RedirectMatch 301 ^/technotes/users/edit.* /technotes/articles/69

Get Python

Boost Build

• Get the boost source from http://sourceforge.net/projects/boost/files/
• Also, get the Windows bjam .exe, currently rev'd at: http://sourceforge.net/projects/boost/files/boost-jam/boost-jam-3.1.17-1-ntx86.zip/download
• Make your dev dirs. I use cygwin, you can easily translate to the Windows command shell. Unless you have tar, though, make sure you download the zip distro of boost. Also, I use the cygpath of "http://morison.biz/" instead of "http://morison.biz/cygdrive", i.e., I run mount -s --change-cygdrive-prefix /

  cd "http://morison.biz/c/Documents and Settings/Rod/My Documents"
  mkdir -p Devel/local
  cd Devel/local
  mkdir bin lib src tmp
  cd src
  tar jxf ~/Downloads/boost_1_39_0.tar.bz2 
  cd ../bin
  unzip ~/Downloads/boost-jam-3.1.17-1-ntx86.zip 
  mv boost-jam-3.1.17-1-ntx86/bjam.exe  .
  chmod +x bjam.exe
  rm -rf boost-jam-3.1.17-1-ntx86/

• Add the Devel/local/bin path to your Windows path variable (Control Panel->System, Advanced Tab, Environment Variables Button):
  
  
• Start a Visual C++ command shell, i.e., menu to something like:
  
  

  Setting environment for using Microsoft Visual Studio 2008 x86 tools.
  C:/Users/rod/KlickFu/Devel/local/src/boost_1_39_0>bjam --build-dir=../../tmp/boost --prefix=../.. --toolset=msvc --threading=multi --runtime-link=static  link=static debug release install

  Actually, I'm currently building with...

  C:Develboost_1_43_0>bjam --build-dir=../tmp --prefix=../boost --build-type=complete runtime-link=static --without-graph --without-graph_parallel --without-mpi --without-wave msvc install

NOTE: The latest version of VirtualBox, 3.0.2 at this time, puts a few things in different places, particularly the VT-x/AMD-V and Nested Paging settings. Check the latest VirtualBox docs for more info

sudo apt-get install apache2 mysql-server php5 php5-cli
sudo apt-get install php5-mysql libapache2-mod-php5

sudo mkdir /var/www/vhosts
sudo chmod 777 /var/www/vhosts
sudo vi /etc/fstab

sudo mount vhosts
df -h /var/www/vhosts

Filesystem            Size  Used Avail Use% Mounted on
vhosts                269G  174G   96G  65% /var/www/vhosts

I tried Gnutls for SSL Name Vhosting...I'll spare the details, but give it a pass.

auto eth1:0
iface eth1:0 inet static
name Ethernet alias LAN card
address 192.168.56.11
netmask 255.255.255.0
broadcast 192.168.56.255
network 192.168.56.0

auto eth1:1
iface eth1:1 inet static
name Ethernet alias LAN card
address 192.168.56.12
netmask 255.255.255.0
broadcast 192.168.56.255
network 192.168.56.0

auto eth1:2
iface eth1:2 inet static
name Ethernet alias LAN card
address 192.168.56.13
netmask 255.255.255.0
broadcast 192.168.56.255
network 192.168.56.0

sudo update-rc.d -f networking remove
sudo update-rc.d networking defaults
sudo /etc/init.d/networking restart
ifconfig

eth0      Link encap:Ethernet  HWaddr 08:00:27:41:86:02  
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe41:8602/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15654 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:46594350 (46.5 MB)  TX bytes:853804 (853.8 KB)
          Interrupt:11 Base address:0xc020 

eth1      Link encap:Ethernet  HWaddr 08:00:27:ff:f6:55  
          inet6 addr: fe80::a00:27ff:feff:f655/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:48980 (48.9 KB)  TX bytes:6287 (6.2 KB)
          Interrupt:10 Base address:0xc240 

eth1:0    Link encap:Ethernet  HWaddr 08:00:27:ff:f6:55  
          inet addr:192.168.56.11  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0xc240 

eth1:1    Link encap:Ethernet  HWaddr 08:00:27:ff:f6:55  
          inet addr:192.168.56.12  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0xc240 

eth1:2    Link encap:Ethernet  HWaddr 08:00:27:ff:f6:55  
          inet addr:192.168.56.13  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0xc240 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3290 (3.2 KB)  TX bytes:3290 (3.2 KB)

192.168.56.10   myhost
192.168.56.11   dev.mysite1.com
192.168.56.12   dev.mysite2.com
192.168.56.13   dev.mysite3.com

192.168.56.10   myhost
192.168.56.11   dev.mysite1.com
192.168.56.12   dev.mysite2.com
192.168.56.13   dev.mysite3.com

sudo a2enmod ssl
sudo mkdir -p /var/www/vhosts/mysite1.com/httpdocs
sudo mkdir -p /var/www/vhosts/mysite1.com/log/
sudo vi /etc/apache2/sites-available/dev.mysite1.com

The certs are Ubuntu standard issue. If you're on a different distro...

<VirtualHost 192.168.56.11:80>
	ServerName   dev.mysite1.com
	ServerAdmin  "me@mysite1.com"
	DocumentRoot /var/www/vhosts/mysite1.com/httpdocs
	CustomLog  /var/www/vhosts/mysite1.com/log/access_log combined
	ErrorLog  /var/www/vhosts/mysite1.com/log/error_log

	<IfModule mod_ssl.c>
		SSLEngine off
	</IfModule>

	<Directory /var/www/vhosts/mysite1.com/httpdocs>
	    <IfModule mod_php5.c>
		php_admin_flag engine on
		php_admin_flag safe_mode off
	    </IfModule>
	    Options +Includes +ExecCGI
	</Directory>

</VirtualHost>


<VirtualHost 192.168.56.11:443>
	ServerName   dev.mysite1.com:443
	ServerAdmin  "me@mysite1.com"
	DocumentRoot /var/www/vhosts/mysite1.com/httpdocs
	CustomLog  /var/www/vhosts/mysite1.com/log/ssl_access_log combined
	ErrorLog  /var/www/vhosts/mysite1.com/log/ssl_error_log

	SSLEngine on
	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	<Directory /var/www/vhosts/mysite1.com/httpdocs>
	    <IfModule mod_php5.c>
		php_admin_flag engine on
		php_admin_flag safe_mode off
	    </IfModule>
	    Options +Includes +ExecCGI
	</Directory>

</VirtualHost>

sudo a2ensite dev.mysite1.com
sudo /etc/init.d/apache2 restart
[/snippet[
and a nice bit of housekeeping <code>sudo vi apache2.conf</code>, find and after the ServerRoot directive add
[snippet]
ServerName "MySite"

echo >/var/www/vhosts/mysite1.com/httpdocs/phpinfo.php '<?php
    phpinfo();
?>'

• Install mysql tools on the guest:

  sudo apt-get install mysql-admin mysql-query-browser

• Setup the PhpEd debugger extension on the guest, configure a Website Project under vhosts/mysite1.com on the host, and debug from host to guest. When you edit and save files on the host side, they're already in place for Apache running in the guest, thanks to the vhosts mount.
• Tune down the mysql & apache params for dev loads, make your VM a little more host friendly. Linode has a nice guide to this end.
• While you're tuning mysql, you may want to enable slow query logging. In /etc/mysql/my.cnf uncomment

  log_slow_queries        = /var/log/mysql/mysql-slow.log
  long_query_time = 2
  log-queries-not-using-indexes

• Also in /etc/mysql/my.cnf change the bind-address for access from the windows host:

  bind-address            = 0.0.0.0

• If you're using it, make InnoDB the default storage engine sudo echo >/etc/mysql/conf.d/default_storage_engine.cnf "[mysqld] default-storage-engine = InnoDB"

To use Wondershaper, you'll have to use a Linux computer as your router. Afaik, most basic broadband routers don't provide traffic limiting features. Setting up a Linux router for your broadband is not a good first-time Linux project. For more info, perhaps look at http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions or http://www.stanford.edu/~fenn/linux/ . It's not terribly difficult to do with a standard Ubuntu Server distro, which is what I use.

sudo apt-get install wondershaper

Postscript: For those interested, a good bit of research has been done on this problem, particularly under the name of FastTCP. http://fastsoft.com is commercial spinoff of that project and has some pertinent white papers on the subject.

openssl x509 -in morison.org.crt -out morison.org.der -outform DER
openssl x509 -in morison.org.der -inform DER -out morison.org.pem -outform PEM
sudo cp ./morison.org.pem /etc/ssl/certs/
sudo /etc/init.d/cyrus2.2 restart
sudo /etc/init.d/postfix restart

$ sudo apt-get install dkms
$ sudo sh /cdrom/VBoxLinuxAdditions-x86.run #look for the amd64 if that's your linux guest install
$ sudo reboot

• Install on Ubuntu 8.10

$ sudo apt-get install postgresql-8.3 postgresql-server-dev-8.3
$ sudo vi /etc/postgresql/8.3/main/postgresql.conf 
# uncomment the listen_addresses = 'localhost' line
# optional: change localhost to machine hostaddr if you want outside access
$ sudo /etc/init.d/postgresql-8.3 restart

• Give the "root" db user a password, create a new dbuser and a database with access privs for that new dbuser. Also, give the new dbuser perms to create more databases.

$ sudo -u postgres psql template1
template1=# ALTER USER postgres WITH UNENCRYPTED PASSWORD 'P8ss';
ALTER ROLE
template1=# CREATE USER user1 CREATEDB;
CREATE ROLE
template1=# ALTER USER user1 WITH UNENCRYPTED PASSWORD 'P9ss';
ALTER ROLE
template1=# CREATE DATABASE db1 WITH OWNER user1;
CREATE DATABASE
template1=# q

• To suck a sqldump into that database

$ zcat /PathToDbDump/DbDump.sql.gz | psql -h localhost -U postgres -d user1

• Logging in as non-postgres user (this bit baffled me originally, until I decoded the postgres init settings): /etc/postgresql/8.3/main/pg_hba.conf has security settings that say, "If connected via unix socket then require the db username match the process owner name." By default psql uses the unix socket. That's fine for the "root" db user (postgres), but not how you want access other dbs. However, for network socket connections pg_hba.conf is set to use only password check against it's user table. Yay. So access through the socket, which is the general case in production systems anyway, as the db is on a dedicated machine.
• Log in as the user1 and create a db.

psql --username user1 --password -h localhost template1
CREATE DATABASE db2 WITH OWNER user1;

• if you don't put a db name on the psql command line, it will assume the db name is the same as the user
• postgres provides an easily scripted command, createdb, that does most of what the CREATE DATABASE command does.
• read the postgres docs for encrypted passwords, recommended for production

cd c:\Python26
copy python.exe python-backup.exe
copy pythonw.exe pythonw-backup.exe
mt -inputresource:python.exe;#1 -manifest \PathToWxPySrc\src\winxp.vc9.manifest  -outputresource:python.exe;#1
mt -inputresource:pythonw.exe;#1 -manifest \PathToWxPySrc\src\winxp.vc9.manifest  -outputresource:pythonw.exe;#1

References

Tips & Tricks

sudo apt-get install mailutils
mail rod@moleculemedia.net -s test
Cc: rod@morison.org
test
^D

sudo bash
cd /var/spool/cyrus/sieve
ls domain
mkdir domain
cp -a [a-z] domain/
chown cyrus:mail domain
chmod o-rwx domain

IP & DNS Setup

Checklist

1. A static IP, from your access or hosting provider
2. An 'A' record pointing to a name to your static ip, using a name something like "mailserver.example.domain". In this guide we'll use example.domain as a placeholder for your own domain.
3. An MX record for example.domain which points at mailserver.example.domain
4. CNAME or A records for mail.example.domain, smtp.example.domain and webmail.example.domain. If you use CNAME's, point them at mailserver.example.domain, if A use your static IP.

Next Step: Ubuntu Install

1. Install the Goods

   sudo apt-get install amavisd-new spamassassin clamav-daemon
   sudo apt-get install pyzor razor python-policyd-spf
   sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip unzoo zip zoo

2. Add clamav to amavis group

   sudo adduser clamav amavis

3. Enable SpamAssassin -

   sudo vi /etc/default/spamassassin

   and change line 8 to ENABLED=1
4. Tell Amavis to Virus & Spam Check

   sudo vi /etc/amavis/conf.d/15-content_filter_mode

   and uncomment the virus & spam check lines as shown:

   @bypass_virus_checks_maps = (
      %bypass_virus_checks, @bypass_virus_checks_acl, $bypass_virus_checks_re);

   ...

   @bypass_spam_checks_maps = (
      %bypass_spam_checks, @bypass_spam_checks_acl, $bypass_spam_checks_re);

5. Set Local Policy Prefs

   sudo vi /etc/amavis/conf.d/50-user

   My policy is to tag, but pass all spam. Viruses are not delivered, but the postmaster is notified and the email is quarantined, such that it can be recovered if need be. You may want to study the Amavis docs and customize here.
   
   Change example.domain to yours. My 50-user reads

   use strict;
   
   #
   # Place your configuration directives here.  They will override those in
   # earlier files.
   #
   # See /usr/share/doc/amavisd-new/ for documentation and examples of
   # the directives you can use in this file
   #
   
   $log_level = 0;
   
   @local_domains_maps =
      ( [ ".$mydomain", 'example.domain' ] ); 
   
   $sa_spam_subject_tag = '*SPAM* ';
   $sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level
   $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
   $sa_kill_level_deflt = 999; # triggers spam evasive actions
   $sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
   
   $virus_admin = "postmaster@$mydomain"; # due to D_DISCARD default
   $spam_admin = "postmaster@$mydomain";
   $dsn_bcc = "maildebug@$mydomain";
   
   $mailfrom_notify_admin     = "virusalert@$mydomain";
   $mailfrom_notify_recip     = "virusalert@$mydomain";
   $mailfrom_notify_spamadmin = "spamalert@$mydomain";
   
   $final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
   $final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
   $final_spam_destiny       = D_PASS;
   $final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
   
   #------------ Do not modify anything below this line -------------
   1;  # ensure a defined return

6. Integrate Amavisd into Postfix

   sudo vi /etc/postfix/main.cf

   Add the following to the bottom of /etc/postfix/main.cf

   # Amavis ClamAV+SpamAssassin
   content_filter = smtp-amavis:[127.0.0.1]:10024
   
   # Postfix behavior/content controls
   #body_checks = regexp:/etc/postfix/body_checks
   #header_checks = regexp:/etc/postfix/header_checks
   smtpd_helo_required = yes
   disable_vrfy_command = yes
   smtpd_delay_reject = yes
   smtpd_helo_required = yes
   smtpd_error_sleep_time = 15s
   smtpd_soft_error_limit = 10
   smtpd_hard_error_limit = 20

7. /etc/postfix/master.cf

   sudo vi /etc/postfix/master.cf

   Add the two "-o" lines shown under the line beginning with "pickup", to read:

   pickup    fifo  n       -       -       60      1       pickup
            -o content_filter=
            -o receive_override_options=no_header_body_checks

   Then add the following to the bottom of /etc/postfix/master.cf

   smtp-amavis     unix    -       -       -       -       2       smtp
           -o smtp_data_done_timeout=1200
           -o smtp_send_xforward_command=yes
           -o disable_dns_lookups=yes
           -o max_use=20
   
   127.0.0.1:10025 inet    n       -       -       -       -       smtpd
           -o content_filter=
           -o local_recipient_maps=
           -o relay_recipient_maps=
           -o smtpd_restriction_classes=
           -o smtpd_delay_reject=no
           -o smtpd_client_restrictions=permit_mynetworks,reject
           -o smtpd_helo_restrictions=
           -o smtpd_sender_restrictions=
           -o smtpd_recipient_restrictions=permit_mynetworks,reject
           -o smtpd_data_restrictions=reject_unauth_pipelining
           -o smtpd_end_of_data_restrictions=
           -o mynetworks=127.0.0.0/8
           -o smtpd_error_sleep_time=0
           -o smtpd_soft_error_limit=1001
           -o smtpd_hard_error_limit=1000
           -o smtpd_client_connection_count_limit=0
           -o smtpd_client_connection_rate_limit=0
           -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

8. SPF in Postfix - SPF is already a part of SpamAssassin's scoring scheme. We can further utilize SPF in Postfix to reflect sites that disapprove certain usage and reject those messages outright. I recommend a read through of materials on the SPF site and relevant discussion lists.
   
   You can omit this step if you choose.

   sudo vi /etc/postfix/main.cf

   Add a comma to the end of the last line of the smtpd_recipient_restrictions settings and on a new line add

   check_policy_service unix:private/policyd-spf

   followed by

   policyd-spf_time_limit = 3600

   This section of your main.cf should look something like

   smtpd_recipient_restrictions =
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           reject_invalid_hostname,
           reject_non_fqdn_hostname,
           reject_non_fqdn_sender,
           reject_non_fqdn_recipient,
           reject_unknown_sender_domain,
           reject_unknown_recipient_domain,
           reject_unauth_pipelining
           reject_rbl_client bl.spamcop.net,
           reject_rbl_client sbl-xbl.spamhaus.org,
           reject_rbl_client list.dsbl.org,
           check_policy_service unix:private/policyd-spf
   policyd-spf_time_limit = 3600

   In master.cf:

   sudo vi /etc/postfix/master.cf

   At the bottom, add

   policyd-spf  unix  -       n       n       -       0 spawn
           user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

9. Start/Restart All Concerned

   sudo /etc/init.d/postfix restart
   sudo /etc/init.d/amavis restart
   sudo /etc/init.d/clamav-daemon restart
   sudo /etc/init.d/spamassassin start

10. Test and Check - Try another mail send and watch the log.

    tail -f /var/log/mail.log

    Look for the logfile line

    Sep 29 13:50:25 mailserver amavis[8449]: (08449-01) Passed CLEAN, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13F6D.1010202@mailserver.morison.org>, mail_id: 8HLb1RzoY+ZW, Hits: -1.44, size: 564, queued_as: EC77724624, 3852 ms

    for anti-spam action. Try it with a spam file (I'm sure you can find one.) You'll see

    Sep 29 13:52:55 mailserver amavis[8454]: (08454-01) Passed SPAMMY, LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, Message-ID: <48E13FFB.7000908@mailserver.morison.org>, mail_id: moC25mDhimPK, Hits: 8.824, size: 649, queued_as: 4B5E624624, 12174 ms

    and look at the mail headers in your mail client:

    X-Virus-Scanned: Debian amavisd-new at mailserver.morison.org
    X-Spam-Flag: YES
    X-Spam-Score: 8.824
    X-Spam-Level: ****
    X-Spam-Status: Yes, score=8.824 tagged_above=-999 required=5
    	tests=[ALL_TRUSTED=-1.44, AWL=-10.264, DIGEST_MULTIPLE=0.001,
    	PYZOR_CHECK=2.834, RAZOR2_CF_RANGE_51_100=0.5,
    	RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
    	RAZOR2_CHECK=0.5, URIBL_AB_SURBL=1.613, URIBL_JP_SURBL=2.857,
    	URIBL_OB_SURBL=2.132, URIBL_SBL=2.468, URIBL_SC_SURBL=2.523,
    	URIBL_WS_SURBL=2.1]

    Finally, try sending a test virus from (the virus is dead, of course, but it triggers a ClamAV find):
    
    http://www.eicar.org/download/eicar.com http://www.eicar.org/download/eicar_com.zip http://www.eicar.org/download/eicarcom2.zip
    
    Look for

    Sep 29 14:07:56 mailserver amavis[8449]: (08449-02) Blocked INFECTED (Eicar-Test-Signature), LOCAL [192.168.66.194] [192.168.66.194] <test@mailserver.morison.org> -> <test@mailserver.morison.org>, quarantine: J/virus-JfYri+IcyuAB, Message-ID: <48E1438B.5060502@mailserver.morison.org>, mail_id: JfYri+IcyuAB, Hits: -, size: 1062, 934 ms

    and check your postmaster email.

Epilogue

Preliminaries

1. MySQL "root" user - Don't run MySQL without a root user password. The installer will ask for it. Note that this is a database user, internal to MySQL and having nothing to do with login users or mail users.
2. MySQL "mail" user - Another MySQL user, for accessing the soon to be created mail database.
3. Web-Cyradm "cyrus" user - When we configured /etc/cyrus.conf we designated "cyrus" as an admin user. Web-Cyradm will need this user, and we'll set the password when we configure Web-Cyradm. This user is internal to the Web-Cyradm app.
4. Web-Cyradm "admin" user - This is the initial admin user once the website is up and running.

Apache + PHP

1. Install apache2 with php

   sudo apt-get install apache2 php5 libapache2-mod-php5 php5-cli php5-mysql

2. PEAR & imap support - Used by Web-Cyradm & webmail apps

   sudo apt-get install php-db php5-imap

3. Open Port 80

   sudo ufw allow http

4. Test Apache+PHP

   
   echo "
   <?php
   print_r (phpinfo());
   ?>" >/tmp/phpinfo.php
   sudo mv /tmp/phpinfo.php /var/www
   sudo /etc/init.d/apache2 restart
   

   Browse to http://mailserver.example.domain/phpinfo.php
5. Clean up

   sudo rm /var/www/phpinfo.php

MySQL with PAM & Postfix Config

1. Install MySQL Server - The installer will ask for that MySQL root password.

   sudo apt-get install mysql-server

2. Relocate MySQL Socket to Postfix Chroot - Just like we tweaked the saslauthd socket, we need the same for Postfix to access MySQL. Stop MySQL first, as it gets confused when these files change underneath it.

   sudo /etc/init.d/mysql stop
   sudo vi /etc/mysql/my.cnf

   and prepend all of the references to /var/run/mysqld to read /var/spool/postfix/var/run/mysqld. In the current config that affects lines 21, 28, 43 & 44. Lines 19-44 should look like

   [client]
   port            = 3306
   socket          = /var/spool/postfix/var/run/mysqld/mysqld.sock
   
   # Here is entries for some specific programs
   # The following values assume you have at least 32M ram
   
   # This was formally known as [safe_mysqld]. Both versions are currently parsed.
   [mysqld_safe]
   socket          = /var/spool/postfix/var/run/mysqld/mysqld.sock
   nice            = 0
   
   [mysqld]
   #
   # * Basic Settings
   #
   
   #
   # * IMPORTANT
   #   If you make changes to these settings and your system uses apparmor, you may
   #   also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
   #
   
   user            = mysql
   pid-file        = /var/spool/postfix/var/run/mysqld/mysqld.pid
   socket          = /var/spool/postfix/var/run/mysqld/mysqld.sock

3. Update /etc/mysql/debian.cnf

   sudo vi /etc/mysql/debian.cnf

   and change the "socket" lines to the new location, e.g.,

   # Automatically generated for Debian scripts. DO NOT TOUCH!
   [client]
   host     = localhost
   user     = debian-sys-maint
   password = 8JCDXsC4cUmDn8Pm
   socket   = /var/spool/postfix/var/run/mysqld/mysqld.sock
   [mysql_upgrade]
   user     = debian-sys-maint
   password = 8JCDXsC4cUmDn8Pm
   socket   = /var/spool/postfix/var/run/mysqld/mysqld.sock
   basedir  = /usr

4. Update apparmor

   sudo vi /etc/apparmor.d/usr.sbin.mysqld

   and make the appropriate mods to the /var/run/mysqld lines at the bottom:

   /var/spool/postfix/var/run/mysqld/mysqld.pid w,
     /var/spool/postfix/var/run/mysqld/mysqld.sock w,
   }

   Then reload the apparmor profile

   sudo /etc/init.d/apparmor restart

5. Start MySQL and Fix Sockets - Remember that /etc/init.d/fix-postfix-chroot init script we installed? MySQL wasn't running when we ran it, so after MySQL starts, we need to run it again.

   sudo /etc/init.d/mysql restart
   sudo /etc/init.d/fix-postfix-chroot start
   sudo ls -l /var/run/saslauthd /var/run/mysqld

   should give you

   lrwxrwxrwx 1 root root 33 2008-09-29 12:55 /var/run/mysqld -> /var/spool/postfix/var/run/mysqld
   lrwxrwxrwx 1 root root 36 2008-09-29 12:55 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd

6. Configure PAM for mail DB - /etc/pam.d/common-mysqlmail is a new PAM file, to include in other service files.

   sudo apt-get install libpam-mysql
   sudo vi /etc/pam.d/common-mysqlmail

   Then copy the following into this new file, updating the mysql mail user password from changeme:

   #
   # MySQL Web-Cyradm mail database authorization
   #
   auth sufficient pam_mysql.so user=mail passwd=changeme host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
   
   account required pam_mysql.so user=mail passwd=changeme host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

7. Update PAM services - To use the MySQL mail auth

   sudo vi /etc/pam.d/imap /etc/pam.d/pop /etc/pam.d/sieve

   In each of these files, comment out the @include common-auth and @include common-account lines. Add a @include common-mysqlmail below them. The last 3 lines should read

   #@include common-auth
   #@include common-account
   @include common-mysqlmail

   Add those same 3 lines to a new PAM file, /etc/pam.d/smtp

   sudo vi /etc/pam.d/smtp

8. Configure Postfix for mail DB

   sudo apt-get install postfix-mysql

9. Update main.cf

   sudo vi /etc/postfix/main.cf

   The setting for virtual_mailbox_maps below is critical to avoid getting tagged as a spammer due to backscatter spam.

   and at the bottom add the lines

   # Mysql glue
   virtual_alias_maps =
           mysql:/etc/postfix/mysql-virtual.cf
   virtual_mailbox_maps = 
           mysql:/etc/postfix/mysql-virtual.cf
   virtual_mailbox_domains =
           mysql:/etc/postfix/mysql-mydestination.cf
   sender_canonical_maps =
           mysql:/etc/postfix/mysql-canonical.cf

   The following 3 MySQL scripts are from http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/postfix-config.html here.

10. Create /etc/postfix/mysql-virtual.cf

    sudo vi /etc/postfix/mysql-virtual.cf

    ...adding the following and setting "changeme" to the MySQL mail user password:

    #
    # mysql config file for alias lookups on postfix
    # comments are ok.
    #
    
    # the user name and password to log into the mysql server
    hosts = localhost
    user = mail
    password = changeme
    
    # the database name on the servers
    dbname = mail
    
    # the table name
    table = virtual
    
    #
    select_field = dest
    where_field = alias
    additional_conditions = and status = '1'

11. Create /etc/postfix/mysql-mydestination.cf

    sudo vi /etc/postfix/mysql-mydestination.cf

    ...adding the following and setting "changeme" to the MySQL mail user password:

    # mysql config file for local domain (like sendmail's sendmail.cw) lookups on postfix
    # comments are ok.
    #
    
    # the user name and password to log into the mysql server
    hosts = localhost
    user = mail
    password = changeme
    
    # the database name on the servers
    dbname = mail
    
    # the table name
    table = domain
    #
    select_field = domain_name
    where_field = domain_name

12. Create /etc/postfix/mysql-canonical.cf

    sudo vi /etc/postfix/mysql-canonical.cf

    ...adding the following and setting "changeme" to the MySQL mail user password:

    # mysql config file for canonical lookups on postfix
    # comments are ok.
    #
    
    # the user name and password to log into the mysql server
    hosts = localhost
    user = mail
    password = changeme
    
    # the database name on the servers
    dbname = mail
    
    # the table name
    table = virtual
    #
    select_field = alias
    where_field = username
    # Return the first match only
    additional_conditions = and status = '1' limit 1

13. Restart postfix - ...and make sure it started clean.

    sudo /etc/init.d/postfix restart
    tail /var/log/mail.log

Update Cyrus & Saslauthd configs

1. /etc/default/saslauthd - Add a -r flag to the last line, so that it reads:

   OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

2. /etc/imapd.conf - Scroll down to the virtdomains setting and uncomment the line so it reads

   virtdomains: userid

3. Restart cyrus & saslauthd

   sudo /etc/init.d/saslauthd restart
   sudo /etc/init.d/cyrus2.2 restart

Web-Cyradm

1. Place Web-Cyradm

   wget http://www.web-cyradm.org/web-cyradm-svn-0.5.5.tar.gz
   cd /var/www
   sudo tar xzf ~/web-cyradm-svn-0.5.5.tar.gz

2. Put Passwords in SQL Init Scripts

   cd web-cyradm-svn-0.5.5/
   sudo vi scripts/insertuser_mysql.sql
   sudo vi scripts/create_mysql.sql

3. insertuser_mysql.sql, line 2 - change the 'secret' text on line 2 to the password for the MySQL mail db user. This line creates that user with that password.
4. create_mysql.sql, line 135 - change 'test' at line 135 to the password for the Web-Cyradm admin account (not the cyrus account, btw.) This will be your first login id for Web-Cyradm when you browse to it, i.e., admin/adminpassword. This line creates that user with that password.
5. create_mysql.sql, line 137 - change 'secret' to the password for the cyrus user in the Web-Cyradm 'mail' database. This password will be used in the Web-Cyradm config (covered later.) This line creates that user with that password.
6. Run SQL init scripts - You'll need your MySQL root password for the first command, and your MySQL mail db password for the second.

   mysql -u root -p <scripts/insertuser_mysql.sql
   mysql mail -u mail -p <scripts/create_mysql.sql

7. Web-Cyradm App Config

   cd /var/www/web-cyradm-svn-0.5.5/config
   sudo cp conf.php.dist conf.php
   sudo vi conf.php

   and edit the following
8. conf.php, line 19 - replace secret with the cyrus password (see create_mysql.sql, line 137).
9. conf.php, line 37 - replace secret with the mysql mail password (see insertuser_mysql.sql, line 2).
10. conf.php, line 89, set $DOMAIN_AS_PREFIX = 1
11. conf.php, line 100, set $FQUN = 1

Mailadmin Site Config

1. Get the Apache mailadmin config file File - ...install and enable

   sudo wget http://morison.biz/technotes/file-fetch/7-mailadmin.conf
   sudo cp 7-mailadmin.conf /etc/apache2/sites-available/mailadmin
   sudo a2ensite mailadmin
   sudo /etc/init.d/apache2 restart

2. Browse and Login - with the admin password (from create_mysql.sql, line 135) to http://mailserver.example.domain/mailadmin

Create a Domain, Email Account & Test

Web-Cyradm Browse Domains Screen

1. Add a Domain - Click on the "Add New Domain" link. In this form be sure to update "Domainname", "Maximum Accounts" (or your account limit for the domain will be zero) and "Standard Folders". "Standard Folders is important, to create the default folders most mail clients expect. This field should read

   Drafts,Sent,Junk,Trash

   
   
   Set the "Default Quota" up or down, as you require and submit the form. Your form should look something like (modified fields circled in red)
   
   Web-Cyradm Add New Domain Screen
2. Create an Account - from the Browse Domains screen, click "accounts" in the domain list.
3. Test - Tail the mail log, send email to/from the account, retrieve it via imap and/or pop, and reply (with your favorite mail client.) Try with and without TLS.

   tail -f /var/log/mail.log

   you should see something like

   Sep 29 13:03:07 mailserver postfix/smtpd[5639]: connect from unknown[192.168.66.194]
   Sep 29 13:03:07 mailserver postfix/smtpd[5639]: 8BB0B245F2: client=unknown[192.168.66.194], sasl_method=PLAIN, sasl_username=test@mailserver.morison.org
   Sep 29 13:03:07 mailserver postfix/cleanup[5645]: 8BB0B245F2: message-id=<48E1345C.7020804@mailserver.morison.org>
   Sep 29 13:03:07 mailserver postfix/qmgr[4654]: 8BB0B245F2: from=<test@mailserver.morison.org>, size=564, nrcpt=1 (queue active)
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: accepted connection
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: lmtp connection preauth'd as postman
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: WARNING: sieve script /var/spool/cyrus/sieve/domain/m/mailserver.morison.org/t/test/defaultbc doesn't exist: No such file or directory
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: duplicate_check: <48E1345C.7020804@mailserver.morison.org> mailserver.morison.org!user.test 0
   Sep 29 13:03:07 mailserver postfix/smtpd[5639]: disconnect from unknown[192.168.66.194]
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: duplicate_check: <48E1345C.7020804@mailserver.morison.org> mailserver.morison.org!user.test 0
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: mystore: starting txn 2147483660
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: mystore: committing txn 2147483660
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: duplicate_mark: <48E1345C.7020804@mailserver.morison.org> mailserver.morison.org!user.test 1222718587 2
   Sep 29 13:03:07 mailserver cyrus/lmtpunix[5657]: Delivered: <48E1345C.7020804@mailserver.morison.org> to mailbox: mailserver.morison.org!user.test
   Sep 29 13:03:07 mailserver postfix/lmtp[5649]: 8BB0B245F2: to=<test@mailserver.morison.org>, relay=mailserver.morison.org[/var/run/cyrus/socket/lmtp], delay=0.2, delays=0.09/0/0.01/0.1, dsn=2.1.5, status=sent (250 2.1.5 Ok)
   Sep 29 13:03:07 mailserver postfix/qmgr[4654]: 8BB0B245F2: removed

You're Up and Running!

Ssh Access

ssh -p 9999 loginid@mailserver.example.domain

Postfix Install & Config

1. Install the Postfix Package

   sudo apt-get install postfix

   The package installer will bring up 3 screens. Ok the first one, choose Internet Site for the second, and make sure the full name, with domain part (the FQDN) is in the 3rd screen.
   
   Postfix Package Config Postfix Config Type Postfix Mail Name
2. main.cf config

   sudo vi /etc/postfix/main.cf

   Find the "# TLS parameters" line and right underneath it add

   smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

   This file doesn't exist yet, but we'll install it later. It's not necessary for self-signed certs, like the snakeoil automatically generated cert, but getting this in place now makes referencing a CA signed cert a snap later.
   
   Next, add the following to the end of the file:

   # SASL parameters
   smtpd_sasl_local_domain =
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_security_options = noanonymous
   broken_sasl_auth_clients = yes
   
   # Client & recipient restrictions
   smtpd_recipient_restrictions =
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           reject_invalid_hostname,
           reject_non_fqdn_hostname,
           reject_non_fqdn_sender,
           reject_non_fqdn_recipient,
           reject_unknown_sender_domain,
           reject_unknown_recipient_domain,
           reject_unauth_pipelining
           reject_rbl_client bl.spamcop.net,
           reject_rbl_client sbl-xbl.spamhaus.org,
           reject_rbl_client list.dsbl.org
   smtpd_client_restrictions = permit_mynetworks,
           check_client_access hash:/etc/postfix/access
   smtpd_sender_restrictions = 
           reject_non_fqdn_sender,
           check_sender_access hash:/etc/postfix/access,
           check_sender_mx_access hash:/etc/postfix/access
   
   # LMTP
   message_size_limit = 20480000
   mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
   virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

   Some things to look at and possibly modify in your setup:

   • The SASL setup is for authentication. We'll install SASL with Cyrus.
   • smtpd_recipient_restrictions settings are set to a strong anti-spam policy, e.g., rejecting anything from any of the 3 RBLs. It is definitely worth understanding this and the 2 following parameters which control whether Postfix accepts or rejects mail. See the Postfix docs on the subject. It's also worth reading up on RBLs if you're not familiar with how they work.
   • LMTP is how Postfix will hand off mail for delivery to mailboxes...the Cyrus LMTP service will listen on the other end. I use a large setting, 20MB, for message_size_limit because it suits my email user base. Choose your poison here.

3. Copy in (or create an empty) access file - The references to /etc/postfix/access above are for an in-house blacklist. Up until 2006 I diligently fished out the sending mail IP from spam and added it to an access file. I'm providing my copy of this file; though no longer updated, it still manages to block a batch of spams every day, and I haven't had a complaint in years about a false positive. To use this file, copy it to your /etc/postfix directory and run. If you'd rather not, just use touch to create a blank file...you might want the feature someday.
   
   Postfix "blacklist" access db

   sudo touch /etc/postfix/access
   sudo cp access.txt /etc/postfix/access #skip if not using
   sudo postmap /etc/postfix/access

4. master.cf config

   sudo vi /etc/postfix/master.cf

   Look for the first uncommented line starting with smtp and add a "-d" at the end. This flag will turn on debug messages in the log, useful at this stage of the game.

   smtp      inet  n       -       -       -       -       smtpd -d

   Then scroll down to the line beginning with lmtp and change the 3rd dash to read "n". This will make lmtp not run in chroot jail. As a security issue it's acceptably minor, as lmtp runs behind postfix, i.e., isn't exposed to outside access, plus we'll use unix sockets for the Cyrus interface.

   lmtp      unix  -       -       n       -       -       lmtp

5. Add postfix user to mail group - I would have expected the installer package to do this. Needed so Cyrus and Postfix can share the LMTP socket, which will use group file access bits.

   sudo adduser postfix mail

6. Restart Postfix

   sudo /etc/init.d/postfix restart

Cyrus Install & Config

1. Install Cyrus Packages

   sudo apt-get install cyrus-admin-2.2 cyrus-clients-2.2 cyrus-imapd-2.2 sasl2-bin cyrus-pop3d-2.2

2. Move & Fix Cyrus Dirs - Two things to change, one is a matter of taste, the other a show-stopper installer mistake. The matter of taste is the storage for Sieve, Cyrus's server side mail filtering technology (and one of the reasons I like Cyrus). Ubuntu puts that storage in /var/spool/sieve and mailbox storage in /var/spool/cyrus/mail. I like to keep it under one roof, so we'll move Sieve storage under cyrus and update the appropriate config file.
   
   The stopper is the perms on the cyrus dirs. Try ls -la /var/spool/cyrus and you'll see

   total 16
   drwxr-xr-x  4 cyrus mail 4096 2008-09-28 13:28 .
   drwxr-xr-x  6 root  root 4096 2008-09-28 13:28 ..
   drwxr-x--- 29 root  root 4096 2008-09-28 13:28 mail
   drwxr-x--- 29 root  root 4096 2008-09-28 13:28 news

   The dirs under /var/spool/cyrus are all owned by root:root and 750. (If 750 doesn't ring a bell, it's worth reading some docs on Linux file perms.) Hence, the cyrus programs, which will run under cyrus:mail, can't write to the mail storage. I'd call that a bug. Same deal with /var/lib/cyrus: Once Cyrus tries to do something useful, like put mail in a mailbox, it barfs because it can't read/write it's working files.
   
   Oh, and because we're going to change perms to something only cyrus & root users can see, we'll go into "perma-root" mode temporarily. I recommend getting out of the root shell when done with this step.

   sudo bash
   cd /var/spool/cyrus/
   mv /var/spool/sieve/ .
   chown -R cyrus:mail .
   chmod -R o-rwx .
   ls -la
   cd /var/lib/cyrus/
   chown -R cyrus:mail .
   ls -la
   exit

3. /etc/cyrus.conf - Cyrus, like Postfix, runs with a master daemon that dispatches other programs to handle different services. /etc/cyrus.conf is where the master is configured. (Fyi, once you're up and running try ps axu | grep master and you should see both master processes.)

   sudo vi /etc/cyrus.conf

   Move down to the SERVICES section, uncomment the imaps and pop3s services. These will give you secure pop3 and imap, over ssl. Comment out the nntp service (unless you want to run the old "netnews" service, not covered further here; anyone remember "alt"?.) Also, verify that the lmtpunix line is not commented, and the lmtp line is. The top of your SERVICES section should look like

   SERVICES {
           # --- Normal cyrus spool, or Murder backends ---
           # add or remove based on preferences
           imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
           imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
           pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
           pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50
           #nntp           cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100
           #nntps          cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100
   
           # At least one form of LMTP is required for delivery
           # (you must keep the Unix socket name in sync with imap.conf)
           #lmtp           cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20
           lmtpunix        cmd="lmtpd" listen="http://morison.biz/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20

4. Enable Squatter - This step is optional, depending on your application. Squatter is a full-text indexing daemon that will speed up "Search Entire Message" requests by 10x or more. If you run a smaller number of more demanding users (like I do), enable as shown. If you're running a horde of freebie accounts on limited resources, skip this step. It will add processing load to your system, but only if your mail and user activity is very high. If in doubt, try it, and disable it from this file if necessary.
   
   Again, in /etc/cyrus.conf move down to the "EVENTS" section and uncomment the two "squatter" lines to read

   # reindex changed mailboxes (fulltext) approximately every other hour
           squatter_1      cmd="http://morison.biz/usr/bin/nice -n 19 /usr/sbin/squatter -s" period=120
   
           # reindex all mailboxes (fulltext) daily
           squatter_a      cmd="http://morison.biz/usr/sbin/squatter" at=0517

   With or without squatter, save and exit /etc/cyrus.conf
5. /etc/imapd.conf - The service specific settings for imap, pop3, lmtp, sieve, etc. are in /etc/imapd.conf

   sudo vi /etc/imapd.conf

   First, find the "unixhierarchysep" line (approx line 28) and change the setting to "yes". Using this feature gives a more natural syntax which will correlate with how we config Web-Cyradm. The line should read

   unixhierarchysep: yes

   Continue down to the line that reads "#admins: cyrus". Web-cyradm will use this ID for privileged mailbox operations (like creating & deleting mailboxes). There is also a command line interface that can use this ID, cyradm, which should only be needed for debugging. The line should read:

   admins: cyrus

   On down to the line beginning "sievedir", which we change to correspond to the new location:

   sievedir: /var/spool/cyrus/sieve

   Now, look for "sasl_mech_list". This setting defines what imap, pop3 and smtp password formats are available. Uncomment, and set to "PLAIN LOGIN".

   Yes, these are both unencrypted formats. There are PAM issues upcoming that force this hand. That said, if you use the encrypted services: imaps, pop3s and smtp/tls with your email client, no readable passwords are exposed.

   The line should read

   sasl_mech_list: PLAIN LOGIN

   Continue to the line beginning "sasl_pwcheck_method". Change this to "saslauthd", a daemon which will, in turn, use pam authentication machinery. The line should read:

   sasl_pwcheck_method: saslauthd

   Next, go to "tls_cert_file" and uncomment this line and the "tls_key_file" line, leaving this setting pointing to the default, self signed "snakeoil" key for your machine. If you obtain a CA signed cert, change the .pem and .key file locations here. These lines should read.

   # File containing the global certificate used for ALL services (imap, pop3,
   # lmtp, sieve)
   tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
   
   # File containing the private key belonging to the global server certificate.
   tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key

   Finally, go to the line with "tls_ca_file" and uncomment. changing the value to "http://morison.biz/etc/ssl/certs/ca-certificates.crt". This file isn't needed for self-signed certs. We'll install it later, though, so when CA'd certs come in, we just repoint the cert and key settings. This line should read:

   tls_ca_file: /etc/ssl/certs/ca-certificates.crt

   Save and exit /etc/imapd.conf and restart Cyrus

   sudo /etc/init.d/cyrus2.2 restart

Saslauthd Config

1. /etc/default/saslauthd

   sudo vi /etc/default/saslauthd

   Change the "START=no" line to read

   START=yes

   And, down at the bottom of the file update the sasl unix socket to run inside Postfix jail. Change the last line to read

   OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

2. etc/postfix/sasl/smtpd.conf - Create a new file, /etc/postfix/sasl/smtpd.conf, i.e.,

   sudo vi /etc/postfix/sasl/smtpd.conf

   with the following contents:

   pwcheck_method: saslauthd
   mech_list: plain login

3. Add postfix to the sasl group - For socket access

   sudo adduser postfix sasl

4. Start saslauthd

   sudo /etc/init.d/saslauthd start

SSL Bits

sudo adduser cyrus ssl-cert
sudo adduser postfix ssl-cert
sudo apt-get install ca-certificates

If you do install a CA supplied cert, you'll probably have a .crt you need to convert to a .pem file mail apps. Here's the trick:

openssl x509 -in mydomain.crt -out mydomain.der -outform der
openssl x509 -in mydomain.der -inform der -out mydomain.pem -outform pem

Postfix Chroot Jail Fix

1. Create /etc/init.d/fix-postfix-chroot

   sudo vi /etc/init.d/fix-postfix-chroot

   and add the lines:

   #!/bin/sh -e
   # Fixup socket paths in /var/run because of moves to postfix chroot @ /var/spool/postfix
   #
   
   # BEGIN INIT INFO
   # Provides:          fixes in /var/run
   # Required-Start:    $local_fs $remote_fs
   # Required-Stop:     $local_fs $remote_fs
   # Should-Start:      saslauthd mysql postfix
   # Should-Stop:       saslauthd mysql postfix
   # Default-Start:     2 3 4 5
   # Default-Stop:      0 1 6
   # Short-Description: Fixup socket paths in /var/run because of moves to postfix chroot @ /var/spool/postfix
   # Description:
   # END INIT INFO
   
   PATH=/bin:/usr/bin:/sbin:/usr/sbin
   TZ=
   unset TZ
   
   . /lib/lsb/init-functions
   #DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
   
   case "$1" in
       start)
           log_daemon_msg "Try to fix sockets in postfix chroot"
           if [ ! -e "http://morison.biz/var/run/mysqld" ] && [ -e /var/spool/postfix/var/run/mysqld ] ; then
                   log_daemon_msg "ln -s /var/spool/postfix/var/run/mysqld /var/run"
                   ln -s /var/spool/postfix/var/run/mysqld /var/run
           fi
           if [ ! -e "http://morison.biz/var/run/saslauthd" ] && [ -e /var/spool/postfix/var/run/saslauthd ] ; then
                   log_daemon_msg "ln -s /var/spool/postfix/var/run/saslauthd /var/run"
                   ln -s /var/spool/postfix/var/run/saslauthd /var/run
           fi
       ;;  
   
       stop)
           log_daemon_msg "Cleaning up sockets in postfix chroot"
           if [ -h "http://morison.biz/var/run/mysqld" ]; then
                   log_daemon_msg "rm /var/run/mysqld"
                   rm /var/run/mysqld
           fi
           if [ -h "http://morison.biz/var/run/saslauthd" ]; then
                   log_daemon_msg "rm /var/run/saslauthd"
                   rm /var/run/saslauthd
           fi
       ;;  
   esac    
   
   exit 0

2. Setup fix-postfix-chroot - Remove the old /var/run/saslauthd and setup the init script:

   sudo rmdir /var/run/saslauthd
   sudo chmod +x /etc/init.d/fix-postfix-chroot
   sudo update-rc.d fix-postfix-chroot multiuser 90
   sudo /etc/init.d/fix-postfix-chroot start
   sudo ls -l /var/run/saslauthd/

Root & Postmaster Aliases

1. Add Admin Email Addresses - Edit /etc/aliases to read

   root:   myeverydaymailaddress
   postmaster: myeverydaymailaddress
   
   clamav:                  postmaster
   webmaster:               postmaster
   maildebug:               postmaster
   virusalert:              postmaster
   spamalert:               postmaster

2. Run newaliases & reload Postfix

   sudo newaliases 
   sudo postfix reload

Test the Machinery

1. IMAP

   imtest -a mylogin

   and you should get an imap handshake and a password prompt. Use your shell login password

   WARNING: no hostname supplied, assuming localhost
   
   S: * OK mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-13ubuntu3 server ready
   C: C01 CAPABILITY
   S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS
   S: C01 OK Completed
   Please enter your password: 
   C: L01 LOGIN rod {8}
   S: + go ahead
   C: <omitted>
   S: L01 OK User logged in
   Authenticated.
   Security strength factor: 0

   ^C out of this and check the log file

   tail /var/log/mail.log

   for something like

   Sep 29 01:41:24 mailserver cyrus/imap[18380]: accepted connection
   Sep 29 01:41:28 mailserver cyrus/imap[18380]: login: localhost [127.0.0.1] rod plaintext User logged in

2. smtptest - Do the same with smtptest. Stop here and get things working before going on.

Open the Firewall

sudo ufw allow smtp
sudo ufw allow pop3
sudo ufw allow pop3s
sudo ufw allow imap
sudo ufw allow imaps
sudo ufw status

sudo reboot

Epilogue

1. Get the Ubuntu iso - First step, download and burn an Ubuntu server CD. Follow the links from http://releases.ubuntu.com/8.04/ to a mirror. Be sure to get the correct server iso for your install, most likely the ubuntu-8.04.1-server-i386.iso (or newer release in the 8.04 series).
2. Ready the Hardware - Get your machine ready to boot, and networked to your switch. This doc assumes you'll boot initially on a private network with DHCP, then move the box to its public static IP after the firewall is setup.
   
   You'll need a monitor and a keyboard for the install on the console (a KVM is handy for this). You don't need anything fancy, though. It will all be text screens and when your finished, the server shouldn't need the monitor. You may still need the keyboard, however: many non-server motherboards won't boot without a keyboard plugged in.
3. Boot the CD - Be sure to do any bios configs at this point, typically configuring a hardware raid and/or setting the CD to boot before any other devices. After loading a kernel, the CD will walk you through a series of screens on the console.
4. Language - The CD will boot into the Ubuntu install menu, and immediately ask what language you would like to work in. Use arrow keys to select and hit return. Initial Language Select
5. Install Menu - Select Install Ubuntu Server from this screen. Note the Rescue a broken system though, which is a valuable tool for inspecting a broken system. Ubuntu Install Menu
6. Choose Language - After "Loading Linux Kernel" completes and the installer is loaded, you'll get another language select. In this case you'll select the default language for the server. Choose Default Language
7. Choose Language Pt 2 - Select a country. Choose Country
8. Keyboard layout - Either let the installer detect your keyboard type or nav through the menus to select. Detect Keyboard Layout
9. Detect and Load - The installer will now detect your hardware and load more software off the CD. Detect Hardware Load Additional Components
10. Hostname - Enter the hostname, not including the domain part, in this case "mailserver". Set Host Name
11. Time Zone - Choose the time zone this server will run in. Select Time Zone
12. Partition - After detecting disks, the installer will offer to guide you through partitioning. If you're not experienced with partitioning, take the simple, default, single partition+swap setup (shown here.) Experienced users may setup LVM, software RAID and other customizations in the following few screens. For the simple case, choose "Guided - use entire disk" Partition Disks
13. Guided Partitioning Step 1 - Select the disk to partition. If you have a single disk, that's all there is to select. Select Disk
14. Guided Partitioning Step 2 - Accept the default partition and select "Yes". This setup gives a swap 3x the size of physical RAM and the remainder on a single partition, "http://morison.biz/" (read that "slash", the root of the Linux file system.) Write Partitions to Disk
15. Partition & Install - The installer will proceed with the partitioning and base package installation. You'll have time to a get coffee while it installs.
    
    Partitions Formatting Installing System
16. Setup Users - Enter the full name of the "initial" user doing the install, then a login ID, then a password. Access to root, i.e., the admin account, will be on a command by command basis via the sudo program. Even during installations, it's preferred to take root credentials only as needed, and not be logged in for long stretches as root. User Full Name User ID User Password User Password Confirm
17. Configure apt-get - The program apt-get will install Ubuntu software packages, usually from an Ubuntu fileserver or mirror. It is the primary and preferred way to install and update software on the system. If you need to go through an http proxy to browse, enter the info here so apt-get can do the same. Most users can leave this blank. Configure apt-get Proxy
18. Software Selection - The next screen will ask what services should be installed. We'll only install the OpenSSH server at this point, for command line access over a network. The remaining packages we'll install with apt-get once the system is up, running, and networked. Arrow down to the OpenSSH selection, hit space, tab to continue, and hit return. Install OpenSSH
19. Installation Complete - Hit Continue to reboot the system and get a login prompt. Installation Complete Login Prompt
20. Login - Login with the user credentials created previously.
21. Config ssh - There are quite a few scanners out there that try to guess passwords for user IDs like "guest", "test", "root", "www", etc. Because all of these that I've encountered work the standard ssh port, 22, I make it a practice to change ssh to a high numbered port. We'll use 9999. You can choose your own, but keep it above 1023 (see http://en.wikipedia.org/wiki/Well_known_ports). Or, you can skip this step and keep it at the standard port 22.

    sudo vi /etc/ssh/sshd_config
    [sudo] password for rod:

    The sudo program will run the command given on the same line as the root user. As configured on Ubuntu server, sudo requests the invoking user's password, not root's password. This arrangement is a good thing, btw, making it easier to give or revoke root privs, compared to handing out the root password. Also, sudo can fine grain access to specific commands by user ID, group, etc. For more information, man sudo and inspect the settings in /etc/sudoers (for which you will need...sudo.) Sudo vi /etc/ssh/sshd_config

    It's assumed you can edit text files. The vi editor is used in these examples; pico is also installed, and is a little more intuitive for those that didn't grow up with vi. Run man vi or man pico or google around for more info.

22. Set the Port - Edit the line Port 22 and change the 22 to your new ssh port. Save and exit. Change ssh Port
23. Restart the ssh server.

    sudo /etc/init.d/ssh restart

24. Setup the Firewall - Ufw initNow we'll configure the Ubuntu ufw firewall...it's easy to use and has just enough configuration for this mail server setup. For docs on ufw and a list of more powerful firewall options, see the Ubuntu Server Manual Firewall section. We'll start ufw in it's most restrictive form (block everything) and then open the ssh port configured above.

    sudo ufw default deny
    sudo ufw enable
    sudo ufw allow 9999
    sudo ufw status

25. Config Static IP - Assuming you installed on a net with DHCP, you should see something like the following when you type /sbin/ifconfig:

    rod@mailserver:~$ /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:a5:2f:f1  
              inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fea5:2ff1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1586 errors:0 dropped:0 overruns:0 frame:0
              TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:138577 (135.3 KB)  TX bytes:7227 (7.0 KB)
              Interrupt:16 Base address:0x2000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    That means your assigned address is 192.168.1.101. (If you're not seeing that, then I'm note sure how you got this far! ) Fyi sudo ethtool eth0 is handy and will tell you if your adapter detects a link to the switch.)

    Skip or modify the rest of this step if your building an experimental system that will stay on your private network

    Edit the network config file

    sudo vi /etc/network/interfaces

    and edit the eth0 section from the word "dhcp" so that it reads

    iface eth0 inet static
            address xx.xx.xx.xx
            netmask yy.yy.yy.yy
            gateway zz.zz.zz.zz

    replacing xx.xx.xx.xx with your static IP, yy.yy.yy.yy with the netmask, and zz.zz.zz.zz with the gateway IP (these should have come with the static.)
26. Edit DNS

    Skip this step if you're staying on the DHCP provided address.

    sudo vi /etc/resolv.conf

    to read

    search mydomain
    nameserver nameserverIP1
    nameserver nameserverIP2

    where mydomain is your domain name, e.g., foobar.com, and nameserver1 and nameserver2 are two namerserver IP addresses, usually given by your access provider, along with the static IP.
27. Turn on the Static IP - Run

    sudo ifdown eth0 ; sudo ifup eth0

    to pick up the new settings.
28. Ping-Check Your Work - At this point, you'll have to recable (and perhaps move) your server outside your private IP router (or put it in the router DMZ.) Check for link status, and try pinging a few things.

    sudo ethtool eth0

    and you should see

    Settings for eth0:
            Current message level: 0x00000007 (7)
            Link detected: yes

    Then, ping the gateway (from /etc/network/interfaces) and a DNS server (from /etc/resolv.conf), hitting control-C when you've seen enough

    ping 64.81.45.2
    PING 64.81.45.2 (64.81.45.2) 56(84) bytes of data.
    64 bytes from 64.81.45.2: icmp_seq=1 ttl=62 time=27.2 ms
    64 bytes from 64.81.45.2: icmp_seq=2 ttl=62 time=33.0 ms
    64 bytes from 64.81.45.2: icmp_seq=3 ttl=62 time=69.1 ms
    
    --- 64.81.45.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 27.290/43.133/69.109/18.515 ms

    Finally, try pinging Google, which will verify that your /etc/resolv.conf settings are good

    ping google.com
    PING google.com (64.233.187.99) 56(84) bytes of data.
    64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=1 ttl=247 time=97.5 ms
    64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=2 ttl=247 time=96.2 ms
    64 bytes from jc-in-f99.google.com (64.233.187.99): icmp_seq=3 ttl=247 time=98.3 ms
    
    --- google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 96.248/97.380/98.370/0.943 ms

29. Ntp - Ok, one last thing and we've got a nicely stocked, vanilla Ubuntu server: an NTP daemon.

    It's quite important that mail servers (all servers, really) have very accurate time. When you need to debug across machines, verify mail headers...and computer clocks will drift. Plus, you really want to be able to say, "You can trust the datestamps in my mail headers" at the next party you go to.
    The NTP daemon on your will check regularly with a NTP server that is tied into regional or international standard time servers. See http://www.ntp.org/ntpfaq/NTP-a-faq.htm if you're interested.
    
    Run

    sudo apt-get install ntp

    and you should see

    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Suggested packages:
      ntp-doc
    The following NEW packages will be installed:
      ntp
    0 upgraded, 1 newly installed, 0 to remove and 22 not upgraded.
    Need to get 432kB of archives.
    After this operation, 1069kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com hardy/main ntp 1:4.2.4p4+dfsg-3ubuntu2 [432kB]
    Fetched 432kB in 1s (220kB/s)
    Selecting previously deselected package ntp.
    (Reading database ... 15320 files and directories currently installed.)
    Unpacking ntp (from .../ntp_1%3a4.2.4p4+dfsg-3ubuntu2_i386.deb) ...
    Setting up ntp (1:4.2.4p4+dfsg-3ubuntu2) ...
     * Starting NTP server ntpd                                              [ OK ]

30. Update NTP Servers - It's highly advisable to configure ntp to talk to several regional servers. First, visit http://www.pool.ntp.org/, click on your region (should be top right of the page, under Active Servers). At the top of the page you should see something that begins, "To use this pool zone, add the following to your ntp.conf file:". Copy or type that text into /etc/ntp.conf. That is, run

    sudo vi /etc/ntp.conf

    and a few lines down, where you see server ntp.ubuntu.com, remove the Ubuntu server and replace it with your regional pool servers. For North America, the first dozen or so lines of the /etc/ntp.conf file looks like

    # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
    
    driftfile /var/lib/ntp/ntp.drift
    
    
    # Enable this if you want statistics to be logged.
    #statsdir /var/log/ntpstats/
    
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable
    
    
    # You do need to talk to an NTP server or two (or three).
    server 0.north-america.pool.ntp.org
    server 1.north-america.pool.ntp.org
    server 2.north-america.pool.ntp.org
    server 3.north-america.pool.ntp.org

31. Restart ntp

    sudo /etc/init.d/ntp restart