Scalix with Debian Etch: difference between revisions

From Neobiker's Wiki

Revision as of 31 May 2007, 18:54

Preparation

Etch installation in a XEN DomU

I start with the installation on a fresh Etch installation under XEN. For simplicity I use the xen-tools.

apt-get install xen-tools
vi /etc/xen-tools/xen-tools.conf
#
# ...
lvm = vg
debootstrap = 1
#
##
#  Disk and Sizing options.
##
#
size   = 4Gb      # Disk image size.
memory = 128Mb    # Memory size
swap   = 128Mb    # Swap size
# noswap = 1      # Don't use swap at all for the new system.
fs     = ext3     # use the EXT3 filesystem for the disk image.
dist   = etch     # Default distribution to install.
image  = sparse   # Specify sparse vs. full disk images.
dhcp = 1
#
# Default kernel and ramdisk to use for the virtual servers
#
kernel = /boot/vmlinuz-2.6.18-4-xen-686
initrd = /boot/initrd.img-2.6.18-4-xen-686
#
# The default mirror for debootstrap which can be used to install
# Debian Sid, Sarge, and Etch.
#
mirror = http://ftp.de.debian.org/debian/
# ...

Create the Etch DomU image and then start it

xen-create-image --hostname=scx
vi /etc/xen/scx.cfg
xm create -c /etc/xen/scx.cfg
...
ethtool -K eth0 tx off
vi /etc/network/interfaces
# uncomment ethtool
# post-up ethtool -K eth0 tx off

Install additional packages

Now install the required packages:

  • Apache, Sendmail
  • Postgres
  • Kerberos
  • SASL2
  • various libraries
  • Sun Java
  • gawk, wget, elinks, ethtool, less, host
apt-get install -u apache2 sendmail sendmail-doc
apt-get install -u postgresql
apt-get install -u krb5-config krb5-doc krb5-user libkadm55 libkrb53
apt-get install -u saslauthd libsasl2-modules libsasl2-gssapi-mit sasl2-bin libssl0.9.7
apt-get install -u libxml2 libglib2.0-0 libstdc++2.10-glibc2.2 libstdc++5
apt-get install -u sun-java5-jre
apt-get install -u gawk elinks wget w3m less ethtool host

I adjusted the following (see below):

  • Sendmail dual configuration
  • Smarthost
  • Masquerading
  • Integrate amavisd-new

I start with amavisd-new, SpamAssassin and ClamAV.

Configuring Sendmail with amavisd-new

After the installation, amavis must be given the central SpamAssassin configuration file /etc/spamassassin/local.cf, and the user clamav must be added to the group amavis:

apt-get install -u amavisd-new clamav clamav-daemon spamassassin
adduser clamav amavis
mkdir ~amavis/.spamassassin
ln -s /etc/spamassassin/local.cf \
~amavis/.spamassassin/user_prefs

The amavisd configuration is adjusted in /etc/amavis/conf.d/50-user:

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_DISCARD;  # D_REJECT when front-end MTA
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

Restart amavisd:

/etc/init.d/amavis restart

Sendmail dual configuration

To integrate amavisd-new with SpamAssassin and ClamAV into sendmail I use the sendmail-dual setup (which corresponds to the configuration of Exim with amavisd-new).

Excerpt from /usr/share/doc/amavisd-new/README.sendmail-dual.gz:

The following setup is described in this document:

      ............................   ............................
      : sendmail instance MTA-RX :   : sendmail instance MTA-TX :
      :                          :   :                          :
 25 -----> \ (mqueue-rx)         :   : (mqueue)          / -------> forward
587 ----->  > -queue-            :   : -queue-   ->-----+       :
 ^    :    /     | MAIL_HUB,     :   :   |               \ -------> local
 |    :          v SMART_HOST    :   :   ^                      :  delivery
msp   ...........|................   ....|.......................
                 |                       ^ loopback interface
                 v                       | port 10025
 loopback interf.| port 10024            |
            .....|.......................|.............
            : $inet_socket_port=10024    |            :
            :                            |            :
            : $forward_method='smtp:127.0.0.1:10025'  :
            : $notify_method ='smtp:127.0.0.1:10025'  :
            :                                         :
            :    amavisd-new                          :
            ...........................................

The sendmail configuration is defined in /etc/mail/sendmail-rx.mc and /etc/mail/sendmail.mc.

Sendmail-RX

/etc/mail/sendmail-rx.mc

include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail-rx.mc, v 8.13.8-3 2006-12-08 20:21:10 neobiker Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl #
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
DAEMON_OPTIONS(`Family=inet, Name=MTA-RX, Port=smtp, Addr=127.0.0.1')dnl
define(`confRUN_AS_USER',`smmta:smmsp')dnl
FEATURE(`access_db', , `skip')dnl
dnl #
dnl FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
define(`confPID_FILE', `/var/run/sendmail/mta/sendmail-rx.pid')dnl  Non-default pid file
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl    Non-default stat file
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl   Non-default queue area
define(`confQUEUE_SORT_ORDER',`Modification')dnl Modif or Random are reasonable
dnl #
dnl # Match the number of queue runners (R=) to the number of amavisd-new child
dnl # processes ($max_servers). 2 to 7 OK, 10 is plenty, 20 is too many
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue-rx, R=2, F=f')dnl
dnl #
dnl #
FEATURE(stickyhost)dnl
define(`MAIL_HUB',   `esmtp:[127.0.0.1]')dnl  Forward all local mail to amavisd
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl  Forward all other mail to amavisd
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
define(`confDELIVERY_MODE',`q')dnl     Delivery mode: queue only (a must,
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl  To tcp port 10024 instead of 25
define(`SMTP_MAILER_MAXMSGS',`10')dnl  Max no. of msgs in a single connection
define(`confTO_DATAFINAL',`20m')dnl    20 minute timeout for content checking
MODIFY_MAILER_FLAGS(`ESMTP', `+z')dnl  Speak LMTP (this is optional)
dnl #
MAILER(`smtp')dnl

Sendmail-TX

/etc/mail/sendmail.mc

define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.13.8-3 2006-12-08 20:21:10 neobiker Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
DAEMON_OPTIONS(`Family=inet, Name=MTA-TX, Port=10025, Addr=127.0.0.1')dnl
dnl #
define(`SMART_HOST', smtp.1und1.de)dnl
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl FEATURE(`virtusertable')dnl
FEATURE(`use_cw_file')dnl
dnl FEATURE(`access_db', , `skip')dnl
dnl #
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
dnl #
dnl #
dnl # Masquerading options
dnl FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`Meine-Domain.de')dnl
FEATURE(`masquerade_envelope')dnl
dnl MASQUERADE_DOMAIN(`scx.Zuhause.de')dnl
dnl FEATURE(`masquerade_entire_domain')dnl
dnl FEATURE(`allmasquerade')dnl
dnl #
FEATURE(`no_default_msa')dnl
FEATURE(`nocanonify')dnl      Host/domain names are considered canonical
define(`confREFUSE_LA',999)dnl  Disable the feature, limiting belongs to MTA-RX
define(`confMAX_DAEMON_CHILDREN',0)dnl  Disable, limiting belongs to MTA-RX
define(`confSMTP_LOGIN_MSG', `$w.tx.$m Sendmail $v/$Z; $b')dnl
define(`confTO_IDENT', `0')dnl  Disable IDENT
dnl #
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(scalix)dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

Sendmail routing

Local mail (e.g. for root) and the mail of my external mail domain (e.g. ich@neobiker.de) should not be sent to the smarthost but delivered locally to the Scalix mail server. I therefore enter the correct (external) mail domain and the (internal) mail domains of the LAN in the file /etc/mail/local-host-names:

localhost
scx
Zuhause.xx
scx.Zuhause.xx
Email-Domain.de

The two domains (here: Zuhause.xx and Email-Domain.de) must be defined in Scalix as local domains (SAC: Settings - Administration - Local Domains).

The smarthost for outgoing mail is defined as follows, either in sendmail.mc (or e.g. in /etc/mail/m4/provider.m4):

define(`SMART_HOST', `smtp.1und1.de')

The login / password for the smarthost is entered in /etc/mail/auth/client-info:

AuthInfo:smtp.1und1.de "U:Login" "I:Login" "P:Passwort"

A subsequent makemap in the directory /etc/mail/auth creates the corresponding hash file /etc/mail/auth/client-info.db.

cd /etc/mail/auth
makemap hash client-info <client-info

Additionally I add an alias so that internal mail (e.g. for root) is sent to my normal account on the Scalix server:

# cd /etc/mail
# vi aliases
root:     neobiker
neobiker: ich@Zuhause.xx

Starting Sendmail

A queue directory must be created for the additional MTA-RX process (copied recursively so that ownership and permissions are preserved):

cp -pr /var/spool/mqueue /var/spool/mqueue-rx

Afterwards Sendmail can be started; to be safe, regenerate the config files first:

cd /etc/mail
make
m4 /etc/mail/sendmail-rx.mc > /etc/mail/sendmail-rx.cf
m4 /etc/mail/sendmail.mc    > /etc/mail/sendmail.cf

/usr/sbin/sendmail -C /etc/mail/sendmail-rx.cf -L sm-mta-rx -bd -qp
/usr/sbin/sendmail                             -L sm-mta-tx -bd -q15m
/usr/sbin/sendmail -Ac                         -L sm-msp-queue -q10m

Sendmail-dual init script

I adapted the normal Sendmail init script so that the second sendmail process (MTA-RX in addition to MTA-TX) is taken into account. The changes are essentially copied from the normal procedures and adapted. The original uses the variables MTAL_XXXX; for the additional MTA-RX process I simply added these as MTAR_XXXX where needed.

The init script sendmail-dual is available here for download. /etc/init.d/sendmail-dual -> I replaced the normal /etc/init.d/sendmail file with it.

Starting Sendmail

Start as usual; for debugging use the tail command, monitor with ps:

# /etc/init.d/sendmail-dual start
# ps aux|grep -v grep|grep sendmail
root      5885  0.0  1.5   8344  2604 ?        Ss   19:11   0:00 sendmail: MTA: accepting connections
smmta     5886  0.0  1.0   8336  1764 ?        S    19:11   0:00 sendmail: MTA: running queue: /var/spool/mqueue-rx
root      5890  0.0  1.5   8332  2612 ?        Ss   19:11   0:00 sendmail: MTA: accepting connections
#
# tail -f /var/log/mail.info &
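Added example (not from the wiki page or the amavisd-new README): a POSIX shell check that the filter chain is wired as intended, i.e. ports 10024 (amavisd) and 10025 (MTA-TX) listen on the loopback interface only, both MTA instances plus the mqueue-rx queue runner are up, and the smarthost credential file from the routing section grants no group/other access. If MTA-TX were reachable from the network, mail could be handed to it behind amavisd without ever being scanned. The netstat and ps lines are constructed samples shaped like the ps listing above; only the ports 10024/10025 and the queue path come from this page.

```shell
#!/bin/sh
# Sanity checks for the sendmail-dual + amavisd-new chain.
# Every sample below is constructed for this example, not captured output.

# Constructed `netstat -tln` lines: filter-internal ports bound to loopback only.
NETSTAT_OK='tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN'
# Constructed lines with MTA-TX on all interfaces: anyone who can reach
# port 10025 hands mail to MTA-TX without it passing through amavisd.
NETSTAT_BAD='tcp 0 0 0.0.0.0:10025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN'

# Print each LISTEN socket on a filter-chain port (10024 amavisd, 10025 MTA-TX)
# whose local address is not loopback. Reads netstat -tln output on stdin and
# prints nothing when the chain is loopback-only.
exposed_filter_ports() {
    awk '$6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == 10024 || port == 10025) &&
                addr != "127.0.0.1" && addr != "::1") print $4
         }'
}

# Constructed `ps aux | grep sendmail` lines, shaped like the listing above.
PS_SAMPLE='root  5885 0.0 1.5 8344 2604 ? Ss 19:11 0:00 sendmail: MTA: accepting connections
smmta 5886 0.0 1.0 8336 1764 ? S  19:11 0:00 sendmail: MTA: running queue: /var/spool/mqueue-rx
root  5890 0.0 1.5 8332 2612 ? Ss 19:11 0:00 sendmail: MTA: accepting connections'

# Exit 0 only when two MTA listeners (RX and TX) and the mqueue-rx queue runner
# appear in the ps output read on stdin.
sendmail_dual_running() {
    awk '/sendmail: MTA: accepting connections/ { listeners++ }
         /running queue: \/var\/spool\/mqueue-rx/ { rxqueue++ }
         END { exit !(listeners >= 2 && rxqueue >= 1) }'
}

# Exit 0 when the file in $1 (e.g. /etc/mail/auth/client-info or its .db, which
# holds the smarthost password in clear text) has no group/other permissions.
credentials_private() {
    [ -e "$1" ] || return 1
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone run against the constructed samples. On a real host pipe in
# `netstat -tln` and `ps aux` instead and name the real credential file.
printf '%s\n' "$NETSTAT_BAD" | exposed_filter_ports
printf '%s\n' "$PS_SAMPLE" | sendmail_dual_running && echo "sendmail-dual: ok"
```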

Scalix installation

Download the sources

Download the sources and unpack them under /usr/src:

cd /usr/src
wget http://downloads.scalix.com/.community/11.0.4/scalix-11.0.4-GA-debian-intel.tgz
tar xvzf scalix-11.0.4-GA-debian-intel.tgz

Installation

The package was corrupt in my case: one Tomcat package has a syntax error in its install script. We fix that first:

cd /usr/src/scalix-debian-11.0.4-GA/software/scalix_server
mkdir -p new/DEBIAN old
mv scalix-tomcat_5.5.16-263_all.deb old 
dpkg -x old/scalix-tomcat_5.5.16-263_all.deb new
dpkg -e old/scalix-tomcat_5.5.16-263_all.deb new/DEBIAN

vi new/DEBIAN/postinst
# ... on line 21 remove the superfluous ')'
    /opt/scalix-tomcat/bin/sxtomcat-create-instance ""
# ...

dpkg -b new scalix-tomcat_5.5.16-263_all_patched.deb

Now the Scalix packages can be installed:

cd /usr/src/scalix-debian-11.0.4-GA/software/scalix_server

dpkg -i ../../third_party/libical/i386/libical*.deb
dpkg -i scalix-server_*.deb

export PATH=/opt/scalix/bin:$PATH

echo -n "What should the name of your primary mailnode be? "; read mnode
echo -n "Please enter the admin password for the Scalix admin user (sxadmin)? "; read admpwd
echo -n "Please enter a password for the ldap query user? "; read ldappwd
echo -n "Please enter a password for the db user? "; read dbpwd
echo -n "Please enter the external ip address of your Scalix box? "; read ip

ldomain=$(hostname -d)
host=$(hostname)
fqdn=$(hostname -f)
short=${host:0:1}${host: -1:1}

# Initialize the Scalix Message Store 
ommakeom

# Set Generation Rules for Display Name, Login Name and Internet Address
sxconfig --set -t general.usrl_cn_rule='S, G'
sxconfig --set -t general.usrl_authid_rule='gs@'
sxconfig --set -t orniasys.name_part_1='"C" <G.S>' -t orniasys.domain_part_1=$ldomain

# Creating the Default Mailnode 
omaddmn -m $mnode

# Starting the Server Daemons
omrc -n

# Creating the Default Admin User
omaddu -n sxadmin/$mnode --class limited -c admin -p "$admpwd" sxadmin

# Configuring the Admin User
omconfenu -n "sxadmin/$mnode"
omlimit -u "sxadmin/$mnode" -o -i 0 -m 0

# Creating the LDAP Query User
omaddu -n sxqueryadmin/$mnode --class limited -c admin -p $ldappwd sxqueryadmin@$fqdn

# Creating the Standard Scalix Admin Groups
omaddpdl -l ScalixUserAdmins/$mnode
omaddpdl -l ScalixUserAttributesAdmins/$mnode
omaddpdl -l ScalixGroupAdmins/$mnode
omaddpdl -l ScalixAdmins/$mnode

cat >>/var/opt/scalix/${short}/s/sys/general.cfg <<EOF
#
# The CDA service (used for "type down" in some clients) is more
# efficient if it can check the directory change log before attempting
# to update the access tables that it uses.   One slow machines, it may
# also be worth uncommenting the CDA_CHECKTIME tweak to reduce the check
# interval from five minutes to an hour.
#
CDA_USE_CHANGE_LOG=TRUE
# CDA_CHECKTIME=60
#
# These tweaks limit the number and rate of IMAP connections to the
# server. The IMAP_CONNECTION_LIMIT simply restricts the total number of
# connections to the server. Note that many IMAP clients have several
# connections for each IMAP session. The IMAP_CONNRATE_LIMIT restricts
# the rate at which clients can connect to the server, in this case, at
# most 10 connections per second. If clients try to connect faster
# than that, the IMAP server simply slows down the rate at which it will
# accept new connections.
#
IMAP_CONNECTION_LIMIT=500
IMAP_CONNRATE_LIMIT=10
#
# The IMAP_IDLE_TIMEOUT tweak is the maximum time an IMAP connection
# will wait for a command before terminating the connection. The default
# setting, and the minimum required setting, is 30 minutes. Some
# clients "refresh" their connection once every thirty minutes
# exactly -- but if they are a little bit late, the server drops their
# connection. Setting a timeout of 31 minutes avoids this problem.
#
IMAP_IDLE_TIMEOUT=31
#
# This tweak arranges for Local Delivery to automatically create a
# message store for users created without one.
# Users added with the bulk-add mechanism used by the
# wizard do not have a message store. So setting this tweak allows
# them to receive mail before they are initially signed on.
#
LD_CREATE_MESSAGE_STORE=TRUE
#
# These three tweaks allow users to sign on using an alias. Only
# system-defined aliases are permitted and it the alias name is ignored
# for the purposes of message creation and so on.
# 
# Note that changing these settings normally requires restarting Scalix.
#
UAL_SIGNON_ALIAS=YES
UAL_SIGNON_ALIAS_CONFIG=SYS
UAL_USE_SIGNON_ALIAS=FALSE
EOF


# Starting Scalix Services
omon -s all

# Installing the Scalix Server package
# one deb package (scalix-tomcat_*.deb) has an error in its install script.
# It must be fixed first (unpack the deb, correct the syntax error, rebuild the deb package)
dpkg -i scalix-postgres_*.deb scalix-tomcat-connector_*.deb scalix-tomcat_*.deb \
        scalix-mobile_*.deb scalix-platform_*.deb scalix-res_*.deb scalix-sac_*.deb \
        scalix-sis_*.deb scalix-swa_*.deb

# Setup DB
/opt/scalix-postgres/bin/sxpsql-init                  # To create the database and tables
/opt/scalix-postgres/bin/sxpsql-setpwd $dbpwd
/opt/scalix-postgres/bin/sxpsql-whitelist 127.0.0.1 $ip

# Setting up Scalix-Tomcat
# vi /etc/opt/scalix-tomcat/scalix-tomcat.conf
# Set RAM Usage to 50% of complete RAM (or other, e.g. 40M)
# JAVA_OPTS="-server -Xms40m -Xmx40m"

# Configure Scalix
tomcatport=80
base=/var/opt/scalix/${short}
files="$base/webmail/swa.properties \
       $base/caa/scalix.res/config/ubermanager.properties \
       $base/res/config/res.properties \
       $base/platform/platform.properties \
       $base/mobile/mobile.properties \
       $base/sis/sis.properties"

for file in $files; do
sed -e "s;%LOCALDOMAIN%;$ldomain;g" \
    -e "s;%LOCALHOST%;$fqdn;g" \
    -e "s;%PLATFORMURL%;$fqdn;g" \
    -e "s;__SECURED_MODE__;false;g" \
    -e "s;ubermanager/__FQHN_HOST__@__KERBEROS_REALM__;;g" \
    -e "s;__KERBEROS_REALM__;;g" \
    -e "s;__FQHN_FOR_KDC_HOST__;;g" \
    -e "s;__FQHN_QUERY_SERVER_NAME__;$fqdn;g" \
    -e "s;__UBERMGR_USE_EXTERNAL_AUTH__;false;g" \
    -e "s;__UBERMGR_ALLOW_EXTERNAL_AUTH__;false;g" \
    -e "s;__UBERMGR_MAXLIST_SIZE__;100;g" \
    -e "s;__UBERMGR_MAIL_DOMAINS_LIST__;$ldomain;g" \
    -e "s;__UBERMGR_EXTERNAL_DOMAIN_AUTH_LIST__;;g" \
    -e "s;__CONFIGURED__;true;g" \
    -e "s;__FQHN_FOR_UBERMANAGER__;$fqdn;g" \
    -e "s;__TOMCAT_PORT__;$tomcatport;g" \
    -e "s;localhost;$fqdn;g" \
    -e "s;%SIS-LANGUAGE%;German;g" \
    -e "s;%INDEX-WHITELIST%;$fqdn;g" \
    -e "s;%SEARCH-WHITELIST%;$fqdn;g" \
    $file > $file.neu
mv $file.neu $file

done

# Write Ldappassword to psdata
cd ${base}/caa/scalix.res/config
echo "$ldappwd" > psdata
chown root:root psdata
chmod 400 psdata
cd

# Restart Tomcat
/etc/init.d/scalix-tomcat restart

# Setup Apache
ln -s /opt/scalix/global/httpd/scalix-web-client.conf /etc/apache2/conf.d
cat << EOF > /etc/apache2/conf.d/scalix-access.conf
<Location />
        Allow from all
</Location>
EOF
/etc/init.d/apache2 restart

cat << EOT
#####################################################
# You should now be able to access scalix at:
# http://$fqdn/sac
# http://$fqdn/webmail
#####################################################
EOT
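Added example (not part of the install script above): a POSIX shell check that the sed pass left no %TOKEN% or __TOKEN__ placeholder in the Scalix properties files, because a leftover token silently keeps that setting at its template value (for the auth-related ones, in an undefined state). The properties content and key names below are constructed for the example; the file list mirrors the install script's `files` variable.

```shell
#!/bin/sh
# Verify that the sed substitution pass left no template token in the Scalix
# properties files. All sample content is constructed for this example.

# Constructed properties content: fully substituted ...
PROPS_OK='ubermanager.fqhn=scx.example.lan
ubermanager.secured.mode=false
sis.language=German'
# ... and with two tokens the sed list did not cover (constructed key names).
PROPS_BAD='ubermanager.fqhn=scx.example.lan
ubermanager.secured.mode=false
sis.language=%SIS-LANGUAGE%
ubermanager.admin.host=__UBERMGR_ADMIN_HOST__'

# Print every %TOKEN% or __TOKEN__ placeholder still present in the properties
# file read on stdin, one per line, deduplicated.
unresolved_tokens() {
    grep -oE '%[A-Z][A-Z0-9_-]*%|__[A-Z][A-Z0-9_]*__' | LC_ALL=C sort -u
}

# Exit 0 when the properties file on stdin contains no leftover token.
config_resolved() {
    ! unresolved_tokens | grep -q .
}

# Check the same files the install script rewrites; $1 is the Scalix base
# directory (/var/opt/scalix/<short>). Lists each offending file with its
# tokens and exits 1 if any were found.
scan_scalix_configs() {
    base=$1; rc=0
    for f in "$base/webmail/swa.properties" \
             "$base/caa/scalix.res/config/ubermanager.properties" \
             "$base/res/config/res.properties" \
             "$base/platform/platform.properties" \
             "$base/mobile/mobile.properties" \
             "$base/sis/sis.properties"; do
        [ -f "$f" ] || continue
        if ! config_resolved < "$f"; then
            echo "$f:"
            unresolved_tokens < "$f" | sed 's/^/    /'
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$PROPS_BAD" | config_resolved || {
    echo "leftover tokens:"
    printf '%s\n' "$PROPS_BAD" | unresolved_tokens
}
```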

Now you should be able to log in at the above URL as sxadmin with the previously defined password. As sxadmin you can create new users in the Scalix Admin Console (SAC).

First, the Scalix mail server should additionally be taught the correct (external) mail domain. This is entered under "Settings - Administration - Local Domains". In my case there are 2 entries:

  • neobiker.de
  • Zuhause.xx


To save resources, the memory consumption of Tomcat can be reined in somewhat in /etc/opt/scalix-tomcat/scalix-tomcat.conf:

# Configuration file for Scalix Tomcat

# The directory where Java is installed
# (determined from /usr/bin/java managed by update-alternatives
# by default, change to hardcoded path if needed):
JAVA_HOME="`/opt/scalix-tomcat/bin/determine-java-home`"

# Additional arguments to be passed to Java:
JAVA_OPTS="-server -Xms40m -Xmx40m"

# Maximum number of file descriptors
ULIMIT_NUM_FILES="1000"

Webmail via DMZ proxy and SSL access

I implemented secured access to the Scalix webmail client via an Apache server in my DMZ. For this, install the scalix-tomcat-connector package in the DMZ. In the firewall, port 8009 must be opened from the DMZ to the Scalix server.

dpkg -i scalix-tomcat-connector_11.0.4.25_all.deb

By default I use SSL, which I enforce with a rewrite rule in the default configuration /etc/apache2/sites-enabled/000-default

NameVirtualHost *:80
<VirtualHost *:80>
...
        <IfModule mod_rewrite.c>
          <IfModule mod_ssl.c>
            <Location /Hild>
              RewriteEngine on
              RewriteCond %{HTTPS} !^on$ [NC]
              RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
            </Location>
          </IfModule>
        </IfModule>
...

</VirtualHost>


/etc/apache2/sites-enabled/000-default-ssl

NameVirtualHost *:443
<VirtualHost *:443>
        ServerName www-dmz.neobiker.net
        ServerAdmin webmaster@friedrichnet.de
        DocumentRoot /var/www/

        SSLEngine on
        # my own certificates from my server CA
        SSLCertificateFile /etc/ssl/certs/dmz1_wwwCert.pem
        SSLCertificateKeyFile /etc/ssl/private/dmz1_www-Key.pem
        #SSLCertificateFile /etc/apache2/ssl/apache.pem
        #SSLCertificateKeyFile /etc/apache2/ssl/apache.pem

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride AuthConfig
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

        <IfModule mod_proxy_ajp.c>
                Include /etc/opt/scalix-tomcat/connector/ajp/app-scx.*.conf
        </IfModule>

</VirtualHost>

The Scalix proxy configuration: /etc/opt/scalix-tomcat/connector/ajp/app-scx.*.conf

        ProxyPass /sac ajp://scx.neobiker.lan:8009/sac

/etc/opt/scalix-tomcat/connector/ajp/app-scx.*.conf

        ProxyPass /webmail ajp://scx.neobiker.lan:8009/webmail

Under Etch the Apache module mod_jk is no longer needed, since it has been replaced by mod_proxy_ajp. Since I include the latter module myself in the SSL configuration, I comment it out here in /etc/apache2/conf.d/scalix-tomcat-connector.conf:

# ---------------------------------------------------------------------------
# Configure on-the-fly deflate compression of the pages:
# ---------------------------------------------------------------------------

<Location />
  AddOutputFilterByType DEFLATE text/xml text/html text/css
  AddOutputFilterByType DEFLATE application/x-javascript
</Location>

# ---------------------------------------------------------------------------
# mod_proxy_ajp connector configuration
# ---------------------------------------------------------------------------

#<IfModule mod_proxy_ajp.c>
#  Include /etc/opt/scalix-tomcat/connector/ajp/instance-*.conf
#</IfModule>

# ---------------------------------------------------------------------------
# mod_jk connector configuration (part common to all platforms)
# ---------------------------------------------------------------------------

# Setup JK connector needed to run Tomcat under Apache server:

<IfModule mod_jk.c>

# Set the jk log level [debug/error/info]
JkLogLevel          info
# Select the log format
JkLogStampFormat   "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions          +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"

Include /etc/opt/scalix-tomcat/connector/jk/instance-*.conf
Include /etc/opt/scalix-tomcat/connector/jk/workers.conf

</IfModule>

# ---------------------------------------------------------------------------
# mod_jk connector configuration (part specific to Debian)
# ---------------------------------------------------------------------------

<IfModule mod_jk.c>
# Where to put jk logs
# Update this path to match your logs directory location
# (put mod_jk.log next to access_log)
JkLogFile     /var/log/apache2/mod_jk.log
</IfModule>

Sources

[1] Scalix Wiki: Manual installation under Etch

[2] Linux Magazin Online: Mail Server