MINI-HOWTO: Installing Cyrus IMAP + OpenLDAP + Sendmail + SASL on an OpenBSD 3.3 box.
This MINI-HOWTO is a work in progress. Explanations are not given, and I make a lot of assumptions about your knowledge of the different software used herein, as well as about already installed additional systems like a working LDAP master somewhere on your network. I won't take any responsibility for what can go wrong when using the information given here. It's for sure not foolproof and not 100% secure, but hey, as I said, it's a work in progress... You've been warned.
Configuring OpenBSD
- Change default shell for root to /bin/sh
vipw
- Login again.
- Add user bobak
groupadd -g 500 bobak
useradd -s /bin/sh -g bobak -G wheel -m -d /home/bobak -u 500 bobak
passwd bobak
Allow users in group 'wheel' to sudo:
visudo
# uncomment first line that starts with "#%wheel"
- Add the following lines to /home/bobak/.profile and /root/.profile
alias ll='ls -al'
alias pu='rm -fr *~ .*~'
- Check for correct IP address in /etc/hosts
- Edit boot configuration:
vi /etc/rc.conf
ntpdate_flags="swisstime.ethz.ch"
wsmoused_flags=""
pf=YES
- Mount data partition (this is where I keep all data that should
survive an OS upgrade):
mkdir /data
echo "/dev/wd0h /data ffs rw,nodev,nosuid 1 2" >> /etc/fstab
- I want to power down on halt:
vi /etc/rc.shutdown
powerdown=YES
- Reboot
- Login remotely as bobak and su to root
Extracting and updating OpenBSD source and ports tree
- Put OpenBSD CD-ROM in CD drive.
- Extract OpenBSD source:
mount -t cd9660 /dev/cd0a /mnt
cd /usr/src
tar xvzfp /mnt/3.3/src.tar.gz
tar xvzfp /mnt/3.3/sys.tar.gz
cd /usr
tar xvzfp /mnt/3.3/ports.tar.gz
umount /mnt
- Remove CD-ROM from CD drive.
- Update source and ports to the latest version:
export CVS_RSH=/usr/bin/ssh
cd /usr/src
cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs -q update -dP -rOPENBSD_3_3 .
cd /usr/ports
cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs -q update -dP -rOPENBSD_3_3 .
- Make sure object files are not created on the /usr partition:
mkdir /data/obj
mkdir -p /data/ports/obj
mkdir /data/ports/distfiles
mkdir /data/ports/packages
chgrp -R wsrc /data/ports /data/obj
rmdir /usr/obj
ln -s /data/obj /usr/obj
cat > /etc/mk.conf << EOF
WRKOBJDIR=/data/ports/obj
DISTDIR=/data/ports/distfiles
PACKAGES=/data/ports/packages
EOF
- Initialize object tree:
cd /usr/src
find . -type l -name obj |xargs rm
make cleandir
rm -rf /usr/obj/*
make obj
cd /usr/src/etc && make DESTDIR=/ distrib-dirs
Upgrading to latest OpenBSD RAID kernel and system
- Create RAID kernel:
mkdir /data/kernel
cd /data/kernel
cp /usr/src/sys/arch/i386/conf/GENERIC GENERIC_RAID
vi GENERIC_RAID
# add RAIDframe auto-configuration and uncomment the raid pseudo-device:
option RAID_AUTOCONFIG
pseudo-device raid 4 # RAIDframe disk driver
config -s /usr/src/sys -b . GENERIC_RAID
make clean && make
- Install RAID kernel:
cd /data/kernel
mv /bsd /bsd.old
cp bsd /
reboot
- If things didn't work out, enter bsd.old at the boot prompt in order to boot from the original kernel.
- Build and install the system:
cd /usr/src
make build
- Check if /etc is up-to-date
cd /usr/ports/sysutils/mergemaster/
make install
make clean
/usr/local/sbin/mergemaster -v
Installing useful ports
- bash2
cd /usr/ports/shells/bash2
FLAVOR=static make install
FLAVOR=static make clean
echo "/usr/local/bin/bash" >> /etc/shells
- autoconf
cd /usr/ports/devel/autoconf/
make install
make clean
- automake
cd /usr/ports/devel/automake/
make install
make clean
- libtool
cd /usr/ports/devel/libtool/
make install
make clean
- ncftp
cd /usr/ports/net/ncftp
make install
make clean
- wget
cd /usr/ports/net/wget
make install
make clean
cd /usr/ports/devel/gmake/
make clean
cd /usr/ports/devel/gettext/
make clean
cd /usr/ports/converters/libiconv/
make clean
- XEmacs21
cd /usr/ports/editors/xemacs21
FLAVOR=no_x11 make install
FLAVOR=no_x11 make clean
cd /usr/ports/devel/metaauto/
make clean
cd /usr/ports/editors/xemacs21-sumo
make install
make clean
cd /usr/ports/archivers/bzip2/
make clean
Installing and configuring SNMP
- Install the ucd-snmp port:
cd /usr/ports/net/ucd-snmp
make install
make clean
- Create configuration file:
cp /usr/local/share/examples/ucd-snmp/EXAMPLE.conf /etc/snmpd.conf
# make /usr/local/etc a symlink to /etc so the daemon finds the file there;
# if /usr/local/etc already exists as an (empty) directory, remove it first,
# otherwise ln would silently create /usr/local/etc/etc instead
rmdir /usr/local/etc 2>/dev/null
ln -s /etc /usr/local/etc
- Edit configuration file "/etc/snmpd.conf" in your favourite
editor:
[...]
####
# First, map the community name (COMMUNITY) into a security name.
# "change_me" is a placeholder: pick real community strings, and use a
# different one for the read-write "local" mapping than for the read-only
# networks, since v1/v2c communities travel in cleartext and everyone on
# those networks learns them.
#       sec.name        source          community
com2sec local           localhost       change_me
com2sec mynw_internal   10.0.0.0/24     change_me
com2sec mynw_dmz        10.0.1.0/24     change_me
####
# Second, map the security names into group names:
#               sec.model  sec.name
group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
group MyROGroup v1         mynw_internal
group MyROGroup v2c        mynw_internal
group MyROGroup usm        mynw_internal
group MyROGroup v1         mynw_dmz
group MyROGroup v2c        mynw_dmz
group MyROGroup usm        mynw_dmz
[...]
###############################################################################
# System contact information
#
[...]
syslocation Zurich/Switzerland
syscontact SNMP Admin <snmpadmin@abstrakt.ch>
[...]
###############################################################################
# Process checks.
#
[...]
# Make sure at least one sendmail, but less than or equal to 10, are running.
proc sendmail 10 1
[...]
###############################################################################
# disk checks
#
[...]
disk / 50%
disk /tmp 5%
disk /var 20%
disk /data 20%
disk /home 30%
disk /usr 20%
[...]
###############################################################################
# load average checks
#
[...]
# Check for loads:
load 12 14 14
[...]
- Make sure the SNMP daemon is started at boot time:
vi /etc/rc.local
# uncomment the 'snmp' lines
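The com2sec and group tables above decide who gets read-write and who gets read-only access, and it is easy to misread a first-match table by hand. The following script is an added example, not part of the original HOWTO or of ucd-snmp: it evaluates the com2sec/group lines of an snmpd.conf the way the daemon does (first com2sec line whose source contains the client address and whose community matches supplies the security name; the group line for that sec.model and sec.name supplies the group). The sample configuration embedded in it is constructed for the demo and repeats only the v1/v2c part of the page's snmpd.conf; it assumes IPv4 sources and takes "localhost" to mean 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: resolve which ucd-snmp group a request
# lands in, from the com2sec and group lines of an snmpd.conf.
# Assumptions: IPv4 only; "localhost" is 127.0.0.1; "default" matches any source.

# Constructed sample, copying the v1/v2c part of the page's snmpd.conf.
SAMPLE_SNMPD_CONF='#       sec.name        source          community
com2sec local           localhost       change_me
com2sec mynw_internal   10.0.0.0/24     change_me
com2sec mynw_dmz        10.0.1.0/24     change_me
#               sec.model  sec.name
group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyROGroup v1         mynw_internal
group MyROGroup v2c        mynw_internal
group MyROGroup v1         mynw_dmz
group MyROGroup v2c        mynw_dmz'

ip_to_int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_source() {  # in_source CLIENT SOURCE -> 0 if SOURCE (host, a.b.c.d/bits, localhost, default) contains CLIENT
    c=$1; s=$2
    case "$s" in
        default)   return 0 ;;
        localhost) s=127.0.0.1 ;;
    esac
    case "$s" in
        */*) net=${s%/*}; bits=${s#*/} ;;
        *)   net=$s; bits=32 ;;
    esac
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip_to_int "$c") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

sec_name_for() {  # sec_name_for CONF CLIENT COMMUNITY -> prints the sec.name of the first matching com2sec line
    while read -r kw name src comm; do
        [ "$kw" = com2sec ] && [ "$comm" = "$3" ] || continue
        if in_source "$2" "$src"; then echo "$name"; return 0; fi
    done < "$1"
    return 1
}

group_for() {  # group_for CONF MODEL SECNAME -> prints the group for that (sec.model, sec.name)
    while read -r kw grp model name; do
        [ "$kw" = group ] && [ "$model" = "$2" ] && [ "$name" = "$3" ] || continue
        echo "$grp"; return 0
    done < "$1"
    return 1
}

resolve() {  # resolve CONF CLIENT COMMUNITY MODEL -> prints the group, or "denied" with status 1
    if sec=$(sec_name_for "$1" "$2" "$3") && grp=$(group_for "$1" "$4" "$sec"); then
        echo "$grp"; return 0
    fi
    echo denied; return 1
}

demo() {  # run a few constructed requests against the sample configuration
    tmpconf=$(mktemp)
    printf '%s\n' "$SAMPLE_SNMPD_CONF" > "$tmpconf"
    for req in "127.0.0.1 change_me v2c" "10.0.0.7 change_me v1" \
               "10.0.1.200 change_me v2c" "10.0.2.1 change_me v1" "10.0.0.7 public v1"; do
        set -- $req
        printf '%-11s %-10s %-4s -> %s\n' "$1" "$2" "$3" "$(resolve "$tmpconf" "$1" "$2" "$3" || true)"
    done
    rm -f "$tmpconf"
}
demo
# On the box itself: resolve /etc/snmpd.conf 10.0.1.5 change_me v2c
```

The demo shows the point made in the configuration comment: with one community string for all three com2sec lines, a host on 10.0.1.0/24 that is read-only today already knows the community that grants MyRWGroup from localhost, so the only thing keeping it read-only is the source address check.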
Installing and configuring slave OpenLDAP
- Install the port:
cd /usr/ports/databases/openldap/
SUBPACKAGE=-server make install
SUBPACKAGE=-server make clean
- Add ldap user and group:
groupadd -g 55 ldap
useradd -s /sbin/nologin -c "LDAP Server" -g ldap -m -d /var/ldap -u 55 ldap
rm -f /var/ldap/.??*   # drop the skeleton dotfiles useradd -m copied in
- Copy slapd.conf and the schema files from ldap-master to /etc/openldap/ on this host (scp them; slapd.conf may hold credentials).
- Edit the slapd.conf
vi /etc/openldap/slapd.conf
# create pid file
pidfile /var/ldap/slapd.pid
# fix TLSCertificateFile and TLSCertificateKeyFile
# fix directory line:
directory /var/ldap
# remove line "replogfile"
# remove lines starting with "replica"
# add update lines (the slave accepts writes only from the replicator DN
# and refers every other write attempt to the master):
updatedn "cn=replicator,ou=Accounts,dc=CHANGE,dc=ME"
updateref "ldaps://ldap-master:636/"
- Setup logging:
touch /var/log/ldap.log
vi /etc/syslog.conf
local4.* /var/log/ldap.log
kill -HUP `cat /var/run/syslog.pid`
- Export original LDAP directory:
- ldap-master: stop slapd and slurpd, e.g.
/etc/init.d/ldap stop
- ldap-master: export directory into an LDIF file:
slapcat -l ldap.ldif
- copy ldap.ldif to ldap-slave with scp (it contains the password hashes of every account, so delete it on both hosts once the import is done)
- ldap-slave: import directory
/usr/local/sbin/slapadd -v -c -f /etc/openldap/slapd.conf -b "dc=CHANGE,dc=ME" -l ldap.ldif
chown ldap:ldap /var/ldap/*
- ldap-slave: start slapd:
/usr/local/libexec/slapd -u ldap -h "ldap://localhost:389/ ldaps://ldap-slave:636/"
- ldap-master: restart ldap
/etc/init.d/ldap start
- Start slapd on boot and stop on shutdown. Note that the listener list
  here adds cleartext ldap://ldap-slave:389/ on the network interface,
  which the hand-started instance above did not have; drop it unless some
  client really needs unencrypted LDAP, since login_ldap below uses port
  636 and saslauthd talks to localhost:
vi /etc/rc.local
# OpenLDAP Daemon
if [ -x /usr/local/libexec/slapd ]; then
    echo -n ' slapd'; /usr/local/libexec/slapd -u ldap -h "ldap://localhost:389/ ldap://ldap-slave:389/ ldaps://ldap-slave:636/"
fi
vi /etc/rc.shutdown
# stop OpenLDAP slapd
if [ -r /var/ldap/slapd.pid ]; then
kill `cat /var/ldap/slapd.pid | head -1`
fi
Installing LDAP authentication for users
- Install port (enable-login_ldap sits in the port's fake install
  directory; with WRKOBJDIR set in /etc/mk.conf the work directory lives
  under /data/ports/obj rather than the port directory, so adjust the path):
cd /usr/ports/sysutils/login_ldap
make install
./w-login_ldap-3.3/fake-i386/usr/local/bin/enable-login_ldap
make clean
chmod u+s /usr/libexec/auth/login_-ldap
- Add ldap authentication to login.conf. Keep in mind that /etc/login.conf is world-readable, so every local user can read x-ldap-bindpw; give cn=lookup nothing beyond the read access the lookup needs:
vi /etc/login.conf
#
# LDAP Specs
#
ldap:\
:requirehome@:\
:auth=-ldap:\
:x-ldap-server=ldap-slave:\
:x-ldap-server-alt=ldap-master:\
:x-ldap-port=636:\
:x-ldap-basedn=ou=Users,dc=CHANGE,dc=ME:\
:x-ldap-binddn=cn=lookup,ou=Accounts,dc=CHANGE,dc=ME:\
:x-ldap-bindpw=YOUR_SECRET:\
:x-ldap-uscope=subtree:\
:x-ldap-noreferrals:\
:x-ldap-filter=(&(objectClass=posixAccount)(uid=%u)):\
:x-ldap-gscope=base:\
:x-ldap-groupdn=cn=unixAccount,ou=THE_MACHINE,ou=Roles,dc=CHANGE,dc=ME:\
:x-ldap-groupfilter=(|(&(objectClass=posixGroup)(memberUid=%u))(&(objectClass=groupOfUniqueNames)(uniqueMember=%d))):
- reboot
- Change users to LDAP authentication:
vipw
# for each user you want LDAP access, insert "ldap" between the colons in '::0:0:'
- Open a new console and try to login using an LDAP based account.
Installing Cyrus SASL2 with LDAP patch
- Go to the port directory:
cd /usr/ports/security/cyrus-sasl2
- Two possible ways to do get LDAP group support into Cyrus SASL2:
(1) Use the current port as of writing (version 2.1.11) and apply my
LDAP patch:
- Check the Makefile for "cyrus-sasl-2.1.11", as the patch is against that version:
grep DISTNAME Makefile
DISTNAME=	cyrus-sasl-2.1.11
- Download the LDAP patch:
wget http://www.abstrakt.ch/unix/cyrus-sasl-2.1.11-ldap-patch
- Check its checksum:
md5 cyrus-sasl-2.1.11-ldap-patch
MD5 (cyrus-sasl-2.1.11-ldap-patch) = e1ef9066bc780e4d6431ce01a6fd7f76
- Move LDAP patch to the correct location:
mv cyrus-sasl-2.1.11-ldap-patch patches/patch-ldap
(2) Update the port to use at least version 2.1.13, which includes a
variant of my patch:
- Edit Makefile:
vi Makefile
DISTNAME=	cyrus-sasl-2.1.13
- Adapt checksum for new archive:
cat > distinfo <<EOF
MD5 (cyrus-sasl-2.1.13.tar.gz) = 1114d59d970791932e96de8557472672
RMD160 (cyrus-sasl-2.1.13.tar.gz) = 70e43b6aeb62ba172526ec02fb2309f7f6e25bc4
SHA1 (cyrus-sasl-2.1.13.tar.gz) = fccd1650b5b540380c4c5f87c6de76633a30bdca
EOF
- TO BE FINISHED
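Both variants above rest on a checksum comparison: in (1) the md5 of the downloaded patch is the only check there is, because the ports tree verifies distfiles against distinfo but not files you drop into patches/; in (2) the distinfo you write is what "make checksum" will enforce for the new tarball. The script below is an added example, not part of the original HOWTO or of the OpenBSD ports infrastructure: it parses distinfo lines of the form shown above and compares every digest it can compute, so the comparison is scripted rather than eyeballed. It assumes md5sum/sha1sum (GNU, BusyBox) or md5 -q/sha1 -q (OpenBSD) are installed; the distfile it checks is constructed on the fly.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: check a distfile (or a downloaded
# patch) against OpenBSD-style distinfo lines such as
#   MD5 (cyrus-sasl-2.1.13.tar.gz) = 1114d59d970791932e96de8557472672
# Assumes md5sum/sha1sum (GNU, BusyBox) or md5 -q/sha1 -q (OpenBSD) exist.

digest() {  # digest ALGO FILE -> lowercase hex digest, or nothing if ALGO cannot be computed here
    case "$1" in
        MD5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
            elif command -v md5 >/dev/null 2>&1; then md5 -q "$2"; fi ;;
        SHA1)
            if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | cut -d' ' -f1
            elif command -v sha1 >/dev/null 2>&1; then sha1 -q "$2"; fi ;;
        *) ;;   # RMD160 and others: skipped, no portable tool assumed
    esac
}

make_distinfo() {  # make_distinfo FILE... -> distinfo lines for every computable algorithm (what "make makesum" produces)
    for f in "$@"; do
        for algo in MD5 SHA1; do
            d=$(digest "$algo" "$f")
            [ -n "$d" ] && echo "$algo ($(basename "$f")) = $d"
        done
    done
    return 0
}

verify_distinfo() {  # verify_distinfo DISTINFO FILE -> 0 all ok, 1 mismatch, 2 nothing checkable
    distinfo=$1; file=$2; name=$(basename "$file"); checked=0
    while read -r algo paren eq expected; do
        [ "$paren" = "($name)" ] && [ "$eq" = "=" ] || continue   # entries for other files
        actual=$(digest "$algo" "$file")
        [ -n "$actual" ] || continue                                # algorithm not computable here
        checked=$((checked + 1))
        if [ "$actual" != "$expected" ]; then
            echo "$name: $algo mismatch: expected $expected, got $actual" >&2
            return 1
        fi
    done < "$distinfo"
    if [ "$checked" -eq 0 ]; then
        echo "$name: no checkable digest in $distinfo" >&2
        return 2
    fi
    echo "$name: $checked digest(s) ok"
    return 0
}

demo() {  # constructed stand-in distfile: verify the pristine copy, then a tampered one
    tmp=$(mktemp -d)
    printf 'constructed stand-in for cyrus-sasl-2.1.13.tar.gz\n' > "$tmp/cyrus-sasl-2.1.13.tar.gz"
    make_distinfo "$tmp/cyrus-sasl-2.1.13.tar.gz" > "$tmp/distinfo"
    cat "$tmp/distinfo"
    verify_distinfo "$tmp/distinfo" "$tmp/cyrus-sasl-2.1.13.tar.gz"
    printf 'one appended line\n' >> "$tmp/cyrus-sasl-2.1.13.tar.gz"
    verify_distinfo "$tmp/distinfo" "$tmp/cyrus-sasl-2.1.13.tar.gz" || echo "tampered copy rejected (status $?)"
    rm -rf "$tmp"
}
demo
# For the patch of variant (1), feed it the line from the page:
#   echo "MD5 (cyrus-sasl-2.1.11-ldap-patch) = e1ef9066bc780e4d6431ce01a6fd7f76" > patch.distinfo
#   verify_distinfo patch.distinfo cyrus-sasl-2.1.11-ldap-patch
```

A mismatch or a file with no checkable entry both return non-zero, so the function can gate the "mv ... patches/patch-ldap" step in a script instead of relying on a visual comparison of 32 hex digits.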
- Build and install the port:
CONFIGURE_ARGS=--with-ldap=/usr/local make
make install
make clean
- Create saslauthd.conf (it holds the bind password, so keep the file owned by root with mode 600; saslauthd runs as root and can still read it):
cat > /etc/saslauthd.conf << EOF
ldap_servers: ldap://localhost/
ldap_bind_dn: cn=imap,ou=Accounts,dc=CHANGE,dc=ME
ldap_bind_pw: secret
ldap_scope: sub
ldap_search_base: ou=Accounts,dc=CHANGE,dc=ME
ldap_auth_method: bind
#ldap_filter: (&(uid=%u)(|(role=mailUser)(role=mailAdmin)))
ldap_group_dn: cn=%s,ou=MAILROLE,ou=Roles,dc=CHANGE,dc=ME
EOF
- Start the SASL2 authentication daemon on boot:
vi /etc/rc.local
# Cyrus SASL Authentication Daemon
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a ldap
fi
- And stop it during shutdown:
vi /etc/rc.shutdown
# Stop Cyrus SASL Authentication Daemon
if [ -r /var/sasl2/mux.pid ]; then
kill `cat /var/sasl2/mux.pid | head -1`
fi
Installing Berkeley DB4-1 (requirement for Cyrus IMAP)
- Note: you don't have to be root for this section.
- Retrieve Berkeley DB 4.1.25 and patches from http://www.sleepycat.com/download/
cd /tmp
wget http://www.sleepycat.com/update/snapshot/db-4.1.25.tar.gz
wget http://www.sleepycat.com/update/4.1.25/patch.4.1.25.1
- Extract db:
tar xvzf db-4.1.25.tar.gz
- Patch db:
cd db-4.1.25
patch < ../patch.4.1.25.1
- Configure and make it:
cd build_unix
../dist/configure \
--enable-compat185 \
--enable-dump185 \
--enable-cxx
make
- Install it (by switching to root using 'sudo'):
sudo make install
- You should now have a Berkeley DB 4.1 installed in
/usr/local/BerkeleyDB.4.1/
Installing Cyrus IMAP Server
- Note: you don't have to be root for this section
- Retrieve the Cyrus IMAP Server tarball from: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
cd /tmp
ncftpget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.1.13.tar.gz
- Extract the tarball:
tar xvzf cyrus-imapd-2.1.13.tar.gz
- As OpenBSD doesn't have a makedepend binary, make and install the
one included in the Cyrus package:
cd cyrus-imapd-2.1.13/makedepend
./configure
make
sudo cp makedepend /usr/local/bin/
cd ..
- In order for "imtest" to work properly, comment out the following preprocessor lines in the file "imtest/imtest.c":
- line 79: "#ifdef HAVE_SSL" becomes "/* #ifdef HAVE_SSL */"
- line 86: "#else /* HAVE_SSL */" becomes "/* #else HAVE_SSL */"
- line 94: "#endif /* HAVE_SSL */" becomes "/* #endif HAVE_SSL */"
- Configure and build the IMAP server:
./configure \
--with-openssl=/usr \
--with-cyrus-user=cyrus \
--with-cyrus-group=mail \
--with-auth=unix \
--with-notify=no \
--with-idle=idled \
--with-dbdir=/usr/local/BerkeleyDB.4.1 \
--with-sasl=/usr/local \
--without-ucdsnmp \
--disable-gssapi
make depend
make all CFLAGS=-O2
- If all went well, switch to the root user:
su
- [root] Install the server:
make install
- [root] Add the cyrus user and the mail group (you can use
different ids, mine match with the RedHat mail/mail user/group for
historical reasons):
groupadd -g 12 mail
useradd -s /bin/sh -g mail -G daemon -d /usr/cyrus -u 8 cyrus
- [root] Add the logging to /etc/syslog.conf and create the initial logfile:
touch /var/log/imapd
vi /etc/syslog.conf
# Cyrus IMAP
local6.debug /var/log/imapd
kill -HUP `cat /var/run/syslog.pid`
- [root] Create Cyrus IMAP config file:
cat > /etc/imapd.conf << EOF
configdirectory: /data/cyrus/imap
partition-default: /data/cyrus/partition
admins: mailadm
sasl_pwcheck_method: saslauthd
sendmail: /usr/sbin/sendmail
sievedir: /data/cyrus/sieve
# --- uncomment the following lines if you have a valid certificate for the mail server
#tls_ca_file: /data/certs/cacert.pem
#tls_cert_file: /data/certs/mail.CHANGE.ME.cert.pem
#tls_key_file: /data/certs/mail.CHANGE.ME.key.pem
EOF
- [root] Create spool and other directories:
mkdir -p /data/cyrus/partition /data/cyrus/imap /data/cyrus/sieve
chown -R cyrus:mail /data/cyrus/*
chmod 750 /data/cyrus/imap
chmod 750 /data/cyrus/sieve
ln -s /data/cyrus/imap /var/imap
ln -s /data/cyrus/sieve /var/sieve
ln -s /data/cyrus/partition /var/spool/imap
- [root] Initialize directories as user 'cyrus':
su cyrus
tools/mkimap
exit
- [root] Create master daemon config file:
cp master/conf/prefork.conf /etc/cyrus.conf
- [root] Append additional mail services to /etc/services:
cat >> /etc/services << EOF
#
# Cyrus IMAP additional services
#
imsp		406/tcp
acap		674/tcp
sieve		2000/tcp
lmtp		2003/tcp
fud		4201/udp
EOF
- [root] Start the Cyrus master daemon on boot:
vi /etc/rc.local
# Cyrus IMAP Master Daemon
if [ -x /usr/cyrus/bin/master ]; then
echo -n ' master'; /usr/cyrus/bin/master &
fi
- [root] Make it stop during shutdown:
vi /etc/rc.shutdown
# Stop Cyrus IMAP Master Daemon
# match the full path, so that no other process with "master" in its name
# gets killed; the [/] trick keeps grep from matching its own command line
PID=`ps -axwww | grep '[/]usr/cyrus/bin/master' | awk '{print $1}'`
if [ "X$PID" != "X" ]; then
    kill $PID
fi
- [root] Start master daemon by hand:
/usr/cyrus/bin/master &
- [root] Create the root mailbox:
cyradm --user mailadm --auth login localhost
IMAP Password: <enter your mailadm password here>
localhost> cm user.root
localhost> exit
- [root] And finally, we're done as root:
exit
Making and Installing Sendmail with SASL2 and Milter
- Note: this section is easier if you're root...
- Go to the sendmail source:
cd /usr/src/gnu/usr.sbin/sendmail
- Make sure we're starting clean:
make clean
- Add SASL libraries etc. to the Makefile by executing the following
  lines. -D_FFR_UNSAFE_SASL makes sendmail skip its safety check on the
  SASL configuration file; if you keep it, make sure yourself that
  /usr/local/lib/sasl2/Sendmail.conf (created below) is owned by root and
  not group- or world-writable:
cat >> Makefile.inc << EOF
.if defined(WANT_SASL)
ENVDEF+= -DSASL -D_FFR_UNSAFE_SASL
LDADD+= -lsasl2 -ldb
CFLAGS+= -I/usr/local/include -I/usr/local/include/sasl
LDFLAGS+=-L/usr/local/lib -L/usr/local/BerkeleyDB.4.1/lib
.endif
EOF
echo >> /etc/mk.conf "WANT_SASL=1"
- Tell make to include Milter support:
echo >> /etc/mk.conf "WANT_LIBMILTER=1"
- Compile libmilter:
cd libmilter
make
cd ..
- Compile and install new Sendmail:
make
make install
make clean
- Create Sendmail.conf file for SASL2:
echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf
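By now the setup has scattered secrets and daemon-trusted configuration across several files: the bind password in /etc/saslauthd.conf, credentials and the TLS key referenced from /etc/openldap/slapd.conf, the key file named in /etc/imapd.conf, and the Sendmail.conf that sendmail refuses to trust when it is writable by others (the check -D_FFR_UNSAFE_SASL above switches off). The script below is an added example, not part of the original HOWTO or of any of the packages: it audits a list of files against two policies, "secret" (no group/other bits at all) and "trusted" (not group/other writable), by parsing ls -l output, whose mode field has the same shape on OpenBSD and Linux. The files in the demo are constructed in a temporary directory; the real paths appear in the comment at the end.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: audit the permission bits of the
# files this setup leaves secrets or daemon-trusted configuration in.
#   secret  - holds a password or private key: no group/other bits at all
#   trusted - read by a daemon, must merely not be writable by group/other
#             (what sendmail's SASL config check enforces unless it was built
#             with _FFR_UNSAFE_SASL)
# Parses "ls -ld", whose first field looks the same on OpenBSD and Linux,
# so no OS-specific stat(1) flags are needed.

perm_bits() {  # perm_bits FILE -> the nine permission characters, e.g. rw-r-----
    ls -ld "$1" | cut -c2-10
}

check_mode() {  # check_mode FILE secret|trusted -> 0 ok, 1 too open, 2 missing, 3 bad policy
    f=$1; policy=$2
    [ -e "$f" ] || { echo "$f: missing" >&2; return 2; }
    bits=$(perm_bits "$f")
    grp_oth=$(printf '%s' "$bits" | cut -c4-9)   # group rwx followed by other rwx
    case "$policy" in
        secret)
            case "$grp_oth" in
                ------) return 0 ;;
                *) echo "$f: mode $bits, but a secret file must be 0600 or 0400" >&2; return 1 ;;
            esac ;;
        trusted)
            case "$grp_oth" in
                *w*) echo "$f: mode $bits is writable by group or other" >&2; return 1 ;;
                *) return 0 ;;
            esac ;;
        *) echo "check_mode: unknown policy '$policy'" >&2; return 3 ;;
    esac
}

audit() {  # audit < "FILE POLICY" lines -> prints the number of files that failed
    failed=0
    while read -r f policy; do
        [ -n "$f" ] || continue
        check_mode "$f" "$policy" || failed=$((failed + 1))
    done
    echo "$failed"
}

demo() {  # constructed files in a temp dir, standing in for the real paths
    tmp=$(mktemp -d)
    : > "$tmp/saslauthd.conf"; chmod 600 "$tmp/saslauthd.conf"
    : > "$tmp/Sendmail.conf";  chmod 644 "$tmp/Sendmail.conf"
    : > "$tmp/mail.key.pem";   chmod 644 "$tmp/mail.key.pem"   # deliberately too open
    n=$(printf '%s\n' "$tmp/saslauthd.conf secret" \
                      "$tmp/Sendmail.conf trusted" \
                      "$tmp/mail.key.pem secret" | audit)
    echo "$n file(s) failed the audit"
    rm -rf "$tmp"
}
demo
# On the box itself (paths as used on this page):
#   printf '%s\n' '/etc/saslauthd.conf secret' \
#                 '/etc/openldap/slapd.conf secret' \
#                 '/data/certs/mail.CHANGE.ME.key.pem secret' \
#                 '/usr/local/lib/sasl2/Sendmail.conf trusted' | audit
```

Ownership is deliberately not checked here, because the demo cannot create root-owned files; on the live system add a `ls -ld` glance for the owner, as a 0600 file owned by the wrong user is still readable by that user.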
- Create an empty Kerberos server tab (I don't remember why I needed this...):
touch /etc/kerberosIV/srvtab
Installing Amavis and SpamAssassin
Posted by bobak at May 10, 2003 05:26 PM