Mail Server Setup With Exim, MySQL, Cyrus-Imapd, Horde Webmail On Centos 5.1 - Page 4
Configure Pam_mysql
Pam_mysql will be used to authenticate the following cyrus-imapd services aganist the mysql database, IMAP,POP,SIEVE,LMTP,CSYNC.
Pam_mysql Configuration
Enable pam_mysql for the services make the changes below.
- /etc/pam.d/imap
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3 account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
- /etc/pam.d/pop
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3 account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
- /etc/pam.d/sieve
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3 account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
- /etc/pam.d/lmtp
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3 account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
- /etc/pam.d/csync
auth optional pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3 account required pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
Saslauthd Configuration
- Edit /etc/sysconfig/saslauthd and modify to below
SOCKETDIR=/var/run/saslauthd # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list # of which mechanism your installation was compiled to use. MECH=pam # Additional flags to pass to saslauthd on the command line. See saslauthd(8) # for the list of accepted flags. FLAGS="-r -n 0 -c"
Configure ClamAV
- Add the clamav user to the exim group.
usermod -G exim clamav
- Change the location of the socket and disable TCP. Make changes to /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.socket #TCPSocket 3310 #TCPAddr 127.0.0.1
- Install sane security signatures
wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh - Enable local selinux module for clamav, create file clamdlocal.te and add the following
module clamdlocal 1.0; require { type proc_t; type var_t; type sysctl_kernel_t; type var_spool_t; type clamd_t; class dir { write search read remove_name add_name }; class file { write getattr read lock create unlink }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t sysctl_kernel_t:dir search; allow clamd_t sysctl_kernel_t:file read; allow clamd_t var_spool_t:dir read; allow clamd_t var_spool_t:file { read getattr }; allow clamd_t var_t:dir { write read add_name remove_name }; allow clamd_t var_t:file { write getattr read lock create unlink };
- Compile and load the module
checkmodule -M -m -o clamdlocal.mod clamdlocal.te
semodule_package -o clamdlocal.pp -m clamdlocal.mod
semodule -i clamdlocal.pp
Configure Spamassassin
- Modify the startup options edit /etc/sysconfig/spamassassin and modify as below
SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
- Enable local spamd module for spamassassin, create file spamdlocal.te and add the following
module spamdlocal 1.0; require { type spamd_t; type spamd_var_run_t; class capability { fowner chown kill }; class sock_file { write create unlink getattr setattr }; } #============= spamd_t ============== allow spamd_t self:capability { fowner chown kill }; allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };
- Compile and install the module
checkmodule -M -m -o spamdlocal.mod spamdlocal.te
semodule_package -o spamdlocal.pp -m spamdlocal.mod
semodule -i spamdlocal.pp
Final Touches
Disable services
Disable unwanted services, use this script.
Enable services
chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on
service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart
Create Admin User
- Create a file admin.sql and add the following (modify the password to suite you)
USE horde; REPLACE INTO horde_users (user_uid,user_pass) VALUES ( '[email protected]', -- Change this md5('verystrongpassword') );
- Add user to database
mysql -p horde < admin.sql
Firewall
Add these rules in your configuration file /etc/sysconfig/iptables
*raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *filter :FORWARD DROP [0:0] :INPUT DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143 -A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -s 192.168.1.4 -j ACCEPT COMMIT
Login
Phew! you are done. Open your browser and go to https://192.168.1.4/ and log in with the details above, you can the create other users under administration ? users. You can test all the other features as well.