Mail Server Setup With Exim, MySQL, Cyrus-Imapd, Horde Webmail On Centos 5.1 - Page 4

Configure Pam_mysql

Pam_mysql will be used to authenticate the following cyrus-imapd services against the MySQL database: IMAP, POP, SIEVE, LMTP and CSYNC.


Pam_mysql Configuration

To enable pam_mysql for these services, make the changes below.

  • /etc/pam.d/imap
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/pop
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/sieve
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/lmtp
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    
  • /etc/pam.d/csync
    auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
    

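Two things are worth checking once the five files above are in place: that every service really carries both the auth and the account line, and that the files do not leak the MySQL credentials they embed (the `passwd=hordepassword` argument sits in plain text, and files under /etc/pam.d are normally mode 0644, readable by every local account). The script below is an added example and not part of the howto; the `check_pam_mysql.sh` name, the `build_sample_dir` self-test directory and its contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the howto: check that each cyrus-imapd PAM
# service file loads pam_mysql.so for both "auth" and "account", and flag
# files that embed the MySQL password (passwd=...) while being readable by
# every local account. The sample directory built below is constructed for
# a self-test; on a real host run: sh check_pam_mysql.sh /etc/pam.d

PAM_SERVICES="imap pop sieve lmtp csync"   # the five services the howto covers

# pam_mysql_lines_ok DIR SERVICE -> 0 when DIR/SERVICE has an "auth" and an
# "account" line that load pam_mysql.so, 1 otherwise
pam_mysql_lines_ok() {
    f="$1/$2"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_mysql\.so' "$f" || return 1
    grep -Eq '^[[:space:]]*account[[:space:]]+[a-z]+[[:space:]]+pam_mysql\.so' "$f"
}

# secret_world_readable FILE -> 0 when FILE carries a passwd= argument and
# has the "other read" bit set (the DB password then leaks to any local user)
secret_world_readable() {
    grep -q 'passwd=' "$1" 2>/dev/null || return 1
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# check_pam_dir DIR -> prints one line per finding; returns the number of
# problems found (0 means every service is configured and no secret leaks)
check_pam_dir() {
    dir="$1"; problems=0
    for s in $PAM_SERVICES; do
        if pam_mysql_lines_ok "$dir" "$s"; then
            echo "OK      $dir/$s loads pam_mysql.so for auth and account"
        else
            echo "MISSING $dir/$s has no pam_mysql auth/account lines"
            problems=$((problems + 1))
        fi
        if secret_world_readable "$dir/$s"; then
            echo "WARN    $dir/$s embeds passwd= and is world-readable"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# build_sample_dir -> prints the path of a constructed /etc/pam.d look-alike:
# four services configured as on the page, csync missing, and only imap
# left world-readable (the usual 0644 for files in /etc/pam.d)
build_sample_dir() {
    d=$(mktemp -d)
    line='pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3'
    for s in imap pop sieve lmtp; do
        printf 'auth       optional     %s\naccount    required     %s\n' "$line" "$line" > "$d/$s"
        chmod 600 "$d/$s"
    done
    chmod 644 "$d/imap"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    check_pam_dir "$1"
else
    check_pam_dir "$(build_sample_dir)" || echo "sample check found $? problem(s)"
fi
```

Run without arguments it audits the constructed sample (one MISSING, one WARN); with `/etc/pam.d` it audits the live host. Once saslauthd is running with MECH=pam, `testsaslauthd -u USER -p PASSWORD -s imap` exercises the whole saslauthd, PAM and MySQL chain end to end.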

Saslauthd Configuration

  • Edit /etc/sysconfig/saslauthd and modify it as below
    SOCKETDIR=/var/run/saslauthd
    # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
    # of which mechanism your installation was compiled to use.
    MECH=pam
    # Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
    # for the list of accepted flags.
    FLAGS="-r -n 0 -c"
    


Configure ClamAV

  • Add the clamav user to the exim group.

    usermod -G exim clamav

  • Change the location of the socket and disable TCP. Make these changes in /etc/clamd.conf:
    LocalSocket /var/run/clamav/clamd.socket
    #TCPSocket 3310
    #TCPAddr 127.0.0.1
    
  • Install the Sanesecurity signatures

    wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
    chmod +x /usr/local/bin/update_sanesecurity.sh
    ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
    /usr/local/bin/update_sanesecurity.sh

  • Enable a local SELinux policy module for clamav: create the file clamdlocal.te and add the following
    module clamdlocal 1.0;
    require {
            type proc_t;
            type var_t;
            type sysctl_kernel_t;
            type var_spool_t;
            type clamd_t;
            class dir { write search read remove_name add_name };
            class file { write getattr read lock create unlink };
    }
    #============= clamd_t ==============
    allow clamd_t proc_t:file { read getattr };
    allow clamd_t sysctl_kernel_t:dir search;
    allow clamd_t sysctl_kernel_t:file read;
    allow clamd_t var_spool_t:dir read;
    allow clamd_t var_spool_t:file { read getattr };
    allow clamd_t var_t:dir { write read add_name remove_name };
    allow clamd_t var_t:file { write getattr read lock create unlink };
    
  • Compile and load the module

    checkmodule -M -m -o clamdlocal.mod clamdlocal.te
    semodule_package -o clamdlocal.pp -m clamdlocal.mod
    semodule -i clamdlocal.pp


Configure Spamassassin

  • Modify the startup options: edit /etc/sysconfig/spamassassin and change it as below
    SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
    
  • Enable a local SELinux policy module for spamd: create the file spamdlocal.te and add the following
    module spamdlocal 1.0;
    require {
            type spamd_t;
            type spamd_var_run_t;
            class capability { fowner chown kill };
            class sock_file { write create unlink getattr setattr };
    }
    #============= spamd_t ==============
    allow spamd_t self:capability { fowner chown kill };
    allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };
    
  • Compile and install the module

    checkmodule -M -m -o spamdlocal.mod spamdlocal.te
    semodule_package -o spamdlocal.pp -m spamdlocal.mod
    semodule -i spamdlocal.pp


Final Touches

Disable services

Disable unwanted services; use this script.


Enable services

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on

service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart


Create Admin User

  • Create a file admin.sql and add the following (modify the password to suit you)
    USE horde;
    REPLACE INTO horde_users (user_uid,user_pass)
        VALUES (
            'andrew@home.topdog-software.com',
    -- Change this
            md5('verystrongpassword')
    );
    
  • Add the user to the database

    mysql -p horde < admin.sql
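
The admin.sql above stores `md5('verystrongpassword')`, and the `crypt=3` argument in the pam_mysql lines tells the module to compare an unsalted hex MD5 of the password the client sends against that column. The script below is an added example, not part of the howto: it reproduces that value so an existing `user_pass` entry can be checked outside MySQL, and it builds the same REPLACE statement with the hash precomputed so the cleartext password never has to be written into the SQL file. It needs `md5sum` from coreutils; the `admin@example.invalid` user and `sample-password` are constructed values.

```shell
#!/bin/sh
# Added example, not part of the howto: reproduce the value that md5('...')
# in admin.sql stores and that pam_mysql compares against with crypt=3
# (unsalted hex MD5), so a stored user_pass can be checked and admin.sql
# built without writing the cleartext password into the SQL file.
# Requires md5sum (coreutils); table and column names are the page's own.

# md5_hex STRING -> lowercase hex MD5, the same form MySQL's md5() returns
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# password_matches STORED_HASH CANDIDATE -> 0 when CANDIDATE hashes to
# STORED_HASH (case of the stored hex is ignored, as MySQL would)
password_matches() {
    [ "$(md5_hex "$2")" = "$(printf '%s' "$1" | tr 'A-F' 'a-f')" ]
}

# sql_escape STRING -> STRING safe inside a single-quoted MySQL literal
# (backslashes doubled, single quotes doubled)
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# make_admin_sql USER_UID PASSWORD -> the REPLACE statement from the howto
# with the hash precomputed, so the cleartext never reaches the SQL file
make_admin_sql() {
    printf 'USE horde;\nREPLACE INTO horde_users (user_uid,user_pass)\n    VALUES (%s, %s);\n' \
        "'$(sql_escape "$1")'" "'$(md5_hex "$2")'"
}

# Demo with constructed values (never reuse them): build the SQL, then
# verify the stored hash the way the PAM module would.
make_admin_sql "admin@example.invalid" "sample-password"
if password_matches "$(md5_hex sample-password)" sample-password; then
    echo "sample hash verifies"
fi
```

Pipe the output into `mysql -p horde` exactly as the howto does with admin.sql. Because the scheme is unsalted MD5, two users with the same password get the same `user_pass` value and a copy of the table can be attacked offline at MD5 speed; treating the horde database and its backups as sensitive is part of running this setup.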


Firewall

Add these rules in your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT
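
With a default-DROP INPUT policy, the only ports reachable from outside are the ones the ACCEPT rules name. The script below is an added example and not part of the howto: it extracts the TCP ports the INPUT chain accepts from an iptables-save style ruleset (both the single `--dport` and the multiport `--dports` forms used above) and compares them with the list of services you meant to expose. `RULESET` is a constructed copy of the filter table above and `EXPECTED` is an assumption about what this setup intends to publish.

```shell
#!/bin/sh
# Added example, not part of the howto: list the TCP ports the INPUT chain
# accepts in an iptables-save style ruleset and compare them with the set
# of services meant to be exposed. RULESET is a constructed copy of the
# page's filter table; on a real host feed /etc/sysconfig/iptables or the
# output of iptables-save into the functions instead.

RULESET='*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT'

# input_tcp_ports < ruleset -> space-separated, sorted, unique ports that
# "-A INPUT ... -p tcp ... -j ACCEPT" rules open (--dport and --dports)
input_tcp_ports() {
    awk '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (k = 1; k <= n; k++) print p[k]
                }
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# unexpected_ports EXPECTED < ruleset -> ports opened but not in EXPECTED,
# one per line (empty output means nothing unplanned is reachable)
unexpected_ports() {
    open=$(input_tcp_ports)
    for p in $open; do
        case " $1 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# missing_ports EXPECTED < ruleset -> ports in EXPECTED that no rule opens
missing_ports() {
    open=$(input_tcp_ports)
    for p in $1; do
        case " $open " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

EXPECTED="22 25 80 110 143 443"   # assumed: what this howto intends to expose
echo "open:       $(printf '%s\n' "$RULESET" | input_tcp_ports)"
echo "unexpected: $(printf '%s\n' "$RULESET" | unexpected_ports "$EXPECTED")"
echo "missing:    $(printf '%s\n' "$RULESET" | missing_ports "$EXPECTED 993")"
```

On the live host, `iptables-save | unexpected_ports "$EXPECTED"` (after sourcing the script) reports any port that was opened beyond the plan; the demo's final line shows what a port you expected but did not open looks like. Note that the SSH rule accepts port 22 from any source; adding `-s` with the administrative network to that rule is a common tightening that keeps the rest of the table unchanged.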


Login

Phew! You are done. Open your browser, go to https://192.168.1.4/ and log in with the details above; you can then create other users under Administration > Users. You can test all the other features as well.



Comments

From: at: 2008-02-19 20:45:56

The link (http://www.topdog-software.com/files/barebones.ks) for the kickstart returns permission denied.

From: at: 2008-02-20 09:52:29

My apologies, the link should work now.

From: nguyenlaman at: 2008-11-20 13:32:08

  • Create a file admin.sql and add the following (modify the password to suite you)
USE horde;
REPLACE INTO horde_users (user_uid,user_pass)
    VALUES (
        'andrew@onet.com.vn',
        md5('vnevn123@123a'),
);
  • Add user to database

mysql -p horde < admin.sql

Error, so I must add the user to the horde_users table by phpMyAdmin, but still an error:

A fatal error has occurred

Could not connect to database for SQL SessionHandler.

Details have been logged for the administrator.

From: jacek at: 2009-01-26 23:26:04

Good stuff, excellent tutorial!!!

From: Gilad Menachem at: 2012-12-25 09:06:45

Unfortunately I can't finish this tutorial because I didn't find those components to download.

If someone got them or has them I will be glad for help.

cyrus-imapd-perl-2.3.11-3.i386.rpm
cyrus-imapd-utils-2.3.11-3.i386.rpm
cyrus-imapd-2.3.11-3.i386.rpm

From: at: 2008-08-28 14:30:56

I believe the correct blacklist for spamhaus.org is:

zen.spamhaus.org

not xen.  xen is the virtual host hypervisor thingy.  If you use the incorrect host name for that DNSBL, spamhaus will give you an answer for every query.  That means you will reject every single IP address.

Other than that, excellent article!

From: at: 2008-08-29 09:31:50

Well spotted, it has been fixed.

From: at: 2009-09-18 07:04:48

The full configuration file of Exim listed in your howto is in .gz format and is not readable after unzipping. Please recheck whether the file is in the correct format. Otherwise, how can I open it in a readable format?

Thank you