OpenBSD mail server with spamassassin, amavisd-new, maia mailguard, apache, mysql
Here are my notes for installing an OpenBSD 3.6 mail server
spam filtering & anti-virus with web-based interface
postfix with dual mta (port 25 and port 10025)
amavisd-new (port 10024) http://www.ijs.si/software/amavisd/
Maia Mailguard RC5_2 http://www.renaissoft.com/projects/maia/
clamav 0.80 http://www.fatbsd.com/openbsd
mysql
apache
mail is forwarded to my exchange server
external network checks 'dcc' & 'razor' are disabled in spamassassin
I haven't documented them yet, but will add them soon.
admin user is: info@mydomain.ca
e-mail domain is mydomain.ca
192.168.x.y = IP address of the machine you are setting up
192.168.x.z = IP address of exchange server
CREATE A BOOTABLE INSTALL FLOPPY DISK:
# not sure why 3.6/tools doesn't have fdimage, but 3.5 works fine
ftp://ftp.openbsd.org/pub/OpenBSD/3.6/i386/floppy36.fs
ftp://ftp.openbsd.org/pub/OpenBSD/3.5/tools/fdimage.exe
fdimage floppy36.fs a:
INSTALL OPENBSD 3.6 USING FLOPPY DISK:
Boot from floppy disk
Press I to install
Terminal type: vt220
Keyboard encoding table: no
Proceed with Install: yes
Root disk: wd0
Use all of disk: yes
note: ideally you'd want to create separate partitions - see install FAQ
label editor: (accept defaults unless indicated. ? = help)
d a (delete partition a)
a (add partition)
b (b = swap)
size: 256M (memsize)
a (add partition)
a (primary partition)
mount point: /
q (quit)
write: yes
proceed? yes
hostname: mail
configure network: yes
IP address: 192.168.x.y
Install sets located on: h (http server)
Select 10. sunsite.ualberta.ca
Following sets are available:
File name? -g* (remove games)
File name? done
Install sets? yes
100%.....
Install sets? done
Start sshd by default? yes
Run X Windows? no
Change default console to com0? no
Timezone: Canada/Pacific
halt
# remove floppy disk
Configure Operating System
# see man afterboot for new system recommendations
# some of these are personal preferences
vipw
# changed root shell to sh
# could be changed back to csh when finished install for better security
# renamed Charlie root user to something more meaningful
vi /etc/ssh/sshd_config
# Set Protocol 2
# Set PermitRootLogin no
vi /etc/motd
=================================================================
Restricted Access - Authorized Users Only! All access is logged.
This system contains private and confidential information.
=================================================================
adduser myuser
# add local user for login instead of root
# add user to group wheel in /etc/group
# visudo - uncomment the %wheel line so members of wheel can use sudo
# create local files in /etc
cp /etc/rc.conf /etc/rc.conf.local
# remove last few lines of rc.conf.local to avoid looping
chmod 444 /etc/rc /etc/rc.conf
# modify /etc/rc.conf.local and set ntpd=""
# and/or
crontab -e
# update time with ntp server
0 23 * * * /usr/sbin/rdate -ncv pool.ntp.org | logger -t NTP
cp /etc/inetd.conf /etc/inetd.conf.orig
# vi /etc/inetd.conf and remove unnecessary entries
# swapped localhost entries in /etc/hosts:
127.0.0.1 localhost.mydomain.ca localhost
::1 localhost.mydomain.ca localhost
# configure CVSROOT and download source
vi /etc/profile
export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs
# edit /etc/resolv.conf and add:
domain mydomain.ca
search mydomain.ca.
# reboot server and log in as user
# retrieve OpenBSD source code and ports tree
cd /usr
cvs -q get -rOPENBSD_3_6 -P src
cvs -q get -rOPENBSD_3_6 -P ports
# remove games from updates
vi /usr/src/Makefile
SUBDIR+= lib include bin libexec sbin usr.bin usr.sbin share
INSTALL POSTFIX PACKAGE
mkdir -p /usr/ports/packages/i386/all/
cd /usr/ports/packages/i386/all/
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/postfix-2.1.4.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/pcre-4.5.tgz
pkg_add postfix-2.1.4.tgz
# edit rc.conf.local:
# syslogd_flags="-a /var/spool/postfix/dev/log"
# sendmail_flags="-bd -q30m"
# to replace sendmail with postfix you have to install a new mailer.conf:
/usr/local/sbin/postfix-enable
# remove the "sendmail clientmqueue runner" from root's crontab.
crontab -e
vi /etc/postfix/main.cf
soft_bounce = yes
myhostname = mail.mydomain.ca
mydomain = mydomain.ca
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain,
mail.$mydomain, local.$mydomain
local_recipient_maps = hash:/etc/postfix/recipients
# content_filter = smtp-amavis:[127.0.0.1]:10024
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 8000000
transport_maps = hash:/etc/postfix/transport
local_transport = local
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
notify_classes = 2bounce,policy,protocol,resource,software
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.x.0/24, 127.0.0.0/8
smtpd_banner = $myhostname ESMTP Welcome!
# add forwarding mail server IP address to /etc/postfix/transport
mydomain.ca smtp:[192.168.x.z]
postmap /etc/postfix/transport
# create /usr/local/bin/flush, a script that requeues and redelivers everything in the queue:
----------------- /usr/local/bin/flush ----------------
#!/bin/sh
/usr/local/sbin/postsuper -r ALL
/usr/local/sbin/postfix reload
----------------- /usr/local/bin/flush ----------------
# configure /etc/postfix/master.cf
# set all services to chroot=y unless already marked "n"
# add the secondary mta logic for amavisd using port 10025:
#
# The amavis interface
#
smtp-amavis unix - - y - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
create /etc/postfix/recipients with something like:
# user@domain.com whitespace OK
# @domain.com includes all users
abuse@mydomain.ca OK
administrator@mydomain.ca OK
info@mydomain.ca OK
postmaster@mydomain.ca OK
root@mydomain.ca OK
/usr/local/sbin/postmap /etc/postfix/recipients
ln -s /etc/mail/aliases /etc/aliases
vi /etc/mail/aliases # set root: alias
/usr/bin/newaliases
# reboot and test:
telnet localhost 25
telnet localhost 10025
telnet 192.168.x.y 25
telnet 192.168.x.y 10025 # should be refused
FILTER CONFIGURATION - AMAVISD
# create the amavisd user and group using adduser
# and then verify using vipw and vi /etc/group
/etc/passwd:_amavisd:*:509:509:amavisd-new daemon:/var/amavisd:/sbin/nologin
/etc/group:_amavisd:*:509:_amavisd
# install required ports (amavisd-new on filter)
cd /usr/ports/archivers/unzip && make install
cd /usr/ports/archivers/unrar && make install
cd /usr/ports/archivers/unace && make install
cd /usr/ports/archivers/unarj && make install
cd /usr/ports/archivers/arc && make install
cd /usr/ports/archivers/bzip2 && make install
cd /usr/ports/archivers/lha && make install
cd /usr/ports/archivers/zoo && make install
# perl -MCPAN -e shell (if no cpan)
cpan # initialize accepting defaults (except follow instead of ask)
cpan -i Bundle::CPAN
cpan -i MD5
cpan -i LWP # accept defaults
cpan -i Mail::Internet
cpan -i Archive::Zip
cpan -i IO::Wrap
cpan -i Unix::Syslog
cpan -i MIME::Words
cpan -i Net::DNS # DNS tests no
cpan -i Net::LDAP # accept defaults
cpan -i Net::LDAP # it fails - run again accepting defaults
cpan -i Net::Server
cpan -i Convert::TNEF
cpan -i Convert::UUlib
cpan -i Digest::Nilsimsa
cpan -i Bit::Vector
cpan -i Date::Calc
cpan -i Crypt::Blowfish
cpan -i Crypt::CBC
# test (some were installed as dependencies of the above modules):
# paste the following into perl, then press ctrl-d; no output means every module loaded
perl
use MD5;
use LWP;
use Mail::Internet;
use Archive::Tar;
use Archive::Zip;
use IO::Wrap;
use IO::Stringy;
use Unix::Syslog;
use MIME::Words;
use MIME::Head;
use MIME::Body;
use MIME::Entity;
use MIME::Parser;
use Net::SMTP;
use Net::DNS;
use Net::Ping;
use Net::LDAP;
use Net::Server;
use Net::Server::PreForkSimple;
use Convert::TNEF;
use Convert::UUlib;
use MIME::Decoder::Base64;
use MIME::Decoder::Binary;
use MIME::Decoder::Gzip64;
use MIME::Decoder::NBit;
use MIME::Decoder::QuotedPrint;
use MIME::Decoder::UU;
use Time::HiRes;
use Digest::SHA1;
use Digest::Nilsimsa;
use Getopt::Long;
use File::Copy;
use Bit::Vector;
use Date::Calc;
use Crypt::Blowfish;
use Crypt::CBC;
cpan -i Mail::SpamAssassin # network tests = no
# modify /etc/mail/spamassassin/local.cf with:
rewrite_subject 0
report_safe 0
use_terse_report 1
use_bayes 1
bayes_path /var/amavisd/.spamassassin/bayes
auto_learn 1
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
dns_available yes
header LOCAL_RCVD Received =~ /.*\(\S+\.mydomain\.ca\s+\[.*\]\)/
describe LOCAL_RCVD Received: from mydomain.ca
score LOCAL_RCVD -50
## Optional Score Increases
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
---------- end of modify ------------
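As an added example (not from these notes), a Python check of what the LOCAL_RCVD rule above actually matches, run over constructed Received: headers. mydomain.ca is the domain used in the notes; the host names, addresses and message ids are made up. It also shows the caveat that matters here: the rule tests every Received: header in the message, including any that were already present when it arrived, so the -50 rides on header text this server did not write, which is why SpamAssassin bases its own local-relay handling on trusted_networks rather than on a header regex.

```python
import re
from typing import List, Tuple

# The rule as written in local.cf above; mydomain.ca is the domain used
# throughout these notes.  It fires on any Received: header whose
# parenthesised rDNS part names a host under mydomain.ca.
LOCAL_RCVD_RE = re.compile(r'.*\(\S+\.mydomain\.ca\s+\[.*\]\)')
LOCAL_RCVD_SCORE = -50.0


def unfold_headers(raw_message: str) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs, joining folded
    continuation lines (those starting with a space or tab), which is
    also what SpamAssassin does before applying a header rule."""
    headers: List[Tuple[str, str]] = []
    for line in raw_message.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in ' \t' and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + ' ' + line.strip())
        else:
            name, _, value = line.partition(':')
            headers.append((name.strip(), value.strip()))
    return headers


def received_hits(raw_message: str) -> List[str]:
    """Return every Received: value that LOCAL_RCVD would match."""
    return [value for name, value in unfold_headers(raw_message)
            if name.lower() == 'received' and LOCAL_RCVD_RE.search(value)]


def local_rcvd_adjustment(raw_message: str) -> float:
    """Score contribution of the rule: a plain header rule hits at most
    once per message, however many Received: lines match."""
    return LOCAL_RCVD_SCORE if received_hits(raw_message) else 0.0


# Constructed sample messages (hosts, addresses and ids are made up).
# 1: a message relayed from the internal Exchange server.
INTERNAL_MSG = (
    "Received: from exchange (exchange.mydomain.ca [192.168.1.20])\n"
    "\tby mail.mydomain.ca (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <info@mydomain.ca>; Mon, 1 Nov 2004 10:00:00 -0800\n"
    "From: someone@mydomain.ca\n"
    "Subject: internal note\n"
    "\n"
    "body\n"
)
# 2: a message from an outside MTA; only our own Received: line is present.
EXTERNAL_MSG = (
    "Received: from smtp.example.net (smtp.example.net [203.0.113.5])\n"
    "\tby mail.mydomain.ca (Postfix) with ESMTP id 4D5E6F\n"
    "\tfor <info@mydomain.ca>; Mon, 1 Nov 2004 10:05:00 -0800\n"
    "Subject: offer\n"
    "\n"
)
# 3: a message from outside that already carried a Received: line naming a
# mydomain.ca host when it arrived.  The rule cannot tell that line from
# one Postfix added, so the -50 applies; SpamAssassin's trusted_networks
# setting exists to make this distinction from the connecting IP instead.
PREEXISTING_HDR_MSG = (
    "Received: from smtp.example.net (smtp.example.net [203.0.113.5])\n"
    "\tby mail.mydomain.ca (Postfix) with ESMTP id 7G8H9I\n"
    "Received: from relay (relay.mydomain.ca [10.0.0.9]) by somewhere\n"
    "Subject: offer\n"
    "\n"
)

if __name__ == '__main__':
    for label, msg in (('internal', INTERNAL_MSG), ('external', EXTERNAL_MSG),
                       ('pre-existing header', PREEXISTING_HDR_MSG)):
        print(f"{label:20s} LOCAL_RCVD hits={len(received_hits(msg))} "
              f"score={local_rcvd_adjustment(msg):+.1f}")
```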
# setup the amavisd and spamassassin home directory for the amavisd user:
mkdir -p /var/amavisd
chown _amavisd._amavisd /var/amavisd
chmod 750 /var/amavisd
cd /var/amavisd
mkdir .spamassassin
touch .spamassassin/user_prefs
chown -R _amavisd._amavisd .spamassassin
# Install and Configure Amavisd-new
# Copy the perl code file, set permissions and make it executable.
# Maia likely has a custom version to replace this one
mkdir -p /install
cd /install
lynx http://www.ijs.si/software/amavisd/amavisd-new-20030616-p10.tar.gz
tar xvfz amavis*gz
cd amavisd-new-20030616
cp amavisd /usr/local/sbin/
chown root.wheel /usr/local/sbin/amavisd
chmod 550 /usr/local/sbin/amavisd
cp -p amavisd.conf /etc/
chown root.wheel /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
touch /var/amavisd/amavis.log
chown _amavisd._amavisd /var/amavisd/amavis.log
# edit /etc/amavisd.conf:
$MYHOME = '/var/amavisd';
$mydomain = 'mydomain.ca';
$daemon_user = '_amavisd';
$daemon_group = '_amavisd';
$TEMPBASE = "$MYHOME/tmp";
$daemon_chroot_dir = $MYHOME;
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
$inet_socket_bind = '127.0.0.1';
$log_level = 5; # (defaults to 0)
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;
@lookup_sql_dsn = ( ['DBI:mysql:database=maia;host=127.0.0.1;port=3306', '_amavisd', 'amavis-password'] ); # user and password must match the GRANT in the maia section
# uncomment clamd anti-virus and use /tmp/clamd (the socket path as seen from inside the chroot):
## http://clamav.elektrapro.com/
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", '/tmp/clamd'],
qr/\bOK$/m, qr/\bFOUND$/m, # /m: check every line of a multi-file reply, not just the last one
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
$sa_debug = 1;
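As an added example (not from the notes or from amavisd-new), the three clamd patterns of the scanner entry above applied in Python to constructed CONTSCAN replies, beside the same check with end-of-string anchoring to show why per-line anchoring (Perl's /m) matters once a message is unpacked into several parts. The infected-before-clean ordering and the 'error' verdict are my assumptions about how such an entry is evaluated; the paths and the 'Infected Archive' line are made up.

```python
import re
from typing import List, Tuple

# The three patterns from the ['Clam Antivirus-clamd', ...] entry above,
# anchored per line (re.MULTILINE, Perl's /m) so that every line of a
# CONTSCAN reply is examined, not only the last one.
CLEAN_RE = re.compile(r'\bOK$', re.MULTILINE)
INFECTED_RE = re.compile(r'\bFOUND$', re.MULTILINE)
# Pulls the malware name out of each FOUND line; the negative lookahead
# drops lines whose "name" is only the container marker 'Infected Archive'.
VIRUS_NAME_RE = re.compile(r'^.*?: (?!Infected Archive)(.*) FOUND$', re.MULTILINE)


def classify_clamd_reply(reply: str) -> Tuple[str, List[str]]:
    """Turn a CONTSCAN reply into ('infected' | 'clean' | 'error', names).
    Assumption: a FOUND line anywhere outranks OK lines, and a reply with
    neither (e.g. an ERROR line) is a scanner failure, not a clean result."""
    if INFECTED_RE.search(reply):
        return 'infected', sorted(set(VIRUS_NAME_RE.findall(reply)))
    if CLEAN_RE.search(reply):
        return 'clean', []
    return 'error', []


# Same decision with end-of-string anchoring (no /m): in both Perl and
# Python a bare $ matches only at the end of the whole string (or before
# its final newline), so a trailing 'OK' line hides an earlier FOUND.
CLEAN_LAST_RE = re.compile(r'\bOK$')
INFECTED_LAST_RE = re.compile(r'\bFOUND$')


def classify_whole_reply_anchor(reply: str) -> str:
    """Verdict the end-of-string-anchored patterns give for the same reply."""
    if INFECTED_LAST_RE.search(reply):
        return 'infected'
    if CLEAN_LAST_RE.search(reply):
        return 'clean'
    return 'error'


# Constructed replies (paths are made up; the second imitates what a
# multi-part message unpacked into parts/ might produce).
CLEAN_REPLY = "/var/amavisd/tmp/amavis-20041101T120000-01234/parts: OK\n"
INFECTED_REPLY = (
    "/var/amavisd/tmp/amavis-20041101T120000-01235/parts/p001: Eicar-Test-Signature FOUND\n"
    "/var/amavisd/tmp/amavis-20041101T120000-01235/parts/p002: Infected Archive FOUND\n"
    "/var/amavisd/tmp/amavis-20041101T120000-01235/parts/p003: OK\n"
)
ERROR_REPLY = ("/var/amavisd/tmp/amavis-20041101T120000-01236/parts: "
               "lstat() failed: Permission denied. ERROR\n")

if __name__ == '__main__':
    for label, reply in (('clean', CLEAN_REPLY), ('infected', INFECTED_REPLY),
                         ('error', ERROR_REPLY)):
        verdict, names = classify_clamd_reply(reply)
        print(f"{label:9s} per-line: {verdict:8s} {names}  "
              f"end-of-string: {classify_whole_reply_anchor(reply)}")
```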
# Next we need to create the directories used by amavisd:
mkdir /var/amavisd/tmp
chown _amavisd:_amavisd /var/amavisd/tmp
chmod 750 /var/amavisd/tmp
mkdir /var/amavisd/quarantine
chown _amavisd:_amavisd /var/amavisd/quarantine
chmod 750 /var/amavisd/quarantine
# do everything needed to run amavisd-new in a chroot jail:
cd /var/amavisd
mkdir -p etc dev tmp var/run
mkdir -p usr/bin usr/share/zoneinfo usr/lib usr/libexec
mkdir -p usr/local/share/spamassassin etc/mail/spamassassin
mknod dev/null c 2 2
# Setup a symbolic link so the chrooted process can refer to
# /var/amavisd and still get the files in /var/amavisd (which would then be /)
ln -s / var/amavisd
# Copy the unpackers we need from /usr/bin and /usr/local/bin into the chroot's usr/bin (/var/amavisd/usr/bin)
cp -p /usr/bin/file usr/bin
cp -p /usr/bin/gzip usr/bin
cp -p /usr/local/bin/arc usr/bin
cp -p /usr/local/bin/bzip2 usr/bin
cp -p /usr/local/bin/zoo usr/bin
cp -p /usr/local/bin/unrar usr/bin
cp -p /usr/local/bin/unarj usr/bin
cp -p /usr/local/bin/lha usr/bin
# Copy the configuration files for our system to our chroot etc directory.
cp -p /etc/protocols etc
cp -p /etc/services etc
cp -p /etc/hosts etc
cp -p /etc/magic etc
cp -p /etc/resolv.conf etc
# Copy the SpamAssassin files we need to our chroot directory
cp -p /etc/mail/spamassassin/local.cf etc/mail/spamassassin/
cp -rp /usr/local/share/spamassassin usr/local/share
# Set strict permissions.
# Note that amavisd must own its home directory (/var/amavisd)
chown -R root.wheel etc dev tmp usr var
chown -R _amavisd:_amavisd .spamassassin # .razor quarantine var/dcc
chmod 1777 tmp
chmod 666 dev/null
touch /var/amavisd/blacklist
touch /var/amavisd/whitelist
touch /var/amavisd/spam_lovers
# create /var/amavisd/notify_spam_sender.txt:
------------- start of file ----------------
From: SpamAssassin
Subject: **Message you sent blocked by our SPAM filter**
[? %m |#|In-Reply-To: %m]
Message-ID:
Your message to: %R
has triggered our SpamAssassin SPAM filters and has been rejected. The email you sent with the following subject has NOT BEEN DELIVERED:
Subject: %j
Our company uses a set of email filters to help block the delivery of unsolicited commercial email, otherwise known as SPAM. For more information on SPAM, please visit http://spam.abuse.net.
If you believe that you have received this message in error, please accept our sincere apologies. We ask that you please reply to this email message. When we receive your reply, we will add your email address to our whitelist of approved senders so that in the future we can avoid making this mistake again. Please note that this is a manual process and is only done during business hours.
The report below will help you determine why your message was flagged as SPAM. If you continue to have problems, please contact our Helpdesk at 800-555-1212.
Thank you very much,
Postmaster
SpamAssassin report:
[%A
]\
------------- end of file ----------------
ClamAV antivirus
mkdir -p /usr/ports/security/clamav
cd /usr/ports/security/clamav
# see the http://www.fatbsd.com/openbsd/ warning about sourceforge mirrors:
# vi /usr/ports/infrastructure/templates/network.conf.template
# and add this mirror to the MASTER_SITE_SOURCEFORGE list:
MASTER_SITE_SOURCEFORGE+= \
	http://easynews.dl.sourceforge.net/sourceforge/ \
lynx http://www.fatbsd.com/openbsd/clamav/download.php?file=clamav-0.80_3.6.tar.gz # save without a trailing ;
tar xvzf ./clamav*.gz
cd clamav-0.80
make
make install
[ ! -f /etc/clamd.conf ] &&
cp /usr/local/share/examples/clamav/clamd.conf /etc/
# edit /etc/clamd.conf with
DatabaseDirectory /usr/local/share/clamav/
LogFile /var/log/clamd.log
PidFile /var/run/clamd.pid
TemporaryDirectory /var/tmp
LocalSocket /tmp/clamd
TCPAddr 127.0.0.1
StreamMaxLength 20M
User _amavisd
[ ! -f /etc/freshclam.conf ] &&
cp /usr/local/share/examples/clamav/freshclam.conf /etc/
# edit /etc/freshclam.conf with:
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/freshclam.log
LogVerbose
DatabaseOwner _amavisd
NotifyClamd
cd /var/amavisd/
# move real copies to amavisd/etc and link back to /etc
[ ! -f etc/clamd.conf ] && mv /etc/clamd.conf etc/
ln -s /var/amavisd/etc/clamd.conf /etc/clamd.conf
[ ! -f etc/freshclam.conf ] && mv /etc/freshclam.conf etc/
ln -s /var/amavisd/etc/freshclam.conf /etc/freshclam.conf
mkdir usr/local/share/clamav
mkdir usr/local/sbin
mkdir usr/local/bin
set `ldd /usr/local/sbin/clamd /usr/local/bin/freshclam | grep lib | awk '{print $NF}' | sort -u`
for I in $*
do
mkdir -p `dirname /var/amavisd$I`
cp -p $I /var/amavisd$I
done
cp -Rp /usr/local/share/clamav usr/local/share/
cp -p /usr/local/bin/freshclam usr/local/bin/
cp -p /usr/local/sbin/clamd usr/local/sbin/
mknod dev/urandom c 45 2 # OpenBSD/i386: urandom is major 45 minor 2 (check ls -l /dev/urandom); c 2 2 would make it a second /dev/null
chown -R _amavisd:_amavisd /var/amavisd/usr/local/share/clamav
chmod -R 750 /var/amavisd/usr/local/share/clamav # maybe 600
mkdir var/log var/tmp
touch var/log/freshclam.log
chown -R _amavisd._amavisd var/log var/tmp var/run
chmod 744 var/log var/tmp var/run
# get libs
FILES=` find . -type f | grep "bin/"`
set `for FILE in $FILES; do ldd $FILE; done | grep " /" | awk ' {print $NF}' | sort -u | cut -c2-`
for LIB in $*
do
rm -rf $LIB
echo "copying /$LIB..."
mkdir -p `dirname $LIB` 2>/dev/null
cp -p /$LIB $LIB
done
# if this is missing, it will randomly fail loading libraries
mkdir -p var/run
cp /var/run/ld.so.hints /var/amavisd/var/run/
# Start freshclam:
chroot -u _amavisd /var/amavisd /usr/local/bin/freshclam -d
# Start clamd:
chroot -u _amavisd /var/amavisd /usr/local/sbin/clamd
# Add these commands to /etc/rc.local:
----------------- rc.local ----------------
# Start clamd antivirus
echo "Starting clamd antivirus...\c"
chroot -u _amavisd /var/amavisd /usr/local/sbin/clamd && echo "OK\c" || echo "FAILED\c"
for I in 1 2 3 4 5
do
[ -S /var/amavisd/tmp/clamd ] && break
echo ".\c"
case "$I" in
5) echo "\n\nWarning: /etc/rc.local unable to find clamd socket!";;
esac
sleep 1
done
echo
# Start freshclam virus updater
echo "Starting freshclam virus updater...\c"
chroot -u _amavisd /var/amavisd /usr/local/bin/freshclam -d && echo OK || echo FAILED
----------------- rc.local ----------------
# create /usr/local/bin/clean_amavisd, a script that removes old amavisd temp
# and quarantine files, and run it from cron at 5:30am (maia may already handle this)
----------------- /usr/local/bin/clean_amavisd ----------------
#!/bin/sh
find /var/amavisd/tmp -type d -name 'amavis-*' -prune -mtime +20 -exec rm -rf {} \;
find /var/amavisd/tmp -name 'sa*' -mtime +20 -exec rm {} \;
find /var/amavisd/quarantine -name 'virus-*' -mtime +20 -exec rm {} \;
----------------- /usr/local/bin/clean_amavisd ----------------
# run crontab -e and add:
# cleanup the amavisd temp files
30 5 * * * /usr/local/bin/clean_amavisd
Install MySQL PHP and APACHE WEB SERVER
# Apache is installed by default and just needs to be enabled:
vi /etc/rc.conf.local # change httpd_flags=""
mkdir /var/www/tmp
mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc/
cp /etc/services /var/www/etc/
# INSTALL MYSQL
cd /install
mkdir mysql
cd mysql
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mysql-client-4.0.20.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mysql-server-4.0.20.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-DBD-mysql-2.9004.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-DBI-1.43.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-Net-Daemon-0.38.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-PlRPC-0.2018.tgz
pkg_add mysql-server*
# PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
# To do so, start the server, then issue the following commands:
/usr/local/bin/mysqld_safe &
/usr/local/bin/mysqladmin -u root password 'new-password'
/usr/local/bin/mysqladmin -u root -h mail.mydomain.ca password 'new-password'
# use 'mysql -p' to access mysql databases (-p prompts for a password)
# add the command to /etc/rc.local to start mysql during boot:
----------------- rc.local ----------------
# start mysql server
echo "Starting mysql server...\c"
/usr/local/bin/mysqld_safe &
sleep 2
----------------- rc.local ----------------
# INSTALL PHP
cd /install
mkdir php
cd php
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-core-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-imap-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-mysql-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-pear-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/c-client-4.61.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/gettext-0.10.40p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libiconv-1.9.1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
pkg_add php4-core*
# enable the php4 module with:
/usr/local/sbin/phpxs -s
vi /var/www/conf/httpd.conf
AddType application/x-httpd-php .php
ServerName www.mydomain.ca
ServerAdmin info@mydomain.ca
DirectoryIndex index.php index.html index.htm
cp /usr/local/share/doc/php4/php.ini* /var/www/conf/
cp /var/www/conf/php.ini-dist /var/www/conf/php.ini
# or use the tighter -recommended version
# modify the include_path in php.ini
vi /var/www/conf/php.ini
include_path = ".:/pear/lib:/var/www/pear/lib:/pear:/var/www/pear"
pkg_add php4-mysql*
/usr/local/sbin/phpxs -a mysql
pkg_add php4-imap*
/usr/local/sbin/phpxs -a imap
pkg_add php4-pear*
# php gd library
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-gd-4.3.8-no_x11.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/t1lib-5.0.0.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/jpeg-6b.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/png-1.2.5p5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/tiff-3.6.1p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/freetype-1.3.1p1.tgz
pkg_add php4-gd*
/usr/local/sbin/phpxs -a gd
# php mcrypt support
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-mcrypt-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libmcrypt-2.5.5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libtool-1.5.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libltdl-1.5.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mhash-0.9.1.tgz
pkg_add php4-mcrypt*
/usr/local/sbin/phpxs -a mcrypt
# php ldap support
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-ldap-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/openldap-client-2.1.30.tgz
pkg_add php4-ldap-4.3.8.tgz
/usr/local/sbin/phpxs -a ldap
# jpgraph support
# website is: http://www.aditus.nu/jpgraph/jpdownload.php
cd /install
mkdir jpgraph
cd jpgraph
lynx http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17beta2.tgz
tar xvfz jpgraph*tgz
cd jpgraph-1.17beta2
mkdir /var/www/pear/jpgraph
cp -p src/* /var/www/pear/jpgraph/
cpan -i DBI
PEAR
pear install PEAR
pear install XML_RPC
pear install PEAR
pear install Archive_Tar
pear install Console_Getopt
pear install DB
pear install HTTP
pear install Mail
pear install Net_Socket
pear install Net_SMTP
pear install XML_Parser
pear install Mail_Mime
pear install DB_Pager
pear install Log
pear list # should show these versions or higher:
Package Version State
Archive_Tar 1.2 stable
Console_Getopt 1.2 stable
DB 1.6.8 stable
DB_Pager 0.7 stable
HTTP 1.3.3 stable
Log 1.8.6 stable
Mail 1.1.4 stable
Mail_Mime 1.2.1 stable
Net_SMTP 1.2.6 stable
Net_Socket 1.0.2 stable
PEAR 1.3.3 stable
XML_Parser 1.2.1 stable
XML_RPC 1.1.0 stable
pear upgrade-all # should return nothing
# www
cd /var/www
mkdir -p var/www/pear
chown -R www.daemon var tmp
cp -r pear /var/www/var/www/
cd /install
mkdir mime
cd mime
ftp http://search.cpan.org/CPAN/authors/id/E/ER/ERYQ/MIME-tools-6.200_02.tar.gz
tar xvfz MIME-tools*
cd MIME*02
# install pre-requisites:
cpan -i Unicode::Map
cpan -i Unicode::String
perl Makefile.PL
make && make test && make install
INSTALLING FETCHMAIL
# note: only required if you are retrieving pop3 e-mail accounts
mkdir -p /install/fetchmail
cd /install/fetchmail
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/fetchmail-6.2.5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/gettext-0.10.40p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libiconv-1.9.1.tgz
pkg_add fetchmail-6.2.5.tgz
# edit rc.local and add:
# startup fetchmail to grab pop3 mail from shaw every 60 sec.
/usr/local/bin/fetchmail -f /etc/fetchmailrc -d 60
INSTALLING MAIA
mkdir -p /install/maia
cd /install/maia
# svn checkout https://www.renaissoft.com/svn/maia/trunk
svn checkout https://www.renaissoft.com/svn/maia/tags/V1_0_0_RC5_2
cd V1_0_0_RC5_2
if [ -f amavisd-maia ]; then
cp /usr/local/sbin/amavisd /usr/local/sbin/amavisd.prev
cp amavisd-maia /usr/local/sbin/amavisd
else
echo "Warning: I didn't find a copy of amavisd-maia to install"
echo Press Enter:
read key
fi
# Force re-creation of mysql maia database (optional if upgrading):
echo "DROP DATABASE maia;" | mysql -u root --password=mypassword mysql
echo "CREATE DATABASE maia;" | mysql -u root --password=mypassword mysql
mysql -u root --password=mypassword maia < maia-mysql.sql
echo "GRANT CREATE, DROP, ALTER, SELECT, INSERT, UPDATE, DELETE ON maia.* TO _amavisd IDENTIFIED BY 'amavis-password';" | mysql -u root --password=mypassword maia
# amavisd@localhost.mydomain.ca
[ -d /var/www/maia.o ] && rm -rf /var/www/maia.o
[ -d /var/www/maia ] && mv /var/www/maia /var/www/maia.o
mkdir -p /var/www/maia/scripts
cp -rp scripts/* /var/www/maia/scripts/
cd /var/www/maia/scripts
for FILE in `grep -l "/var/amavisd/maia" *`
do
mv "$FILE" "$FILE.orig"
sed 's!/var/amavisd/maia!/var/www/maia!g' "$FILE.orig" > "$FILE"
done
cd /install/maia/V1_0_0_RC5_2
mkdir /var/www/maia/templates
cp -rp templates/* /var/www/maia/templates/
chown -R _amavisd._amavisd /var/www/maia
chmod 644 /var/www/maia/templates/*.tpl*
chmod 750 /var/www/maia/scripts/*.pl*
cat > /var/www/maia/scripts/database.cfg << END
# Database configuration for Maia Mailguard perl scripts
#
# IMPORTANT: Make sure this file is not world-readable!
# Consider installing this file in a subdirectory beneath
# your amavis directory, e.g. /var/amavisd/maia, and set
# the owner and group of this directory to your amavis
# user (e.g. "amavis"), and use chmod 750 for this file.
# Configure your database DSN here
dsn = "DBI:mysql:maia:127.0.0.1:3306"
# Your database user's login name
username = "_amavisd"
# Your database user's password
password = "amavis-password"
END
chmod 640 /var/www/maia/scripts/database.cfg*
cd /var/www/maia/scripts
./load-sa-rules.pl
[ -d /var/www/htdocs/mail.o ] && rm -rf /var/www/htdocs/mail.o
[ -d /var/www/htdocs/mail ] && mv /var/www/htdocs/mail /var/www/htdocs/mail.o
cd /install/maia/V1_0_0_RC5_2
mkdir /var/www/htdocs/mail
cp -rp php/* /var/www/htdocs/mail/
cat /var/www/htdocs/mail/config.php.dist |
sed 's!$maia_sql_dsn = "mysql://amavis:passwd@tcp(localhost:3306)/maia";!$maia_sql_dsn = "mysql://_amavisd:amavis-password@tcp(127.0.0.1:3306)/maia";!' >/var/www/htdocs/mail/config.php
chown -R root.bin /var/www/htdocs/mail
chmod -R og-w /var/www/htdocs/mail
Verify Everything
# verify everything is current and OK:
cd /var/www/maia/scripts
./configtest.pl
/usr/local/sbin/amavisd debug
# scan for errors, ctrl-c when done
# edit /etc/postfix/main.cf and uncomment the content filter for amavisd
# add amavisd startup to /etc/rc.local:
----------------- rc.local ----------------
# Start amavisd spam filter
echo "Starting amavisd...\c"
/usr/local/sbin/amavisd && echo OK || echo FAILED
----------------- rc.local ----------------
# reboot, watch the boot messages and review /var/log
try sending e-mail
From a workstation, try accessing:
http://192.168.x.y/mail/configtest.php
CLEAN UP LOGGING
# edit /etc/amavisd.conf:
# $sa_debug = 1;
$log_level = 2; # (defaults to 0)
MAIA CONFIGURATION:
# Based on my single domain with one administrator for everything, I do the following:
http://192.168.x.y/mail/internal-init.php
template: /maia/templates/newuser.tpl
login page: http://192.168.x.y/mail/login.php
e-mail: info@mydomain.ca
e-mail: info@mydomain.ca
Check your e-mail for the password.
Proceed to login page:
http://192.168.x.y/mail/login.php?super=register
login: info@mydomain.ca
password: from your e-mail
You'll be presented with the login page as usual, but if you log in successfully and no other user in the database currently has super-administrator privileges, you'll be assigned these privileges. You only have to do this once; after that, you can log in just like any other user, and your super-administrator privileges will be granted to you automatically. Only one user can be administrator.
Assuming the user is info@mydomain.ca and it was the first user added with internal-init.php, you can reset the account at the mysql command prompt as follows:
mysql -u root -p maia
use maia;
# change password:
UPDATE maia_users SET user_name = "info@mydomain.ca", password = md5("newpassword") WHERE id = "2";
# set super-user:
UPDATE maia_users SET user_name = "info@mydomain.ca", user_level = "S" WHERE id = "2";
Once logged in as admin user:
Click on Admin button
Click on System Administration
Set the following:
Enable auto-creation of accounts: Yes
Auto-issue passwords: No
Allow administrators to read user's mail: Yes
Oversized items should be: Accepted
Update Settings
Return to Admin menu
Click on Domains
Click on System Default(@.)
Set the following:
Virus Scanning: Enabled
Detected viruses: Discarded
Spam Filtering: Enabled
Detected spam: Quarantined
score = 3.5 for each
Attachment filtering: Enabled
Detected Attachments: Quarantined
Bad Header filtering: Enabled
Detected Bad Headers: Quarantined
Ham items cached: Yes
Enabled auto user creation: Yes
Update the domain defaults
Click on Settings button
Click on primary e-mail address
Select the same settings here as the domain defaults
Update all address settings.
Return to settings
Set the following miscellaneous settings (near bottom of page):
Send quarantine reminder: No
Add senders to whitelist? No
Mail items displayed: 100
Update Miscellaneous settings
Send an e-mail to each account that you want to be administered by the admin user.
(or you can add the e-mail addresses in the Admin
Click on the Admin button
Click Users
In the Link E-mail address/Alias section:
For each e-mail address in the top that you want administered:
click the address in the top
click the admin address in the bottom box
click the Link E-mail address button
Done!
To review spam click on the quarantine button.
These items were not delivered.
To deliver a message, mark it as Ham.
To review the ham messages, click the Report Spam button.
Spam messages can be marked as spam and will update spamassassin.