Mail Server Setup With Exim, MySQL, Cyrus-Imapd, Horde Webmail On Centos 5.1 - Page 4

Configure Pam_mysql

Pam_mysql will be used to authenticate the following cyrus-imapd services against the MySQL database: IMAP, POP, SIEVE, LMTP and CSYNC.

 

Pam_mysql Configuration

To enable pam_mysql for these services, make the changes below.

  • /etc/pam.d/imap
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/pop
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/sieve
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/lmtp
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/csync
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    

 

Saslauthd Configuration

  • Edit /etc/sysconfig/saslauthd and modify it as below
    SOCKETDIR=/var/run/saslauthd
    # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
    # of which mechanism your installation was compiled to use.
    MECH=pam
    # Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
    # for the list of accepted flags.
    FLAGS="-r -n 0 -c"
    

 

Configure ClamAV

  • Add the clamav user to the exim group.

    usermod -G exim clamav

  • Change the location of the socket and disable TCP. Make the following changes in /etc/clamd.conf
    LocalSocket /var/run/clamav/clamd.socket
    #TCPSocket 3310
    #TCPAddr 127.0.0.1
    
  • Install the Sanesecurity signatures

    wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
    chmod +x /usr/local/bin/update_sanesecurity.sh
    ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
    /usr/local/bin/update_sanesecurity.sh

  • Enable a local SELinux module for clamav: create the file clamdlocal.te and add the following
    module clamdlocal 1.0;
    require {
            type proc_t;
            type var_t;
            type sysctl_kernel_t;
            type var_spool_t;
            type clamd_t;
            class dir { write search read remove_name add_name };
            class file { write getattr read lock create unlink };
    }
    #============= clamd_t ==============
    allow clamd_t proc_t:file { read getattr };
    allow clamd_t sysctl_kernel_t:dir search;
    allow clamd_t sysctl_kernel_t:file read;
    allow clamd_t var_spool_t:dir read;
    allow clamd_t var_spool_t:file { read getattr };
    allow clamd_t var_t:dir { write read add_name remove_name };
    allow clamd_t var_t:file { write getattr read lock create unlink };
    
  • Compile and load the module

    checkmodule -M -m -o clamdlocal.mod clamdlocal.te
    semodule_package -o clamdlocal.pp -m clamdlocal.mod
    semodule -i clamdlocal.pp

 

Configure Spamassassin

  • Modify the startup options: edit /etc/sysconfig/spamassassin and change it as below
    SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
    
  • Enable a local SELinux module for spamd: create the file spamdlocal.te and add the following
    module spamdlocal 1.0;
    require {
            type spamd_t;
            type spamd_var_run_t;
            class capability { fowner chown kill };
            class sock_file { write create unlink getattr setattr };
    }
    #============= spamd_t ==============
    allow spamd_t self:capability { fowner chown kill };
    allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };
    
  • Compile and install the module

    checkmodule -M -m -o spamdlocal.mod spamdlocal.te
    semodule_package -o spamdlocal.pp -m spamdlocal.mod
    semodule -i spamdlocal.pp

 

Final Touches

Disable services

Disable unwanted services with this script.

 

Enable services

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on

service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart

 

Create Admin User

  • Create a file admin.sql and add the following (change the password to suit you)
    USE horde;
    REPLACE INTO horde_users (user_uid,user_pass)
        VALUES (
            '[email protected]',
    -- Change this
            md5('verystrongpassword')
    );
    
  • Add user to database
    mysql -p horde < admin.sql
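As an added example that is not part of this tutorial, the Python script below produces the admin.sql shown above with the MD5 hash precomputed (so the plaintext password never sits in the file) and reproduces the comparison pam_mysql performs with crypt=3: the user_pass column holds the unsalted hex MD5 of the password, exactly what MySQL's md5() stores. The address admin@example.com is a constructed sample.

```python
# Added example, not part of the tutorial: generate admin.sql with the hash
# precomputed and reproduce the pam_mysql crypt=3 comparison.
# crypt=3 means the user_pass column holds the unsalted hex MD5 of the
# password, which is exactly what MySQL's md5() stores.
import hashlib
import hmac


def horde_hash(password: str) -> str:
    """Hex MD5 digest, identical to MySQL md5() and to pam_mysql crypt=3."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def admin_sql(user_uid: str, password: str) -> str:
    """Return the admin.sql text with the hash already computed, so the
    plaintext password never lands in the SQL file or in the shell history."""
    if "'" in user_uid or "\\" in user_uid:
        raise ValueError("user_uid must not contain quotes or backslashes")
    return (
        "USE horde;\n"
        "REPLACE INTO horde_users (user_uid,user_pass)\n"
        f"    VALUES ('{user_uid}', '{horde_hash(password)}');\n"
    )


def pam_mysql_check(stored_user_pass: str, supplied_password: str) -> bool:
    """Mimic the crypt=3 check: compare the column with the hex MD5 of the
    supplied password (constant-time compare, unlike a plain ==)."""
    return hmac.compare_digest(stored_user_pass, horde_hash(supplied_password))


# Constructed sample row, equivalent to what the tutorial's admin.sql creates.
SAMPLE_USER = "admin@example.com"
SAMPLE_ROW = {"user_uid": SAMPLE_USER,
              "user_pass": horde_hash("verystrongpassword")}

if __name__ == "__main__":
    print(admin_sql(SAMPLE_USER, "verystrongpassword"))
    print(pam_mysql_check(SAMPLE_ROW["user_pass"], "verystrongpassword"))  # True
```

Pipe the generated text into `mysql -p horde` exactly as the tutorial does with admin.sql; since the hash is unsalted, identical passwords produce identical user_pass values.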

 

Firewall

Add these rules to your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT
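As an added check that is not part of the tutorial, this Python script parses the *filter table of the ruleset above (embedded as a constructed sample) and reports any chain whose default policy is not DROP and any expected service port the INPUT chain does not accept. The expected port list is an assumption derived from the multiport rule above, not something the page states.

```python
# Added check, not part of the tutorial: parse the *filter table of the
# iptables-save ruleset above (constructed sample) and report weak policies or ports.
import shlex

RULESET = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT
"""
EXPECTED_PORTS = {22, 25, 80, 110, 143, 443}  # assumed: SSH, SMTP, HTTP, POP3, IMAP, HTTPS

def parse_filter_table(text):
    """Return ({chain: policy}, [rule args...]) for the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(shlex.split(line)[1:])  # drop the leading -A
    return policies, rules

def accepted_tcp_ports(rules, chain="INPUT"):
    """TCP ports ACCEPTed on a chain, from both --dport and multiport --dports."""
    ports = set()
    for args in rules:
        target = args[args.index("-j") + 1] if "-j" in args else None
        proto = args[args.index("-p") + 1] if "-p" in args else None
        if args[0] != chain or target != "ACCEPT" or proto != "tcp":
            continue
        for flag in ("--dport", "--dports"):
            if flag in args:
                ports.update(int(p) for p in args[args.index(flag) + 1].split(","))
    return ports

def audit(text=RULESET, expected=EXPECTED_PORTS):
    """Chains whose policy is not DROP, and expected ports INPUT does not accept."""
    policies, rules = parse_filter_table(text)
    return {"open_policy_chains": sorted(c for c, p in policies.items() if p != "DROP"),
            "missing_ports": sorted(set(expected) - accepted_tcp_ports(rules))}
```

Run `audit()` against the text of /etc/sysconfig/iptables before `service iptables restart`; an empty result for both keys means the policies are DROP and every expected port is allowed.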

 

Login

Phew! You are done. Open your browser, go to https://192.168.1.4/ and log in with the details above; you can then create other users under Administration -> Users. You can test all the other features as well.

 
