10 MySQL (5.0)

To install MySQL 5.0, we simply run:

urpmi MySQL MySQL-client lib64mysql15-devel

By default, networking is not enabled in Mandriva 2009.0's MySQL package, but networking is required by ISPConfig. We can change this by commenting out the line skip-networking in /etc/my.cnf.

vi /etc/my.cnf

[...]
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
[...]

Afterwards, we create the system startup links for MySQL...

chkconfig mysqld on

... and start it:

/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[root@server1 var]# netstat -tap | grep mysql
tcp        0      0 *:mysql-im                  *:*                         LISTEN      3181/mysqlmanager
tcp        0      0 *:mysql                     *:*                         LISTEN      3190/mysqld
[root@server1 var]#

Next, run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

11 Postfix With SMTP-AUTH And TLS; Dovecot

Install the required packages (Postfix, cyrus-sasl, Dovecot, etc.) like this:

urpmi cyrus-sasl lib64sasl2 lib64sasl2-devel lib64sasl2-plug-plain lib64sasl2-plug-anonymous lib64sasl2-plug-crammd5 lib64sasl2-plug-digestmd5 lib64sasl2-plug-gssapi lib64sasl2-plug-login postfix dovecot

Then run:

postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
touch /etc/postfix/local-host-names

Then we set the hostname in our Postfix installation (make sure you replace server1 and example.com with your own settings):

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'

Edit /etc/sasl2/smtpd.conf. It should look like this:

vi /etc/sasl2/smtpd.conf

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl/options.html
# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list:         plain login
# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method:    saslauthd
saslauthd_path:    /var/lib/sasl2/mux
# To authenticate against users stored in sasldb.
#pwcheck_method:    auxprop
#auxprop_plugin:    sasldb
#sasldb_path:       /var/lib/sasl2/sasl.db

The default authentication mechanism for saslauthd is pam, however on Mandriva 2009.0 there seems to be a bug. When you send an email, the first one goes through, and as soon as you try to send a second email, saslauthd dies. You can find messages like this one in /var/log/messages:

Oct  9 17:53:42 server1 saslauthd[4460]: server_exit     : master exited: 4460

I've found the following workaround: open /etc/sysconfig/saslauthd...

vi /etc/sysconfig/saslauthd

... and change SASL_AUTHMECH from pam to shadow:

# $Id: saslauthd.sysconfig,v 1.1 2001/05/02 10:55:48 wiget Exp $
# Authentications mechanism (for list see saslauthd -v)
SASL_AUTHMECH=shadow
# Hostname for remote IMAP server (if rimap auth mech is used)
# Ldap configuration file (if ldap auth mech is used)
SASL_MECH_OPTIONS=
# Extra options (for list see saslauthd -h)
SASLAUTHD_OPTS=

Create the SSL certificate needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

... and configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Next we must configure Dovecot to serve the protocols imap, imaps, pop3, and pop3s. Open /etc/dovecot.conf and adjust the following values:

vi /etc/dovecot.conf

[...]
# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s
[...]
disable_plaintext_auth = no
[...]
  pop3_uidl_format = %08Xu%08Xv
[...]

Now we must tell the system to start Dovecot only after ntpd has started because Dovecot isn't very forgiving if your system's time moves backwards while Dovecot is running (see http://wiki.dovecot.org/TimeMovedBackwards). This might cause errors like the following in your syslog:

Apr 9 19:29:18 server1 dovecot: Time just moved backwards by 17 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards

Unfortunately, on Mandriva Dovecot is started before ntpd, so we change it like this:

cd /etc/rc3.d
mv S99ntpd S98ntpd
mv S54dovecot S99dovecot
cd /etc/rc4.d
mv S99ntpd S98ntpd
mv S54dovecot S99dovecot
cd /etc/rc5.d
mv S99ntpd S98ntpd
mv S54dovecot S99dovecot

Then we create the system startup links for Postfix...

chkconfig postfix on

... and (re)start Postfix, saslauthd, and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/dovecot restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine:

[root@server1 rc5.d]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (2.5.5) (Mandriva Linux)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 rc5.d]#

Type

quit

to return to the system's shell.

11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart