Gentoo Forums
How to set up an email server with postfix/cyrus
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Wed Apr 27, 2011 1:40 am

Reckon my example might help.
This is /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Code:

<IfDefine SSL>
  <IfDefine SSL_DEFAULT_VHOST>
    <IfModule ssl_module>

      Listen 443
      NameVirtualHost *:443

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key

        ServerName whitehathouston.com
        ServerAlias www.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2

        DocumentRoot /www/whitehathouston.com/htdocs
        <Directory /www/whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>

      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/apache2/bauer.crt
        SSLCertificateKeyFile /etc/ssl/apache2/bauer.key

        ServerName mail.whitehathouston.com
        SSLOptions StrictRequire
        SSLProtocol all -SSLv2

        DocumentRoot /www/mail.whitehathouston.com/htdocs
        <Directory /www/mail.whitehathouston.com/htdocs/>
          SSLRequireSSL
          Order Deny,Allow
          Allow from All
        </Directory>
      </VirtualHost>
   </IfModule>
 </IfDefine>
</IfDefine>


This is the only file in which I have anything SSL-related defined.
It may well be possible one/some of your other SSL-related .conf files, if you have any, are conflicting.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 1:55 am

Thanks, that helped a lot. :)

The only thing now is that my second SSL virtual host is getting a "you don't have permission to access / on this server" message.

EDIT: Which I solved with a chmod -R +x (second virtual host dir).

EDIT++: And now I see:

Code:

Fatal error: Unknown: Failed opening required '/var/www/db/htdocs/setup/index.php' (include_path='.:/usr/share/php5:/usr/share/php') in Unknown on line 0


The path to index.php is correct. 8O

EDIT: Solved with a chown to apache.
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Wed Apr 27, 2011 2:09 am

honestly, I'd cd to one level below your htdocs directory and do:

Code:

chown -R apache:apache htdocs/


First thing I do immediately after untarring a webapp and getting files where they need to be.

if you still find yourself getting issues you think are related to permissions, cd to the htdocs directory and:

Code:

find . -type d -print0 |xargs -0 chmod 755
find . -type f -print0 |xargs -0 chmod 644
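The permission fix above turned into a check, as an added example that is not code from the thread: audit_webroot lists every directory that is not 0755 and every regular file that is not 0644 (which is what a "chmod -R +x" leaves behind, since +x sets the execute bit on regular files as well as directories), and fix_webroot applies the chown/find commands cach0rr0 gave. The function names, the optional owner argument and the throwaway tree the demo builds in a temp directory are my own assumptions.

```shell
# Added example, not from the thread. Audits a web root for the layout
# cach0rr0 recommends: directories 0755, regular files 0644, and optionally
# everything owned by the web-server user. The audit itself changes nothing.

# audit_webroot DIR [OWNER]
# Prints "<reason> <path>" per deviation, sorted, and returns 1 if any were
# found, 0 if the tree is clean. OWNER must be an existing user, e.g. apache.
audit_webroot() {
    dir=$1
    owner=${2:-}
    out=$(
        # directories that are not exactly rwxr-xr-x
        find "$dir" -type d ! -perm 0755 | sed 's/^/dir-mode /'
        # regular files that are not exactly rw-r--r--; this catches the
        # execute bit that "chmod -R +x" puts on every file and any
        # world-writable file such as a cache the app created as 0666
        find "$dir" -type f ! -perm 0644 | sed 's/^/file-mode /'
        # anything not owned by the web-server user, if one was given
        if [ -n "$owner" ]; then
            find "$dir" ! -user "$owner" | sed 's/^/owner /'
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sort
    return 1
}

# fix_webroot DIR [OWNER]
# The corrective commands from the thread in one step: chown to the
# web-server user if given, then 0755 on directories and 0644 on files.
fix_webroot() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$dir"
    fi
    find "$dir" -type d -exec chmod 0755 {} +
    find "$dir" -type f -exec chmod 0644 {} +
}

# demo_webroot_audit
# Builds a constructed tree in a temp dir with the mistakes seen in the
# thread: files made executable with "chmod -R +x", a directory the server
# cannot traverse, and a world-writable file. Audits, fixes, audits again
# and prints "before=<n> after=<m>".
demo_webroot_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/setup" "$root/htdocs/data"
    printf '<?php\n' > "$root/htdocs/index.php"
    printf '<?php\n' > "$root/htdocs/setup/index.php"
    printf 'x\n' > "$root/htdocs/data/cache.txt"
    # start from a clean layout regardless of the caller's umask
    fix_webroot "$root/htdocs"
    # now introduce the mistakes
    chmod -R +x "$root/htdocs/setup"          # setup/index.php becomes executable
    chmod 0700 "$root/htdocs/data"            # only the owner can traverse it
    chmod 0666 "$root/htdocs/data/cache.txt"  # world-writable
    before=$(audit_webroot "$root/htdocs" | wc -l | tr -d ' ')
    fix_webroot "$root/htdocs"
    after=$(audit_webroot "$root/htdocs" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "before=$before after=$after"
}
```

Run audit_webroot /www/example/htdocs apache before and after fix_webroot on a real tree; a non-zero exit means something still deviates.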
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 2:18 am

Thanks for the tip.

I've got my site up, mail, webmail, db web app behind SSL (I know you don't recommend it. Actually, I would like to have MySQL Workbench access it but not sure how to configure MySQL to allow it) and mod_auth_imap2 (hey, it's good for more than just mail!), and I'll soon do the same for my private little chat server.

This is a real nice setup. I take my hat off to you, sir. :D
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Wed Apr 27, 2011 4:17 am

audiodef wrote:
Thanks for the tip.

I've got my site up, mail, webmail, db web app behind SSL (I know you don't recommend it. Actually, I would like to have MySQL Workbench access it but not sure how to configure MySQL to allow it) and mod_auth_imap2 (hey, it's good for more than just mail!), and I'll soon do the same for my private little chat server.

This is a real nice setup. I take my hat off to you, sir. :D


if your db webapp is password-protected, I wouldn't worry about it. For some people having to give login info to Apache is too annoying, so they do without it, and it's this I have a bigger problem with. If someone has to first get past a username/pass prompt before they can attack your webapp, that's fine.

As far as giving mysql access to anything, done with a 'grant' statement followed by a 'flush privileges', e.g. "grant all privileges on *.* to 'username'@'whateverhostorIP' identified by 'whateverpass'; flush privileges;"

not sure about a chat server. I ran an ircd (inspircd + anope if I recall correctly) here a while back, but nobody used it so I killed the box. It's a bit tenuous to set up *correctly*. Don't have any particularly recent knowledge there.
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 1:39 pm

cach0rr0 wrote:

not sure about a chat server. I ran an ircd (inspircd + anope if i recall correctly) here a while back, but nobody used it so I killed the box. It's a bit tenuous to set up *correctly*. Don't have any particularly recent knowledge there.


I'm actually all set there. I've been using a nice little program called Moha Chat. What I like is that it uses TLS - hard-coded. So it may not be necessary to put it behind SSL, but I'm going to do that anyway, plus slap a new coat of mod_auth_imap2 on it because it's just for me and my gf to use while she's at work, since I can't use a phone if I need to get a hold of her. With mod_auth_imap2, no one else will be able to wander by and sign up for shits and giggles.
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 1:54 pm

I thought I needed cname entries to set up subdomains with my setup, but apparently not!
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 3:42 pm

I noticed that in squirrelmail, the configure script is accessible in a browser (e.g. https://mail.domain.com/configure). It doesn't actually do anything, but assuming a cracker gets past mod_auth_imap2 on SSL, I would think he could do some damage with that.

Or not? What do you think?
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Wed Apr 27, 2011 6:31 pm

audiodef wrote:
I thought I needed cname entries to set up subdomains with my setup, but apparently not!


well, there are two ways you can do it from a DNS perspective

-add a new A record for sub.domain.com, which will point to an IP
-add a CNAME for sub.domain.com that points to a hostname, domain.com

I normally choose the latter, but, that was a habit I picked up mainly from the days I had a dynamic IP - when my IP changed, I didn't have to make but one single DNS change (even though my "dynamic DNS updater client" supposedly would have done it automagically, I'd rather not rely on that to be running 24/7)

It is, technically, fractionally quicker for non-cached lookups to do it the first way, as the DNS client only has to do a single lookup as opposed to looking up a hostname, getting a hostname as a reply, then having to look up the reply hostname's IP.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Wed Apr 27, 2011 6:38 pm

audiodef wrote:
It doesn't actually do anything, but assuming a cracker gets past mod_auth_imap2 on SSL, I would think he could do some damage with that.

Or not? What do you think?


since apache doesn't know what to do with that script, it can't be executed from the web.

now, if someone can upload their own arbitrary file, they could upload a file that executes that configure script - but then again, if they can upload an arbitrary file, they can do far more damage than that.

So just as I wouldn't worry about it, there's no harm in removing it either.
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Wed Apr 27, 2011 9:27 pm

cach0rr0 wrote:


So just as I wouldnt worry about it, there's no harm in removing it either.


Cool, thanks.

I'm not going to worry about CNAME's either, except for subdomains that are publicly accessible. At the moment, I have none.

Hey, is "cover off" Texas slang? Just curious.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Thu Apr 28, 2011 1:42 am

audiodef wrote:

Hey, is "cover off" Texas slang? Just curious.


I have no idea. At this stage my accent, colloquialisms, slang, everything, is completely shot to hell. Some weird mix of things that've rubbed off on me between living abroad for a few years for work and having predominantly foreign colleagues even while I was in the US.

Even now that I've been back for ~2 years, just as things were starting to normalize, I ended up in a job where I spend the first half of my day speaking best I can in Spanish, or speaking intentionally choppy English that I know plugs well into a translator - by the time I start talking to regular old English speakers again in the late afternoon I have to gradually work my way up from "caveman English" to normal English :lol:

Not that it's a significant hurdle, but you'll notice it - before about 2PM, unless I pay special attention you get caveman English, couple hours later it goes back to normal.

NB: talking someone else through that guide at the moment. He exported it to PDF, the damn thing is 34 pages!

Might as well have just written a damn book
CurtE
Guru
Joined: 17 Apr 2004
Posts: 364
Location: Minneapolis, MN
Posted: Thu Apr 28, 2011 4:54 am

We can always change the font and make it 17 pages. LOL
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Thu Apr 28, 2011 6:49 am

CurtE wrote:
We can always change the font and make it 17 pages. LOL


well, to make matters worse, the whole thing was written just with vi
no fancy GUI text editor, no html editor. Just plain old vi
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Thu Apr 28, 2011 2:11 pm

cach0rr0 wrote:

Even now that I've been back for ~2 years, just as things were starting to normalize, I ended up in a job where I spend the first half of my day speaking best I can in Spanish, or speaking intentionally choppy English that I know plugs well into a translator - by the time I start talking to regular old English speakers again in the late afternoon I have to gradually work my way up from "caveman English" to normal English :lol:



:lol:

I tend to allow linguistic influence into my speech patterns, too, having had friends from all over. You'll notice it in my spelling (colour, favour, etc.) and sometimes in my choice of words (diggy instead of trunk).

Good day for it, mate. Cheers.
costel78
Guru
Joined: 20 Apr 2007
Posts: 337
Posted: Thu Apr 28, 2011 4:26 pm

I am not very confident about storing users' email passwords as plain text in the database. From the postfix SASL Howto:
Quote:
Cyrus SASL plugin infrastructure - auxprop .... send credentials encrypted but their verification process requires the password to be available in plaintext. Consequently passwords cannot (!) be stored in encrypted form.

So, passwords are not sent unencrypted over the network, right?
I see several scenarios:
1. The user types the password in the mail client app, the client encrypts it and sends it to the server. The server reads the password from the database via SASL, encrypts it too and then compares the passwords in encrypted form.
2. The user types the password in the mail client app, the password is sent unencrypted over the network, but with TLS enforced, it won't travel over the net in pure plain text.
3. The password is sent over the network in plain text - WORST case scenario.
Of course, there are situations when the password is sent over the network in plain text, a web app for example, where you can enforce the HTTPS protocol.

Bottom line, except for the database being exposed and passwords stolen, are there any other security flaws?

The second question:
For a little more structured setup, what about a second table for the domain list?

Code:
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains.conf
and
Code:
user = maildb
password = vwwP0q2I5UmM6
hosts = localhost
dbname = maildb
query = SELECT domain FROM domains WHERE domain='%s'
structure
Code:
CREATE TABLE domains (domain VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_bin PRIMARY KEY);

_________________
Sorry for my English. I'm still learning this language.
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Thu Apr 28, 2011 6:27 pm

costel78 wrote:
I am not very confident about storing users' email passwords as plain text in the database. Consequently passwords cannot (!) be stored in encrypted form.
<snip>
So, passwords are not sent unencrypted over the network, right?
<snip>
Bottom line, except for the database being exposed and passwords stolen, are there any other security flaws?


Consider the attack vectors.
-allowing unencrypted IMAP/POP connections, while strongly NOT recommended, risks compromise of ONLY that one single user's password.
-what access does someone need in order to even be able to read the database? They need to know either the root pass, or the password for the user you've set up for DB access.
-someone should NOT be allowing external connections to their mysql daemon. If at all possible, it should listen exclusively on localhost (skip networking). If it has to listen on the interface/real IP, iptables should be configured such that only specific hosts have access to connect.

The real risk in storing passwords plaintext in the database is this: if your system becomes otherwise compromised, and someone gains control of your box, they can now go in and retrieve your users' passwords. If your system doesn't become compromised, though, you're just not really anywhere you need to worry about it. And even then, if it's unsalted MD5 (which it'd need to be given the limitations of postfix/cyrus-imap), chances are on a compromised system you'd be able to recover passwords from the hash.

costel78 wrote:

The second question:
For a little more structured setup, what about a second table for domain list ?

Code:
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_domains.conf
and
Code:
user = maildb
password = vwwP0q2I5UmM6
hosts = localhost
dbname = maildb
query = SELECT domain FROM domains WHERE domain='%s'
structure
Code:
CREATE TABLE domains (domain VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_bin PRIMARY KEY);


You absolutely can do this. I specifically wanted to avoid doing this, though, in the interest of both simplicity, and minimizing lookups to mysql (though, isn't the "proxy:" nomenclature deprecated, or is it still around?)

For running a personal mail system, this is an unnecessary layer of complexity.

Since I'm still inclined to avoid database lookups, even if needs grow, I'd probably do something like regexp:/etc/postfix/domain_regex
For my own system, I don't use a database of any sort.

If I needed some external tool (e.g. some webapp) to be able to add/delete/update domains, I might opt for mysql for storage.
Then again, if we're talking about an enterprise environment, I'd be more inclined to tie all of this into LDAP

At any rate, you could easily move this, and many other portions of configuration, into a database. Part of the goal of the documentation was to show simplistic, functional examples, and along the way show the user not only how to do this exact setup, but how to deviate from this type of setup if they need to do so. One other thing to keep in mind here, this database is one that can be used by both Postfix AND Cyrus-IMAP. Instead of going a more complex route, here we have one database, with only one table, that serves only one purpose. I want people with no real prior knowledge of databases to be able to understand how to do this, and how everything ties together, just as easily as a seasoned DBA. Therefore, I want the user's interaction with the database to be as infrequent as possible, and when they DO need to do so, they only have to run one type of query.

Not sure if that makes sense. Still not quite awake.
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6319
Location: /usr/lib64/lv2
Posted: Thu Apr 28, 2011 7:20 pm

Hey, it makes sense to me. You even avoided Caveman English! :D
costel78
Guru
Joined: 20 Apr 2007
Posts: 337
Posted: Thu Apr 28, 2011 8:07 pm

It makes perfect sense. Thank you very much for your help!
I don't enable/use POP3, so allowing only encrypted IMAP connections, and secure HTTP for webmail, should be enough.
And yes, the mysql daemon listens only on localhost.
Code:
skip-networking
bind-address = 127.0.0.1


Regarding the database, you are perfectly right. MySQL is more than sufficient. But I plan to migrate from an existing configuration to yours (great tutorial by the way). The facts are:
1. I am not a sysadmin, I am a hobbyist. I just help two friends keep their servers alive, in good condition. It's not the best approach, but there are not plenty of funds, so it's about friendship until they start to make more money :)
2. They plan to use a single server for both of them (5 domains in total).
3. They need a free SyncML implementation - I chose egroupware with funambol clients for smartphones; it's working but I'm still testing to avoid surprises.
4. The persons in charge of mail accounts are used to postfixadmin, so I need to provide them a similar interface. Of course, I could store data in plain text files, but there are a few reports to generate monthly, so I stick to mysql, to reuse the code. As you can guess, LDAP is out of the question, since the number of accounts is under 40.

I am still testing, thinking of scenarios and trying to improve the whole setup. I plan to leave the setup in beta state for one month and, if there are no problems, give it the green light for daily production use.

Thank you very much for your support.
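cach0rr0's rule above (mysqld listening only on localhost, never on a reachable interface) and the skip-networking / bind-address lines costel78 posted, as an added check that is not from the thread: mysqld_exposure reads the [mysqld] section of a my.cnf and reports whether the daemon would be reachable only locally or over the network. A section with neither setting is reported as exposed because MySQL's built-in default is to accept TCP connections on every interface (a distribution's my.cnf may set bind-address for you). The function names and the three constructed config fragments in the demo are my own.

```shell
# Added example, not from the thread. Classifies how a mysqld would be
# reachable from the [mysqld] section of an option file.

# mysqld_exposure CONF
# Prints one verdict line and returns 0 for local-only, 1 for exposed:
#   local-only skip-networking                no TCP listener at all
#   local-only bind-address=127.0.0.1         TCP on loopback only
#   exposed bind-address=<addr>               listens on a routable address
#   exposed no bind-address (server default: all interfaces)
mysqld_exposure() {
    conf=$1
    # keep only the [mysqld] section; drop comments, blank lines and
    # surrounding whitespace so each remaining line is "key" or "key = value"
    section=$(awk '
        /^[ \t]*\[/ {
            in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/)
            next
        }
        in_mysqld {
            sub(/[#;].*/, "")
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") print
        }' "$conf")
    # skip-networking (also spelled skip_networking, optionally =1/ON/TRUE)
    # wins: with it set no TCP socket is opened, so bind-address is moot
    if printf '%s\n' "$section" |
        grep -Eiq '^skip[-_]networking([[:space:]]*=[[:space:]]*(1|on|true))?$'; then
        echo "local-only skip-networking"
        return 0
    fi
    # if the option is repeated, the last occurrence is the one mysqld uses
    addr=$(printf '%s\n' "$section" |
        sed -n 's/^bind[-_]address[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    case "$addr" in
        "")
            echo "exposed no bind-address (server default: all interfaces)"
            return 1 ;;
        127.0.0.1|localhost|::1)
            echo "local-only bind-address=$addr"
            return 0 ;;
        *)
            echo "exposed bind-address=$addr"
            return 1 ;;
    esac
}

# demo_mysqld_exposure
# Runs the check on three constructed fragments: a default-style section with
# bind-address left commented out, one bound to every interface, and the
# skip-networking + bind-address pair from the thread. Prints the three
# verdicts joined by " | ".
demo_mysqld_exposure() {
    tmp=$(mktemp -d)
    cat > "$tmp/default.cnf" <<'EOF'
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
# bind-address = 127.0.0.1
EOF
    cat > "$tmp/public.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0   # reachable from the whole network
EOF
    cat > "$tmp/local.cnf" <<'EOF'
[mysqld]
skip-networking
bind-address = 127.0.0.1
EOF
    v1=$(mysqld_exposure "$tmp/default.cnf" || true)
    v2=$(mysqld_exposure "$tmp/public.cnf" || true)
    v3=$(mysqld_exposure "$tmp/local.cnf")
    rm -rf "$tmp"
    printf '%s | %s | %s\n' "$v1" "$v2" "$v3"
}
```

On a live box, mysqld_exposure /etc/mysql/my.cnf only reads the file; confirm the running listener with netstat or ss, since options can also come from included files or the command line.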
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas
Posted: Thu Apr 28, 2011 11:01 pm

costel78 wrote:

4. The persons in charge of mail accounts are used to postfixadmin, so I need to provide them a similar interface.


This is the only one I don't know about. I haven't looked at postfixadmin in ages.

The little example PHP script I provided on this doc was made mainly just as an example, but if you need to have multiple administrators that have access to edit settings *only* for their own domains, it will not work. I would have to do much more coding in PHP than I'm really comfortable with in order to make a workable solution :) (maybe one day, but my job keeps me too busy to spend much time on a big project)

Postfixadmin might work, but I don't know how well it will play with this database schema. I avoided it actually, for this reason: as helpful as it is to have tools like postfixadmin, what very often happens, there ends up being a layer of obfuscation between what you're doing in the interface, and *exactly* what happens in Postfix configuration. So people reading would basically have to "hope and pray" it works, because if it doesn't, they will not know how to troubleshoot. I want people reading the guide to understand not just "how do i make it work?", but "what effect does the change I just made have on my system?", because they may want to change their installation slightly, and with a "magic" tool that makes it "just work", they don't learn that. And if something isn't working quite right? They know where to look. (Plus, I don't want Apache to be a requirement in order to have a functional, easily-maintained mail system - but that's another matter)

If you get stuck on this project, give a shout - I will help as much as my time/knowledge permits.

Postfix especially, is a very powerful MTA. With any luck one day I'll have the time to write a different HOWTO that's targeted more towards multi-company or multi-administrator environments. It's a shame it's not already well enough documented for people to be able to roll out "free filtering" on a large scale, because the product itself is perfectly capable (and it even has an easy interface for commercial vendors to plug their filtering system into Postfix). Like I said, one day when I am rich, I will write it myself :lol:
costel78
Guru
Joined: 20 Apr 2007
Posts: 337
Posted: Fri Apr 29, 2011 9:04 am

I won't use postfixadmin anymore. Its main disadvantage is that it autocreates mailboxes - this feature is no longer required.
Its development is somewhat slow, and, above all, I need to implement some basic reports in the admin web interface.
I'll post the app here when it is ready. I'm still waiting for full specifications to finish the server configuration.

It seems that the forum doesn't like very long posts, so I removed the autocreate and autosieve patches.

There is a new possible problem that concerns me.
The latest version of cyrus-imapd is 2.4.8 - http://www.cyrusimap.org/ and the latest official autocreate patch is for 2.3.16, launched at the end of 2009 - http://email.uoa.gr/projects/cyrus/autocreate/
My first thought was that autocreate was integrated in the main project, but it's not yet. Anyway, cyrus bugzilla mentions it and postponed it for the 2.5 branch - http://bugzilla.cyrusimap.org/bugzilla3/show_bug.cgi?id=355
If the autocreate feature won't be supported in the future, I will have a problem :D

So, what I did:
I started a new ebuild for the 2.4.8 version.
Found ported patches for the 2.4.4 version here: http://blog.vx.sk/archives/13-Autocreate-and-autosieve-patches-for-Cyrus-IMAP-Server-24.html By replacing 2.4.4 with 2.4.8 the patches apply cleanly on 2.4.8.
I also included the autosieve patch, just in case it will be required to sort mails into multiple folders.
The main ebuild modifications: the xversion problem present in 2.3.x was solved, also the parallel build problem (at least I didn't encounter it), listext is not supported anymore by configure and the db-5.0 patch didn't apply cleanly, but it's still required.
Well, the ebuild compiles fine and it's working, but I'm not sure I covered all aspects. Perhaps someone with more experience than me will take a look at it and make the required corrections.
The first obvious mistake is the SRC_URI for the patches, as they are not available anywhere for the 2.4.8 version. As applying a patch to a patch doesn't sound right, maybe they should be included in the files dir?

cyrus-imapd-2.4.8.ebuild
Code:
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-mail/cyrus-imapd/cyrus-imapd-2.3.16.ebuild,v 1.3 2011/03/19 17:00:38 eras Exp $

EAPI=1

inherit autotools db-use eutils flag-o-matic ssl-cert fixheadtails pam multilib

MY_P=${P/_/}

DESCRIPTION="The Cyrus IMAP Server."
HOMEPAGE="http://asg.web.cmu.edu/cyrus/imapd/"
AUTOCREATE_VER="0.10-0"
AUTOCREATE_PATCH="${P}-autocreate-${AUTOCREATE_VER}.diff"
AUTOSIEVE_VER="0.6.0"
AUTOSIEVE_PATCH="${P}-autosieve-${AUTOSIEVE_VER}.diff"
SRC_URI="ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/${MY_P}.tar.gz
      autocreate? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOCREATE_PATCH} )
      autosieve? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOSIEVE_PATCH} )"
LIBWRAP_PATCH_VER="2.2"

LICENSE="as-is"
SLOT="0"
KEYWORDS="~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
IUSE="autocreate autosieve idled kerberos nntp pam replication +sieve snmp ssl tcpd"

RDEPEND=">=sys-libs/db-3.2
   >=dev-libs/cyrus-sasl-2.1.13
   pam? (
         virtual/pam
         >=net-mail/mailbase-1
      )
   kerberos? ( virtual/krb5 )
   snmp? ( >=net-analyzer/net-snmp-5.2.2-r1 )
   ssl? ( >=dev-libs/openssl-0.9.6 )
   tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
   nntp? ( !net-nntp/leafnode )"

DEPEND="$RDEPEND
   sys-devel/libtool
   >=sys-devel/autoconf-2.58
   sys-devel/automake"

# get rid of old style virtual - bug 350792
# all blockers really needed?
RDEPEND="${RDEPEND}
   !net-mail/dovecot
   !mail-mta/courier
   !net-mail/bincimap
   !net-mail/courier-imap
   !net-mail/uw-imap"

new_net-snmp_check() {
   # tcpd USE flag check. Bug #68254.
   if use tcpd ; then
      if has_version net-analyzer/net-snmp && ! built_with_use net-analyzer/net-snmp tcpd ; then
         eerror "You are emerging this package with USE=\"tcpd\""
         eerror "but \"net-analyzer/net-snmp\" has been emerged with USE=\"-tcpd\""
         fail_msg
      fi
   else
      if has_version net-analyzer/net-snmp && built_with_use net-analyzer/net-snmp tcpd ; then
         eerror "You are emerging this package with USE=\"-tcpd\""
         eerror "but \"net-analyzer/net-snmp\" has been emerged with USE=\"tcpd\""
         fail_msg
      fi
   fi
   # DynaLoader check. Bug #67411

   if [ -x "$(type -p net-snmp-config)" ]; then
      einfo "$(type -p net-snmp-config) is found and executable."
      NSC_AGENTLIBS="$(net-snmp-config --agent-libs)"
      einfo "NSC_AGENTLIBS=\""${NSC_AGENTLIBS}"\""
      if [ -z "$NSC_AGENTLIBS" ]; then
         eerror "NSC_AGENTLIBS is null"
         einfo "please report this to bugs.gentoo.org"
      fi
      for i in ${NSC_AGENTLIBS}; do
         # check for the DynaLoader path.
         if [ "$(expr "$i" : '.*\(DynaLoader\)')" == "DynaLoader" ] ; then
            DYNALOADER_PATH="$i"
            einfo "DYNALOADER_PATH=\""${DYNALOADER_PATH}"\""
            if [[ ! -f "${DYNALOADER_PATH}" ]]; then
               eerror "\""${DYNALOADER_PATH}"\" is not found."
               einfo "Have you upgraded \"perl\" after"
               einfo "you emerged \"net-snmp\". Please re-emerge"
               einfo "\"net-snmp\" then try again. Bug #67411."
               die "\""${DYNALOADER_PATH}"\" is not found."
            fi
         fi
      done
   else
      eerror "\"net-snmp-config\" not found or not executable!"
      die "You have \"net-snmp\" installed but \"net-snmp-config\" is not found or not executable. Please re-emerge \"net-snmp\" and try again!"
   fi
}

fail_msg() {
   eerror "enabling the \"snmp\" USE flag for this package requires"
   eerror "that net-analyzer/net-snmp and this package both build with"
   eerror "\"tcpd\" or \"-tcpd\". Bug #68254"
   die "sanity check failed."
}

pkg_setup() {
   use snmp && new_net-snmp_check
   enewuser cyrus -1 -1 /usr/cyrus mail
}

S=${WORKDIR}/${MY_P}

src_unpack() {
   unpack ${A} && cd "${S}"

   # ht_fix_file "${S}"/imap/xversion.sh

   # Fix prestripped binaries
   epatch "${FILESDIR}/${PN}-strip.patch"

   epatch "${FILESDIR}/${P}+db-5.0.patch"

   # Add libwrap defines as we don't have a dynamicly linked library.
   use tcpd && epatch "${FILESDIR}/${PN}-${LIBWRAP_PATCH_VER}-libwrap.patch"

   # Apply autocreate patch if USE enabled
   if use autocreate ; then
      epatch "${DISTDIR}/${AUTOCREATE_PATCH}" || die "epatch failed"
   fi

   # Apply autosieve patch if USE enabled
   if use autosieve ; then
      epatch "${DISTDIR}/${AUTOSIEVE_PATCH}" || die "epatch failed"
   fi

   # Fix master(8)->cyrusmaster(8) manpage.
   for i in `grep -rl -e 'master\.8' -e 'master(8)' "${S}"` ; do
      sed -i -e 's:master\.8:cyrusmaster.8:g' \
         -e 's:master(8):cyrusmaster(8):g' \
         "${i}" || die "sed failed"
   done
   mv man/master.8 man/cyrusmaster.8 || die "mv failed"
   sed -i -e "s:MASTER:CYRUSMASTER:g" \
      -e "s:Master:Cyrusmaster:g" \
      -e "s:master:cyrusmaster:g" \
      man/cyrusmaster.8 || die "sed failed"

   # Remove unwanted m4 files
   rm "cmulocal/ax_path_bdb.m4" || die "Failed to remove cmulocal/ax_path_bdb.m4"

   # Recreate configure.
   WANT_AUTOCONF="2.5"
   AT_M4DIR="cmulocal" eautoreconf

   # When linking with rpm, you need to link with more libraries.
   sed -i -e "s:lrpm:lrpm -lrpmio -lrpmdb:" configure || die "sed failed"

}

src_compile() {
   local myconf
   myconf="${myconf} $(use_with ssl openssl)"
   myconf="${myconf} $(use_with snmp ucdsnmp)"
   myconf="${myconf} $(use_with tcpd libwrap)"
   myconf="${myconf} $(use_enable kerberos gssapi) $(use_enable kerberos krb5afspts)"
   myconf="${myconf} $(use_enable idled)"
   myconf="${myconf} $(use_enable nntp)"
   myconf="${myconf} $(use_enable replication)"

   if use kerberos; then
      myconf="${myconf} --with-krb=$(krb5-config --prefix) --with-krbdes=no"
   else
      myconf="${myconf} --with-krb=no"
   fi

   # --enable-listext is no longer supported
   econf \
      --enable-murder \
      --enable-netscapehack \
      --with-service-path=/usr/$(get_libdir)/cyrus \
      --with-cyrus-user=cyrus \
      --with-cyrus-group=mail \
      --with-com_err=yes \
      --without-perl \
      --with-bdb=$(db_libname) \
      ${myconf} || die "econf failed"

   # -j1 for #222529
   cd "${S}"
   emake ${MAKEOPTS} || die "compile problem"
}

src_install() {
   local SUBDIRS

   if use sieve; then
      SUBDIRS="master imap imtest timsieved notifyd sieve"
   else
      SUBDIRS="master imap imtest"
   fi

   dodir /usr/bin /usr/lib
   for subdir in ${SUBDIRS}; do
      make -C "${subdir}" DESTDIR="${D}" install || die "make install failed"
   done

   # Link master to cyrusmaster (postfix has a master too)
   dosym /usr/lib/cyrus/master /usr/lib/cyrus/cyrusmaster

   if ! use nntp ; then
      rm man/fetchnews.8 man/syncnews.8 man/nntpd.8 man/nntptest.1
      rm "${D}"/usr/bin/nntptest
   fi

   doman man/*.[0-8]
   dodoc COPYRIGHT README*
   dohtml doc/*.html doc/murder.png
   cp doc/cyrusv2.mc "${D}/usr/share/doc/${PF}/html"
   cp -r contrib tools "${D}/usr/share/doc/${PF}"
   find "${D}/usr/share/doc" -name CVS -print0 | xargs -0 rm -rf

   insinto /etc
   doins "${FILESDIR}/cyrus.conf" "${FILESDIR}/imapd.conf"

   newinitd "${FILESDIR}/cyrus.rc6" cyrus
   newconfd "${FILESDIR}/cyrus.confd" cyrus
   newpamd "${FILESDIR}/cyrus.pam-include" sieve

   for subdir in imap/{,db,log,msg,proc,socket,sieve} spool/imap/{,stage.} ; do
      keepdir "/var/${subdir}"
      fowners cyrus:mail "/var/${subdir}"
      fperms 0750 "/var/${subdir}"
   done
   for subdir in imap/{user,quota,sieve} spool/imap ; do
      for i in a b c d e f g h i j k l m n o p q r s t v u w x y z ; do
         keepdir "/var/${subdir}/${i}"
         fowners cyrus:mail "/var/${subdir}/${i}"
         fperms 0750 "/var/${subdir}/${i}"
      done
   done
}

pkg_postinst() {
   # Do not install server.{key,pem} if they already exist.
   use ssl && {
      if [ ! -f "${ROOT}"etc/ssl/cyrus/server.key ]; then
         install_cert /etc/ssl/cyrus/server
         chown cyrus:mail "${ROOT}"etc/ssl/cyrus/server.{key,pem}
      fi
   }

   if df -T /var/imap | grep -q ' ext2 ' ; then
      ebegin "Making /var/imap/user/* and /var/imap/quota/* synchronous."
      chattr +S /var/imap/{user,quota}{,/*}
      eend $?
   fi

   if df -T /var/spool/imap | grep -q ' ext2 ' ; then
      ebegin "Making /var/spool/imap/* synchronous."
      chattr +S /var/spool/imap{,/*}
      eend $?
   fi

   ewarn "If the queue directory of the mail daemon resides on an ext2"
   ewarn "filesystem you need to set it manually to update"
   ewarn "synchronously. E.g. 'chattr +S /var/spool/mqueue'."
   echo

   elog "For correct logging add the following to /etc/syslog.conf:"
   elog "    local6.*         /var/log/imapd.log"
   elog "    auth.debug       /var/log/auth.log"
   echo

   elog "You have to add user cyrus to the sasldb2. Do this with:"
   elog "    saslpasswd2 cyrus"
}


cyrus-imapd-2.4.8+db-5.0.patch
Code:
--- cmulocal/cyrus.m4.orig   2011-04-29 18:50:00.689998576 +0300
+++ cmulocal/cyrus.m4   2011-04-29 18:50:06.680998575 +0300
@@ -11,35 +11,12 @@
 dnl (so the runpath for shared libraries is set).
 AC_DEFUN([CMU_ADD_LIBPATH], [
   # this is CMU ADD LIBPATH
-  if test "$andrew_cv_runpath_switch" = "none" ; then
-   LDFLAGS="-L$1 ${LDFLAGS}"
-  else
-   LDFLAGS="-L$1 $andrew_cv_runpath_switch$1 ${LDFLAGS}"
-  fi
+LDFLAGS="-L$1 ${LDFLAGS}"
 ])
 
 dnl add -L(1st arg), and possibly (runpath switch)(1st arg), to (2nd arg)
 dnl (so the runpath for shared libraries is set).
 AC_DEFUN([CMU_ADD_LIBPATH_TO], [
   # this is CMU ADD LIBPATH TO
-  if test "$andrew_cv_runpath_switch" = "none" ; then
-   $2="-L$1 ${$2}"
-  else
-   $2="-L$1 ${$2} $andrew_cv_runpath_switch$1"
-  fi
+$2="-L$1 ${$2}"
 ])
-
-dnl runpath initialization
-AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [
-   # CMU GUESS RUNPATH SWITCH
-  AC_CACHE_CHECK(for runpath switch, andrew_cv_runpath_switch, [
-    # first, try -R
-    SAVE_LDFLAGS="${LDFLAGS}"
-    LDFLAGS="-R /usr/lib"
-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-R"], [
-     LDFLAGS="-Wl,-rpath,/usr/lib"
-    AC_TRY_LINK([],[],[andrew_cv_runpath_switch="-Wl,-rpath,"],
-    [andrew_cv_runpath_switch="none"])
-    ])
-  LDFLAGS="${SAVE_LDFLAGS}"
-  ])])
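Review bot: the replacement lines `+LDFLAGS="-L$1 ${LDFLAGS}"` and `+$2="-L$1 ${$2}"` drop the two-space indentation of the macro bodies they sit in; indent them to match the `# this is CMU ADD LIBPATH` lines above them. More importantly, the hunk deletes the `CMU_GUESS_RUNPATH_SWITCH` definition outright, so if configure.in or any other m4 file in the tree still invokes that macro, `eautoreconf` will stop with an undefined-macro error; grep the unpacked tree for `CMU_GUESS_RUNPATH_SWITCH` before relying on this. Dropping the `-R` / `-Wl,-rpath,` probe is reasonable for a distribution build, where a hard-coded runpath for a system library directory is unnecessary, but the file name `cyrus-imapd-2.4.8+db-5.0.patch` promises a Berkeley DB 5.0 fix while the hunk only touches runpath handling in cmulocal/cyrus.m4; rename the patch to say what it actually does.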


Relevant bugzilla entries: #308941 and #350013
Cyrus changelog: http://www.cyrusimap.org/docs/cyrus-imapd/2.4.8/changes.php
As the list of changes includes numerous new features, I have to repeat:
I am not sure I covered all aspects. I am NOT an expert. So precautions are required. Feel free to take a look and improve the ebuild.
_________________
Sorry for my English. I'm still learning this language.


Last edited by costel78 on Fri Apr 29, 2011 5:43 pm; edited 1 time in total
cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Fri Apr 29, 2011 9:02 pm    Post subject: Reply with quote

yep. that's why I went with the 2.3.16 version :)

Cyrus is looking to incorporate this ability into 2.5 - 2.5 is not out yet
There are no 2.4 ebuilds in portage, and no "official" autocreate patches for 2.4 anywhere (rather, they aren't on the University of Athens website)
There is an autocreate patch for 2.3.14, and 2.3.16, but not for 2.3.15

So I decided to just document a specific version of Cyrus, and have people add the ebuild to a local overlay

I was going to file a bug @ gentoo bugzilla with updated ebuilds for 2.3.x so that we could get autocreate officially into portage (they stopped including this patch after 2.3.12)
But I think without a 2.3.15 patch, they will probably not include it in official portage update - so I just host the ebuild myself.
There is a patch out there for 2.3.15, but it is not provided by the same people - so this is another concern, having to maintain an ebuild where the AUTOCREATE_URI is different for every single version.

Actually I am happy to host these files for 2.4 on my server. It will be alive unless my hardware dies, my connection dies, or we get hit with another hurricane that takes out our electricity for 3 weeks!

However, this ebuild should not work for 2.4.4, because:

Code:

autocreate? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOCREATE_PATCH} )
      autosieve? ( http://email.uoa.gr/download/cyrus/${P}/${AUTOSIEVE_PATCH} )


email.uoa.gr does not host these patches for 2.4.4, so the above two URLs will be a "404 - Not Found"

so it should be a failed fetch for these patches

When I have some more time I will look at this in more detail, see if I can fix a few things, and put the files up on my server.

NB: for files that are too large for a post, you can just go to pastebin(.com) and paste them there, then share the link.

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Fri Apr 29, 2011 9:41 pm    Post subject: Reply with quote

http://whitehathouston.com/downloads/gentoo/ebuilds/cyrus/net-mail/cyrus-imapd/

Only remaining problem, aside from some small cosmetic/style things, is that db patch.

The ebuild is useless unless you can find a way to get that patch to apply, or find an updated patch.

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sat Apr 30, 2011 2:20 am    Post subject: Reply with quote

ok
config.m4 doesn't even exist
so why are we trying to patch it?

I removed that from the ebuild, and it unpacks/patches fine for both autosieve and autocreate (on 2.4.8, haven't tested 2.4.4 yet)
The source also compiles perfectly fine (I'm not going to install it - 2.3.16 is stable, so I'm sticking with that)

So there ya go. The ebuild I put up, based on your modification, seems to work fine. Haven't yet run repoman on it to see if it's "proper syntax", but it's workable.

EDIT: updated from EAPI=1 to EAPI=2, removed 'built_with_use' in favor of 'has_version ${somevar}[flagname]', and things put in their proper functions (e.g. src_prepare, src_configure added and things moved accordingly). Passes repoman with flying colors, compiles successfully, patches fine, etc

costel78
Guru

Joined: 20 Apr 2007
Posts: 337

PostPosted: Sat Apr 30, 2011 7:22 am    Post subject: Reply with quote

Hello,

Regarding the autocreate and autosieve patches, you are perfectly right. Maybe by including them in $FILESDIR the problem will be solved.
I am confused about cyrus-imapd-2.4.8+db-5.0.patch. The patch I posted applies cleanly via the ebuild. It's a slightly modified version of the one from portage. Without it, the ebuild fails to install. But I think there is the catch: I don't use db-5.0. My version is 4.8.30. cyrus.m4 is present in ftp://ftp.cyrusimap.org/cyrus-imapd/cyrus-imapd-2.4.8.tar.gz in cyrus-imapd-2.4.8/cmulocal.
Perhaps you are saying that with >=sys-libs/db-5.* things are not going well? I think there is something I didn't catch :)

Anyway, in fact it doesn't matter at all since you did great work and ported the ebuild to EAPI 2. I'll try it today (they promised to give me the full specifications in a few hours) and I will start to code the web app for database administration.
I don't have enough words to thank you. I learned a lot from your 34-page pdf :) The previous setup I had used for a few years (courier-imap and postfixadmin) proved to have glitches until the old things remaining from the tutorial were fixed. Yours works perfectly from the first try and the setup is more secure and clean. Thank you!