[OpenBSDsupport]

OpenBSD mail server with spamassassin, amavisd-new, maia mailguard, apache, mysql


Here are my notes for installing an OpenBSD 3.6 mail server

spam filtering & anti-virus with web-based interface

postfix with dual mta (port 25 and port 10025)
amavisd-new (port 10024)  http://www.ijs.si/software/amavisd/
Maia Mailguard RC5_2 http://www.renaissoft.com/projects/maia/
clamav 0.80  http://www.fatbsd.com/openbsd
mysql
apache

mail is forwarded to my exchange server
external network checks 'dcc' & 'razor' are disabled in spamassassin
I haven't documented them yet, but will add them soon.

admin user is: info@mydomain.ca
e-mail domain is mydomain.ca

192.168.x.y  = IP address of the machine you are setting up
192.168.x.z  = IP address of exchange server


CREATE A BOOTABLE INSTALL FLOPPY DISK:

# not sure why 3.6/tools doesn't have fdimage, but 3.5 works fine
ftp://ftp.openbsd.org/pub/OpenBSD/3.6/i386/floppy36.fs
ftp://ftp.openbsd.org/pub/OpenBSD/3.5/tools/fdimage.exe
fdimage floppy36.fs a:


INSTALL OPENBSD 3.6 USING FLOPPY DISK:

Boot from floppy disk
Press I to install
Terminal type: vt220
Keyboard encoding table: no
Proceed with Install: yes
Root disk: wd0
Use all of disk: yes
  note: ideally you'd want to create separate partitions - see install FAQ
label editor: (accept defaults unless indicated. ? = help)
  d a              (delete partition a)
  a                (add partition)
  b                (b = swap)
  size: 256M       (memsize)
  a                (add partition)
  a                (primary partition)
  mount point: /
  q                (quit)
  write: yes
proceed? yes
hostname: mail
configure network: yes
IP address: 192.168.x.y
Install sets located on: h (http server)
Select 10. sunsite.ualberta.ca
Following sets are available:
File name? -g*     (remove games)
File name? done
Install sets? yes
100%.....
Install sets? done
Start sshd by default? yes
Run X Windows? no
Change default console to com0? no
Timezone: Canada/Pacific
halt
# remove floppy disk


Configure Operating System

# see man afterboot for new system recommendations
# some of these are personal preferences
vipw
# changed root shell to sh
# could be changed back to csh when finished install for better security
# renamed Charlie root user to something more meaningful

vi /etc/ssh/sshd_config
# Set Protocol 2
# Set PermitRootLogin no

vi /etc/motd
=================================================================
Restricted Access - Authorized Users Only!
All access is logged.
This system contains private and confidential information.
=================================================================

adduser myuser
# add local user for login instead of root
# add user to group wheel in /etc/group
# visudo - uncomment # wheel access

# create local files in /etc
cp /etc/rc.conf /etc/rc.conf.local
# remove last few lines of rc.conf.local to avoid looping
chmod 444 /etc/rc /etc/rc.conf

# modify /etc/rc.conf.local and set ntpd=""
# and/or
crontab -e
# update time with ntp server
0 23 * * * /usr/sbin/rdate -ncv pool.ntp.org | logger -t NTP

cp /etc/inetd.conf /etc/inetd.conf.orig
# vi /etc/inetd.conf and remove unnecessary entries

# swapped localhost entries in /etc/hosts:
127.0.0.1 localhost.mydomain.ca localhost
::1 localhost.mydomain.ca localhost

# configure CVSROOT and download source
vi /etc/profile
export CVSROOT=anoncvs@anoncvs.ca.openbsd.org:/cvs

# edit /etc/resolv.conf and add:
domain mydomain.ca
search mydomain.ca.

# reboot server and log in as user

# retrieve OpenBSD source code and ports tree
cd /usr
cvs -q get -rOPENBSD_3_6 -P src
cvs -q get -rOPENBSD_3_6 -P ports

# remove games from updates
vi /usr/src/Makefile
SUBDIR+= lib include bin libexec sbin usr.bin usr.sbin share


INSTALL POSTFIX PACKAGE

mkdir -p /usr/ports/packages/i386/all/
cd /usr/ports/packages/i386/all/
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/postfix-2.1.4.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/pcre-4.5.tgz
pkg_add postfix-2.1.4.tgz

# edit rc.conf.local:
#   syslogd_flags="-a /var/spool/postfix/dev/log"
#   sendmail_flags="-bd -q30m"

# to replace sendmail with postfix you have to install a new mailer.conf
/usr/local/sbin/postfix-enable

# remove the "sendmail clientmqueue runner" from root's crontab.
crontab -e

vi /etc/postfix/main.cf
soft_bounce = yes
myhostname = mail.mydomain.ca
mydomain = mydomain.ca
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, local.$mydomain
local_recipient_maps = hash:/etc/postfix/recipients
# content_filter = smtp-amavis:[127.0.0.1]:10024
biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 8000000
transport_maps = hash:/etc/postfix/transport
local_transport = local
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
notify_classes = 2bounce,policy,protocol,resource,software
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.x.0/24, 127.0.0.0/8
smtpd_banner = $myhostname ESMTP Welcome!

# add forwarding mail server IP address to /etc/postfix/transport
mydomain.ca smtp:[192.168.x.z]
postmap /etc/postfix/transport

# create /usr/local/bin/flush script
/usr/local/sbin/postsuper -r ALL
/usr/local/sbin/postfix reload

# configure /etc/postfix/master.cf
# set all services to chroot=y unless already marked "n"
# add the secondary mta logic for amavisd using port 10025:
#
# The amavis interface
#
smtp-amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

create /etc/postfix/recipients with something like:
# user@domain.com whitespace OK
# @domain.com includes all users
abuse@mydomain.ca OK
administrator@mydomain.ca OK
info@mydomain.ca OK
postmaster@mydomain.ca OK
root@mydomain.ca OK

/usr/local/sbin/postmap /etc/postfix/recipients

ln -s /etc/mail/aliases /etc/aliases
vi /etc/mail/aliases
# set root: alias
/usr/bin/newaliases

# reboot and test:
telnet localhost 25
telnet localhost 10025
telnet 192.168.x.y 25
telnet 192.168.x.y 10025    # should be refused


FILTER CONFIGURATION - AMAVISD

# create the amavisd user and group using adduser
# and then verify using vipw and vi /etc/group
/etc/passwd:_amavisd:*:509:509:amavisd-new daemon:/var/amavisd:/sbin/nologin
/etc/group:_amavisd:*:509:_amavisd

# install required ports (amavisd-new on filter)
cd /usr/ports/archivers/unzip && make install
cd /usr/ports/archivers/unrar && make install
cd /usr/ports/archivers/unace && make install
cd /usr/ports/archivers/unarj && make install
cd /usr/ports/archivers/arc && make install
cd /usr/ports/archivers/bzip2 && make install
cd /usr/ports/archivers/lha && make install
cd /usr/ports/archivers/zoo && make install

# perl -MCPAN -e shell (if no cpan)
cpan                      # initialize accepting defaults (except follow instead of ask)
cpan -i Bundle::CPAN
cpan -i MD5
cpan -i LWP               # accept defaults
cpan -i Mail::Internet
cpan -i Archive::Zip
cpan -i IO::Wrap
cpan -i Unix::Syslog
cpan -i MIME::Words
cpan -i Net::DNS          # DNS tests no
cpan -i Net::LDAP         # accept defaults
cpan -i Net::LDAP         # it fails - run again accepting defaults
cpan -i Net::Server
cpan -i Convert::TNEF
cpan -i Convert::UUlib
cpan -i Digest::Nilsimsa
cpan -i Bit::Vector
cpan -i Date::Calc
cpan -i Crypt::Blowfish
cpan -i Crypt::CBC

# test (some were installed as dependencies of above modules)
perl
use MD5;
use LWP;
use Mail::Internet;
use Archive::Tar;
use Archive::Zip;
use IO::Wrap;
use IO::Stringy;
use Unix::Syslog;
use MIME::Words;
use MIME::Head;
use MIME::Body;
use MIME::Entity;
use MIME::Parser;
use Net::SMTP;
use Net::DNS;
use Net::Ping;
use Net::LDAP;
use Net::Server;
use Net::Server::PreForkSimple;
use Convert::TNEF;
use Convert::UUlib;
use MIME::Decoder::Base64;
use MIME::Decoder::Binary;
use MIME::Decoder::Gzip64;
use MIME::Decoder::NBit;
use MIME::Decoder::QuotedPrint;
use MIME::Decoder::UU;
use Time::HiRes;
use Digest::SHA1;
use Digest::Nilsimsa;
use Getopt::Long;
use File::Copy;
use Bit::Vector;
use Date::Calc;
use Crypt::Blowfish;
use Crypt::CBC;

cpan -i Mail::SpamAssassin    # network tests = no

# modify /etc/mail/spamassassin/local.cf with:
rewrite_subject 0
report_safe 0
use_terse_report 1
use_bayes 1
bayes_path /var/amavisd/.spamassassin/bayes
auto_learn 1
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
dns_available yes
header LOCAL_RCVD Received =~ /.*\(\S+\.mydomain\.ca\s+\[.*\]\)/
describe LOCAL_RCVD Received: from mydomain.ca
score LOCAL_RCVD -50
## Optional Score Increases
score BAYES_99 4.300
score BAYES_90 3.500
score BAYES_80 3.000
---------- end of modify ------------

# setup the amavisd and spamassassin home directory for the amavisd user:
mkdir -p /var/amavisd
chown _amavisd._amavisd /var/amavisd
chmod 750 /var/amavisd
cd /var/amavisd
mkdir .spamassassin
touch .spamassassin/user_prefs
chown -R _amavisd._amavisd .spamassassin

# Install and Configure Amavisd-new
# Copy the perl code file, set permissions and make it executable.
# Maia likely has a custom version to replace this one
mkdir -p /install
cd /install
lynx http://www.ijs.si/software/amavisd/amavisd-new-20030616-p10.tar.gz
tar xvfz amavis*gz
cd amavisd-new-20030616
cp amavisd /usr/local/sbin/
chown root.wheel /usr/local/sbin/amavisd
chmod 550 /usr/local/sbin/amavisd
cp -p amavisd.conf /etc/
chown root.wheel /etc/amavisd.conf
chmod 644 /etc/amavisd.conf
touch /var/amavisd/amavis.log
chown _amavisd._amavisd /var/amavisd/amavis.log

# edit /etc/amavisd.conf:
$MYHOME = '/var/amavisd';
$mydomain = 'mydomain.ca';
$daemon_user = '_amavisd';
$daemon_group = '_amavisd';
$TEMPBASE = "$MYHOME/tmp";
$daemon_chroot_dir = $MYHOME;
$forward_method = 'smtp:127.0.0.1:10025';
$notify_method = $forward_method;
$inet_socket_bind = '127.0.0.1';
$log_level = 5; # (defaults to 0)
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;
# MySQL user and password must match the GRANT in the INSTALLING MAIA section
@lookup_sql_dsn = ( ['DBI:mysql:database=maia;host=127.0.0.1;port=3306', '_amavisd', 'amavis-password'] );

# uncomment clamd anti-virus and use /tmp/clamd:
## http://clamav.elektrapro.com/
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", '/tmp/clamd'],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

$sa_debug = 1;

# Next we need to create the directories used by amavisd:
mkdir /var/amavisd/tmp
chown _amavisd:_amavisd /var/amavisd/tmp
chmod 750 /var/amavisd/tmp
mkdir /var/amavisd/quarantine
chown _amavisd:_amavisd /var/amavisd/quarantine
chmod 750 /var/amavisd/quarantine

# do everything needed to run amavisd-new in a chroot jail:
cd /var/amavisd
mkdir -p etc dev tmp var/run
mkdir -p usr/bin usr/share/zoneinfo usr/lib usr/libexec
mkdir -p usr/local/share/spamassassin etc/mail/spamassassin
mknod dev/null c 2 2

# Setup a symbolic link so the chrooted process can refer to
# /var/amavisd and still get the files in /var/amavisd (which would then be /)
ln -s / var/amavisd

# Copy the helper programs we need from /usr/bin and /usr/local/bin
# into our chroot usr/bin directory
cp -p /usr/bin/file usr/bin
cp -p /usr/bin/gzip usr/bin
cp -p /usr/local/bin/arc usr/bin
cp -p /usr/local/bin/bzip2 usr/bin
cp -p /usr/local/bin/zoo usr/bin
cp -p /usr/local/bin/unrar usr/bin
cp -p /usr/local/bin/unarj usr/bin
cp -p /usr/local/bin/lha usr/bin

# Copy the configuration files for our system to our chroot etc directory.
cp -p /etc/protocols etc
cp -p /etc/services etc
cp -p /etc/hosts etc
cp -p /etc/magic etc
cp -p /etc/resolv.conf etc

# Copy the SpamAssassin files we need to our chroot directory
cp -p /etc/mail/spamassassin/local.cf etc/mail/spamassassin/
cp -rp /usr/local/share/spamassassin usr/local/share

# Set strict permissions.
# Note that amavisd must own its home directory (/var/amavisd)
chown -R root.wheel etc dev tmp usr var
chown -R _amavisd:_amavisd .spamassassin    # .razor quarantine var/dcc
chmod 1777 tmp
chmod 666 dev/null
touch /var/amavisd/blacklist
touch /var/amavisd/whitelist
touch /var/amavisd/spam_lovers

# create /var/amavisd/notify_spam_sender.txt:
------------- start of file ----------------
From: SpamAssassin
Subject: **Message you sent blocked by our SPAM filter**
[? %m |#|In-Reply-To: %m]
Message-ID:

Your message to: %R
has triggered our SpamAssassin SPAM filters and has been rejected. The email
you sent with the following subject has NOT BEEN DELIVERED:

Subject: %j

Our company uses a set of email filters to help block the delivery of
unsolicited commercial email, otherwise known as SPAM. For more information
on SPAM, please visit http://spam.abuse.net.

If you believe that you have received this message in error, please accept
our sincere apologies. We ask that you please reply to this email message.
When we receive your reply, we will add your email address to our whitelist
of approved senders so that in the future we can avoid making this mistake
again. Please note that this is a manual process and is only done during
business hours.

The report below will help you determine why your message was flagged as
SPAM. If you continue to have problems, please contact our Helpdesk at
800-555-1212.

Thank you very much,
Postmaster

SpamAssassin report:
[%A
]\
------------- end of file ----------------


ClamAV antivirus

mkdir -p /usr/ports/security/clamav
cd /usr/ports/security/clamav
# see http://www.fatbsd.com/openbsd/ warning about sourceforge:
# vi /usr/ports/infrastructure/templates/network.conf.template
  MASTER_SITE_SOURCEFORGE+= \
  add: http://easynews.dl.sourceforge.net/sourceforge/ \
lynx http://www.fatbsd.com/openbsd/clamav/download.php?file=clamav-0.80_3.6.tar.gz
# save without a trailing ;
tar xvzf ./clamav*.gz
cd clamav-0.80
make
make install

[ ! -f /etc/clamd.conf ] && cp /usr/local/share/examples/clamav/clamd.conf /etc/
# edit /etc/clamd.conf with
DatabaseDirectory /usr/local/share/clamav/
LogFile /var/log/clamd.log
PidFile /var/run/clamd.pid
TemporaryDirectory /var/tmp
LocalSocket /tmp/clamd
TCPAddr 127.0.0.1
StreamMaxLength 20M
User _amavisd

[ ! -f /etc/freshclam.conf ] && cp /usr/local/share/examples/clamav/freshclam.conf /etc/
# edit /etc/freshclam.conf with:
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/freshclam.log
LogVerbose
DatabaseOwner _amavisd
NotifyClamd

cd /var/amavisd/
# move real copies to amavisd/etc and link back to /etc
[ ! -f etc/clamd.conf ] && mv /etc/clamd.conf etc/
ln -s /var/amavisd/etc/clamd.conf /etc/clamd.conf
[ ! -f etc/freshclam.conf ] && mv /etc/freshclam.conf etc/
ln -s /var/amavisd/etc/freshclam.conf /etc/freshclam.conf
mkdir usr/local/share/clamav
mkdir usr/local/sbin
mkdir usr/local/bin

# copy the shared libraries clamd and freshclam link against into the jail
set `ldd /usr/local/sbin/clamd /usr/local/bin/freshclam | grep lib | awk '{print $NF}' | sort -u`
for I in $*
do
  mkdir -p `dirname /var/amavisd$I`
  cp -p $I /var/amavisd$I
done

cp -Rp /usr/local/share/clamav usr/local/share/
cp -p /usr/local/bin/freshclam usr/local/bin/
cp -p /usr/local/sbin/clamd usr/local/sbin/
# on i386, urandom is major 45, minor 2 (c 2 2 is /dev/null);
# confirm with ls -l /dev/urandom
mknod dev/urandom c 45 2
chown -R _amavisd:_amavisd /var/amavisd/usr/local/share/clamav
chmod -R 750 /var/amavisd/usr/local/share/clamav    # maybe 600
mkdir var/log var/tmp
touch var/log/freshclam.log
chown -R _amavisd._amavisd var/log var/tmp var/run
chmod 744 var/log var/tmp var/run

# get libs
FILES=` find . -type f | grep "bin/"`
set `for FILE in $FILES; do ldd $FILE; done | grep " /" | awk ' {print $NF}' | sort -u | cut -c2-`
for LIB in $*
do
  rm -rf $LIB
  echo "copying /$LIB..."
  mkdir -p `dirname $LIB` 2>/dev/null
  cp -p /$LIB $LIB
done

# if this is missing, it will randomly fail loading libraries
mkdir -p var/run
cp /var/run/ld.so.hints /var/amavisd/var/run/

# Start freshclam:
chroot -u _amavisd /var/amavisd /usr/local/bin/freshclam -d

# Start clamd:
chroot -u _amavisd /var/amavisd /usr/local/sbin/clamd

# Add these commands to /etc/rc.local:
----------------- rc.local ----------------
# Start clamd antivirus
echo "Starting clamd antivirus...\c"
chroot -u _amavisd /var/amavisd /usr/local/sbin/clamd && echo "OK\c" || echo "FAILED\c "
for I in 1 2 3 4 5
do
  [ -S /var/amavisd/tmp/clamd ] && break
  echo ".\c"
  case "$I" in
    5) echo "\n\nWarning: /etc/rc.local unable to find clamd socket!";;
  esac
  sleep 1
done
echo

# Start freshclam virus updater
echo "Starting freshclam virus updater...\c"
chroot -u _amavisd /var/amavisd /usr/local/bin/freshclam -d && echo OK || echo FAILED
----------------- rc.local ----------------

# this script (saved as /usr/local/bin/clean_amavisd) could be used to
# clean the amavisd folders from cron at 5:30am
# maybe this is handled already by maia?
find /var/amavisd/tmp -type d -name 'amavis-*' -prune -mtime +20 -exec rm -rf {} \;
find /var/amavisd/tmp -name 'sa*' -mtime +20 -exec rm {} \;
find /var/amavisd/quarantine -name 'virus-*' -mtime +20 -exec rm {} \;

# run crontab -e and start at 5:30am
# cleanup the amavisd temp files
30 5 * * * /usr/local/bin/clean_amavisd


Install MySQL PHP and APACHE WEB SERVER

# Apache is installed by default and just needs to be enabled:
vi /etc/rc.conf.local
# change httpd_flags=""
mkdir /var/www/tmp
mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc/
cp /etc/services /var/www/etc/

# INSTALL MYSQL
cd /install
mkdir mysql
cd mysql
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mysql-client-4.0.20.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mysql-server-4.0.20.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-DBD-mysql-2.9004.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-DBI-1.43.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-Net-Daemon-0.38.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/p5-PlRPC-0.2018.tgz
pkg_add mysql-server*

# PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
# To do so, start the server, then issue the following commands:
/usr/local/bin/mysqld_safe &
/usr/local/bin/mysqladmin -u root password 'new-password'
/usr/local/bin/mysqladmin -u root -h mail.mydomain.ca password 'new-password'
# use 'mysql -p' to access mysql databases (-p prompts for a password)

# add the command to /etc/rc.local to start mysql during boot:
----------------- rc.local ----------------
# start mysql server
echo "Starting mysql server...\c"
/usr/local/bin/mysqld_safe &
sleep 2
----------------- rc.local ----------------

# INSTALL PHP
cd /install
mkdir php
cd php
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-core-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-imap-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-mysql-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-pear-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/c-client-4.61.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/gettext-0.10.40p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libiconv-1.9.1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
pkg_add php4-core*

# enable the php4 module with:
/usr/local/sbin/phpxs -s

vi /var/www/conf/httpd.conf
AddType application/x-httpd-php .php
ServerName www.mydomain.ca
ServerAdmin info@mydomain.ca
DirectoryIndex index.php index.html index.htm

cp /usr/local/share/doc/php4/php.ini* /var/www/conf/
cp /var/www/conf/php.ini-dist /var/www/conf/php.ini
# or use the tighter -recommended version

# modify the include_path in php.ini
vi /var/www/conf/php.ini
include_path = ".:/pear/lib:/var/www/pear/lib:/pear:/var/www/pear"

pkg_add php4-mysql*
/usr/local/sbin/phpxs -a mysql
pkg_add php4-imap*
/usr/local/sbin/phpxs -a imap
pkg_add php4-pear*

# php gd library
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-gd-4.3.8-no_x11.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/t1lib-5.0.0.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/jpeg-6b.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/png-1.2.5p5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/tiff-3.6.1p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/freetype-1.3.1p1.tgz
pkg_add php4-gd*
/usr/local/sbin/phpxs -a gd

# php mcrypt support
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-mcrypt-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libmcrypt-2.5.5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libtool-1.5.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libltdl-1.5.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/mhash-0.9.1.tgz
pkg_add php4-mcrypt*
/usr/local/sbin/phpxs -a mcrypt

# php ldap support
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/php4-ldap-4.3.8.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/openldap-client-2.1.30.tgz
pkg_add php4-ldap-4.3.8.tgz
/usr/local/sbin/phpxs -a ldap

# jpgraph support
# website is: http://www.aditus.nu/jpgraph/jpdownload.php
cd /install
mkdir jpgraph
cd jpgraph
lynx http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17beta2.tgz
tar xvfz jpgraph*tgz
cd jpgraph-1.17beta2
mkdir /var/www/pear/jpgraph
cp -p src/* /var/www/pear/jpgraph/

cpan -i DBI

PEAR

pear install PEAR
pear install XML_RPC
pear install PEAR
pear install Archive_Tar
pear install Console_Getopt
pear install DB
pear install HTTP
pear install Mail
pear install Net_Socket
pear install Net_SMTP
pear install XML_Parser
pear install Mail_Mime
pear install DB_Pager
pear install Log

pear list    # should show these versions or higher:
Package          Version   State
Archive_Tar      1.2       stable
Console_Getopt   1.2       stable
DB               1.6.8     stable
DB_Pager         0.7       stable
HTTP             1.3.3     stable
Log              1.8.6     stable
Mail             1.1.4     stable
Mail_Mime        1.2.1     stable
Net_SMTP         1.2.6     stable
Net_Socket       1.0.2     stable
PEAR             1.3.3     stable
XML_Parser       1.2.1     stable
XML_RPC          1.1.0     stable

pear upgrade-all    # should return nothing

# www
cd /var/www
mkdir -p var/www/pear
chown -R www.daemon var tmp
cp -r pear /var/www/var/www/

cd /install
mkdir mime
cd mime
ftp http://search.cpan.org/CPAN/authors/id/E/ER/ERYQ/MIME-tools-6.200_02.tar.gz
tar xvfz MIME-tools*
cd MIME*02
# install pre-requisites:
cpan -i Unicode::Map
cpan -i Unicode::String
perl Makefile.PL
make && make test && make install


INSTALLING FETCHMAIL

# note: only required if you are retrieving pop3 e-mail accounts
mkdir -p /install/fetchmail
cd /install/fetchmail
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/fetchmail-6.2.5.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/gettext-0.10.40p1.tgz
ftp ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/libiconv-1.9.1.tgz
pkg_add fetchmail-6.2.5.tgz

# edit rc.local and add:
# startup fetchmail to grab pop3 mail from shaw every 60 sec.
/usr/local/bin/fetchmail -f /etc/fetchmailrc -d 60


INSTALLING MAIA

mkdir -p /install/maia
cd /install/maia
# svn checkout https://www.renaissoft.com/svn/maia/trunk
svn checkout https://www.renaissoft.com/svn/maia/tags/V1_0_0_RC5_2
cd V1_0_0_RC5_2

if [ -f amavisd-maia ]; then
  cp /usr/local/sbin/amavisd /usr/local/sbin/amavisd.prev
  cp amavisd-maia /usr/local/sbin/amavisd
else
  echo "Warning: I didn't find a copy of amavisd-maia to install"
  echo Press Enter:
  read key
fi

# Force re-creation of mysql maia database (optional if upgrading):
echo "DROP DATABASE maia;" | mysql -u root --password=mypassword mysql
echo "CREATE DATABASE maia;" | mysql -u root --password=mypassword mysql
mysql -u root --password=mypassword maia < maia-mysql.sql
echo "GRANT CREATE, DROP, ALTER, SELECT, INSERT, UPDATE, DELETE ON maia.* TO _amavisd IDENTIFIED BY 'amavis-password';" | mysql -u root --password=mypassword maia amavisd@localhost.mydomain.ca

[ -d /var/www/maia.o ] && rm -rf /var/www/maia.o
[ -d /var/www/maia ] && mv /var/www/maia /var/www/maia.o
mkdir -p /var/www/maia/scripts
cp -rp scripts/* /var/www/maia/scripts/
cd /var/www/maia/scripts
for FILE in `grep -l "/var/amavisd/maia" *`
do
  mv "$FILE" "$FILE.orig"
  sed 's!/var/amavisd/maia!/var/www/maia!g' "$FILE.orig" > "$FILE"
done

cd /install/maia/V1_0_0_RC5_2
mkdir /var/www/maia/templates
cp -rp templates/* /var/www/maia/templates/
chown -R _amavisd._amavisd /var/www/maia
chmod 644 /var/www/maia/templates/*.tpl*
chmod 750 /var/www/maia/scripts/*.pl*

cat > /var/www/maia/scripts/database.cfg << END
# Database configuration for Maia Mailguard perl scripts
#
# IMPORTANT: Make sure this file is not world-readable!
# Consider installing this file in a subdirectory beneath
# your amavis directory, e.g. /var/amavisd/maia, and set
# the owner and group of this directory to your amavis
# user (e.g. "amavis"), and use chmod 750 for this file.

# Configure your database DSN here
dsn = "DBI:mysql:maia:127.0.0.1:3306"

# Your database user's login name
username = "_amavisd"

# Your database user's password
password = "amavis-password"
END
chmod 640 /var/www/maia/scripts/database.cfg*

cd /var/www/maia/scripts
./load-sa-rules.pl

[ -d /var/www/htdocs/mail.o ] && rm -rf /var/www/htdocs/mail.o
[ -d /var/www/htdocs/mail ] && mv /var/www/htdocs/mail /var/www/htdocs/mail.o
cd /install/maia/V1_0_0_RC5_2
mkdir /var/www/htdocs/mail
cp -rp php/* /var/www/htdocs/mail/
cat /var/www/htdocs/mail/config.php.dist |
  sed 's!$maia_sql_dsn = "mysql://amavis:passwd@tcp(localhost:3306)/maia";!$maia_sql_dsn = "mysql://_amavisd:amavis-password@tcp(127.0.0.1:3306)/maia";!' >/var/www/htdocs/mail/config.php
chown -R root.bin /var/www/htdocs/mail
chmod -R og-w /var/www/htdocs/mail


Verify Everything

# verify everything is current and OK:
cd /var/www/maia/scripts
./configtest.pl

/usr/local/sbin/amavisd debug
# scan for errors, ctrl-c when done

# edit /etc/postfix/main.cf and uncomment the content filter for amavisd

# add amavisd startup to /etc/rc.local:
----------------- rc.local ----------------
# Start amavisd spam filter
echo "Starting amavisd...\c"
/usr/local/sbin/amavisd && echo OK || echo FAILED
----------------- rc.local ----------------

# reboot and watch boot and review /var/log
try sending e-mail
From a workstation, try accessing: http://192.168.x.y/mail/configtest.php


CLEAN UP LOGGING

/etc/amavisd.conf
# $sa_debug = 1;
$log_level = 2; # (defaults to 0)


MAIA CONFIGURATION:

# Based on my single domain with one administrator for everything I do the following:
http://192.168.x.y/mail/internal-init.php
  template: /maia/templates/newuser.tpl
  login page: http://192.168.x.y/mail/login.php
  e-mail: info@mydomain.ca
  e-mail: info@mydomain.ca

Check your e-mail for the password.
Proceed to login page:
http://192.168.x.y/mail/login.php?super=register
  login: info@mydomain.ca
  password: from your e-mail

You'll be presented with the login page as usual, but if you log in
successfully and no other user in the database currently has
super-administrator privileges, you'll be assigned these privileges.
You only have to do this once; after that, you can log in just like any
other user, and your super-administrator privileges will be granted to
you automatically.

Only one user can be administrator. Assuming the user is info@mydomain.ca
and it was the first user added with internal-init.php then you can reset
the account at the mysql command prompt as follows:

mysql -u root -p maia
use maia;
# change password:
UPDATE maia_users SET user_name = "info@mydomain.ca", password = md5("newpassword") WHERE id = "2";
# set super-user:
UPDATE maia_users SET user_name = "info@mydomain.ca", user_level = "S" WHERE id = "2";

Once logged in as admin user:

Click on Admin button
Click on System Administration
Set the following:
  Enable auto-creation of accounts: Yes
  Auto-issue passwords: No
  Allow administrators to read user's mail: Yes
  Oversized items should be: Accepted
Update Settings

Return to Admin menu
Click on Domains
Click on System Default(@.)
Set the following:
  Virus Scanning: Enabled
  Detected viruses: Discarded
  Spam Filtering: Enabled
  Detected spam: Quarantined
  score = 3.5 for each
  Attachment filtering: Enabled
  Detected Attachments: Quarantined
  Bad Header filtering: Enabled
  Detected Bad Headers: Quarantined
  Ham items cached: Yes
  Enabled auto user creation: Yes
Update the domain defaults

Click on Settings button
Click on primary e-mail address
Select the same settings here as the domain defaults
Update all address settings.
Return to settings
Set the following miscellaneous settings (near bottom of page):
  Send quarantine reminder: No
  Add senders to whitelist? No
  Mail items displayed: 100
Update Miscellaneous settings

Send an e-mail to each account that you want to be administered by
the admin user. (or you can add the e-mail addresses in the Admin

Click on the Admin button
Click Users
In the Link E-mail address/Alias section:
For each e-mail address in the top that you want administered:
  click the address in the top
  click the admin address in the bottom box
  click the Link E-mail address button

Done!

To review spam click on the quarantine button. These items were not delivered.
To deliver a message, mark it as Ham.

To review the ham messages, click the Report Spam button.
Spam messages can be marked as spam and will update spamassassin.
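

The Postfix test step above ("telnet 192.168.x.y 10025 # should be refused") checks one port by hand. The script below is an added example, not part of the original notes: it runs the same check over `netstat -an -f inet` output for every filter port at once. The function name and both sample listings are constructed for illustration, and the BSD "address.port" column layout is assumed.

```shell
#!/bin/sh
# Added example: flag filter ports that listen on anything but loopback.

# exposed_listeners PORTS   (reads netstat -an output on stdin)
# PORTS is a space-separated list, e.g. "10024 10025".
# Prints "port address" for each LISTEN socket on one of those ports whose
# local address is not loopback; prints nothing when all are loopback-only.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # BSD netstat prints the local address as address.port, e.g. *.25
            port = $4; sub(/^.*\./, "", port)
            addr = $4; sub(/\.[^.]*$/, "", addr)
            if ((port in want) && addr != "127.0.0.1" && addr != "::1")
                print port, addr
        }'
}

# Constructed sample: the layout these notes aim for. The amavisd port
# (10024) and the Postfix re-injection port (10025) are loopback-only,
# while SMTP and ssh are reachable from the network.
SAMPLE_OK='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.10025        *.*                    LISTEN
tcp        0      0  127.0.0.1.10024        *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'

# Constructed sample: master.cf entry written as "10025 inet ..." without
# the 127.0.0.1: prefix, and amavisd bound to a LAN address (192.0.2.10 is
# a documentation address).
SAMPLE_BAD='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.10025                *.*                    LISTEN
tcp        0      0  192.0.2.10.10024       *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN'

# On the mail server itself:
#   netstat -an -f inet | exposed_listeners "10024 10025"
printf '%s\n' "$SAMPLE_BAD" | exposed_listeners "10024 10025"
```

Any output means a filter port is reachable from the network, so mail could be injected past the content filter; fix the bind address in master.cf or amavisd.conf before uncommenting content_filter in main.cf.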
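

The chroot steps above create dev/null and dev/urandom with mknod, which takes the major and minor numbers by hand, so a jail node can end up pointing at a different driver than its name suggests. The check below is an added example, not part of the original notes: it compares `ls -l` listings of the jail's device nodes with the host's. The function name and both listings are constructed, and the BSD `ls -l` device layout ("major, minor" in place of the size) is assumed.

```shell
#!/bin/sh
# Added example: compare chroot device nodes with the host's /dev entries.

# jail_dev_mismatch HOST_LISTING JAIL_LISTING
# Each argument is `ls -l` output for device nodes. Prints one line per jail
# node whose type or major/minor differs from the host node of the same
# name ("name jail=cMAJ,MIN host=cMAJ,MIN"), or "name missing-on-host".
jail_dev_mismatch() {
    {
        printf '%s\n' "$1" | sed 's/^/H /'
        printf '%s\n' "$2" | sed 's/^/J /'
    } | awk '
        # fields after the H/J tag: mode links owner group MAJ, MIN date name
        $2 ~ /^[cb]/ {
            maj = $6; sub(/,$/, "", maj)
            id = substr($2, 1, 1) maj "," $7
            name = $NF; sub(/^.*\//, "", name)   # accept /dev/null or null
            if ($1 == "H") host[name] = id
            else jail[name] = id
        }
        END {
            for (n in jail) {
                if (!(n in host))
                    print n, "missing-on-host"
                else if (jail[n] != host[n])
                    print n, "jail=" jail[n], "host=" host[n]
            }
        }' | sort
}

# Constructed sample: host nodes as `ls -l /dev/null /dev/urandom` would
# list them on i386.
HOST_DEV='crw-rw-rw-  1 root  wheel    2,   2 Nov  1 10:00 /dev/null
crw-r--r--  1 root  wheel   45,   2 Nov  1 10:00 /dev/urandom'

# Constructed sample: a jail in which urandom was created with the numbers
# of /dev/null, so every read from it returns end-of-file instead of
# random bytes.
JAIL_DEV='crw-rw-rw-  1 root  wheel    2,   2 Nov  1 10:05 null
crw-r--r--  1 root  wheel    2,   2 Nov  1 10:05 urandom'

# On the mail server itself:
#   jail_dev_mismatch "$(ls -l /dev/null /dev/urandom)" \
#       "$(ls -l /var/amavisd/dev/null /var/amavisd/dev/urandom)"
jail_dev_mismatch "$HOST_DEV" "$JAIL_DEV"
```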