MINI-HOWTO: Installing Cyrus IMAP on OpenBSD 3.3

Configuring OpenBSD

Change default shell for root to /bin/sh
vipw
Login again.
Add user USER (change "USER" to your preferred user name)
groupadd -g 500 USER useradd -s /bin/sh -g USER -G wheel -m -d /home/USER -u 500 USER passwd USER
Allow users in group 'wheel' to sudo:
visudo # uncomment first line that starts with "#%wheel"
Add the following lines to /home/USER/.profile and /root/.profile
alias ll='ls -al' alias pu='rm -fr *~ .*~'
Check for correct IP address in /etc/hosts
Edit boot configuration:
vi /etc/rc.conf ntpdate_flags="swisstime.ethz.ch" wsmoused_flags="" pf=YES
Mount data partition (this is where I keep all data that should survive an OS upgrade):
mkdir /data echo "/dev/wd0h /data ffs rw,nodev,nosuid 1 2" >> /etc/fstab
I want to power down on halt:
vi /etc/rc.shutdown powerdown=YES
Reboot
Login remotely as USER and su to root

Extracting and updating OpenBSD source and ports tree

Put OpenBSD CD-ROM in CD drive.
Extract OpenBSD source:
mount -t cd9660 /dev/cd0a /mnt cd /usr/src tar xvzfp /mnt/3.3/src.tar.gz tar xvzfp /mnt/3.3/sys.tar.gz cd /usr tar xvzfp /mnt/3.3/ports.tar.gz umount /mnt
Remove CD-ROM from CD drive.
Update source and ports to the latest version:
export CVS_RSH=/usr/bin/ssh cd /usr/src cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs -q update -dP -rOPENBSD_3_3 . cd /usr/ports cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs -q update -dP -rOPENBSD_3_3 .
Make sure object files are not created on the /usr partition:
mkdir /data/obj mkdir -p /data/ports/obj mkdir /data/ports/distfiles mkdir /data/ports/packages chgrp -R wsrc /data/ports /data/obj rmdir /usr/obj ln -s /data/obj /usr/obj cat > /etc/mk.conf << EOF WRKOBJDIR=/data/ports/obj DISTDIR=/data/ports/distfiles PACKAGES=/data/ports/packages EOF
Initialize object tree:
cd /usr/src find . -type l -name obj |xargs rm make cleandir rm -rf /usr/obj/* make obj cd /usr/src/etc && make DESTDIR=/ distrib-dirs

Upgrading to latest OpenBSD RAID kernel and system

Create RAID kernel:
mkdir /data/kernel cd /data/kernel cp /usr/src/sys/arch/i386/conf/GENERIC GENERIC_RAID vi GENERIC_RAID option RAID_AUTOCONFIG pseudo-device raid 4 # RAIDframe disk driver config -s /usr/src/sys -b . GENERIC_RAID make clean && make
Install RAID kernel:
cd /data/kernel mv /bsd /bsd.old cp bsd / reboot
If things didn't work out, enter bsd.old at the boot prompt in order to boot from the original kernel.
Build and install the system:
cd /usr/src make build
Check if /etc is up-to-date
cd /usr/ports/sysutils/mergemaster/ make install make clean /usr/local/sbin/mergemaster -v

Installing useful ports

bash2
cd /usr/ports/shells/bash2 FLAVOR=static make install FLAVOR=static make clean echo "/usr/local/bin/bash" >> /etc/shells
autoconf
cd /usr/ports/devel/autoconf/ make install make clean
automake
cd /usr/ports/devel/automake/ make install make clean
libtool
cd /usr/ports/devel/libtool/ make install make clean
ncftp
cd /usr/ports/net/ncftp make install make clean
ntp
cd /usr/ports/net/ntp make install make clean
wget
cd /usr/ports/net/wget make install make clean cd /usr/ports/devel/gmake/ make clean cd /usr/ports/devel/gettext/ make clean cd /usr/ports/converters/libiconv/ make clean
XEmacs21
cd /usr/ports/editors/xemacs21 FLAVOR=no_x11 make install FLAVOR=no_x11 make clean cd /usr/ports/devel/metaauto/ make clean cd /usr/ports/editors/xemacs21-sumo make install make clean cd /usr/ports/archivers/bzip2/ make clean

Installing and configuring SNMP

Install the ucd-snmp port:
cd /usr/ports/net/ucd-snmp make install make clean
Create configuration file:
mkdir /usr/local/etc cp /usr/local/share/examples/ucd-snmp/EXAMPLE.conf /etc/snmpd.conf ln -s /etc /usr/local/etc
Edit configuration file "/etc/snmpd.conf" in your favourite editor:
[...] #### # First, map the community name (COMMUNITY) into a security name # sec.name source community com2sec local localhost change_me com2sec mynw_internal 10.0.0.0/24 change_me com2sec mynw_dmz 10.0.1.0/24 change_me #### # Second, map the security names into group names: # sec.model sec.name group MyRWGroup v1 local group MyRWGroup v2c local group MyRWGroup usm local group MyROGroup v1 mynw_internal group MyROGroup v2c mynw_internal group MyROGroup usm mynw_internal group MyROGroup v1 mynw_dmz group MyROGroup v2c mynw_dmz group MyROGroup usm mynw_dmz [...] ############################################################################### # System contact information # [...] syslocation Zurich/Switzerland syscontact SNMP Admin <snmpadmin@domain.com [...] ############################################################################### # Process checks. # [...] # Make sure at least one sendmail, but less than or equal to 10 are running. proc sendmail 10 1 [...] ############################################################################### # disk checks # [...] disk / 50% disk /tmp 5% disk /var 20% disk /data 20% disk /home 30% disk /usr 20% [...] ############################################################################### # load average checks # [...] # Check for loads: load 12 14 14 [...]
Make sure the SNMP daemon is started at boot time:
vi /etc/rc.local # uncomment the 'snmp' lines

Installing and configuring slave OpenLDAP

Install the port:
cd /usr/ports/databases/openldap/ SUBPACKAGE=-server make install SUBPACKAGE=-server make clean
Add ldap user and group:
groupadd -g 55 ldap useradd -s /sbin/nologin -c "LDAP Server" -g ldap -m -d /var/ldap -u 55 ldap rm /var/ldap/.*
Copy the original slapd.conf and schema files to /etc/openldap/.
Edit the slapd.conf
vi /etc/openldap/slapd.conf # create pid file pidfile /var/ldap/slapd.pid # fix TLSCertificateFile and TLSCertificateKeyFile # fix directory line: directory /var/ldap # remove line "replogfile" # remove lines starting with "replica" # add update lines: updatedn "cn=replicator,ou=Accounts,dc=CHANGE,dc=ME" updateref "ldaps://ldap-master:636/"
Setup logging:
touch /var/log/ldap.log echo "/var/log/ldap.log root:wheel 640 7 250 * Z" >> /etc/newsyslog.conf vi /etc/syslog.conf local4.* /var/log/ldap.log kill -HUP `cat /var/run/syslog.pid`
Export original LDAP directory:
1. ldap-master: stop slapd and slurpd, e.g.
  /etc/init.d/ldap stop
2. ldap-master: export directory into an LDIF file:
  slapcat -l ldap.ldif
3. copy ldap.ldif to ldap-slave
4. ldap-slave: import directory
  /usr/local/sbin/slapadd -v -c -f /etc/openldap/slapd.conf -b "dc=CHANGE,dc=ME" -l ldap.ldif chown ldap.ldap /var/ldap/*
5. ldap-slave: start slapd:
  /usr/local/libexec/slapd -u ldap -h "ldap://localhost:389/ ldaps://ldap-slave:636/"
6. ldap-master: restart ldap
  /etc/init.d/ldap start
Start slapd on boot and stop on shutdown:
vi /etc/rc.local # OpenLDAP Daemon if [ -x /usr/local/libexec/slapd ]; then echo -n ' slapd'; /usr/local/libexec/slapd -u ldap -h "ldap://localhost:389/ ldap://ldap-slave:389/ ldaps://ldap-slave:636/" fi vi /etc/rc.shutdown # stop OpenLDAP slapd if [ -r /var/ldap/slapd.pid ]; then kill `cat /var/ldap/slapd.pid | head -1` fi

Installing LDAP authentication for users

Install port:
cd /usr/ports/sysutils/login_ldap make install ./w-login_ldap-3.3/fake-i386/usr/local/bin/enable-login_ldap make clean chmod u+s /usr/libexec/auth/login_-lda
Add ldap authentication to login.conf:
vi /etc/login.conf # # LDAP Specs # ldap:\ :requirehome@:\ :auth=-ldap:\ :x-ldap-server=ldap-slave:\ :x-ldap-server-alt=ldap-master:\ :x-ldap-port=636:\ :x-ldap-basedn=ou=Users,dc=CHANGE,dc=ME:\ :x-ldap-binddn=cn=lookup,ou=Accounts,dc=CHANGE,dc=ME:\ :x-ldap-bindpw=YOUR_SECRET:\ :x-ldap-uscope=subtree:\ :x-ldap-noreferrals:\ :x-ldap-filter=(&(objectClass=posixAccount)(uid=%u)):\ :x-ldap-gscope=base:\ :x-ldap-groupdn=cn=unixAccount,ou=THE_MACHINE,ou=Roles,dc=CHANGE,dc=ME:\ :x-ldap-groupfilter=(|(&(objectClass=posixGroup)(memberUid=%u))(&(objectClass=groupOfUniqueNames)(uniqueMember=%d))):
reboot
Change users to LDAP authentication:
vipw # for each user you want LDAP access, insert "ldap" between the colons in '::0:0:'
Open a new console and try to login using an LDAP based account.

Installing Cyrus SASL2 with LDAP patch

Go to the port directory:
cd /usr/ports/security/cyrus-sasl2 /code>


      Two possible ways to do get LDAP group support into Cyrus SASL2:

	(1) Use the current port as of writing (version 2.1.11) and apply my
	LDAP patch:

	
	  Check the Makefile for "cyrus-sasl-2.1.11", as the patch is
	    against that version.

	    
	      grep DISTNAME Makefile

	      DISTNAME=      cyrus-sasl-2.1.11

	    
	  
	  Download the LDAP patch:

	    wget http://www.abstrakt.ch/unix/cyrus-sasl-2.1.11-ldap-patch

	  
	  Check its checksum:

	    
	      md5 cyrus-sasl-2.1.11-ldap-patch

	      MD5 (cyrus-sasl-2.1.11-ldap-patch) = e1ef9066bc780e4d6431ce01a6fd7f76

	    
	  
	  Move LDAP patch to the correct location:

	    mv cyrus-sasl-2.1.11-ldap-patch patches/patch-ldap

	  
	
	(2) Update the port to use at least version 2.1.13, which includes a
	variant of my patch:

	
	  Edit Makefile

	    
	      vi Makefile

	       DISTNAME=      cyrus-sasl-2.1.13

	    
	  
	  Adapt checksum for new archive:

	    
	      cat > distinfo <<EOF

	      
		MD5 (cyrus-sasl-2.1.13.tar.gz) = 1114d59d970791932e96de8557472672

		RMD160 (cyrus-sasl-2.1.13.tar.gz) = 70e43b6aeb62ba172526ec02fb2309f7f6e25bc4

		SHA1 (cyrus-sasl-2.1.13.tar.gz) = fccd1650b5b540380c4c5f87c6de76633a30bdca

	      
	      EOF

	    
	  
	  TO BE FINISHED
	
      
      Build and install the port:

	
	  CONFIGURE_ARGS=--with-ldap=/usr/local make

	  make install

	  make clean

	
      
      Create a link to the SASL2 library in /usr/lib/ (this fixes an error during bootup with sendmail and vi.recover):

	ln -s /usr/local/lib/libsasl2.so.2.11 /usr/lib/

      
      Create saslauthd.conf:

	
	  cat > /etc/saslauthd.conf << EOF

	  
	    ldap_servers: ldap://localhost/

	    ldap_bind_dn: cn=imap,ou=Accounts,dc=CHANGE,dc=ME

	    ldap_bind_pw: secret

	    ldap_scope: sub

	    ldap_search_base: ou=Accounts,dc=CHANGE,dc=ME

	    ldap_auth_method: bind

	    #ldap_filter: (&(uid=%u)(|(role=mailUser)(role=mailAdmin)))

	    ldap_group_dn: cn=%s,ou=MAILROLE,ou=Roles,dc=CHANGE,dc=ME

	  
	  EOF

	
      
      Start the SASL2 authentication daemon on boot:

	
	  vi /etc/rc.local

	  
	    # Cyrus SASL Authentication Daemon

	    if [ -x /usr/local/sbin/saslauthd ]; then

	      echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a ldap

	    fi

	  
	
      
      And stop it during shutdown:

	
	  vi /etc/rc.shutdown

	  
	    # Stop Cyrus SASL Authentication Daemon

	    if [ -r /var/sasl2/mux.pid ]; then

	      kill `cat /var/sasl2/mux.pid | head -1`

	    fi



    Installing Berkeley DB4-1  (requirement for Cyrus IMAP)
    
      Note: you don't have to be root for this section.

      Retrieve Berkeley DB 4.1.25 and patches from http://www.sleepycat.com/download/

	
	  cd /tmp

	  wget http://www.sleepycat.com/update/snapshot/db-4.1.25.tar.gz

	  wget http://www.sleepycat.com/update/4.1.25/patch.4.1.25.1

	
      
      Extract db:

	tar xvzf db-4.1.25.tar.gz
      
      Patch db:

	
	  cd db-4.1.25

	  patch < ../patch.4.1.25.1

	
      
      Configure and make it:

	
	  cd build_unix

	  ../dist/configure \

	          --enable-compat185 \

	          --enable-dump185 \

	          --enable-cxx

	  make

	
      
      Install it (by switching to root using 'sudo'):

	sudo make install

      
      You should now have a Berkeley DB 4.1 installed in /usr/local/BerkeleyDB.4.1/
    

     Installing Cyrus IMAP Server
    
      Note: you don't have to be root for this section
      Retrieve the Cyrus IMAP Server tarball from: ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

	
	  cd /tmp

	  ncftpget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.1.13.tar.gz

	
      
      Extract the tarball:

	tar xvzf cyrus-imapd-2.1.13.tar.gz

      
      As OpenBSD doesn't have a makedepend binary, make and install the one included in the Cyrus package:

	
	  cd cyrus-imapd-2.1.13/makedepend

	  ./configure

	  make

	  sudo cp makedepend /usr/local/bin/

	  cd ..

	
      
      In order for "imtest" to work properly, change the following lines in the file "imtest/imtest.c":

	
	  line 79: from "#ifdef HAVE_SSL" to "/* #ifdef HAVE_SSL */"
	  line 86: from "#else /* HAVE_SSL */" to "/* #else HAVE_SSL */"
	  line 94: from "#endif /* HAVE_SSL */" to "/* #endif HAVE_SSL */"
	
      
      Configure and build the IMAP server:

	
	  ./configure \

	          --with-openssl=/usr \

	          --with-cyrus-user=cyrus \

	          --with-cyrus-group=mail \

	          --with-auth=unix \

	          --with-notify=no \

	          --with-idle=idled \

	         
	  --with-dbdir=/usr/local/BerkeleyDB.4.1 \

	          --with-sasl=/usr/local \

	          --without-ucdsnmp \

	          --disable-gssapi

	  make depend

	  make all CFLAGS=-O2

	
      
      If all went well, switch to the root user:

	su

      
      [root] Install the server:

	make install

      
      [root] Add the cyrus user and the mail group (you can use different ids, mine match with the RedHat mail/mail user/group for historical reasons):

	
	  groupadd -g 12 mail

	  useradd -s /bin/sh -g mail -G daemon -d /usr/cyrus -u 8 cyrus

      
      [root] Add the logging to /etc/syslog.conf and create inital logfile:

	
	  touch /var/log/imapd

	  echo "/var/log/imapd       root:wheel      640  7    250  *     Z" >> /etc/newsyslog.conf

	  vi /etc/syslog.conf

	  
	    # Cyrus IMAP

	    local6.debug     /var/log/imapd

	  
	  kill -HUP `cat /var/run/syslog.pid`

	
      
      [root] Create Cyrus IMAP config file:

	cat > /etc/imapd.conf << EOF

     configdirectory: /data/cyrus/imap

partition-default: /data/cyrus/partition

admins: mailadm

sasl_pwcheck_method: saslauthd

sendmail: /usr/sbin/sendmail

sievedir: /data/cyrus/sieve

# --- uncomment the following lines if you have a valid certificate for
the mail server

#tls_ca_file: /data/certs/cacert.pem

#tls_cert_file: /data/certs/mail.CHANGE.ME.cert.pem

#tls_key_file: /data/certs/certs/mail.CHANGE.ME.key.pem

     EOF

    
  [root] Create spool and other directories:

    mkdir -p /data/cyrus/partition /data/cyrus/imap
/data/cyrus/sieve

chown -R cyrus.mail /data/cyrus/*

chmod 750 /data/cyrus/imap

chmod 750 /data/cyrus/sieve

ln -s /data/cyrus/imap /var/imap

ln -s /data/cyrus/sieve /var/sieve

ln -s /data/cyrus/partition /var/spool/imap

     
  [root] Initialize directories as user 'cyrus':

     su cyrus

tools/mkimap

exit

  
  [root] Create master daemon config file:

     cp master/conf/prefork.conf /etc/cyrus.conf

  
  [root] Append additional mail services to /etc/services:

     cat >> /etc/services << EOF

     #

# Cyrus IMAP additional services

#

imsp           
406/tcp

acap           
674/tcp

sieve          
2000/tcp

lmtp           
2003/tcp

fud            
4201/udp

     EOF

     
  [root] Start the Cyrus master daemon on boot:

     vi /etc/rc.local

     # Cyrus IMAP Master Daemon

if [ -x /usr/cyrus/bin/master ]; then

  echo -n ' master'; /usr/cyrus/bin/master &

fi

     
  [root] Make it stop during shutdown:

    vi /etc/rc.shutdown

     # Stop Cyrus IMAP Master Daemon

PID=`ps -axuwww | grep master | grep -v grep | awk '{print $2}'`

if [ "X$PID" != "X" ]; then

  kill $PID

fi

    
  [root] Start master daemon by hand:

    /usr/cyrus/bin/master &

  
   [root] Create the root mailbox:

    cyradm --user mailadm --auth login localhost

    IMAP Password: <enter your mailadm password here>

    localhost> cm user.root

    localhost> exit

    
  [root] And finally, we're done as root:

    exit

  


Compiling and installing Sendmail with SASL2 and Milter

  Note: this section is easier if you're root...
  Go to the sendmail source:

    cd /usr/src/gnu/usr.sbin/sendmail

    
  Make sure we're starting clean:

    make clean

  
  Add SASL libraries etc to the Makefile by executing the following
lines:

    cat >> Makefile.inc << EOF

    .if defined(WANT_SASL)

ENVDEF+= -DSASL -D_FFR_UNSAFE_SASL

LDADD+= -lsasl2 -ldb

CFLAGS+= -I/usr/local/include -I/usr/local/include/sasl

LDFLAGS+=-L/usr/local/lib -L/usr/local/BerkeleyDB.4.1/lib

.endif

    EOF

echo >> /etc/mk.conf "WANT_SASL=1"

  
  Tell make to include Milter support:

    echo >> /etc/mk.conf "WANT_LIBMILTER=1"

  
  Compile libmilter:

    cd libmilter

make

cd ..

    
  Compile and install new Sendmail:

    make

make install

make clean

  
  Create Sendmail.conf file for SASL2:

    echo "pwcheck_method: saslauthd" >
/usr/local/lib/sasl2/Sendmail.conf

  
  Create an empty Kerberos server tab (I don't remember, why I
needed this...):

    touch /etc/kerberosIV/srvtab

  


Installing NAI McAfee AntiVirus (uvscan)

  Go to the ports directory:

cd /usr/ports/security/uvscan


  
  The version used in this port didn't work for me, I had to upgrade to the newest:

vi Makefile

VERSION=    4.24.0

DISTNAME=   vlnx424e

MASTER_SITES=  http://download.nai.com/products/evaluation/virusscan/english/cmdline/linux/version_4.24/intel/

.for file in unxadmin.pdf e4240upg.pdf license.txt readme.txt


  
  Fix checksum file:

echo > distinfo "SHA1 (vlnx424e.tar.Z) = ab60091a790e5ac2f7c343158a2b599894f61c2e"

  
  Fix package list:

vi pkg/PLIST


share/doc/uvscan/unxadmin.pdf

share/doc/uvscan/e4240upg.pdf


  
  Make and install uvscan:

make install

make clean

cd ../uvscan_dat

make clean

cd /usr/ports/emulators/redhat/

make clean

  
  Create script that updates the Virus signature (DAT) files:

mkdir /data/scripts

vi /data/scripts/update_virus_dat.sh

#!/bin/sh



echo "===================================================="

echo -n "Retrieving newest virus DAT file..."

cd /usr/local/libexec/uvscan/dat

/usr/local/bin/ncftpget ftp://ftpeur.nai.com/pub/datfiles/english/dat-*.tar > /dev/null 2> /dev/null

echo "done"



cd /usr/local/libexec/uvscan

DAT_FILE=`find /usr/local/libexec/uvscan/dat -type f -cmin -60`

if [ "X$DAT_FILE" == "X" ]; then

  echo "No new virus DAT file to install. Listing DAT files:"

  echo "===================================================="

  ls -al dat

  echo "===================================================="

  exit

fi



echo "===================================================="

echo "Extracting virus DAT file '$DAT_FILE'..."

tar xvf $DAT_FILE



# removing trash

rm -fr *.ini *.txt file_id.diz packing.lst validate.exe

chown root.bin *



echo "===================================================="

echo "Newest virus DAT file installed."

echo "===================================================="

chmod 755 /data/scripts/update_virus_dat.sh

  
  Retrieve the newest DAT file:

/data/scripts/update_virus_dat.sh

====================================================

Retrieving newest virus DAT file...done

====================================================

Extracting virus DAT file '/usr/local/libexec/uvscan/dat/dat-4262.tar'...

clean.dat

file_id.diz

names.dat

packing.lst

pkgdesc.ini

reseller.txt

scan.dat

validate.exe

readme.txt

internet.dat

====================================================

Newest virus DAT file installed.

====================================================

  
  Make sure you have always an updated Virus signature file:

mkdir /usr/local/libexec/uvscan/dat

crontab -e

#
# update virus DAT every day @ 6
0       6       *       *       *       /data/scripts/update_virus_dat.sh 2>&1 | mail -s "`/bin/hostname` daily virus update" root

  


Installing and configuring SpamAssassin

  Note: you want to be root for this section
  Install required ports:

# ---- archivers

cd /usr/ports/archivers/unzip

make install && make clean

cd ../bzip2

# is already installed make install && make clean

cd ../lha

make install && make clean

cd ../unarj

make install && make clean

cd ../unrar

make install && make clean

cd ../zoo

make install && make clean

# ---- perl packages ports

cd ../p5-Compress-Zlib

make install && make clean

cd ../p5-Archive-Tar

make install && make clean

cd ../p5-Archive-Zip

make install && make clean

cd /usr/ports/converters/p5-Convert-TNEF

make install && make clean

cd /usr/ports/converters/p5-Convert-UUlib

make install && make clean

cd /usr/ports/devel/p5-Net-Server

make install && make clean

cd /usr/ports/mail/p5-SMTP-Server

make install && make clean

cd /usr/ports/security/p5-MD5

make install && make clean

  
  Install additional Perl packages used by AMaViS, Razor, SpamAssassin:

perl -MCPAN -e shell

# ---- you might have to answer a couple of questions -- answer them ;-)

install Bundle::libnet

install Bundle::LWP

# ---- you don't want to install lwp-request, lwp-mirror, lwp-rget, lwp-download
install Bundle::CPAN

install Digest::HMAC

install Digest::MD5

install Digest::Nilsimsa

install Digest::SHA1

install IO::Stringy

install MIME::Base64

install MIME::Parser

install Net::SMTP

install Net::Ping

install Net::DNS

install Time::HiRes

install URI

install Mail::Internet

install Mail::SpamAssassin


  
  Add users and groups:

vipw

_amavisd:*:100:100::0:0:Amavis Mail Scanner Daemon:/var/amavis:/sbin/nologin

spam:*:101:101::0:0:Spam Bayes Learner:/var/empty:/sbin/nologin

notspam:*:102:102::0:0:Not Spam Bayes Learner:/var/empty:/sbin/nologin

vi /etc/group

_amavisd:*:100:

spam:*:101:

notspam:*:102:

  Setup directories:

mkdir -p /var/amavis

chown _amavisd._amavisd /var/amavis

chmod 750 /var/amavis

cd /var/amavis

mkdir .spamassassin

touch .spamassassin/user_prefs

chown -R _amavisd._amavisd .spamassassin




Installing Razor

  Get, extract and install Razor agents:

cd /tmp

wget http://switch.dl.sourceforge.net/sourceforge/razor/razor-agents-2.22.tar.gz

tar xvzf razor-agents-2.22.tar.gz

cd razor-agents-2.22

perl Makefile.PL

make

make test

make install


  
  Create the default configuration files in /etc/razor:

razor-client

razor-admin -create


  
  Register yourself with the razor network. Substitute CHANGE.ME with your correct domain:

razor-admin -register -user postmaster@CHANGE.ME

  
  Copy the razor config files to the chroot directory:

cp -r /root/.razor /var/amavis

chown -R _amavisd._amavisd /var/amavis/.razor


  
Install Razor/SpamAssassin patch:

cd /usr/local/libdata/perl5/site_perl/i386-openbsd/Razor2/Client

wget http://www.ijs.si/software/amavisd/Razor2.patch

wget http://www.ijs.si/software/amavisd/Razor2.patch2

patch < Razor2.patch

patch < Razor2.patch2


  
  Turn off logging for Razor, as it doesn't rotate the logfile:

vi /var/amavis/.razor/razor-agent.conf

debuglevel    = 0

  

Installing DCC (Distributed Checksum Clearinghouse)

  Get, extract and install DCC daemon:

cd /tmp

wget http://www.dcc-servers.net/dcc/source/dcc-dccd.tar.Z

tar xvzf dcc-dccd.tar.Z

cd cd dcc-dccd-1.1.36/

./configure

make

make install

  
  Check if it's working (allow outgoing UDP on port 6277):

/usr/local/bin/cdcc 'info'

# 05/11/03 11:14:08 CEST  /var/dcc/map
# Will re-resolve names after 13:12:36
#  169.67 ms chosen delay  9 total addresses  8 working
IPv6 off

dcc.dcc-servers.net,-      RTT+0 ms    anon
# * 137.118.60.88,-        dccpub1.neonova.net        neonova server-ID 1127
#     100% of  1 requests ok  169.67+0 ms RTT           51 ms queue wait
#   153.19.44.233,-        coral.ely.pg.gda.pl        WEiAPG server-ID 1072
#     100% of  1 requests ok  321.18+0 ms RTT          246 ms queue wait
[...more lines like these...]

  
  Install DCC into AMaViS chroot directory:

mkdir -p /var/amavis/var /var/amavis/usr/bin /var/amavis/usr/libexec /var/amavis/var/dcc

mkdir -p /var/amavis/usr/lib /var/amavis/bin

cp -r /var/dcc /var/amavis/var/

cp /usr/local/bin/dccproc /var/amavis/usr/bin

cp /usr/libexec/ld.so /var/amavis/usr/libexec

cp /usr/lib/libc.so.29.0 /var/amavis/usr/lib

cp /usr/lib/libm.so.1.0 /var/amavis/usr/lib

)chown -R _amavisd._amavisd /var/amavis/var/dcc

cp /bin/sh /var/amavis/bin

  


Installing and configuring AMaViS
    
      Retrieve amavisd-new and check its MD5 checksum:

	
	  cd /tmp

	  wget http://www.ijs.si/software/amavisd/amavisd-new-20030314-p2.tar.gz

	  md5 amavisd-new-20030314-p2.tar.gz

	  MD5 (amavisd-new-20030314-p2.tar.gz) = a6c5c52237e3bc352bc2db07fface5af

	
      
      Extract and install amavisd-new:

	
	  tar xvzf amavisd-new-20030314-p2.tar.gz

	  cd amavisd-new-20030314

	  cp amavisd /usr/local/sbin/

	  chown root.wheel /usr/local/sbin/amavisd

	  chmod 550 /usr/local/sbin/amavisd

	  cp amavisd.conf /etc

	  chown root.wheel /etc/amavisd.conf

	  chmod 644 /etc/amavisd.conf

	  touch /var/amavis/amavis.log

	  chown _amavisd._amavisd /var/amavis/amavis.log

	
      
      Change the following lines in the amavis config file (don't touch the others):

	
	  vi /etc/amavisd.conf

	  
	    #

	    # Section I
	    #

	    $MYHOME = '/var/amavis';

	    $mydomain = "CHANGE.ME";

	    $daemon_user  = '_amavisd';

	    $daemon_group = '_amavisd';

	    $TEMPBASE = "$MYHOME/tmp";

	    $helpers_home = $MYHOME;

	    $daemon_chroot_dir = $MYHOME;

	    $pid_file  = "$MYHOME/amavisd.pid";

	    $lock_file = "$MYHOME/amavisd.lock";

	    

	    # SENDMAIL MILTER, using amavis-milter.c helper program:

	    $forward_method = undef;

	    $notify_method = 'pipe:flags=q argv=/usr/sbin/sendmail -Ac -i -odd -f ${sender} -- ${recipient}';

	    

	    read_hash(\%local_domains, '/var/amavis/local_domains');

	    

	    #

	    # Section II - MTA specific (defaults should be ok)

	    #

	    $relayhost_is_client = 1;
	    $inet_socket_bind = '127.0.0.1';

	    

	    #

	    # Section III - Logging

	    #

	    $log_level = 5; # NOTE: change this to something more reasonable after testing

	    

	    #
 
	    # Section IV - Notifications/DSN, BOUNCE/REJECT/DROP/PASS destiny, quarantine

	    #

	    $virus_admin = "virusalert\@$mydomain";

	    $QUARANTINEDIR = '$MYHOME/virusmails';

	    

	    #

	    # Section V - Per-recipient and per-sender handling, whitelisting, etc.

	    #

	    # -- SQL is in this section

	    

	    #

	    # Section VII - External programs, virus scanners

	    #

	    

	    # SpamAssassin settings

	    # $sa_local_tests_only = 1;

	    $sa_spam_subject_tag = '***SPAM*** ';

	  
	
      
      Compile and install milter:

	
	  cd helper-progs

	  ./configure --with-milterinc=/usr/src/gnu/usr.sbin/sendmail/include --with-milterlib=/usr/lib

	  make

	  make install