Thursday, December 7, 2017

IndiMail Queue Mechanism

IndiMail can be configured with multiple local and remote queues. A queue is a location on your hard disk where emails are deposited before actual delivery. At high injection rates, mail software may place a large number of files in a single directory, which drastically reduces file system performance. IndiMail avoids this by injecting your email into a queue consisting of multiple directories, with mails distributed as evenly as possible across these directories.


Balancing of emails across multiple queues is achieved by the program qmail-multi(8), which is actually just a qmail-queue(8) replacement. Any qmail-queue frontend can use qmail-multi. The qmail-queue frontends in IndiMail are:
  1. sendmail
  2. qmail-inject
  3. qmail-smtpd
  4. qmail-qmqpd
  5. qmail-qmtpd
  6. qreceipt
  7. condredirect
  8. dotforward
  9. fastforward
  10. forward
  11. maildirserial
  12. new-inject
  13. ofmipd
  14. replier
  15. rrforward



You just need to configure the following environment variables to have the qmail-queue(8) frontends use qmail-multi(8):
1. QUEUE_BASE – Base directory where all queues will be placed
2. QUEUE_COUNT – number of queues
3. QUEUE_START – numeric prefix of the first queue
For example, if you want IndiMail to use 10 queues, this is what you will do:

% su
# for i in qmail-smtpd.25 qmail-smtpd.465 qmail-smtpd.587 qmail-send.25 \
> qmail-qmqpd.628 qmail-qmtpd.209
> do
> echo 10 > /service/$i/variables/QUEUE_COUNT
> echo "/var/indimail/queue" > /service/$i/variables/QUEUE_BASE
> echo "1" > /service/$i/variables/QUEUE_START
> done
#

You also need to make sure that you have ten queues in /var/indimail/queue.

% su
# for i in 1 2 3 4 5 6 7 8 9 10
> do
> /usr/bin/queue-fix /var/indimail/queue/queue"$i" > /dev/null
> done
# exit
% ls -ld /var/indimail/queue/queue*
drwxr-x---. 12 qmailq qmail 4096 Mar 30 2017 /var/indimail/queue/queue1
drwxr-x---. 12 qmailq qmail 4096 Dec 7 10:45 /var/indimail/queue/queue10
drwxr-x---. 12 qmailq qmail 4096 Mar 30 2017 /var/indimail/queue/queue2
drwxr-x---. 12 qmailq qmail 4096 Mar 30 2017 /var/indimail/queue/queue3
drwxr-x---. 12 qmailq qmail 4096 Mar 30 2017 /var/indimail/queue/queue4
drwxr-x---. 12 qmailq qmail 4096 Mar 30 2017 /var/indimail/queue/queue5
drwxr-x---. 12 qmailq qmail 4096 Dec 7 10:45 /var/indimail/queue/queue6
drwxr-x---. 12 qmailq qmail 4096 Dec 7 10:45 /var/indimail/queue/queue7
drwxr-x---. 12 qmailq qmail 4096 Dec 7 10:45 /var/indimail/queue/queue8
drwxr-x---. 12 qmailq qmail 4096 Dec 7 10:45 /var/indimail/queue/queue9

Now all you need to do is restart all the services so that they use the new QUEUE_BASE, QUEUE_COUNT and QUEUE_START environment variables.

% sudo svc -d /service/qmail-smtpd* /service/qmail-send.25 /service/qmail-qm?pd.*
% sudo svc -u /service/qmail-smtpd* /service/qmail-send.25 /service/qmail-qm?pd.*
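
The result of the procedure above can be checked mechanically. The following added example (not part of the original post; audit_queues is a hypothetical helper) reads QUEUE_BASE, QUEUE_COUNT and QUEUE_START from each service's variables directory and confirms that every expected queue directory exists with mode 750, assuming the queue<N> naming and permissions shown in the listing above.

```shell
#!/bin/sh
# Added example (audit_queues is a hypothetical helper, not an IndiMail tool).
# Assumption taken from the listing above: queues are named queue<N> for
# N = QUEUE_START .. QUEUE_START+QUEUE_COUNT-1 and carry mode 750.

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# audit_queues SERVICE_ROOT: check every service that sets QUEUE_BASE.
audit_queues() {
    svc_root=$1
    rc=0
    for vars in "$svc_root"/*/variables; do
        [ -f "$vars/QUEUE_BASE" ] || continue
        base=$(cat "$vars/QUEUE_BASE")
        count=$(cat "$vars/QUEUE_COUNT" 2>/dev/null)
        start=$(cat "$vars/QUEUE_START" 2>/dev/null)
        # A value that does not start with / (for example one wrapped in
        # typographic quotes) is not a usable queue base.
        case $base in
            /*) ;;
            *) echo "$vars: QUEUE_BASE is not an absolute path: $base"
               rc=1; continue ;;
        esac
        if ! is_num "$count" || ! is_num "$start"; then
            echo "$vars: QUEUE_COUNT and QUEUE_START must be numeric"
            rc=1; continue
        fi
        n=$start
        last=$((start + count - 1))
        while [ "$n" -le "$last" ]; do
            q=$base/queue$n
            if [ ! -d "$q" ]; then
                echo "$vars: missing queue directory $q"; rc=1
            elif [ "$(stat -c %a "$q")" != 750 ]; then   # GNU stat
                echo "$vars: $q is mode $(stat -c %a "$q"), expected 750"; rc=1
            fi
            n=$((n + 1))
        done
    done
    return "$rc"
}

# Usage: sh audit_queues.sh /service
if [ "$#" -gt 0 ]; then audit_queues "$1"; fi
```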

Monday, December 4, 2017

RoundCube with IndiMail


These instructions will work on CentOS, RHEL, Fedora. For Debian/Ubuntu and other distros, please use your knowledge to make changes accordingly. In this guide, replace indimail.org with your own hostname.

Non SSL Version Install/Configuration

(look below for SSL config)
  1. Install RoundCube. On older systems, use the yum command
$ sudo dnf -y install roundcubemail php-mysqlnd



  2. Connect to MySQL using a privileged user. The IndiMail installation creates a privileged MySQL user 'mysql'. It does not have the user 'root'. Look at the variable PRIV_PASS in /usr/sbin/svctool to find the password.
$ /usr/bin/mysql -u mysql -p mysql
MySQL> create database RoundCube_db;
MySQL> create user roundcube identified by 'subscribed';
MySQL> GRANT ALL PRIVILEGES on RoundCube_db.* to roundcube;
MySQL> FLUSH PRIVILEGES;
MySQL> QUIT;
$ /usr/bin/mysql -u mysql -p RoundCube_db < /usr/share/roundcubemail/SQL/mysql.initial.sql



  3. Copy /etc/roundcube/config.inc.php.sample to /etc/roundcubemail/config.inc.php
$ sudo cp /etc/roundcube/config.inc.php.sample /etc/roundcubemail/config.inc.php



Edit the lines in /etc/roundcube/config.inc.php
$config['db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = 'http://indimail.sourceforge.net';
$config['product_name'] = 'IndiMail Webmail';
$config['plugins'] = array(
'archive',
'sauserprefs',
'markasjunk2',
'iwebadmin',
);
NOTE: the iwebadmin plugin will not work for postmaster account or IndiMail users having QA_ADMIN privileges. man vmoduser(1)
This file should have read permission for apache group
$ sudo chown root:apache /etc/roundcube/config.inc.php
$ sudo chmod 640 /etc/roundcube/config.inc.php



For markasjunk2 to work you need to set permission for apache to write /etc/indimail/spamignore
$ sudo chown apache:indimail /etc/indimail/spamignore
$ sudo chmod 644 /etc/indimail/spamignore


  4. Edit the lines in /etc/roundcube/defaults.inc.php
$config['db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';
$config['imap_auth_type'] = 'LOGIN';
$config['smtp_auth_type'] = 'LOGIN';
This file should have read permission for apache group
$ sudo chown root:apache /etc/roundcube/defaults.inc.php
$ sudo chmod 640 /etc/roundcube/defaults.inc.php



  5. Change iwebadmin path in /usr/share/roundcubemail/iwebadmin/config.inc.php
$rcmail_config['iwebadmin_path'] = 'http://127.0.0.1/cgi-bin/iwebadmin';



  6. Change sauserprefs_db_dsnw in /usr/share/roundcubemail/sauserprefs/config.inc.php
$rcmail_config['sauserprefs_db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';



  7. Restore indimail plugins for roundcube

$ sudo yum install ircube


or
$ cd /tmp
$ wget http://downloads.sourceforge.net/indimail/indimail-roundcube-1.0.tar.gz # This file
$ cd /
$ sudo tar xvfz /tmp/indimail-roundcube-1.0.tar.gz usr/share/roundcubemail/plugins
$ /usr/bin/mysql -u mysql -p RoundCube_db < /usr/share/roundcubemail/sauserprefs/sauserprefs.sql



  8. Change pdo_mysql.default_socket in /etc/php.ini
For some reason pdo_mysql uses the wrong MySQL socket on some systems: it uses /var/lib/mysql/mysql.sock instead of /var/run/mysqld/mysqld.sock. You need to edit the file /etc/php.ini and define pdo_mysql.default_socket
pdo_mysql.default_socket= /var/run/mysqld/mysqld.sock


You can verify if the path has been correctly entered by executing the below command. The command should return without any error
$ php -r "new PDO('mysql:host=localhost;dbname=RoundCube_db', 'roundcube', 'subscribed');"



  9. HTTPD config
    i. Edit file /etc/httpd/conf.d/roundcubemail.conf and edit the following lines
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#
Alias /indimail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured
<Directory /usr/share/roundcubemail/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        # Require lines are ORed: "Require all granted" admits every client
        Require ip 127.0.0.1
        Require all granted
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>


This file should be owned by root
$ sudo chown root:root /etc/httpd/conf.d/roundcubemail.conf
$ sudo chmod 644 /etc/httpd/conf.d/roundcubemail.conf


    ii. Restart httpd

$ sudo service httpd restart



  10. Login to webmail at http://localhost/indimail

SSL / TLS Version




  1. Install RoundCube. On older systems, use the yum command
$ sudo dnf -y install roundcubemail php-mysqlnd



  2. Connect to MySQL using a privileged user. The IndiMail installation creates a privileged MySQL user 'mysql'. It does not have the user 'root'. Look at the variable PRIV_PASS in /usr/sbin/svctool to find the password.
$ /usr/bin/mysql -u mysql -p mysql
MySQL> create database RoundCube_db;
MySQL> create user roundcube identified by 'subscribed';
MySQL> GRANT ALL PRIVILEGES on RoundCube_db.* to roundcube;
MySQL> FLUSH PRIVILEGES;
MySQL> QUIT;
$ /usr/bin/mysql -u mysql -p RoundCube_db < /usr/share/roundcubemail/SQL/mysql.initial.sql



  3. Copy /etc/roundcube/config.inc.php.sample to /etc/roundcubemail/config.inc.php

$ sudo cp /etc/roundcube/config.inc.php.sample /etc/roundcubemail/config.inc.php


Edit the lines in /etc/roundcube/config.inc.php
$config['db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';
$config['default_host'] = 'ssl://indimail.org';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['support_url'] = 'http://indimail.sourceforge.net';
$config['product_name'] = 'IndiMail Webmail';
$config['plugins'] = array(
'archive',
'sauserprefs',
'markasjunk2',
'iwebadmin',
);
NOTE: the iwebadmin plugin will not work for postmaster account or IndiMail users having QA_ADMIN privileges. man vmoduser(1)
This file should have read permissions for apache group
$ sudo chown root:apache /etc/roundcube/config.inc.php
$ sudo chmod 640 /etc/roundcube/config.inc.php



  4. Edit the lines in /etc/roundcube/defaults.inc.php, i.e.
$config['db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';
$config['default_host'] = 'ssl://indimail.org';
$config['default_port'] = 993;
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);
$config['imap_auth_type'] = 'LOGIN';
$config['smtp_auth_type'] = 'LOGIN';
$config['force_https'] = true;
$config['product_name'] = 'IndiMail Webmail';
$config['useragent'] = 'IndiMail Webmail/'.RCMAIL_VERSION;


This file should have read permission for apache group
$ sudo chown root:apache /etc/roundcube/defaults.inc.php
$ sudo chmod 640 /etc/roundcube/defaults.inc.php


  5. Change iwebadmin path in /usr/share/roundcubemail/iwebadmin/config.inc.php
$rcmail_config['iwebadmin_path'] = 'https://127.0.0.1/cgi-bin/iwebadmin';
  6. Change sauserprefs_db_dsnw in /usr/share/roundcubemail/sauserprefs/config.inc.php
$rcmail_config['sauserprefs_db_dsnw'] = 'mysql://roundcube:subscribed@localhost/RoundCube_db';
  7. Restore indimail plugins for roundcube
$ cd /tmp
$ wget http://downloads.sourceforge.net/indimail/indimail-roundcube-ssl-1.0.tar.gz # This file
$ cd /
$ sudo tar xvfz /tmp/indimail-roundcube-ssl-1.0.tar.gz usr/share/roundcubemail/plugins
$ /usr/bin/mysql -u mysql -p RoundCube_db < /usr/share/roundcubemail/sauserprefs/sauserprefs.sql



  8. Change pdo_mysql.default_socket in /etc/php.ini
For some reason pdo_mysql uses the wrong MySQL socket on some systems: it uses /var/lib/mysql/mysql.sock instead of /var/run/mysqld/mysqld.sock. You need to edit the file /etc/php.ini and define pdo_mysql.default_socket
pdo_mysql.default_socket= /var/run/mysqld/mysqld.sock



You can verify if the path has been correctly entered by executing the below command. The command should return without any error
$ php -r "new PDO('mysql:host=localhost;dbname=RoundCube_db', 'roundcube', 'subscribed');"



  9. HTTPD config
    i. Edit file /etc/httpd/conf.d/roundcubemail.conf and edit the following lines
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#
Alias /indimail /usr/share/roundcubemail

# Define who can access the Webmail
# You can enlarge permissions once configured
<Directory /usr/share/roundcubemail/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        # Require lines are ORed: "Require all granted" admits every client
        Require ip 127.0.0.1
        Require all granted
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>


This file should be owned by root
$ sudo chown root:root /etc/httpd/conf.d/roundcubemail.conf
$ sudo chmod 644 /etc/httpd/conf.d/roundcubemail.conf


    ii. This assumes you have already generated the indimail cert after indimail installation. If not, execute the following command. We will assume that your host is indimail.org
$ sudo /usr/sbin/svctool --postmaster=postmaster@indimail.org --config=cert \
    --common_name=indimail.org
Edit the file /etc/httpd/conf.d/ssl.conf i.e.
ServerName indimail.org:443
SSLCertificateFile /etc/indimail/certs/servercert.pem


Now the apache server needs access to servercert.pem. You can choose either of the two options below (Option 2, which adds the apache user to the qmail group, is less secure, as it gives httpd access to qmail files).
Option 1
$ sudo chown indimail:apache /etc/indimail/certs/servercert.pem
$ sudo chmod 640 /etc/indimail/certs/servercert.pem


Option 2
$ sudo usermod -aG qmail apache


Now you should see apache getting qmail group access
$ grep "qmail:x:" /etc/group
qmail:x:1002:qscand,apache


    iii. Edit file /etc/php.ini. For some funny reason, the cert needs to be mentioned, i.e.
openssl.cafile=/etc/indimail/certs/servercert.pem
openssl.capath=/etc/pki/tls/certs
Run the following command to get the cert locations. [ini_cafile] should point to the servercert.pem location.
$ php -r "print_r(openssl_get_cert_locations());"
Array
(
[default_cert_file] => /etc/pki/tls/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /etc/pki/tls/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /etc/pki/tls/private
[default_default_cert_area] => /etc/pki/tls
[ini_cafile] => /etc/indimail/certs/servercert.pem
[ini_capath] => /etc/pki/tls/certs
)


    iv. Follow the instructions to set up https
https://wiki.centos.org/HowTos/Https


    v. Restart httpd

$ sudo service httpd restart


    vi. It appears that as of PHP 5.6.0, functions now validate SSL certificates (in a variety of ways). First, validation appears to fail for untrusted certificates (i.e. no matching CA trusted locally), and secondly, it appears to fail for mismatched hostnames in the request and certificate. Verify that php is using the correct certificate with the proper CN. Use the program testssl.php, downloaded from the location from which you downloaded this README/INSTALL file. In Step 9ii you created a certificate with common_name as indimail.org. Use the same host that you gave when creating the certificate.

$ php ./testssl.php indimail.org
Success



  10. Login to webmail
    i. Edit /etc/hosts and change the line for localhost, i.e.
127.0.0.1 localhost indimail.org
    ii. Restart httpd
$ sudo service httpd restart
    iii. Login to webmail at https://indimail.org/indimail
      NOTE: Replace indimail.org with the domain that you have configured
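
Two settings in the procedure above decide how exposed the installation is: the mode of the files that carry the database DSN, and the verify_peer / verify_peer_name options, which the SSL configuration sets to false. The following added example (not from the original post; audit_rc_conf and its regular expressions are assumptions made for illustration) reports both.

```shell
#!/bin/sh
# Added example (audit_rc_conf is a hypothetical helper, not part of
# RoundCube or IndiMail). Patterns use "." where the PHP source has a quote.
DSN_RE='^[[:space:]]*\$[a-z_]*config\[[^=]*db_dsnw[^=]*=.*://[^:/@]+:[^@]+@'
NOVERIFY_RE='^[[:space:]]*.verify_peer(_name)?.[[:space:]]*=>[[:space:]]*false'

# audit_rc_conf FILE...: returns non-zero if any file has a finding.
audit_rc_conf() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "$f: not found"; rc=1; continue
        fi
        # db_dsnw is scheme://user:password@host/db, so a file holding one
        # must give no access to "other" (last octal digit 0, as in 640).
        if grep -Eq "$DSN_RE" "$f"; then
            mode=$(stat -c %a "$f")        # GNU stat
            case $mode in
                *0) ;;
                *) echo "$f: mode $mode exposes the DSN password to other users"
                   rc=1 ;;
            esac
        fi
        # verify_peer / verify_peer_name set to false switch off the
        # certificate chain and hostname checks on the IMAP connection.
        # Commented-out lines (// or #) do not match the pattern.
        if grep -Eq "$NOVERIFY_RE" "$f"; then
            echo "$f: TLS certificate verification is disabled"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit_rc_conf.sh /etc/roundcube/config.inc.php /etc/roundcube/defaults.inc.php
if [ "$#" -gt 0 ]; then audit_rc_conf "$@"; fi
```

PHP 5.6 and later verify peers by default, so removing the two false entries restores the chain and hostname checks described above for PHP 5.6.0.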
