From Fedora Project Wiki

Revision as of 14:27, 18 February 2011 by Lroudier (talk | contribs)

This page is a draft only
It is still under construction and content may change. Do not rely on the information on this page.

Summary

The goal of this howto is to install a mail server based on Cyrus, with a webmail based on Horde (version 4).

The different components inside the server

Initialisation and prerequisites

Open a terminal, switch to root, and use that shell for all the following operations:

> su -

The first step is to install all the required packages from the repositories (fedora and rpmfusion):

> yum install httpd horde imp ingo kronolith turba mysql-server php-mysql 389-ds 389-ds-base 389-ds-console policycoreutils-gui \
  cyrus-imapd cyrus-imapd-utils cyrus-sasl-ldap postfix fetchmail aspell php-pear-MDB2-Driver-mysql \
  php-pear-Mail-mimeDecode php-pear-Date-Holidays php-pear-HTTP-Request php-idn php-libpuzzle php-facedetect php-pecl-imagick php-pecl-geoip \
  php-pecl-lzf php-mbstring php-mcrypt php-pear-Services-Weather php-pear-Net-DNS openssl mod_ssl

Set the value of date.timezone in “/etc/php.ini” (for example: date.timezone = Europe/Paris). If you do not, you will get a lot of errors in the httpd log.

Change the SELinux policy to authorise external connections: TBD (for the moment, disable it using the graphical tool: TBD)


The following passwords will be used in the rest of this document:

  User or application          Password
  root                         Pass-root
  MySQL (application)          Pass-mySql
  Horde (inside MySQL)         Pass-horde-DB
  389 DS administration        Pass-389-admin
  389 DS Directory Manager     Pass-389-dir-man
  user1                        Pass-user1
  user2                        Pass-user2
  admin                        pass-admin

We will also assume that you are located in the domain “domain.com” and that the server is named “comp1”. The computer name and domain must be correctly defined (check them with the hostname command) or the configuration will not work correctly.

Finally, for security reasons, we will use encrypted connections wherever possible, for example LDAPS instead of LDAP. For that we need a certificate. First create the private key (note that 1024-bit RSA keys, as in the command below, are no longer considered adequate; use 2048 bits or more on a new deployment):

> mkdir /etc/certificate 
> chmod 700 /etc/certificate 
> cd /etc/certificate 
> openssl genrsa -des3 -out server.key 1024

When the command asks “Enter pass phrase for server.key:”, enter a sentence ('phrase' below) and remember it. Now create the CSR file (Certificate Signing Request):

> cd /etc/certificate 
> openssl req -new -key server.key -out server.csr

  • Enter pass phrase for server.key: ==> 'phrase'
  • Country Name (2 letter code) [XX]: ==> answer it
  • State or Province Name (full name) []: ==> answer it
  • Locality Name (eg, city) [Default City]: ==> answer it
  • Organization Name (eg, company) [Default Company Ltd]: ==> answer it
  • Organizational Unit Name (eg, section) []: ==> answer it
  • Common Name (eg, your name or your server's hostname) []: ==> domain.com
  • Email Address []: ==> admin@domain.com
  • A challenge password []: ==> empty
  • An optional company name []: ==> empty

Remove the passphrase from the key (otherwise httpd and 389 DS would prompt for it at every start)

> cd /etc/certificate 
> cp server.key server.key.org
> openssl rsa -in server.key.org -out server.key

Enter pass phrase for server.key.org: ==> 'phrase'

Generate a self-signed certificate valid for 365 days (so it has to be renewed every year, which is more secure):

> cd /etc/certificate 
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


Comment out the port 80 (non-secure access) definition in httpd.conf:

> gedit /etc/httpd/conf/httpd.conf

Add a # in front of the line “Listen 80”. Then configure SSL access (port 443):

> gedit /etc/httpd/conf.d/ssl.conf

In /etc/httpd/conf.d/ssl.conf, set the lines:
SSLCertificateFile /etc/certificate/server.crt
SSLCertificateKeyFile /etc/certificate/server.key

Edit the Horde section of the web server configuration:

> gedit /etc/httpd/conf.d/horde.conf

After the line “Allow from 127.0.0.1”, add the line “Allow from YourExternalIP” (with your external IP address).

Start the web server for the current session and add it to the list of services started at boot:

> /sbin/chkconfig httpd on
> /etc/init.d/httpd start


Mysql configuration

Start the DB server for the current session and add it to the list of services started at boot:

> /sbin/chkconfig mysqld on
> /etc/init.d/mysqld start

Configure MySQL:

> mysql_secure_installation

Enter current password for root (enter for none): ==> Pass-root
Change the root password? [Y/n] ==> y
New password: ==> Pass-mySql
Remove anonymous users? [Y/n] ==> Y
Disallow root login remotely? [Y/n] ==> Y
Remove test database and access to it? [Y/n] ==> Y
Reload privilege tables now? [Y/n] ==> Y

Add to the database the tables used by Horde. First edit the file “/usr/share/horde/scripts/sql/create.mysql.sql” and change the password (the line after “-- IMPORTANT: Change this password.”) to “Pass-horde-DB”.

> gedit /usr/share/horde/scripts/sql/create.mysql.sql
> cd /usr/share/horde/scripts/sql/
> mysql -u root -p < create.mysql.sql

Password used: “Pass-mySql”.

> cd /usr/share/horde/kronolith/scripts/sql/
> mysql -u root -p horde < kronolith.mysql.sql

Password used: “Pass-mySql”.

389 DS configuration

Initialisation of the server

Configuring LDAP by hand is more difficult, so the choice on a Fedora box is to use 389 DS instead (thanks to the 389-console tool).

Add schema for Horde

> gedit /usr/share/horde/turba/scripts/ldap/rfc2739.schema

In /usr/share/horde/turba/scripts/ldap/rfc2739.schema, replace "attribute" with "attributetype".

> cd /usr/lib/dirsrv/perl
> wget http://directory.fedoraproject.org/download/ol-schema-migrate.pl
> chmod 700 ol-schema-migrate.pl 
> ./ol-schema-migrate.pl -b /usr/share/horde/scripts/ldap/horde.schema > /etc/dirsrv/schema/60horde.ldif
> ./ol-schema-migrate.pl -b /usr/share/horde/turba/scripts/ldap/rfc2739.schema > /etc/dirsrv/schema/05rfc2739.ldif

Configure 389 DS

> setup-ds-admin.pl -u

Would you like to continue with set up? [yes]: ==> yes
Do you agree to the license terms? [no]: ==> yes
Would you like to continue? [no]: ==> yes (for personal use of 389 DS, the stated limit is fine)
Choose a setup type [2]: ==> 2
Computer name [comp1.domain.com]: ==> comp1.domain.com
System User [nobody]: ==> nobody (the user ‘nobody’ already exists in a base Fedora install)
System Group [nobody]: ==> nobody
Do you want to register this software with an existing configuration directory server? [no]: ==> no
administrator ID [admin]: ==> admin
Password: ==> Pass-389-admin
Password (confirm): ==> Pass-389-admin
Administration Domain [domain.com]: ==> domain.com
Directory server network port [389]: ==> 389
Directory server identifier [comp1]: ==> comp1
Suffix [dc=domain, dc=com]: ==> dc=domain, dc=com
Directory Manager DN [cn=Directory Manager]: ==> cn=Directory Manager
Password: ==> Pass-389-dir-man
Password (confirm): ==> Pass-389-dir-man
Administration port [9830]: ==> 9830
Are you ready to set up your servers? [yes]: ==> yes

Add the certificate so that the LDAP server can use TLS:

> cd /etc/dirsrv/slapd-comp1
> openssl pkcs12 -export -inkey /etc/certificate/server.key -in /etc/certificate/server.crt -out /tmp/crt.p12 -nodes -name 'Server-Cert'

Enter Export Password: ==> none
Verifying - Enter Export Password: ==> none

> pk12util -i /tmp/crt.p12 -d .

Enter new password: ==> none
Re-enter password: ==> none
Enter password for PKCS12 file: ==> none

> certutil -d . -A -n "My Local CA" -t CT,, -a -i /etc/certificate/server.crt

Now update the configuration so that only the secure port (636) is used. For that, create two files.

First, /tmp/ssl_enable.ldif:

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: required
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-port
nsslapd-port: 0

Then /tmp/addRSA.ldif:

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

Two caveats on ssl_enable.ldif: nsSSLClientAuth: required makes the server demand a client certificate from every LDAPS client (use allowed if Horde, Cyrus or Postfix will not present one), and nsSSL3: on together with the +fortezza, rc4_40, rc2_40, export1024 and single-DES entries enables a protocol and ciphers that are now considered broken; on a current 389 DS prefer nsTLS1: on and a cipher list restricted to modern suites.


Load these files into the LDAP server:

> /usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w - -f /tmp/ssl_enable.ldif
> /usr/lib/mozldap/ldapmodify -D "cn=directory manager" -w - -a -f /tmp/addRSA.ldif

Each time, use the password: Pass-389-dir-man
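As an added check that is not part of the original howto, the following Python audits the cn=encryption record of /tmp/ssl_enable.ldif above: it parses the LDIF record, splits the nsSSL3Ciphers +/- list into enabled and disabled ciphers, and flags the enabled ones that are weak by today's standards along with the nsSSL3 and nsSSLClientAuth settings. The weak-name markers and the function names are assumptions of this example, not 389 DS features.

```python
# Constructed sample: the cn=encryption record of /tmp/ssl_enable.ldif from this howto.
SSL_ENABLE_LDIF = """\
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: required
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,-rc4,-rc4export,-rc2,-rc2export,-des,-desede3
"""
# Assumed name fragments that mark a cipher as weak: NULL encryption, export grade,
# 40/56-bit keys, RC4, MD5 MACs, single DES and the obsolete Fortezza suites.
WEAK_MARKERS = ("null", "export", "_40_", "_56_", "rc4", "md5", "_des_", "fortezza")

def ldif_attributes(text):
    """Return (attr, value) pairs of one LDIF record, attribute names lower-cased."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(" ") and pairs:  # RFC 2849 folded continuation line
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + line[1:])
        elif line.strip() and line != "-":  # skip blank lines and '-' separators
            attr, _, value = line.partition(":")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def audit_ciphers(spec):
    """Split a 389 DS '+name,-name' cipher spec and flag enabled weak ciphers."""
    enabled, disabled = [], []
    for token in (t.strip() for t in spec.split(",")):
        if token.startswith("+"):
            enabled.append(token[1:])
        elif token.startswith("-"):
            disabled.append(token[1:])
    weak = [c for c in enabled if any(m in c for m in WEAK_MARKERS)]
    return {"enabled": enabled, "disabled": disabled, "weak_enabled": weak}

def audit_ldif(text):
    """Audit the encryption record: protocol flag, client-auth mode and cipher list."""
    attrs = dict(ldif_attributes(text))  # later duplicates win; fine for this record
    report = audit_ciphers(attrs.get("nsssl3ciphers", ""))
    report["sslv3_enabled"] = attrs.get("nsssl3", "").lower() == "on"
    report["client_auth"] = attrs.get("nssslclientauth", "off")
    return report
```

Run against the sample, only the two 3DES suites survive the weak-marker filter, and SSLv3 plus mandatory client authentication are reported as enabled.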

Start 389 DS for the current session and add it to the list of services started at boot:

> /sbin/chkconfig dirsrv on
> /etc/init.d/dirsrv restart

Filling the directory service

With the admin tool

Import the certificate into the admin server's certificate database:

> cd /etc/dirsrv/admin-serv
> certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/certificate/server.crt

Start the 389 DS admin server for the current session. The admin server must be running whenever the tool is needed (for example to change the LDAP database):

> /etc/init.d/dirsrv-admin start


Start the tool and log in with:
  Name: “admin”
  Password: “Pass-389-admin”
  Server: “http://comp1.domain.com:9830”

> /usr/bin/389-console

(TBD)

Create the admin and root accounts

Direct import

(TBD)