Scalix install on Debian
I prefer Exim for spam filtering. We will configure Scalix to listen on port 587 and require SMTP Authentication. Incoming mail will flow to Exim on port 25 and be sent to port 26 (Scalix) for local delivery.
Create a fake "sendmail" package
I created an empty package called sendmail-fake which meets the dependencies of scalix-server*.deb but does not conflict with exim4-config.
cd /root
mkdir -p sendmail-fake/DEBIAN
vi sendmail-fake/DEBIAN/control
/root/sendmail-fake/DEBIAN/control:
Package: sendmail-fake
Version: 1.0.0
Section: base
Priority: optional
Architecture: all
Depends: bash (>= 2.05a-11), awk, grep (>= 2.4.2-3)
Maintainer: Ian Samuel <scalix@mrzesty.net>
Provides: sendmail,sendmail-cf
Description: Fake sendmail package to make Scalix happy
dpkg-deb --build sendmail-fake /root/
dpkg -i sendmail-fake_1.0.0_all.deb
Continue with the installation
aptitude install sun-java5-jre postgresql-8.1 apache2 libssl0.9.7
aptitude install gawk libglib2.0-0 libstdc++2.10-glibc2.2 libxml2 libstdc++5 w3m libsasl2-modules
dpkg -i ./third_party/libical/i386/libical_0.24.RC4.20050413_i386.deb
mv /opt /usr
ln -s /usr/opt /opt
/usr/sbin/groupadd -g 99 scalix
/usr/sbin/useradd -u 99 -g scalix -m -k /dev/null -c "Scalix" -d /opt/scalix -s /bin/true scalix
dpkg -i ./software/scalix_server/scalix-server_11.1.0.10849_i386.deb
export PATH=$PATH:/opt/scalix/bin
sxconfig --set -t general.usrl_cn_rule='G S'
sxconfig --set -t general.usrl_authid_rule='f@'
sxconfig --set -t orniasys.name_part_1='"C" <f>' -t orniasys.domain_part_1='mycompany.com'
Continue with the manual install here: http://www.scalix.com/wiki/index.php?tit ... _the_Initial_Scalix_Server_Instance
"Too many open files"
Although fixed for other Linux distributions, the same fix doesn't seem to have been applied to the 'debian' section of the start-up script:
elif [ "$DISTRIBUTION" = "debian" ] ; then
start() {
# Clear out any temporary files, especially lock files.
test -n "$CATALINA_BASE" && rm -f $CATALINA_BASE/temp/* >/dev/null 2>&1
echo -n "Starting Tomcat service ($SCALIX_INSTANCE)"
+ if [ ! -z "$ULIMIT_NUM_FILES" ]; then
+ ulimit -SHn ${ULIMIT_NUM_FILES}
+ fi
$startup
RETVAL=$?
}
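Review bot: the added `ulimit -SHn ${ULIMIT_NUM_FILES}` ahead of `$startup` leaves the expansion unquoted and ignores the exit status, so a non-numeric value or a limit the init script is not allowed to set fails and Tomcat still starts with the old descriptor limit. Quote the variable, test it with `[ -n "$ULIMIT_NUM_FILES" ]`, and print a warning or abort when `ulimit` returns non-zero so the "Too many open files" condition does not come back unnoticed.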
Add scheduled maintenance jobs
crontab -e -u root:
@daily /opt/scalix/bin/ommon
Maintenance Commands
View the Scalix queue summary:
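# %-d (GNU date) drops the leading zero, which the shell would otherwise reject as invalid octal on the 8th and 9th
echo A$(($(date +%-d) + 10))E | /opt/scalix/diag/omqdump -s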
Connect Scalix to OpenLDAP via PAM
In my case, because I was migrating users from an existing qmail-ldap system, I needed to use OpenLDAP again for authentication of users via PAM. I followed highlights of this document, with the exception that I used a different configuration of the scalix PAM. http://www.scalix.com/wiki/index.php?title=HowTos/Using_OpenLDAP_for_password_management
aptitude install libpam-ldap
- ~/sys/ual.remote: Allows Outlook and SWA users to authenticate against an external authentication server.
- ~/sys/omslapdeng: Allows SWA personal contacts to be searched. The Scalix Admin Console (SAC) also uses the file omslapdeng.
- ~/sys/smtpd.auth: Allows users coming in through SMTPD to authenticate against an external authentication server.
- ~/sys/pop3: Allows POP3 users to authenticate against an external authentication server.
/var/opt/scalix/??/s/sys/pam.d/pamcheck (and others):
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_om2authid
password required /lib/security/pam_ldap.so
You may also need to update your slapd.conf to allow for anonymous searches (Scalix needs them to convert from uid=XYZ to the full dn for authenticating).
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attr=userpassword
    by dn="cn=qmail, o=mrzesty" read
    by anonymous auth
access to *
    by * read
Configure Exim and Scalix to work together
Exim is configured to only accept mail for an address found using LDAP to query the Scalix user directory.
Configure SpamAssassin: SpamAssassin on Debian
aptitude install sa-exim
gpasswd -a clamav Debian-exim
s/sys/smtpd.cfg:
# Enable relaying through port 587
SUBMIT=ON
#RELAY accept .mrzesty.net
LISTEN=0.0.0.0:26
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
require
message = relay not permitted
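# quote_ldap escapes LDAP filter metacharacters in the SMTP-supplied recipient address
condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}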
/etc/exim4/conf.d/router/175_exim4-config_scalix:
scalix:
debug_print = "R: scalix for $domain"
driver = manualroute
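# quote_ldap escapes LDAP filter metacharacters in the SMTP-supplied recipient address
condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}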
same_domain_copy_routing = yes
self = send
route_list = * localhost::26
transport = remote_smtp
Install a certificate and key for TLS
# Give the modulus size explicitly; older OpenSSL releases default to a shorter key
openssl genrsa -rand /etc/passwd:/var/log/messages -out /etc/exim4/exim.key 2048
openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr
openssl x509 -req -days 3650 -in /etc/exim4/exim.csr -signkey /etc/exim4/exim.key -out /etc/exim4/exim.crt
Disable logging from the omslapd process
/s/sys/slapd.conf:
# client requests will be queued until some threads have finished.
# NOTE: higher limit may require more engines to be configured (see below).
threadlimit 64
+loglevel 0
#
# --OMSLAPDDATABASEDEFS--
#
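Review bot: the added `loglevel 0` after `threadlimit 64` carries no comment saying why omslapd logging is switched off or how to turn it back on. Add a `#` comment line above it, in the style of the surrounding file, so that whoever next troubleshoots a directory or authentication problem can see that logging was disabled deliberately.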
Reload modified properties files
Reload scalix-tomcat *.properties files without restarting all of tomcat (can be disruptive to users).
find /var/opt/scalix/?? -name web.xml | xargs touch
Backups of Scalix using Bacula
The easy way to back up Scalix is using a binary backup, suspending Scalix before and resuming Scalix after Bacula has run.
bacula-dir.conf:
Job {
...
ClientRunBeforeJob = "/etc/bacula/scripts/pre-bacula.sh"
ClientRunAfterJob = "/opt/scalix/bin/omsuspend -r"
}
/etc/bacula/scripts/pre-bacula.sh on the client:
echo "/opt/scalix/bin/omsuspend -s 299" | at now
Note: due to limitations of the omsuspend utility, this allows only 5 minutes for the backup to complete before Scalix resumes. This is probably not enough time for a system in production. Consider using omsuspend while you grab an LVM snapshot and backing that up instead, or, if your backup window allows, stop Scalix completely (omshut) and start it again after the backup is finished (omrc).
Migration from an existing qmail-ldap server
ldap2csv.php:
#!/usr/bin/php
<?php
$lc=ldap_connect("ldap1.local") or die ("Cannot connect");
ldap_bind($lc,"cn=manager,o=mrzesty","ldappass") or die ("Cannot bind");
$attribs=array("uid","sn","userpassword");
$sr=ldap_search($lc,"o=mrzesty","(mail=*@mrzesty.net)",$attribs);
$results=ldap_get_entries($lc,$sr);
ldap_unbind($lc);
array_shift($results);
foreach ($results as $result) {
// Quote the array keys; bare words are undefined constants in current PHP
printf('%s,%s,%s',$result["uid"][0],$result["sn"][0],$result["userpassword"][0]);
print "\n";
}
?>
From your CSV file containing emailaddress,cn,userpassword
awk -F[,@] '{system("/opt/scalix/bin/omaddu -n \""$3"/mrzesty/INTERNET-ADDR=\\\""$3"\\\" <"$1"@"$2">=\\\""$3"\\\" <"$1"@sx1."$2">\" --class limited -p temppass "$1"@"$2)}' mrzesty.csv
ldapforwards.php:
#!/usr/bin/php
<?php
$lc=ldap_connect("ldap1.local") or die ("Cannot connect");
ldap_bind($lc,"cn=manager,o=mrzesty","ldappass") or die ("Cannot bind");
$attribs=array("uid","sn","userpassword","mail");
$sr=ldap_search($lc,"o=mrzesty","(mail=*@mrzesty.net)",$attribs);
$results=ldap_get_entries($lc,$sr);
array_shift($results);
foreach ($results as $result) {
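$dn=$result["dn"];
// str_replace replaces ereg_replace, which was removed in PHP 7
$forward=str_replace("@","@sx1.",$result["mail"][0]);
// crypt() requires an explicit salt on PHP 8; $6$ selects SHA-512 crypt
// (assumes the directory server's crypt(3) supports it)
$password='{crypt}' . crypt( "temppassold", '$6$' . bin2hex(random_bytes(8)) . '$' );
$info=array();
$info["deliveryMode"]="nolocal";
$info["mailForwardingAddress"]=$forward;
$info["userPassword"]=$password;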
print($dn);
print_r($info);
ldap_modify($lc,$dn,$info);
print "\n";
}
ldap_unbind($lc);
?>
The tool imapsync is very customizable for migrating between namespaces of different types: http://www.linux-france.org/prj/imapsync/FAQ
Copy mail from courier-imap to Scalix:
imapsync --host1 old.server.com --user1 user@mrzesty.net --password1 temppassold --expunge1 --host2 localhost --user2 user@mrzesty.net --password2 temppass --exclude '^INBOX\.INBOX$'
Copy mail from courier-imap to a Scalix subfolder:
imapsync --host1 old.server.com --user1 user@mrzesty.net --password1 temppassold --expunge1 --host2 localhost --user2 user@mrzesty.net --password2 temppass --exclude '^INBOX\.INBOX$' --prefix2 OldMailbox/ --regextrans2 's/^INBOX/OldMailbox/'
awk -F, '{system("imapsync --host1 old.server.com --user1 " $1 " --password1 temppassold --host2 localhost --user2 " $2 " --password2 temppass --exclude \"^INBOX\\.INBOX$\"")}' domain.csv
echo "dn: ou=mrzesty.net,ou=People,dc=mrzesty,dc=net
ou: mrzesty.net
objectClass: organizationalUnit
objectClass: top
" > mrzesty.ldif
awk -F, '{print "dn: uid="$1",ou=mrzesty.net,ou=People,dc=mrzesty,dc=net\nuid: "$1"\nuserPassword: "$3"\nobjectClass: top\nobjectClass: account\nobjectClass: simpleSecurityObject\n"}' mrzesty.csv >> mrzesty.ldif
ldapadd -xv -D "cn=admin,dc=mrzesty,dc=net" -w ldappass -f mrzesty.ldif
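The awk one-liners in this section that call omaddu and imapsync build a command string from CSV fields and hand it to system(), so a shell re-parses every value exported from the directory. The script below is an added example, not part of the original page: it performs the omaddu import with each field passed as a single quoted argument and skips rows whose fields could alter the -n syntax or be read as options. The dry_run stand-in and the validation rules are assumptions; the omaddu arguments are the ones the page uses.

```shell
# Added example, not from the original page. dry_run is a hypothetical stand-in
# so this runs without Scalix; set OMADDU=/opt/scalix/bin/omaddu for real use.
dry_run() { { printf 'omaddu'; printf ' [%s]' "$@"; echo; } >&2; }
OMADDU=${OMADDU:-dry_run}
MAILNODE=${MAILNODE:-mrzesty}      # mailnode from the page's -n argument
TEMP_PASS=${TEMP_PASS:-temppass}   # temporary password from the page

# Address: conservative allowlist (an assumption), exactly one @, and no
# leading "-" that omaddu could parse as an option.
valid_addr() {
    case $1 in
        ''|-*|@*|*@|*@*@*|*[!A-Za-z0-9._+@-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Display name: reject the characters that delimit parts of the -n value.
valid_cn() {
    case $1 in ''|-*|*'"'*|*/*|*=*|*'<'*|*'>'*|*'\'*) return 1 ;; esac
}

# Same -n value as the awk one-liner: $1=cn $2=local part $3=domain
scalix_name() {
    printf '%s/%s/INTERNET-ADDR="%s" <%s@%s>="%s" <%s@sx1.%s>' \
        "$1" "$MAILNODE" "$1" "$2" "$3" "$1" "$2" "$3"
}

# $1 = CSV of emailaddress,cn,userpassword; prints "<created> <skipped>"
add_users() {
    created=0 skipped=0
    while IFS=, read -r addr cn _rest; do
        if valid_addr "$addr" && valid_cn "$cn"; then
            # Each value is one argv element; no shell re-parses the data.
            "$OMADDU" -n "$(scalix_name "$cn" "${addr%@*}" "${addr#*@}")" \
                --class limited -p "$TEMP_PASS" "$addr" </dev/null \
                && created=$((created + 1))
        else
            echo "skipped: $addr" >&2; skipped=$((skipped + 1))
        fi
    done < "$1"
    echo "$created $skipped"
}

# Constructed sample rows: valid, quote in cn, option-like address
sample=$(mktemp)
printf '%s\n' 'alice@mrzesty.net,Alice Smith,x' \
    'carol@mrzesty.net,Carol "CJ"; Jones,x' '-h@mrzesty.net,Eve,x' > "$sample"
add_users "$sample"; rm -f "$sample"
```

Skipped rows are reported on stderr so they can be reviewed and created by hand.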
Mailbox rules
Add a filtering rule to file SPAM into a spam folder
/opt/scalix/bin/sxaa --user mailbox@mrzesty.net --file spam --header "X-Spam-Level: ***"
Redirect (forward without modifying the message) a copy of the message received
/opt/scalix/bin/sxaa --user username --redirect remote@domain.com --retain
Redirect (forward-only without modifying the message) the message received
/opt/scalix/bin/sxaa --user username --redirect remote@domain.com
View Rules
/opt/scalix/bin/sxaa --user username
Upgrades
Make a backup of your properties files first
Installing upgrades will overwrite your customized *.properties files.
ci -l /var/opt/scalix/??/webmail/swa.properties
ci -l /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties
ci -l /var/opt/scalix/??/caa/scalix.res/config/psdata
ci -l /var/opt/scalix/??/res/config/res.properties
ci -l /var/opt/scalix/??/platform/platform.properties
ci -l /var/opt/scalix/??/mobile/mobile.properties
ci -l /var/opt/scalix/??/sis/sis.properties
Re-deploy upgraded scalix-tomcat webapps
rm -r /var/opt/scalix/??/tomcat/webapps/*
rm -r /var/opt/scalix/??/tomcat/work/*
Re-index mailboxes
http://www.scalix.com/wiki/index.php?title=HowTos/RebuildIndex
References
Integration of Exim: http://www.scalix.com/forums/viewtopic.php?t=4770
Mailbox Rules Administration Tool: http://www.scalix.com/ceraw/download/pub/admin_resource_kit/sxaa.readme