I prefer Exim for spam filtering. We will configure Scalix to listen on port 587 and require SMTP Authentication. Incoming mail will flow to Exim on port 25 and be sent to port 26 (Scalix) for local delivery.
<toc><ul><li><link topicref=“2”>Create a fake "sendmail" package</link></li><li><link topicref=“3”>Continue with the installation</link></li><li><link topicref=“4”>"Too many open files"</link></li><li><link topicref=“5”>Add scheduled maintenance jobs</link></li><li><link topicref=“6”>Maintenance Commands</link></li><li><link topicref=“7”>Connect Scalix to OpenLDAP via PAM</link></li><li><link topicref=“8”>Configure Exim and Scalix to work together</link></li><li><link topicref=“9”>Reload modified properties files</link></li><li><link topicref=“10”>Backups of Scalix using Bacula</link></li><li><link topicref=“11”>Migration from an existing qmail-ldap server</link></li><li><link topicref=“12”>Mailbox rules</link><ul><li><link topicref=“13”>Add a filtering rule to file SPAM into a spam folder</link></li><li><link topicref=“14”>Redirect (forward without modifying the message) a copy of the message received</link></li><li><link topicref=“15”>Redirect (forward-only without modifying the message) the message received</link></li><li><link topicref=“16”>View Rules</link></li></ul></li><li><link topicref=“17”>Upgrades</link><ul><li><link topicref=“18”>Make a backup of your properties files first</link></li><li><link topicref=“19”>Re-deploy upgraded scalix-tomcat webapps</link></li><li><link topicref=“20”>Re-index mailboxes</link></li></ul></li><li><link topicref=“21”>References</link></li></ul></toc>
I created an empty package called sendmail-fake which meets the dependencies of scalix-server*.deb but does not conflict with exim4-config.
cd /root
mkdir -p sendmail-fake/DEBIAN
vi sendmail-fake/DEBIAN/control
<tt>/root/sendmail-fake/DEBIAN/control</tt>:
Package: sendmail-fake
Version: 1.0.0
Section: base
Priority: optional
Architecture: all
Depends: bash (>= 2.05a-11), awk, grep (>= 2.4.2-3)
Maintainer: Ian Samuel <[email protected]>
Provides: sendmail,sendmail-cf
Description: Fake sendmail package to make Scalix happy

dpkg-deb --build sendmail-fake /root/
dpkg -i sendmail-fake_1.0.0_all.deb
aptitude install sun-java5-jre postgresql-8.1 apache2 libssl0.9.7
aptitude install gawk libglib2.0-0 libstdc++2.10-glibc2.2 libxml2 libstdc++5 w3m libsasl2-modules
dpkg -i ./third_party/libical/i386/libical_0.24.RC4.20050413_i386.deb
mv /opt /usr
ln -s /usr/opt /opt
/usr/sbin/groupadd -g 99 scalix
/usr/sbin/useradd -u 99 -g scalix -m -k /dev/null -c "Scalix" -d /opt/scalix -s /bin/true scalix
dpkg -i ./software/scalix_server/scalix-server_11.1.0.10849_i386.deb
export PATH=$PATH:/opt/scalix/bin

sxconfig --set -t general.usrl_cn_rule='G S'
sxconfig --set -t general.usrl_authid_rule='f@'
sxconfig --set -t orniasys.name_part_1='"C" <f>' -t orniasys.domain_part_1='mycompany.com'
Continue with the manual install here:
<uri strref=“http://www.scalix.com/wiki/index.php?title=Scalix_CE_Raw/Installation#Creating_and_Configuring_the_Initial_Scalix_Server_Instance”/>
Although fixed for other Linux distributions, the same fix doesn't seem to have been applied to the 'debian' section of the start-up script:
elif [ "$DISTRIBUTION" = "debian" ] ; then start() { # Clear out any temporary files, especially lock files. test -n "$CATALINA_BASE" && rm -f $CATALINA_BASE/temp/* >/dev/null 2>&1 echo -n "Starting Tomcat service ($SCALIX_INSTANCE)" + if [ ! -z "$ULIMIT_NUM_FILES" ]; then + ulimit -SHn ${ULIMIT_NUM_FILES} + fi $startup RETVAL=$? }
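Review bot: The added `ulimit -SHn ${ULIMIT_NUM_FILES}` in the debian `start()` expands the variable unquoted and ignores the result, so a non-numeric value or a limit the shell is not allowed to raise leaves Tomcat starting with the old descriptor limit and no message. Quote the expansion and report a failure, for example `ulimit -SHn "$ULIMIT_NUM_FILES" || echo "could not raise open-file limit" >&2`, and write the guard as `[ -n "$ULIMIT_NUM_FILES" ]` in place of `! -z`.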
<tt>crontab -e -u root</tt>:
@daily /opt/scalix/bin/ommon
View the Scalix queue summary:
echo A$(($(date +%d) + 10))E | /opt/scalix/diag/omqdump -s
In my case, because I was migrating users from an existing <link idref=“9”></link> system, I need to use OpenLDAP again for authentication of users via PAM.
I followed highlights of this document, with the exception that I used a different configuration of the scalix PAM. <p> <uri strref=“http://www.scalix.com/wiki/index.php?title=HowTos/Using_OpenLDAP_for_password_management”/></p>
aptitude install libpam-ldap
<list><ul><li> <tt>~/sys/ual.remote</tt>: Allows Outlook and SWA users to authenticate against an external authentication server.</li><li> <tt>~/sys/omslapdeng</tt>: Allows SWA personal contacts to be searched. The Scalix Admin Console (SAC) also uses the file omslapdeng.</li><li> <tt>~/sys/smtpd.auth</tt>: Allows users coming in through SMTPD to authenticate against an external authentication server.</li><li> <tt>~/sys/pop3</tt>: Allows POP3 users to authenticate against an external authentication server.</li></ul></list> <strong><em>var/opt/scalix</em>??/s/sys/pam.d/pamcheck</strong> (and others):
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_om2authid
password required /lib/security/pam_ldap.so
You may also need to update your slapd.conf to allow for anonymous searches (Scalix needs them to convert from uid=XYZ to the full dn for authenticating).
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attr=userpassword
    by dn="cn=qmail, o=mrzesty" read
    by anonymous auth
access to * by * read
Exim is configured to only accept mail for an address found using LDAP to query the Scalix user directory.
Configure SpamAssassin: <link idref=“41”></link>
aptitude install sa-exim
gpasswd -a clamav Debian-exim
<tt>s/sys/smtpd.cfg</tt>:
# Enable relaying through port 587
SUBMIT=ON
#RELAY accept .mrzesty.net
LISTEN=0.0.0.0:26
<tt>/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt</tt>:
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
# quote_ldap escapes LDAP filter characters in the client-supplied address.
require message = relay not permitted
        condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part@$domain})(!(omMailnode=internet)))}{true}{false}}
<tt>/etc/exim4/conf.d/router/175_exim4-config_scalix</tt>:
scalix:
  debug_print = "R: scalix for $domain"
  driver = manualroute
  # quote_ldap escapes LDAP filter characters in the client-supplied address.
  condition = ${lookup ldap {ldap:///o=Scalix?mail?sub?(&(mail=${quote_ldap:$local_part@$domain})(!(omMailnode=internet)))}{true}{false}}
  same_domain_copy_routing = yes
  self = send
  route_list = * localhost::26
  transport = remote_smtp
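The ACL and router lookups place the recipient address from the SMTP client into an LDAP search filter, and Exim's `${quote_ldap:...}` operator exists to escape such values. The following shell sketch is an added example, not part of the original page; its function names are hypothetical and it reproduces only the filter-level escaping (not the URL encoding Exim also applies) to show how a local part containing filter syntax changes the query unless it is escaped:

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Escape the LDAP filter metacharacters \ * ( ) as backslash-hex (RFC 4515).
# The backslash is handled first so the later escapes are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# The page's filter shape with the address dropped in unchanged.
naive_filter() {
    printf '(&(mail=%s@%s)(!(omMailnode=internet)))' "$1" "$2"
}

# The same filter with both parts escaped before they are inserted.
recipient_filter() {
    naive_filter "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# Constructed local parts: an ordinary one, and two containing filter syntax.
for lp in 'ian' '*' 'i(a)n'; do
    printf 'naive:   %s\n' "$(naive_filter "$lp" mrzesty.net)"
    printf 'escaped: %s\n' "$(recipient_filter "$lp" mrzesty.net)"
done
```

In the naive form a local part of `*` becomes a wildcard match on every mailbox in the domain, so the ACL would accept a recipient that does not exist; the escaped form searches for a literal asterisk.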
Install a certificate and key for TLS
openssl genrsa -rand /etc/passwd:/var/log/messages -out /etc/exim4/exim.key
openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr
openssl x509 -req -days 3650 -in /etc/exim4/exim.csr -signkey /etc/exim4/exim.key -out /etc/exim4/exim.crt
Disable logging from the omslapd process
/s/sys/slapd.conf
# client requests will be queued until some threads have finished. # NOTE: higher limit may require more engines to be configured (see below). threadlimit 64 +loglevel 0 # # --OMSLAPDDATABASEDEFS-- #
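Review bot: The added `loglevel 0` line has no comment saying why omslapd logging is switched off or which level it replaces, and it sits directly above the `--OMSLAPDDATABASEDEFS--` marker where it is easy to overlook. Add a comment line above it; with logging disabled there is no record of directory queries to consult when a lookup or bind fails, so consider keeping a minimal non-zero level instead.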
Reload the scalix-tomcat *.properties files without restarting all of Tomcat (a full restart can be disruptive to users).
find /var/opt/scalix/?? -name web.xml | xargs touch
The easy way to back up Scalix is a binary backup, suspending Scalix before Bacula runs and resuming it afterwards:
<strong>bacula-dir.conf</strong>:
Job {
  ...
  ClientRunBeforeJob = "/etc/bacula/scripts/pre-bacula.sh"
  ClientRunAfterJob = "/opt/scalix/bin/omsuspend -r"
}
<strong>/etc/bacula/scripts/pre-bacula.sh</strong> on the client:
echo "/opt/scalix/bin/omsuspend -s 299" | at now
Note: due to limitations of the omsuspend utility, this only allows 5 minutes for the backup to complete before Scalix resumes. This is probably not enough time for a system in production. Consider using the omsuspend window to grab an LVM snapshot and backing that up instead or, if your backup window allows, stop Scalix completely (omshut) and start it after the backup is finished (omrc).
<strong>ldap2csv.php</strong>:
#!/usr/bin/php
<?php
// Dump uid, sn and userpassword for every mrzesty.net mailbox as CSV lines.
$lc = ldap_connect("ldap1.local") or die("Cannot connect");
ldap_bind($lc, "cn=manager,o=mrzesty", "ldappass") or die("Cannot bind");
$attribs = array("uid", "sn", "userpassword");
$sr = ldap_search($lc, "o=mrzesty", "(mail=*@mrzesty.net)", $attribs);
$results = ldap_get_entries($lc, $sr);
ldap_unbind($lc);
array_shift($results);  // drop the leading "count" element
foreach ($results as $result) {
    // Array keys are quoted; bare words are undefined constants in PHP.
    printf('%s,%s,%s', $result["uid"][0], $result["sn"][0], $result["userpassword"][0]);
    print "\n";
}
?>
From your CSV file containing <tt>emailaddress,cn,userpassword</tt>
awk -F[,@] '{system("/opt/scalix/bin/omaddu -n \""$3"/mrzesty/INTERNET-ADDR=\\\""$3"\\\" <"$1"@"$2">=\\\""$3"\\\" <"$1"@sx1."$2">\" --class limited -p temppass "$1"@"$2)}' mrzesty.csv
<strong>ldapforwards.php</strong>:
#!/usr/bin/php
<?php
// Point each old LDAP account at its sx1.<domain> address and reset its password.
$lc = ldap_connect("ldap1.local") or die("Cannot connect");
ldap_bind($lc, "cn=manager,o=mrzesty", "ldappass") or die("Cannot bind");
$attribs = array("uid", "sn", "userpassword", "mail");
$sr = ldap_search($lc, "o=mrzesty", "(mail=*@mrzesty.net)", $attribs);
$results = ldap_get_entries($lc, $sr);
array_shift($results);  // drop the leading "count" element
foreach ($results as $result) {
    $dn = $result["dn"];
    // str_replace stands in for ereg_replace, which was removed in PHP 7.
    $forward = str_replace("@", "@sx1.", $result["mail"][0]);
    // crypt() without a salt argument only works on PHP versions before 8.
    $password = '{crypt}' . crypt("temppassold");
    $info = array();
    $info["deliveryMode"] = "nolocal";
    $info["mailForwardingAddress"] = $forward;
    $info["userPassword"] = $password;
    print($dn);
    print_r($info);
    ldap_modify($lc, $dn, $info);
    print "\n";
}
ldap_unbind($lc);
?>
The tool <tt>imapsync</tt> is very customizable for migrating between namespaces of different types:
<uri strref=“http://www.linux-france.org/prj/imapsync/FAQ”/> <p>Copy mail from courier-imap to Scalix:</p>
imapsync --host1 old.server.com --user1 [email protected] --password1 temppassold --expunge1 --host2 localhost --user2 [email protected] --password2 temppass --exclude '^INBOX\.INBOX$'
Copy mail from courier-imap to a Scalix subfolder:
imapsync --host1 old.server.com --user1 [email protected] --password1 temppassold --expunge1 --host2 localhost --user2 [email protected] --password2 temppass --exclude '^INBOX\.INBOX$' --prefix2 OldMailbox/ --regextrans2 's/^INBOX/OldMailbox/'
awk -F, '{system("imapsync --host1 old.server.com --user1 " $1 " --password1 temppassold --host2 localhost --user2 " $2 " --password2 temppass --exclude \"^INBOX\\.INBOX$\"")}' domain.csv
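The batch command above hands CSV fields to `system()`, where a shell parses them, and puts both passwords on the command line. An added example (not from the original page) of the same loop in plain shell, with each field validated and passed as a single argument; the function names and password-file paths are assumptions, and `--passfile1`/`--passfile2` are imapsync's options for reading a password from a file:

```sh
#!/bin/sh
# Added example, not from the original page. Reads "olduser,newuser" pairs and
# runs one imapsync per line; no CSV field is ever parsed by a shell.

IMAPSYNC=${IMAPSYNC:-imapsync}                  # overridable for dry runs
PASSFILE1=${PASSFILE1:-/root/.imapsync.pass1}   # hypothetical paths, mode 0600
PASSFILE2=${PASSFILE2:-/root/.imapsync.pass2}

# Accept only plain mailbox names: letters, digits and . _ + - around one @.
valid_account() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._+@-]*|*@*@*|@*|*@) return 1 ;;
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# migrate_csv FILE: returns the number of rejected lines (0 = all accepted).
migrate_csv() {
    rejected=0
    while IFS=, read -r old new _ || [ -n "$old" ]; do
        [ -z "$old$new" ] && continue           # skip blank lines
        if ! valid_account "$old" || ! valid_account "$new"; then
            echo "skipping malformed line: $old,$new" >&2
            rejected=$((rejected + 1))
            continue
        fi
        # stdin is redirected so imapsync cannot consume the rest of the CSV.
        "$IMAPSYNC" --host1 old.server.com --user1 "$old" --passfile1 "$PASSFILE1" \
                    --host2 localhost --user2 "$new" --passfile2 "$PASSFILE2" \
                    --exclude '^INBOX\.INBOX$' </dev/null
    done < "$1"
    return "$rejected"
}

if [ "$#" -gt 0 ]; then
    migrate_csv "$1"
fi
```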
echo "dn: ou=mrzesty.net,ou=People,dc=mrzesty,dc=net
ou: mrzesty.net
objectClass: organizationalUnit
objectClass: top
" > mrzesty.ldif
awk -F, '{print "dn: uid="$1",ou=mrzesty.net,ou=People,dc=mrzesty,dc=net\nuid: "$1"\nuserPassword: "$3"\nobjectClass: top\nobjectClass: account\nobjectClass: simpleSecurityObject\n"}' mrzesty.csv >> mrzesty.ldif
ldapadd -xv -D "cn=admin,dc=mrzesty,dc=net" -w ldappass -f mrzesty.ldif
<h2>Add a filtering rule to file SPAM into a spam folder</h2>
/opt/scalix/bin/sxaa --user [email protected] --file spam --header "X-Spam-Level: ***"
<h2>Redirect (forward without modifying the message) a copy of the message received</h2>
/opt/scalix/bin/sxaa --user username --redirect [email protected] --retain
<h2>Redirect (forward-only without modifying the message) the message received</h2>
/opt/scalix/bin/sxaa --user username --redirect [email protected]
<h2>View Rules</h2>
/opt/scalix/bin/sxaa --user username
<h2>Make a backup of your properties files first</h2> Installing upgrades will overwrite your customized *.properties files
ci -l /var/opt/scalix/??/webmail/swa.properties
ci -l /var/opt/scalix/??/caa/scalix.res/config/ubermanager.properties
ci -l /var/opt/scalix/??/caa/scalix.res/config/psdata
ci -l /var/opt/scalix/??/res/config/res.properties
ci -l /var/opt/scalix/??/platform/platform.properties
ci -l /var/opt/scalix/??/mobile/mobile.properties
ci -l /var/opt/scalix/??/sis/sis.properties
<h2>Re-deploy upgraded scalix-tomcat webapps</h2>
rm -r /var/opt/scalix/??/tomcat/webapps/*
rm -r /var/opt/scalix/??/tomcat/work/*
<h2>Re-index mailboxes</h2> <uri strref=“http://www.scalix.com/wiki/index.php?title=HowTos/RebuildIndex”/>
Integration of Exim <uri strref=“http://www.scalix.com/forums/viewtopic.php?t=4770”/>
Mailbox Rules Administration Tool <uri strref=“http://www.scalix.com/ceraw/download/pub/admin_resource_kit/sxaa.readme”/>