with your browser to http://YourServerName/webmail/sadmin
(see 6.4)
Original Courier-IMAP software has two special problems in a combination with XMail MTA.
These problems are a kind of incapability.
- Courier-IMAP can not deal on the right way with XMail mail files format (this is the problem of <CRLF> end of lines). As a consequence massagies can be unreadable in some MUAs through IMAP protocol.
- Courier-IMAP marks mail files in a special order. And this marked files are read by XMail like new mail files. As a consequence users can get double and triple copies of the same message through POP protocol after previous IMAP access.
This problems are not critical, but can irritate users.
To solve this you can use patched Linux binary versions of XMail 1.17 and Courier-IMAP demon v2.0.0 from download section.
This binary replacements are ONLY FOR XMail 1.17 and Courier-IMAP 2.0.0 !
Patches can be implemented separately. They are independed.
- To solve 'double POP messages problem'
Replace your /var/MailRoot/bin/XMail file with the file from xmail117-patched.zip archive.
-To solve '<CRLF> problem'
Replace your /usr/lib/courier-imap/bin/imapd file with the file from
imapd200-patched.zip archive.
Patches source codes are in download section.
You can find some other materials how to tune your new mail server on How To page
- How to close an open relay
- How to configure max size of file attachments
- How to implement anti-virus filters
- How to implement open-relay-databases and black lists checks
|
|
|
