• Installation Instruction
    - All comments, bug fixes, etc. are welcome!
    - Please excuse my English; I am not a native English speaker.
    - Following this installation you DO NOT NEED to do any compiling (gcc, make etc.).
    - I assume here that we are building a multiple-domain configuration.
    - This instruction is meant to be as detailed as possible.
    - SSL/TLS (OpenSSH) topics are mostly not yet covered here.
    - SmartPost can be implemented on any operating system that supports all the parts of SmartPost, but in this document I am oriented on Linux Red Hat 9.

    Optional (not required) installation steps are marked with

    Please, don't follow this instruction blindly! Always keep your particular configuration in mind.

    All of this is about a FRESH INSTALLATION.
    If you already have an XMail server with a users database, then go through steps 2, 3, 5 and 6 of this instruction, then download and run the xmail2smartpost script, which transfers your current XMail database to the SmartPost infrastructure.



    0. Operating system
    Currently only Linux Red Hat 9 installation notes are available.
    Installation on other Linux/UNIX operating systems should be about the same.


    1. Preparations
    1.1 All unwanted daemons should be stopped ...

    1.2 All unwanted packages should be uninstalled ...
    Here is the final list of my packages after cleaning the installation: rpms.txt
    A total installation (excluding users' mail boxes) on Red Hat 9 takes approximately 500Mb of disk space.
    Users' mail boxes on Linux operating systems are stored in /var/MailRoot/domains

    1.3 Prepare the packages that we need
    RPM packages that come with the Red Hat distribution are marked with
    Please check for new available versions of all the software.
  • MySQL
    mysql-xxx.rpm
    mysql-server-xxx.rpm

  • Apache and PHP
    Apache:
    httpd-xxx.rpm
    Apache modules:
    mod_ssl-xxx.rpm
    mod_auth_mysql-xxx.rpm
    PHP:
    php-xxx.rpm
    php-mysql-xxx.rpm
    php-imap-xxx.rpm

  • XMail
    xmail-1.17-1.i386.rpm

  • Courier IMAP
    courier-imap-2.0.0-1.9.i386.rpm
    courier-imap-mysql-2.0.0-1.9.i386.rpm

  • SmartPost
    Latest version of SmartPost

    1.4 Unpack the SmartPost package
    I assume that SmartPost is unpacked into the /root/soft/smartpost directory.
    We will need some files from this archive in the next sections.


    2. Apache & PHP
    2.1 Check whether the Apache and PHP packages are installed in the system

    If not, you should install these packages manually.
    Use  #rpm -ihv httpd-2.0.40-8.rpm  etc.

    2.2 Apache configuration
    The Apache configuration file on Red Hat is /etc/httpd/conf/httpd.conf
    Set the ServerName variable here to 127.0.0.1:80
     ServerName 127.0.0.1:80 
    Thus Apache can resolve the name through the local hosts file.

    2.3 PHP configuration
    The PHP configuration file is /etc/php.ini
    Save the old php.ini as php.ini.old:  #cp /etc/php.ini /etc/php.ini.old 

    In php.ini the following variables are important for us

    Check that your session.save_path variable points to /tmp, which should be at least writable by Apache.
    mysql.default_socket = "/var/lib/mysql/mysql.sock" is the value for Red Hat.
    Check where your mysql.sock is.

    3. MySQL
    3.1 Check whether the MySQL packages are installed in the system
    mysql-x.xx.xx-x
    mysql-server-x.xx.xx-x

    If not, you should install these packages manually.
    Use  #rpm -ihv mysql-x.xx.xx-x.rpm  etc.

    After installation check your MySQL config file /etc/my.cnf. Here is mine (it is short, as a rule)


    3.2 Set a password for the MySQL root account
    We do not need to create the root account for MySQL. It is always created with an empty password by default. Let's set a new password for root:
     #mysqladmin -u root -p password '*****'  (your password here, without quotes)
    You will be asked to enter the old password; as it is empty in the beginning, just press [Enter].
    Don't use your real system root password here!

    To change the password later use the command
     #mysqladmin -u root -p password '******'  (the new password here, without quotes; you will be asked to enter your old password)


    3.3 Database creation
  • Create an empty database
    My database's name is "mail". You can choose any other name; just remember this name and change your configs according to it.
    Login to MySQL:
     #mysql -u root -p  (you will be asked to enter the password)

    Create the database:  mysql> create database mail;

  • Create tables inside the mail database
    We have unpacked our SmartPost package to /root/soft/smartpost (see 1.4).
    There is a file smartpost.sql inside its /other-files directory. It contains the SQL commands that create the tables for our mail database. To import these commands into MySQL use
     #mysql -u root -p mail </root/soft/smartpost/other-files/smartpost.sql 
    where mail is your mail database name. You will be asked for MySQL's root password.


    3.4 Create MySQL accounts to manage our system
    Use the mysql_setpermission interactive program.
    This nice program can create the accounts that we need and give privileges to these newly created accounts.
    All the accounts below should have access to the database only from localhost, for security reasons.

  • mailadmin account
    This account has full control only over the mail database.
    Use mysql_setpermission, choice 3.
    Choose the mail database and localhost.
    Choose a password for the mailadmin account. Don't forget this password.
    We can also use the ordinary MySQL command line interface:
    GRANT ALL PRIVILEGES ON mail.* TO mailadmin@localhost IDENTIFIED BY '*****';
    Note the localhost here and the password inside quotes (enter your password inside the quote marks).

    It's pretty strange, but once I tried to use the same password as the login name for the mailadmin account, I could not log in to MySQL.
    You can use the same account to manage the mail database through the mysql command line or from the phpMyAdmin web interface.

  • Check all newly created accounts
    Use the command mysqlaccess. It has the syntax
     #mysqlaccess -U root -P password NAME DBASE 
    where password (without any quote marks) is your MySQL root password from 3.2 of this instruction.
    Note that -U and -P are capital letters here.
    NAME and DBASE are the account name and database name whose permissions you want to check.

    For example


    3.5 phpMyAdmin installation
    This is optional software, but it can be extremely useful during the installation and testing of our mail system. phpMyAdmin is a really powerful tool that can manage a whole MySQL server as well as a single database. See the phpMyAdmin documentation for more details.

    Remember, phpMyAdmin is a powerful tool. Use it carefully. You can find a link to the documentation on the welcome screen.
    It is probably not a bad idea to disable phpMyAdmin (for security reasons) after the installation and tuning of the whole mail system is done.



    4. SMTP server - MTA XMail

    4.1 XMail installation
    Official XMail documentation is here.
  • Use the ordinary .rpm package (see the download section)
    xmail is installed in /var/MailRoot
    xmail documentation: /var/MailRoot/docs
    configuration files: /var/MailRoot/
    binary files: /var/MailRoot/bin
    mail boxes: /var/MailRoot/domains
  • Set the MAIL_ROOT system variable
     # export MAIL_ROOT=/var/MailRoot 
    Or set it permanently inside /etc/profile.
    Check this variable:
     # set | grep MAIL_ROOT 

    4.2 XMail configuration
    You can find a nice article about XMail configuration here. Note that we do not need to configure aliases.tab, domainaliases.tab, mailusers.tab etc. manually. We can do this later through the SmartPost web interface.

  • finger.ipmap.tab, domains.tab, ctrl.ipmap.tab, smtp.ipmap.tab, pop3.ipmap.tab
    - Deny access to finger in the finger.ipmap.tab file
    "0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]

    - Allow control access to XMail only from localhost in the ctrl.ipmap.tab file
    "0.0.0.0"[tab]"0.0.0.0"[tab]"DENY"[tab]"1"[newline]
    "127.0.0.1"[tab]"255.0.0.0"[tab]"ALLOW"[tab]"2"[newline]

    - Allow all access to SMTP in the smtp.ipmap.tab file
    "0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]

    - Allow all access to POP3 in the pop3.ipmap.tab file
    "0.0.0.0"[tab]"0.0.0.0"[tab]"ALLOW"[tab]"1"[newline]

    - Clear the domains.tab file, because we are going to support mail for many domains
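    The ipmap.tab format used above, as an added shell example that is not part of SmartPost or XMail: it writes the ctrl.ipmap.tab lines shown and then checks the file for the mistakes that matter, a malformed line or an ALLOW entry for a non-loopback address. The MAIL_ROOT path and the four-field line layout are taken from this section; the script itself is my own and nothing in the XMail package provides it.

```shell
#!/bin/sh
# Added example, not part of SmartPost or XMail: generate the ipmap.tab
# entries described above and verify them before XMail reads the file.
# Assumptions: MAIL_ROOT defaults to /var/MailRoot (section 4.1) and an
# ipmap.tab line is "address"<TAB>"netmask"<TAB>"ALLOW|DENY"<TAB>"precedence".

TAB="$(printf '\t')"

# Print one ipmap.tab line in XMail's quoted, tab-separated format.
# Arguments: address netmask ALLOW|DENY precedence
ipmap_line() {
    printf '"%s"%s"%s"%s"%s"%s"%s"\n' "$1" "$TAB" "$2" "$TAB" "$3" "$TAB" "$4"
}

# Write the control-port map: deny everything at precedence 1, then allow
# the loopback network at the higher precedence 2 (the 4.2 fragment).
write_ctrl_ipmap() {
    {
        ipmap_line 0.0.0.0   0.0.0.0   DENY  1
        ipmap_line 127.0.0.1 255.0.0.0 ALLOW 2
    } > "$1"
}

# Check a ctrl.ipmap.tab: every line must have exactly four quoted fields,
# a valid action and a numeric precedence, and no ALLOW entry may name a
# non-loopback address (the CTRL port must stay reachable only locally).
# Prints each offending line; returns 1 if any was found.
check_ctrl_ipmap() {
    awk -F "$TAB" '
        NF != 4 { print "malformed (" NF " tab-separated fields): " $0; bad = 1; next }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^"[^"]*"$/) { print "unquoted field " i ": " $0; bad = 1; next }
        }
        $3 != "\"ALLOW\"" && $3 != "\"DENY\"" { print "bad action: " $0; bad = 1; next }
        $4 !~ /^"[0-9]+"$/ { print "bad precedence: " $0; bad = 1; next }
        $3 == "\"ALLOW\"" && $1 != "\"127.0.0.1\"" {
            print "ALLOW for non-loopback address: " $0; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Usage (as root; writes only when a target file is given):
#   sh ipmap-check.sh "${MAIL_ROOT:-/var/MailRoot}/ctrl.ipmap.tab"
if [ -n "${1:-}" ]; then
    write_ctrl_ipmap "$1" && check_ctrl_ipmap "$1" && echo "$1: OK"
fi
```

    Run check_ctrl_ipmap against the file after every hand edit: a stray space instead of a tab, or an ALLOW line copied from smtp.ipmap.tab, is exactly what it reports.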

  • Create the administrator account - ctrlaccounts.tab
    All XMail administrator accounts are registered in the ctrlaccounts.tab file,
    in the form  "accountname"[TAB]"accountspass_MD5_crypt"[newline] 
    First we use the XMCrypt utility from /var/MailRoot/bin. This utility can encrypt any string using the MD5 algorithm,
    like this:  #./XMCrypt yourpassword
    Insert the string you get into your ctrlaccounts.tab.
    You will log in to the SmartPost server administrator interface using this account (see 6.4).

  • Server configuration - server.tab
    There are some variables to control here.

    Because of the multidomain configuration, place your most important domain here.


  • Enable XMail statistics
    SmartPost includes statistics modules. To make them work we should enable statistics for XMail through the command line.
    To start the XMail daemon with particular command line parameters we have to edit
    /etc/rc.d/init.d/xmail
    At the beginning of this file find the special variable XMAIL_CMD_LINE.
    Set this variable like this:
    XMAIL_CMD_LINE="-Mr 24 -Pl -Sl -Ql -Fl -Cl -Ll"
    where
    -Mr hours: set the log rotation step in hours. 24 hours is one day, which gives daily logs.
    -Pl Enable POP3 logging.
    -Sl Enable SMTP logging.
    -Ql Enable SMAIL logging.
    -Fl Enable FINGER logging.
    -Cl Enable CTRL logging.
    -Ll Enable local mail logging.
    For more details see the command line section of the XMail documentation.

  • Restart XMail after all this
     # service xmail restart 

    5. Courier IMAP

    5.1 Courier-IMAP installation
    I use rpm packages to install Courier-IMAP. They are available in the download section:
    courier-imap-2.0.0-1.9.i386.rpm
    courier-imap-mysql-2.0.0-1.9.i386.rpm

    If Courier says that it needs something like
    libcrypto.so.xxx
    libssl.so.xxx
    libfam.so.xxx
    you should install the openssl-xxx.rpm and fam-xxx.rpm packages. Both packages come with the Red Hat Linux distribution.

    5.2 Courier-IMAP configuration
    Courier-IMAP config files are located in /usr/lib/courier-imap/etc

  • Copy config files
    Take these two files from the /smartpost/other-files/courier-configs directory where SmartPost was unpacked
    (see section 1.4 of this instruction):
    authdaemonrc
    authmysqlrc
    Copy these two files to Courier's config area in /usr/lib/courier-imap/etc

  • authmysqlrc
    Check the variables here to match your config
     MYSQL_SERVER localhost   MySQL server
     MYSQL_USERNAME mailadmin  administrator's login name (see section 3.4)
     MYSQL_PASS mailadminpass  administrator's password
     MYSQL_DATABASE mail  database name (section 3.3)

  • Set ADDRESS in the imapd config file
    Set ADDRESS=0 here

  • Disable SSL support in the imapd-ssl config file
    Since SmartPost does not support SSL/TLS yet, we should disable SSL for Courier.
    Otherwise SmartPost can't access users' mail boxes through the IMAP protocol.
    Set two variables to "NO":
    imapdsslstart=NO
    imapdstarttls=NO

  • Disable POP3 in the pop3d and pop3d-ssl config files
    The XMail MTA has its own POP3 daemon. Thus we should disable the POP3 part of Courier.
    - In /usr/lib/courier-imap/etc/pop3d go down to the bottom of the file and set
    POP3DSTART=NO
    - In /usr/lib/courier-imap/etc/pop3d-ssl, in the middle of the file, set
    POP3_STARTTLS=NO
    POP3DSSLSTART=NO
  • Restart Courier-IMAP


  • After this configuration SMTP and POP3 services are provided by XMail, and IMAP is provided by Courier-IMAP.

    The original Courier-IMAP software has two particular problems in combination with the XMail MTA.
    How to solve them is described in the Post-installation section at the end of this document.
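    An added shell helper (mine, not code from SmartPost, XMail or Courier) that covers both the XMAIL_CMD_LINE edit in 4.2 and the Courier switches in 5.2: it sets a NAME=value line in a shell-style config file, keeps a .bak copy, and reads the value back so the edit can be verified before the daemon is restarted. It assumes these files are plain shell assignments that the init scripts source; the file names and variable names come from this document.

```shell
#!/bin/sh
# Added example, not SmartPost, XMail or Courier code: set NAME=value lines
# in shell-style config files in place, with a backup, so the hand edits in
# 4.2 (XMAIL_CMD_LINE in /etc/rc.d/init.d/xmail) and 5.2 (the imapd-ssl,
# pop3d and pop3d-ssl files under /usr/lib/courier-imap/etc) become
# repeatable and can be verified afterwards. Assumption: these files are
# plain shell assignments sourced by their init scripts.

# set_var FILE NAME VALUE: rewrite the first active NAME= line (commented
# lines are left alone), or append one if the file has none. The previous
# content is kept in FILE.bak. Values containing | or & are not handled.
set_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || { echo "set_var: $file does not exist" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    case $value in
        *[[:space:]]*) repl="$name=\"$value\"" ;;   # quote values with spaces
        *)             repl="$name=$value" ;;
    esac
    if grep -q "^$name=" "$file.bak"; then
        sed "s|^$name=.*|$repl|" "$file.bak" > "$file"
    else
        printf '%s\n' "$repl" >> "$file"
    fi
}

# get_var FILE NAME: print the value of the first active NAME= line, with
# surrounding double quotes removed; prints nothing if there is none.
get_var() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | head -n 1
}

# Usage (as root):
#   set_var /etc/rc.d/init.d/xmail XMAIL_CMD_LINE "-Mr 24 -Pl -Sl -Ql -Fl -Cl -Ll"
#   set_var /usr/lib/courier-imap/etc/pop3d POP3DSTART NO
#   get_var /usr/lib/courier-imap/etc/pop3d POP3DSTART     # prints NO
```

    The .bak copy is what you diff against if the daemon refuses to start after the change; get_var only reads the first uncommented assignment, which is the one the init script uses.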


    6. SmartPost web-client
    6.1 SmartPost installation
    We have unpacked the SmartPost package to the /root/soft/smartpost directory. See section 1.4 of this instruction.
    Now copy the contents of this directory to /var/www/smartpost

    Copy the verdana.ttf font file (this file comes with the SmartPost package) to /usr/local/fonts/ttf

    After all this we should check that the /var/www/smartpost/temp directory is at least writable by Apache.

    6.2 Apache virtual directory
    The Apache config file on Red Hat is /etc/httpd/conf/httpd.conf
    In the Alias subsection of this file add an alias to the SmartPost installation directory. For example:

    Restart Apache after all this:
         #service httpd restart   on Red Hat, or
         #apachectl restart   on other UNIX operating systems.

    6.3 SmartPost configuration
  • confglobal.php config file
    SmartPost has just one config file: the confglobal.php file inside the main SmartPost directory.
    Just edit this file to fit your configuration.

  • Quota Monitor configuration
    Quota Monitor runs according to some schedule and creates reports about mail box sizes.
    Since Quota Monitor is an external perl module (thanks to Shawn Anderson for this module) it needs some special configuration.
    Quota Monitor is located in the ../scripts subdirectory of the SmartPost installation.
    There are 4 files there: The only difference between the hourly and weekly scripts is that the weekly script sends reports to the administrator account, and the hourly script does not, to avoid being annoying.
    See these variables inside the XMQuotaMonitor.xxxx.pl scripts

    To configure these scripts so that they work correctly, check these variables right at the beginning of the perl program

    - Configure the cron daemon to run our scripts periodically.
    First create a file named 'root' in /var/spool/cron
    This file should contain the cron daemon's instructions.
    I know that it is a security issue to run these scripts from the root account, but by default only root (and I don't know how to change this) has access to users' mail boxes.
    Here is an example of /var/spool/cron/root

    By the way, take a look at your /etc/crontab.
    There is a MAILTO variable inside.
    You can either leave it empty or set it to your real e-mail address.
    But don't set it simply to 'root' or another username (because then mail notifications from the cron daemon go nowhere and just lie in the spool forever).
    Besides, we can monitor the cron daemon's activity in /var/log/cron

  • Garbage Eraser configuration
    If a user aborts a mail but has already uploaded some attachments to it, the files will lie around in the /temp directory forever unless we remove them. To fix this, it is recommended to create a cron job that deletes everything in the attachment directory.
    We have a special script, /scripts/GarbageEraser.sh, that does this for us. This script deletes files that were not accessed for the last 30 days.
    To run this script daily we should edit our /var/spool/cron/root file and add there
     30 3 * * * /var/www/smartpost/scripts/GarbageEraser.sh 
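    As an added example of what such a cron job does (my script, not the GarbageEraser.sh that ships with SmartPost): the function below removes files under a directory that have not been accessed for 30 days, with a dry-run mode and path checks so it cannot be pointed at the wrong directory by a typo. The temp path /var/www/smartpost/temp is the installation path from 6.1.

```shell
#!/bin/sh
# Added example, not SmartPost's own GarbageEraser.sh: remove files in the
# SmartPost temp directory that have not been accessed for DAYS days, which
# is what the cron entry above exists for. Assumptions: the directory is
# /var/www/smartpost/temp (installation path from 6.1) and holds nothing
# but uploaded attachments, so stale files there can be deleted safely.

# erase_stale DIR DAYS [--dry-run]: print each file removed (or, with
# --dry-run, each file that would be). Refuses anything that is not an
# existing absolute directory path, so a typo cannot turn into rm on /.
erase_stale() {
    dir=$1; days=${2:-30}; mode=${3:-}
    case $dir in
        /)  echo "erase_stale: refusing to clean /" >&2; return 2 ;;
        /*) ;;
        *)  echo "erase_stale: '$dir' must be an absolute path" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "erase_stale: $dir is not a directory" >&2; return 2; }
    case $days in
        ""|*[!0-9]*) echo "erase_stale: DAYS must be a number" >&2; return 2 ;;
    esac
    # -atime +N selects files last accessed more than N days ago; only
    # regular files are removed, subdirectories are kept for new uploads.
    find "$dir" -type f -atime "+$days" -print | while IFS= read -r f; do
        if [ "$mode" = "--dry-run" ]; then
            echo "would remove: $f"
        else
            rm -f -- "$f" && echo "removed: $f"
        fi
    done
}

# Usage, e.g. from the 03:30 cron job above:
#   erase_stale /var/www/smartpost/temp 30
#   erase_stale /var/www/smartpost/temp 30 --dry-run   # only list candidates
```

    Run it once with --dry-run from the shell before putting it in cron; the list it prints is exactly what the nightly job will delete.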

    6.4 Test your installation
    Point your web browser to:
    Users' web mail client interface http://YourServerNameOrIP/webmail
    Mail domains admin interface http://YourServerNameOrIP/webmail/admin
    Server admin interface http://YourServerNameOrIP/webmail/sadmin

    Log in to the server administrator interface using the XMail control account created in 4.2.
    You can now create mail domains and user accounts inside these domains.
    After creating domains you can log in to the domain administration interface to manage your domains.

    It is possible to use any other web-mail client, like SquirrelMail or IMP-Horde, as the web-mail user interface. But XMail-related features, like black lists, will not be available.



    7. Basic Network Security Configuration

    Security configuration is optional but strongly recommended.
    These ports are supposed to be open on our mail server

    7.1 Internal part
  • The network security level can be improved using the internal UNIX firewall system

  • netfilter
    - I have realised that the lokkit program (comes with Red Hat) creates a config file that is NOT completely correct.
    I do _NOT_ recommend using lokkit for the SMTP server's firewall configuration.
    On the Red Hat operating system the netfilter configuration is stored in /etc/sysconfig/iptables

    Here is the iptables config file that I use for my installations.
    You can just take this file and copy it over your /etc/sysconfig/iptables,
    but do not forget to change 192.168.1.1 there to your real IP.

    - Use  #iptables -L  to list all chains and to check your config.

  • Disable telnet; always use SSH instead.
  • Check which ports are listening with  #netstat -ln  and  #netstat -lnp
  • Check all open ports from an external system with the nmap program
  • To improve the security level, use some sniffer software.
    A sniffer gives the possibility to listen to all the traffic on the server's network interfaces and log this traffic for later analysis. Sniffer configuration is a special and complicated topic.
    I like snort. The Pig lives at www.snort.org
    Other useful software is tcpdump (www.tcpdump.org) and ettercap (ettercap.sourceforge.net)
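    To make the netstat check above repeatable, here is an added shell audit (mine, not part of SmartPost): it reads saved `netstat -ln` output and reports any listener that is not on the expected list, and any local-only service such as MySQL that is bound to a non-loopback address. The port numbers are my assumption: the standard ports of the services this document sets up, not values taken from the page.

```shell
#!/bin/sh
# Added example, not part of SmartPost: audit saved `netstat -ln` output
# against the sockets this installation is supposed to expose. Assumptions
# (not stated on the page): the services use their standard ports, SSH 22,
# SMTP 25, HTTP 80, POP3 110, IMAP 143; MySQL on 3306 must be bound to
# localhost only, since every account in 3.4 is allowed in from localhost
# alone; and XMail's CTRL port (6017 by default) is listed as public here
# because ctrl.ipmap.tab, not the bind address, restricts it to 127.0.0.1.

# Sockets that may listen on any address, as proto:port.
PUBLIC_OK="tcp:22 tcp:25 tcp:80 tcp:110 tcp:143 tcp:6017"
# Sockets that are expected, but only on a loopback address.
LOCAL_ONLY="tcp:3306"

# audit_listeners FILE: FILE holds the output of `netstat -ln` (Linux
# format). Prints one line per finding, EXPOSED for a local-only service
# bound to a non-loopback address and UNEXPECTED for any other listener;
# returns 1 if there was at least one finding, 0 if everything is in order.
audit_listeners() {
    awk -v pub="$PUBLIC_OK" -v loc="$LOCAL_ONLY" '
        BEGIN {
            n = split(pub, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(loc, a, " "); for (i = 1; i <= n; i++) lo[a[i]] = 1
        }
        # Only the Internet-socket lines: proto, recv-q, send-q, local addr, ...
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            port = $4; sub(/.*:/, "", port)             # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            key = proto ":" port
            if (key in ok) next
            if (key in lo) {
                if (addr == "127.0.0.1" || addr == "::1") next
                print "EXPOSED " proto " " $4; bad = 1; next
            }
            print "UNEXPECTED " proto " " $4; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Usage on the server:  netstat -ln > /tmp/listen.txt; sh audit.sh /tmp/listen.txt
if [ -n "${1:-}" ]; then
    audit_listeners "$1" && echo "no unexpected listeners"
fi
```

    Anything it reports as UNEXPECTED is either a daemon that should have been stopped in 1.1 or a port missing from the firewall plan; an EXPOSED line for 3306 means MySQL is reachable from the network even though all its accounts are localhost-only.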


    7.2 External part
    Configure access lists to filter IP traffic on routers, switches or other upstream connection devices.
    Here is an example of such a configuration.
    Suppose that our server has the IP address 158.39.26.110 and is connected to Ethernet interface 0 of a Cisco router. In this example packets are filtered before they exit the interface, after the routing decision. In Cisco IOS terms, the trivial extended access list configuration looks something like this (without SSL)

    Remember, if a packet does not match any of the access list statements, the packet is blocked. Thus we do not need to use [deny any any] at the end of the list.


    8. Accounts list

    During the installation process we have created some special accounts in the system.
    Here is the list of these accounts with comments.

  • Operating system accounts
    root: the most important account in the operating system

  • MySQL database accounts (see 3.4)
    mailadmin: this account has administrative rights over our mail database

  • XMail MTA control account and SmartPost server admin login
    (see 4.2, administrator account)
    xmailadmin: account to control the XMail MTA. It is stored in /var/MailRoot/ctrlaccounts.tab and has an MD5-encrypted password.
    Log in using this account with your browser to http://YourServerName/webmail/sadmin
    (see 6.4)




    9. Post-installation tuning and configuration

  • The original Courier-IMAP software has two particular problems in combination with the XMail MTA.
    These problems are a kind of incompatibility.

    - Courier-IMAP cannot deal correctly with XMail's mail file format (the problem is the <CRLF> end of lines). As a consequence, messages can be unreadable in some MUAs through the IMAP protocol.

    - Courier-IMAP marks mail files in a special way, and these marked files are read by XMail as new mail files. As a consequence, users can get double and triple copies of the same message through the POP protocol after a previous IMAP access.

    These problems are not critical, but can irritate users.
    To solve them you can use the patched Linux binary versions of XMail 1.17 and the Courier-IMAP daemon v2.0.0 from the download section.
    These binary replacements are ONLY FOR XMail 1.17 and Courier-IMAP 2.0.0!

    The patches can be applied separately. They are independent.

    - To solve the 'double POP messages' problem
    Replace your /var/MailRoot/bin/XMail file with the file from the xmail117-patched.zip archive.

    - To solve the '<CRLF>' problem
    Replace your /usr/lib/courier-imap/bin/imapd file with the file from the
    imapd200-patched.zip archive.
    The patch source code is in the download section.

  • You can find some other materials on how to tune your new mail server on the How To page
      - How to close an open relay
      - How to configure the max size of file attachments
      - How to implement anti-virus filters
      - How to implement open-relay-database and black list checks