====== Scalix Install on Debian ======

I prefer Exim for spam filtering. We will configure Scalix to listen on port 587 and require SMTP Authentication. Incoming mail will flow to Exim on port 25 and be sent to port 26 (Scalix) for local delivery.

====== Create a fake "sendmail" package ======

I created an empty package called sendmail-fake which meets the dependencies of scalix-server*.deb but does not conflict with exim4-config.

  cd /root
  mkdir -p sendmail-fake/DEBIAN
  vi sendmail-fake/DEBIAN/control

/root/sendmail-fake/DEBIAN/control:

  Package: sendmail-fake
  Version: 1.0.0
  Section: base
  Priority: optional
  Architecture: all
  Depends: bash (>= 2.05a-11), awk, grep (>= 2.4.2-3)
  Maintainer: Ian Samuel <scalix@mrzesty.net>
  Provides: sendmail,sendmail-cf
  Description: Fake sendmail package to make Scalix happy

Build and install the package:

  dpkg-deb --build sendmail-fake /root/
  dpkg -i sendmail-fake_1.0.0_all.deb

====== Continue with the installation ======

  aptitude install sun-java5-jre postgresql-8.1 apache2 libssl0.9.7
  aptitude install gawk libglib2.0-0 libstdc++2.10-glibc2.2 libxml2 libstdc++5 w3m libsasl2-modules
  dpkg -i ./third_party/libical/i386/libical_0.24.RC4.20050413_i386.deb
  mv /opt /usr
  ln -s /usr/opt /opt
  /usr/sbin/groupadd -g 99 scalix
  /usr/sbin/useradd -u 99 -g scalix -m -k /dev/null -c "Scalix" -d /opt/scalix -s /bin/true scalix
  dpkg -i ./software/scalix_server/scalix-server_11.1.0.10849_i386.deb
  export PATH=$PATH:/opt/scalix/bin
  sxconfig --set -t general.usrl_cn_rule='G S'
  sxconfig --set -t general.usrl_authid_rule='f@'
  sxconfig --set -t orniasys.name_part_1='"C" <f>' -t orniasys.domain_part_1='mycompany.com'

Continue with the manual install here:

====== "Too many open files" ======

Although fixed for other Linux distributions, the same fix doesn't seem to have been applied to the 'debian' section of the start-up script:

elif [ "$DISTRIBUTION" = "debian" ] ; then start() { # Clear out any temporary files, especially lock files. 
test -n "$CATALINA_BASE" && rm -f $CATALINA_BASE/temp/* >/dev/null 2>&1 echo -n "Starting Tomcat service ($SCALIX_INSTANCE)" + if [ ! -z "$ULIMIT_NUM_FILES" ]; then + ulimit -SHn ${ULIMIT_NUM_FILES} + fi $startup RETVAL=$? }

====== Add scheduled maintenance jobs ======

crontab -e -u root:

  @daily /opt/scalix/bin/ommon

====== Maintenance Commands ======

View the Scalix queue summary:

  # %e (space-padded day) avoids the octal error that "08" and "09" from %d cause in $(( ))
  echo A$(($(date +%e) + 10))E | /opt/scalix/diag/omqdump -s

====== Connect Scalix to OpenLDAP via PAM ======

In my case, because I was migrating users from an existing system, I needed to use OpenLDAP again for authentication of users via PAM. I followed highlights of this document, with the exception that I used a different configuration of the Scalix PAM.
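Review bot: in the debian start() hunk under "Too many open files", the exit status of the added ulimit -SHn ${ULIMIT_NUM_FILES} call is never checked, so if the limit cannot be raised $startup still runs with the old descriptor limit and the output gives no hint why the error returns. Suggest testing the result and printing a warning before $startup. On the same added lines, quote the expansion ("$ULIMIT_NUM_FILES") and prefer [ -n "$ULIMIT_NUM_FILES" ] over [ ! -z ... ]; the excerpt also does not show where ULIMIT_NUM_FILES is set for this branch, so confirm it is defined before start() runs.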

  aptitude install libpam-ldap

var/opt/scalix??/s/sys/pam.d/pamcheck (and others):

  auth required om_ldap user_unknown=ignore
  auth optional om_auth nullok use_first_pass
  account required om_auth
  password required om_om2authid
  password required /lib/security/pam_ldap.so

You may also need to update your slapd.conf to allow anonymous searches (Scalix needs them to convert from uid=XYZ to the full DN for authenticating).

  access to dn.base="" by * read
  access to dn.base="cn=Subschema" by * read
  access to attr=userpassword by dn="cn=qmail, o=mrzesty" read by anonymous auth
  access to * by * read

====== Configure Exim and Scalix to work together ======

Exim is configured to only accept mail for an address found using LDAP to query the Scalix user directory.

Configure SpamAssassin:

  aptitude install sa-exim
  gpasswd -a clamav Debian-exim

s/sys/smtpd.cfg:

  # Enable relaying through port 587
  SUBMIT=ON
  #RELAY accept .mrzesty.net
  LISTEN=0.0.0.0:26

/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:

  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  # quote_ldap escapes the sender-supplied address before it enters the LDAP filter.
  require message = relay not permitted
          condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}

/etc/exim4/conf.d/router/175_exim4-config_scalix:

  scalix:
    debug_print = "R: scalix for $domain"
    driver = manualroute
    # Same lookup as the ACL above, with the address escaped by quote_ldap.
    condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})(!(omMailnode=internet)))}{true}{false}}
    same_domain_copy_routing = yes
    self = send
    route_list = * localhost::26
    transport = remote_smtp

Install a certificate and key for TLS:

  openssl genrsa -rand /etc/passwd:/var/log/messages -out /etc/exim4/exim.key
  openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr
  openssl x509 -req -days 3650 -in /etc/exim4/exim.csr -signkey /etc/exim4/exim.key -out /etc/exim4/exim.crt

Disable logging from the omslapd process

/s/sys/slapd.conf

# client requests will be queued until some threads have finished. # NOTE: higher limit may require more engines to be configured (see below). threadlimit 64 +loglevel 0 # # --OMSLAPDDATABASEDEFS-- #

====== Reload modified properties files ======

Reload scalix-tomcat *.properties files without restarting all of Tomcat (a full restart can be disruptive to users).

  find /var/opt/scalix/?? -name web.xml | xargs touch

====== Backups of Scalix using Bacula ======

The easy way to back up Scalix is a binary backup, suspending Scalix before Bacula runs and resuming it afterwards.

bacula-dir.conf:

  Job {
    ...
    ClientRunBeforeJob = "/etc/bacula/scripts/pre-bacula.sh"
    ClientRunAfterJob = "/opt/scalix/bin/omsuspend -r"
  }

/etc/bacula/scripts/pre-bacula.sh on the client:

  echo "/opt/scalix/bin/omsuspend -s 299" | at now

Note: due to limitations of the omsuspend utility this only allows 5 minutes for the backup to complete before Scalix resumes. This is probably not enough time for a system in production. Consider using omsuspend while you grab an LVM snapshot and backing that up instead, or, if your backup window allows, stop Scalix completely (omshut) and start it after the backup is finished (omrc).

====== Migration from an existing qmail-ldap server ======

ldap2csv.php:

  #!/usr/bin/php
  <?php
  // Export uid, sn and userpassword of every mrzesty.net mailbox as CSV.
  $lc = ldap_connect("ldap1.local") or die("Cannot connect");
  ldap_bind($lc, "cn=manager,o=mrzesty", "ldappass") or die("Cannot bind");
  $attribs = array("uid", "sn", "userpassword");
  $sr = ldap_search($lc, "o=mrzesty", "(mail=*@mrzesty.net)", $attribs);
  $results = ldap_get_entries($lc, $sr);
  ldap_unbind($lc);
  array_shift($results);  // drop the leading "count" element
  foreach ($results as $result) {
      // array keys are quoted strings; bare words are undefined constants
      printf('%s,%s,%s', $result["uid"][0], $result["sn"][0], $result["userpassword"][0]);
      print "\n";
  }
  ?>

From your CSV file containing emailaddress,cn,userpassword:

  awk -F[,@] '{system("/opt/scalix/bin/omaddu -n \""$3"/mrzesty/INTERNET-ADDR=\\\""$3"\\\" <"$1"@"$2">=\\\""$3"\\\" <"$1"@sx1."$2">\" --class limited -p temppass "$1"@"$2)}' mrzesty.csv

ldapforwards.php:

  #!/usr/bin/php
  <?php
  // Forward each old account to its @sx1. address and set a temporary password.
  $lc = ldap_connect("ldap1.local") or die("Cannot connect");
  ldap_bind($lc, "cn=manager,o=mrzesty", "ldappass") or die("Cannot bind");
  $attribs = array("uid", "sn", "userpassword", "mail");
  $sr = ldap_search($lc, "o=mrzesty", "(mail=*@mrzesty.net)", $attribs);
  $results = ldap_get_entries($lc, $sr);
  array_shift($results);  // drop the leading "count" element
  foreach ($results as $result) {
      $dn = $result["dn"];
      // str_replace() replaces ereg_replace(), which was removed in PHP 7
      $forward = str_replace("@", "@sx1.", $result["mail"][0]);
      $password = '{crypt}' . crypt("temppassold");
      $info["deliveryMode"] = "nolocal";
      $info["mailForwardingAddress"] = $forward;
      $info["userPassword"] = $password;
      print($dn);
      print_r($info);
      ldap_modify($lc, $dn, $info);
      print "\n";
  }
  ldap_unbind($lc);
  ?>

The tool imapsync is very customizable for migrating between namespaces of different types.
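The account-creation step above sends CSV fields through awk's system(), so a quote or $(...) inside a cn value is parsed by the shell. The following is an added example, not part of the original page: it builds the same omaddu -n string but passes every field as a single argument and skips rows with characters outside an allow-list. The function names, the DRY_RUN switch and the allowed character sets are assumptions.

```shell
#!/bin/sh
# Added example. The -n layout, --class limited and -p temppass come from the
# page's awk one-liner; function names, DRY_RUN and the character allow-lists
# are assumptions made for this sketch.
LC_ALL=C; export LC_ALL
OMADDU=${OMADDU:-/opt/scalix/bin/omaddu}

# valid_field SET VALUE: true if VALUE is non-empty and made only of chars in SET.
valid_field() {
    [ -n "$2" ] && [ -z "$(printf '%s' "$2" | tr -d "$1")" ]
}

# build_name LOCAL DOMAIN CN: print the omaddu -n argument in the page's layout.
build_name() {
    printf '%s/mrzesty/INTERNET-ADDR="%s" <%s@%s>="%s" <%s@sx1.%s>' \
        "$3" "$3" "$1" "$2" "$3" "$1" "$2"
}

# add_users CSV: run omaddu once per valid "email,cn,password" row.
# Returns the number of rejected rows (0 means every row was accepted).
add_users() {
    rejected=0
    while IFS=, read -r email cn _pw; do
        local_part=${email%@*}
        domain=${email##*@}
        if [ "$local_part" = "$email" ] ||
           ! valid_field 'A-Za-z0-9._-' "$local_part" ||
           ! valid_field 'A-Za-z0-9.-' "$domain" ||
           ! valid_field "A-Za-z0-9 .'-" "$cn"; then
            echo "skipping row: $email" >&2
            rejected=$((rejected + 1))
            continue
        fi
        # Each field is one argv element: nothing here is re-parsed by a shell.
        # stdin is /dev/null so the command cannot consume the rest of the CSV.
        ${DRY_RUN:+echo} "$OMADDU" \
            -n "$(build_name "$local_part" "$domain" "$cn")" \
            --class limited -p temppass "$email" </dev/null
    done <"$1"
    return "$rejected"
}
```

Calling add_users mrzesty.csv with DRY_RUN=1 set prints the omaddu commands instead of running them.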

Copy mail from courier-imap to Scalix:

  imapsync --host1 old.server.com --user1 user@mrzesty.net --password1 temppassold --expunge1 --host2 localhost --user2 user@mrzesty.net --password2 temppass --exclude '^INBOX\.INBOX$'

Copy mail from courier-imap to a Scalix subfolder:

  imapsync --host1 old.server.com --user1 user@mrzesty.net --password1 temppassold --expunge1 --host2 localhost --user2 user@mrzesty.net --password2 temppass --exclude '^INBOX\.INBOX$' --prefix2 OldMailbox/ --regextrans2 's/^INBOX/OldMailbox/'

Run imapsync for every account listed in domain.csv:

  # "\\." keeps the backslash through awk's string parsing so imapsync sees \.
  awk -F, '{system("imapsync --host1 old.server.com --user1 " $1 " --password1 temppassold --host2 localhost --user2 " $2 " --password2 temppass --exclude \"^INBOX\\.INBOX$\"")}' domain.csv

Build an LDIF from the CSV file and load it:

  echo "dn: ou=mrzesty.net,ou=People,dc=mrzesty,dc=net
  ou: mrzesty.net
  objectClass: organizationalUnit
  objectClass: top
  " > mrzesty.ldif
  awk -F, '{print "dn: uid="$1",ou=mrzesty.net,ou=People,dc=mrzesty,dc=net\nuid: "$1"\nuserPassword: "$3"\nobjectClass: top\nobjectClass: account\nobjectClass: simpleSecurityObject\n"}' mrzesty.csv >> mrzesty.ldif
  ldapadd -xv -D "cn=admin,dc=mrzesty,dc=net" -w ldappass -f mrzesty.ldif

====== Mailbox rules ======

Add a filtering rule to file SPAM into a spam folder:

  /opt/scalix/bin/sxaa --user mailbox@mrzesty.net --file spam --header "X-Spam-Level: ***"

Redirect (forward without modifying the message) a copy of the message received:

  /opt/scalix/bin/sxaa --user username --redirect remote@domain.com --retain

Redirect (forward-only without modifying the message) the message received:

  /opt/scalix/bin/sxaa --user username --redirect remote@domain.com

View rules:

  /opt/scalix/bin/sxaa --user username

====== Upgrades ======

Make a backup of your properties files first

Installing upgrades will overwrite your customized *.properties files:

  ci -l /var/opt/scalix/??/webmail/swa.properties
  ci -l /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties
  ci -l /var/opt/scalix/??/caa/scalix.res/config/psdata
  ci -l /var/opt/scalix/??/res/config/res.properties
  ci -l /var/opt/scalix/??/platform/platform.properties
  ci -l /var/opt/scalix/??/mobile/mobile.properties
  ci -l /var/opt/scalix/??/sis/sis.properties

Re-deploy upgraded scalix-tomcat webapps

  rm -r /var/opt/scalix/??/tomcat/webapps/*
  rm -r /var/opt/scalix/??/tomcat/work/*

Re-index mailboxes

====== References ======

  * Integration of Exim
  * Mailbox Rules Administration Tool