
Tuesday, February 10, 2015

OpenBSD Mail Server - Part 7, Roundcube and httpd

1.  Finally, the last bit, and pretty much optional.  If a PHP webmail client is desired, install roundcubemail and php-fpm from packages.  I decided to use sqlite3 (which is in OpenBSD base) so I did not install any database.

2.  Read the docs in /usr/local/share/doc/pkg-readmes/roundcubemail-* and the install message and perform the steps listed to enable PHP etc.

3.  Roundcube installs to /var/www/roundcubemail.  Enable httpd by adding httpd_flags="" to /etc/rc.conf.local.  Add "php_fpm" to pkg_scripts in /etc/rc.conf.local.  Copy /etc/examples/httpd.conf to /etc/httpd.conf.

4.  Put something like the following in /etc/httpd.conf:

# cat /etc/httpd.conf
...
server "mail.example.com" {
    listen on $ext_addr ssl port 443
    root "/roundcubemail"
    directory index index.php

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    ssl certificate "/etc/ssl/mail.example.com.crt"
    ssl key "/etc/ssl/private/mail.example.com.key"
}

5.  Create the sqlite3 database and give it proper permissions:

# cd /var/www/roundcubemail
# mkdir db
# sqlite3 -init SQL/sqlite.initial.sql db/sqlite.db
(type .exit to quit sqlite3)
# chown -R root:www db
# chmod 0775 db
# chmod 0660 db/sqlite.db

6.  Copy /etc/hosts to /var/www/etc/ (php-fpm runs chrooted under /var/www and needs it for name resolution).  Open up port 443 in pf, then restart pf and start php_fpm and httpd.  You may want to consider editing /etc/php-5.4.ini to set "allow_url_fopen = On" (roundcube says this is optional but recommended).

7.  Edit /var/www/roundcubemail/config/defaults.inc.php to enable the installer.  Edit /var/www/roundcubemail/config/config.inc.php so the following options are modified (the first fixes the path to the database, the second changes roundcube from using php mail to localhost, and the last bit enables two plugins, markasjunk and managesieve):

# cat /var/www/roundcubemail/config/config.inc.php
...
$config['db_dsnw'] = 'sqlite:////roundcubemail/db/sqlite.db?mode=0660';
...
$config['smtp_server'] = 'localhost';
...
// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
'archive',
'zipdownload',
'markasjunk',
'managesieve',
);

8.  Go to https://mail.example.com/installer and go through the installer.  After that is complete, remove the installer directory from /var/www/roundcubemail and edit /var/www/roundcubemail/config/defaults.inc.php to disable the installer.

9.  At this point, everything should be working.  Go back and review security options, logging options, etc. and tighten things down.  Check out this wiki page on the httpd github repo about creating a "forbidden" directory and editing /etc/httpd.conf to point certain files and directories to the forbidden directory as a way of further locking things down.

OpenBSD Mail Server - Part 6, Dovecot and Dovecot-Pigeonhole

1.  Install dovecot and dovecot-pigeonhole from packages.

2.  Edit login.conf per the docs in /usr/local/share/doc/pkg-readmes/dovecot-*.

3.  Set up Dovecot certificates per dovecot install message.

4.  Open port 993 in pf.conf for remote IMAP access.

5.  Edit /etc/dovecot/conf.d/20-lmtp.conf, uncomment the "mail_plugins" line and add "sieve" at the end.  You might need to edit /etc/dovecot/conf.d/10-mail.conf and set mail_location to Maildir (see the comments there for examples) and also /etc/dovecot/conf.d/15-lda.conf to set postmaster_address.  Personally, I also like to edit 15-mailboxes.conf and add "auto = subscribe" for the Drafts, Junk, Trash, and Sent mailboxes so they are automatically created and subscribed to.  Sometimes, I also like to add Maildir and a sieve script (perhaps with a rule to automatically drop emails that have been tagged as spam by SpamAssassin to the Junk mailbox) to /etc/skel so those are there when a new user is added.

6.  Add dovecot to pkg_scripts and start it up.

7.  Edit /etc/mail/smtpd.conf so mail is delivered to lmtp instead of ~/Maildir like the following and then restart smtpd:

# cat /etc/mail/smtpd.conf
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on lo0
listen on lo0 port 10026 tag CLAM_IN # incoming mail
listen on lo0 port 10028 tag CLAM_OUT # outgoing mail
listen on lo0 port 10036 tag SPAM_IN # incoming mail
listen on lo0 port 10029 tag DKIM_OUT # outgoing mail
listen on egress tls pki mail.example.com auth-optional
listen on egress port submission tls-require pki mail.example.com auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to maildir

# tagged mail returned from dkimproxy_out relay out
accept tagged DKIM_OUT for any relay

# tagged mail returned from spampd deliver to lmtp
accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to lmtp "/var/dovecot/lmtp"

# tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out
accept tagged CLAM_IN for any relay via smtp://127.0.0.1:10035 # send to spampd
accept tagged CLAM_OUT for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out

# start here - untagged mail is sent to clamsmtpd
accept from any for domain <vdomains> relay via smtp://127.0.0.1:10025 # incoming mail
accept from local for any relay via smtp://127.0.0.1:10027 # outgoing mail

8. So now here is what’s happening:

Incoming mail:

pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to dovecot/lmtp

Outgoing mail (unchanged from last time):

opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out

9.  Set up a sieve script in ~/.dovecot.sieve and send an email to the server in a way that triggers one of the sieve rules.  There will be something like this in /var/log/maillog:

Feb 3 22:35:34 server dovecot: lmtp(32707): Connect from local
Feb 3 22:35:34 server dovecot: lmtp(32707, joe): zyueLYaT0VTDfwAAfpiiTw: sieve: msgid=<1423020926.3895159.222819613.25E9282E@somedomain.com>: stored mail into mailbox 'Test'
Feb 3 22:35:34 server smtpd[5331]: delivery: Ok for 68ade8684466ea8c: from=<me@somedomain.com>, to=<joe@example.com>, user=joe, method=lmtp, delay=2s, stat=Delivered
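As an added example (not from the original post), here is a script for the /etc/skel idea from step 5 and the test in step 9: it writes a Maildir skeleton and a default ~/.dovecot.sieve that files SpamAssassin-flagged mail into Junk and mail with "[test]" in the subject into a Test mailbox, then syntax-checks the script with Pigeonhole's sievec when it is installed. It assumes SpamAssassin marks spam with an "X-Spam-Flag: YES" header and takes the skel directory as its first argument (defaulting to /etc/skel).

```shell
#!/bin/sh
# Constructed example: populate /etc/skel (or the directory passed as $1)
# with a Maildir skeleton and a default Sieve script for new users.
# Assumption: SpamAssassin (via spampd) adds "X-Spam-Flag: YES" to spam.

write_skel_sieve() {
    skel="${1:-/etc/skel}"

    # Maildir layout Dovecot expects when mail_location points at ~/Maildir
    for d in cur new tmp; do
        mkdir -p "$skel/Maildir/$d"
    done

    # Per-user script; doveconf above has plugin { sieve = ~/.dovecot.sieve }
    cat > "$skel/.dovecot.sieve" <<'EOF'
# "fileinto" and "mailbox" both appear in managesieve_sieve_capability;
# ":create" (mailbox extension) creates the folder if it does not exist yet.
require ["fileinto", "mailbox"];

# Mail SpamAssassin flagged as spam goes straight to Junk.
if header :is "X-Spam-Flag" "YES" {
    fileinto :create "Junk";
    stop;
}

# Rule to trigger for the step 9 test: "[test]" in the subject lands in Test.
if header :contains "subject" "[test]" {
    fileinto :create "Test";
}
EOF
    chmod 0644 "$skel/.dovecot.sieve"

    # Compile with Pigeonhole's sievec as a syntax check when it is available
    if command -v sievec >/dev/null 2>&1; then
        sievec "$skel/.dovecot.sieve" "$skel/.dovecot.svbin" && rm -f "$skel/.dovecot.svbin"
    fi
}
```

Run it as root with no argument on the server, or with a scratch directory to inspect the result first.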

10. For future reference, here is the output of "doveconf -n":

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.6 i386
first_valid_uid = 1000
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
 inbox = yes
 location =
 mailbox Drafts {
 special_use = \Drafts
 }
 mailbox Junk {
 special_use = \Junk
 }
 mailbox Sent {
 special_use = \Sent
 }
 mailbox "Sent Messages" {
 special_use = \Sent
 }
 mailbox Trash {
 special_use = \Trash
 }
 prefix =
}
passdb {
 driver = bsdauth
}
plugin {
 sieve = ~/.dovecot.sieve
 sieve_dir = ~/sieve
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = imap pop3 lmtp sieve
service managesieve-login {
 inet_listener sieve {
 port = 4190
 }
 inet_listener sieve_deprecated {
 port = 2000
 }
}
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
 driver = passwd
}
protocol lmtp {
 mail_plugins = " sieve"
}

11.  There are other tweaks that can be done with dovecot, such as disabling POP3, running SSL IMAP on a port other than 993, etc.