Scalix with Debian Etch
Preparation
Etch installation in a Xen DomU
I start from a fresh Etch installation under Xen. For simplicity I use the xen-tools.
apt-get install xen-tools
vi /etc/xen-tools/xen-tools.conf
#
# ...
lvm = vg
debootstrap = 1
#
##
# Disk and Sizing options.
##
#
size   = 4Gb      # Disk image size.
memory = 128Mb    # Memory size
swap   = 128Mb    # Swap size
# noswap = 1      # Don't use swap at all for the new system.
fs     = ext3     # use the EXT3 filesystem for the disk image.
dist   = etch     # Default distribution to install.
image  = sparse   # Specify sparse vs. full disk images.
dhcp = 1
#
# Default kernel and ramdisk to use for the virtual servers
#
kernel = /boot/vmlinuz-2.6.18-4-xen-686
initrd = /boot/initrd.img-2.6.18-4-xen-686
#
# The default mirror for debootstrap which can be used to install
# Debian Sid, Sarge, and Etch.
#
mirror = http://ftp.de.debian.org/debian/
# ...
Create the Etch DomU image and then start it
xen-create-image --hostname=scx
vi /etc/xen/scx.cfg
xm create -c /etc/xen/scx.cfg
...
ethtool -K eth0 tx off
vi /etc/network/interfaces
# uncomment ethtool
# post-up ethtool -K eth0 tx off
Install additional packages
Now install the required packages:
- Apache, Sendmail
- PostgreSQL
- Kerberos
- SASL2
- various libraries
- Sun Java
- gawk, wget, elinks, ethtool, less, host
apt-get install -u apache2 sendmail sendmail-doc
apt-get install -u postgresql
apt-get install -u krb5-config krb5-doc krb5-user libkadm55 libkrb53
apt-get install -u saslauthd libsasl2-modules libsasl2-gssapi-mit sasl2-bin libssl0.9.7
apt-get install -u libxml2 libglib2.0-0 libstdc++2.10-glibc2.2 libstdc++5
apt-get install -u sun-java5-jre
apt-get install -u gawk elinks wget w3m less ethtool host
I adapted the following (see below):
- Sendmail dual configuration
- Smarthost
- Masquerading
- Integrating amavisd-new
I start with amavisd-new, SpamAssassin and ClamAV.
Configuring sendmail with amavisd-new
After the installation, amavis has to be given the central SpamAssassin configuration file /etc/spamassassin/local.cf, and the user clamav has to be added to the group amavis:
apt-get install -u amavisd-new clamav clamav-daemon spamassassin
adduser clamav amavis
mkdir ~amavis/.spamassassin
ln -s /etc/spamassassin/local.cf \
      ~amavis/.spamassassin/user_prefs
The amavisd configuration is adjusted in /etc/amavis/conf.d/50-user:
use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_DISCARD;  # D_REJECT when front-end MTA
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

#------------ Do not modify anything below this line -------------
1;  # insure a defined return
Restart amavisd:
/etc/init.d/amavis restart
Sendmail dual configuration
To integrate amavisd-new with SpamAssassin and ClamAV into sendmail I use the sendmail-dual setup (which corresponds to the Exim configuration with amavisd-new).
Excerpt from /usr/share/doc/amavisd-new/README.sendmail-dual.gz:
The following setup is described in this document:

 ............................     ............................
 : sendmail instance MTA-RX :     : sendmail instance MTA-TX :
 :                          :     :                          :
 25  -----> \  (mqueue-rx)  :     :  (mqueue)  / -------> forward
 587 ----->  >  -queue-     :     :  -queue-  ->-----+
 :          /      |        :     :     ^      \ -------> local   |
 :                 | MAIL_HUB,    :     |                 delivery|
 :                 v SMART_HOST   :     ^                         msp
 :.................|........:     :.....|....................:
                   |                    ^  loopback interface
                   v                    |  port 10025
  loopback interf. |  port 10024        |
 ..................|....................|...................
 : $inet_socket_port=10024              |                  :
 :                                      |                  :
 :         $forward_method='smtp:127.0.0.1:10025'          :
 :         $notify_method ='smtp:127.0.0.1:10025'          :
 :                                                         :
 :                      amavisd-new                        :
 :.........................................................:
The sendmail configuration is defined in /etc/mail/sendmail-rx.mc and /etc/mail/sendmail.mc.
Sendmail-RX
/etc/mail/sendmail-rx.mc
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail-rx.mc, v 8.13.8-3 2006-12-08 20:21:10 neobiker Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl #
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
DAEMON_OPTIONS(`Family=inet, Name=MTA-RX, Port=smtp, Addr=127.0.0.1')dnl
define(`confRUN_AS_USER',`smmta:smmsp')dnl
FEATURE(`access_db', , `skip')dnl
dnl #
dnl FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
define(`confPID_FILE', `/var/run/sendmail/mta/sendmail-rx.pid')dnl   Non-default pid file
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl                        Non-default stat file
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl                       Non-default queue area
define(`confQUEUE_SORT_ORDER',`Modification')dnl   Modif or Random are reasonable
dnl #
dnl # Match the number of queue runners (R=) to the number of amavisd-new child
dnl # processes ($max_servers). 2 to 7 OK, 10 is plenty, 20 is too many
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue-rx, R=2, F=f')dnl
dnl #
dnl # FEATURE(stickyhost)dnl
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl        Forward all local mail to amavisd
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl      Forward all other mail to amavisd
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
define(`confDELIVERY_MODE',`q')dnl                Delivery mode: queue only (a must,
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl     To tcp port 10024 instead of 25
define(`SMTP_MAILER_MAXMSGS',`10')dnl             Max no. of msgs in a single connection
define(`confTO_DATAFINAL',`20m')dnl               20 minute timeout for content checking
MODIFY_MAILER_FLAGS(`ESMTP', `+z')dnl             Speak LMTP (this is optional)
dnl #
MAILER(`smtp')dnl
Sendmail-TX
/etc/mail/sendmail.mc
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.13.8-3 2006-12-08 20:21:10 neobiker Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
DAEMON_OPTIONS(`Family=inet, Name=MTA-TX, Port=10025, Addr=127.0.0.1')dnl
dnl #
define(`SMART_HOST', smtp.1und1.de)dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo', `hash /etc/mail/auth/client-info')dnl
dnl #
FEATURE(`use_cw_file')dnl
dnl FEATURE(`use_ct_file')dnl
dnl FEATURE(`virtusertable')dnl
dnl FEATURE(`access_db', , `skip')dnl
dnl #
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
dnl #
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
dnl #
dnl #
dnl # Masquerading options
dnl FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`DeineDomain.de')dnl
MASQUERADE_DOMAIN(`scx.DeinLAN.de')dnl
dnl FEATURE(`masquerade_entire_domain')dnl
dnl FEATURE(`masquerade_envelope')dnl
dnl FEATURE(`allmasquerade')dnl
dnl #
FEATURE(`no_default_msa')dnl
FEATURE(`nocanonify')dnl                        Host/domain names are considered canonical
define(`confREFUSE_LA',999)dnl                  Disable the feature, limiting belongs to MTA-RX
define(`confMAX_DAEMON_CHILDREN',0)dnl          Disable, limiting belongs to MTA-RX
define(`confSMTP_LOGIN_MSG', `$w.tx.$m Sendmail $v/$Z; $b')dnl
define(`confTO_IDENT', `0')dnl                  Disable IDENT
dnl #
dnl #
MAILER_DEFINITIONS
MAILER(scalix)dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
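The two .mc files above and the amavisd settings from the README only form a closed RX -> amavisd -> TX loop if a handful of values agree with each other. The following Python check is an added example, not part of the original article nor of sendmail or amavisd-new: it parses constructed excerpts of sendmail-rx.mc, sendmail.mc and the amavisd settings (assumed to mirror the files above) and reports any mis-wired hop, including an MTA-TX bound to anything other than loopback, which would let mail reach delivery without passing the scanner.

```python
import re

# Constructed excerpts (not the full files) of the article's sendmail-rx.mc, sendmail.mc
# and the amavisd 50-user settings; only the lines the checks need are included.
RX_MC = """\
DAEMON_OPTIONS(`Family=inet, Name=MTA-RX, Port=smtp, Addr=127.0.0.1')dnl
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl
define(`SMART_HOST', `esmtp:[127.0.0.1]')dnl
define(`confDELIVERY_MODE',`q')dnl
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl
"""
TX_MC = """\
DAEMON_OPTIONS(`Family=inet, Name=MTA-TX, Port=10025, Addr=127.0.0.1')dnl
define(`SMART_HOST', smtp.1und1.de)dnl
"""
AMAVIS_CF = "$inet_socket_port = 10024;\n$forward_method = 'smtp:127.0.0.1:10025';\n"

DEFINE_RE = re.compile(r"^define\(`([^']+)',\s*`?([^')]*)'?\)", re.M)
DAEMON_RE = re.compile(r"^DAEMON_OPTIONS\(`([^']+)'\)", re.M)
PERL_RE = re.compile(r"^\$(\w+)\s*=\s*'?([^';]+)'?;", re.M)

def parse_mc(text):
    """define() macros as a dict; every DAEMON_OPTIONS() as a dict of its options."""
    defines = {k: v.strip() for k, v in DEFINE_RE.findall(text)}
    daemons = [dict(kv.strip().split("=", 1) for kv in opts.split(","))
               for opts in DAEMON_RE.findall(text)]
    return defines, daemons

def check_dual_setup(rx_mc, tx_mc, amavis_cf):
    """Findings for the RX -> amavisd -> TX loop; an empty list means every hop is wired up."""
    rx, _ = parse_mc(rx_mc)
    _, tx_daemons = parse_mc(tx_mc)
    amavis = dict(PERL_RE.findall(amavis_cf))
    findings = []
    # Hop 1: MTA-RX queues only and relays everything (local mail included) to amavisd.
    if rx.get("confDELIVERY_MODE") != "q":
        findings.append("MTA-RX: confDELIVERY_MODE must be q (queue only)")
    for key in ("MAIL_HUB", "SMART_HOST"):
        if rx.get(key) != "esmtp:[127.0.0.1]":
            findings.append(f"MTA-RX: {key} does not route to amavisd on loopback")
    rx_port = (rx.get("ESMTP_MAILER_ARGS", "").split() or ["?"])[-1]
    if rx_port != amavis.get("inet_socket_port"):
        findings.append(f"MTA-RX sends to port {rx_port}, amavisd listens on {amavis.get('inet_socket_port')}")
    # Hop 2: amavisd must hand scanned mail to the port MTA-TX actually listens on.
    fwd_port = amavis.get("forward_method", "").rsplit(":", 1)[-1]
    tx_ports = sorted(d.get("Port", "?") for d in tx_daemons)
    if fwd_port not in tx_ports:
        findings.append(f"amavisd forwards to port {fwd_port}, MTA-TX listens on {tx_ports}")
    # MTA-TX accepts unscanned mail: a non-loopback bind would let the scanner be skipped.
    for d in tx_daemons:
        if d.get("Addr") != "127.0.0.1":
            findings.append(f"MTA-TX daemon {d.get('Name')} bound to {d.get('Addr', 'all interfaces')}")
    return findings
```

Run it against the real files by reading them in place of the excerpts; the parser only looks at define() and DAEMON_OPTIONS() lines, so the surrounding m4 is ignored.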
Sendmail routing
I enter the correct (external) mail domain and the (internal) mail domains of the LAN in the file /etc/mail/local-host-names, so that mail for these domains (e.g. to root) is not sent to the smarthost:
localhost
scx
Zuhause.xx
scx.Zuhause.xx
Email-Domain.de
Both domains (here Zuhause.xx and Email-Domain.de) must be defined as local domains in Scalix (SAC: Settings - Administration - Local Domains).
In addition I add an alias so that internal mail (e.g. for root) is sent to my normal account on the Scalix server:
# cd /etc/mail
# vi aliases
root:     neobiker
neobiker: ich@Zuhause.xx
# make
# /etc/init.d/sendmail restart
The smarthost for outgoing mail is defined as follows, either in sendmail.mc (or e.g. in /etc/mail/m4/provider.m4):
define(`SMART_HOST', `smtp.1und1.de')
The login and password for the smarthost are entered in /etc/mail/auth/client-info:
AuthInfo:smtp.1und1.de "U:Login" "I:Login" "P:Passwort"
A subsequent makemap in the directory /etc/mail/auth creates the corresponding hash file /etc/mail/auth/client-info.db.
cd /etc/mail/auth
makemap hash client-info <client-info
Configure and start sendmail
cp -pr /var/spool/mqueue /var/spool/mqueue-rx
m4 /etc/mail/sendmail-rx.mc > /etc/mail/sendmail-rx.cf
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/usr/sbin/sendmail -C /etc/mail/sendmail-rx.cf -L sm-mta-rx -bd -qp
/usr/sbin/sendmail -L sm-mta-tx -bd -q15m
/usr/sbin/sendmail -Ac -L sm-msp-queue -q10m
Sendmail-dual init script
I adapted the normal sendmail init script so that the second sendmail process (MTA-RX in addition to MTA-TX) is taken into account. The changes are essentially copied from the normal procedures and adjusted. The original uses the variables MTAL_XXXX; for the additional MTA-RX process I simply added them as MTAR_XXXX where needed.
The init script sendmail-dual is available for download here (/etc/init.d/sendmail-dual). I replaced the normal /etc/init.d/sendmail file with it.
Starting sendmail
Start as usual; use tail for debugging and ps for monitoring:
# /etc/init.d/sendmail-dual start
# ps aux|grep -v grep|grep sendmail
root      5885  0.0  1.5   8344  2604 ?        Ss   19:11   0:00 sendmail: MTA: accepting connections
smmta     5886  0.0  1.0   8336  1764 ?        S    19:11   0:00 sendmail: MTA: running queue: /var/spool/mqueue-rx
root      5890  0.0  1.5   8332  2612 ?        Ss   19:11   0:00 sendmail: MTA: accepting connections
#
# tail -f /var/log/mail.info &
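To confirm from mail.info that a message really takes the MTA-RX -> amavisd -> MTA-TX path, this added Python example (not from the original article) correlates sendmail queue IDs with amavisd's queued_as entries over a constructed log excerpt. Any MTA-TX queue ID that no amavisd line claims entered on port 10025 without a scan, which is expected for MSP submissions in this setup and worth a look otherwise; the log lines, queue IDs and addresses are made up.

```python
import re

# Constructed excerpt of /var/log/mail.info for the dual setup: the syslog tags sm-mta-rx
# and sm-mta-tx are the -L names from the start commands; queue IDs, addresses and times
# are made up.  The second message reached MTA-TX without an amavisd record.
MAIL_INFO = """\
Dec  8 20:21:10 scx sm-mta-rx[5901]: lB8JLA0x005901: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA-RX, relay=localhost [127.0.0.1]
Dec  8 20:21:10 scx sm-mta-rx[5902]: lB8JLA0x005901: to=<root@scx.Zuhause.xx>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30812, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lB8JLA0y005910 Message accepted for delivery)
Dec  8 20:21:10 scx amavis[2231]: (02231-01) Passed CLEAN, [127.0.0.1] [127.0.0.1] <alice@example.org> -> <root@scx.Zuhause.xx>, Message-ID: <a1@example.org>, mail_id: 7Qx3kZ, Hits: -1.9, size: 812, queued_as: lB8JLA0y005910, 412 ms
Dec  8 20:21:10 scx sm-mta-tx[5910]: lB8JLA0y005910: from=<alice@example.org>, size=1031, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA-TX, relay=localhost [127.0.0.1]
Dec  8 20:21:11 scx sm-mta-tx[5911]: lB8JLA0y005910: to=<neobiker>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31031, dsn=2.0.0, stat=Sent
Dec  8 20:25:03 scx sm-mta-tx[5930]: lB8JP3Zq005930: from=<mallory@example.net>, size=640, class=0, nrcpts=1, msgid=<m9@example.net>, proto=ESMTP, daemon=MTA-TX, relay=localhost [127.0.0.1]
Dec  8 20:25:03 scx sm-mta-tx[5931]: lB8JP3Zq005930: to=<neobiker>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30640, dsn=2.0.0, stat=Sent
"""

SM_RE = re.compile(r" (sm-mta-rx|sm-mta-tx)\[\d+\]: (\w+): (from|to)=<([^>]*)>, (.*)$")
AV_RE = re.compile(r" amavis\[\d+\]: \(\S+\) (Passed|Blocked) (\S+?),.*queued_as: (\w+)")

def trace_dual_flow(log_text):
    """Follow each message RX -> amavisd -> TX by queue ID.  Returns (chains, unscanned):
    chains maps an MTA-RX queue ID to the amavisd verdict, the MTA-TX queue ID and the
    final delivery status; unscanned lists MTA-TX queue IDs that no amavisd line claims,
    i.e. mail that entered port 10025 directly (MSP submissions here, or a scanner bypass)."""
    rx, tx, av = {}, {}, {}
    for line in log_text.splitlines():
        m = SM_RE.search(line)
        if m:
            inst, qid, kind, addr, rest = m.groups()
            entry = (rx if inst == "sm-mta-rx" else tx).setdefault(qid, {})
            if kind == "from":
                entry["from"] = addr
                continue
            entry["to"] = addr
            # The relay's 250 reply, logged by MTA-RX, carries the queue ID MTA-TX assigned.
            st = re.search(r"stat=(\w+)(?: \((\w+) Message accepted)?", rest)
            if st:
                entry["stat"] = st.group(1)
                if st.group(2):
                    entry["tx_qid"] = st.group(2)
            continue
        m = AV_RE.search(line)
        if m:
            av[m.group(3)] = f"{m.group(1)} {m.group(2)}"
    chains = {}
    for qid, e in rx.items():
        tx_qid = e.get("tx_qid")
        chains[qid] = {"from": e.get("from"), "verdict": av.get(tx_qid), "tx_qid": tx_qid,
                       "delivery": tx.get(tx_qid, {}).get("stat")}
    unscanned = sorted(q for q in tx if q not in av)
    return chains, unscanned
```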
Scalix installation
Downloading the sources
Download the sources and unpack them under /usr/src:
cd /usr/src
wget http://downloads.scalix.com/.community/11.0.2.1/scalix-11.0.4-GA-debian-intel.tgz
tar xvzf scalix-11.0.4-GA-debian-intel.tgz
Installing
In my case the package was broken: one Tomcat package contains a syntax error. We fix that first:
cd /usr/src/scalix-debian-11.0.4-GA/software/scalix_server
mkdir -p new/DEBIAN old
mv scalix-tomcat_5.5.16-263_all.deb old
dpkg -x old/scalix-tomcat_5.5.16-263_all.deb new
dpkg -e old/scalix-tomcat_5.5.16-263_all.deb new/DEBIAN
vi new/DEBIAN/postinst
# ... line 21: remove the superfluous ')'
/opt/scalix-tomcat/bin/sxtomcat-create-instance ""
# ...
dpkg -b new scalix-tomcat_5.5.16-263_all_patched.deb
Now we can install the Scalix packages:
cd /usr/src/scalix-debian-11.0.4-GA/software/scalix-server
dpkg -i ../../third_party/libical/i386/libical*.deb
dpkg -i scalix-server_*.deb
export PATH=/opt/scalix/bin:$PATH

echo -n "What should the name of your primary mailnode be? "; read mnode
echo -n "Please enter the admin password for the Scalix admin user (sxadmin)? "; read admpwd
echo -n "Please enter a password for the ldap query user? "; read ldappwd
echo -n "Please enter a password for the db user? "; read dbpwd
echo -n "Please enter the external ip address of your Scalix box? "; read ip

ldomain=$(hostname -d)
host=$(hostname)
fqdn=$(hostname -f)
short=${host:0:1}${host: -1:1}

# Initialize the Scalix Message Store
ommakeom

# Set Generation Rules for Display Name, Login Name and Internet Address
sxconfig --set -t general.usrl_cn_rule='S, G'
sxconfig --set -t general.usrl_authid_rule='gs@'
sxconfig --set -t orniasys.name_part_1='"C" <G.S>' -t orniasys.domain_part_1="$ldomain"

# Creating the Default Mailnode
omaddmn -m "$mnode"

# Starting the Server Daemons
omrc -n

# Creating the Default Admin User
omaddu -n "sxadmin/$mnode" --class limited -c admin -p "$admpwd" sxadmin

# Configuring the Admin User
omconfenu -n "sxadmin/$mnode"
omlimit -u "sxadmin/$mnode" -o -i 0 -m 0

# Creating the LDAP Query User
omaddu -n "sxqueryadmin/$mnode" --class limited -c admin -p "$ldappwd" "sxqueryadmin@$fqdn"

# Creating the Standard Scalix Admin Groups
omaddpdl -l "ScalixUserAdmins/$mnode"
omaddpdl -l "ScalixUserAttributesAdmins/$mnode"
omaddpdl -l "ScalixGroupAdmins/$mnode"
omaddpdl -l "ScalixAdmins/$mnode"

cat >>/var/opt/scalix/${short}/s/sys/general.cfg <<EOF
#
# The CDA service (used for "type down" in some clients) is more
# efficient if it can check the directory change log before attempting
# to update the access tables that it uses. One slow machines, it may
# also be worth uncommenting the CDA_CHECKTIME tweak to reduce the check
# interval from five minutes to an hour.
#
CDA_USE_CHANGE_LOG=TRUE
# CDA_CHECKTIME=60
#
# These tweaks limit the number and rate of IMAP connections to the
# server. The IMAP_CONNECTION_LIMIT simply restricts the total number of
# connections to the server. Note that many IMAP clients have several
# connections for each IMAP session. The IMAP_CONNRATE_LIMIT restricts
# the rate at which clients can connect to the server, in this case, at
# most 10 connections per second. If clients try to connect faster
# than that, the IMAP server simply slows down the rate at which it will
# accept new connections.
#
IMAP_CONNECTION_LIMIT=500
IMAP_CONNRATE_LIMIT=10
#
# The IMAP_IDLE_TIMEOUT tweak is the maximum time an IMAP connection
# will wait for a command before terminating the connection. The default
# setting, and the minimum required setting, is 30 minutes. Some
# clients "refresh" their connection once every thirty minutes
# exactly -- but if they are a little bit late, the server drops their
# connection. Setting a timeout of 31 minutes avoids this problem.
#
IMAP_IDLE_TIMEOUT=31
#
# This tweak arranges for Local Delivery to automatically create a
# message store for users created without one.
# Users added with the bulk-add mechanism used by the
# wizard do not have a message store. So setting this tweak allows
# them to receive mail before they are initially signed on.
#
LD_CREATE_MESSAGE_STORE=TRUE
#
# These three tweaks allow users to sign on using an alias. Only
# system-defined aliases are permitted and it the alias name is ignored
# for the purposes of message creation and so on.
#
# Note that changing these settings normally requires restarting Scalix.
#
UAL_SIGNON_ALIAS=YES
UAL_SIGNON_ALIAS_CONFIG=SYS
UAL_USE_SIGNON_ALIAS=FALSE
EOF

# Starting Scalix Services
omon -s all

# Installing the Scalix Server package
# One Debian package (scalix-tomcat_*.deb) has an error in its install script.
# It must be fixed first (unpack the deb, correct the syntax error, rebuild the deb package).
dpkg -i scalix-postgres_*.deb scalix-tomcat-connector_*.deb scalix-tomcat_*.deb \
        scalix-mobile_*.deb scalix-platform_*.deb scalix-res_*.deb scalix-sac_*.deb \
        scalix-sis_*.deb scalix-swa_*.deb

# Setup DB
/opt/scalix-postgres/bin/sxpsql-init    # To create the database and tables
/opt/scalix-postgres/bin/sxpsql-setpwd "$dbpwd"
/opt/scalix-postgres/bin/sxpsql-whitelist 127.0.0.1 "$ip"

# Setting up Scalix-Tomcat
# vi /etc/opt/scalix-tomcat/scalix-tomcat.conf
# Set RAM Usage to 50% of complete RAM (or other, e.g. 40M)
# JAVA_OPTS="-server -Xms40m -Xmx40m"

# Configure Scalix
tomcatport=80
base=/var/opt/scalix/${short}
files="$base/webmail/swa.properties \
       $base/caa/scalix.res/config/ubermanager.properties \
       $base/res/config/res.properties \
       $base/platform/platform.properties \
       $base/mobile/mobile.properties \
       $base/sis/sis.properties"
for file in $files; do
  sed -e "s;%LOCALDOMAIN%;$ldomain;g" \
      -e "s;%LOCALHOST%;$fqdn;g" \
      -e "s;%PLATFORMURL%;$fqdn;g" \
      -e "s;__SECURED_MODE__;false;g" \
      -e "s;ubermanager/__FQHN_HOST__@__KERBEROS_REALM__;;g" \
      -e "s;__KERBEROS_REALM__;;g" \
      -e "s;__FQHN_FOR_KDC_HOST__;;g" \
      -e "s;__FQHN_QUERY_SERVER_NAME__;$fqdn;g" \
      -e "s;__UBERMGR_USE_EXTERNAL_AUTH__;false;g" \
      -e "s;__UBERMGR_ALLOW_EXTERNAL_AUTH__;false;g" \
      -e "s;__UBERMGR_MAXLIST_SIZE__;100;g" \
      -e "s;__UBERMGR_MAIL_DOMAINS_LIST__;$ldomain;g" \
      -e "s;__UBERMGR_EXTERNAL_DOMAIN_AUTH_LIST__;;g" \
      -e "s;__CONFIGURED__;true;g" \
      -e "s;__FQHN_FOR_UBERMANAGER__;$fqdn;g" \
      -e "s;__TOMCAT_PORT__;$tomcatport;g" \
      -e "s;localhost;$fqdn;g" \
      -e "s;%SIS-LANGUAGE%;German;g" \
      -e "s;%INDEX-WHITELIST%;$fqdn;g" \
      -e "s;%SEARCH-WHITELIST%;$fqdn;g" \
      "$file" > "$file.neu"
  mv "$file.neu" "$file"
done

# Write Ldappassword to psdata
cd ${base}/caa/scalix.res/config
echo "$ldappwd" > psdata
chown root:root psdata
chmod 400 psdata
cd

# Restart Tomcat
/etc/init.d/scalix-tomcat restart

# Setup Apache
ln -s /opt/scalix/global/httpd/scalix-web-client.conf /etc/apache2/conf.d
cat << EOF > /etc/apache2/conf.d/scalix-access.conf
<Location />
    Allow from all
</Location>
EOF
/etc/init.d/apache2 restart

cat << EOT
#####################################################
# You should now be able to access scalix at:
# http://$fqdn/sac
# http://$fqdn/webmail
#####################################################
EOT
You should now be able to log in at the URL above as sxadmin with the password defined earlier. As sxadmin you can create new users in the Scalix Admin Console (SAC).
To save resources, Tomcat's memory consumption can be reined in a little in /etc/opt/scalix-tomcat/scalix-tomcat.conf:
# Configuration file for Scalix Tomcat

# The directory where Java is installed
# (determined from /usr/bin/java managed by update-alternatives
# by default, change to hardcoded path if needed):
JAVA_HOME="`/opt/scalix-tomcat/bin/determine-java-home`"

# Additional arguments to be passed to Java:
JAVA_OPTS="-server -Xms40m -Xmx40m"

# Maximum number of file descriptors
ULIMIT_NUM_FILES="1000"