Return-Path:    <"andrew@topdog.za.net"@xxxx.xxxx.co.za>
...
Sender:     "andrew@topdog.za.net"@xxxx.xxxx.co.za
...

To fix this you need to modify your acl_check_rcp acl and add sender_retain to control.

accept  authenticated = *
          control       = submission/sender_retain

Restart exim and you are good to go.

In this post i will describe how you can catch the mail that has slipped through your SMTP DNSBL checks.

To identify these messages i use Spamassassin's URIDNSBL plugin which extracts the uri's in an email and checks each of them against the DNSBL.

Create a file called ispa.cf in your Spamassassin configuration directory usually /etc/mail/spamassassin with the following contents

# /etc/mail/spamassassin/ispa.cf
urirhsbl        URIBL_BARUWA    ispa.rbl.baruwa.net.   A
body            URIBL_BARUWA    eval:check_uridnsbl('URIBL_BARUWA')
describe        URIBL_BARUWA    Contains a URL listed in the Baruwa blocklist
score           URIBL_BARUWA    7.0

Restart Spamassassin and email from those domains that by pass the DNSBL checks by using 3rd party senders should now be tagged as Spam by Spamassassin with a score of 7.0

Feedback is welcome, as Spam fighting is always an on going battle.

I extract the data from this web page and publish it in a DNSBL ispa.rbl.baruwa.net, i use this DNSBL in my SAAS mail security product. So anyone should be able to use it in a similar way to the other DNSBL's like spamhaus and spamcop etc.

Command line checking

You can check if a domain is on the list using the normal command line utilities

Using host:

host amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net has address 127.0.0.2

Using dig:

dig amazingresults.co.za.ispa.rbl.baruwa.net

Output:

;; QUESTION SECTION:
;amazingresults.co.za.ispa.rbl.baruwa.net. IN A

;; ANSWER SECTION:
amazingresults.co.za.ispa.rbl.baruwa.net. 1993 IN A 127.0.0.2

Checking the TXT output:

host -t txt amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net descriptive text 
"Domain amazingresults.co.za is listed in the ISPA Hall of Shame,
http://ispa.org.za/spam/hall-of-shame/"

Usage

Usage of the DNSBL in various MTA's is described below.

Exim

Add the following to your rcpt acl (acl_check_rcpt:).

drop    message       = REJECTED - $dnslist_text
        dnslists      = ispa.rbl.baruwa.net/$sender_address_domain

Postfix

Add to smtpd_recipient_restrictions after permit_mynetworks in your main.cf file

reject_rhsbl_client ispa.rbl.baruwa.net,
reject_rhsbl_sender ispa.rbl.baruwa.net,

Sendmail

Add to your mc file and rebuild the cf

FEATURE(rhsbl,`ispa.rbl.baruwa.net',`"550 Mail from domain " $`'&{RHS} " refused.
Domain is listed in the ISPA Hall of Shame -  http://ispa.org.za/spam/hall-of-shame/"')

How the data is extracted

The data is extracted using an automated custom web crawler written using Scrapy in Python. The crawler extracts both the domains and the email addresses, the domains are processed and added to the DNSBL, the emails addresses get processed and added to the email blacklists on our SAAS platform.

Update

Some of these domains have resorted to using third party senders, which means the smtp envelope is no longer the one listed on the hall of shame, i have written a followup post which describes how you can identify and flag as spam these messages that bypass the SMTP time DNSBL checks.

1: xxx.xxx.xxx.1
2: xxx.xxx.xxx.2
3: xxx.xxx.xxx.3
4: xxx.xxx.xxx.4

Set the transport to:

remote_smtp:
  driver = smtp
  interface = "${lookup {${randint:5}} lsearch {/etc/exim/ips.txt}}"

randint will return a random number between 1-4 which is then looked up in the file and used if you have more ip's just add to the list and increment the randint value to number ips + 1

exim -bP

Print the contents of the queue

exim -bp

Print the number of items in the queue

exim -bpc

Test addresses

exim -bt addresss

Print exim version and test configuration

exim -bV

Verify addresses

exim -bv address

Deliver a message

exim -M message-id

Add addresses to a message

exim -Mar message-id address address

Freeze messages to prevent delivery

exim -Mf message-id

Force delivery of a message

exim -Mg message-id

Remove a message from the queue

exim -Mrm message-id

Unfreeze a message

exim -Mt message-id

Display a message

exim -Mvc message-id

This how to describes the installation and configuration of a mail system on Centos 5.1 with selinux enabled for enhanced security. This system will be able to service HTTP, HTTPS, SMTP, TLS, SMTP-AUTH, IMAP, POP3 clients and is virtual enabled allowing more that one domain to be served from the system.

The webmail client imp will provide a feature rich interface with a webmail component, an address book, calendaring, and ability to reset passwords all with a highly configurable preference system to enable users to modify their look and feel as well as the operation of the interface.

The IMAP/POP3 system is the high performance cyrus-imapd system that runs as a sealed unit (mail users are not system users) and utilizes a high end/ performance back end for mail storage. The other cyrus-imapd features include, mail indexing for quick search operations using squat, a notification daemon that can be configured to notify via sms or email, sieve filtering system (auto response, mail filtering, notifications, filing), and built in quota system. This system will use pam_mysql via the SASL (saslauthd) mechanism to authenticate users against the Mysql database back end shared by all the components.

The exim system will be configured to enable users relay mail using TLS secured SMTP-AUTH, using the same database backend that is shared by all the components. Address verification will take place using SQL queries to the mysql backend before any mail is accepted for delivery to the cyrus-imapd mail store. Anti-virus checks are integrated into this system with the use of clamav via a Unix domain socket. Spam checks are also run at smtp time via a socket connection to the spamd spamassasin system messages scoring over 6 are automatically rejected with out being spooled to the system.

The mysql database will store the user authentication information encrypted using md5-hex as well as other information for the other webmail components.

This system is designed for high performance and security, cutting down on open ports and prefering to use unix domain sockets and running selinux in enforcing mode.

User account management takes place via the horde web interface allowing the admin easy access to add and remove accounts or to manage passwords, it is also possible to interact directly with the database table and make alterations there.

OS Installation notes

For the purpose of keeping this howto precise i will not take you through the actually installation of the Centos 5.1 system i will assume that you have a bare bones install, a kickstart to help you get a bare bones install is can be downloaded here

For this tutorial i will be using the static IP address 192.168.1.4 and the hostname mail.home.topdog-software.com with a domain of home.topdog- software.com, please feel free to make alterations to suite your environment. The working directory will be /usr/local/src all packages to be downloaded should be downloaded and extracted there.

Software installation

Install prerequisites

Update the system.

yum update

Configure rpmforge repo

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Disable the repo (such that base packages not overwritten) edit /etc/yum.d/rpmforge.repo and set the following option

enabled = 0

Install Apache

yum install httpd php php-mysql php-xml php-imap php-mbstring php-mcrypt \
php-pecl-Fileinfo php-pear-DB php-pear-File php-pear-Log php-pear-Mail-Mime \
php-pear-Auth-SASL php-pear-Date php-pear-HTTP-Request php-pear-Mail php-pear-Net-Sieve \
php-pear-Net-Socket php-pear-Net-SMTP openssl mod_ssl -y

Install Exim

yum install exim system-switch-mail -y

Install Mysql

yum install mysql mysql-server -y

Install Horde

yum install horde imp-h3 ingo-h3 turba-h3 kronolith-h3 -y
wget ftp://ftp.horde.org/pub/passwd/passwd-h3-3.0.1.tar.gz
tar xzvf passwd-h3-3.0.1.tar.gz -C /usr/share/horde
mv /usr/share/horde/passwd-h3-3.0.1 /usr/share/horde/passwd

Install cyrus-imapd

I will use the Invoca systems source rpm as it is more recent and support many features that the Centos build does not provide.

yum install db4-utils -y
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-perl-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-utils-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-2.3.11-3.i386.rpm

Install Pam_mysql

rpm -Uvh http://www.topdog-software.com/oss/pam_mysql/pam_mysql-0.7RC1-1.i386.rpm

Install ClamAV

yum --enablerepo=rpmforge install clamav clamav-db clamd -y

Install Spamassassin

yum install spamassassin -y

Configuration

Configure Apache

Enable virtual hosting and create default virtualhost, edit /etc/httpd/conf/httpd.conf and add at the end

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@home.topdog-software.com
</VirtualHost>

Create the virtual host for horde webmail add this under the above

<VirtualHost *:80>
        Servername mail.home.topdog-software.com
        DocumentRoot /usr/share/horde
        ErrorLog logs/mail-error_log
        CustomLog logs/mail-access_log common
</VirtualHost>

Enable horde security settings edit the file /etc/httpd/conf.d/horde.conf and set as below

#Alias /horde /usr/share/horde
<Directory /usr/share/horde>

    Options +FollowSymLinks
    php_admin_flag safe_mode off
    php_admin_flag magic_quotes_runtime off
    php_flag session.use_trans_sid off
    php_flag session.auto_start off
    php_admin_flag file_uploads on
    #php_admin_flag allow_url_fopen on

    php_value post_max_size 20M
    php_value upload_max_filesize 10M

    php_admin_value open_basedir "/usr/share/horde:/usr/share/horde/config:/usr/share/pear:/tmp"
    php_admin_flag register_globals off
</Directory>

<Directory /usr/share/horde/config>
    Order Deny,Allow
    Deny from all
</Directory>

<DirectoryMatch "^/usr/share/horde/(.*/)?(config|lib|locale|po|scripts|templates)/(.*)?">
    Order Deny,Allow
    Deny from all
</DirectoryMatch>

Increase PHP memory limit edit /etc/php.ini and change to below

memory_limit = 64M

Enable horde under SSL edit /etc/httpd/conf.d/ssl.conf and add the following to the default virtualhost between the tags

Servername mail.home.topdog-software.com:443
DocumentRoot /usr/share/horde

Configure Exim

Switch the MTA to exim

 system-switch-mail (select exim)

Anti-virus / Sanesecurity Checks

Configure Exim (/etc/exim/exim.conf) to use clamav to scan incoming mail and reject virus infected email and image and pdf spam at smtp time.

av_scanner = clamd:/var/run/clamav/clamd.sock

RBL's

Configure the RBL's under acl_check_rcpt:

drop    message       = REJECTED because $sender_host_address is in a black list spamhaus.org
           dnslists      = zen.spamhaus.org

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = bl.spamcop.net

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = dnsbl.sorbs.net

Anti Spam

If you want to reject messages from servers with no reverse dns add this under acl_check_rcpt:, it does have a exception list to which you can add domains where the acl should not be applied and trys to deliver a test message to sending address to verify if the sender is valid.

drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}

To reject messages from clients that dont provide a HELO/EHLO add this to acl_check_rcpt:

drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}

You can rate limit the connections to your server as well add this to acl_check_connect: to do so (read the exim docs on the parameters if you want to fine tune it for your site)

deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)

accept

Stop rogue spam bots from trashing your machine

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Don't advertise pipelining

pipelining_advertise_hosts =

Enable Spamassassin checks

spamd_address = /var/run/spamassassin/spamd.sock

Reject all messages with score above 6 at smtp time. (acl_check_data)

accept  condition  = ${if >={$message_size}{100000} {1}}
        add_header = X-Spam-Note: SpamAssassin run bypassed due to message size

  warn    spam       = nobody/defer_ok
        add_header = X-Spam-Flag: YES

  accept  condition  = ${if !def:spam_score_int {1}}
        add_header = X-Spam-Note: SpamAssassin invocation failed

  warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
#       X-Spam-Report: $spam_report

  drop    condition = ${if >{$spam_score_int}{60} {1}}
        message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
        $spam_report

Mail routing

Enable access to Mysql database

hide mysql_servers = localhost/horde/horde/hordepassword

Modify the local delivery router to deliver to cyrus but verify the email address of user before delivery (in routers section of exim.conf)

localuser:
  driver = accept
  local_parts = ${lookup mysql {SELECT REPLACE(user_uid,'${quote_mysql:@$domain}','') \
         as user FROM horde_users WHERE user_uid='${quote_mysql:$local_part@$domain}'}{$value}}
  transport = local_delivery
  cannot_route_message = Unknown user

Create a transport to deliver to cyrus via lmtp socket

local_delivery:
  driver = lmtp
  socket = /var/lib/imap/socket/lmtp
  batch_max = 50
  user = cyrus

SMTP Authentication

Add the following to the authentication section of /etc/exim/exim.conf

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $2
  server_condition = ${if saslauthd{{$2}{$3}{pop}}{1}{0}}
  server_advertise_condition = true

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}{pop}}{1}{0}}
  server_set_id = $1
  server_advertise_condition = true

Full sample configuration

Download the full configuration file here

Configure Mysql

Disable TCP networking edit /etc/my.cnf and the following in the mysqld section

skip-networking

Set root password

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h impi password 'new-password' -p

Configure Horde

Edit the sql file and change the mysql password for the horde user

cp /usr/share/horde/scripts/sql/create.mysql.sql .
vi create.mysql.sql

REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'horde',
-- IMPORTANT: Change this password!
        PASSWORD('hordepassword')
);

Create the user and populate the horde database

mysql -p < create.mysql.sql

Create the tables for turba (Address book)

mysql -p horde < /usr/share/horde/turba/scripts/sql/turba_objects.mysql.sql

Create the tables for kronolith (calendering)

mysql -p horde < /usr/share/horde/kronolith/scripts/sql/kronolith.mysql.sql

Horde configuration

Create horde base configuration /usr/share/horde/config/conf.php

<?php
$conf['debug_level'] = E_ALL;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['umask'] = 077;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['server']['port'] = $_SERVER['SERVER_PORT'];
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'hordepassword';
$conf['sql']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'iso-8859-1';
$conf['sql']['phptype'] = 'mysqli';
$conf['auth']['admins'] = array('Administrator', 'andrew@home.topdog-software.com');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['params']['table'] = 'horde_users';
$conf['auth']['params']['username_field'] = 'user_uid';
$conf['auth']['params']['password_field'] = 'user_pass';
$conf['auth']['params']['encryption'] = 'md5-hex';
$conf['auth']['params']['show_encryption'] = false;
$conf['auth']['driver'] = 'sql';
$conf['signup']['allow'] = false;
$conf['log']['priority'] = PEAR_LOG_NOTICE;
$conf['log']['ident'] = 'HORDE';
$conf['log']['params'] = array();
$conf['log']['name'] = '/tmp/horde.log';
$conf['log']['params']['append'] = true;
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'sql';
$conf['datatree']['params']['driverconfig'] = 'horde';
$conf['datatree']['driver'] = 'sql';
$conf['group']['driver'] = 'datatree';
$conf['cache']['default_lifetime'] = 1800;
$conf['cache']['params']['dir'] = Horde::getTempDir();
$conf['cache']['params']['gc'] = 86400;
$conf['cache']['driver'] = 'file';
$conf['token']['driver'] = 'none';
$conf['mailer']['params']['auth'] = '0';
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'sql';
$conf['sessionhandler']['params']['persistent'] = false;
$conf['sessionhandler']['params']['rowlocking'] = true;
$conf['sessionhandler']['params']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sessionhandler']['params']['protocol'] = 'unix';
$conf['sessionhandler']['params']['hostspec'] = 'localhost';
$conf['sessionhandler']['params']['username'] = 'horde';
$conf['sessionhandler']['params']['password'] = 'hordepassword';
$conf['sessionhandler']['params']['database'] = 'horde';
$conf['sessionhandler']['type'] = 'mysql';
$conf['problems']['email'] = 'webmaster@home.topdog-software.com';
$conf['problems']['maildomain'] = 'home.topdog-software.com';
$conf['problems']['tickets'] = false;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = true;
$conf['menu']['links']['help'] = 'authenticated';
$conf['menu']['links']['help_about'] = true;
$conf['menu']['links']['options'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['hooks']['permsdenied'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['preauthenticate'] = false;
$conf['hooks']['postauthenticate'] = false;
$conf['hooks']['authldap'] = false;
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;

Set horde preferences to make web mail the default application on logging in. Edit the file /usr/share/horde/config/prefs.php and modify $_prefs['initial_application'] to look as below

$_prefs['initial_application'] = array(
    'value' => 'imp',
    'locked' => true,
    'shared' => true,
    'type' => 'select',
    'desc' => sprintf(_("What application should %s display after login?"), $GLOBALS['registry']->get('name'))
);

Make horde work from within the default root of the web servers, edit /usr/share/horde/config/registry.php and modify $this→applications['horde'] as below

$this->applications['horde'] = array(
    'fileroot' => dirname(__FILE__) . '/..',
    'webroot' => '',
    'initial_page' => 'login.php',
    'name' => _("Horde"),
    'status' => 'active',
    'templates' => dirname(__FILE__) . '/../templates',
    'provides' => 'horde'
);

IMP configuration

Create imp base configuration /usr/share/horde/imp/config/conf.php

<?php
$conf['utils']['spellchecker'] = '/usr/bin/aspell';
$conf['utils']['gnupg'] = '/usr/bin/gpg';
$conf['utils']['gnupg_keyserver'] = array('pgp.mit.edu');
$conf['utils']['gnupg_timeout'] = '10';
$conf['utils']['openssl_cafile'] = '/etc/pki/tls/certs';
$conf['utils']['openssl_binary'] = '/usr/bin/openssl';
$conf['menu']['apps'] = array('ingo', 'kronolith', 'passwd', 'turba');
$conf['user']['select_sentmail_folder'] = false;
$conf['user']['allow_resume_all_in_drafts'] = true;
$conf['user']['allow_folders'] = true;
$conf['user']['allow_resume_all'] = false;
$conf['user']['allow_view_source'] = true;
$conf['user']['alternate_login'] = false;
$conf['user']['redirect_on_logout'] = false;
$conf['server']['change_server'] = false;
$conf['server']['change_port'] = false;
$conf['server']['change_protocol'] = false;
$conf['server']['change_smtphost'] = false;
$conf['server']['change_smtpport'] = false;
$conf['server']['server_list'] = 'none';
$conf['server']['sort_limit'] = '0';
$conf['server']['cache_folders'] = false;
$conf['server']['cache_msgbody'] = true;
$conf['mailbox']['show_attachments'] = false;
$conf['mailbox']['show_preview'] = false;
$conf['mailbox']['show_xpriority'] = false;
$conf['fetchmail']['show_account_colors'] = false;
$conf['fetchmail']['size_limit'] = '4000000';
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['msg']['prepend_header'] = true;
$conf['msg']['append_trailer'] = true;
$conf['compose']['allow_cc'] = true;
$conf['compose']['allow_bcc'] = true;
$conf['compose']['allow_receipts'] = true;
$conf['compose']['special_characters'] = true;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['add_maildomain_to_unexpandable'] = false;
$conf['compose']['attach_size_limit'] = '0';
$conf['compose']['attach_count_limit'] = '0';
$conf['hooks']['vinfo'] = false;
$conf['hooks']['signature'] = false;
$conf['hooks']['trailer'] = false;
$conf['hooks']['fetchmail_filter'] = false;
$conf['hooks']['mbox_redirect'] = false;
$conf['hooks']['mbox_icon'] = false;
$conf['hooks']['spam_bounce'] = false;
$conf['maillog']['use_maillog'] = true;
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;

Create IMP servers configuration /usr/share/horde/imp/config/servers.php (remove all others) with content below

<?php

$servers['cyrus'] = array(
    'name' => 'localserver',
    'server' => 'localhost',
    'hordeauth' => 'full',
    'protocol' => 'imap/notls',
    'port' => 143,
    'maildomain' => '',
    'smtphost' => 'localhost',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'admin' => array(
        'params' => array(
            'login' => 'cyrus',
            'password' => '',
            'userhierarchy' => 'user.',
            'protocol' => 'imap/notls',
            'hostspec' => 'localhost',
            'port' => 143
        )
    ),
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(),
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
);

Prevent compose window from being a popup, edit /usr/share/horde/imp/config/prefs.php and change the variable $_prefs['compose_window'] to look like below

$_prefs['compose_popup'] = array(
    'value' => 0,
    'locked' => true,
    'shared' => true,
    'type' => 'checkbox',
    'desc' => _("Compose messages in a separate window?"));

Kronolith configuration

Create kronolith base configuration /usr/share/horde/kronolith/config/conf.php

<?php
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['metadata']['keywords'] = false;
$conf['reminder']['server_name'] = 'home.topdog-software.com';
$conf['reminder']['from_addr'] = 'postmaster@home.topdog-software.com';
$conf['autoshare']['shareperms'] = 'none';
$conf['menu']['print'] = true;
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');

Turba configuration

Configure the turba base configuration /usr/share/horde/turba/config/conf.php

<?php
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['client']['addressbook'] = 'localsql';
$conf['comments']['allow'] = true;
$conf['documents']['type'] = 'horde';

Ingo configuration

Configure the ingo base configuration /usr/share/horde/ingo/config/conf.php

<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true

Configure the ingo backend to use timsieved in /usr/share/horde/ingo/config/backends.php (remove all other backends)

<?php
$backends['sieve'] = array(
    'driver' => 'timsieved',
    'preferred' => 'localhost',
    'hordeauth' => 'full',
    'params' => array(
        'hostspec' => 'localhost',
        'logintype' => 'PLAIN',
        'usetls' => true,
        'port' => 2000,
        'scriptname' => 'ingo',
    ),
    'script' => 'sieve',
    'scriptparams' => array()
);

Passwd configuration

Configure the passwd base configuration /usr/share/horde/passwd/config/conf.php

<?php
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['backend']['backend_list'] = 'hidden';
$conf['user']['change'] = true;
$conf['user']['refused'] = array('root', 'bin', 'daemon', 'adm', 'lp', 'shutdown',
'halt', 'uucp', 'ftp', 'anonymous', 'nobody', 'httpd', 'operator',
'guest', 'diginext', 'bind', 'cyrus', 'courier', 'games', 'kmem',
'mailnull', 'man', 'mysql', 'news', 'postfix', 'sshd', 'tty', 'www');
$conf['password']['strengthtests'] = false;
$conf['hooks']['full_name'] = true;
$conf['hooks']['default_username'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['userdn'] = false;

Configure the passwd back end to use the horde mysql database in /usr/share/horde/passwd/config/backends.php (remove all others)

<?php
$backends['hordesql'] = array (
    'name' => 'Horde Authentication',
    'preferred' => '',
    'password policy' => array(
        'minLength' => 5,
        'maxLength' => 8,
        'maxSpace' => 0,
        'minUpper' => 1,
        'minLower' => 1,
        'minNumeric' => 1,
        'minSymbols' => 1
    ),
    'driver' => 'sql',
    'params' => array_merge($conf['sql'],
                            array('table' => 'horde_users',
                                  'user_col' => 'user_uid',
                                  'pass_col' => 'user_pass',
                                  'show_encryption' => false)),
);

Secure Horde installation

Secure the horde installation

 chown apache:root -R /usr/share/horde/config
 chown apache:root -R /usr/share/horde/*/config
 chmod -R go-rwx /usr/share/horde/config
 chmod -R go-rwx /usr/share/horde/*/config
 chown -R root:root /usr/share/horde/scripts
 chown -R root:root /usr/share/horde/*/scripts
 chmod -R go-rwx /usr/share/horde/scripts
 chmod -R go-rwx /usr/share/horde/*/scripts
 chmod a-rwx /usr/share/horde/test.php
 chmod a-rwx /usr/share/horde/*/test.php
 find /usr/share/horde/ -iname readme -exec rm -f {} \;
 find /usr/share/horde/ -iname todo -exec rm -vf {} \;
 find /usr/share/horde/ -iname license -exec rm -vf {} \;
 find /usr/share/horde/ -iname copying -exec rm -vf {} \;
 find /usr/share/horde/ -iname docs -exec rm -vrf {} \;

Configure Cyrus-imapd

The cyrus-imapd system will have virtual hosting enabled, sieve scripts, quota's set to 10MB, auto creation (& auto subscription) of the mailbox with these folders (INBOX,sent-mail,drafts,spam,trash). Authentication of users will take place aganist the Mysql database via SASL using the saslauthd daemon.

Create the configuration /etc/imapd.conf with the following content

configdirectory: /var/lib/imap
servername: TDS-IMAP/POP3
partition-default: /var/spool/imap
virtdomains: on
defaultdomain: localhost.localdomain
admins: andrew@home.topdog-software.com
postmaster: support@home.topdog-software.com
quotawarn: 85
lmtp_over_quota_perm_failure: 1
lmtp_strict_quota: 1
autocreatequota: 10240
createonpost: 1
autocreateinboxfolders: sent-mail|drafts|spam|trash
autosubscribeinboxfolders: sent-mail|drafts|spam|trash
autocreate_sieve_script: /etc/default_sieve
autocreate_sieve_compiledscript: /etc/default_sieve_script.bc
sievedir: /var/lib/imap/sieve
md5_dir: /var/lib/imap/md5
#sievenotifier: sms
#sendsms: /usr/bin/mysmsprog
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplainwithouttls: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
loglevel: info

Create the configuration /etc/cyrus.conf with the following content

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
  # replication
  # syncclient       cmd="/usr/lib/cyrus-imapd/sync_client -r"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  imaps                cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="localhost:sieve" prefork=0 proto=tcp maxfds=1000 provide_uuid=1

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1

  #fud
  # fud           cmd="fud" listen="fud" prefork=1 proto="udp"
  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 maxfds=1000 provide_uuid=1

  # this is only necessary if using notifications
  notify        cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
  # replication
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30 maxfds=1000

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  #tlsprune     cmd="tls_prune" at=0400
  squat         cmd="squatter"  period=30
}

Configure Pam_mysql

Pam_mysql will be used to authenticate the following cyrus-imapd services aganist the mysql database, IMAP,POP,SIEVE,LMTP,CSYNC.

Pam_mysql configuration

Enable pam_mysql for the services make the changes below.

/etc/pam.d/imap

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/pop

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/sieve

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/lmtp

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

/etc/pam.d/csync

auth       optional     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword \
host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

Saslauthd configuration

Edit /etc/sysconfig/saslauthd and modify to below

SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-r -n 0 -c"

Configure ClamAV

Add the clamav user to the exim group.

usermod -G exim clamav

Change the location of the socket and disable TCP. Make changes to /etc/clamd.conf

LocalSocket /var/run/clamav/clamd.socket
#TCPSocket 3310
#TCPAddr 127.0.0.1

Install sane security signatures

wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh

Enable local selinux module for clamav, create file clamdlocal.te and add the following

module clamdlocal 1.0;

require {
        type proc_t;
        type var_t;
        type sysctl_kernel_t;
        type var_spool_t;
        type clamd_t;
        class dir { write search read remove_name add_name };
        class file { write getattr read lock create unlink };
}

#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { read getattr };
allow clamd_t var_t:dir { write read add_name remove_name };
allow clamd_t var_t:file { write getattr read lock create unlink };

Compile and load the module

checkmodule -M -m -o clamdlocal.mod clamdlocal.te
semodule_package -o clamdlocal.pp -m clamdlocal.mod
semodule -i clamdlocal.pp

Configure Spamassassin

Modify the startup options edit /etc/sysconfig/spamassassin and modify as below

SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"

Enable local spamd module for spamassassin, create file spamdlocal.te and add the following

module spamdlocal 1.0;

require {
        type spamd_t;
        type spamd_var_run_t;
        class capability { fowner chown kill };
        class sock_file { write create unlink getattr setattr };
}

#============= spamd_t ==============
allow spamd_t self:capability { fowner chown kill };
allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };

Compile and install the module

checkmodule -M -m -o spamdlocal.mod spamdlocal.te
semodule_package -o spamdlocal.pp -m spamdlocal.mod
semodule -i spamdlocal.pp

Final touches

Disable services

Disable unwanted services, use this script

Enable services

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on

service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart

Create admin user

Create a file admin.sql and add the following (modify the password to suite you)

USE horde;

REPLACE INTO horde_users (user_uid,user_pass)
    VALUES (
        'andrew@home.topdog-software.com',
-- Change this
        md5('verystrongpassword'),
);

Add user to database

mysql -p horde < admin.sql

Firewall

Add these rules in your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT

Login

Phew ! you are done. Open your browser and go to https://192.168.1.4/ and login with the details above, you can the create other users under administration → users. You can test all the other features as well.

References

• http://www.horde.org
• http://wiki.horde.org/CentOS5InstallationNotes
• http://sanesecurity.co.uk/clamav/
• http://www.exim.org/
• http://cyrusimap.web.cmu.edu/imapd/install.html
• http://pam-mysql.sourceforge.net/
• http://dev.mysql.com/

This tutorial shows how to set up a CentOS 5.x server to offer all services needed by virtual web hosters. These include web hosting,smtp server with (SMTP-AUTH and TLS,SPF,DKIM,Domainkeys),DNS,FTP,MySQL,POP3/IMAP,Firewall,Webalizer for stats.

I will use the following software:

• Database Server: MySQL 5.0.22
• Mail Server: Postfix 2.3.3
• DNS Server: BIND9 9.3.3
• Web Server: Apache 2.2.3 / PHP 5.1.6
• FTP Server: Vsftpd 2.0.5
• POP3/IMAP server: Dovecot 1.0
• Webalizer: for site statistics 2.01_10
• Virtualmin: Control panel

OS installation

Requirements

To install the system you will need

• Centos 5.1 Install media
• A good internet connection

Install the Base system

• Boot from the DVD or CD media and at the boot prompt type linux text
• Skip the media test
• Select your language
• Select keyboard layout
• Configure your network, i will be using dhcp if you do not have dhcp you can use static entires
• Select Yes to initialize drive
• Select custom layout for partitioning type
• Create partitions
• Configure networking
• Set the timezone
• Set the root password
• Select server group and select customize software selection

• Package groups select as follows:

  • DNS name server
  • bind-chroot

• Editors

  • vim-enhanced
• FTP server

• Mail server

  • dovecot
  • spamassassin
  • postfix

• Mysql Database

  • mysql-server

• Web server

  • mod_ssl
  • webalizer
  • php
  • php-pear
  • http-suexec
  • php-mysql

Services to disable

To enhance security and free system resources on the system we need to disable any services that are not required. You can run this script to do this for you.

• acpid
• anacron
• apmd
• autofs
• bluetooth
• cups
• firstboot
• gpm
• haldaemon
• messagebus
• mdmonitor
• hidd
• ip6tables
• kudzu
• lvm2-monitor
• netfs
• nfslock
• pcscd
• portmap
• rpcgssd
• rpcidmad
• sendmail
• smartd
• yum-updatesd

Basics

We need to fix a few issues to prepare the system for configuration

Install updates

 # yum upgrade

Switch the mta to postfix

 # alternatives --config mta
 There are 2 programs which provide 'mta'.
   Selection    Command
 -----------------------------------------------
    1           /usr/sbin/sendmail.postfix
 *+ 2           /usr/sbin/sendmail.sendmail
 Enter to keep the current selection[+], or type selection number: 1

Install caching-nameserver config

 # yum install caching-nameserver

Install Build tools

 # yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17 openssl-devel subversion ncurses-devel -y

Configure network alias

 # cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1

Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0:1 to look like this

DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.6
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes

Install webmin / virtualmin

Import webmin pgp key

 # wget http://www.webmin.com/jcameron-key.asc
 # rpm --import jcameron-key.asc

Download the rpm

 # wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm

Verify the rpm (should say OK or else download again)

 # rpm --checksig webmin-1.390-1.noarch.rpm

Install the rpm

 # rpm -Uvh webmin-1.390-1.noarch.rpm

Initial webmin config

We need to secure webmin by editing /etc/webmin/miniserv.conf and make the following changes

Using SSL only

ssl=1

Change the port to 443 and bind to the second nic only

port=443
bind=192.168.1.6

Disable UDP broadcasts

#listen=10000

Change host lockout on login failures to 3

blockhost_failures=3

Increase host lockout timeout to 120

blockhost_time=120

Change user lockout on login failures to 3

blockuser_failures=3

Change user lockout timeout to 120

blockuser_time=120

Change the realm to something else

realm=cpanel

Log logins to utmp

utmp=1

Install the webmin Tiger theme

• Login to webmin via https://192.168.1.5:10000 using root and your password
• Go to webmin → Configuration → webmin themes
• Select From ftp or http URL and enter http://www.stress-free.co.nz/files/theme-stressfree.tar.gz
• Click install theme
• Click “return to list themes”
• Select StressFree as the Current theme then click change

Install php-pear module

• Go to webmin → webmin configuration → webmin modules
• Select Third party module from and enter http://www.webmin.com/download/modules/php-pear.wbm.gz
• Click install module

Install virtualmin

• Go to webmin → webmin configuration → webmin modules
• Select install from ftp or http URL and enter http://download.webmin.com/download/virtualmin/virtual-server-3.51.gpl.wbm.gz
• Click install module

Remove unwanted modules Go to webmin → webmin configuration → delete and select the following

• ADSL client
• Bacula backup system
• CD Burner
• CVS Server
• Cluster change passwords
• Cluster copy files
• Cluster cron jobs
• Cluster shell commands
• Cluster software packages
• Cluster usermin servers
• Cluster users and groups
• Cluster webmin servers
• Command shell
• Configuration engine
• Custom commands
• DHCP server
• Fetchmail mail retrieval
• File manager
• Frox ftp proxy
• HTTP Tunnel
• Heartbeat monitor
• IPsec VPN
• Jabber IM server
• LDAP server
• Logical volume management
• Majordomo list manager
• NFS exports
• NIS client and server
• OpenSLP server
• PPP dialin server
• PPP dialup client
• PPTP vpn server
• PPTP vpn client
• Postgresql database server
• Printer admin
• ProFTPD server
• QMAIL mail server
• SMART drive status
• SSH / Telnet login
• SSL tunnels
• SAMBA windows file sharing
• Scheduled commands
• Sendmail mail server
• Shoreline firewall
• Squid analysis report generator
• Squid proxy server
• Voicemail server
• WU-FTP server
• Idmapd server

Restart webmin

 # service webmin restart

Configure rpmforge repo

 # rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

NOTE: If you are using a different architecture check on https://rpmrepo.org/RPMforge/Using for the correct rpm

Disable the repo (such that base packages not overwritten) edit /etc/yum.d/rpmforge.repo and set the following option

enabled = 0

Install extra required packages

Install clamav

 # yum --enablerepo=rpmforge install clamav clamav-db clamav-milter clamd -y
 # wget http://www.topdog-software.com/files/clamav-milter.patch
 # patch /etc/init.d/clamav-milter < clamav-milter.patch
 # chkconfig --del clamd
 # freshclam

Install sanesecurity signatures

 # wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
 # chmod +x /usr/local/bin/update_sanesecurity.sh
 # ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
 # /usr/local/bin/update_sanesecurity.sh

Install PHP eaccelerator

 # yum --enablerepo=rpmforge install php-eaccelerator

Install newer spamassassin package from rpmforge

 # yum --enablerepo=rpmforge upgrade spamassassin

Install spamass-milter

 # yum --enablerepo=rpmforge install spamass-milter

Install perl modules1) required by spamassassin

 # perl -MCPAN -e 'install Mail::SPF'
 # perl -MCPAN -e 'install Mail::SPF::Query' 
 # perl -MCPAN -e 'install Net::Ident'
 # perl -MCPAN -e 'install IP::Country::Fast'
 # perl -MCPAN -e 'install Mail::DomainKeys'
 # perl -MCPAN -e 'install Mail::DKIM'

Install fuzzyOCR

 # yum --enablerepo=rpmforge install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
 # svn co https://svn.own-hero.net/fuzzyocr/trunk/devel/
 # cd devel/
 # perl -MCPAN -e 'install String::Approx'
 # perl -MCPAN -e 'install Time::HiRes'
 # perl -MCPAN -e 'install Log::Agent'
 # cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
 # chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
 # wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words

Install Razor

 # yum --enablerepo=rpmforge install razor-agents -y

Install roundcube

 # yum install php-imap
 # rpm -Uvh http://www.topdog-software.com/oss/roundcube/roundcube-0.1-rc2.noarch.rpm

Install imapproxy

 # wget http://imapproxy.org/downloads/up-imapproxy-1.2.6.tar.gz
 # rpmbuild -tb up-imapproxy-1.2.6.tar.gz
 # rpm -Uvh /usr/src/redhat/RPMS/i386/up-imapproxy-1.2.6-1.i386.rpm

Activate services

 # chkconfig --level 345 httpd on
 # chkconfig --level 345 postfix on
 # chkconfig --level 345 spamassassin on
 # chkconfig --level 345 spamass-milter on
 # chkconfig --level 345 clamav-milter on
 # chkconfig --level 345 mysqld on
 # chkconfig --level 345 named on
 # chkconfig --level 345 vsftpd on
 # chkconfig --level 345 dovecot on
 # chkconfig --level 345 imapproxy on

Configuration

Postfix

We will be setting up postfix with the following features

• Virtual hosting
• UCE prevention
• Anti virus
• SMTP authentication
• TLS
• RBLs
• SPF
• Attack mitigation

The adding of accounts and domains with be configured through virtualmin although it can be done manually as well. The setup is designed to be resource friendly so should be able to run on machines that are not over spec'ed so enabling the resources to be put to better use. To make it resource friendly we are not using external databases to store virtual user information like most other how-to's do as well as using milters for spam and virus checking as opposed to running amavisd-new.

The basics

To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated. Sample configuration files are available for download at the end of this page.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail

Maildir

We will use the much improved maildir format as opposed to the default mbox format

home_mailbox = Maildir/

SASL

To perform SMTP authentication we will be using SASL, however we will not use the Cyrus SASL as that requires us to run the saslauthd daemon, we will instead use dovecot sasl since we will be running dovecot for IMAP and POP3 thus killing 2 birds with one stone.

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

TLS

We need TLS to ensure that the plain text passwords are not transmitted over the wire during SMTP authentication, servers that support TLS are also able to communicate with this server over a secured connection.

Instructions on creating your server certificate signed by cacert.org are can be found here

Set TLS random source

tls_random_source = dev:/dev/urandom

Enable server TLS

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

Enable client TLS

smtp_use_tls = yes
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes

Spam prevention

Require a valid EHLO / HELO

smtpd_helo_required = yes

Prevent email address harvesting attacks

disable_vrfy_command = yes

Change reject codes to permanent (By default postfix issues 4xx error codes which implies temporary failure we need 5xx for permanent errors)

unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550

Setup sender address verification

address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access

Create /etc/postfix/sender_access and add

#sample /etc/postfix/sender_access contains frequently spoofed domains
aol.com     reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender

Mitigate attacks from zombies and broken clients

smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Only allow pipelining from authenticated clients

smtpd_data_restrictions = reject_unauth_pipelining

Install postfix-policyd-spf-perl and enable SPF support

 # wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
 # tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
 # cd postfix-policyd-spf-perl-2.005
 # cp postfix-policyd-spf-perl /etc/postfix/

Add this to /etc/postfix/master.cf

spfpolicy unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl

Add DKIM support

Instructions on adding DKIM support can be found here

Add domainkeys support

Instructions on adding domainkeys support can be found here

Getting it all to work depends on the smtpd_recipient_restrictions option so we set it below

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/access
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        reject_unverified_recipient
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_invalid_hostname
        reject_rbl_client list.dsbl.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client l1.spews.dnsbl.sorbs.net
        reject_rbl_client combined.njabl.org
        reject_rbl_client bl.spamcop.net
        reject_rhsbl_sender dsn.rfc-ignorant.org
        reject_rhsbl_sender bogusmx.rfc-ignorant.org
        reject_rhsbl_sender rhsbl.sorbs.net
        reject_rhsbl_client dsn.rfc-ignorant.org
        reject_rhsbl_client bogusmx.rfc-ignorant.org
        reject_rhsbl_client rhsbl.sorbs.net
        check_policy_service unix:private/spfpolicy

Milters [spamassassin & clamav]

For your spam classification using spamassassin and virus scanning using clamav we will be using postfix's milter interface instead of using the resource intensive amavisd-new daemon. This is a very efficient way of doing it as we don't even have to run clamd the clamav milter does the scanning itself.

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock

Create db files

 # postmap /etc/postfix/canonical
 # postmap /etc/postfix/access
 # postmap /etc/postfix/virtual
 # postmap /etc/postfix/sender_access

Sample configuration files

• main.cf
• master.cf
• canonical
• virtual

Dovecot

This will setup dovecot as our IMAP/POP3 server.

Basic configuration

We will setup dovecot for IMAP and POP3 and disable SSL.

protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes

Maildir

We will use the maildir format as opposed to the default mbox format.

mail_location = maildir:~/Maildir

Authentication & SASL

Configure dovecot to use LOGIN and PLAIN as the authentication mechanisims as many MS clients are unable to use encrypted authentication mechanisms. We also setup the SASL socket to enable postfix to authenticate SMTP connections using dovecot.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }

  socket listen {
    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
  }
}

Client Issues

Some MS imap clients in the outlook family have issues with both thier IMAP and POP3 implementations so we need to accommodate them by setting up these work arounds

protocol imap {
 imap_client_workarounds = outlook-idle delay-newmail
}

protocol pop3 {
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

Run IMAP behind proxy

The imap server is configured to run on port 10143 such that port 143 is handled by the imap proxy server that will improve performance for your webmail by caching connections to the imap server. The listen option under protocol sets this up.

protocol imap {
 imap_client_workarounds = outlook-idle delay-newmail
 listen = 127.0.0.1:10143
}

Sample files

• dovecot.conf

Imapproxy

imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.

Configuration

Make the following changes in the file /etc/imapproxy.conf

server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no

Sample files

• imapproxy.conf

Bind

Bind will be setup chrooted to improve security we will also use views to prevent abuse of the dns server.

Basic configuration

The basic configuration disables by default, recursive queries and zone transfers. We also obscure the version of BIND we are running such that we are not hit by zero day vulnerabilities from script kiddies.

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        listen-on {
                127.0.0.1;
                192.168.1.5;
                };
        version "just guess";
        allow-recursion { "localhost"; };
        allow-transfer { "none"; };
};

Logging

The logging is customized to remove the annoying “lame-server” and update errors that appear in the logs

logging {
        category update { null; };
        category update-security { null;        };
        category lame-servers{ null; };
};

Chroot

Ensure that this is set in the file /etc/sysconfig/named (its usually set by the bind-chroot package)

ROOTDIR=/var/named/chroot

Point server

Let the machine use this server for dns resolution edit /etc/resolv.conf and prepend

nameserver 127.0.0.1

Sample files

• named.conf
• /etc/sysconfig/named

Vsftp

We will use vsftpd as our ftp server. This has a better track record as opposed to the proftpd & wuftpd servers.

Basic setting

Our basic setup disables anonymous users, and enables local system users to connect to the ftp server

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to example.com server
pam_service_name=vsftpd
tcp_wrappers=YES

Chroot

All users will be chrooted to their home directories (except usernames in the /etc/vsftpd/chroot_list file) meaning the cannot break out and see other users files.

chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list

Banned users

Users added to the file /etc/vsftpd/user_list will not be allowed to login

userlist_enable=YES

Sample files

• vsftpd.conf
• user_list
• chroot_list

Clamav milter

Edit /etc/sysconfig/clamav-milter

  CLAMAV_FLAGS="
          --config-file=/etc/clamd.conf
          --force-scan
          --local
          --max-children=5
          --sendmail-cf=
          --outgoing
          --quiet
  "
  SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"

Patch the init file to fix socket permissions

   # wget http://www.topdog-software.com/files/clamav-milter.patch
   # patch /etc/init.d/clamav-milter < clamav-milter.patch

Mysql

Basic config

listen only to the localhost, edit /etc/my.cnf under the mysqld section

bind-address = 127.0.0.1

Set root password

 # mysqladmin -u root password NEWPASSWORD

Start mysql

 # service mysqld start

Spamassassin

Basic config

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Create mysql database

Create the database

# mysqladmin -p create bayes

Populate the database

 # mysql -p bayes < /usr/share/doc/spamassassin-$(rpm --qf %{VERSION} -q spamassassin)/sql/bayes_mysql.sql

Create the user

 # mysql -p
 mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';

Configure to use db

Edit the file /etc/mail/spamassassin/local.cf and add

bayes_store_module  Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn       DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username  bayes
bayes_sql_password  password

Configure FuzzyOCR

We will be storing the image hashes in a mysql database to improve on performance such that images that we have already scanned do not get scanned again as OCR is a resource intense activity.

Create mysql Database

The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr

# mysql -p < /usr/local/src/devel/FuzzyOcr.mysql

Change the password

 # mysqladmin -u fuzzyocr -p fuzzyocr password

Basic settings

Edit /etc/mail/spamassassin/FuzzyOCR.cf and set the basic options

focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log

Make FuzzyOCR use the database

Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add

focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock

SARE rule updates

Import the GPG key used to sign the rules

 # mkdir /etc/mail/spamassassin/sa-update-keys/
 # chmod 700 /etc/mail/spamassassin/sa-update-keys/
 # wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
 # sa-update --import GPG.KEY

Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

Create an update script /usr/local/bin/update-sa

#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log

Make it executable and add to cron

 # chmod +x /usr/local/bin/update-sa
 # ln -s /usr/local/bin/update-sa /etc/cron.daily/
 # ln -s /usr/local/bin/update-sa /etc/cron.hourly/

Spamassassin milter

Edit /etc/sysconfig/spamass-milter

SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"

Patch

We need to patch the init file to fix the permissions of the socket created such that postfix is able to use the socket.

 # wget http://www.topdog-software.com/files/spamass-milter.patch
 # patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch

Apache

Disable modules

We will disable some modules that we are not using thus freeing up memory and also improving security.

Edit /etc/httpd/conf/httpd.conf and comment out the modules as below.

#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so

Edit /etc/httpd/conf.d/proxy_ajp.conf and comment out as below

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen to one ip for https

Apache has to be configured to listed to one address for port 443 as webmin will be using the same port. Edit /etc/httpd/conf.d/ssl

Listen 192,168.1.6:443

Enable gzip compression

We setup gzip compression via the mod_deflate module to improve web server performance and to cut down on bandwidth usage by compressing responses to the client.

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Setup logging for the deflate module

DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate_access_log vhost_with_deflate_info

Increase PHP max memory

Edit the file /etc/php.ini and set the following

memory_limit = 64M

Enable virtual hosting

NameVirtualHost *:80

Create default virtual host

This needs to be the first virtual host, it will be the default on the server the equivalent of the server with out virtual hosting.

<VirtualHost *:80>
        Servername localhost.localdomain
        Serveradmin root@localhost.localdomain
</Virtualhost>

Roundcube webmail

Create database

Create the database and add the roundcube user.

 # mysqladmin -p create roundcube
 # mysql -p
 # mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';

Initialize the database

 # mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql

Basic config

Configure database DSN in /var/www/roundcube/config/db.inc.php

$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';

Configure roundcube in /var/www/roundcube/config/main.inc.php

$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';

Setup catch all virtualhost

As we will be providing webmail for all domains that are created on the system we need to setup a catch all virtualhost that can display roundcube when ever a user accesses http://webmail.domainname

<VirtualHost *:80>
ServerName webmail.example.com
ServerAlias webmail.*
DocumentRoot /var/www/roundcube
<Directory /var/www/roundcube>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
</Directory>
</VirtualHost>

Iptables

This is a basic firewall it may not suit your needs, firewalling is an art so i recommend to read into it to improve on this basic one.

Basic config

Add these rules in your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT

Activate config

 # service iptables restart

Virtualmin

Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will be using it to provide the virtual hosting functions such as creation of domains, accounts and maintaining configurations on the system.

Start services

You need to start up services that are required to be able to configure virtualmin. Start the following services

 # service named start
 # service spamassassin start
 # service spamass-milter start
 # service clamav-milter start
 # service postfix start
 # service dovecot start
 # service imapproxy start
 # service httpd start

Initial settings

Mysql

Webmin needs to be able to communicate with mysql since we have set a password for mysql we need to set that up in webmin, go to servers → mysql and enter this information

Configure Features

You need to enable the features and plugins that we want to use. On login this is the screen that you will see.

Enable the following features and save

• Home directory
• Administration user
• Mail for domain
• BIND DNS domain
• Apache website
• Webalizer reporting
• Log file rotation
• Mysql database
• Webmin user

Configure server templates

Server template are used to customize the services and to create packages for different hosting account types.

Apache template

You can make changes to the way apache virtual hosts are created by editing this template, The defaults however will do for purposes of this howto.

Domain owner template

This template is used to configure various server limits such as number of mailboxes,aliases,databases,virtual servers and other options like bandwidth limits, admin abilities. For this howto we will use the default values.

Home directory template

This template allows you to set a skel directory to hold setting for new users for this howto we will use the defaults

Administration user

This template lets you set the quota for the virtual server and the admin user for this howto we will use the default quota 1GB.

Mail for domain template

This template sets various mail related options, we will modify the email message sent on server creation to have to content below

The following virtual server has been set up successfully :

Domain name:             ${DOM}
Hosting server:          ${HOSTNAME}
${IF-VIRT}
Virtual IP address:      ${IP}
${ENDIF-VIRT}
Administration login:    ${USER}
Administration password: ${PASS}
${IF-WEBMIN}
Administration URL:      ${WEBMIN_PROTO}://www.${DOM}:${WEBMIN_PORT}/
${ENDIF-WEBMIN}

${IF-WEB}
Website:                 http://www.${DOM}/
${IF-WEBALIZER}
Webalizer log reporting: Enabled
${ELSE-WEBALIZER}
Webalizer log reporting: Disabled
${ENDIF-WEBALIZER}

${ENDIF-WEB}
${IF-MAIL}
Email domain:            ${DOM}
SMTP server:             mail.${DOM}
POP3 server:             mail.${DOM}
Webmail:                 webmail.${DOM}

${ENDIF-MAIL}
${IF-DNS}
DNS domain:              ${DOM}
Nameserver:              ${HOSTNAME}

${ENDIF-DNS}
${IF-MYSQL}
MySQL database:          ${DB}
MySQL login:             ${MYSQL_USER}
MySQL password:          ${PASS}

${ENDIF-MYSQL}
${IF-POSTGRES}
PostgreSQL database:     ${DB}
PostgreSQL login:        ${USER}
PostgreSQL password:     ${PASS}

${ENDIF-POSTGRES}

We will leave the other options as the defaults.

BIND DNS domain template

This template is used to customize the zones that will be created by virtualmin. The changes to be made are adding a spf record, add the following records to auto generated text box (replace ns1.home.topdog-software.com. with your slave server)

@     IN NS ns1.home.topdog-software.com. ;slave
admin IN A 192.168.1.6 ;virtualmin
webmail IN A 192.168.1.5 ;webmail

In the directives text box add the following with the ip address of your slave server such that the slave is allowed to do zone transfers.

allow-transfer { 192.168.1.2; };

Mysql Database template

Contains options on creation of databases by virtualmin, for the howto we will use the defaults.

Webmin login template

Contains option on creation of new users by virtualmin, for the howto we will use the defaults

Create virtual server

Finally we have a working virtual server system, lets create our first virtual server. Go to servers → virtualmin virtual servers and click add new virtual server, owned by new user.

Fill in the require fields and click create.

Add a mail user to the domain. click on the domain name, then click edit mail and FTP users, then add user and fill in the information.

Testing

Postfix

Test smtp

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From:address@yahoo.com
To:andrew@example.com
Subject:This is a test
Hi
This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6

telnet 192.168.1.5 25
Trying 192.168.1.5...
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Test dkim

Send a mail to autorespond+dkim@dk.elandsys.com

Test domainkeys

Send a mail to autorespond+dk@dk.elandsys.com

Dovecot

Test pop3

telnet 192.168.1.5 110
+OK Dovecot ready.
user andrew.example
+OK
pass password
+OK Logged in.
quit
+OK Logging out.

Test imap

telnet 192.168.1.5 143
* OK Dovecot ready.
01 login andrew.example password
01 OK User logged in
01 list "" "*"
* LIST (\HasNoChildren) "." "Trash"
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Junk"
* LIST (\HasNoChildren) "." "Sent"
* LIST (\HasNoChildren) "." "INBOX"
01 OK List completed.
01 logout
* BYE LOGOUT received
01 OK Completed

Bind

dig example.com @127.0.0.1

Clamav-milter

We are using the test virus from www.eicar.org

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye

Take a lot at your /var/log/maillog you should see something like this

73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]:
5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net; 
from=<address@yahoo.com> to=<andrew@example.com> proto=SMTP helo=<me>

Spamass-milter

We are using the test message from http://spamassassin.apache.org/gtube/

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye

You will see this in your log files

spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO,UNPARSEABLE_RELAY scantime=0.5,size=723,user=root,uid=99,required_score=5.0,

Comments

Got any comments/bugs drop me a mail my contact info is on the home page.