Patch System:
yum update
Include RPMForge Repository
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
Disable the repo (such that base packages not overwritten) edit /etc/yum.d/rpmforge.repo and set the following option
enabled = 0
Install Apache
yum install httpd php php-mysql php-xml php-imap php-mbstring php-mcrypt \
php-pecl-Fileinfo php-pear-DB php-pear-File php-pear-Log php-pear-Mail-Mime \
php-pear-Auth-SASL php-pear-Date php-pear-HTTP-Request php-pear-Mail php-pear-Net-Sieve \
php-pear-Net-Socket php-pear-Net-SMTP openssl mod_ssl -y
Database Setup:
yum install mysql mysql-server -y
Mail Setup:
yum install exim system-switch-mail -y
pam_mysql
rpm -Uvh http://www.topdog-software.com/oss/pam_mysql/pam_mysql-0.7RC1-1.i386.rpm
Install Horde
yum install horde imp-h3 ingo-h3 turba-h3 kronolith-h3 -y
wget ftp://ftp.horde.org/pub/passwd/passwd-h3-3.0.1.tar.gz
tar xzvf passwd-h3-3.0.1.tar.gz -C /usr/share/horde
mv /usr/share/horde/passwd-h3-3.0.1 /usr/share/horde/passwd
Install cyrus-imapd
yum install db4-utils -y
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-perl-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-utils-2.3.11-3.i386.rpm
rpm -Uvh http://www.topdog-software.com/oss/cyrus-imapd/cyrus-imapd-2.3.11-3.i386.rpm
Install pam_mysql
rpm -Uvh http://www.topdog-software.com/oss/pam_mysql/pam_mysql-0.7RC1-1.i386.rpm
Install clamav:
yum –enablerepo=rpmforge install clamav clamav-db clamd -y
Install spamassassin
yum install spamassassin -y
Enable virtual hosting and create default virtualhost, edit /etc/httpd/conf/httpd.conf and add at the end
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@home.topdog-software.com
</VirtualHost>
Create the virtual host for horde webmail add this under the above
<VirtualHost *:80>
Servername mail.home.topdog-software.com
DocumentRoot /usr/share/horde
ErrorLog logs/mail-error_log
CustomLog logs/mail-access_log common
</VirtualHost>
Enable horde security settings edit the file /etc/httpd/conf.d/horde.conf and set as below
#Alias /horde /usr/share/horde
<Directory /usr/share/horde>
Options +FollowSymLinks
php_admin_flag safe_mode off
php_admin_flag magic_quotes_runtime off
php_flag session.use_trans_sid off
php_flag session.auto_start off
php_admin_flag file_uploads on
#php_admin_flag allow_url_fopen on
php_value post_max_size 20M
php_value upload_max_filesize 10M
php_admin_value open_basedir "/usr/share/horde:/usr/share/horde/config:/usr/share/pear:/tmp"
php_admin_flag register_globals off
</Directory>
<Directory /usr/share/horde/config>
Order Deny,Allow
Deny from all
</Directory>
<DirectoryMatch "^/usr/share/horde/(.*/)?(config|lib|locale|po|scripts|templates)/(.*)?">
Order Deny,Allow
Deny from all
</DirectoryMatch>
Increase PHP memory limit edit /etc/php.ini and change to below
memory_limit = 64M
Enable horde under SSL edit /etc/httpd/conf.d/ssl.conf and add the following to the default virtualhost between the <VirtualHost _default_:443><VirtualHost> tags
Servername mail.home.topdog-software.com:443
DocumentRoot /usr/share/horde
Switch the MTA to exim
system-switch-mail (select exim)
Anti-virus / Sanesecurity Checks
Configure Exim (/etc/exim/exim.conf) to use clamav to scan incoming mail and reject virus infected email and image and pdf spam at smtp time
av_scanner = clamd:/var/run/clamav/clamd.sock
RBL’s
Configure the RBL’s under acl_check_rcpt:
drop message = REJECTED because $sender_host_address is in a black list spamhaus.org
dnslists = zen.spamhaus.org
drop message = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
dnslists = bl.spamcop.net
drop message = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
dnslists = dnsbl.sorbs.net
Anti Spam
If you want to reject messages from servers with no reverse dns add this under acl_check_rcpt:, it does have a exception list to which you can add domains where the acl should not be applied and trys to deliver a test message to sending address to verify if the sender is valid.
drop message = REJECTED - We don't accept messages from hosts without reverse DNS
log_message = No reverse DNS
domains = ! lsearch;/etc/exim/checks_exempt_hosts
!verify = reverse_host_lookup
!verify = sender/callout=2m,defer_ok
!condition = ${if eq{$sender_verify_failure}{}}
To reject messages from clients that dont provide a HELO/EHLO add this to acl_check_rcpt:
drop message = REFUSED - no HELO/EHLO greeting
log_message = remote host did not present greeting
condition = ${if def:sender_helo_name {false}{true}}
You can rate limit the connections to your server as well add this to acl_check_connect: to do so (read the exim docs on the parameters if you want to fine tune it for your site)
deny ratelimit = 250 / 15m / strict
message = You can only send $sender_rate per $sender_rate_period
log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
accept
Stop rogue spam bots from trashing your machine
smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1
Don’t advertise pipelining
pipelining_advertise_hosts =
Enable Spamassassin checks
spamd_address = /var/run/spamassassin/spamd.sock
Reject all messages with score above 6 at smtp time. (acl_check_data)
accept condition = ${if >={$message_size}{100000} {1}}
add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
warn spam = nobody/defer_ok
add_header = X-Spam-Flag: YES
accept condition = ${if !def:spam_score_int {1}}
add_header = X-Spam-Note: SpamAssassin invocation failed
warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
# X-Spam-Report: $spam_report
drop condition = ${if >{$spam_score_int}{60} {1}}
message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
$spam_report
Mail routing
Enable access to Mysql database
hide mysql_servers = localhost/horde/horde/hordepassword
Modify the local delivery router to deliver to cyrus but verify the email address of user before delivery (in routers section of exim.conf)
localuser:
driver = accept
local_parts = ${lookup mysql {SELECT REPLACE(user_uid,'${quote_mysql:@$domain}','') \
as user FROM horde_users WHERE user_uid='${quote_mysql:$local_part@$domain}'}{$value}}
transport = local_delivery
cannot_route_message = Unknown user
Create a transport to deliver to cyrus via lmtp socket
local_delivery:
driver = lmtp
socket = /var/lib/imap/socket/lmtp
batch_max = 50
user = cyrus
SMTP Authentication
Add the following to the authentication section of /etc/exim/exim.conf
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_set_id = $2
server_condition = ${if saslauthd{{$2}{$3}{pop}}{1}{0}}
server_advertise_condition = true
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}{pop}}{1}{0}}
server_set_id = $1
server_advertise_condition = true
Full sample configuration
Download the full configuration file here.
Configure Mysql
Disable TCP networking edit /etc/my.cnf and the following in the mysqld section
skip-networking
Set root password
/usr/bin/mysqladmin -u root password ‘new-password’
/usr/bin/mysqladmin -u root -h your_host_name password ‘new-password’ -p
Configure Horde
Edit the sql file and change the mysql password for the horde user
cp /usr/share/horde/scripts/sql/create.mysql.sql .
vi create.mysql.sql
REPLACE INTO user (host, user, password)
VALUES (
'localhost',
'horde',
-- IMPORTANT: Change this password!
PASSWORD('hordepassword')
);
Create the user and populate the horde database
mysql -p < create.mysql.sql
Create the tables for turba (Address book)
mysql -p horde < /usr/share/horde/turba/scripts/sql/turba_objects.mysql.sql
Create the tables for kronolith (calendering)
mysql -p horde < /usr/share/horde/kronolith/scripts/sql/kronolith.mysql.sql
Horde Configuration
Create horde base configuration /usr/share/horde/config/conf.php
<?php
$conf['debug_level'] = E_ALL;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['umask'] = 077;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['server']['port'] = $_SERVER['SERVER_PORT'];
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'hordepassword';
$conf['sql']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'iso-8859-1';
$conf['sql']['phptype'] = 'mysqli';
$conf['auth']['admins'] = array('Administrator', 'andrew@home.topdog-software.com');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['params']['table'] = 'horde_users';
$conf['auth']['params']['username_field'] = 'user_uid';
$conf['auth']['params']['password_field'] = 'user_pass';
$conf['auth']['params']['encryption'] = 'md5-hex';
$conf['auth']['params']['show_encryption'] = false;
$conf['auth']['driver'] = 'sql';
$conf['signup']['allow'] = false;
$conf['log']['priority'] = PEAR_LOG_NOTICE;
$conf['log']['ident'] = 'HORDE';
$conf['log']['params'] = array();
$conf['log']['name'] = '/tmp/horde.log';
$conf['log']['params']['append'] = true;
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'sql';
$conf['datatree']['params']['driverconfig'] = 'horde';
$conf['datatree']['driver'] = 'sql';
$conf['group']['driver'] = 'datatree';
$conf['cache']['default_lifetime'] = 1800;
$conf['cache']['params']['dir'] = Horde::getTempDir();
$conf['cache']['params']['gc'] = 86400;
$conf['cache']['driver'] = 'file';
$conf['token']['driver'] = 'none';
$conf['mailer']['params']['auth'] = '0';
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'sql';
$conf['sessionhandler']['params']['persistent'] = false;
$conf['sessionhandler']['params']['rowlocking'] = true;
$conf['sessionhandler']['params']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sessionhandler']['params']['protocol'] = 'unix';
$conf['sessionhandler']['params']['hostspec'] = 'localhost';
$conf['sessionhandler']['params']['username'] = 'horde';
$conf['sessionhandler']['params']['password'] = 'hordepassword';
$conf['sessionhandler']['params']['database'] = 'horde';
$conf['sessionhandler']['type'] = 'mysql';
$conf['problems']['email'] = 'webmaster@home.topdog-software.com';
$conf['problems']['maildomain'] = 'home.topdog-software.com';
$conf['problems']['tickets'] = false;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = true;
$conf['menu']['links']['help'] = 'authenticated';
$conf['menu']['links']['help_about'] = true;
$conf['menu']['links']['options'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['hooks']['permsdenied'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['preauthenticate'] = false;
$conf['hooks']['postauthenticate'] = false;
$conf['hooks']['authldap'] = false;
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;
Set horde preferences to make web mail the default application on logging in. Edit the file /usr/share/horde/config/prefs.php and modify $_prefs[‘initial_application’] to look as below
$_prefs['initial_application'] = array(
'value' => 'imp',
'locked' => true,
'shared' => true,
'type' => 'select',
'desc' => sprintf(_("What application should %s display after login?"), $GLOBALS['registry']->get('name'))
);
Make horde work from within the default root of the web servers, edit /usr/share/horde/config/registry.php and modify $this→applications[‘horde’] as below
$this->applications['horde'] = array(
'fileroot' => dirname(__FILE__) . '/..',
'webroot' => '',
'initial_page' => 'login.php',
'name' => _("Horde"),
'status' => 'active',
'templates' => dirname(__FILE__) . '/../templates',
'provides' => 'horde'
);
IMP Configuration
Create imp base configuration /usr/share/horde/imp/config/conf.php
<?php
$conf['utils']['spellchecker'] = '/usr/bin/aspell';
$conf['utils']['gnupg'] = '/usr/bin/gpg';
$conf['utils']['gnupg_keyserver'] = array('pgp.mit.edu');
$conf['utils']['gnupg_timeout'] = '10';
$conf['utils']['openssl_cafile'] = '/etc/pki/tls/certs';
$conf['utils']['openssl_binary'] = '/usr/bin/openssl';
$conf['menu']['apps'] = array('ingo', 'kronolith', 'passwd', 'turba');
$conf['user']['select_sentmail_folder'] = false;
$conf['user']['allow_resume_all_in_drafts'] = true;
$conf['user']['allow_folders'] = true;
$conf['user']['allow_resume_all'] = false;
$conf['user']['allow_view_source'] = true;
$conf['user']['alternate_login'] = false;
$conf['user']['redirect_on_logout'] = false;
$conf['server']['change_server'] = false;
$conf['server']['change_port'] = false;
$conf['server']['change_protocol'] = false;
$conf['server']['change_smtphost'] = false;
$conf['server']['change_smtpport'] = false;
$conf['server']['server_list'] = 'none';
$conf['server']['sort_limit'] = '0';
$conf['server']['cache_folders'] = false;
$conf['server']['cache_msgbody'] = true;
$conf['mailbox']['show_attachments'] = false;
$conf['mailbox']['show_preview'] = false;
$conf['mailbox']['show_xpriority'] = false;
$conf['fetchmail']['show_account_colors'] = false;
$conf['fetchmail']['size_limit'] = '4000000';
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['msg']['prepend_header'] = true;
$conf['msg']['append_trailer'] = true;
$conf['compose']['allow_cc'] = true;
$conf['compose']['allow_bcc'] = true;
$conf['compose']['allow_receipts'] = true;
$conf['compose']['special_characters'] = true;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['add_maildomain_to_unexpandable'] = false;
$conf['compose']['attach_size_limit'] = '0';
$conf['compose']['attach_count_limit'] = '0';
$conf['hooks']['vinfo'] = false;
$conf['hooks']['signature'] = false;
$conf['hooks']['trailer'] = false;
$conf['hooks']['fetchmail_filter'] = false;
$conf['hooks']['mbox_redirect'] = false;
$conf['hooks']['mbox_icon'] = false;
$conf['hooks']['spam_bounce'] = false;
$conf['maillog']['use_maillog'] = true;
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;
Create IMP servers configuration /usr/share/horde/imp/config/servers.php (remove all others) with content below
<?php
$servers['cyrus'] = array(
'name' => 'localserver',
'server' => 'localhost',
'hordeauth' => 'full',
'protocol' => 'imap/notls',
'port' => 143,
'maildomain' => '',
'smtphost' => 'localhost',
'smtpport' => 25,
'realm' => '',
'preferred' => '',
'admin' => array(
'params' => array(
'login' => 'cyrus',
'password' => '',
'userhierarchy' => 'user.',
'protocol' => 'imap/notls',
'hostspec' => 'localhost',
'port' => 143
)
),
'quota' => array(
'driver' => 'cyrus',
'params' => array(),
),
'acl' => array(
'driver' => 'rfc2086',
),
);
Prevent compose window from being a popup, edit /usr/share/horde/imp/config/prefs.php and change the variable $_prefs[‘compose_window’] to look like below
$_prefs['compose_popup'] = array(
'value' => 0,
'locked' => true,
'shared' => true,
'type' => 'checkbox',
'desc' => _("Compose messages in a separate window?"));
Kronolith Configuration
Create kronolith base configuration /usr/share/horde/kronolith/config/conf.php
<?php
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['metadata']['keywords'] = false;
$conf['reminder']['server_name'] = 'home.topdog-software.com';
$conf['reminder']['from_addr'] = 'postmaster@home.topdog-software.com';
$conf['autoshare']['shareperms'] = 'none';
$conf['menu']['print'] = true;
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
Turba Configuration
Configure the turba base configuration /usr/share/horde/turba/config/conf.php
<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true;
Ingo Configuration
Configure the ingo base configuration /usr/share/horde/ingo/config/conf.php
<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true
Configure the ingo backend to use timsieved in /usr/share/horde/ingo/config/backends.php (remove all other backends)
<?php
$backends['sieve'] = array(
'driver' => 'timsieved',
'preferred' => 'localhost',
'hordeauth' => 'full',
'params' => array(
'hostspec' => 'localhost',
'logintype' => 'PLAIN',
'usetls' => true,
'port' => 2000,
'scriptname' => 'ingo',
),
'script' => 'sieve',
'scriptparams' => array()
);
Passwd Configuration
Configure the passwd base configuration /usr/share/horde/passwd/config/conf.php
<?php
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['backend']['backend_list'] = 'hidden';
$conf['user']['change'] = true;
$conf['user']['refused'] = array('root', 'bin', 'daemon', 'adm', 'lp', 'shutdown',
'halt', 'uucp', 'ftp', 'anonymous', 'nobody', 'httpd', 'operator', 'guest', 'diginext', 'bind', 'cyrus', 'courier', 'games', 'kmem', 'mailnull', 'man', 'mysql', 'news', 'postfix', 'sshd', 'tty', 'www');
$conf['password']['strengthtests'] = false;
$conf['hooks']['full_name'] = true;
$conf['hooks']['default_username'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['userdn'] = false;
Configure the passwd back end to use the horde mysql database in /usr/share/horde/passwd/config/backends.php (remove all others)
<?php
$backends['hordesql'] = array (
'name' => 'Horde Authentication',
'preferred' => '',
'password policy' => array(
'minLength' => 5,
'maxLength' => 8,
'maxSpace' => 0,
'minUpper' => 1,
'minLower' => 1,
'minNumeric' => 1,
'minSymbols' => 1
),
'driver' => 'sql',
'params' => array_merge($conf['sql'],
array('table' => 'horde_users',
'user_col' => 'user_uid',
'pass_col' => 'user_pass',
'show_encryption' => false)),
);
Secure Horde Installation
Secure the horde installation
chown apache:root -R /usr/share/horde/config
chown apache:root -R /usr/share/horde/*/config
chmod -R go-rwx /usr/share/horde/config
chmod -R go-rwx /usr/share/horde/*/config
chown -R root:root /usr/share/horde/scripts
chown -R root:root /usr/share/horde/*/scripts
chmod -R go-rwx /usr/share/horde/scripts
chmod -R go-rwx /usr/share/horde/*/scripts
chmod a-rwx /usr/share/horde/test.php
chmod a-rwx /usr/share/horde/*/test.php
find /usr/share/horde/ -iname readme -exec rm -f {} ;
find /usr/share/horde/ -iname todo -exec rm -vf {} ;
find /usr/share/horde/ -iname license -exec rm -vf {} ;
find /usr/share/horde/ -iname copying -exec rm -vf {} ;
find /usr/share/horde/ -iname docs -exec rm -vrf {} ;
Configure Cyrus-imapd
The cyrus-imapd system will have virtual hosting enabled, sieve scripts, quota’s set to 10MB, auto creation (& auto subscription) of the mailbox with these folders (INBOX,sent-mail,drafts,spam,trash). Authentication of users will take place aganist the Mysql database via SASL using the saslauthd daemon.
Create the configuration /etc/imapd.conf with the following content
configdirectory: /var/lib/imap
servername: TDS-IMAP/POP3
partition-default: /var/spool/imap
virtdomains: on
defaultdomain: localhost.localdomain
admins: andrew@home.topdog-software.com
postmaster: support@home.topdog-software.com
quotawarn: 85
lmtp_over_quota_perm_failure: 1
lmtp_strict_quota: 1
autocreatequota: 10240
createonpost: 1
autocreateinboxfolders: sent-mail|drafts|spam|trash
autosubscribeinboxfolders: sent-mail|drafts|spam|trash
autocreate_sieve_script: /etc/default_sieve
autocreate_sieve_compiledscript: /etc/default_sieve_script.bc
sievedir: /var/lib/imap/sieve
md5_dir: /var/lib/imap/md5
#sievenotifier: sms
#sendsms: /usr/bin/mysmsprog
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplainwithouttls: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
loglevel: info
Create the configuration /etc/cyrus.conf with the following content
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"
# this is only necessary if using idled for IMAP IDLE
idled cmd="idled"
# replication
# syncclient cmd="/usr/lib/cyrus-imapd/sync_client -r"
}
# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
# imaps cmd="imapd -s" listen="imaps" prefork=1
pop3 cmd="pop3d" listen="pop3" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
# pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="localhost:sieve" prefork=0 proto=tcp maxfds=1000 provide_uuid=1
# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=3
# nntps cmd="nntpd -s" listen="nntps" prefork=1
#fud
# fud cmd="fud" listen="fud" prefork=1 proto="udp"
# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 maxfds=1000 provide_uuid=1
# this is only necessary if using notifications
notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
# replication
}
EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30 maxfds=1000
# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
delprune cmd="cyr_expire -E 3" at=0400
# this is only necessary if caching TLS sessions
#tlsprune cmd="tls_prune" at=0400
squat cmd="squatter" period=30
}
Configure Pam_mysql
Pam_mysql will be used to authenticate the following cyrus-imapd services aganist the mysql database, IMAP,POP,SIEVE,LMTP,CSYNC.
Pam_mysql Configuration
Enable pam_mysql for the services make the changes below.
/etc/pam.d/imap
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
/etc/pam.d/pop
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
/etc/pam.d/sieve
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
/etc/pam.d/lmtp
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
/etc/pam.d/csync
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
Saslauthd Configuration
Edit /etc/sysconfig/saslauthd and modify to below
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS="-r -n 0 -c"
Configure ClamAV
Add the clamav user to the exim group.
usermod -G exim clamav
Change the location of the socket and disable TCP. Make changes to /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.socket
#TCPSocket 3310
#TCPAddr 127.0.0.1
Install sane security signatures
wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh
Enable local selinux module for clamav, create file clamdlocal.te and add the following
module clamdlocal 1.0;
require {
type proc_t;
type var_t;
type sysctl_kernel_t;
type var_spool_t;
type clamd_t;
class dir { write search read remove_name add_name };
class file { write getattr read lock create unlink };
}
#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { read getattr };
allow clamd_t var_t:dir { write read add_name remove_name };
allow clamd_t var_t:file { write getattr read lock create unlink };
Compile and load the module
checkmodule -M -m -o clamdlocal.mod clamdlocal.te
semodule_package -o clamdlocal.pp -m clamdlocal.mod
semodule -i clamdlocal.pp
Configure Spamassassin
Modify the startup options edit /etc/sysconfig/spamassassin and modify as below
SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
Enable local spamd module for spamassassin, create file spamdlocal.te and add the following
module spamdlocal 1.0;
require {
type spamd_t;
type spamd_var_run_t;
class capability { fowner chown kill };
class sock_file { write create unlink getattr setattr };
}
#============= spamd_t ==============
allow spamd_t self:capability { fowner chown kill };
allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };
Compile and install the module
checkmodule -M -m -o spamdlocal.mod spamdlocal.te
semodule_package -o spamdlocal.pp -m spamdlocal.mod
semodule -i spamdlocal.pp
Final Touches
Disable services
Disable unwanted services, use this script.
Enable services
chkconfig –level 234 exim on
chkconfig –level 234 mysqld on
chkconfig –level 234 spamassassin on
chkconfig –level 234 clamd on
chkconfig –level 234 httpd on
chkconfig –level 234 saslauthd on
chkconfig –level 234 cyrus-imapd on
service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart
Create Admin User
Create a file admin.sql and add the following (modify the password to suite you)
USE horde;
REPLACE INTO horde_users (user_uid,user_pass)
VALUES (
'andrew@home.topdog-software.com',
-- Change this
md5('verystrongpassword')
);
Add user to database
mysql -p horde < admin.sql
Firewall
Add these rules in your configuration file /etc/sysconfig/iptables
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT
Login
Phew! you are done. Open your browser and go to https://192.168.1.4/ and log in with the details above, you can the create other users under administration → users. You can test all the other features as well.
References