
Install Exim on CentOS

Author: F. Javier Lancharro Ramiro
Date added: Thursday, 02 April 2009
Last revised: Wednesday, 01 April 2009

Installing the Mail Server

In this tutorial we install a mail server built on Exim, MySQL, Cyrus-Imapd and Horde. The system will serve HTTP, HTTPS, SMTP, TLS, SMTP-AUTH, IMAP and POP3 clients, and will be able to host and manage more than one domain.

The IMP webmail client provides a powerful interface with an address book, a calendar and the ability to reset passwords, all with an extensive configuration system and the option to customise the look of the interface.

The first thing to do is update the system.

yum update

To install the required packages and their dependencies we use the RPMforge repository; install its release package with the following command (this is the 32-bit EL5 package; import the repository's GPG key first so that yum can verify what it later installs from there).

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

It is best to leave the repository disabled and enable it explicitly only when it is needed, so that packages from the stock repositories are not overwritten by RPMforge's versions.

vi /etc/yum.repos.d/rpmforge.repo

Change the line reading enabled=1 to enabled=0

[...]
enabled=0

 

Install Apache

Install Apache together with the PHP modules and PEAR packages the different services need in order to talk to each other.

yum install httpd php php-mysql php-xml php-imap php-mbstring php-mcrypt \
php-pecl-Fileinfo php-pear-DB php-pear-File php-pear-Log php-pear-Mail-Mime \
php-pear-Auth-SASL php-pear-Date php-pear-HTTP-Request php-pear-Mail php-pear-Net-Sieve \
php-pear-Net-Socket php-pear-Net-SMTP openssl mod_ssl -y

 

Install Exim

Install Exim and the required dependencies.

yum install exim system-switch-mail -y
 
Install MySQL

Install the MySQL database engine.

yum install mysql mysql-server -y

 

Install Horde

Now install the Horde web interface and the required modules. The passwd module is not packaged, so it is fetched from the Horde FTP site.

yum install horde imp-h3 ingo-h3 turba-h3 kronolith-h3 -y
wget ftp://ftp.horde.org/pub/passwd/passwd-h3-3.0.1.tar.gz
tar xzvf passwd-h3-3.0.1.tar.gz -C /usr/share/horde
mv /usr/share/horde/passwd-h3-3.0.1 /usr/share/horde/passwd

 

Install Cyrus-Imapd

Now install Cyrus-Imapd and its dependencies.

yum install db4-utils cyrus-imapd cyrus-imapd-perl cyrus-imapd-utils -y

The third-party RPM builds are preferable, as they carry numerous improvements over the packages in the CentOS or RPMforge repositories. In our case, for simplicity, we have opted for the standard ones.

 
Install Pam-MySQL
rpm -Uvh http://www.topdog-software.com/oss/pam_mysql/pam_mysql-0.7RC1-1.i386.rpm

 

Install ClamAV
yum --enablerepo=rpmforge install clamav clamav-db clamd -y

 

Install SpamAssassin
yum install spamassassin -y

 

Configure Apache

First enable name-based virtual hosting in the Apache configuration file and create the default virtual host.

vi /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@home.topdog-software.com
</VirtualHost>

Create a virtual host for Horde.

<VirtualHost *:80>
        ServerName mail.home.topdog-software.com
        DocumentRoot /usr/share/horde
        ErrorLog logs/mail-error_log
        CustomLog logs/mail-access_log common
</VirtualHost>

Enable the hardening options Horde ships in its Apache configuration file: the PHP settings Horde expects (safe_mode, magic_quotes_runtime and register_globals off, open_basedir limited to Horde, PEAR and /tmp) and the directory blocks that deny web access to the config, lib, locale, po, scripts and templates directories.

vi /etc/httpd/conf.d/horde.conf
#Alias /horde /usr/share/horde
<Directory /usr/share/horde>
    Options +FollowSymLinks
    php_admin_flag safe_mode off
    php_admin_flag magic_quotes_runtime off
    php_flag session.use_trans_sid off
    php_flag session.auto_start off
    php_admin_flag file_uploads on
    #php_admin_flag allow_url_fopen on
    php_value post_max_size 20M
    php_value upload_max_filesize 10M
    php_admin_value open_basedir "/usr/share/horde:/usr/share/horde/config:/usr/share/pear:/tmp"
    php_admin_flag register_globals off
</Directory>
<Directory /usr/share/horde/config>
    Order Deny,Allow
    Deny from all
</Directory>
<DirectoryMatch "^/usr/share/horde/(.*/)?(config|lib|locale|po|scripts|templates)/(.*)?">
    Order Deny,Allow
    Deny from all
</DirectoryMatch>

And raise PHP's memory limit in /etc/php.ini.

vi /etc/php.ini
memory_limit = 64M

Now enable Horde over SSL by adding the following lines inside the default SSL virtual host, <VirtualHost _default_:443> ... </VirtualHost>, in /etc/httpd/conf.d/ssl.conf.

ServerName mail.home.topdog-software.com:443
DocumentRoot /usr/share/horde

 

Configure Exim

Switch the system MTA to Exim with the following command and select exim in the menu it presents.

system-switch-mail

 

Antivirus / Security

Configure Exim to check incoming and outgoing mail for viruses with ClamAV. The path after clamd: must be the LocalSocket set in /etc/clamd.conf. av_scanner only tells Exim where clamd is; scanning actually happens where the malware condition is used in acl_check_data (a deny on malware = * with a suitable message), which the spam ACL later on this page does not include, so add it there ahead of the accept statements.

vi /etc/exim/exim.conf
av_scanner = clamd:/var/run/clamav/clamd.sock

 

Configure the DNS blacklists

These go under acl_check_rcpt. A drop closes the connection after the error, where deny would only reject the recipient. Check the usage terms of each list before depending on it (Spamhaus, for example, allows its public mirrors only for low-volume, non-commercial use).

drop    message  = REJECTED because $sender_host_address is in a black list spamhaus.org
        dnslists = zen.spamhaus.org
drop    message  = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
        dnslists = bl.spamcop.net
drop    message  = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
        dnslists = dnsbl.sorbs.net

 

Anti-Spam

To reject mail from servers without correctly configured reverse DNS, add the following lines under acl_check_rcpt. The drop fires only when every condition holds: the recipient domain is not listed in /etc/exim/checks_exempt_hosts (one entry per line; note that despite the file name the domains condition matches recipient domains, so to exempt particular sending hosts instead use !hosts = lsearch;/etc/exim/checks_exempt_hosts), the connecting host has no valid reverse lookup, and a callout to the sender address fails as well. Test the ACL before relying on it with exim -bh 198.51.100.7, which runs a simulated SMTP session from that address and shows which ACL statement fires.

drop    message     = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains     = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify     = reverse_host_lookup
        !verify     = sender/callout=2m,defer_ok
        !condition  = ${if eq{$sender_verify_failure}{}}

To reject mail from servers that do not send a HELO/EHLO greeting, add the following lines.

drop    message     = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition   = ${if def:sender_helo_name {false}{true}}

You can also limit the number of connections per client by adding the following under acl_check_connect: 250 connections per 15 minutes per sending host. With strict, the counter keeps advancing while the client is being refused, so a client that keeps hammering stays blocked. Exempt your own hosts and relays with a hosts condition if they legitimately exceed the limit.

deny    ratelimit   = 250 / 15m / strict
        message     = You can only send $sender_rate per $sender_rate_period
        log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
accept

Stop spam bots probing the server (main configuration section): limit the number of non-mail commands per connection and drop after the first unknown command.

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Do not advertise PIPELINING (an empty host list). Spam engines often blast commands without waiting for replies; when pipelining is not advertised, Exim's synchronization check (smtp_enforce_sync, on by default) drops clients that do so.

pipelining_advertise_hosts =

Enable the SpamAssassin checks. The path must match the --socketpath given to spamd in /etc/sysconfig/spamassassin.

spamd_address = /var/run/spamassassin/spamd.sock

Drop every message scoring above 6.0 (spam_score_int is the score times ten, hence 60). These statements go in acl_check_data before its final accept. Messages over 100 kB skip SpamAssassin, and if spamd cannot be reached the message is accepted with a note header rather than deferred (defer_ok). Both accept verbs end the ACL, so any check that must apply to every message has to come before them.

accept  condition  = ${if >={$message_size}{100000} {1}}
        add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
warn    spam       = nobody/defer_ok
        add_header = X-Spam-Flag: YES
accept  condition  = ${if !def:spam_score_int {1}}
        add_header = X-Spam-Note: SpamAssassin invocation failed
warn    add_header = X-Spam-Score: $spam_score ($spam_bar)
#       add_header = X-Spam-Report: $spam_report
drop    condition  = ${if >{$spam_score_int}{60} {1}}
        message    = Your message scored $spam_score SpamAssassin points. Report follows:\n\
                     $spam_report

 

Mail routing

Enable access to the MySQL database in the main section. The hide prefix keeps the credentials out of exim -bP output for non-admin users; the password is still in the file, so /etc/exim/exim.conf should remain readable only by root and the exim user.

hide mysql_servers = localhost/horde/horde/hordepassword

Change the local delivery router to hand mail to Cyrus, first checking that the user exists in horde_users (routers section of exim.conf). The lookup returns the local part only when a user_uid equal to local_part@domain exists, so local_parts matches real users and anything else fails with "Unknown user". Check it with exim -bt someone@yourdomain, which prints the router and transport chosen, or the reason for failure.

localuser:
  driver = accept
  local_parts = ${lookup mysql {SELECT REPLACE(user_uid,'${quote_mysql:@$domain}','') \
         as user FROM horde_users WHERE user_uid='${quote_mysql:$local_part@$domain}'}{$value}}
  transport = local_delivery
  cannot_route_message = Unknown user

Create a transport that delivers to Cyrus over its LMTP Unix socket (transports section).

local_delivery:
  driver = lmtp
  socket = /var/lib/imap/socket/lmtp
  batch_max = 50
  user = cyrus

 

SMTP authentication

Add the following to the authenticators section of /etc/exim/exim.conf. Both authenticators pass the user name and password to saslauthd under the PAM service name pop, i.e. /etc/pam.d/pop as set up in the Pam-mysql section, so SMTP AUTH checks the same horde_users table as IMAP and POP3. As written, server_advertise_condition = true offers PLAIN and LOGIN on unencrypted connections as well; to advertise them only once STARTTLS is in place, use server_advertise_condition = ${if def:tls_cipher} instead.

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $2
  server_condition = ${if saslauthd{{$2}{$3}{pop}}{1}{0}}
  server_advertise_condition = true
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}{pop}}{1}{0}}
  server_set_id = $1
  server_advertise_condition = true

 

Example configuration files

Example Exim configuration files can be found here.

Configure MySQL

Disable TCP networking in the [mysqld] section. Everything on this host reaches MySQL through the Unix socket, so there is no reason to listen on port 3306.

vi /etc/my.cnf
skip-networking

Set the root password (mysql_secure_installation does the same and also removes the anonymous accounts and the test database).

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h your_host_name password 'new-password' -p

 

Configure Horde

Edit the SQL script and change the MySQL password for the Horde user. The same password has to appear in Horde's conf.php, the pam_mysql files and Exim's mysql_servers, so choose it once and keep all of them in step.

cp /usr/share/horde/scripts/sql/create.mysql.sql .
vi create.mysql.sql
REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'horde',
-- IMPORTANT: Change this password!
        PASSWORD('hordepassword')
);

Create the Horde user in MySQL.

mysql -p < create.mysql.sql

Create the tables for Turba (address book).

mysql -p horde < /usr/share/horde/turba/scripts/sql/turba_objects.mysql.sql

Create the tables for Kronolith (calendar).

mysql -p horde < /usr/share/horde/kronolith/scripts/sql/kronolith.mysql.sql

Create the base Horde configuration. Note that md5-hex stores the plain, unsalted hex MD5 of each password; it is used here because pam_mysql (crypt=3) and the admin.sql at the end must compute the same value, but it offers little resistance to offline cracking if horde_users is ever exposed, so keep MySQL socket-only (skip-networking above) and every file holding the database password unreadable to other users.

vi /usr/share/horde/config/conf.php
<?php
$conf['debug_level'] = E_ALL;
$conf['max_exec_time'] = 0;
$conf['compress_pages'] = true;
$conf['umask'] = 077;
$conf['use_ssl'] = 2;
$conf['server']['name'] = $_SERVER['SERVER_NAME'];
$conf['server']['port'] = $_SERVER['SERVER_PORT'];
$conf['session']['name'] = 'Horde';
$conf['session']['use_only_cookies'] = true;
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path'] = '/';
$conf['sql']['username'] = 'horde';
$conf['sql']['password'] = 'hordepassword';
$conf['sql']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sql']['protocol'] = 'unix';
$conf['sql']['database'] = 'horde';
$conf['sql']['charset'] = 'iso-8859-1';
$conf['sql']['phptype'] = 'mysqli';
$conf['auth']['admins'] = array('Administrator', 'andrew@home.topdog-software.com');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['params']['driverconfig'] = 'horde';
$conf['auth']['params']['table'] = 'horde_users';
$conf['auth']['params']['username_field'] = 'user_uid';
$conf['auth']['params']['password_field'] = 'user_pass';
$conf['auth']['params']['encryption'] = 'md5-hex';
$conf['auth']['params']['show_encryption'] = false;
$conf['auth']['driver'] = 'sql';
$conf['signup']['allow'] = false;
$conf['log']['priority'] = PEAR_LOG_NOTICE;
$conf['log']['ident'] = 'HORDE';
$conf['log']['params'] = array();
$conf['log']['name'] = '/tmp/horde.log';
$conf['log']['params']['append'] = true;
$conf['log']['type'] = 'file';
$conf['log']['enabled'] = true;
$conf['log_accesskeys'] = false;
$conf['prefs']['params']['driverconfig'] = 'horde';
$conf['prefs']['driver'] = 'sql';
$conf['datatree']['params']['driverconfig'] = 'horde';
$conf['datatree']['driver'] = 'sql';
$conf['group']['driver'] = 'datatree';
$conf['cache']['default_lifetime'] = 1800;
$conf['cache']['params']['dir'] = Horde::getTempDir();
$conf['cache']['params']['gc'] = 86400;
$conf['cache']['driver'] = 'file';
$conf['token']['driver'] = 'none';
$conf['mailer']['params']['auth'] = '0';
$conf['mailer']['type'] = 'smtp';
$conf['vfs']['params']['driverconfig'] = 'horde';
$conf['vfs']['type'] = 'sql';
$conf['sessionhandler']['params']['persistent'] = false;
$conf['sessionhandler']['params']['rowlocking'] = true;
$conf['sessionhandler']['params']['socket'] = '/var/lib/mysql/mysql.sock';
$conf['sessionhandler']['params']['protocol'] = 'unix';
$conf['sessionhandler']['params']['hostspec'] = 'localhost';
$conf['sessionhandler']['params']['username'] = 'horde';
$conf['sessionhandler']['params']['password'] = 'hordepassword';
$conf['sessionhandler']['params']['database'] = 'horde';
$conf['sessionhandler']['type'] = 'mysql';
$conf['problems']['email'] = 'webmaster@home.topdog-software.com';
$conf['problems']['maildomain'] = 'home.topdog-software.com';
$conf['problems']['tickets'] = false;
$conf['menu']['apps'] = array();
$conf['menu']['always'] = true;
$conf['menu']['links']['help'] = 'authenticated';
$conf['menu']['links']['help_about'] = true;
$conf['menu']['links']['options'] = 'authenticated';
$conf['menu']['links']['problem'] = 'never';
$conf['menu']['links']['login'] = 'all';
$conf['menu']['links']['logout'] = 'authenticated';
$conf['hooks']['permsdenied'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['preauthenticate'] = false;
$conf['hooks']['postauthenticate'] = false;
$conf['hooks']['authldap'] = false;
$conf['portal']['fixed_blocks'] = array();
$conf['accounts']['driver'] = 'null';
$conf['imsp']['enabled'] = false;
$conf['kolab']['enabled'] = false;

Change the Horde preferences so that webmail is the default application.

vi /usr/share/horde/config/prefs.php

Modify $_prefs['initial_application'] so that it reads as follows.

$_prefs['initial_application'] = array(
    'value' => 'imp',
    'locked' => true,
    'shared' => true,
    'type' => 'select',
    'desc' => sprintf(_("What application should %s display after login?"), 
$GLOBALS['registry']->get('name'))
);

Make Horde run from the web server's document root: the virtual host's DocumentRoot is /usr/share/horde, so webroot is empty rather than /horde.

vi /usr/share/horde/config/registry.php

Modify $this->applications['horde'] as follows.

$this->applications['horde'] = array(
    'fileroot' => dirname(__FILE__) . '/..',
    'webroot' => '',
    'initial_page' => 'login.php',
    'name' => _("Horde"),
    'status' => 'active',
    'templates' => dirname(__FILE__) . '/../templates',
    'provides' => 'horde'
);

 

IMP configuration

Create the base IMP configuration.

vi /usr/share/horde/imp/config/conf.php
<?php
$conf['utils']['spellchecker'] = '/usr/bin/aspell';
$conf['utils']['gnupg'] = '/usr/bin/gpg';
$conf['utils']['gnupg_keyserver'] = array('pgp.mit.edu');
$conf['utils']['gnupg_timeout'] = '10';
$conf['utils']['openssl_cafile'] = '/etc/pki/tls/certs';
$conf['utils']['openssl_binary'] = '/usr/bin/openssl';
$conf['menu']['apps'] = array('ingo', 'kronolith', 'passwd', 'turba');
$conf['user']['select_sentmail_folder'] = false;
$conf['user']['allow_resume_all_in_drafts'] = true;
$conf['user']['allow_folders'] = true;
$conf['user']['allow_resume_all'] = false;
$conf['user']['allow_view_source'] = true;
$conf['user']['alternate_login'] = false;
$conf['user']['redirect_on_logout'] = false;
$conf['server']['change_server'] = false;
$conf['server']['change_port'] = false;
$conf['server']['change_protocol'] = false;
$conf['server']['change_smtphost'] = false;
$conf['server']['change_smtpport'] = false;
$conf['server']['server_list'] = 'none';
$conf['server']['sort_limit'] = '0';
$conf['server']['cache_folders'] = false;
$conf['server']['cache_msgbody'] = true;
$conf['mailbox']['show_attachments'] = false;
$conf['mailbox']['show_preview'] = false;
$conf['mailbox']['show_xpriority'] = false;
$conf['fetchmail']['show_account_colors'] = false;
$conf['fetchmail']['size_limit'] = '4000000';
$conf['msgsettings']['filtering']['words'] = './config/filter.txt';
$conf['msgsettings']['filtering']['replacement'] = '****';
$conf['spam']['reporting'] = false;
$conf['notspam']['reporting'] = false;
$conf['msg']['prepend_header'] = true;
$conf['msg']['append_trailer'] = true;
$conf['compose']['allow_cc'] = true;
$conf['compose']['allow_bcc'] = true;
$conf['compose']['allow_receipts'] = true;
$conf['compose']['special_characters'] = true;
$conf['compose']['use_vfs'] = false;
$conf['compose']['link_attachments'] = false;
$conf['compose']['add_maildomain_to_unexpandable'] = false;
$conf['compose']['attach_size_limit'] = '0';
$conf['compose']['attach_count_limit'] = '0';
$conf['hooks']['vinfo'] = false;
$conf['hooks']['signature'] = false;
$conf['hooks']['trailer'] = false;
$conf['hooks']['fetchmail_filter'] = false;
$conf['hooks']['mbox_redirect'] = false;
$conf['hooks']['mbox_icon'] = false;
$conf['hooks']['spam_bounce'] = false;
$conf['maillog']['use_maillog'] = true;
$conf['tasklist']['use_tasklist'] = true;
$conf['notepad']['use_notepad'] = true;

Create the IMP server configuration and remove the other entries. The IMAP and SMTP connections go to localhost without TLS, which is acceptable only because both ends stay on this host; the admin block gives IMP an account with Cyrus admin rights for quota and folder management and is left blank here.

vi /usr/share/horde/imp/config/servers.php
<?php
$servers['cyrus'] = array(
    'name' => 'localserver',
    'server' => 'localhost',
    'hordeauth' => 'full',
    'protocol' => 'imap/notls',
    'port' => 143,
    'maildomain' => '',
    'smtphost' => 'localhost',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'admin' => array(
        'params' => array(
            'login' => 'cyrus',
            'password' => '',
            'userhierarchy' => 'user.',
            'protocol' => 'imap/notls',
            'hostspec' => 'localhost',
            'port' => 143
        )
    ),
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(),
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
);

Stop the compose window from opening as a pop-up.

vi /usr/share/horde/imp/config/prefs.php

Change $_prefs['compose_popup'] so that it reads as follows.

$_prefs['compose_popup'] = array(
    'value' => 0,
    'locked' => true,
    'shared' => true,
    'type' => 'checkbox',
    'desc' => _("Compose messages in a separate window?"));

 

Configure Kronolith

Create the base Kronolith configuration file.

vi /usr/share/horde/kronolith/config/conf.php
<?php
$conf['calendar']['params']['table'] = 'kronolith_events';
$conf['calendar']['params']['driverconfig'] = 'horde';
$conf['calendar']['driver'] = 'sql';
$conf['storage']['params']['table'] = 'kronolith_storage';
$conf['storage']['params']['driverconfig'] = 'horde';
$conf['storage']['driver'] = 'sql';
$conf['metadata']['keywords'] = false;
$conf['reminder']['server_name'] = 'home.topdog-software.com';
$conf['reminder']['from_addr'] = 'postmaster@home.topdog-software.com';
$conf['autoshare']['shareperms'] = 'none';
$conf['menu']['print'] = true;
$conf['menu']['import_export'] = true;
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');

 

Turba configuration

Create the base Turba configuration. The entries below other than $conf['menu']['apps'] are Ingo's storage and rule settings, repeated here as in the original; Turba ignores keys it does not use, but they belong in Ingo's conf.php, which follows.

vi /usr/share/horde/turba/config/conf.php
<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true;

 

Configure Ingo

Create the base Ingo configuration.

vi /usr/share/horde/ingo/config/conf.php
<?php
$conf['menu']['apps'] = array('imp', 'kronolith', 'turba');
$conf['storage']['driver'] = 'prefs';
$conf['storage']['maxblacklist'] = 0;
$conf['storage']['maxwhitelist'] = 0;
$conf['rules']['userheader'] = true;
$conf['rules']['usefolderapi'] = true;

Configure the Ingo backend to use timsieved and remove the other backends. The port must match what timsieved listens on: cyrus.conf below binds it to localhost:sieve, i.e. the sieve entry in /etc/services, which is 2000 on CentOS 5 but 4190 on newer systems.

vi /usr/share/horde/ingo/config/backends.php
<?php
$backends['sieve'] = array(
    'driver' => 'timsieved',
    'preferred' => 'localhost',
    'hordeauth' => 'full',
    'params' => array(
        'hostspec' => 'localhost',
        'logintype' => 'PLAIN',
        'usetls' => true,
        'port' => 2000,
        'scriptname' => 'ingo',
    ),
    'script' => 'sieve',
    'scriptparams' => array()
);

 

Configure Passwd

Create the base Passwd configuration.

vi /usr/share/horde/passwd/config/conf.php 
<?php
$conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'turba');
$conf['backend']['backend_list'] = 'hidden';
$conf['user']['change'] = true;
$conf['user']['refused'] = array('root', 'bin', 'daemon', 'adm', 'lp', 'shutdown',
'halt', 'uucp', 'ftp', 'anonymous', 'nobody', 'httpd', 'operator', 'guest', 'diginext', 
'bind', 'cyrus', 'courier', 'games', 'kmem', 'mailnull', 'man', 'mysql', 'news', 
'postfix', 'sshd', 'tty', 'www');
$conf['password']['strengthtests'] = false;
$conf['hooks']['full_name'] = true;
$conf['hooks']['default_username'] = false;
$conf['hooks']['username'] = false;
$conf['hooks']['userdn'] = false;

Configure the Passwd backend to use Horde's MySQL database and remove the other backends. Revisit the password policy before going live: maxLength 8 forces users onto short passwords, which matters more than usual here because the stored hashes are unsalted MD5; raising it costs nothing.

vi /usr/share/horde/passwd/config/backends.php
<?php
$backends['hordesql'] = array (
    'name' => 'Horde Authentication',
    'preferred' => '',
    'password policy' => array(
        'minLength' => 5,
        'maxLength' => 8,
        'maxSpace' => 0,
        'minUpper' => 1,
        'minLower' => 1,
        'minNumeric' => 1,
        'minSymbols' => 1
    ),
    'driver' => 'sql',
    'params' => array_merge($conf['sql'],
                            array('table' => 'horde_users',
                                  'user_col' => 'user_uid',
                                  'pass_col' => 'user_pass',
                                  'show_encryption' => false)),
);

 

Secure the Horde installation

Remove group and world access to the configuration and scripts directories, make the version-disclosing test.php files unreadable, and delete the bundled documentation. The config directories stay owned by apache because Horde's web-based setup writes conf.php; once the configuration is final, consider handing them back to root (root:apache, mode 640) so that a compromised PHP process cannot rewrite its own configuration. Package updates reset ownership and modes, so repeat these steps after every horde upgrade. The find commands need the terminating ; escaped from the shell, and the docs directories are pruned so find does not descend into what it has just deleted.

chown apache:root -R /usr/share/horde/config
chown apache:root -R /usr/share/horde/*/config
chmod -R go-rwx /usr/share/horde/config
chmod -R go-rwx /usr/share/horde/*/config
chown -R root:root /usr/share/horde/scripts
chown -R root:root /usr/share/horde/*/scripts
chmod -R go-rwx /usr/share/horde/scripts
chmod -R go-rwx /usr/share/horde/*/scripts
chmod a-rwx /usr/share/horde/test.php
chmod a-rwx /usr/share/horde/*/test.php
find /usr/share/horde/ -iname readme -exec rm -f {} \;
find /usr/share/horde/ -iname todo -exec rm -vf {} \;
find /usr/share/horde/ -iname license -exec rm -vf {} \;
find /usr/share/horde/ -iname copying -exec rm -vf {} \;
find /usr/share/horde/ -type d -iname docs -prune -exec rm -vrf {} \;
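The following script is an added example, not part of the original tutorial: it audits what the chown/chmod/rm steps above are meant to leave behind, so it can be re-run after each package update. It takes the Horde root as an argument (defaulting to /usr/share/horde) and the function name is this script's own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): audit the results of the
# hardening steps for the Horde tree. Package upgrades reset ownership and
# modes, so re-run this after every update of the horde packages.
# Assumption: the Horde root is passed as an argument (default /usr/share/horde).

# horde_perm_audit [HORDE_ROOT] -> prints one block per finding; returns 1 if any
horde_perm_audit() {
    local root=${1:-/usr/share/horde} rc=0 bad

    # config/ and scripts/ trees (and the directories themselves) must carry no
    # group or other permission bits: they hold DB credentials and setup code.
    bad=$(find "$root" \( -path '*/config' -o -path '*/config/*' \
                          -o -path '*/scripts' -o -path '*/scripts/*' \) \
                      -perm /077 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'group/other permission bits set:\n%s\n' "$bad"; rc=1
    fi

    # test.php discloses versions and configuration; no read bit may remain.
    bad=$(find "$root" -name test.php -perm /444 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'test.php still readable:\n%s\n' "$bad"; rc=1
    fi

    # documentation files the tutorial removes (they reveal exact versions).
    bad=$(find "$root" \( -iname readme -o -iname todo -o -iname license \
                          -o -iname copying -o -iname docs \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'leftover documentation:\n%s\n' "$bad"; rc=1
    fi
    return $rc
}

# Stand-alone use: audit the live tree (exit status 1 means there is something to fix).
if [ -d /usr/share/horde ]; then
    horde_perm_audit /usr/share/horde
fi
```

Run it as root after the steps above; a clean tree produces no output and exit status 0.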

 

Configure Cyrus-imapd

Cyrus-imapd is set up here with virtual domains, Sieve, a quota of 10 MB per mailbox, and automatic creation and subscription of the standard folders. The autocreate* and createonpost options are honoured only by a Cyrus build that carries the autocreate patch (the third-party RPMs mentioned in the installation section); with the stock packages, create mailboxes with cyradm instead. With sasl_mech_list: PLAIN and allowplainwithouttls: 0, clients must negotiate STARTTLS before they can log in, which is why the separate imaps/pop3s listeners stay commented out in cyrus.conf.

Create the configuration file.

vi /etc/imapd.conf

Give it the following contents.

configdirectory: /var/lib/imap
servername: TDS-IMAP/POP3
partition-default: /var/spool/imap
virtdomains: on
defaultdomain: localhost.localdomain
admins: andrew@home.topdog-software.com
postmaster: support@home.topdog-software.com
quotawarn: 85
lmtp_over_quota_perm_failure: 1
lmtp_strict_quota: 1
autocreatequota: 10240
createonpost: 1
autocreateinboxfolders: sent-mail|drafts|spam|trash
autosubscribeinboxfolders: sent-mail|drafts|spam|trash
autocreate_sieve_script: /etc/default_sieve
autocreate_sieve_compiledscript: /etc/default_sieve_script.bc
sievedir: /var/lib/imap/sieve
md5_dir: /var/lib/imap/md5
#sievenotifier: sms
#sendsms: /usr/bin/mysmsprog
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplainwithouttls: 0
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
loglevel: info

Create the services file.

vi /etc/cyrus.conf

Give it the following contents.

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
  # replication
  # syncclient       cmd="/usr/lib/cyrus-imapd/sync_client -r"
}
# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  imaps                cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=1 proto=tcp maxchild=100 maxfds=1000 provide_uuid=1
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="localhost:sieve" prefork=0 proto=tcp maxfds=1000 provide_uuid=1
  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1
  #fud
  # fud           cmd="fud" listen="fud" prefork=1 proto="udp"
  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 maxfds=1000 provide_uuid=1
  # this is only necessary if using notifications
  notify        cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
  # replication
}
EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30 maxfds=1000
  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400
  # this is only necessary if caching TLS sessions
  #tlsprune     cmd="tls_prune" at=0400
  squat         cmd="squatter"  period=30
}

 

Configure Pam-mysql

Pam-mysql authenticates the Cyrus-imapd services (and, through saslauthd, Exim's SMTP AUTH) against the Horde user table in MySQL. crypt=3 tells pam_mysql that user_pass holds the hex MD5 of the password, the same value Horde's md5-hex encryption writes. auth optional is sufficient only because pam_mysql is the sole module in each stack: an optional module's verdict is used when no other module has decided. The files contain the database password, so keep them mode 0600.

Enable the services by creating the following files. Each entry is a single line.

vi /etc/pam.d/imap
auth       optional     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3
account    required     pam_mysql.so user=horde passwd=hordepassword host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3

Create /etc/pam.d/pop, /etc/pam.d/sieve, /etc/pam.d/lmtp and /etc/pam.d/csync with exactly the same two lines.
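Five hand-edited copies of the same two lines invite typos, and a broken line in one file silently breaks one protocol. The script below is an added example, not part of the original tutorial, that writes all five service files from one template and then verifies them. It assumes the database, table and column names used above; the target directory is a parameter so it can be tried outside /etc/pam.d, and the function names are this script's own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): generate the identical
# pam_mysql service files from one template instead of hand-editing each.
# Assumes the tutorial's database, table and column names.

PAM_SERVICES="imap pop sieve lmtp csync"
PAM_MYSQL_OPTS="host=/var/lib/mysql/mysql.sock db=horde table=horde_users usercolumn=user_uid passwdcolumn=user_pass crypt=3"

# pam_mysql_line TYPE CONTROL DBUSER DBPASS -> one complete PAM line
pam_mysql_line() {
    printf '%-10s %-12s pam_mysql.so user=%s passwd=%s %s\n' "$1" "$2" "$3" "$4" "$PAM_MYSQL_OPTS"
}

# write_cyrus_pam DBUSER DBPASS [PAMDIR] -> writes each service file, mode 0600
write_cyrus_pam() {
    local dbuser=$1 dbpass=$2 pamdir=${3:-/etc/pam.d} svc
    for svc in $PAM_SERVICES; do
        (
            umask 077          # the files carry the database password
            {
                echo "#%PAM-1.0"
                pam_mysql_line auth    optional "$dbuser" "$dbpass"
                pam_mysql_line account required "$dbuser" "$dbpass"
            } > "$pamdir/$svc"
        )
    done
}

# verify_cyrus_pam [PAMDIR] -> 0 if every service has both stanzas, each with a
# host= key, and is mode 0600; otherwise prints what is wrong and returns 1
verify_cyrus_pam() {
    local pamdir=${1:-/etc/pam.d} svc rc=0 mode
    for svc in $PAM_SERVICES; do
        if ! grep -q '^auth .*pam_mysql\.so .*host=' "$pamdir/$svc" 2>/dev/null ||
           ! grep -q '^account .*pam_mysql\.so .*host=' "$pamdir/$svc" 2>/dev/null; then
            echo "BAD: $pamdir/$svc is missing a complete auth or account line" >&2
            rc=1
        fi
        mode=$(stat -c %a "$pamdir/$svc" 2>/dev/null)
        if [ "$mode" != "600" ]; then
            echo "BAD: $pamdir/$svc is mode ${mode:-missing}, expected 600" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use on the live system (as root):
#   write_cyrus_pam horde hordepassword && verify_cyrus_pam
```

After writing the files, restart saslauthd and cyrus-imapd and check a login with an IMAP client before moving on.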

 

Configure Saslauthd

Edit the following file as shown. MECH=pam hands every check to PAM under the service name the caller supplies (imap, pop, sieve and so on), which is where the pam_mysql files above come in. In FLAGS, -r passes the user name together with its realm as user@domain, the form stored in user_uid; -n 0 forks a fresh worker for each request instead of keeping a fixed pool; -c ca
ches successful results, so a changed password keeps working until the cache entry expires.

vi /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-r -n 0 -c"

 

Configure ClamAV

Add the clamav user to the exim group so that clamd can read the spool files Exim asks it to scan. Use -a: without it usermod replaces the user's supplementary groups instead of adding one.

usermod -a -G exim clamav

Change the socket location and disable TCP. The path must be exactly the one given to av_scanner in exim.conf.

vi /etc/clamd.conf
LocalSocket /var/run/clamav/clamd.sock
#TCPSocket 3310
#TCPAddr 127.0.0.1

Install the Sanesecurity signatures. The updater is fetched over plain HTTP and then executed hourly as root from cron, so read it before running it and treat any later change to it with the same care.

wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh

Enable a local SELinux module for ClamAV. Create the file clamdlocal.te with the following contents. The usual way to derive such a module is from the denials in /var/log/audit/audit.log with audit2allow; the rules below give clamd read access to /proc and the spool and write access to var_t, which is broader than ideal.

module clamdlocal 1.0;
require {
type proc_t;
type var_t;
type sysctl_kernel_t;
type var_spool_t;
type clamd_t;
class dir { write search read remove_name add_name };
class file { write getattr read lock create unlink };
}
#============= clamd_t ==============
allow clamd_t proc_t:file { read getattr };
allow clamd_t sysctl_kernel_t:dir search;
allow clamd_t sysctl_kernel_t:file read;
allow clamd_t var_spool_t:dir read;
allow clamd_t var_spool_t:file { read getattr };
allow clamd_t var_t:dir { write read add_name remove_name };
allow clamd_t var_t:file { write getattr read lock create unlink };

Compile and load the module.

checkmodule -M -m -o clamdlocal.mod clamdlocal.te
semodule_package -o clamdlocal.pp -m clamdlocal.mod
semodule -i clamdlocal.pp

 

Configure SpamAssassin

Set the startup options as follows. The socket path is the one spamd_address in exim.conf points at, and the socket is owned by exim so Exim can connect to it; -l allows learn/report requests from spamc, -H uses a helper home directory and -m 10 caps the number of child processes (replacing the stock file's -m5 rather than repeating it).

vi /etc/sysconfig/spamassassin
SPAMDOPTIONS="-l -d -c -m 10 -H --socketpath=/var/run/spamassassin/spamd.sock --socketowner=exim"
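Three files each carry a copy of the same two socket paths: av_scanner in exim.conf must equal LocalSocket in clamd.conf, and spamd_address in exim.conf must equal the --socketpath given to spamd here. A typo in any one of them (clamd.sock in one place and clamd.socket in another, for instance) only shows up as scan failures at run time. The script below is an added example, not part of the original tutorial, that extracts the values and compares them; it handles the Unix-socket form of av_scanner only, and the function names are this script's own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): cross-check the Unix socket
# paths that Exim, clamd and spamd must agree on. Handles the Unix-socket form
# of av_scanner only (clamd:/path).

# exim_value FILE KEY -> value of "KEY = value" in an Exim main section (last match wins)
exim_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# clamd_value FILE KEY -> value of "KEY value" in clamd.conf (commented lines ignored)
clamd_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# spamd_socketpath FILE -> the --socketpath= argument inside SPAMDOPTIONS
spamd_socketpath() {
    sed -n 's/.*--socketpath=\([^"[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# check_sockets EXIM_CONF CLAMD_CONF SPAMASSASSIN_SYSCONFIG
# Prints one line per comparison; returns 0 only when both pairs agree.
check_sockets() {
    local exim_conf=$1 clamd_conf=$2 sa_sysconfig=$3 rc=0
    local av clamsock spamd sasock

    av=$(exim_value "$exim_conf" av_scanner)
    av=${av#clamd:}                       # av_scanner = clamd:/path -> /path
    clamsock=$(clamd_value "$clamd_conf" LocalSocket)
    if [ -n "$av" ] && [ "$av" = "$clamsock" ]; then
        echo "ok: clamd socket $av"
    else
        echo "MISMATCH: exim av_scanner='$av' clamd LocalSocket='$clamsock'"
        rc=1
    fi

    spamd=$(exim_value "$exim_conf" spamd_address)
    sasock=$(spamd_socketpath "$sa_sysconfig")
    if [ -n "$spamd" ] && [ "$spamd" = "$sasock" ]; then
        echo "ok: spamd socket $spamd"
    else
        echo "MISMATCH: exim spamd_address='$spamd' spamd --socketpath='$sasock'"
        rc=1
    fi
    return $rc
}

# Stand-alone use against the live files from this tutorial:
if [ -f /etc/exim/exim.conf ] && [ -f /etc/clamd.conf ] && [ -f /etc/sysconfig/spamassassin ]; then
    check_sockets /etc/exim/exim.conf /etc/clamd.conf /etc/sysconfig/spamassassin
fi
```

Run it after any edit to one of the three files; a non-zero exit status means Exim would fail to reach one of the scanners.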

Enable a local SELinux module for spamd. Create the file spamdlocal.te with the following contents; it lets spamd create and chown the Unix socket configured above.

module spamdlocal 1.0;
require {
        type spamd_t;
        type spamd_var_run_t;
        class capability { fowner chown kill };
        class sock_file { write create unlink getattr setattr };
}
#============= spamd_t ==============
allow spamd_t self:capability { fowner chown kill };
allow spamd_t spamd_var_run_t:sock_file { write create unlink getattr setattr };

Compile and install the module.

checkmodule -M -m -o spamdlocal.mod spamdlocal.te
semodule_package -o spamdlocal.pp -m spamdlocal.mod
semodule -i spamdlocal.pp

 

Final touches

Disable any services you do not need (the original refers to a script for this that is not reproduced here). Enable the services installed above so that they start at boot, then restart them in dependency order: MySQL and saslauthd first, since Exim, Cyrus and Horde authenticate through them.

chkconfig --level 234 exim on
chkconfig --level 234 mysqld on
chkconfig --level 234 spamassassin on
chkconfig --level 234 clamd on
chkconfig --level 234 httpd on
chkconfig --level 234 saslauthd on
chkconfig --level 234 cyrus-imapd on
service mysqld restart
service saslauthd restart
service spamassassin restart
service clamd restart
service exim restart
service cyrus-imapd restart
service httpd restart

To create the admin user, create the file admin.sql with the following contents.

USE horde;
REPLACE INTO horde_users (user_uid,user_pass)
    VALUES (
        'andrew@home.topdog-software.com',
-- Change this
        md5('verystrongpassword')
);

Change the password to one that meets your needs, then load the user into the database.

mysql -p horde < admin.sql
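The following is an added example, not part of the original tutorial, that produces the same admin.sql without writing the clear-text password into a file or into shell history. Horde's md5-hex, pam_mysql's crypt=3 and MySQL's md5() all store the same unsalted hex MD5, so the hash can be computed locally with md5sum and only the hash goes into the statement. It assumes coreutils md5sum and the table and column names used above; the helper names are this script's own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): build admin.sql from a hash
# computed locally, so the clear-text password never lands in a .sql file or
# in shell history. Horde 'md5-hex', pam_mysql crypt=3 and MySQL md5() all
# store the same unsalted hex MD5, which is what md5sum produces.
# Assumes coreutils md5sum.

# md5_hex PASSWORD -> 32 lowercase hex characters (equal to MySQL md5())
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# sql_escape STRING -> STRING usable inside a single-quoted MySQL literal
sql_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# admin_user_sql EMAIL PASSWORD -> the REPLACE statement for admin.sql
admin_user_sql() {
    local uid hash
    uid=$(sql_escape "$1")
    hash=$(md5_hex "$2")
    printf "USE horde;\nREPLACE INTO horde_users (user_uid, user_pass) VALUES ('%s', '%s');\n" "$uid" "$hash"
}

# verify_hash PASSWORD STORED_HASH -> 0 when STORED_HASH is the md5-hex of PASSWORD
# (the same comparison pam_mysql crypt=3 makes at login)
verify_hash() {
    [ "$(md5_hex "$1")" = "$2" ]
}

# Stand-alone use (reads the password without echo, then loads the user):
#   read -rs -p 'Admin password: ' pw; echo
#   admin_user_sql andrew@home.topdog-software.com "$pw" | mysql -p horde
```

Because the hash is unsalted, anyone who can read horde_users can test candidate passwords against it offline at full speed; that is one more reason to keep the policy in passwd's backends.php permissive on length.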

For the firewall, add the following rules. Replace 192.168.1.4 (presumably the server's own address in the original) with this host's address. Because the OUTPUT policy is DROP, only packets sourced from that address leave the host, so loopback traffic (Horde talking to IMAP and SMTP on localhost) needs its own OUTPUT rule as well; the original set lacked it. Sieve (port 2000) is deliberately not opened: timsieved listens on localhost only and Ingo reaches it there. Consider restricting port 22 to your management network with -s.

vi /etc/sysconfig/iptables
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,110,143 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
COMMIT

 

Comments (1)

Santiago said:

Hi, one question: what do you define in the file /etc/exim/checks_exempt_hosts?

March 04, 2010
Votes: +1
