Step 0: What do we want to achieve

In this document, I will describe the installation of a DSPAM server 'from scratch'.
At the end of this guide, your new mailserver will be able to offer SMTP, POP3 and IMAP4.

If you simply require a mailserver which relays the mail - after scanning - onto another server, this is also possible.

This guide will build all the packages from source and therefore will not be distribution-specific.
This guide is based on Slackware v10.2, and where possible
I will try to deal with the distribution differences (i.e. primary paths).

The following programs will be used in this guide:
* ClamAV 0.88.5 (http://www.clamav.net)
* SpamAssassin 3.1.5 (http://spamassassin.apache.org)
* MySQL 5.0.24a (http://www.mysql.org)
* DSpam 3.6.8 (http://dspam.nuclearelephant.com)
* Exim 4.63 (http://www.exim.org)
* Courier Authentication Library 0.58 (http://www.courier-mta.org/authlib/)
* Courier-IMAP 4.1.1 (http://www.courier-mta.org/imap/)
* Apache 2.0.59 (http://httpd.apache.org)
* mod_auth_mysql 3.0.0 (http://sourceforge.net/projects/modauthmysql)


Other references:
Thanks to Ian Armstrong for his example of DSPAM / Exim with local users: www.openmail.cc.
Step 1: Preparation of the system

We will be using the following users for this installation. You will need to create these users if they do not exist.

User     Group    Description            Home
exim     mail     The Exim user          /var/spool/exim
courier  mail     The Courier user       /home/mail
dspam    mail     The DSPAM user         /home/dspam
spamd    mail     The SpamAssassin user  /tmp
clamav   mail     The ClamAV user        /tmp
mysql    mysql    The MySQL user         /home/mysql
nobody   nogroup  The Apache user        /home/apache

If you are setting up a relay only server, the user courier is not required.
Step 2: Incidental remarks

I assume the reader of this document knows how to download and unpack source tarballs.
I also assume the reader of this document can add new users to the system
and is able to use a text editor to adapt scripts if necessary.
If this is not the case, then this document is unfortunately unsuitable.

Before we proceed to the installation guide, a few remarks:
Do not simply Cut & Paste the examples without knowing what they will do.

The user should download the source tarballs to the following directory /usr/src/tarballs
and all directory references in this document will point to /usr/src.

Step 3: Clam Antivirus Installation

First off we install the virus scanner with the following configuration:

root@box:/usr/src # tar xzf tarballs/clamav-0.88.5.tar.gz
root@box:/usr/src # cd clamav-0.88.5/
root@box:/usr/src # ./configure --prefix=/usr/local/clamav-0.88.5 --sysconfdir=/etc/clamav --with-libcurl --with-user=clamav --with-group=mail --with-dbdir=/home/clamav --disable-clamuko
root@box:/usr/src # make
root@box:/usr/src # make install

Explanation of the commands:
I prefer each program that I install 'specially' to reside in its own directory,
so that I always have an overview of the installed versions/programs by simply listing the contents of /usr/local.
In this case the virus scanner is installed into the directory /usr/local/clamav-0.88.5.
The configuration file for ClamAV is found in /etc/clamav and the program runs as the user clamav.
Step 3a: Creating the necessary directories

root@box:/usr/src # mkdir /var/log/clamav
root@box:/usr/src # mkdir /var/run/clamav
root@box:/usr/src # chown clamav.mail /var/log/clamav
root@box:/usr/src # chown clamav.mail /var/run/clamav
Step 3b: Edit the configuration files

The configuration files for ClamAV are clamd.conf and freshclam.conf.
Use the following options for configuring ClamAV in clamd.conf:

LogFile /var/log/clamav/clamd.log
LogTime
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /tmp/clamd
SelfCheck 600
User clamav
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ScanRAR

Freshclam keeps the virus scanner up to date, and I use the following options in freshclam.conf:

UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
# db.XY.clamav.net - corresponds to the TLD: http://www.iana.org/cctld/cctld-whois.htm
DatabaseMirror db.de.clamav.net
DatabaseMirror database.clamav.net
Checks 24
NotifyClamd
Step 3c: Start / Stop Scripts

Here is a script which I use to start and stop ClamAV. It resides in /etc/rc.d.
All scripts in the /etc/rc.d directory have the prefix rc.,
which makes this file rc.clamav, and it has the following contents:
#!/bin/sh

_start() {
/usr/local/clamav-0.88.5/sbin/clamd
/usr/local/clamav-0.88.5/bin/freshclam -d
}

_stop() {
# clamd.conf above sets PidFile to /var/run/clamav/clamd.pid
if [ -r /var/run/clamav/clamd.pid ]; then
kill `cat /var/run/clamav/clamd.pid`
else
killall clamd
fi

if [ -r /var/run/clamav/freshclam.pid ]; then
kill `cat /var/run/clamav/freshclam.pid`
else
killall freshclam
fi
}

_restart() {
_stop
sleep 1
_start
}

case "$1" in
'start')
_start
;;
'stop')
_stop
;;
'restart')
_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.clamav
-rwxr--r-- 1 root root 540 2006-08-28 10:57 /etc/rc.d/rc.clamav
Step 3d: Final word

The virus scanner keeps its logfiles in /var/log/clamav and writes the PID file to /var/run/clamav.
It also creates a socket in the /tmp directory.
Now ClamAV is finished, let's move on to SpamAssassin.

Step 4: SpamAssassin Installation

SpamAssassin is best installed via CPAN with the following command:
root@box:/usr/src # cpan -i Mail::SpamAssassin
If all the necessary packages are found, the installation should be problem free.
If however the installation is not problem free, you may need to install some of the packages required by Spamassassin:

Digest::SHA1
HTML::Parser
Net::DNS
Mail::SPF::Query
IP::Country
Net::Ident
IO::Socket::INET6
IO::Socket::SSL
LWP::UserAgent
HTTP::Date
Archive::Tar
IO::Zlib

These packages can be installed manually with the following command:
root@box:/usr/src # cpan -i Digest::SHA1 HTML::Parser Net::DNS Mail::SPF::Query IP::Country Net::Ident IO::Socket::INET6 IO::Socket::SSL LWP::UserAgent HTTP::Date Archive::Tar IO::Zlib Module::Signature

Most of these packages have dependencies of their own, but these are checked during the installation process and
installed along with them where necessary.
Once these complete, you should be able to install SpamAssassin:
root@box:/usr/src # cpan -i Mail::SpamAssassin
Step 4a: Creating the necessary directories

SpamAssassin works well enough without any additional directories, so this step can be skipped.
Step 4b: Start / Stop Scripts

This script has the name rc.spamd and contains the following:

#!/bin/sh

_start() {
/usr/bin/spamd -d -i 127.0.0.1 -r /var/run/spamd.pid -u spamd -g mail -x --socketpath=/tmp/spamd
}

_stop() {
if [ -r /var/run/spamd.pid ]; then
kill `cat /var/run/spamd.pid`
else
killall spamd
fi
}

_restart() {
_stop
sleep 1
_start
}

case "$1" in
'start')
_start
;;
'stop')
_stop
;;
'restart')
_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.spamd
-rwxr--r-- 1 root root 414 2006-08-28 11:24 /etc/rc.d/rc.spamd
Step 4c: Final word

Spamassassin runs as the user spamd, puts its PID file in /var/run and creates a socket in /tmp.
Now SpamAssassin is finished, let's move on to MySQL.

Step 5: MySQL Installation

MySQL can be installed with the following configuration:

root@box:/usr/src # tar xzf tarballs/mysql-5.0.24.tar.gz
root@box:/usr/src # cd mysql-5.0.24
root@box:/usr/src # ./configure --prefix=/usr/local/mysql-5.0.24 --sysconfdir=/etc/mysql --enable-assembler --with-unix-socket-path=/tmp/mysql --with-openssl --without-debug --with-mysqld-user=mysql --without-bench --without-docs --without-man
If the database server and the mail server run on different machines, the mail server naturally does not need the full package;
the client libraries are sufficient:
root@box:/usr/src # ./configure --prefix=/usr/local/mysql-5.0.24 --sysconfdir=/etc/mysql --enable-assembler --with-unix-socket-path=/tmp/mysql --with-openssl --without-debug --with-mysqld-user=mysql --without-bench --without-docs --without-man --without-server
root@box:/usr/src # make
root@box:/usr/src # make install

Step 5a: Creating the necessary directories

root@box:/usr/src # mkdir /var/log/mysql
root@box:/usr/src # mkdir /var/run/mysql
root@box:/usr/src # mkdir /home/mysql
root@box:/usr/src # mkdir /etc/mysql
root@box:/usr/src # chown mysql.mysql /var/log/mysql
root@box:/usr/src # chown mysql.mysql /var/run/mysql
root@box:/usr/src # chown mysql.mysql /home/mysql

Step 5b: Edit the configuration files

The configuration file for the MySQL server is /etc/mysql/my.cnf and contains the following:

[client]
port = 3306
socket = /tmp/mysql
[mysqld]
port = 3306
socket = /tmp/mysql
skip-locking
key_buffer = 16M
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
skip-networking
datadir = /home/mysql
basedir = /usr/local/mysql-5.0.24
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
[isamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M
[myisamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M
[mysqlhotcopy]
interactive-timeout
Step 5c: Create the database

root@box:/usr/src # /usr/local/mysql-5.0.24/bin/mysql_install_db
root@box:/usr/src # chown mysql.mysql /home/mysql -R

The MySQL database files can now be found in /home/mysql/mysql.
Step 5d: Start / Stop Scripts

This script has the name rc.mysql and contains the following:

#!/bin/sh

_start() {
/usr/local/mysql-5.0.24/bin/mysqld_safe --pid-file=/var/run/mysql/mysql.pid &
}

_stop() {
if [ -r /var/run/mysql/mysql.pid ]; then
kill `cat /var/run/mysql/mysql.pid`
else
killall mysqld_safe
fi
}

_restart() {
_stop
sleep 1
_start
}

case "$1" in
'start')
_start
;;
'stop')
_stop
;;
'restart')
_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.mysql
-rwxr--r-- 1 root root 413 2006-08-28 11:43 /etc/rc.d/rc.mysql
Step 5e: Setting the root password

In order to set a root password, start the MySQL server and then use the mysqladmin command to set the password:
root@box:/usr/src # /usr/local/mysql-5.0.24/bin/mysqladmin -u root password 'new-password'

You should replace 'new-password' with your own chosen password.
Step 5f: Final word

So that other programs can find the MySQL library files, the file /etc/ld.so.conf must be edited with the following entry:
/usr/local/mysql-5.0.24/lib/mysql/
Now update the system configuration:
root@box:/usr/src # ldconfig

The MySQL server runs as the user mysql, puts its PID file in /var/run/mysql and creates a socket in /tmp.
Now MySQL is finished, let's move on to DSPAM.

Step 6: DSPAM Installation

DSPAM can be installed with the following configuration:

root@box:/usr/src # tar xzf tarballs/dspam-3.6.8.tar.gz
root@box:/usr/src # cd dspam-3.6.8/
root@box:/usr/src # ./configure --sysconfdir=/etc/mail/dspam --prefix=/usr/local/dspam-3.6.8 --enable-daemon --enable-syslog --enable-long-usernames --enable-large-scale --enable-virtual-users --with-dspam-home=/home/dspam --with-dspam-home-owner=dspam --with-dspam-home-group=mail --with-logfile=/var/log/dspam/dspam.log --with-logdir=/var/log/dspam --with-storage-driver=mysql_drv --with-mysql-includes=/usr/local/mysql-5.0.24/include/mysql --with-mysql-libraries=/usr/local/mysql-5.0.24/lib/mysql --enable-preferences-extension
root@box:/usr/src # make
root@box:/usr/src # make install
Step 6a: Creating the necessary directories

root@box:/usr/src # mkdir /var/run/dspam
root@box:/usr/src # chown dspam.mail /var/run/dspam
root@box:/usr/src # cp -a /usr/src/dspam-3.6.8/txt /home/dspam
root@box:/usr/src # chown dspam.mail /home/dspam -R
root@box:/usr/src # rm /home/dspam/txt/Makefile*
Step 6b: Edit the configuration files

The configuration file for DSPAM (dspam.conf) is located in /etc/mail/dspam and contains the following:

Home /home/dspam
StorageDriver /usr/local/dspam-3.6.8/lib/libmysql_drv.so
TrustedDeliveryAgent "/usr/local/exim-4.63/bin/exim -oMr spam-scanned"
DeliveryHost 127.0.0.1
DeliveryPort 25
OnFail error
Trust root
Trust dspam
Trust exim
TrainingMode teft
TestConditionalTraining on
Feature chained
Feature whitelist
Algorithm graham burton
PValue graham
ImprobabilityDrive on
Preference "spamAction=quarantine"
Preference "signatureLocation=message"
Preference "showFactors=on"
AllowOverride trainingMode
AllowOverride spamAction spamSubject
AllowOverride statisticalSedation
AllowOverride enableBNR
AllowOverride enableWhitelist
AllowOverride signatureLocation
AllowOverride showFactors
AllowOverride optIn optOut
AllowOverride whitelistThreshold
MySQLServer /tmp/mysql
MySQLPort
MySQLUser dspam
MySQLPass 'dspam-password'
MySQLDb dspam
MySQLCompress true
MySQLConnectionCache 10
MySQLVirtualTable dspam_virtual_uids
MySQLVirtualUIDField uid
MySQLVirtualUsernameField username
MySQLUIDInSignature on
HashRecMax 98317
HashAutoExtend on
HashMaxExtents 0
HashExtentSize 49157
HashMaxSeek 100
HashConnectionCache 10
Notifications on
PurgeSignatures 14
PurgeNeutral 90
PurgeUnused 90
PurgeHapaxes 30
PurgeHits1S 15
PurgeHits1I 15
LocalMX 127.0.0.1
SystemLog on
UserLog on
Opt out
ServerPID /var/run/dspam/dspam.pid
ServerMode dspam
ServerDomainSocketPath "/tmp/dspam"
ClientHost /tmp/dspam
ProcessorBias on

The password 'dspam-password' is the password DSPAM uses to connect to the database.
In this configuration, DSPAM writes the signature in the body of the email.
If you wish the signature to be in the headers, simply change this line:
Preference "signatureLocation=message"
to this:
Preference "signatureLocation=headers"
Step 6c: Create the databases

root@box:/usr/src/dspam-3.6.8/src/tools.mysql_drv # /usr/local/mysql-5.0.24/bin/mysql -u root --password='new-password'
mysql> create database dspam;
mysql> grant all on dspam.* to dspam@localhost identified by 'dspam-password';
mysql> use dspam;
mysql> source mysql_objects-4.1.sql;
mysql> source virtual_users.sql;
mysql> quit;

Notes:
'new-password' is the password which you set in step 5e.
'dspam-password' is the password you set in the configuration file (see step 6b).
Step 6d: Start / Stop Scripts

This script has the name rc.dspam and contains the following:

#!/bin/sh

_start() {
/usr/local/dspam-3.6.8/bin/dspam --daemon &
}

_stop() {
if [ -r /var/run/dspam/dspam.pid ]; then
kill `cat /var/run/dspam/dspam.pid`
else
killall dspam
fi
}

_restart() {
_stop
sleep 1
_start
}

case "$1" in
'start')
_start
;;
'stop')
_stop
;;
'restart')
_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.dspam
-rwxr--r-- 1 root root 269 2006-08-28 12:13 /etc/rc.d/rc.dspam
Step 6e: Edit the crontab

root@box:/usr/src/dspam-3.6.8 # cp -a src/tools.mysql_drv/purge-4.1.sql /home/dspam/
Place the following in the cron file for the dspam user:
0 2 * * * /usr/local/dspam-3.6.8/bin/dspam_logrotate -a 30 /var/log/dspam/system.log `find /home/dspam/data -name "*.log"`
0 2 * * * /usr/local/mysql-5.0.24/bin/mysql -u dspam -p'dspam-password' dspam < /home/dspam/purge-4.1.sql
0 2 * * * /usr/local/mysql-5.0.24/bin/mysql -u dspam -p'dspam-password' dspam -e 'optimize table dspam_signature_data, dspam_token_data;'

With these entries, the logs are deleted and the MySQL database is purged each night at 2 o'clock in the morning.
So that these scripts can run, you must replace 'dspam-password' with the actual password DSPAM uses to access the database.

The first entry deletes all entries older than 30 days from the history of the DSPAM users.
For this to work without problems, the command must be run as the user dspam.
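The crontab entries above pass the database password with -p, which leaves it readable in the crontab and in the process list while a job runs. The following added example (not part of the original guide) stores the credentials in a mode-0600 option file and prints equivalent entries that use --defaults-extra-file; the file name dspam-client.cnf and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: keep the DSPAM database
# password out of the crontab and out of the process list.

# write_client_cnf FILE
# Reads the password from standard input (so it never appears as a command
# argument) and writes a MySQL option file with the dspam credentials.
# umask 077 gives the file mode 0600 from the moment it is created, and
# noclobber (set -C) refuses to write through a name that reappeared
# between the rm and the redirect.
# A password containing '"' or '\' must be escaped for the option-file syntax.
write_client_cnf() {
    cnf=$1
    IFS= read -r pass || [ -n "$pass" ] || return 1
    (
        umask 077
        rm -f "$cnf"
        set -C
        printf '[client]\nuser = dspam\npassword = "%s"\nsocket = /tmp/mysql\n' \
            "$pass" > "$cnf"
    )
}

# cron_lines FILE
# Prints the two MySQL maintenance entries for the dspam user's crontab.
# --defaults-extra-file has to be the first option on the mysql command line.
cron_lines() {
    cnf=$1
    mysql=/usr/local/mysql-5.0.24/bin/mysql   # path used throughout the guide
    echo "0 2 * * * $mysql --defaults-extra-file=$cnf dspam < /home/dspam/purge-4.1.sql"
    echo "0 2 * * * $mysql --defaults-extra-file=$cnf dspam -e 'optimize table dspam_signature_data, dspam_token_data;'"
}

# Usage, run as the user dspam; the password is typed or piped on stdin:
#   sh dspam-cron.sh /home/dspam/dspam-client.cnf
if [ "$#" -eq 1 ]; then
    write_client_cnf "$1" && cron_lines "$1"
fi
```

The dspam_logrotate entry needs no database password and stays as it is.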
Step 6f: Final modifications

DSPAM can send various emails to the user after certain events.
/home/dspam/txt/firstrun.txt - The user is informed after the first email is processed by DSPAM
/home/dspam/txt/firstspam.txt - The user is informed after the first spam is recognised by DSPAM
/home/dspam/txt/quarantinefull.txt - The user is informed their quarantine area is full and needs attention

Note: These are only sent if the option Notifications is set to on in the configuration file.

Step 6g: Final word

The DSPAM server runs as the user dspam, puts its PID file in /var/run/dspam and creates a socket in /tmp.
Now DSPAM is finished, let's move on to Exim.
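Steps 3 to 6 leave four daemon sockets in /tmp, a directory in which any local user can create names before a daemon has started. The following added example (not part of the original guide) checks that each path is a real socket owned by the user the guide says the daemon runs as; the function names are assumptions, the expected owners are taken from the "Final word" sections, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the UNIX sockets that
# steps 3 to 6 place in the world-writable /tmp directory.

# socket_state PATH OWNER
# Prints one word describing PATH:
#   missing      nothing exists under that name (daemon not running)
#   not-socket   a file, directory or symlink occupies the name
#   wrong-owner  a socket exists but belongs to a different user
#   ok           a socket owned by OWNER
socket_state() {
    path=$1
    owner=$2
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo missing
    elif [ -L "$path" ] || [ ! -S "$path" ]; then
        echo not-socket
    elif [ "$(stat -c %U "$path")" != "$owner" ]; then
        echo wrong-owner
    else
        echo ok
    fi
}

# audit_sockets
# Reads "path owner" pairs on standard input, prints one result line per
# pair and returns non-zero if any pair is not "ok".
audit_sockets() {
    rc=0
    while read -r path owner; do
        [ -n "$path" ] || continue
        state=$(socket_state "$path" "$owner")
        echo "$state $path (expected owner: $owner)"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Socket paths and daemon users as stated in steps 3 to 6 of the guide.
# Adjust an owner if your daemon creates its socket before dropping privileges.
guide_sockets() {
    cat <<'EOF'
/tmp/clamd clamav
/tmp/spamd spamd
/tmp/mysql mysql
/tmp/dspam dspam
EOF
}

# Usage: sh check-sockets.sh --run
if [ "${1:-}" = "--run" ]; then
    guide_sockets | audit_sockets
fi
```

A "not-socket" or "wrong-owner" result right after boot means something claimed the name before the daemon did and should be investigated before the service is started.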

Step 7: Exim Installation

Exim does not compile in the same way as the other packages here do. Firstly, unpack the source and move to the directory:
root@box:/usr/src # tar xzf tarballs/exim-4.63.tar.gz
root@box:/usr/src # cd exim-4.63/

This is where Exim differs: its build is controlled by a single file called Makefile in the Local directory.
Copy the template from the src directory into the Local directory and edit it with the following settings:
root@box:/usr/src/exim-4.63 # cp -a src/EDITME Local/Makefile
Since the file itself is documented, here is my (minimal, working) one:

BIN_DIRECTORY=/usr/local/exim-4.63/bin
CONFIGURE_FILE=/etc/mail/exim.conf
EXIM_USER=exim
EXIM_GROUP=mail
SPOOL_DIRECTORY=/var/spool/exim
INCLUDE=-I/usr/include/db4/
DBMLIB = -ldb4
ROUTER_ACCEPT=yes
ROUTER_DNSLOOKUP=yes
ROUTER_IPLITERAL=yes
ROUTER_MANUALROUTE=yes
ROUTER_QUERYPROGRAM=yes
ROUTER_REDIRECT=yes
TRANSPORT_APPENDFILE=yes
TRANSPORT_AUTOREPLY=yes
TRANSPORT_PIPE=yes
TRANSPORT_SMTP=yes
TRANSPORT_LMTP=yes
SUPPORT_MAILDIR=yes
SUPPORT_MAILSTORE=yes
SUPPORT_MBX=yes
LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_MYSQL=yes
LOOKUP_INCLUDE=-I/usr/local/mysql-5.0.24/include/mysql
LOOKUP_LIBS=-L/usr/local/mysql-5.0.24/lib/mysql -lmysqlclient
WITH_CONTENT_SCAN=yes
WITH_OLD_DEMIME=yes
FIXED_NEVER_USERS=root
AUTH_CRAM_MD5=yes
AUTH_PLAINTEXT=yes
HEADERS_CHARSET="ISO-8859-1"
SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
LOG_FILE_PATH=/var/log/exim/%s.log
SYSLOG_LOG_PID=yes
EXICYCLOG_MAX=10
COMPRESS_COMMAND=/usr/bin/gzip
COMPRESS_SUFFIX=gz
ZCAT_COMMAND=/usr/bin/zcat
SYSTEM_ALIASES_FILE=/etc/aliases
TMPDIR="/tmp"

We can now run the 'make' and 'make install' commands. Providing we don't get any errors, Exim will then be installed:
root@box:/usr/src # make
root@box:/usr/src # make install
Step 7a: Creating symlinks and directories

root@box:/usr/src # mkdir /var/log/exim
root@box:/usr/src # mkdir /home/mail
root@box:/usr/src # chown exim.mail /var/log/exim
root@box:/usr/src # chown courier.mail /home/mail
root@box:/usr/src # ln -s /usr/local/exim-4.63/bin/exim /usr/bin/sendmail
root@box:/usr/src # ln -s /usr/local/exim-4.63/bin/exim /usr/sbin/sendmail
root@box:/usr/src # ln -s /usr/local/exim-4.63/bin/exim /usr/sbin/mailq
root@box:/usr/src # ln -s /usr/local/exim-4.63/bin/exim /usr/sbin/runq
Step 7b: Editing the configuration file

Note: An adapted version of the configuration for enterprise use, as well as a Confixx frontend, is also available.
For support or installation of these, please contact a service provider you trust, e.g. MAS - User Services.

The configuration file of Exim is very extensive, therefore here is a link to my version.
This version also includes a database backend and here is the SQL Script to create the database.

With the supplied configuration, scanning by DSPAM must be enabled explicitly per user; the field has_dspam serves this purpose.

Installation of the Exim database:

root@box:/usr/src # wget http://dspam.wahlfaelschung.de/exim-dspam.sql
root@box:/usr/src # /usr/local/mysql-5.0.24/bin/mysql -u root --password='new-password'
mysql> source exim-dspam.sql;
mysql> grant select on vserver.* to exim@localhost identified by 'exim-password';
mysql> quit;

root@box:/etc/mail # wget http://dspam.wahlfaelschung.de/exim-dspam.conf
root@box:/etc/mail # mv exim-dspam.conf exim.conf

The following changes must be made in any case in the configuration file (denoted by ### AENDERN ### marks):

hide mysql_servers = localhost/vserver/exim/exim-password
This section defines the username/password/database to use.
The login name and the password were specified above in the grant statement.

qualify_domain = qualifiziert
The domain that is used to complete addresses that have no domain part.

#system_filter = /etc/mail/exim.filter
This file removes the Sender: header from the email.
The file has the following contents:
headers remove "Sender: <dspam@qualifiziert>"
(The domain must be adapted accordingly if the value of qualify_domain is changed.)

#tls_advertise_hosts = *
#tls_certificate = /etc/cert/server.pem
#tls_privatekey = /etc/cert/server.pem

If the server is to support TLS/SSL, a certificate must be provided for it.
Such certificates can either be created yourself (self-signed) or bought.
Creating such a certificate goes beyond the scope of this document, so see part 2 or your preferred search engine.

timezone = Europe/Berlin
Set the timezone of the mailserver to ensure accurate logs.

condition = ${if match {$sender_helo_name}{\N^(mail\.mas-user-services\.de)$\N}{yes}{no}}
Reject any host that uses our own DNS name in its HELO to forge mail. Each server should have its own unique DNS name.

condition = ${if >{$spam_score_int}{120}{1}{0}}
The value of 120 corresponds to a SpamAssassin score of 12.0 points. Any mail scoring more than this will be rejected.
In my experience even a value of 100 (10.0 points) is sensible; most wanted emails score at most 50
(5.0 points).

{eq {$domain}{mas-user-services\.de}} \
The DSPAM server should act on retraining requests only for mails which were sent to the domain of the server.
This setting is a matter of taste; if the server is to react to all domains, this line must be deleted.

directory = /home/mail/$local_part/Maildir
Emails which are accepted are stored under /home/mail in Maildir format.

If the server is to serve as a relay server (e.g. for an Exchange Internet server), a few changes must be made.
Firstly, Courier-IMAP is not required. Next the transport should be modified in exim.conf:

Before:
mysql_local_user:
driver = accept
condition = "${if and { \
{eq {$domain}{$qualify_domain}} \
{!eq {$received_protocol}{''}} \
{eq {$local_part}{MD_LOCAL_USER}} \
} \
{1}{0}}"
transport = mysql_local_user_transporter

After:
mysql_local_user:
driver = manualroute
condition = "${if and { \
{eq {$domain}{$qualify_domain}} \
{!eq {$received_protocol}{''}} \
{eq {$local_part}{MD_LOCAL_USER}} \
} \
{1}{0}}"
transport = remote_smtp
domains = +local_domains
route_list = * 127.0.0.1 bydns
Here 127.0.0.1 must be replaced with the IP address of the Exchange server.
Step 7c: Start / Stop Scripts

This script has the name rc.exim and contains the following:

#!/bin/sh

_start() {
/usr/local/exim-4.63/bin/exim -bd -q30m
}

_stop() {
if [ -r /var/run/exim.pid ]; then
kill `cat /var/run/exim.pid`
else
killall exim
fi
}

_restart() {
_stop
sleep 1
_start
}

case "$1" in
'start')
_start
;;
'stop')
_stop
;;
'restart')
_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.exim
-rwxr--r-- 1 root root 354 2006-08-28 10:43 /etc/rc.d/rc.exim
Step 7d: Final word

The Exim server runs as the user exim, puts its PID file in /var/run and creates a socket in /tmp.
Now Exim is finished, let's move on to the Courier Authentication Library.

Step 8: Installation of the Courier Authentication Library

The library can be unpacked and installed with the following commands:

root@box:/usr/src # tar xjf tarballs/courier-authlib-0.58.tar.bz2
root@box:/usr/src # cd courier-authlib-0.58/
root@box:/usr/src # ./configure --prefix=/usr/local/courier-authlib-0.58 --sysconfdir=/etc/mail --without-authuserdb --without-authpam --without-authldap --without-authpwd --without-authshadow --without-authvchkpw --without-authpgsql --with-authmysqlrc=/etc/mail/authmysqlrc --with-mysql-libs=/usr/local/mysql-5.0.24/lib/mysql --with-mysql-includes=/usr/local/mysql-5.0.24/include/mysql --without-authcustom --without-authpipe --with-authdaemonrc=/etc/mail/authdaemonrc --with-mailuser=courier --with-mailgroup=mail
root@box:/usr/src # make
root@box:/usr/src # make install
root@box:/usr/src # make install-migrate
root@box:/usr/src # make install-configure

So that other programs can find the Courier Authentication Library files, you should edit /etc/ld.so.conf and add the following line:
/usr/local/courier-authlib-0.58/lib/courier-authlib
Save and update the configuration with:
root@box:/usr/src # ldconfig
Step 8a: Creating the directories

Not necessary.
Step 8b: Edit the configuration files

The configuration files for Courier Authentication Library are authmysqlrc and authdaemonrc, located in /etc/mail.
The file authmysqlrc configures access to the MySQL database. Here is an example of mine:

MYSQL_SERVER localhost
MYSQL_USERNAME courier
MYSQL_PASSWORD courier-password
MYSQL_DATABASE vserver
MYSQL_USER_TABLE user
MYSQL_CRYPT_PWFIELD password
MYSQL_LOGIN_FIELD login
MYSQL_MAILDIR_FIELD CONCAT('/home/mail/', login, '/Maildir') AS maildir
MYSQL_UID_FIELD 24
# the UID field of the user "courier"
MYSQL_GID_FIELD 12
# the GID field of the group "mail"
MYSQL_HOME_FIELD CONCAT('/home/mail/', login) AS home
MYSQL_SOCKET /tmp/mysql
MYSQL_OPT 0

The file authdaemonrc configures the behaviour of the Authdaemons. Here is an example of mine:

authmodulelist="authmysql"
authmodulelistorig="authmysql"
daemons=5
authdaemonvar=/usr/local/courier-authlib-0.58/var/spool/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""

Now give authdaemon access to the MySQL database:

root@box:/usr/src # /usr/local/mysql-5.0.24/bin/mysql -u root --password='new-password'
mysql> grant select on vserver.* to courier@localhost identified by 'courier-password';
mysql> quit;
Step 8c: Start / Stop Scripts

Create a symlink to the file authdaemond, called rc.authdaemond located in /etc/rc.d:

root@box:/usr/src # ln -s /usr/local/courier-authlib-0.58/sbin/authdaemond /etc/rc.d/rc.authdaemond
root@box:/usr/src # ls -all /etc/rc.d/rc.authdaemond
lrwxrwxrwx 1 root root 48 2006-09-06 14:56 /etc/rc.d/rc.authdaemond -> /usr/local/courier-authlib-0.58/sbin/authdaemond
Step 8d: Final word

Courier Authentication Library puts its PID file and socket in /usr/local/courier-authlib-0.58/var/spool/authdaemon.
Note: The authdaemon does not expect passwords that were encoded with the MySQL function "encrypt",
but MD5/SHA1/password hashes.

Now let's move on to Courier-IMAP.

Step 9: Installation of Courier IMAP

The server can be unpacked and installed with the following:

root@box:/usr/src # tar xjf tarballs/courier-imap-4.1.1.tar.bz2
root@box:/usr/src # cd courier-imap-4.1.1/
root@box:/usr/src # export COURIERAUTHCONFIG=/usr/local/courier-authlib-0.58/bin/courierauthconfig; export CPPFLAGS=-I/usr/local/courier-authlib-0.58/include/;./configure --prefix=/usr/local/courier-imap-4.1.1 --sysconfdir=/etc/mail --without-ipv6 --with-piddir=/var/run --enable-workarounds-for-imap-client-bugs --disable-root-check
root@box:/usr/src # make
root@box:/usr/src # make install
root@box:/usr/src # make install-configure

Since Courier Authentication Library was not installed in the path ($PATH), we need to specify the location using COURIERAUTHCONFIG.
We also need to do this for the Include files.
Step 9a: Creating the directories

Not necessary, see Step 7a.
Step 9b: Edit the configuration

Courier-IMAP uses four configuration files: imapd, imapd-ssl, pop3d and pop3d-ssl.
The files with the suffix -ssl configure the services over SSL,
the ones without the suffix configure the normal services.

Examples of imapd and imapd-ssl:

ADDRESS=0
PORT=143
MAXDAEMONS=50
MAXPERIP=5
PIDFILE=/var/run/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/mail/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/bin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/courier-imap-4.1.1/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/etc/cert/server.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/courier-imap-4.1.1/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

Examples of pop3d and pop3d-ssl:

PIDFILE=/var/run/pop3d.pid
MAXDAEMONS=50
MAXPERIP=5
POP3AUTH=""
POP3AUTH_ORIG="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
POP3AUTH_TLS=""
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
POP3_PROXY=0
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=pop3d"
POP3DSTART=YES
MAILDIRPATH=Maildir

SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=NO
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/local/courier-imap-4.1.1/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/etc/cert/server.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/courier-imap-4.1.1/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

In order to use IMAP / POP3 over SSL, IMAPDSSLSTART and/or POP3DSSLSTART must be set to YES
and you should have the necessary SSL certificates installed (see step 7b).
Step 9c: Start / Stop Scripts

Courier-IMAP provides its own start / stop scripts, so we only need to link them (as in step 8c):

root@box:/usr/src # ln -s /usr/local/courier-imap-4.1.1/libexec/imapd.rc /etc/rc.d/rc.imapd
root@box:/usr/src # ln -s /usr/local/courier-imap-4.1.1/libexec/imapd-ssl.rc /etc/rc.d/rc.imapd-ssl
root@box:/usr/src # ln -s /usr/local/courier-imap-4.1.1/libexec/pop3d.rc /etc/rc.d/rc.pop3d
root@box:/usr/src # ln -s /usr/local/courier-imap-4.1.1/libexec/pop3d-ssl.rc /etc/rc.d/rc.pop3d-ssl

root@box:/usr/src # ls -all /etc/rc.d/rc.imapd
lrwxrwxrwx 1 root root 46 2006-09-06 14:56 /etc/rc.d/rc.imapd -> /usr/local/courier-imap-4.1.1/libexec/imapd.rc

The others should look the same.
Step 9d: Final word

In theory you should now have a functioning server, even if administration is still tedious:
the DSPAM server cannot be trained yet, and users need to be added to the MySQL database.

Let's move on to the Apache web server.

Step 10: Installation of the Apache Webserver

The webserver can be unpacked and configured using the following:

root@box:/usr/src # tar xzf tarballs/httpd-2.0.59.tar.gz
root@box:/usr/src # cd httpd-2.0.59/
root@box:/usr/src # ./configure --prefix=/usr/local/httpd-2.0.59 --sysconfdir=/etc/apache --enable-modules=most --enable-mods-shared=all --enable-ssl --enable-suexec --with-suexec-caller=nobody --with-suexec-docroot=/home/ --with-suexec-uidmin=20 --with-suexec-gidmin=12 --with-suexec-logfile=/var/log/apache/suexec.log
root@box:/usr/src # make
root@box:/usr/src # make install

Depending on the UID/GID of the dspam user, the parameters --with-suexec-uidmin and --with-suexec-gidmin may need to be changed.
Step 10a: Creating the directories

root@box:/usr/src # mkdir /var/log/apache
root@box:/usr/src # mkdir /home/apache
root@box:/usr/src # chown nobody.nogroup /var/log/apache
root@box:/usr/src # chown nobody.nogroup /home/apache
Step 10b: Editing the configuration

The configuration runs to over 300 lines, so I have provided an example here,
already set up with the configuration for the DSPAM WebUI (see step 11).

The following changes must be made to the configuration file regardless (denoted by ### AENDERN ### marks):

ServerAdmin webmaster@localhost
This is the e-mail address that is shown to the user in case of a server error, so it should be a useful address.
ServerName 127.0.0.1:80
The name of the server, which is shown in case of an error.

ServerName 127.0.0.1
This entry is located in the virtual host section and should be changed accordingly.

Note: The paths and directories within this configuration file have been modified for this document.
If you have installed something differently, you will have to make the necessary changes.
Step 10c: Start / Stop Scripts

This script is called rc.apache and contains the following:

#!/bin/sh
# rc.apache: start, stop or restart the Apache installed in step 10

_start() {
    /usr/local/httpd-2.0.59/bin/apachectl -k start
}

_stop() {
    /usr/local/httpd-2.0.59/bin/apachectl -k stop
}

_restart() {
    /usr/local/httpd-2.0.59/bin/apachectl -k restart
}

case "$1" in
    'start')
        _start
        ;;
    'stop')
        _stop
        ;;
    'restart')
        _restart
        ;;
    *)
        # Unknown or missing argument: show the usage line
        echo "usage $0 start|stop|restart"
        ;;
esac

root@box:/usr/src # ls -all /etc/rc.d/rc.apache
-rwxr--r-- 1 root root 312 2006-08-28 10:43 /etc/rc.d/rc.apache
Step 11: Configuration of WebUI for DSpam Server

Create the following directory and copy the following files:
root@box:/usr/src # mkdir /home/apache/dspam
root@box:/usr/src # cp -a /usr/src/dspam-3.6.8/webui/htdocs/base.css /home/apache/dspam
root@box:/usr/src # cp -a /usr/src/dspam-3.6.8/webui/htdocs/dspam-logo-small.gif /home/apache/dspam
root@box:/usr/src # cp -a /usr/src/dspam-3.6.8/webui/cgi-bin/* /home/apache/dspam
root@box:/usr/src # rm /home/apache/dspam/Makefile* /home/apache/dspam/configure.pl.in
root@box:/usr/src # chown dspam.mail /home/apache/dspam -R

In order for the WebUI to function properly, you must protect it (using .htaccess).
There are two methods for this. One is to use .htpasswd, which requires constant maintenance.
The other is to use mod_auth_mysql, which allows users to authenticate using their e-mail account details.

There are plenty of examples on the internet regarding htpasswd, so I will concentrate on mod_auth_mysql.
The installation and configuration is rather simple:
root@box:/usr/src # tar xzf tarballs/mod_auth_mysql-3.0.0.tar.gz
root@box:/usr/src # cd mod_auth_mysql-3.0.0/
root@box:/usr/src # /usr/local/httpd-2.0.59/bin/apxs -c -L/usr/local/mysql-5.0.24/lib/mysql -I/usr/local/mysql-5.0.24/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c
root@box:/usr/src # /usr/local/httpd-2.0.59/bin/apxs -i mod_auth_mysql.la
root@box:/usr/src # /usr/local/mysql-5.0.24/bin/mysql -u root --password='new-password'
mysql> grant select on vserver.* to apache@localhost identified by 'apache-password';
mysql> quit;

You now need to modify the Apache start / stop script:
In the line /usr/local/httpd-2.0.59/bin/apachectl -k start, insert -D AUTHMYSQL before the -k start,
so that the line reads /usr/local/httpd-2.0.59/bin/apachectl -D AUTHMYSQL -k start.

Now we need to create the .htaccess file in the /home/apache/dspam directory with the following contents:
AuthType Basic
AuthName "DSpam WebUI"
require valid-user

The WebUI is now functional, but not yet complete: the graphics have not yet been properly installed.
To set up the graphics, we need to install the following Perl modules.

The GD Graphics Library (http://www.boutell.com/gd/) itself is normally provided by the distribution.

GD
GD::Graph3d
GD::Graph
GD::Text
CGI

root@box:/usr/src # cpan -i GD GD::Text GD::Graph GD::Graph3d CGI

The installation may fail because the file "libXpm.so.4" cannot be found; in that case we need to install libgd.
root@box:/usr/src/tarballs # wget http://www.boutell.com/gd/http/gd-2.0.33.tar.gz
root@box:/usr/src/tarballs # cd ..
root@box:/usr/src # tar xzf tarballs/gd-2.0.33.tar.gz
root@box:/usr/src # cd gd-2.0.33/
root@box:/usr/src # ./configure && make && make install

Afterwards, install the Perl modules again:
root@box:/usr/src # cpan -i GD GD::Text GD::Graph GD::Graph3d CGI
These should now install without any errors.
If everything is correct, you should now be able to see graphics within the WebUI.
Step 12: Supplement

As the server stands at the moment, it is functional; however, administration is somewhat crude and uncomfortable.
In order to simplify this, there will be a second part covering the installation of PHP5, PHPMyAdmin, SSL and PureFTPd.