Old Installation of Exim4, DoveCot, SquirrelMails, Debian 5, Debian 6
Debian 5/6, there is a new installation instruction for Debian 7: Installation of Exim4, DoveCot, SquirrelMails
Original installation instructions
First of all, this is really just a composition of the links which I list at the bottom.
Goals
- Exim 4 on a debian 5.0 (6.x) virtual machine
- DoveCot as IMAP-Server
- SquirrelMails as WebInterface via self signed SSL
- The whole thing for two domains at once
Exim 4
apt-get install exim4-daemon-heavy eximon4 exim4-doc-info gnutls-bin openssl file libmail-spf-query-perl swaks bsd-mailx ca-certificates dpkg-reconfigure exim4-config
- ::1 is 127.0.0.1 in ip6
- not mbox but maildir!
- split files
- Error: socket bind() to port 25 for address ::1 failed: Cannot assign requested address: daemon abandoned
- redo "dpkg-reconfigure exim4-config" but don't use ::1
- Test the server with
echo "hello" | mail -s "a test email" yourMail@yourDomain.com
- Read mail with
TLS for SMTP
- install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl
apt-get install openssl swaks libnet-ssleay-perl
- create the certificat (change DAYS depending on your wishes)
/usr/share/doc/exim4-base/examples/exim-gencert
- create file /etc/exim4/conf.d/main/001_local with
MAIN_TLS_ENABLE = 1
- test the server with
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
disable ipv6
add to /etc/exim4/update-exim4.conf.conf
disable_ipv6='true'
add to /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.eth0.disable_ipv6 = 1
restart the server
shutdown -r now
DoveCot
- Install it
apt-get install dovecot-imapd
- edit /etc/dovecot/dovecot.conf
protocols = imap sieve mail_location = maildir:~/mail
- and perhaps, not sure about it
# Number of authentication processes to create count = 1
This will set ~/mail/ as the directoy for the mail
- require ssl in conf.d/10-ssl.conf
ssl = required
LDA
Search for "protocol lda" and enable the following code
grep -r lda /etc/dovecot/*
protocol lda { postmaster_address = postmaster@<yourDomain.com> mail_plugins = sieve }
Disable plaintext authentication
Uncomment
#disable_plaintext_auth = yes
Enable the authenticator socket
Look for this line in the default configuration, and uncomment the socket section below it.
socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 } client { path = /var/run/dovecot/auth-client mode = 0666 } }
- restart dovecot
Create a Dovecot transport for Exim
- create /etc/exim4/conf.d/transport/20_dovecot
dovecot: driver = pipe command = /usr/lib/dovecot/deliver message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
Configure Exim to use the Dovecot transport for local deliveries
I am not sure about this. I think you should not use it !
- edit /etc/exim4/conf.d/router/900_exim4-config_local_user
change
transport = LOCAL_DELIVERY
to
transport = dovecot
- edit /etc/exim4/conf.d/auth/30_exim4-config_examples (or if know where to do it right...) and add
plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 login: driver = dovecot public_name = LOGIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1
- make sure other plain/login sections are disabled
Apache 2
- install it
apt-get install apache2 apache2-doc
- enable SSL
a2enmod ssl
- diable http site
a2dissite default
- enable https site
a2ensite default-ssl
- Edit the file /etc/apache2/ports.conf. Comment out the following two lines:
NameVirtualHost *:80 Listen 80
- edit /etc/apache2/sites-available/default-ssl
from
<VirtualHost _default_:443>
to
<VirtualHost *:443>
- set the ServerName sub.domain.xx (/etc/apache2/sites-available/default-ssl)
- restart apache
- connect to https://domain (don't forget your firewall)
Point to new certs
edit /etc/apache2/sites-enabled/default-ssl (or whatever you use) change
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to
SSLCertificateFile /etc/exim4/exim.crt SSLCertificateKeyFile /etc/exim4/exim.key
Configure Apache to authenticate local users (not working for Debian 5 - only from 6 !)
- install it
apt-get install libapache2-mod-authnz-external
- activate it
a2enmod authnz_external
Edit /etc/apache2/sites-available/default-ssl and add a block like this near to the top. (There's a full example configuration file you can see below).
AddExternalAuth pwauth /usr/sbin/pwauth SetExternalAuthMethod pwauth pipe <Location /> AuthBasicProvider external AuthExternal pwauth AuthName Hinterlands AuthType basic Require valid-user </Location>
Restart Apache and reload the page you visited before, and you should now be prompted for your username and password. Everything transmitted is encrypted, so you should feel reasonable secure in sending your credentials along, browsers caches and password managers excepted.
SquirrelMail
- install it
apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode avelsieve wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell
- check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like
if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)
below that look for
$location = 'http:// ....
If you find it, replace it with
$location = 'https:// ....
- call /etc/squirrelmail/conf.pl
Options you will definitely need to check are:
(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.) Use ports 25 and 143.
- 1 1 - Set your own organisation name.
- 2 3 - SMTP
- 2 A 4 - localhost
- 2 A 5 - 25
- 2 A 6 - login
- 2 A 7 - true
- 2 A 8 - dovecot
Plugins
- get new plugins from [1] and unzip them to /usr/share/squirrelmail/plugins/
and activate them with
/etc/squirrelmail/conf.pl
Check in /etc/php5/apache2/php.ini:
- post_max_size
- upload_max_filesize
Tests
openssl s_client -connect 127.0.0.1:993 -showcerts echo "hello" | mail -s "a test email" yourMail@yourDomain.com swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost
pk12
- create a pk12 key:
openssl pkcs12 -export -in /etc/exim4/exim.crt -inkey /etc/exim4/exim.key \ -out <your-domain>.p12 -name "<something to recognize>"
Thunderbird
Perhaps you will have to give Thunderbird wrong data when you create the account. Tell him the real ports, but protocols and passwords are plain. No idea, why I had to do that.
Spam Assassin
the following is from sysadmin world
- install spamassassin and the exim filter
apt-get install sa-exim spamassassin
- start on each boot: /etc/default/spamassassin
ENABLED=1
- start
service spamassassin start
- in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
- enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.
#SAEximRunCond: 0
Logging:
SAEximDebug: 0
- activate changes in /etc/exim4/exim4.conf.template
/usr/sbin/update-exim4.conf
- restart exim
/etc/init.d/exim4 restart
Dovecot certificate recreate
- create key
openssl genrsa -out /etc/ssl/private/dovecot.pem 1024
- create cert
openssl req -new -x509 -key /etc/ssl/private/dovecot.pem -out /etc/ssl/certs/dovecot.pem -days 4500
Outlook
In the dovecot config file make sure you have allowed "login"
mechanisms = plain login