Scalix Install on Debian

I prefer Exim for spam filtering. We will configure Scalix to listen on port 587 and require SMTP Authentication. Incoming mail will flow to Exim on port 25 and be sent to port 26 (Scalix) for local delivery.


Create a fake "sendmail" package

I created an empty package called sendmail-fake which meets the dependencies of scalix-server*.deb but does not conflict with exim4-config.

cd /root
mkdir -p sendmail-fake/DEBIAN
vi sendmail-fake/DEBIAN/control


Package: sendmail-fake
Version: 1.0.0
Section: base
Priority: optional
Architecture: all
Depends: bash (>= 2.05a-11), awk, grep (>= 2.4.2-3)
Maintainer: Ian Samuel <[email protected]>
Provides: sendmail,sendmail-cf
Description: Fake sendmail package to make Scalix happy

dpkg-deb --build sendmail-fake /root/
dpkg -i sendmail-fake_1.0.0_all.deb

Continue with the installation

aptitude install sun-java5-jre postgresql-8.1 apache2 libssl0.9.7
aptitude install gawk libglib2.0-0 libstdc++2.10-glibc2.2 libxml2 libstdc++5 w3m libsasl2-modules

dpkg -i ./third_party/libical/i386/libical_0.24.RC4.20050413_i386.deb

mv /opt /usr
ln -s /usr/opt /opt

/usr/sbin/groupadd -g 99 scalix
/usr/sbin/useradd -u 99 -g scalix -m -k /dev/null -c "Scalix" -d /opt/scalix -s /bin/true scalix

dpkg -i ./software/scalix_server/scalix-server_11.1.0.10849_i386.deb

export PATH=$PATH:/opt/scalix/bin
sxconfig --set -t general.usrl_cn_rule='G S'
sxconfig --set -t general.usrl_authid_rule='f@'

sxconfig --set -t orniasys.name_part_1='"C" <f>' -t orniasys.domain_part_1=''

Continue with the manual install here:


"Too many open files"

Although this has been fixed for other Linux distributions, the same fix doesn't seem to have been applied to the 'debian' section of the start-up script:

elif [ &quot;$DISTRIBUTION&quot; = &quot;debian&quot; ] ; then

start() {
        # Clear out any temporary files, especially lock files.
        test -n &quot;$CATALINA_BASE&quot; &amp;&amp; rm -f $CATALINA_BASE/temp/* &gt;/dev/null 2&gt;&amp;1
        echo -n &quot;Starting Tomcat service ($SCALIX_INSTANCE)&quot;
+        if [ ! -z &quot;$ULIMIT_NUM_FILES&quot; ]; then
+            ulimit -SHn ${ULIMIT_NUM_FILES}
+        fi
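Review bot: in the lines added to start(), the result of ulimit -SHn ${ULIMIT_NUM_FILES} is never checked and the expansion is unquoted, so a value the shell rejects leaves Tomcat starting with the old descriptor limit and no message. Test with [ -n "$ULIMIT_NUM_FILES" ], quote the expansion, and print a warning when ulimit returns non-zero. The visible lines also do not show where ULIMIT_NUM_FILES is set, so a comment naming that file would help.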

Add scheduled maintenance jobs

crontab -e -u root:

@daily /opt/scalix/bin/ommon

Maintenance Commands

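View the Scalix queue summary (%-d drops the leading zero from the day of the month, which shell arithmetic would otherwise read as octal and reject on the 8th and 9th):

echo A$(($(date +%-d) + 10))E | /opt/scalix/diag/omqdump -s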

Connect Scalix to OpenLDAP via PAM

In my case, because I was migrating users from an existing system, I needed to use OpenLDAP again to authenticate users via PAM.

I followed the highlights of this document, except that I used a different configuration for the Scalix PAM.

aptitude install libpam-ldap

- ~/sys/ual.remote: Allows Outlook and SWA users to authenticate against an external authentication server.
- ~/sys/omslapdeng: Allows SWA personal contacts to be searched. The Scalix Admin Console (SAC) also uses the file omslapdeng.
- ~/sys/smtpd.auth: Allows users coming in through SMTPD to authenticate against an external authentication server.
- ~/sys/pop3: Allows POP3 users to authenticate against an external authentication server.

/var/opt/scalix/??/s/sys/pam.d/pamcheck (and others):

auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_om2authid
password required /lib/security/

You may also need to update your slapd.conf to allow for anonymous searches (Scalix needs them to convert from uid=XYZ to the full dn for authenticating).

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attr=userpassword
      by dn="cn=qmail, o=mrzesty" read
      by anonymous auth
access to *
      by * read

Configure Exim and Scalix to work together

Exim is configured to only accept mail for an address found using LDAP to query the Scalix user directory.

Configure SpamAssassin:

aptitude install sa-exim
gpasswd -a clamav Debian-exim


# Enable relaying through port 587

#RELAY accept



  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
    message = relay not permitted
    # quote_ldap escapes LDAP filter metacharacters in the recipient address
    condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}


  debug_print = "R: scalix for $domain"
  driver = manualroute
  # Same quoted lookup as the ACL condition above
  condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}
  same_domain_copy_routing = yes
  self = send
  route_list = * localhost::26
  transport = remote_smtp
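
To check by hand what the recipient lookup above will match, the same filter can be built in the shell and passed to ldapsearch. This is an added example, not part of the original page; the function names are hypothetical, the addresses are constructed, and it assumes ldapsearch reaches the same directory Exim queries.

```shell
#!/bin/sh
# Added example: rebuild the LDAP filter used in the Exim ACL and router
# conditions, with RFC 4515 escaping of the address, for manual testing.

# Escape the characters that are special inside an LDAP filter value.
# Backslash is handled first so the later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Same filter as on the page: the address exists in the Scalix directory
# and is not on the "internet" mailnode.
scalix_filter() {
    printf '(&(mail=%s)(!(omMailnode=internet)))' "$(ldap_escape "$1")"
}

# Print (do not run) the query for two constructed addresses. The second
# contains a wildcard, which must reach the server as the literal \2a
# instead of matching every mailbox.
for addr in 'user@example.com' 'a*@example.com'; do
    printf "ldapsearch -x -b o=Scalix '%s' mail\n" "$(scalix_filter "$addr")"
done
```

An address that should be rejected at RCPT time returns no entry from the printed query.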

Install a certificate and key for TLS

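openssl genrsa -rand /etc/passwd:/var/log/messages -out /etc/exim4/exim.key 2048
# The private key must be readable only by root and the Exim group
chown root:Debian-exim /etc/exim4/exim.key
chmod 640 /etc/exim4/exim.key
openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr
openssl x509 -req -days 3650 -in /etc/exim4/exim.csr -signkey /etc/exim4/exim.key -out /etc/exim4/exim.crt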

Disable logging from the omslapd process


 # client requests will be queued until some threads have finished.
 # NOTE: higher limit may require more engines to be configured (see below).
 threadlimit                    64
+loglevel                       0
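Review bot: the added loglevel 0 line carries no comment, unlike threadlimit above it. Say in a comment that it silences omslapd logging and how to turn logging back on for troubleshooting, since with it in place a failing directory query leaves nothing to look at on the Scalix side.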

Reload modified properties files

Reload the scalix-tomcat *.properties files without restarting all of Tomcat, which can be disruptive to users.

find /var/opt/scalix/?? -name web.xml | xargs touch

Backups of Scalix using Bacula

The easy way to back up Scalix is a binary backup, suspending Scalix before Bacula runs and resuming it afterwards:


Job {
  ClientRunBeforeJob = "/etc/bacula/scripts/;
  ClientRunAfterJob  = "/opt/scalix/bin/omsuspend -r"

/etc/bacula/scripts/ on the client:

echo "/opt/scalix/bin/omsuspend -s 299" | at now

Note: due to limitations of the omsuspend utility, this only allows 5 minutes for the backup to complete before Scalix resumes. This is probably not enough time for a system in production. Consider using omsuspend while you grab an LVM snapshot and backing that up instead, or, if your backup window allows, stop Scalix completely (omshut) and start it again after the backup is finished (omrc).

Migration from an existing qmail-ldap server


        $lc=ldap_connect("ldap1.local") or die ("Cannot connect");

        ldap_bind($lc,"cn=manager,o=mrzesty","ldappass") or die ("Cannot bind");

        foreach ($results as $result) {
                print "\n";

From your CSV file containing emailaddress,cn,userpassword:

awk -F'[,@]' '{system("/opt/scalix/bin/omaddu -n \""$3"/mrzesty/INTERNET-ADDR=\\\""$3"\\\" <"$1"@"$2">=\\\""$3"\\\" <"$1"@sx1."$2">\" --class limited -p temppass "$1"@"$2)}' mrzesty.csv
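
The awk one-liner above hands every CSV field to a shell through system(), so a cn containing quotes or other shell metacharacters changes the command that runs. The following added example (not from the original page) does the same job without re-parsing the fields: it validates each row against an allowlist and calls omaddu with quoted arguments. The function names, the allowlist, the DRY_RUN switch and the sample rows are assumptions made for this example, and quoted CSV fields containing commas are not handled.

```shell
#!/bin/sh
# Constructed sample rows (emailaddress,cn,userpassword). The cn in row 2
# contains characters that are structural in omaddu's -n name syntax.
SAMPLE='alice@example.com,Alice Example,{crypt}x
bob@example.com,Bob "Bobby" Example/Sales,{crypt}y'

# True when $1 is non-empty and consists only of characters in tr set $2.
valid_field() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d "$2")" ]
}

# Allowlist (an assumption, adjust to your naming policy): exactly one @,
# and nothing that a shell or the -n name syntax treats as special.
valid_row() {    # $1 = email address, $2 = cn
    case $1 in *@*@*) return 1 ;; ?*@?*) ;; *) return 1 ;; esac
    valid_field "${1%@*}" 'A-Za-z0-9._+-' &&
    valid_field "${1#*@}" 'A-Za-z0-9.-' &&
    valid_field "$2" 'A-Za-z0-9 .-'
}

# The -n value that the page's awk command builds, from validated fields.
omaddu_name() {  # $1 = email address, $2 = cn
    printf '%s/mrzesty/INTERNET-ADDR="%s" <%s>="%s" <%s@sx1.%s>' \
        "$2" "$2" "$1" "$2" "${1%@*}" "${1#*@}"
}

# Read the CSV on stdin. With DRY_RUN unset the commands are only printed;
# run with DRY_RUN= (empty) to execute omaddu for real.
add_users() {
    while IFS=, read -r email cn _password; do
        if valid_row "$email" "$cn"; then
            ${DRY_RUN-echo} /opt/scalix/bin/omaddu \
                -n "$(omaddu_name "$email" "$cn")" \
                --class limited -p temppass "$email" </dev/null
        else
            printf 'skipped: %s\n' "$email" >&2
        fi
    done
}

printf '%s\n' "$SAMPLE" | add_users
```

Rows reported as skipped are the ones to create by hand after checking the name.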


        $lc=ldap_connect("ldap1.local") or die ("Cannot connect");

        ldap_bind($lc,"cn=manager,o=mrzesty","ldappass") or die ("Cannot bind");

        foreach ($results as $result) {
                $password='{crypt}' . crypt( "temppassold" );
                print "\n";


The tool imapsync is very customizable for migrating between namespaces of different types.

Copy mail from courier-imap to Scalix:

imapsync --host1 --user1 [email protected] --password1 temppassold --expunge1 --host2 localhost --user2 [email protected] --password2 temppass --exclude '^INBOX\.INBOX$'

Copy mail from courier-imap to a Scalix subfolder:

imapsync --host1 --user1 [email protected] --password1 temppassold --expunge1 --host2 localhost --user2 [email protected] --password2 temppass --exclude '^INBOX\.INBOX$' --prefix2 OldMailbox/ --regextrans2 's/^INBOX/OldMailbox/'

awk -F, '{system("imapsync --host1 --user1 " $1 " --password1 temppassold --host2 localhost --user2 " $2 " --password2 temppass --exclude \"^INBOX\.INBOX$\"")}' domain.csv

echo "dn:,ou=People,dc=mrzesty,dc=net
objectClass: organizationalUnit
objectClass: top
" > mrzesty.ldif

awk -F, '{print "dn: uid="$1",,ou=People,dc=mrzesty,dc=net\nuid: "$1"\nuserPassword: "$3"\nobjectClass: top\nobjectClass: account\nobjectClass: simpleSecurityObject\n"}' mrzesty.csv >> mrzesty.ldif

ldapadd -xv -D "cn=admin,dc=mrzesty,dc=net" -w ldappass -f mrzesty.ldif

Mailbox rules

Add a filtering rule to file SPAM into a spam folder

/opt/scalix/bin/sxaa --user [email protected] --file spam --header "X-Spam-Level: ***"

Redirect (forward without modifying the message) a copy of the message received

/opt/scalix/bin/sxaa --user username --redirect [email protected] --retain

Redirect (forward-only without modifying the message) the message received

/opt/scalix/bin/sxaa --user username --redirect [email protected]

View Rules

/opt/scalix/bin/sxaa --user username


Upgrades

Make a backup of your properties files first

Installing upgrades will overwrite your customized *.properties files.

ci -l /var/opt/scalix/??/webmail/
ci -l /var/opt/scalix/??/caa/scalix.res/config/
ci -l /var/opt/scalix/??/caa/scalix.res/config/psdata
ci -l /var/opt/scalix/??/res/config/
ci -l /var/opt/scalix/??/platform/
ci -l /var/opt/scalix/??/mobile/
ci -l /var/opt/scalix/??/sis/

Re-deploy upgraded scalix-tomcat webapps

rm -r /var/opt/scalix/??/tomcat/webapps/*
rm -r /var/opt/scalix/??/tomcat/work/*

Re-index mailboxes



scalixinstallondebian.txt · Last modified: 2020/02/13 22:55 (external edit)
