|
Absolutely no warranty, use entirely at your own risk. See the disclaimer at
http://verchick.com/mecham/public_html/spam/
If you would like an even more automated approach to setting up a new spam and virus filtering gateway e-mail server using Maia Mailguard, use this instead: http://verchick.com/mecham/public_html/spam/ubuntu1204-maia-fast.html This document assumes you already have Postfix, amavisd-new, ClamAV and SpamAssassin installed, configured and working properly and Postfix is using amavisd-new as a content_filter on port 10024. If you have not already done this, it is up to you to find documentation to accomplish this. This may help: http://verchick.com/mecham/public_html/spam/spamfilter2.html. This document also assumes you have at least 1GB RAM installed. You will notice later that I'm logged in as root. I simply prefer it. If you are not familiar with turning the root login on and off on Ubuntu, I'm sure you can find documentation on that elsewhere. This document is a departure from previous Maia installations as far as paths go. This is due to numerous changes made to Maia after build 1518, so this document is considered experimental. It cannot be used to install older (possibly more stable) versions. Also, the Maia user name will now be 'maia' instead of the previously typical 'amavis'. Maia's home directory is now /var/lib/maia and the config files are now stored in an /etc/maia directory. Save this document to your computer. If using Internet Explorer, save as "Web Page, HTML only (*.htm,*,html)" then use a plain text editor - like WordPad for example, and replace the text maia_password with a password of your choice. You also need to replace the text sfa with the hostname of your server, and the text example.com with the domain name of your server. Lastly, replace the text Widgits Inc. with the name for your company. Once completed, open this page from the copy you saved. Do not replace these items more than once. This HOWTO is a quick and dirty guide on migrating from amavisd-new to Maia Mailguard installed on a Ubuntu 12.04 or Debian squeeze email server that was originally built using Postfix, amavisd-new, ClamAV and SpamAssassin. This guide is designed to get someone past the initial brain damage of getting the right programs and files in the right place. You should glance through https://www.maiamailguard.com/maia/wiki/Install to get an idea of what we are trying to accomplish (but the documentation may not apply to this version of Maia). Keep in mind that Maia will replace amavisd-new. Maia and amavisd-new are two different programs and only one or the other can be used - not both. This guide does not cover important configuration settings that need to be made once the software is in place; it just gets you to the point where you can log into Maia. This guide does not explain how to use Maia Mailguard, it merely gets it up and running. It uses many of the default settings (which may not filter mail). I don't use Maia myself, so I cannot be helpful regarding the configuration or use of the program. I also don't use Apache, and I am not skilled at MySQL. There is no support for this document. For help with Maia, you should join the Maia users mailing list http://www.renaissoft.com/cgi-bin/mailman/listinfo/maia-users. We want to turn off automatic upgrades of amavisd-new, so we place the package on hold:
echo "amavisd-new hold" | dpkg --set-selections
Change the default shell from dash to bash:
dpkg-reconfigure dash
Answer: Use dash as the default system shell (/bin/sh)? <No> On a Ubuntu machine, in order for ClamAV to work correctly, remove AppArmor:
/etc/init.d/apparmor stop
Download revision 1581 Maia 1.0.3. I also install vim as that is my preferred editor. You can browse https://www.maiamailguard.com/svn/branches/1.0 and make a note of the revision of the trunk you may choose to install today. Also see https://www.maiamailguard.com/maia/browser/branches/1.0. You can pick another revision, but be aware that this document is based on revision 1581. OK, let's get started:
apt-get update
If you choose a revision other than 1581, keep the number handy:
svn -r 1581 checkout https://www.maiamailguard.com/svn/branches/1.0
Answer (p) if it asks... If you ever use this method to download Maia again, you should first move the old downloaded files to another directory to avoid overwriting them. Read this thread. Now, install MySQL 5.1 (if you do not have MySQL installed):
apt-get install mysql-server
Supply a password for root when prompted - and remember it! If you need to manually set the password: Change the roots_password entry to a password of your choice and make sure the host name is correct:
mysql
Out of the box, MySQL is poorly tuned for use with InnoDB databases like Maia uses. I will assume you have at least 1GB of RAM. In the [mysqld] section of /etc/mysql/my.cnf we need to add some entries. By default, innodb_buffer_pool_size is only 8MB. This makes data access with InnoDB very slow. You can set this at somewhere around 25% of physical RAM. Then, innodb_log_file_size should be set to 25% of innodb_buffer_pool_size. Here I'm going to use 128MB for innodb_buffer_pool_size and 32MB for innodb_log_file_size. The change to innodb_log_file_size will not have any effect however until we have MySQL create new logs. Therefore, we have to shut MySQL down, rename the logs and then let MySQL create new logs. Also, we need to set max_allowed_packet to the maximum size of a message that will be allowed into our system. Here I'm setting it at a reasonably large 20MB. Before deleting the log files, to avoid loss of data, log into MySQL and verify that innodb_fast_shutdown is set to 1:
mysql -p
If it is not set to 1, you would have to edit /etc/mysql/my.cnf and find where this has been changed from the default, then restart MySQL. Edit /etc/mysql/my.cnf and place these entries (after adjusting if needed) in the location shown: vi /etc/mysql/my.cnf # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. # Read the manual for more InnoDB related options. There are many! # innodb_data_home_dir = /var/lib/mysql innodb_data_file_path = ibdata1:10M:autoextend innodb_log_group_home_dir = /var/lib/mysql innodb_buffer_pool_size = 256M innodb_additional_mem_pool_size = 20M innodb_log_file_size = 64M innodb_log_buffer_size = 8M max_allowed_packet = 20M # * Security FeaturesSave and exit the file, then restart MySQL:
/etc/init.d/mysql restart
Now shut down MySQL and rename and rebuild the log files (assuming MySQL restarted without errors):
/etc/init.d/mysql stop
Install more needed programs:
apt-get install patch libossp-uuid-perl libtemplate-perl libtext-csv-perl libwww-perl cabextract libmail-dkim-perl libencode-detect-perl libforks-perl
Install PHP5, Pear and some additional Pear modules (watch for errors - WARNINGS are not fatal):
apt-get install php5 php-pear php5-common php5-mysql php5-gd php5-sqlite smarty
When the time comes you want to view Pie charts, enable them with Settings (the gear)->Miscellaneous Settings->Display graphic charts?
AFTER you "Enable graphical charts?" in the Charts section in Admin (the key)->System configuration.
Install Apache2
apt-get install apache2 libapache2-mod-php5
You should now be able to open a browser and browse to the IP address of the server. I recommend adding the IP address and FQDN hostname of the server to your hosts file, so you can browse the server using the hostname instead of the IP address. Of course, eventually you will need to set up the host in DNS if you have not already done so. If this is a production server, obviously you already have. We need to create some directories and copy some files per the INSTALL instructions:
adduser --group --system --home /var/lib/maia --shell /bin/sh maia
Add the clamav user to the maia group and restart clamav-daemon:
gpasswd -a clamav maia
Now we need to edit maia.conf to reflect what our URL will be. We are going to place our files in a /mail directory under the www root: vi /etc/maia/maia.conf
Save and exit the file. We need to log into MySQL and create the maia database:
mysql -p
Be careful that the next command points to the correct location of "maia-mysql.sql":
SOURCE /usr/local/src/maia/1.0/maia-mysql.sql;
You should have seen a number of lines similar to "Query OK, 1 row affected (0.01 sec)" scroll by. Now we create the maia user and then quit (there are 3 commands here):
GRANT CREATE, DROP, ALTER, SELECT, INSERT, UPDATE, DELETE ON maia.* TO maia@localhost IDENTIFIED BY 'maia_password';
Let's see if our configuration looks OK so far:
cd /var/lib/maia/scripts/
This should result in something like:Application/Module Version Status ======================================================================== Perl : 5.10.1 : OK file(1) : 5.04 : OK Archive::Tar : 1.52 : OK Archive::Zip : 1.30 : OK BerkeleyDB : 0.43 : OK Compress::Zlib : 2.02 : OK Convert::TNEF : 0.17 : OK Convert::UUlib : 1.33 : OK Crypt::Blowfish : N/A : NOT INSTALLED (Maia Mailguard's optional ... Crypt::CBC : N/A : NOT INSTALLED (Maia Mailguard's optional ... Crypt::OpenSSL::RSA : 0.25 : OK Data::UUID : 1.0602 : OK DB_File : 1.82 : OK DBD::mysql : 4.016 : OK DBD::Pg : N/A : NOT INSTALLED (required if you use PostgreSQL ... DBI : 1.612 : OK Digest::MD5 : 2.39 : OK Digest::SHA : 5.47 : OK Digest::SHA1 : 2.13 : OK Encode::Detect : 1.01 : OK File::Spec : 3.3 : OK forks : 0.34 : OK HTML::Parser : 3.68 : OK HTTP::Date : 5.831 : OK IO::Stringy : 2.110 : OK IO::Socket::INET6 : 2.65 : OK IO::Zlib : 1.09 : OK IP::Country::Fast : N/A : NOT INSTALLED (SpamAssassin's optional ... libdb : 5.1 : OK LWP : 5.837 : OK Mail::Address : 2.06 : OK Mail::DKIM : 0.38 : OK Mail::Internet : 2.06 : OK Mail::SpamAssassin : 3.3.1 : OK Mail::SPF : 2.007 : OK MIME::Base64 : 3.08 : OK MIME::Parser : 5.427 : OK MIME::QuotedPrint : 3.08 : OK Net::CIDR::Lite : 0.21 : OK Net::Cmd : 2.29 : OK Net::DNS : 0.66 : OK Net::Server : 0.99 : OK Net::SMTP : 2.31 : OK NetAddr::IP : 4.038 : OK Pod::Usage : 1.36 : OK Razor2::Client::Agent : 2.84 : OK Template : 2.22 : OK Time::HiRes : 1.9719 : OK Unix::Syslog : 1.1 : OK URI : 1.56 : OK Text::CSV : 1.21 : OK MySQL Server : 5.1.54 : OK Database DSN test : PASSEDWe do not need the four items shown as NOT INSTALLED. We don't use PostgreSQL, so we don't need DBD::Pg. On a Debian machine 'forks' (libforks-perl) may be an older version. Upgrade instructions will follow later. You may have noticed a note about a patch. If you did, then follow the instructions, which in this case are:
wget http://www.maiamailguard.com/maia/raw-attachment/ticket/565/mysql-bug-46675.patch
Now we copy SpamAssassin's rules to the MySQL database (make sure 'spamassassin --lint' does not return any errors; if it does, repair the errors before you continue):
su maia -c 'spamassassin --lint'
Configure Pyzor:
su maia -c 'pyzor discover'
Configure Vupil's Razor:
cd
Create user_prefs:
cd /var/lib/maia
Since we are using SpamAssassin 3.1.1 or greater we can use the new sa-update feature:
sa-update
You should have seen something like "2011-06-11 14:45:26 Maia: [load-sa-rules] 976 new rules added (976 rules total), all scores updated." If not, then check that this ./load-sa-rules.pl script points to the correct directories (you edited it earlier). Now we will copy the web interface files to the web site. We also need to make 'themes' writable by the www-data user (and maia):
mkdir /var/www/mail
mkdir /var/www/mail/purifier_cache
Now you browse to configtest.php to test the installation, for example: http://192.168.1.222/mail/admin/configtest.php (or) http://sfa.example.com/mail/admin/configtest.php The result should look something like this. Note: if you need the IMAP, LDAP or MCrypt libraries you are free to apt-get install php5-imap php5-ldap php5-mcrypt (but only as needed). Note that encrypting mail in the database is NOT recommended. By default Maia will use built in authentication, but you can configure it later to use IMAP or LDAP if required. I do not cover that in this document. Also, remember to stop and start apache2 if you make changes. You should ensure the database schema is up to date: http://sfa.example.com/mail/admin/upgrade.php Assuming you are using the original init script supplied by the amavisd-new package, make a change to the amavis init script so it will not complain about having an amavisd.conf file laying around:
sed -i "s/ \tcheck_noncompatible_upgrade/# \tcheck_noncompatible_upgrade/" /etc/init.d/amavis
If running Ubuntu 12.04:
sed -i "s/ --name \${DAEMONNAME}//" /etc/init.d/amavis
You should vi /etc/init.d/amavis and ensure that the two lines shown below are commented out and that the comment mark is at the beginning of each line:
fixdirs
# check_noncompatible_upgrade
if start-stop-daemon ${START} -- ${PARAMS} start >/dev/null ; then
.....
fixdirs
# check_noncompatible_upgrade
exec ${DAEMON} ${PARAMS} "${mode}"
....
Now we make a few changes to maiad.conf (one of two Maia configuration files):
cd /etc/maia
Please review maiad.conf:
vi /etc/maia/maiad.conf
I suggest you place the SVN release number of Maia in a comment in this file. Make sure your $max_servers setting matches the maxproc setting for the smtp-amavis transport in /etc/postfix/master.cf. If you have not configured this maiad.conf in the past, at the very least you need check $mydomain. I also suggest you check $myhostname. Note that you may also wish to temporarily set $log_level to 5 when we send a few test messages through, examining /var/log/mail.log for signs of trouble. Save and exit the file, and then make a backup copy:
cp /etc/maia/maiad.conf /etc/maia/maiad.conf-backup
Now, when you want to try Maia as your program, you first stop amavisd-new:
/etc/init.d/amavis stop
Download a Maia init scrip from me:
cp -r /etc/init.d /etc/init.d-original
Disable amavis and enable maia script:
update-rc.d -f amavis remove
Then you start up maiad (actually, the first time you start it up it would be a good idea to do so with 'maiad debug'):
/etc/init.d/maia start
You can keep an eye out for errors by using:
tail -f /var/log/mail.log
Send a few test messages through and look for errors. Since the system has not been configured, the default is to pass everything (including viruses and executables). If you need to revert to amavisd-new for some reason, first you would stop maiad, then turn the init scripts off and on like this: /etc/init.d/maia stop update-rc.d -f maia remove chown root:amavis /etc/spamassassin/local.cf update-rc.d amavis defaults /etc/init.d/amavis start Then to switch back to Maia: /etc/init.d/amavis stop update-rc.d -f amavis remove chown root:maia /etc/spamassassin/local.cf update-rc.d maia defaults /etc/init.d/maia start At this point, nothing is set up in Maia, so If I am correct, all mail will simply pass. I believe the default behavior is to bypass all checks for recipients (or domains) not in the database so you will quickly want to add and configure your users and/or domains. I suggest configuring domains first in order to set up what you believe are acceptable domain wide defaults. Continue on by going to https://www.maiamailguard.com/maia/wiki/Install and start reading from "14. Login and become the super-administrator". You want to use your email address as the "E-mail address your login credentials should be mailed to:" (so an account is created for you). Hopefully you have configured this system as a working SMTP server so mail sent to that address from this server will end up in a mailbox you have access to. My internal-init.php page looked similar to this example. Since you are starting out using the "Internal" authentication method, run the http://sfa.example.com/mail/internal-init.php script before running the http://sfa.example.com/mail/login.php?super=register script. If internal-init.php runs properly, you will get a "250 Ok" response on the screen and your password in a message in your inbox. Don't forget you need to set up DNS (if you have not done so) so your users can use your server's FQDN to access Maia. |
|
Now, please realize you should read the Maia documentation (though some may not apply to this version), and you MUST set up some cron jobs to run the maintenance scripts: https://www.maiamailguard.com/maia/wiki/MaintenanceScripts. I know that for example, you will need to set the full path to reminder.tpl (/etc/maia/templates/reminder.tpl) in the System Configuration or you will get an error when running send-quarantine-reminders.pl. You will need to run process-quarantine.pl hourly and expire-quarantine-cache.pl daily. Other scripts may need to be configured to run also. I do give examples below. You will want to remove the admin scripts from the website (you will have a backup in /usr/local/src/maia/1.0/php/admin/):
rm -r /var/www/mail/admin/
Once logged in as the super user, click on the Key icon, go into System Configuration and provide the full path to "E-mail reminder template file:", which is /etc/maia/templates/reminder.tpl. The SQL based Bayes tables have been created for you. You can enable them by placing this in /etc/spamassassin/local.cf: So, vi /etc/spamassassin/local.cf bayes_store_module Mail::SpamAssassin::BayesStore::MySQL bayes_sql_dsn DBI:mysql:maia:localhost bayes_sql_username maia bayes_sql_password maia_password bayes_sql_override_username maiaSave and exit the file, then hide the password:
chmod 0640 /etc/spamassassin/local.cf
Make sure the AWL plugin is disabled:
sed -i "s/^loadplugin Mail::SpamAssassin::Plugin::AWL/#loadplugin Mail::SpamAssassin::Plugin::AWL/" /etc/spamassassin/v310.pre
Then test with:
cd /var/lib/maia
It should show our nspam (number of spam) count is 1, and --lint should be clean.
The bayes_seen table grows forever, so we will make a change to the table so we have a means of cleaning up old data: mysql -p
We continue by adding a bayes_seen maintenance script (watch for errors):
cd /etc
Your crontab entries (crontab -e) for the Maia maintenance scripts may look something like this: # Minute Hour Day of Month Month Day of Week Command # (0-59) (0-23) (1-31) (1-12 or Jan-Dec) (0-6 or Sun-Sat) 30 * * * * /bin/su maia -c '/var/lib/maia/scripts/process-quarantine.pl --learn --report' 10 1 * * * /bin/su maia -c '/var/lib/maia/scripts/expire-quarantine-cache.pl --quiet' 10 2 * * 3 /bin/su maia -c '/var/lib/maia/scripts/send-quarantine-reminders.pl' */5 * * * * /bin/su maia -c '/var/lib/maia/scripts/send-quarantine-digests.pl' 0 * * * * /bin/su maia -c '/var/lib/maia/scripts/stats-snapshot.pl' >/nullYour site is at http://sfa.example.com/mail |
This assumes you do not already other have web sites and/or certificates set up on this machine.
If you do, I would hate to see you mess that up.
apt-get install openssl
Every client that connects to this server will need to be able to resolve the hostname of the server. Hopefully you have already create an A record and an MX record for the server. We are going to be our own Certificate Authority and sign our own certificates. These commands are dependent on /etc/ssl/openssl.cnf as supplied by Debian. We start by making a small change to /etc/ssl/openssl.cnf. We make it so by default our certificates are good for 10 years instead of 1:
sed -i 's/= 365\t/= 3653\t/' /etc/ssl/openssl.cnf
We will set up a common place to put our certificates:
cd /root
Create a Root Certificate:
openssl req -new -x509 -extensions v3_ca -keyout demoCA/private/cakey.pem -out cacert.pem -days 3653
Enter a passphrase when prompted. You will need this passphrase in the future. What I mean is: make it unique and don't ever loose it. You will be asked questions. Sample answers follow. Be sure to use the full name for your state or province name and the Common Name should be something that describes you as an authority (like Widgits Inc. RootCA):
Country Name US
This process produces two files as output: a private key in demoCA/private/cakey.pem and a root CA certificate in cacert.pem. Any and all key files we produce will need to be protected from unauthorized persons reading them, and must not be lost for the next 10 years. Also realize that the CA you created can sign any number of certificates (until it expires 10 years from now) so you only need to (or want to) create the CA once. We will copy our cert and our key to something more descriptive:
cp -i demoCA/private/cakey.pem demoCA/private/cakey.example.com.pem
We will copy the root CA certificate to the web server so we can install it on clients by having them browse to it:
cp -i cacert.example.com.crt /var/www/
We copy the root CA certificate to /usr/share/ca-certificates/self:
mkdir /usr/share/ca-certificates/self
Now, run dpkg-reconfigure ca-certificates, answer yes to "Trust new certificates from certificate authorities?" and then scroll down to self/cacert.example.com.crt, use the spacebar to select it, Tab to Ok, and press Enter to finish the job. This will create a sym-link to our CA certificate in /etc/ssl/certs:
dpkg-reconfigure ca-certificates
The cacert.example.com.pem and cacert.example.com.crt are copies of our certificate and are the files that can be distributed and installed on the client's machines. Windows clients would use the .crt file. On my Windows 2000 system, double clicking this file would install it in Internet Explorer (which is exactly what want). Simply browsing to our server will give us the opportunity to install the web server certificate we will create (this will be the Common Name sfa.example.com) but this is not the same as installing the CA certificate in the Trusted Root Certification Authorities store (seen as the Common Name you entered above). Just in case you are not familiar, in IE6 it's Tools->Internet Options->Content->Certificates->Trusted Root Certification Authorities. Outlook and Outlook Express use the same certificate store as Internet Explorer. In Mozilla Thunderbird it's Tools->Options->Privacy->Security->View Certificates->Authorities. In Firefox it's Tools->Options->Advanced->Encryption->View Certificates->Authorities->Import. If you go through this process more than once while testing, don't install duplicate certificates. Delete any old 'test' certificate you previously installed before adding your new one that replaces it. In my old version of The Bat! I add a new contact in the "Trusted Root CA" section of the address book and import the certificate from there. I suggest using WinSCP to transfer the cacert.example.com.crt certificate to your machine. I think the worst part of getting this server set up is getting the CA certificates installed on the clients. Sometimes it's worth it to buy a certificate from a well known commercial CA that is already in the Trusted Root Certification Authorities store. OK, we are a certificate authority. We have the ability to sign our own certificates. We are now going to create a request for a certificate from the CA (which is us - but could be a commercial CA if you like). Everyone that connects to us will connect to the hostname of this machine. The Secure Web server, Secure IMAP server, Secure POP server and Postfix Secure SMTP server will all be sfa.example.com, so the Common Name MUST BE our FQDN hostname when we create the request. The Organization name needs to be the same as the one in the CA cert. Do not enter your email address, challenge password or an optional company name when generating the CSR:
openssl req -new -nodes -out req.pem
Country Name US
This process produces two files as output, a private key in privkey.pem and a certificate signing request in req.pem. These files should be kept. The private key is of course necessary for SSL encryption. We will make backup copies of these files with more descriptive names:
cp -i privkey.pem privkey.sfa.example.com.pem
Sign the Certificate (you will be asked for the pass phrase):
openssl ca -out cert.pem -cert cacert.pem -infiles req.pem
This process updates the CA database and produces two files as output, a certificate in cert.pem and a copy of the certificate in demoCA/newcerts/ named xx.pem, where xx is the serial number. We will copy the cert to a more descriptive name. The certificate has both the encoded version and a human-readable version in the same file. We want to strip off the human-readable portion as follows:
mv -i cert.pem temp.cert.sfa.example.com.pem
Postfix will want the cert and the key in two separate files, apache2 will want the two combined (but can use two separate files if configured to do so).
cat privkey.sfa.example.com.pem cert.sfa.example.com.pem >key-cert.pem
After those steps, you have three installable components (and some more descriptive backup copies): A private key in privkey.pem (with a copy in privkey.sfa.example.com.pem) A certificate in cert.pem (with a copy in cert.sfa.example.com.pem) A combined private key and certificate in key-cert.pem (with a copy in key-cert.sfa.example.com.pem) Now give a copy of the combined certificate to Apache2. We will configure sfa.example.com in Apache2 to use /etc/apache2/key-cert.sfa.example.com.pem:
/etc/init.d/apache2 restart
Now we will configure Apache2. First enable the SSL module, and we will also enable the rewrite module so we can optionally redirect port 80 requests to port 443:
a2enmod ssl
We will make a copy of the default site. This copy will be used for configuration of the SSL site:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Now edit /etc/apache2/sites-available/default:
vi /etc/apache2/sites-available/default
And change: <VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/To:
<VirtualHost *:80>
ServerAdmin webmaster@example.com
ServerName sfa.example.com
DocumentRoot /var/www/
Now edit /etc/apache2/sites-available/ssl:
vi /etc/apache2/sites-available/ssl
And change: <VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
To:<VirtualHost *:443>
ServerAdmin webmaster@example.com
ServerName sfa.example.com
SSLEngine on
SSLCertificateFile /etc/apache2/key-cert.sfa.example.com.pem
DocumentRoot /var/www/
Once the files have been edited, enable the new site we called ssl, and restart Apache2:
a2ensite ssl
If you did it like I did it, you should have no errors when it shuts down or starts up. If it does not start up, you can disable the ssl site with 'a2dissite ssl'. See /var/log/apache2/error.log for clues to the problem. Now you should be able to browse to both: http://sfa.example.com/mail and https://sfa.example.com/mail. If you have not already installed the Root CA certificate on your computer, see if you can install it by downloading it via your browser at http://sfa.example.com/cacert.example.com.crt Note that if you created a root certificate and installed it on your computer, and then started this process over and created a new one with the same name, you would have to remove the duplicate "test" certificate and install the new certificate. I have enabled port 80 only as a convenience. We don't want people to connect to our site without using SSL, so I am going to set up redirection. This is optional, but highly recommended. Edit /etc/apache2/sites-available/default once again:
vi /etc/apache2/sites-available/default
And insert these additional items in the location shown: <VirtualHost *:80>
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
RewriteLog "/var/log/apache2/rewrite.log"
RewriteLogLevel 2Then
restart Apache2:
/etc/init.d/apache2 restart
Now, if you close down the browser window for http://sfa.example.com and then browse to it again, you should be redirected to the SSL site. This is a bit wasteful however as twice as many processes are required to maintain both port 80 and port 443. If you like, you can optionally prevent Apache2 from starting up processes on port 80 by editing /etc/apache2/ports.conf and commenting out 'Listen 80' then restarting Apache2. Of course, then your users will always have to remember to use the https:// URL. BTW, personally I use lsof -P | grep LISTEN to show what ports are in use. Note that I am an Apache noob. If you want to host multiple http sites with multiple certificates, I leave it up to you to figure out how to do it. I can tell you that you can create and sign as many certificates as you want, just make sure you do not create a new certificate authority. The one and only certificate authority you created can sign all your certificates. And from what I understand, if more than one site uses SSL, each site will need a different IP address. Google is your friend. To be clear, you can host as many email domains as you need, but in my setup, I access all of them through one and only one http interface. Let's continue on... Tell Postfix where to find the certificates (and set a couple other TLS parameters). We also make a backup of main.cf before we modify it for the first time:
cd /root/CA/
And make sure Postfix is still working OK. Running some of these commands again will result in overwriting keys and certificates. That may not be good. Some files will necessarily be overwritten if additional certificates are requested, signed and created. That is expected, and is the reason we make host-specific copies of everything as we go along. Just be careful not to overwrite any host-specific files we have created. And remember, only one Root Certificate Authority needs creation. Make a backup of the session, both on and off the system (transfer the directory via WinSCP).
cp -r /root/CA /root/CA-11jun2011
|
|
PS: Here is a hint if you would like to change the password used by amavis to access the MySQL database. The default MySQL password for the amavis user is 'passwd'. Stop Apache2: /etc/init.d/apache2 stopStop Maia: /etc/init.d/amavis stopLocate and change the $maia_sql_dsn password in config.php: vi /var/www/mail/config.phpLocate and change the @lookup_sql_dsn password in maiad.conf: vi /etc/maia/maiad.confLocate and change the password in /etc/maia/maia.conf: vi /etc/maia/maia.confLocate and change the password in /etc/spamassassin/local.cf: vi /etc/spamassassin/local.cfLocate and change the password in /usr/sbin/maia-trim-bayes vi /usr/sbin/maia-trim-bayesLog in to mysql and change the password there, obviously, replace NEW-passwd with the new password: mysql -p
Run configtest.pl to make sure the "Database DSN test" passes:/var/lib/maia/scripts/configtest.plStart Maia: /etc/init.d/amavis startStart Apache2: /etc/init.d/apache2 startIt would be a good idea to run configtest.php: http://sfa.example.com/mail/admin/configtest.php
|
cd /usr/local/src
Note the use of <Tab> completion on the last line (the .deb file name will differ depending on architecture). Only select up to the underscore, then <Tab> and <Enter>.
dpkg-source -x libforks-perl_0.34-1.dsc <Tab>
|