This document attempts to summarize the other documents thrown together on the services installed on the server for 3d-Unlimited. All steps should be taken only by an experienced UNIX administrator. DMZ Services takes no responsibility for any work or changes done with or without this manual by individuals or organizations not affiliated with DMZ Services.

******************
******************

3d-Unlimited Administration Manual

 1) Administration url and passwords
 2) System Software installed
 3) Virtual Server Configuration
 4) Virtual DNS Configuration
 4a) Restart/Reset DNS Server - commit/execute changes
 5) Create Virtual WWW
 5a) Restart/Reset apache - commits/executes changes
 6) Create FTP-Only account for virtual WWW
 6a) Recopy FTP files into domain to correct permissions of other cp -r/chmod -R
 7) Create Virtual e-mail server
 7a) Create database
 7b) Create table & populate
 7c) Create cyrus & mail mysql accounts
 7d) Create imapd.conf file
 7e) Create partitions and spool directories for cyrus
 7f) Configure inetd for new domain
 7g) Test cyrus function with administrator account
 8) Virtual Web-Mail configuration
 8a) Create mail files & configure for new domain
 8b) Configure cyradm for new domain
 8c) Virtual mail Vacation & Forward server configuration
 8d) Restart Apache
 8e) Create virtual-web&email account
 8f) Delete virtual-web&email account
 9) exim mail configuration
 9a) exim.conf
 9b) virtual-domains
10) Mysql configuration
10a) Creating Database
10b) Creating user account and restrict to only their database
10c) Reload mysql
10d) Apache .htaccess authentication through mysql

******************
******************

1) Administration url and passwords

3d-unlimited
    root :
    pop:  110
    imap: 143
    https://mail.3d-unlimited.com
    https://mail.3d-unlimited.com/vacation
    https://cyradm.3d-unlimited.com
        administrator :
    https://mysql.3d-unlimited.com        ** Note mysql.*.* all point here
        root user:    root :
        cyrus user:   cyrus :
        webmail user: unlimtedmail :

planetnukem.com
    pop:  1110
    imap: 1143
    https://mail.planetnukem.com
    https://mail.planetnukem.com/vacation
    https://cyradm.planetnukem.com
        administrator :
    https://mysql.planetnukem.com
        mysql cyrus user:   pncyrus :
        mysql webmail user: pnmail :

etc...

Note: each domain's pop/imap port increments so "outside" users can reach their own virtual domain. If a domain will only use the web interface, bind its pop/imap to localhost so they are not reachable from outside, and point the web config at localhost.

Definitions:
    <domain>                       - the domain
    pop: <port>                    - pop port to access email for <domain>
    imap: <port>                   - imap port to access email for <domain>
    https://mail.<domain>          - the mailserver for <domain>
    https://mail.<domain>/vacation - the vacation server for <domain>
    administrator :                - administrator account used to access the system to create/modify/delete mailboxes & accounts

    ** Note **
    The /vacation information can be accessed via a link on the preferences/password section of the web-mail interface
    ** Note **

    https://cyradm.<domain>        - cyrus mailbox administration page
    https://mysql.<domain>         - mysql admin page - edit/use mysql db via web
    mysql cyrus user:              - the user account used by cyrus-imapd to access the database with the userid/pw combination
    mysql mail user:               - the user account used by the twig web-mail interface

** Note **
Unless you are adding a new virtual domain, the above information is all you will need. All the information below is on creating the system(s) and the virtual systems within them, except for section 10, which is on standard mysql databases, and sections 8e & 8f, on adding/deleting e-mail accounts.
** Note **

******************
******************

2) System Software installed

The source code for all servers and applications is installed in /usr/local/src.
The following servers and their source code archives are listed below:

Package          Archive                        Description
---------------  -----------------------------  --------------------------------------------------------------
Apache           apache_1.3.9.tar.gz            Web server
mod_auth_mysql   mod_auth_mysql-2.20.tar.gz     Authentication patch for apache to authenticate w/mysql
BenSSL           openssl-0.9.4.tar.gz           Secure Socket library for Apache
PHP              php-3.0.12.tar.gz              PHP processor, cgi & apache mod
bind             bind-2.8-6.i386.rpm            Redhat Package for named
Cyrus IMAPd      cyrus-imapd-1.6.20.tar.gz      E-mail server used for virtual emails. src patches from
                                                www.dmzs.com/~dmz/ for cyrus to support multi-config
Cyrus SASL       cyrus-sasl-1.5.13.tar.gz       Cyrus Auth Library; patches at www.dmzs.com/~dmz/ to support
                                                cyrus authentication through mysql
phpcyradm        php-cyradm-1.0.1.tar.gz        Cyrus admin tools via php
vacation/fwd     php-mailsettings-2.0.2.tar.gz  Imap auth vacation scripts for cyrus & exim
Web Mail         twig-2.1.0.tar.gz              Web IMAP interface in php; all virtual web interfaces build
                                                off this. Latest cvs release as of 1/16/00
aspell           aspell-.28.3.tar.gz            Spelling checker used in twig web-mail
Exim             exim-3.12.tar.gz               MTA mail server
exim pop         exim-pop.tar.Z                 Mail relay after valid POP auth
gd library       gd-1.7.3.tar.gz                Graphics library for mrtg
gdbm             gdbm-1.8.0.tar.gz              Database library for php & other
kerberos         kerb4-0.10.1.tar.gz            Kerberos auth library for Cyrus
mrtg             mrtg-2.8.9.tar.gz              Bandwidth monitor
mysql            mysql-3.22.27.tar.gz           Mysql database
Myadmin          phpMyAdmin_2.0.5.tar.gz        Web php interface to admin mysql database
lib crypt        libmcrypt-2.2.4.tar.gz         Crypt for php & others
ftp              wu-ftpd-2.6.0.tar.gz           FTP server, compiled w/out anonymous access

---
The rest of the document assumes that the above packages are all installed and working fully. The steps needed to configure and install these packages are beyond the scope of this manual and should only be done by an experienced UNIX administrator.
---

******************
******************

3) Virtual Server Configuration

All following configurations assume that a base installation is working with 3d-unlimited.com.
A base installation includes everything above working together. All configuration is done through the root account accessed via ssh.

** Note **
Order does matter in the configuration: apache won't work without dns updated first, etc...
** Note **

******************
******************

4) DNS Configuration

edit /etc/named.conf
    add a zone record, with the zone name changed to match the domain and the file name set to the new domain:

    ex:
    zone "3d-unlimited.com" {
        type master;
        file "db.3d-unlimited.com";
        allow-transfer { none; };
    };

cd /var/named
cp -p db.3d-unlimited.com db.<domain>
edit db.<domain>
    change the initial 3d-unlimited.com -> <domain>
    change $ORIGIN 3d-unlimited.com -> <domain>

    ex:
    3d-unlimited.com.  1W IN SOA linux646.dn.net. root.linux646.dn.net. (
    $ORIGIN 3d-unlimited.com.

    Be sure to add entries for:
        www
        ftp
        mail
        cyradm
        mysql

** Note **
Be sure to increment the serial # each time a db.<domain> file is edited. We just use a format of YYYYMMDD### for the serial number: increment ### each time a file is edited in a day, and change YYYYMMDD to match the day of the edit. This way it 1: increments the serial and 2: shows you the last time you edited the file.
** Note **

** Note **
This will also work for subdomains; just be sure to not overlap or get wrong #'s.
    ex:
    zone "armageddon.3d-unlimited.com" {
        type master;
        file "db.armageddon.3d-unlimited.com";
        allow-transfer { none; };
    };
    & modify the db. file with ORIGIN, etc. changed for the subdomain:
    armageddon.3d-unlimited.com.  1W IN SOA linux646.dn.net. root.linux646.dn.net. (
    $ORIGIN armageddon.3d-unlimited.com.
** Note **

******************

4a) Restart/Reset DNS Server - commit/execute changes

restart name server:
    killall -HUP named

If you need to hard-start/stop the name server:
    /etc/rc.d/init.d/named stop
    /etc/rc.d/init.d/named start

******************
******************

5) Create Virtual WWW

cd /usr/local/apache/htdocs
mkdir <domain>
add <domain> & settings to /usr/local/apache/conf/httpsd.conf

** Note **
The 3d-unlimited.pem has to be the same for any :443 ssl setups.
** Note **
** Note **
The pem is the certificate, and unique pems require that the domain be on a unique ip# (ie 1 pem / ip#).
** Note **

ex: (modify 3d-unlimited.com -> <domain>)

    # 3d-unlimited
    <Directory /usr/local/apache/htdocs/3d-unlimited.com>
        Options Indexes Includes FollowSymLinks
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    # 3d-unlimited cgi-bin
    <Directory /usr/local/apache/htdocs/3d-unlimited.com/cgi-bin>
        Options FollowSymLinks ExecCGI Includes
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    # mail.3d-unlimited.com
    <Directory /usr/local/apache/htdocs/3d-unlimited.com/mail>
        Options FollowSymLinks Indexes
        SSLRequireSSL
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    # cyradm.3d-unlimited.com
    <Directory /usr/local/apache/htdocs/3d-unlimited.com/mail/cyradm>
        Options FollowSymLinks Indexes
        SSLRequireSSL
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    <VirtualHost <ip#>:80>
        ServerAdmin webmaster@3d-unlimited.com
        DocumentRoot /usr/local/apache/htdocs/3d-unlimited.com
        ServerName 3d-unlimited.com
        ServerAlias www.3d-unlimited.com
        ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/3d-unlimited.com/cgi-bin/
        ErrorLog logs/3d-unlimited.com-error_log
        CustomLog logs/3d-unlimited.com-access_log common
    </VirtualHost>

    <VirtualHost <ip#>:443>
        SSLEnable
        SSLCertificateFile /usr/local/apache/conf/3d-unlimited.pem
        ServerAdmin webmaster@3d-unlimited.com
        DocumentRoot /usr/local/apache/htdocs/3d-unlimited.com
        ServerName 3d-unlimited.com
        ServerAlias www.3d-unlimited.com
        ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/3d-unlimited.com/cgi-bin/
        ErrorLog logs/3d-unlimited.com-error_log
        CustomLog logs/3d-unlimited.com-access_log common
    </VirtualHost>

    <VirtualHost <ip#>:443>
        SSLEnable
        # requires its own IP# for its own pem
        #SSLCertificateFile /usr/local/apache/conf/mail.3d-unlimited.pem
        SSLCertificateFile /usr/local/apache/conf/3d-unlimited.pem
        ServerAdmin webmaster@3d-unlimited.com
        DocumentRoot /usr/local/apache/htdocs/3d-unlimited.com/mail
        ServerName mail.3d-unlimited.com
        ErrorLog logs/mail.3d-unlimited.com-error_log
        CustomLog logs/mail.3d-unlimited.com-access_log common
    </VirtualHost>

    <VirtualHost <ip#>:443>
        SSLEnable
        SSLCertificateFile /usr/local/apache/conf/3d-unlimited.pem
        ServerAdmin webmaster@3d-unlimited.com
        DocumentRoot /usr/local/apache/htdocs/3d-unlimited.com/mail/cyradm
        ServerName cyradm.3d-unlimited.com
        ErrorLog logs/cyradm.3d-unlimited.com-error_log
        CustomLog logs/cyradm.3d-unlimited.com-access_log common
    </VirtualHost>

******************

5a) Restart/Reset apache - commits/executes changes

/usr/local/apache/bin/httpsdctl stop
/usr/local/apache/bin/httpsdctl start

******************
******************

6) Create FTP-Only account for virtual WWW

cd /usr/local/apache/htdocs/<domain>
cp -pr /home/ftp/* .
rm -r pub welcome.msg
adduser -G ftponly -d <directory>./ -s /bin/ftponly <userid>
passwd <userid>
rm .bash*
rm .X*

This will create an account that is accessible only by ftp with userid = <userid>, main group = <userid>, and a member of group ftponly. If the account needs to be in other groups, edit the file /etc/group and add <userid> to the group.

** Note **
The /./ at the end of the home directory above is needed to function: it is the marker wu-ftpd uses to split a guest account's home into the chroot directory (everything before the /./) and the starting directory inside it. See the ex: below.
** Note **

ex:
[root@linux646 /]# cd /usr/local/apache/htdocs/3d-unlimited.com/
[root@linux646 3d-unlimited.com]# ls -l
total 13
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 cgi-bin
-rw-r--r--   1 root     root        10806 Jan  4 23:03 index.htm
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 mail
[root@linux646 3d-unlimited.com]# ls -l /home/ftp/
total 5
d--x--x--x   2 root     root         1024 Jan  4 22:45 bin
d--x--x--x   2 root     root         1024 Jan  4 19:20 etc
drwxr-xr-x   2 root     root         1024 May  5  1999 lib
drwxr-sr-x   2 root     ftp          1024 Mar 21  1999 pub
-rw-rw-r--   1 root     root          166 Jan  4 23:19 welcome.msg
[root@linux646 3d-unlimited.com]# cp -pr /home/ftp/* .
[root@linux646 3d-unlimited.com]# ls -l
total 18
d--x--x--x   2 root     root         1024 Jan  4 22:45 bin
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 cgi-bin
d--x--x--x   2 root     root         1024 Jan  4 19:20 etc
-rw-r--r--   1 root     root        10806 Jan  4 23:03 index.htm
drwxr-xr-x   2 root     root         1024 May  5  1999 lib
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 mail
drwxr-sr-x   2 root     ftp          1024 Mar 21  1999 pub
-rw-rw-r--   1 root     root          166 Jan  4 23:19 welcome.msg
[root@linux646 3d-unlimited.com]# rm -r pub/ welcome.msg
[root@linux646 3d-unlimited.com]# ls -l
total 16
d--x--x--x   2 root     root         1024 Jan  4 22:45 bin
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 cgi-bin
d--x--x--x   2 root     root         1024 Jan  4 19:20 etc
-rw-r--r--   1 root     root        10806 Jan  4 23:03 index.htm
drwxr-xr-x   2 root     root         1024 May  5  1999 lib
drwxrwxrwx   2 root     root         1024 Jan  4 23:03 mail
[root@linux646 3d-unlimited.com]# /usr/sbin/adduser -G ftponly -d /usr/local/apache/htdocs/3d-unlimited.com/./ -s /bin/ftponly staff3du
[root@linux646 3d-unlimited.com]# passwd staff3du
Changing password for user staff3du
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully
[root@linux646 3d-unlimited.com]# rm .bash* .X*

** Note **
cgi-bin and mail are mode 777 (world-writable) in the listings above. Any local account that can write into cgi-bin can drop a script that apache will execute (ExecCGI is on for that directory in section 5), so once the ftp user exists, give these directories to that user and take the write bit away from everyone else (ie chown <userid> cgi-bin mail; chmod 755 cgi-bin mail).
** Note **

******************

6a) Recopy FTP files into domain to correct permissions of other cp -r/chmod -R

This is done after any other steps above or below that say to cp -r a directory or chmod -R the directory. The ftp chroot's bin, etc and lib must keep the ownership and permissions wu-ftpd expects (root-owned, --x--x--x, as in the listing above); a cp -r or chmod -R that touched them has weakened the chroot, so they are replaced from the master copy.

cd /usr/local/apache/htdocs/<domain>
rm -r bin
rm -r etc
rm -r lib
rm welcome.msg
cp -pr /home/ftp/* .
rm -r pub welcome.msg
cp /etc/group etc/group

******************
******************

7) Create Virtual e-mail server

Ensure there are DNS entries for cyradm & mail for the <domain> being worked on.
(See section 4 above)

******************

7a) Create database for virtual domain e-mail (see ex: or section 10a below)

mysql --user=root -p
mysql> create database <dbname>;

** Note **
The name can not have ./ ' ', etc. in it; for best practice choose a simple name similar to the domain.
** Note **

__** Document change note **__
From here forward the ex: are done with the domain console-unlimited.com
__** Document change note **__

ex:
[root@linux646 setup]# mysql --user=root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 337 to server version: 3.22.27

Type 'help' for help.

mysql> create database consolemail;
Query OK, 1 row affected (0.02 sec)

mysql> quit
Bye

******************

7b) Create tables & populate with initial values

cd /usr/local/etc/virtual/setup
mysql --user=root --password=<root password> <dbname> < twig.table.mysql
Edit sqltable.auth.population and put the value for the admin password in administrator password
mysql --user=root --password=<root password> <dbname> < sqltable.auth.population
mysql --user=root --password=<root password> <dbname> < advanced.acl.population

** Note **
--password=<root password> puts the root password on the command line, where it shows up in ps output and the shell history. Use -p instead and type it at the prompt, as in 7a.
** Note **

ex:
[root@linux646 setup]# mysql --user=root --password= consolemail < twig.table.mysql
[root@linux646 setup]# mysql --user=root --password= consolemail < sqltable.auth.population
[root@linux646 setup]# mysql --user=root --password= consolemail < advanced.acl.population

******************

7c) Create email server account & web-mail user accounts in mysql

** Note **
goto http://www.mysql.com and read the user guide to mysql
** Note **

goto https://mysql.3d-unlimited.com
login as root
select mysql database (on left), table user (in the item that pops up on the previous mysql database select)
browse to look @ how other accounts are set up, then select insert and fill in.
User accounts get NO for all privileges. Next we will add permission to specific databases.

************* important note ****************
you have to specify that the password row has PASSWORD selected in the function column.
If you don't, it will cause the database to hang up & have to be manually fixed.
************* important note ****************

You need to insert 2 IDs, 1 for the cyrus-imap daemon, and another for the mail php web interface. Look @ the names used & make similar: <prefix>cyrus <prefix>mail

ex:
localhost  cucyrus  48c26e995fbbf7f2  N N N N N N N N N N N N N N
localhost  cumail   391c96152e099f16  N N N N N N N N N N N N N N

** note **
If you see the plaintext password you typed in the password field, edit the record immediately and choose PASSWORD in the password function column before you corrupt the database!
** note **

select mysql database, table db
browse to look @ how they are filled in. Note all use localhost for server, and that there are the 2 accounts created above, cyrus & mail, where the cyrus account gets select only on the mail database and the mail user gets full rights to the mail database.
insert records for each with these permissions.

ex:
localhost  consolemail  cucyrus  Y N N N N N N N N N
localhost  consolemail  cumail   Y Y Y Y Y Y Y Y Y Y

Reload Mysql: select Home & in the window on the right "Reload MySQL"

**note**
if you don't reload, these accounts won't be activated
**note**

******************

7d) Create imapd.conf file:

cd /usr/local/etc/virtual
cp -p imapd.conf.3d-unlimited.com imapd.conf.<domain>
edit imapd.conf.<domain>
    change configdirectory, default partition, news directories and partition-<name>, plus sievedir @ the bottom. Look @ the other files for the differences between them.

** Note **
Special note: partition-<name> needs to have defaultpartition: <name> defined, where <name> is < 8 characters, or nothing will work
** Note **

@ the bottom of imapd.conf are the mysql access options. They need to be modified to use the cyrus mysql user id and password (non-encrypted) used to access the mail database. Because that password sits in this file in the clear, the ownership and mode set below (cyrus:www-data, 660) are what keep other local users from reading it.
ex:
configdirectory: /usr/local/spool/cyrusconsole
defaultpartition: console
partition-console: /usr/local/spool/cyrusconsole/console
#** note ** ^^^ don't forget to change the partition name here to match
# defaultpartition
partition-news: /usr/local/spool/cyrusconsole/news
# .... etc...
sievedir: /usr/local/spool/cyrusconsole/sieve
sasl_mysqluser: cucyrus
sasl_mysqlpasswd: <cucyrus password>
sasl_mysqlhost: localhost
sasl_mysqldatabase: consolemail

make sure imapd.conf.<domain> is owned by cyrus, group www-data:
cd /usr/local/etc/virtual
ls -l imapd.conf*
if any are not cyrus www-data:
chown cyrus.www-data imapd.conf.<domain>

ex:
[root@linux646 virtual]# ls -l imapd.conf.*
-rw-rw----   1 cyrus    www-data      940 Jan 15 16:54 imapd.conf.3d-unlimited.com
-rw-rw----   1 root     root          961 Jan 15 20:14 imapd.conf.console-unlimited.com
-rw-rw----   1 cyrus    www-data      977 Jan 15 16:54 imapd.conf.planetnukem.com
[root@linux646 virtual]# chown cyrus.www-data imapd.conf.console-unlimited.com
[root@linux646 virtual]# !ls
ls -l imapd.conf.*
-rw-rw----   1 cyrus    www-data      940 Jan 15 16:54 imapd.conf.3d-unlimited.com
-rw-rw----   1 cyrus    www-data      961 Jan 15 20:14 imapd.conf.console-unlimited.com
-rw-rw----   1 cyrus    www-data      977 Jan 15 16:54 imapd.conf.planetnukem.com

******************

7e) create config/spool directory specified in the imapd.conf

cd /usr/local/etc/virtual/setup
edit mkimap & replace imapd.conf with /usr/local/etc/virtual/imapd.conf.<domain>
./mkimap

ex:
[root@linux646 setup]# ./mkimap
reading configure file...
i will configure directory /usr/local/spool/cyrusconsole.
i saw partition /usr/local/spool/cyrusconsole/console.
i saw partition /usr/local/spool/cyrusconsole/news.
you are using /usr/local/spool/cyrusconsole/sieve as your sieve directory.
done
creating /usr/local/spool/cyrusconsole...
creating /usr/local/spool/cyrusconsole/sieve...
done

Change ownership of the new mail partitions to cyrus.mail and make them readable only by them:
cd /usr/local/spool
chown -R cyrus.mail cyrus<name>
chmod -R 770 cyrus<name>

ex:
[root@linux646 etc]# cd ../spool/
[root@linux646 spool]# ls -l
total 5
drwxrwx---  10 cyrus    mail         1024 Jan 13 14:44 cyrus
drwxr-xr-x   9 root     root         1024 Jan 15 20:28 cyrusconsole
drwxrwx---  11 cyrus    mail         1024 Jan 15 19:40 cyrusplanetnukem
drwxr-x---   5 mail     mail         1024 Dec 29 10:32 exim
drwxrwx---   4 www-data mail         1024 Jan 15 19:14 vacation
[root@linux646 spool]# chown -R cyrus.mail cyrusconsole/
[root@linux646 spool]# chmod -R 770 cyrusconsole/
[root@linux646 spool]# ls -l
total 5
drwxrwx---  10 cyrus    mail         1024 Jan 13 14:44 cyrus
drwxrwx---   9 cyrus    mail         1024 Jan 15 20:28 cyrusconsole
drwxrwx---  11 cyrus    mail         1024 Jan 15 19:40 cyrusplanetnukem
drwxr-x---   5 mail     mail         1024 Dec 29 10:32 exim
drwxrwx---   4 www-data mail         1024 Jan 15 19:14 vacation

******************

7f) Configure inetd for new domain

edit /etc/inetd.conf - follow the examples there, using the new imapd.conf.<domain> file and noting the pop/imap ports created. I suggest just using #110 / #143 for the ports (ie 1110/1143, 2110/2143, ...), as you can go up to 32768 ports on some systems, and that can even be increased. If you get greater than 320 virtual e-mail servers on this domain, get a new machine with all that $$ :)

restart inetd
/etc/rc.d/init.d/inet stop
/etc/rc.d/init.d/inet start

******************

7g) Test cyrus allows administrator to logon

cyradm -user administrator localhost <imap port>

ex:
cyradm -user administrator localhost 2143
localhost> quit

** Note **
You shouldn't get ANY errors here. If you do, go back & make sure all previous steps are working. Examine the logfiles and see where it went wrong. Could be a typo in a password.
** Note **

cyradm can be used in the future, but from here forward use the web interface https://cyradm.<domain>. See (section 8e & 8f).
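The checks that sections 6a, 7d and 7e leave to reading ls -l can be scripted, which matters because the imapd.conf.<domain> file holds a database password in the clear and the cgi-bin directories in section 6 were shown world-writable. The following shell functions are an added example, not part of this manual or of DMZ Services' setup scripts. They assume GNU stat (Linux), default to the manual's user and group names, and take the paths as arguments; the temporary tree the checks are exercised on is constructed, not the server's.

```sh
#!/bin/sh
# Added example (not part of the manual): check the ownership and modes that
# 7d, 7e and 6a depend on, instead of reading ls -l by eye. Assumes GNU stat
# (Linux). Owner/group names default to the manual's but can be overridden so
# the checks can be run against a scratch tree as well.

# check_path PATH MODE OWNER GROUP
#   0 if PATH has exactly octal MODE and is owned by OWNER:GROUP; otherwise
#   prints one diagnostic line and returns 1.
check_path() {
    path=$1 want="$2 $3 $4"
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    got=$(stat -c '%a %U %G' "$path") || return 1
    [ "$got" = "$want" ] && return 0
    echo "BAD $path: have '$got', want '$want'"
    return 1
}

# world_writable DIR
#   Everything under DIR that any user may write to. Section 6's listing shows
#   cgi-bin and mail as drwxrwxrwx; a world-writable cgi-bin lets any local
#   account plant a CGI that apache runs, so this should print nothing.
world_writable() {
    find "$1" ! -type l -perm -o+w 2>/dev/null
}

# audit_mail_domain DOMAIN CONFDIR SPOOLDIR [CYRUS_USER] [WWW_GROUP] [MAIL_GROUP]
#   imapd.conf.<domain> carries the cyrus MySQL password in clear text, so it
#   must be 660 cyrus:www-data (7d); the cyrus spool and every directory under
#   it must be 770 cyrus:mail (7e, chmod -R 770). Returns 0 only if all pass.
audit_mail_domain() {
    domain=$1 confdir=$2 spool=$3
    cyrus_user=${4:-cyrus} www_group=${5:-www-data} mail_group=${6:-mail}
    rc=0
    check_path "$confdir/imapd.conf.$domain" 660 "$cyrus_user" "$www_group" || rc=1
    [ -d "$spool" ] || { echo "MISSING $spool"; return 1; }
    # the manual's spool paths contain no whitespace, so word-splitting is safe here
    for d in $(find "$spool" -type d 2>/dev/null); do
        check_path "$d" 770 "$cyrus_user" "$mail_group" || rc=1
    done
    return $rc
}

# On the server, for the domain set up in section 7 (run as root):
#   audit_mail_domain console-unlimited.com /usr/local/etc/virtual /usr/local/spool/cyrusconsole
#   world_writable /usr/local/apache/htdocs/console-unlimited.com
```

Run the two calls in the trailing comment after 7e and again after any later chmod -R or cp -r (the situation 6a warns about); both should print nothing.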
******************
******************

8) Virtual web-mail configuration

The web interface is only necessary for storing the userid/password information for cyrus-imapd authentication. However, the full web interface (twig) offers full web-enabled groupware for each domain.

This all assumes that /usr/local/apache/htdocs/3d-unlimited/mail is preinstalled & working twig 2.1 out of cvs, /mail/cyradm is the cyrus phpadmin tools, and /mail/vacation is the phpmailsettings tools. All available on freshmeat (cyradm/cyrstatus are in the same package).

Also, all of these pages can be customized to fit the look/feel of the pages. Just do not change the programming or config files, only the syntax, headers, footers, etc. mail/config has all the mail header/footer/images; /vacation & /cyradm have a similar structure of php code.

******************

8a) Create mail files & configure for new domain

cd /usr/local/apache/htdocs/<domain>
mkdir mail
cp -pr /usr/local/apache/htdocs/3d-unlimited.com/mail/* mail
cd mail
rm -r mail
ln -s . mail
cd ..
chown -R <userid>.<group> mail
** Note ^^ owner/group created in (section 6) **

Configure web e-mail for new domain
cd /usr/local/apache/htdocs/<domain>/mail/config
edit config.inc.php3
    modify: fromdomain
            imap_port
edit dbconfig.inc.php3
    modify: sqlusername
            sqlpassword
            defaultdb

If not done above when configuring apache for the virtual domain:
Modify the apache conf for mail.<domain> to require SSL and use the directory <domain>/mail as set up like the others.

******************

8b) Configure cyradm for new domain

cd /usr/local/apache/htdocs/<domain>/mail/cyradm/config
edit config.php3
    modify: $IMAPPORT
            $IMAPCONFIGFILE
            $PWD_FILE

ex:
$IMAPPORT=2143;
$IMAP_CONFIG_PATH="/usr/local/etc/virtual/imapd.conf.console-unlimited.com";
$PWD_FILE="/usr/local/apache/htdocs/consoleu/mail/cyradm/mailadminpasswd";

Now set the password for cyradm access. (This is the only place it is in a separate file from the database; if the administrator user changes his/her password, this step will NEED to be done again.)
cd ..
/usr/local/apache/bin/htpasswd mailadminpasswd administrator
password:

** Note **
mailadminpasswd sits inside the DocumentRoot of cyradm.<domain>, so unless apache is told otherwise anyone can fetch https://cyradm.<domain>/mailadminpasswd and take the hash away to crack. Either keep the file outside htdocs (and point $PWD_FILE at it) or deny it in the apache config (a <Files mailadminpasswd> block with Deny from all).
** Note **

If not done above when configuring apache for the virtual domain:
Modify the apache conf for cyradm.<domain> to require SSL and use the directory <domain>/mail/cyradm as set up like the others.

** Note **
remember to goto https://cyradm.<domain> and create an account for administrator after you reset apache below
** Note **

******************

8c) Virtual mail Vacation & Forward server configuration

Configure the mail forwarding/vacation -- NOTE if this isn't done the e-mail server will die and no one's mail will work.

cd /usr/local/apache/htdocs/<domain>/mail/vacation/config
edit config.php3
    modify: $default->mail_domain
            $default->imap_port
            $default->aliases_file
            $default->status_dir
            $default->tmp_dir
            $default->vac_dir
            $default->vac_prog
            $default->logfile

ex:
$default->mail_domain = "console-unlimited.com";   /* maildomain */
$default->imap_port   = 2143;                      /* imap-port */
/* ... further down ... */
$default->aliases_file = "/usr/local/etc/virtual/virtual-aliases-console-unlimited.com";    /* aliases file */
$default->status_dir   = "/usr/local/spool/vacation/console-unlimited.com/forward/status";   /* forward status directory */
$default->tmp_dir      = "/usr/local/spool/vacation/console-unlimited.com/forward/tmp";      /* temporary directory for authentication status */
$default->vac_template = "/usr/local/etc/virtual/vacation.templ";                           /* vacation message template-file */
$default->vac_dir      = "/usr/local/spool/vacation/console-unlimited.com/";                 /* vacation stuff directory */
$default->vac_prog     = "/usr/local/etc/virtual/vacationconsole-unlimited.pl";              /* vacation program */
$default->logfile      = "/usr/local/spool/vacation/console-unlimited.com/mailsettings.log"; /* logfile where the actions are logged */

Create vacation/forward spool directory & files, matching the files set in the cfg above
*** note failure to do any of these will cause the system to NOT work ***

cd /usr/local/etc/virtual
touch virtual-aliases-console-unlimited.com
chown www-data.mail virtual-aliases-console-unlimited.com
chmod 644 virtual-aliases-console-unlimited.com
cp -p vacation3du.conf vacationconsole-unlimited.conf
edit vacationconsole-unlimited.conf
    modify: $message_dir
            $rfrom
    ex:
    $message_dir='/usr/local/spool/vacation/console-unlimited.com';
    $rfrom = '@console-unlimited.com';
cp -p vacation3du.pl vacationconsole-unlimited.pl
edit vacationconsole-unlimited.pl
    modify: $conf -- near the end; search for "mail sent through the autoresponder" and change the domain
    ex:
    $conf='/etc/virtual/vacationconsole-unlimited.conf';
    print MAIL "\n------ mail sent through the autoresponder on console-unlimited.com -------\n";

create spool directory:
cd /usr/local/spool/vacation
mkdir <domain>
mkdir <domain>/forward
mkdir <domain>/forward/status
mkdir <domain>/forward/tmp
mkdir <domain>/logs
chown -R www-data.mail <domain>
chmod 770 <domain>

ex:
[root@linux646 vacation]# mkdir console-unlimited.com
[root@linux646 vacation]# mkdir console-unlimited.com/forward
[root@linux646 vacation]# mkdir console-unlimited.com/forward/status
[root@linux646 vacation]# mkdir console-unlimited.com/forward/tmp
[root@linux646 vacation]# mkdir console-unlimited.com/forward/logs
[root@linux646 vacation]# chown -R www-data.mail console-unlimited.com/
[root@linux646 vacation]# chmod 770 console-unlimited.com/

Make sure www-data is in the group of the domain installed.
edit /etc/group
    modify: <group> and add ,www-data

******************

8d) Restart Apache

Restart Apache:
/usr/local/apache/bin/httpsdctl stop
/usr/local/apache/bin/httpsdctl start
or see (section 5a)

Use cyradm.<domain> to add/delete user accounts. Once the cyradm account is created, use mail.<domain>, logon as administrator, to create accounts. Don't forget to add these users to the everybody group or they won't be able to read their mail from the web interface. Remotely they can use imap or pop applications to access their mail; just use the pop/imap ports created when doing the inetd.conf config.
******************

8e) Create virtual-web&email account

There are 2 steps involved in creating an e-mail account with one of the virtual e-mail servers.

** Note **
The mail works in 2 parts: the web mail is the userid/pw used to authenticate the user; the mailbox is the actual physical place the messages are stored.
** Note **

Create the mailbox:
    logon as administrator for <domain> on: https://cyradm.<domain>
    choose on the left side "Add New User"
    on the right, after "user." add the userid

    ** Note **
    the userid can not have any spaces or special characters in it
    ** Note **

Create web-mail account for <userid>:
    logon as administrator for <domain> on: https://mail.<domain>
    Choose "Administrator" from options
    Choose Feature "Accounts" and select "Go"
    Fill in "Username" and "Password" and select create

    ** Note **
    If a group isn't chosen for the <userid> then the user will be able to use their email through pop/imap, but not through the web. Users need to be in group "Everyone" to be able to access the web-mail system.
    ** Note **

Add newly created <userid> to "Everyone" group in web-mail:
    while still logged in to mail.<domain> as administrator, in "Administration" choose Feature "ACL's" and select "GO"
    in "Add User to ACL Group", select group "Everyone" and select the new account created above and choose "Add"

******************

8f) Delete virtual-web&email account

If you want to just disable an account, just logon as administrator for <domain> in mail.<domain> and change the <userid>'s password so they can't sign on. They will still receive mail, but won't be able to read or send any through the server.

Delete web-mail account for <userid>:
    logon as administrator for <domain> on https://mail.<domain>
    Choose "Administrator" from options
    Choose Feature "Accounts" and select "Go"
    In the listing @ the bottom of the screen, select "Delete" next to the account you want deleted

    ** Note **
    If the web-mail account is deleted but the mailbox isn't, then the messages for that user will still be stored.
    ** Note **

Delete mailbox for <userid>:
    logon as administrator for <domain> on https://cyradm.<domain>
    Find the <userid> to be deleted in the listing on the left side
    Select <userid>, then choose "Delete" from the pulldown list on the far right side and select "X/OK"

    ** Note **
    Once a mailbox is deleted, it is permanently gone
    ** Note **

******************
******************

9) exim mail configuration

The exim server is assumed to be preconfigured with the settings below. To add new domains for it to support, modify the /usr/local/etc/virtual/virtual-domains file and add the new domains. Everything else works on a flag ${domain} that will use the config files specified by the domain, ex: virtual-aliases-3d-unlimited.com.

******************

9a) exim.conf notes to consider:

#Main section#
primary_hostname = 3d-unlimited.com
qualify_domain = 3d-unlimited.com
local_domains = /usr/local/etc/virtual/virtual-domains
local_domains_include_host = true
forbid_domain_literals = true
never_users = root
host_accept_relay = "localhost:linux646.dn.net:\
                     lsearch;/usr/local/etc/popauth"
relay_domains_include_local_mx = true
trusted_users = www-data:mail
host_lookup = 0.0.0.0/0
receiver_verify = true
rbl_domains = rbl.maps.vix.com:dul.maps.vix.com:relays.orbs.org

#Transport section#
local_delivery_cyrus:
  driver = pipe
  command = "/usr/cyrus/bin/deliver -c /usr/local/etc/virtual/imapd.conf.${domain} ${local_part}"
  return_path_add
  return_output
  log_output
  prefix=""
  suffix=""
  user = cyrus
  group = mail

#directors section add before local delivery#
virtual_aliases:
  driver = aliasfile
  file = /usr/local/etc/virtual/virtual-aliases-${domain}
  search_type = lsearch*
  user = www-data
  file_transport = address_file
  pipe_transport = address_pipe

cyrususer:
  user = cyrus
  driver = smartuser
  suffix = .*
  suffix_optional = yes
  transport = local_delivery_cyrus

** Note **
host_accept_relay trusts every host listed in /usr/local/etc/popauth, the file exim-pop maintains after a successful POP login (section 2), so the relay is only as tight as the expiry of entries in that file. Also check from time to time that the rbl_domains zones are still in service: a decommissioned list may answer every lookup, which would make exim reject all incoming mail.
** Note **

******************

9b) virtual-domains

localhost
linux646.dn.net
3d-unlimited.com
*.3d-unlimited.com
net-unlimited.net
*.net-unlimited.net
quantum9.com
*.quantum9.com
console-unlimited.com
*.console-unlimited.com
planetnukem.com
*.planetnukem.com
saiyan.net
*.saiyan.net
vertigoextreme.com
*.vertigoextreme.com

******************
******************

10) Mysql configuration

Mysql is currently configured for minimal access. Individual accounts have been created for the specific access points needed:

    root:       root user - has 100% access to everything
    www-data:   web server - only access to tables needed for auth_mysql
    mysqladmin: phpmyadmin account - select mysql.user table only
    cyrus:      virtual imap daemon - select mail.twig_users only
    mail:       virtual twig web-mail - All priv on mail

You can access mysql through: https://mysql.<domain>
    ex: https://mysql.3d-unlimited.com

** Note **
phpMysql (mysql.<domain>) will only show the tables/databases that the signed-on user has access to. So, if user accounts are created properly (as described in 10b) then all users can use mysql.<domain> to edit the databases they want to use on the system. Also, there is only 1 mysql database server, so there are _NO_ options for "virtual" databases/dbusers. The user list for mysql is just 1 list for _all_ users.
** Note **

Definitions:
    Select = choose/open the specified db/table item
    mysql.user = <db>.<table> = mysql database, user table

******************

10a) Creating Database

You can follow the example in (section 7a) on creating a database from the command line, or logon as root on https://mysql.<domain> and choose create database from the window.
The database created is now referred to as <dbname> in the following examples.

******************

10b) Creating user account and restrict to only their database

Logon as root to https://mysql.<domain>
Select mysql.user
Choose Insert and fill in where:
    host = localhost
    user = <userid>
    password (function = PASSWORD) = <password>
    N for all options

Host is always localhost - do not set up ANY remote mysql access: the connection is unencrypted, so the passwords are _VERY_ susceptible to sniffing.
User accounts get NO for all privileges. Next we will add permission to specific databases.

************* important note ****************
you have to specify that the password row has PASSWORD selected in the function column.
If you don't, it will cause the database to hang up & have to be manually fixed.
************* important note ****************

Select mysql.db
Choose Insert and fill in where:
    host = localhost
    database = <dbname>
    user = <userid>
    Choose the permissions the user should have (ie if they only need to view the db, choose Y for select only), etc., up to Y / N for any/all options.

******************

10c) Reload mysql

Logon as root to https://mysql.<domain>
Select "Reload MySQL"
If not on screen in mysql.<domain>, choose "Home" then reload

**note**
if you don't reload, these accounts won't be activated
**note**

******************

10d) Apache .htaccess authentication through mysql

This will allow for user authentication through a mysql database. Access will need to be granted for the www-data user to the database/table specified & the .htaccess file will need to be configured.

logon as root to https://mysql.<domain>
Select mysql.db
Insert item where:
    host = localhost
    database = <db where www-data/auth needs access>
    user = www-data
    Permissions: Y on select only, N for all else
Follow the steps in (section 10c) on reloading mysql to make it active

example .htaccess authenticating to the unlimitedmail database:

    AuthName "3dUnlimited Crew"
    AuthType Basic
    Auth_MySQL_DB unlimitedmail
    Auth_MySQL_Password_Table twig_accounts
    Auth_MySQL_Username_Field username
    Auth_MySQL_Password_Field password
    Auth_MySQL_Empty_Passwords Off
    Auth_MySQL_Encrypted_Passwords off
    Auth_MySQL_Scrambled_Passwords off
    Auth_MYSQL on
    require user bigal dmz administrator

Note, web-mail stores cleartext passwords, so Encrypted/Scrambled passwords are both turned off. That also means anything that can select from twig_accounts can read every web-mail user's password, so the www-data grant should cover that one table only. User www-data will need to have access to select from the unlimitedmail.twig_accounts table.

Create an http_auth table if not authenticating to the mail database:

Logon as root to https://mysql.<domain> and give the www-data user access to the <dbname> you want to have http_auth in
Logon as <userid> to https://mysql.<domain>
Select the <database> you want to add the http_auth table to
In "Run SQL query/queries on database test [Documentation]:" insert:

CREATE TABLE http_auth (
  username varchar(25) NOT NULL,
  passwd   varchar(25) NOT NULL,
  groups   varchar(25) NOT NULL,
  PRIMARY KEY (username)
);

Insert userid/pw/group into the new table for authentication. Because the .htaccess below turns Auth_MySQL_Scrambled_Passwords on, the passwd column must hold the output of MySQL's PASSWORD() function (set function = PASSWORD when inserting, as in 10b); a cleartext value in that column will never match.

Create .htaccess to access <database> (the Password_Field must match the passwd column created above):

AuthName "Test Crew"
AuthType Basic
Auth_MySQL_DB <database>
Auth_MySQL_Password_Table http_auth
Auth_MySQL_Username_Field username
Auth_MySQL_Password_Field passwd
Auth_MySQL_Empty_Passwords Off
Auth_MySQL_Encrypted_Passwords off
Auth_MySQL_Scrambled_Passwords on
Auth_MYSQL on
require user <user>

** Doc from mod_auth_mysql **

mod_auth_mysql, like other apache authentication modules, is used in order to protect pages with username/password. The unique thing is that the passwords and usernames are stored in a MySQL database for much quicker access. Also, unlike the previous implementation of the module, SQL links are kept alive in between hits to achieve even better performance.

Protecting a directory with a username/password is simple, and involves two steps:
1. Creating the necessary SQL information.
2. Telling apache to protect the page using that information.

Creating the necessary SQL information
--------------------------------------

You would generally need one table that contains 3 fields - username, password, and group. In some cases the group wouldn't be required and in others you may want to have extra fields in that table for other usages. If you already have the database and table with the necessary fields, you can skip to the next phase. Otherwise:

1. Create a database to store the authentication table, e.g.:

   prompt> mysqladmin create http_auth

   NOTE: You *don't* have to have this table in a separate database, you can skip creating a new database and use an existing database if it fits your needs.

2. Create the auth table, e.g.:

   prompt> mysql http_auth
   mysql> create table mysql_auth (
       -> username char(25),
       -> passwd char(25),
       -> groups char(25),
       -> primary key (username)
       -> );

   NOTE 1: You *don't* have to use a new table for this purpose; you can use existing fields in existing tables for this purpose.
   NOTE 2: All of the above names (the table name and field names) are the defaults the module looks for. They CAN be overridden using directives.
   NOTE 3: The username/passwd information and username/group information can be stored in separate tables (using different table names for the password table and group table). This is useful if you want some users to have multiple (or no) groups. In order to do that, you should have one row in the username/passwd table, and multiple rows in the username/group table, one for each group the user is in.

3. Insert the information into the table. Both the username and group fields are plaintext, whereas the password field should contain standard UNIX DES encrypted passwords (this can be overridden using a directive as well, but the default is using encrypted passwords).
(I) Protect your company's financial information (not recommended to put on the web :) to any user that's in the SQL auth table:

   AuthName My Company's Financial Information   <-- the realm name, use some informative name
   AuthType Basic                                <-- keep it that way
   require valid-user                            <-- allow any valid user to access

(II) Allow access only to specific users:

   AuthName My Company's Financial Information   <-- the realm name, use some informative name
   AuthType Basic                                <-- keep it that way
   require user johndoe devnull                  <-- let only johndoe and devnull access

(III) Allow only members of group 'executives' to access the information:

   AuthName My Company's Financial Information   <-- the realm name, use some informative name
   AuthType Basic                                <-- keep it that way
   require group executives                      <-- allow only members of this group to access

Note that with Apache 1.3, you would have to encapsulate the AuthName with double quotes if it contains spaces, e.g.
   AuthName "My Company's Financial Information"

4. Take a look at the following directives, and see if you need to use any of them. Any of these can be options in .htaccess:

Auth_MySQL_DB
   The MySQL database to use. If you haven't specified Auth_MySQL_General_DB earlier, in the httpd.conf file, you *must* specify this directive.
   Example: Auth_MySQL_DB http_auth

Auth_MySQL_Password_Table
   The name of the MySQL table that contains user:password pairs. By default it is 'mysql_auth'.

Auth_MySQL_Group_Table
   The name of the MySQL table that contains user:group pairs. Typically you'd probably just want to keep triplets of user:password:group inside the same table, but you can use a different table for user:group pairs if you'd like. By default it is 'mysql_auth'.

Auth_MySQL_Username_Field
   The field name of the username field. By default it is 'username'.

Auth_MySQL_Password_Field
   The field name of the password field. By default it is 'passwd'.

Auth_MySQL_Group_Field
   The field name of the group field. By default it is 'groups'.
Auth_MySQL_Empty_Passwords on/off
   Whether or not to allow empty passwords. If the password field is empty (equal to '') and this is set to 'On', users would be able to access the page by just specifying their username without any password checking. If this is 'Off', they would be denied access.
   Default: On.

Auth_MySQL_Encryption_Types [Plaintext, Crypt_DES, MySQL]
   This directive tells the authentication module which encryption type(s) to use. It overrides the Auth_MySQL_Scrambled_Passwords and Auth_MySQL_Encrypted_Passwords directives if it appears after them. More than one encryption type may be specified, to instruct the module to check each password through more than one encryption scheme. For example,
      Auth_MySQL_Encryption_Types Plaintext Crypt_DES
   will instruct the module to check each password both as-is, and through DES crypt.

Auth_MySQL_Encrypted_Passwords on/off
   Whether or not to use standard UNIX DES encrypted passwords. If turned on, the module expects the password field to contain standard UNIX DES encrypted passwords (2 bytes salt plus 11 bytes encrypted data). If turned off, the passwords are expected to be plaintext, unless Auth_MySQL_Scrambled_Passwords is turned on. Use of this directive is not encouraged - use Auth_MySQL_Encryption_Types instead.
   Default: On.

Auth_MySQL_Scrambled_Passwords on/off
   Whether or not to use passwords scrambled with MySQL's password() routine. If turned on, the module expects the password field to contain standard passwords encrypted with the SQL password() function in MySQL. If turned off, the passwords are expected to be plaintext, unless Auth_MySQL_Encrypted_Passwords is turned on. Use of this directive is not encouraged - use Auth_MySQL_Encryption_Types instead.
   Default: Off.

Auth_MySQL_Authoritative on/off
   Whether or not to authenticate using other authentication modules after the user is successfully authenticated by the MySQL auth module.
   Default: On (i.e., don't pass on the request).
Auth_MySQL_Non_Persistent on/off
   By turning on this option, you can tell the module to close the MySQL link after each authentication request. Note that I can't think of any good reason to do it, unless your platform makes MySQL go crazy when it has plenty of simultaneous threads (bad handling of file descriptors may cause that). In my opinion, one should increase the maximum number of simultaneous threads in MySQL and keep this option Off.
   Default: Off.

Auth_MYSQL on/off
   Whether or not to enable MySQL authentication. If it's off, the MySQL authentication will pass on the authentication job to the other authentication modules (e.g. the flatfile auth module). If it's on, and a database name was specified, the MySQL module will be used for authentication.

******************
******************

copyright (c) DMZ Services & 3d-Unlimited
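Worked command-line equivalent of sections 10a through 10d, added here as an example. It is not part of the original manual and not DMZ Services' own setup. It assumes the MySQL 3.23/4.0-era grant tables (mysql.user with a Password column, mysql.db) and PASSWORD() function that the phpMyAdmin steps above rely on; the database name crewdb, the user crew, the login bigal used as an http_auth row, and every password string are made-up placeholders.

```sql
-- Added example for sections 10a-10d; placeholder names and passwords throughout.
-- Assumes MySQL 3.23/4.0 grant tables and PASSWORD(); run as the mysql root user.

-- 10a) Create the database (same as "create database" in phpMyAdmin).
CREATE DATABASE crewdb;

-- 10b) Account row: localhost only, password stored via PASSWORD(), and every
-- global privilege left at its column default of 'N'. Writing the password as a
-- plain string here is the mistake the "important note" in 10b warns about.
INSERT INTO mysql.user (Host, User, Password)
    VALUES ('localhost', 'crew', PASSWORD('crew-example-pw'));

-- 10b) Per-database row: SELECT only on crewdb; the other *_priv columns default to 'N'.
INSERT INTO mysql.db (Host, Db, User, Select_priv)
    VALUES ('localhost', 'crewdb', 'crew', 'Y');

-- 10c) Equivalent of "Reload MySQL": rows inserted directly into the grant
-- tables do nothing until the privileges are flushed.
FLUSH PRIVILEGES;

-- Check: exactly one host entry (localhost) for the account and no global
-- privileges; one crewdb row with Select_priv = 'Y' and the rest 'N'.
SELECT Host, User, Select_priv, Insert_priv, Grant_priv
    FROM mysql.user WHERE User = 'crew';
SELECT Host, Db, User, Select_priv, Insert_priv, Drop_priv
    FROM mysql.db WHERE User = 'crew';

-- The same result as one GRANT statement (also localhost-only, and it takes
-- effect without a FLUSH). Left commented out so the INSERT form above runs alone.
-- GRANT SELECT ON crewdb.* TO 'crew'@'localhost' IDENTIFIED BY 'crew-example-pw';

-- 10d) http_auth table in crewdb, matching the CREATE TABLE in section 10d.
-- Caveat: PASSWORD() output is 16 hex characters in MySQL 3.23/4.0 and fits
-- varchar(25); from MySQL 4.1 it is 41 characters and this column would
-- truncate it, so widen passwd to varchar(41) or more on those versions.
CREATE TABLE crewdb.http_auth (
    username varchar(25) NOT NULL,
    passwd   varchar(25) NOT NULL,
    groups   varchar(25) NOT NULL,
    PRIMARY KEY (username)
);

-- 10d) www-data gets SELECT on crewdb only, so the web server can read the
-- auth table and nothing more.
INSERT INTO mysql.db (Host, Db, User, Select_priv)
    VALUES ('localhost', 'crewdb', 'www-data', 'Y');
FLUSH PRIVILEGES;

-- The 10d .htaccess for this table sets Auth_MySQL_Scrambled_Passwords on, so
-- the stored value has to be PASSWORD() output; a cleartext passwd can never match.
INSERT INTO crewdb.http_auth (username, passwd, groups)
    VALUES ('bigal', PASSWORD('bigal-example-pw'), 'crew');

-- What the module effectively checks per request: the username from the Basic
-- auth header, with the supplied password scrambled the same way before comparing.
-- A row comes back only when the scrambled values agree.
SELECT username, groups FROM crewdb.http_auth
    WHERE username = 'bigal' AND passwd = PASSWORD('bigal-example-pw');
```

With Auth_MySQL_Encrypted_Passwords on instead, the passwd column would hold crypt(3) DES output and the comparison above would be done by the module against that hash rather than by MySQL's PASSWORD().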