Mail Server Setup With Exim, MySQL, Cyrus-Imapd, Horde Webmail On Centos 5.1 - Page 4

Configure Pam_mysql

Pam_mysql will be used to authenticate the following cyrus-imapd services aganist the mysql database, IMAP,POP,SIEVE,LMTP,CSYNC.

 

Pam_mysql Configuration

Enable pam_mysql for the services make the changes below.

• /etc/pam.d/imap

  auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  

• /etc/pam.d/pop

  auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  

• /etc/pam.d/sieve

  auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  

• /etc/pam.d/lmtp

  auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  

• /etc/pam.d/csync

  auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
  

 

Saslauthd Configuration

• Edit /etc/sysconfig/saslauthd and modify to below

  SOCKETDIR=/var/run/saslauthd
  # Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
  # of which mechanism your installation was compiled to use.
  MECH=pam
  # Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
  # for the list of accepted flags.
  FLAGS="-r -n 0 -c"
  

 

Configure ClamAV

• Add the clamav user to the exim group.

  usermod -G exim clamav

• Change the location of the socket and disable TCP. Make changes to /etc/clamd.conf

  LocalSocket /var/run/clamav/clamd.socket
  #TCPSocket 3310
  #TCPAddr 127.0.0.1
  

• Install sane security signatures

  wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
  chmod +x /usr/local/bin/update_sanesecurity.sh
  ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
  /usr/local/bin/update_sanesecurity.sh

• Enable local selinux module for clamav, create file clamdlocal.te and add the following

  module clamdlocal 1.0;
  require {
          type proc_t;
          type var_t;
          type sysctl_kernel_t;
          type var_spool_t;
          type clamd_t;
          class dir { write search read remove_name add_name };
          class file { write getattr read lock create unlink };
  }
  #============= clamd_t ==============
  allow clamd_t proc_t:file { read getattr };
  allow clamd_t sysctl_kernel_t:dir search;
  allow clamd_t sysctl_kernel_t:file read;
  allow clamd_t var_spool_t:dir read;
  allow clamd_t var_spool_t:file { read getattr };
  allow clamd_t var_t:dir { write read add_name remove_name };
  allow clamd_t var_t:file { write getattr read lock create unlink };
  

• Compile and load the module

  checkmodule -M -m -o clamdlocal.mod clamdlocal.te
  semodule_package -o clamdlocal.pp -m clamdlocal.mod
  semodule -i clamdlocal.pp

 

Configure Spamassassin

• Modify the startup options edit /etc/sysconfig/spamassassin and modify as below

  SPAMDOPTIONS=" -l -d -c -m5 -H -m 10 --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
  

• Enable local spamd module for spamassassin, create file spamdlocal.te and add the following

  module spamdlocal 1.0;
  require {
          type spamd_t;
          type spamd_var_run_t;
          class capability { fowner chown kill };
          class sock_file { write create unlink getattr setattr };
  }
  #============= spamd_t ==============
  allow spamd_t self:capability { fowner chown kill };
  allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };
  

• Compile and install the module

  checkmodule -M -m -o spamdlocal.mod spamdlocal.te
  semodule_package -o spamdlocal.pp -m spamdlocal.mod
  semodule -i spamdlocal.pp

 

Final Touches

Disable services

Disable unwanted services, use this script.

 

Enable services

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on

service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart

 

Create Admin User

• Create a file admin.sql and add the following (modify the password to suite you)

  USE horde;
  REPLACE INTO horde_users (user_uid,user_pass)
      VALUES (
          'andrew@home.topdog-software.com',
  -- Change this
          md5('verystrongpassword')
  );
  

• Add user to database

  mysql -p horde < admin.sql

 

Firewall

Add these rules in your configuration file /etc/sysconfig/iptables

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT

 

Login

Phew! you are done. Open your browser and go to https://192.168.1.4/ and log in with the details above, you can the create other users under administration ? users. You can test all the other features as well.

 

References

• http://www.horde.org
• http://wiki.horde.org/CentOS5InstallationNotes
• http://sanesecurity.co.uk/clamav/
• http://www.exim.org/
• http://cyrusimap.web.cmu.edu/imapd/install.html
• http://pam-mysql.sourceforge.net/
• http://dev.mysql.com/