Setting up a FreeBSD mail server

Installing FreeBSD

/dev/aacd0s1a / 1gb /dev/aacd0s1b swap 4gb /dev/aacd0s1d /tmp 8gb /dev/aacd0s1f /usr 8gb /dev/aacd0s1e /var 8gb

The system was installed with the X-Kern-Devel options, which provide the computer kernel and userland source, including X11 libraries. Additionally the ports tree was installed. After installation, the cvsup and emacs packages were installed via pkg_add, providing the tool necessary to update the system, and a usable text editor. The tools were installed using the following commands:

pkg_add -vr emacs pkg_add -vr cvsup

Using CVSUP

*default host=cvsup5.freebsd.org
*default release=cvs tag=RELENG_5_3

The differences for the ports-supfile are as follows:

*default host=cvsup5.freebsd.org

Once the appropriate astro-supfile and ports-supfile were created, cvsup was used to update the system. A custom kernel was configured and installed as /usr/src/sys/i386/conf/MILTON, however a generic kernel would provide a fully functional system without SMP capabilities. The commands to cvsup the system and build a new system from the ground up were put into a script named /root/cvsup/update-world and /root/cvsup/update-ports. The contents of those scripts are as follows:

update-world #!/bin/sh # step 1: cvsup /usr/local/bin/cvsup /root/cvsup/astro-supfile # step 2: make world mv /usr/obj /usr/oldobj cd /usr/src make buildworld # step 3: make new kernel make buildkernel KERNCONF=MILTON # step 4: tell me what I need to do next since I'm an idiot and don't know echo To install the new kernel, go into /usr/src and run: echo echo make installkernel KERNCONF=MILTON echo echo To install the new system binaries, go into /usr/src and run: echo echo make installworld echo

update-ports #!/bin/sh # step 1: cvsup /usr/local/bin/cvsup /root/cvsup/ports-supfile

Please note that as of the time of this writing, checking out RELENG_5 did download 5.4-RC2, tagged as 5.4-STABLE. If you wish to use cvsup to upgrade to a newer minor version of FreeBSD, such as taking a FreeBSD 5.3 system to 5.4, you will probably want to use the mergemaster(8) utility to update the system init scripts and configuration files after you have installed the new system binaries and kernel.

cvsup does not update the installed ports, it only updates the ports tree. To update ports that have been installed on a FreeBSD system you can use a tool such as portupgrade.

After the system is rebuilt, you will need to manually install the system and kernel by following the directions given at the end of the update-world script.

Configuring FreeBSD

128.227.184.7 woodstock.astro.ufl.edu woodstock 128.227.184.2 polaris.astro.ufl.edu polaris

Next create a directory named /maildir and add the following mount options to the system fstab.

woodstock:/export/maildir /maildir nfs -U,-i,rw,-r=32768,-w=32768 0 0

Next edit the syslog.conf file and have it redirect the majority of the logs to woodstock. Here is a copy of the syslog.conf:

# $FreeBSD: src/etc/syslog.conf,v 1.26 2003/04/23 13:08:31 des Exp $ # # Spaces ARE valid field separators in this file. However, # other *nix-like systems still insist on using tabs as field # separators. If you are sharing this file between systems, you # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.debug;auth.notice;mail.crit /dev/console *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages security.* @woodstock auth.info;authpriv.info @woodstock mail.info @woodstock lpr.info @woodstock ftp.info @woodstock cron.* /var/log/cron *.=debug /var/log/debug.log *.emerg * # uncomment this to log all writes to /dev/console to /var/log/console.log #console.info /var/log/console.log # uncomment this to enable logging of all log messages to /var/log/all.log # touch /var/log/all.log and chmod it to mode 600 before it will work #*.* /var/log/all.log # uncomment this to enable logging to a remote loghost named loghost #*.* @loghost # uncomment these if you're running inn # news.crit /var/log/news/news.crit # news.err /var/log/news/news.err # news.notice /var/log/news/news.notice !startslip *.* /var/log/slip.log !ppp *.* /var/log/ppp.log

Configuring TCP Wrappers

The default configuration allows complete unfettered access to all services running on the host machine. This opens up the machine to the risk of attack in the event that buffer overflows are discovered in various services, such as rpc. To reduce the risk of exploit, we have modified our /etc/hosts.allow file to allow access for some services, but restrict access for other services to the Astronomy network. Our /etc/hosts.allow follows:

# comment out the default entry which would expose this host to any exploits # ALL : ALL : allow # allow everything from our network to access this box. Including the # astronomy vpn. ALL : localhost : allow ALL : 127.0.0.1 : allow ALL: [::1] : allow ALL : 10.227.184.0/255.255.255.0 : allow ALL : 128.227.184.0/255.255.255.0 : allow ALL : 10.228.184.0/255.255.255.0 : allow # rpcbind is portmap and all of it's things. It's where rpc services register # their activity with. We really don't want people outside of our network # seeing which rpc services are running.. rpcbind : ALL : deny # NIS master server. Only local nets should have access ypserv : ALL : deny # Wrapping sshd(8) is not normally a good idea, but if you # need to do it, here's how #sshd : .evil.cracker.example.com : deny sshd : ALL : allow # Sendmail can help protect you against spammers and relay-rapers. # and everyone from outside should be speaking to our mx record. # however, on our mail server we would set it to allow. sendmail : ALL : deny # Berkeley LPD has been known to suffer from exploits. printer : ALL : deny # syslog local, nowhere else. syslog : ALL : deny # bind is good. we like bind on our name servers, but not other hosts. domain : ALL : deny # Provide a small amount of protection for ftpd # ftpd : .nice.guy.example.com : allow # ftpd : .evil.cracker.example.com : deny ftpd : ALL : deny # nfsd, lockd, important for local users. Not important for anyone else. nfsd : ALL : deny lockd : ALL : deny # web www : ALL : allow https : ALL : allow # anything else we explicitly forgot to mention can be protected by default # with the following statement. No other rule after this will work. ALL : ALL : deny

Discussion: With FreeBSD's implementation of TCP Wrappers, it's important to remember that once a host has been granted access through TCP wrappers, no deny rule later on in the recipe would work. The first step was to comment out the default entry which would have allowed access to all services, no matter what we would have entered later. The next section provides explicit allows for the Astronomy network. Any host that falls within the netmask/ranges listed would be granted access to all services. Note, this does not mean that they can actually perform tasks, it just means TCP wrappers will not prevent the host from trying to contact these services. The next set of rules deny services we know are running, but allows some we care about (sshd, sendmail, http). We could have just as easily set the rules to allow those three services, then let the final statement take care of the rest. The final rule is a catch-all that will deny any service that we may have forgotten to take care of.

Configuring and enabling NIS

nis_client_enable="YES" nisdomainname="astro.ufl.edu" nis_client_flags="-S astro.ufl.edu,woodstock.astro.ufl.edu,polaris.astro.ufl.edu" # ntpd ntpd_enable="YES"

You should also use this time to create an /etc/ntp.conf file with the following contents:

server time.clas.ufl.edu server ntps2-1.server.ufl.edu

Next manually enable NIS by issuing the following commands:

• domainname astro.ufl.edu
• ypbind -S astro.ufl.edu,woodstock.astro.ufl.edu

You can verify that NIS is working by issuing the command ypwhich and you should be given the response woodstock.astro.ufl.edu.

Note: If the system will be used by regular users, and depending on the backend NIS master, you may need to edit the file /etc/login.conf to change the default passwd_format from md5 to des. This will allow the yppasswd utility to work properly if your NIS master is a Solaris or Linux server.

The BSD's use a file, /etc/master.passwd, as the shadow password file. This contains all info on all accounts. The file standard password map, /etc/passwd is created by using the pwd_mkdb utility.

To make FreeBSD recognize NIS accounts, add the following entries to /etc/master.passwd:

+@admin::::::::: +@disabled:::::::::/usr/local/bin/security +:::::::::/usr/local/bin/sorry

Please note that on a regular interactive user machine, there would be no entry listed /usr/local/bin/sorry entry, instead it would just be +:::::::.

Netgroups

To create the initial netgroup file issue the command:

ypcat -k netgroup > /etc/netgroup

Then, make the following addition to the system crontab so that the netgroup file is generated every fifteen minutes.

# create the /etc/netgroup file every 15 minutes. 1,16,31,46 * * * * root ypcat -k netgroup > /etc/netgroup

After editing the /etc/master.passwd file and creating the netgroup files, you can generate a new /etc/passwd file which will be able to do password lookups from the NIS groups via compat mode. The command to regenerate the password file is:

pwd_mkdb /etc/master.passwd

+:*:0:

milton# finger ken Login: ken Name: Ken Sallot Directory: /astro/homes/ken Shell: /bin/tcsh Never logged in. No Mail. No Plan.

Configuring the Automounter

/astro
/astro/data
/astro/depot
/astro/homes

Next, create an AMD configuration file. Our /etc/amd.conf file follows:

# # UF Astronomy default config file # # check amd.conf(5) man page for details about options in this file # # GLOBAL OPTIONS SECTION [ global ] normalize_hostnames = no print_pid = yes pid_file = /var/run/amd.pid restart_mounts = yes auto_dir = /.automount log_file = syslog log_options = all #debug_options = all plock = no selectors_on_default = yes print_version = no # set map_type to "nis" for NIS maps, or comment it out to search for all # types map_type = file search_path = /etc browsable_dirs = yes # set browsable_dirs = yes if you want to cause a mount storm. show_statfs_entries = no fully_qualified_hosts = no cache_duration = 300 # DEFINE AN AMD MOUNT POINT [ /astro/homes ] map_name = amd.homes.map map_type = nis [ /astro/depot ] map_name = amd.depot.map map_type = nis [ /astro/data ] map_name = amd.data.map map_type = nis

After you have configured the automounter, you should tell FreeBSD to start AMD by adding the following two lines to the /etc/rc.conf configuration file.

amd_enable="YES" amd_flags="-F /etc/amd.conf"

You should then manually start the automounter by issuing the command:

amd -p -F /etc/amd.conf

Configuring SSH for HBA

The /etc/ssh/sshd_config file from our FreeBSD 5.3 boxes is as follows:

# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ # $FreeBSD: src/crypto/openssh/sshd_config,v 1.40 2004/04/20 09:37:29 des Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. #VersionAddendum FreeBSD-20040419 Port 22 Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication yes # similar for protocol version 2 HostbasedAuthentication yes # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts no # Change to yes to enable built-in password authentication. PasswordAuthentication yes PermitEmptyPasswords no # Change to no to disable PAM authentication ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication (via challenge-response) # and session processing. #UsePAM yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost yes PrintMotd yes #PrintLastLog yes TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server

The /etc/ssh/ssh_config from our FreeBSD machines is as follows:

# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $ # $FreeBSD: src/crypto/openssh/ssh_config,v 1.25 2004/04/20 09:37:28 des E xp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options #Host * # ForwardAgent no # ForwardX11 yes # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # BatchMode no # CheckHostIP no # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ # VersionAddendum FreeBSD-20040419 Host * ForwardAgent yes ForwardX11 yes ForwardX11Trusted yes RhostsRSAAuthentication yes HostbasedAuthentication yes HostKeyAlgorithms ssh-rsa,ssh-dss EnableSSHKeysign yes

Additionally, a /etc/ssh/shosts.equiv and /root/.shosts file need to be created. This file specifies the netgroup entry that is required for hba. The contents should look like:

+@netgroup_entry

Please note, the actual entry for UF Astronomy is NOT +@netgroup_entry, but rather something else.

If users will be using this machine, and you wish to use HBA SSH control, you will need to setuid the utility /usr/libexec/ssh-keysign.

The final part of configuring SSH to use HBA is to copy over a set of authorized keys. The script /root/do-keys on woodstock will generate a master keylist and copy it to all of the hosts in the department.

At this point, basic configuration of the FreeBSD machine for the UF Astronomy network is now complete. The instructions that follow are specific recipes for setting up and configuring a mail system. As part of our normal procedures, we go ahead and check initial copies of /etc/fstab, /etc/crontab, /etc/rc.conf, and a few other configuration files into rcs.

Installing Mail Server Components

Discussion: All of the applications will be installed from the FreeBSD ports tree. By installing from ports, the system is easy to re-build from scratch, and upgrading the various components can be done cleanly and efficiently without worrying about dependency issues.

Installing p5-BerkeleyDB

To install this port, cd into the /usr/ports/databases/p5-BerkeleyDB directory and issue the command `make install WITH_BDB_VER=41'.

Installing cyrus-sasl2-saslauthd

To install this port, cd into the /usr/ports/security/cyrus-sasl2-saslauthd directory and issue the command `make install'. Once the port is installed you will need to enable it by adding the following lines to the /etc/rc.conf file:

saslauthd_enable="YES"
saslauthd_flags="-a getpwent"

You will also need to create the file /usr/local/lib/sasl2/smtpd.conf and it should have the following contents:

pwcheck_method: saslauthd
mechlist: plain login

Discussion: saslauthd supports multiple different mechanisms, including systems such as crammd5 and disgestmd5. However, we only care about the plain and login mechanisms, instead preferring to rely on SSL encrypted communications for password security.

Installing Dovecot

The port resides in /usr/ports/mail/dovecot. Change into that directory and issue the command `make install' to install the port.

Once the port is installed, I copied over the old self-signed certificates into the directory /etc/ssl/certs. The certificate we will care about is /etc/ssl/certs/imapd.pem.

To enable dovecot, you need to append the line `dovecot_enable="YES"' to the system /etc/rc.conf.

Our dovecot configuration, stored in the file /usr/local/etc/dovecot.conf, has the following differences from the default dovecot.conf.sample sample configuration file.

protocols = imap pop3 imaps pop3s ssl_disable = no ssl_cert_file = /etc/ssl/certs/imapd.pem ssl_key_file = /etc/ssl/certs/imapd.pem ssl_parameters_regenerate = 0 disable_plaintext_auth = no login_chroot = no login_max_processes_count = 250 login_max_logging_users = 256 max_mail_processes = 1024 first_valid_uid = 100 default_mail_env = maildir:/maildir/%u mail_full_filesystem_access = no maildir_stat_dirs = no mbox_locks = dotlock fcntl

Discussion: We currently support the imap, pop3, imaps, and pop3s protocols. At a future point in time we will terminate support for unencrypted protocols (imap and pop3). The disable_plaintext_auth option allows older IMAP and POP clients to authenticate without first switching to TLS. Although, as of 2002 the standard states that all clients must first switch to TLS, some e-mail clients, notably Eudora, appear to be broken. The default_mail_env macro specifies the users maildir storage in the directory /maildir/username.

Installing Procmail

Please note, because our mail storage is on an NFS server, running Solaris, and because there are never any real guarantees that locking between an NFS client running one operating system, and an NFS server running another operating system, I wanted to make sure our procmail installation would be built with dotlocking support. In order to do this, before running the make install, I made sure the /maildir spool was mounted, and created a directory called /maildir/flock-test. During the build for the port, when prompted to do so, I added the /maildir/flock-test directory to list of directories that locking tests would be performed on.

After the port was installed, I went ahead and made a symlink for procmail in the /usr/bin directory. The only reason I did this was in case anyone tried to call /usr/bin/procmail from their ~/.forward file; we had two people using this mechanism to get procmail working in the past.

The global procmail recipe is /usr/local/etc/procmailrc. The contents read:

# systemwide procmail. Drops priviledges to user, then drops the mail # in a maildir style mailbox # DROPPRIVS=yes DEFAULT="/maildir/$LOGNAME/"

SpamAssassin

Installation of the tool is done by issuing the command make install from within the port directory. Once it was installed, I manually symlink the directory /usr/local/etc/mail/spamassassin to /etc/mail/spamassassin to make it easy to find for future configuration changes.

To find out information on the various configuration flags and settings for SpamAssassin, you can issue the command `perldoc Mail::SpamAssassin::Conf' from a command line. I have not made any changes to the init.pre configuration file, but below is a copy of our local.cf configuration file. It includes several rules to try and beat attempts at bayesian pollution:

rewrite_header Subject *****SPAM***** lock_method nfssafe defang_mime 1 required_hits 5.0 spamcop_from_address admin@astro.ufl.edu clear_trusted_networks dns_available yes rawbody WORDWORD /(\b[a-z]{4,12}\s+){12}/ describe WORDWORD long string of random words score WORDWORD 2.0 score MICROSOFT_EXECUTABLE 2.5 2.5 2.5 2.5 # Default = 0.1 score RISK_FREE 3.5 # Default 2.787, let's throw it over the top score NIGERIAN_TRANSACTION_2 1.5 # default 0.070 score BIG_FONT 1.2 # default -0.3 # score NO_REAL_NAME 1.2 # default -0.3 # score RCVD_IN_SBL 4.0 4.0 4.0 4.0 # score RCVD_IN_UNCONFIRMED_DSBL 3.0 3.0 3.0 3.0 # score RCVD_IN_OSIRUSOFT_COM 0.0 0.0 0.0 0.0 # score RCVD_IN_ORBS 2.75 2.75 2.75 2.75 # whitelist's. we'll accept their mail # requested by Steve Gottesman, 12/31/2002 whitelist_from *@*.morningstar.net # added for David Clark, 2.20.2003 whitelist_from sbtreas@sg.ufl.edu # added for Debra Hunter, 5/8/2003 whitelist_from weightwatchers@info.weightwatchers.com whitelist_from no-reply@noticehost.abcdistributing.com whitelist_from hpshopping@aermail.com # whitelist_to == -6 points # whitelist_to oliver@astro.ufl.edu # add support for cyrillic fonts, mostly for ludmilla ok_locales en ru # enable bayesian filtering use_bayes 1 # tag all spam as "**** SPAM ****" rewrite_subject 1 # added longword rules body RM_bpt_longwords68a /\b(?:[a-z]{6,}\s+){8}/ describe RM_bpt_longwords68a Long string of long words score RM_bpt_longwords68a 1.666 # 7429s/2h of 91714 corpus (74113s/17601h) 01/23/04 # ham: userid list, # "improving compatibility between computer platforms demands certain levels " body RM_bpt_longwords69a /\b(?:[a-z]{6,}\s+){9}/ describe RM_bpt_longwords69a Long string of long words score RM_bpt_longwords69a 1.000 # type=max:1 (add to 59a,68a) - 6595s/1h of 91714 corpus (74113s/17601h) 01/23/04 # ham: userid list body RM_bpt_longwords78a /\b(?:[a-z]{7,}\s+){8}/ describe RM_bpt_longwords78a Long string of long words score RM_bpt_longwords78a 1.333 # type=max:2 (add to 68a) - 4163s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords59a /\b(?:[a-z]{5,}\s+){9}/ describe RM_bpt_longwords59a Long string of long words score RM_bpt_longwords59a 1.666 # 8753s/8h of 91714 corpus (74113s/17601h) 01/23/04 # ham: userid list body RM_bpt_longwords79a /\b(?:[a-z]{7,}\s+){9}/ describe RM_bpt_longwords79a Long string of long words score RM_bpt_longwords79a 1.000 # type=max:1 (add to 78a) - 2950s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords96a /\b(?:[a-z]{9,}\s+){6}/ describe RM_bpt_longwords96a Long string of long words score RM_bpt_longwords96a 2.333 # 1162s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords88a /\b(?:[a-z]{8,}\s+){8}/ describe RM_bpt_longwords88a Long string of long words score RM_bpt_longwords88a 2.333 # 1025s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords89a /\b(?:[a-z]{8,}\s+){9}/ describe RM_bpt_longwords89a Long string of long words score RM_bpt_longwords89a 1.000 # type=max:1 (add to 88a) - 590s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords97 /\b(?:\w{9,}\s+){7}/ describe RM_bpt_longwords97 Long string of long words score RM_bpt_longwords97 1.666 # 545s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords98 /\b(?:\w{9,}\s+){8}/ describe RM_bpt_longwords98 Long string of long words score RM_bpt_longwords98 1.000 # type=max:1 (add to 97) - 442s/0h of 91714 corpus (74113s/17601h) 01/23/04 body RM_bpt_longwords99 /\b(?:\w{9,}\s+){9}/ describe RM_bpt_longwords99 Long string of long words score RM_bpt_longwords99 1.000 # type=max:1 (add to 98) - 330s/0h of 91714 corpus (74113s/17601h) 01/23/04

Installing ClamAV

Enabling clam is done by adding the following line to the system /etc/rc.conf:

clamav_clamd_enable="YES"

Updates are pulled down through cron. We have the system-wide crontab pull down the updates once a day and email us the results. We have a second cron job that pulls down the updates on an hourly basis, but it does not send an email notification.

Our /usr/local/etc/clamd.conf configuration file has the following divergences from the default:

TemporaryDirectory /tmp
User vscan

Our /usr/local/etc/freshclam.conf file has the following divergences from the default:

DatabaseOwner vscan

After ClamAV has been installed, the following directories and files within the subdirectories have to have their ownership changed. We use the userid and groupid of vscan, however these accounts are only created by the amavis port, and the ownership should be changed only once the amavis port is installed. The following directories should have their uid/gid changed by issuing the command:

`chown -R vscan:vscan dirname'

/var/log/clamav
/var/run/clamav
/var/db/clamav

Installing and configuring Postfix

As of this writing, the version of postfix in the ports tree is version 2.2.2. The port resides in /usr/ports/mail/postfix. When you do a make, you will be prompted for a series of options, I enabled the options for SASL2 and SSL and TLS. During the make, when asked for additional SASL options I enabled NDBM, pwcheck_pam, and saslauthd. During the make install I said yes to the options which enabled postfix in the /etc/mail/mailer.conf.

After postfix was installed, it needs to be enabled by adding the following options to the system /etc/rc.conf:

sendmail_enable="YES" sendmail_flags="-bd" sendmail_pidfile="/var/spool/postfix/pid/master.pid" sendmail_outbound_enable="NO" sendmail_submit_enable="NO" sendmail_msp_queue_enable="NO"

You will also need to symlink /usr/local/sbin/postfix to /usr/local/etc/rc.d/postfix.sh.

The default FreeBSD daily periodic tools run a number of jobs to manage and clean-up sendmail processes. Since this machine is now running postfix, we can disable these daily sendmail jobs by editing the /etc/periodic.conf and adding the following entries:

daily_clean_hoststat_enable="NO" daily_status_mail_rejects_enable="NO" daily_status_include_submit_mailq="NO" daily_submit_queuerun="NO"

Historically, in order to run efficiently, postfix may require additional sockets, nmbclusters, and files per process than a default FreeBSD installation would provide. At the time of this writing, I am unclear if this is as critical in FreeBSD 5, but to play it safe I went ahead and added the following options to the system /boot/loader.conf:

kern.ipc.nmbclusters="65536" kern.maxfiles="16384" kern.maxfilesperproc="16384"

Next I symlinked /usr/local/etc/postfix to /etc/postfix so that in the future the postfix configuration directory will be easy to find.

Configuration of postfix is done through the file main.cf. Below is a copy of the Astronomy main.cf:

# soft bounce returns a 450 if a user is not local, we want a hard 550. soft_bounce = no # locations of queue, postfix commands, and postfix daemons queue_directory = /var/spool/postfix command_directory = /usr/local/sbin daemon_directory = /usr/local/libexec/postfix # uid/gid of owner for spool, default priviledges used by local for # delivery. mail_owner = postfix default_privs = nobody # our domain, who we will accept mail for (note transport map also). myhostname = milton.astro.ufl.edu mydomain = astro.ufl.edu myorigin = $mydomain mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, mailhost.$mydomain # handling local mail lookups. local_recipient_maps = unix:passwd.byname $alias_maps unknown_local_recipient_reject_code = 550 # permit relaying from UF Astronomy only, do not include the Astronomy VPN # (those users should use submission/smtp-auth). mynetworks = 128.227.184.0/24, 10.227.184.0/24, 127.0.0.0/8 # there are still a few devices at gemini and nasa that we need to provide # relaying support for. Eventually those devices should be reconfigured. relay_domains = $mydomain ufl.edu gemini.noao.edu gemini.edu noao.edu nasa.gov # transport maps handle how we deal with local mail delivery, domains, etc. transport_maps = hash:/usr/local/etc/postfix/transport alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases # please note, we should consider adding "." so "ken.sallot@astro" would # be usable. recipient_delimiter = + # spawn procmail for local delivery mailbox_command = /usr/bin/procmail # files we store regex recipes for checking all incoming mail header_checks = pcre:/etc/postfix/header_checks body_checks = pcre:/etc/postfix/body_checks body_checks_size_limit = 51200 smtpd_banner = $myhostname ESMTP $mail_name # we can run higher than the default because maildir doesn't suffer from the # sequential write issues that mbox suffers from. local_destination_concurrency_limit = 2 default_destination_concurrency_limit = 20 debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/local/sbin/sendmail newaliases_path = /usr/local/bin/newaliases mailq_path = /usr/local/bin/mailq setgid_group = maildrop manpage_directory = /usr/local/man # this setting doesn't really do anything with maildir anymore.. But it # previously limited the maximum size of an mbox style mailbox. mailbox_size_limit = 300000000 # use Spamhaus sbl-xbl maps_rbl_domains = sbl-xbl.spamhaus.org # accept mail from our network, smtp-auth authenticated machines, # block hosts in sbl-xbl, verify the destination is OK, check it against # the greylist server (sitting on local host port 10023), # and then allow if the message has met the criteria. # if you do not wish to use greylisting, remove the check_policy_service # line. smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_maps_rbl reject_unauth_destination check_policy_service inet:127.0.0.1:10023 permit # make tls work smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_use_tls = yes # only allow smtp-auth if the client has switched to tls mode smtpd_tls_auth_only = yes smtpd_sasl_auth_enable = yes # reject SASL-ANONYMOUS attempts smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_optiopns = $smtpd_sasl_security_options # hack to allow smtp auth to work properly with Outlook Express 4 and # other broken clients. broken_sasl_auth_clients = yes # route all messages through amavis, which sits on port 10024 of the local # host. Please note, it would be trivial to have a greylist/amavis server # on a seperate box (think milter to another host). content_filter =smtp-amavis:[127.0.0.1]:10024 # this is the default, will probably increase it later. Had to drop # down to 20 earlier when I was having problems with fopen() calls # rebooting the old milton. default_process_limit = 100

Discussion: Further information on the various configuration options which can be set in the main.cf can be found at the postfix.org web-site.

The postfix master daemon runs Postfix processes on demand. These daemons may send or receive mail via the network, take care of local mail delivery, or any of another of options. They are configured through the file /etc/postfix/master.cf. The Astronomy master.cf file follows:

# # Postfix master process configuration file. For details on the format # of the file, see the Postfix master(5) manual page. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd # permit smtps on port 465 smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes # permit submission on port 587 submission inet n - n - - smtpd -o smtpd_etrn_restrictions=reject -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp # -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # the next two options enable amavis smtp-amavis unix - - n - 3 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o receive_override_options=no_header_body_checks

Discussion: More details about configuring the master.cf file can be found at the postfix web-site. If you do not wish to use Amavis, the last few entries in the master.cf configuration file should be removed.

Transport maps are used to over-ride the default routing that is built into postfix. Although we have already defined the $mydestination flag to cover our domain, we explicitly include it in the transport map for the sake of being pedantic. Whenever you modify the transport map, make sure to run the command ``postmap /etc/postfix/transport'' to rebuild the hash table.

The Astronomy transport map for our mail server follows:

astro.ufl.edu local: .astro.ufl.edu local: milton.astro.ufl.edu local: localhost.astro.ufl.edu local: # # NOTE: on any machine that is not the mail server, the transport map # looks like: # # * smtp:mailhost.astro.ufl.edu

Discussion: Our SUSE workstations include postfix on them. We have specified in their transport maps to relay all mail through the host mailhost.astro.ufl.edu.

The final part of configuring postfix would be our regular expression rules for incoming mail messages. They are stored in the files /etc/postfix/header_checks and /etc/postfix/body_checks respectively. They contain basic rules to perform certain actions on all incoming mail. For example, the following rule will reject all Windows Media Player, Quicktime, or MP3 files:

/^.*filename=\"?(.*)\.(wmv|mov|mp3)\"?$/ REJECT We do not accept file attachments of this type.  Send a URL instead.

Installing and Configuring Amavis

The way our Amavis setup works is by having Amavis run on port 10024 of the mail server, all incoming messages are forwarded by postfix to the amavis port, and when the message has been processed by amavis, it is either tagged for local delivery or dropped from the queue.

The Amavis port resides in /usr/ports/security/amavisd-new. During the installation, no options were chosen. Once Amavis was installed, the following line was added to the system /etc/rc.conf to enable the service:

amavisd_enable="YES"

Additionally, aliases were created for the email addresses virusalert and spam.police in our postfix aliases file.

Configuration for Amvis is done through the file /usr/local/etc/amavisd.conf. The configuration file is in the form of a perl module. The Astronomy configuration file follows:

use strict; # @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code # @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code $max_servers = 4; # number of pre-forked children (2..15 is common) $daemon_user = 'vscan'; # (no default; customary: vscan or amavis) $daemon_group = 'vscan'; # (no default; customary: vscan or amavis) $mydomain = 'astro.ufl.edu'; # a convenient default for other settings $X_HEADER_TAG = 'X-Virus-Scanned'; $X_HEADER_LINE = 'by UF Astronomy Mail Virus Scanner ks/14/4/2005'; $MYHOME = '/var/amavis'; # a convenient default for other settings $TEMPBASE = "/tmp"; # working directory, needs to be created manually $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR $QUARANTINEDIR = '/var/virusmails'; @local_domains_maps = ( [".$mydomain"] ); $log_level = 0; # verbosity 0..5 $log_recip_templ = undef; # disable by-recipient level-0 log entries $DO_SYSLOG = 1; # log via syslogd (preferred) $SYSLOG_LEVEL = 'mail.debug'; $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) $enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1 $inet_socket_port = 10024; # listen on this local TCP port(s) (see $protocol) $sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = 6.31; # triggers spam evasive actions $sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent $sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger $sa_local_tests_only = 0; # only tests which do not require internet access? $sa_auto_whitelist = 1; # turn on AWL in SA 2.63 or older (irrelevant # for SA 3.0, cf option is 'use_auto_whitelist') $virus_admin = "virusalert\@$mydomain"; # notifications recip. $mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender $mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender $mailfrom_to_quarantine = ''; # null return path; uses original sender if undef @addr_extension_virus_maps = ('virus'); @addr_extension_spam_maps = ('spam'); @addr_extension_banned_maps = ('banned'); @addr_extension_bad_header_maps = ('badh'); $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; $file = 'file'; # file(1) utility; use recent versions $gzip = 'gzip'; $bzip2 = 'bzip2'; $lzop = 'lzop'; $rpm2cpio = ['rpm2cpio.pl','rpm2cpio']; $cabextract = 'cabextract'; $uncompress = ['uncompress', 'gzip -d', 'zcat']; $unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat']; $arc = ['nomarch', 'arc']; $unarj = ['arj', 'unarj']; $unrar = ['rar', 'unrar']; $zoo = 'zoo'; $lha = 'lha'; $pax = 'pax'; $cpio = ['gcpio','cpio']; $ar = 'ar'; $ripole = 'ripole'; $dspam = 'dspam'; $MAXLEVELS = 14; $MAXFILES = 1500; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) $MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '*****SPAM***** '; $defang_virus = 1; # MIME-wrap passed infected mail $defang_banned = 1; # MIME-wrap passed mail containing banned name $myhostname = 'mailhost.astro.ufl.edu'; # options are D_DISCARD, D_BOUNCE, D_REJECT, D_PASS. Bouncing viruses # is dumb these days. $final_virus_destiny = D_DISCARD; $final_banned_destiny = D_BOUNCE; $final_spam_destiny = D_BOUNCE; $final_bad_header_destiny = D_PASS; @viruses_that_fake_sender_maps = (new_RE( [qr'\bEICAR\b'i => 0], # av test pattern name [qr'^(WM97|OF97|Joke\.)'i => 0], # adjust names to match your AV scanner [qr/.*/ => 1], # true for everything else )); @keep_decoded_original_maps = (new_RE( # qr'^MAIL$', # retain full original message for virus checking (can be slow) qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); $banned_filename_re = new_RE( # block certain double extensions anywhere in the base name qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i, qr'^application/x-msdownload$'i, # block these MIME types qr'^application/x-msdos-program$'i, qr'^application/hta$'i, [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst| ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs| wmf|wsc|wsf|wsh)$'ix, # banned ext - long qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. qr'^\.(exe-ms)$', # banned file(1) types qr'^\.(exe|lha|tnef|cab|dll)$', # banned file(1) types ); @score_sender_maps = ({ # a by-recipient hash lookup table, # results from all matching recipient tables are summed '.' => [ # the _first_ matching sender determines the score boost new_RE( # regexp-type lookup table, just happens to be all soft-blacklist [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], [qr'^(your_friend|greatoffers)@'i => 5.0], [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], ), { # a hash-type lookup table (associative array) 'nobody@cert.org' => -3.0, 'cert-advisory@us-cert.gov' => -3.0, 'owner-alert@iss.net' => -3.0, 'slashdot@slashdot.org' => -3.0, 'bugtraq@securityfocus.com' => -3.0, 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, 'security-alerts@linuxsecurity.com' => -3.0, 'mailman-announce-admin@python.org' => -3.0, 'amavis-user-admin@lists.sourceforge.net'=> -3.0, 'notification-return@lists.sophos.com' => -3.0, 'owner-postfix-users@postfix.org' => -3.0, 'owner-postfix-announce@postfix.org' => -3.0, 'owner-sendmail-announce@lists.sendmail.org' => -3.0, 'sendmail-announce-request@lists.sendmail.org' => -3.0, 'donotreply@sendmail.org' => -3.0, 'ca+envelope@sendmail.org' => -3.0, 'noreply@freshmeat.net' => -3.0, 'owner-technews@postel.acm.org' => -3.0, 'ietf-123-owner@loki.ietf.org' => -3.0, 'cvs-commits-list-admin@gnome.org' => -3.0, 'rt-users-admin@lists.fsck.com' => -3.0, 'clp-request@comp.nus.edu.sg' => -3.0, 'surveys-errors@lists.nua.ie' => -3.0, 'emailnews@genomeweb.com' => -5.0, 'yahoo-dev-null@yahoo-inc.com' => -3.0, 'returns.groups.yahoo.com' => -3.0, 'clusternews@linuxnetworx.com' => -3.0, lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, # soft-blacklisting (positive score) 'sender@example.net' => 3.0, '.example.net' => 1.0, }, ], # end of site-wide tables }); @av_scanners = ( # ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # # NOTE: the easiest is to run clamd under the same user as amavisd; match the # # socket name (LocalSocket) in clamav.conf to the socket name in this entry # # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"], ); @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ); 1; # insure a defined return

Discussion: As of April 19, 2005, the amount of chatter created by virus alerts that are sent to the account virusalerts at astro.ufl.edu has been fairly high since enabling this feature in amavis. Surprisingly, the number of spam alerts has been fairly low. This probably implies that greylisting, through the use of postgrey, is successful in reducing the number of spam messages, but that the virus propagation engines are more robust. During the summer I may disable the virus alerts to reduce the chatter.

Installing Postgrey

Greylisting works by temporarily making mail coming to a specific destination undeliverable with an error 450. After a specified period of time, they greylisting server will allow the message to be delivered if it is resent. The sending SMTP server, if it is RFC compliant and acknowledges what an error 450 means, will attempt to re-send the message at a later time. There is a known bug with the Groupwise MTA and Greylisting, but Novell has released a patch to correct this problem within Groupwise.

The port for postgrey is in /usr/ports/mail/postgrey. Because of BDB dependency issues, previously mentioned at the very beginning of this document, it is important to build and install postgrey with the following command:

make WITH_BDB_VER=41 install

Once postgrey is installed, you will need to add the following line to the system /etc/rc.conf to enable it:

postgrey_enable="YES"

You can manually whitelist both remote smtp servers (clients) or local users (recipients) by editing the contents of the files /usr/local/etc/postfix/postgrey_whitelist_clients.local and /usr/local/etc/postfix/postgrey_whitelist_recipients. The auto-whitelisting feature is enabled by default, to disable it you would need to add the command --auto-whitelist-clients=0 to the postgrey startup file, /usr/local/etc/rc.d/postgrey.sh.

Please note, Greylisting will only work if you have enabled it in your postfix main.cf file. The option to check postgrey through the check_policy_service mechanism must be in the smtpd_recipient_restrictions section. Our main.cf, which is above in the section on configuring postfix, contains the options for verifying access through postgrey.

Apache + PHP + modssl + Squirrelmail

apache_enable="YES"

During the installation of Apache + Mod-SSL, you are presented with a set of commands which would allow you to make self-signed certificates. I went ahead and generated a self-signed cert in 2004, and this is the same certificate we use to this day. The command to generate a new self-signed certificate is `make certificate' from within the port directory.

The port for Squirrelmail is located in /usr/ports/mail/squirrelmail. As part of the build process, PHP will get installed because it is a required dependency. Please note, PHP has had a bad track record in regards to security; you will probably need to update PHP at future times to keep the system secure.

Various configuration options for PHP are controlled through the file /usr/local/etc/php.ini. Our php.ini file follows:

[PHP] ; Enable the PHP scripting language engine under Apache. engine = On short_open_tag = On asp_tags = Off precision = 14 y2k_compliance = On output_buffering = 4096 zlib.output_compression = Off implicit_flush = Off unserialize_callback_func= serialize_precision = 100 allow_call_time_pass_reference = Off safe_mode = Off safe_mode_gid = Off safe_mode_include= safe_mode_exec_dir = safe_mode_allowed_env_vars = PHP_ safe_mode_protected_env_vars = LD_LIBRARY_PATH disable_functions = disable_classes = expose_php = On max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing request data memory_limit = 8M ; Maximum amount of memory a script may consume (8MB) error_reporting = E_ALL display_errors = Off display_startup_errors = Off log_errors = On log_errors_max_len = 1024 ignore_repeated_errors = Off ignore_repeated_source = Off report_memleaks = On track_errors = Off variables_order = "GPCS" register_globals = Off register_argc_argv = Off post_max_size = 8M ; This directive is deprecated. Use variables_order instead. gpc_order = "GPC" magic_quotes_gpc = Off magic_quotes_runtime = Off magic_quotes_sybase = Off auto_prepend_file = auto_append_file = default_mimetype = "text/html" doc_root = user_dir = enable_dl = On file_uploads = On upload_tmp_dir = /tmp upload_max_filesize = 2M allow_url_fopen = On default_socket_timeout = 60 [Syslog] define_syslog_variables = Off [mail function] SMTP = localhost smtp_port = 25 [Java] [SQL] sql.safe_mode = Off [ODBC] odbc.allow_persistent = On odbc.check_persistent = On odbc.max_persistent = -1 odbc.max_links = -1 odbc.defaultlrl = 4096 odbc.defaultbinmode = 1 [PostgresSQL] pgsql.allow_persistent = On pgsql.auto_reset_persistent = Off pgsql.max_persistent = -1 pgsql.max_links = -1 pgsql.ignore_notice = 0 pgsql.log_notice = 0 [Session] session.save_handler = files session.use_cookies = 1 session.name = PHPSESSID session.auto_start = 1 session.cookie_lifetime = 0 session.cookie_path = / session.cookie_domain = astro.ufl.edu session.serialize_handler = php session.gc_probability = 1 session.gc_divisor = 1000 session.gc_maxlifetime = 1440 session.bug_compat_42 = 0 session.bug_compat_warn = 1 session.referer_check = session.entropy_length = 0 session.entropy_file = session.cache_limiter = nocache session.cache_expire = 180 session.use_trans_sid = 0 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" [exif] ; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. ; With mbstring support this will automatically be converted into the encoding ; given by corresponding encode setting. When empty mbstring.internal_encoding ; is used. For the decode settings you can distinguish between motorola and ; intel byte order. A decode setting cannot be empty. ;exif.encode_unicode = ISO-8859-15 ;exif.decode_unicode_motorola = UCS-2BE ;exif.decode_unicode_intel = UCS-2LE ;exif.encode_jis = ;exif.decode_jis_motorola = JIS ;exif.decode_jis_intel = JIS ; Local Variables: ; tab-width: 4 ; End:

Discussion: This php.ini file was created by taking the php.ini-recommended file that was installed in /usr/local/etc and changing the upload_tmp_dir, session.auto_start and session.cookie_domain settings. Unused stanzas, such as the MySQL sub-section, were removed.

After Squirrelmail has been installed, and PHP has been configured, you will need to configure Squirrelmail for use. To do this, cd into the /usr/local/www/squirrelmail directory and run the command ./configure.

Under Server Settings set the domain to astro.ufl.edu and the defaults for everything else should be sufficient. Additionally, I set the motd to be similar to the departmental /etc/motd. The final configuration for squirrelmail is to choose the option to save data.

The next step is to configure Apache to run Squirrelmail. Our Apache configuration file, /usr/local/etc/apache/httpd.conf file follows:

ServerType standalone ServerRoot "/usr/local" PidFile /var/run/httpd.pid ScoreBoardFile /var/run/httpd.scoreboard ResourceConfig /dev/null AccessConfig /dev/null Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 15 MinSpareServers 5 MaxSpareServers 10 StartServers 5 MaxClients 150 MaxRequestsPerChild 0 LoadModule mmap_static_module libexec/apache/mod_mmap_static.so LoadModule vhost_alias_module libexec/apache/mod_vhost_alias.so LoadModule env_module libexec/apache/mod_env.so LoadModule define_module libexec/apache/mod_define.so LoadModule config_log_module libexec/apache/mod_log_config.so LoadModule mime_magic_module libexec/apache/mod_mime_magic.so LoadModule mime_module libexec/apache/mod_mime.so LoadModule negotiation_module libexec/apache/mod_negotiation.so LoadModule status_module libexec/apache/mod_status.so LoadModule info_module libexec/apache/mod_info.so LoadModule includes_module libexec/apache/mod_include.so LoadModule autoindex_module libexec/apache/mod_autoindex.so LoadModule dir_module libexec/apache/mod_dir.so LoadModule cgi_module libexec/apache/mod_cgi.so LoadModule asis_module libexec/apache/mod_asis.so LoadModule imap_module libexec/apache/mod_imap.so LoadModule action_module libexec/apache/mod_actions.so LoadModule speling_module libexec/apache/mod_speling.so LoadModule userdir_module libexec/apache/mod_userdir.so LoadModule alias_module libexec/apache/mod_alias.so LoadModule rewrite_module libexec/apache/mod_rewrite.so LoadModule access_module libexec/apache/mod_access.so LoadModule auth_module libexec/apache/mod_auth.so LoadModule anon_auth_module libexec/apache/mod_auth_anon.so LoadModule db_auth_module libexec/apache/mod_auth_db.so LoadModule digest_module libexec/apache/mod_digest.so LoadModule proxy_module libexec/apache/libproxy.so LoadModule cern_meta_module libexec/apache/mod_cern_meta.so LoadModule expires_module libexec/apache/mod_expires.so LoadModule headers_module libexec/apache/mod_headers.so LoadModule usertrack_module libexec/apache/mod_usertrack.so LoadModule log_forensic_module libexec/apache/mod_log_forensic.so LoadModule unique_id_module libexec/apache/mod_unique_id.so LoadModule setenvif_module libexec/apache/mod_setenvif.so LoadModule ssl_module libexec/apache/libssl.so LoadModule php4_module libexec/apache/libphp4.so ClearModuleList AddModule mod_mmap_static.c AddModule mod_vhost_alias.c AddModule mod_env.c AddModule mod_define.c AddModule mod_log_config.c AddModule mod_mime_magic.c AddModule mod_mime.c AddModule mod_negotiation.c AddModule mod_status.c AddModule mod_info.c AddModule mod_include.c AddModule mod_autoindex.c AddModule mod_dir.c AddModule mod_cgi.c AddModule mod_asis.c AddModule mod_imap.c AddModule mod_actions.c AddModule mod_speling.c AddModule mod_userdir.c AddModule mod_alias.c AddModule mod_rewrite.c AddModule mod_access.c AddModule mod_auth.c AddModule mod_auth_anon.c AddModule mod_auth_db.c AddModule mod_digest.c AddModule mod_proxy.c AddModule mod_cern_meta.c AddModule mod_expires.c AddModule mod_headers.c AddModule mod_usertrack.c AddModule mod_log_forensic.c AddModule mod_unique_id.c AddModule mod_so.c AddModule mod_setenvif.c AddModule mod_ssl.c AddModule mod_php4.c Port 80 Listen 80 Listen 443 User www Group www ServerAdmin admin@astro.ufl.edu ServerName webmail.astro.ufl.edu DocumentRoot "/usr/local/www/data" <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory "/usr/local/www/data"> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all </Directory> <IfModule mod_dir.c> <IfModule mod_php3.c> <IfModule mod_php4.c> DirectoryIndex index.php index.php3 index.html </IfModule> <IfModule !mod_php4.c> DirectoryIndex index.php3 index.html </IfModule> </IfModule> <IfModule !mod_php3.c> <IfModule mod_php4.c> DirectoryIndex index.php index.html </IfModule> <IfModule !mod_php4.c> DirectoryIndex index.html </IfModule> </IfModule> </IfModule> UseCanonicalName On <IfModule mod_mime.c> TypesConfig /usr/local/etc/apache/mime.types </IfModule> DefaultType text/plain <IfModule mod_mime_magic.c> MIMEMagicFile /usr/local/etc/apache/magic </IfModule> HostnameLookups Off ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpd-error.log 10080" LogLevel warn ServerSignature Off <IfModule mod_alias.c> Alias /icons/ "/usr/local/www/icons/" <Directory "/usr/local/www/icons"> Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all </Directory> </IfModule> <IfModule mod_autoindex.c> IndexOptions FancyIndexing AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* AddIcon /icons/binary.gif .bin .exe AddIcon /icons/binhex.gif .hqx AddIcon /icons/tar.gif .tar AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip AddIcon /icons/a.gif .ps .ai .eps AddIcon /icons/layout.gif .html .shtml .htm .pdf AddIcon /icons/text.gif .txt AddIcon /icons/c.gif .c AddIcon /icons/p.gif .pl .py AddIcon /icons/f.gif .for AddIcon /icons/dvi.gif .dvi AddIcon /icons/uuencoded.gif .uu AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl AddIcon /icons/tex.gif .tex AddIcon /icons/bomb.gif core AddIcon /icons/back.gif .. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ DefaultIcon /icons/unknown.gif IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t </IfModule> <IfModule mod_mime.c> AddLanguage da .dk AddLanguage nl .nl AddLanguage en .en AddLanguage et .ee AddLanguage fr .fr AddLanguage de .de AddLanguage el .el AddLanguage he .he AddCharset ISO-8859-8 .iso8859-8 AddLanguage it .it AddLanguage ja .ja AddCharset ISO-2022-JP .jis AddLanguage kr .kr AddCharset ISO-2022-KR .iso-kr AddLanguage nn .nn AddLanguage no .no AddLanguage pl .po AddCharset ISO-8859-2 .iso-pl AddLanguage pt .pt AddLanguage pt-br .pt-br AddLanguage ltz .lu AddLanguage ca .ca AddLanguage es .es AddLanguage sv .sv AddLanguage cs .cz .cs AddLanguage ru .ru AddLanguage zh-TW .zh-tw AddCharset Big5 .Big5 .big5 AddCharset WINDOWS-1251 .cp-1251 AddCharset CP866 .cp866 AddCharset ISO-8859-5 .iso-ru AddCharset KOI8-R .koi8-r AddCharset UCS-2 .ucs2 AddCharset UCS-4 .ucs4 AddCharset UTF-8 .utf8 <IfModule mod_negotiation.c> LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw </IfModule> AddType application/x-httpd-php .php AddType application/x-httpd-php-source .phps </IfModule> ### Section 3: Virtual Hosts # redirect all traffic sent on regular port 80 to 443. <VirtualHost *> Redirect / https://webmail.astro.ufl.edu </VirtualHost> <IfDefine SSL> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl </IfDefine> <IfModule mod_ssl.c> SSLPassPhraseDialog builtin SSLSessionCache dbm:/var/run/ssl_scache SSLSessionCacheTimeout 300 SSLMutex file:/var/run/ssl_mutex SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLLog /var/log/ssl_engine_log SSLLogLevel info </IfModule> <IfDefine SSL> ## ## SSL Virtual Host Context ## <VirtualHost _default_:443> DocumentRoot "/usr/local/www/squirrelmail" ServerName webmail.astro.ufl.edu ServerAdmin admin@astro.ufl.edu ErrorLog "|/usr/local/sbin/rotatelogs /var/log/httpsd-error.log 10080" TransferLog "|/usr/local/sbin/rotatelogs /var/log/httpsd-access.log 10080" SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost> </IfDefine>

Discussion: Our Apache configuration redirects all traffic on port 80 to port 443. We enable support for php, so that squirrelmail will properly work. We pipe all of the log writing to the rotatelogs utility so that we do not run into a problem with Apache hanging if logs fill up a volume. User configuration data, such as preferences and addressbooks, are stored by default in /var/spool/squirrelmail/pref.