On 2014-09-08 13:57, Robert Moskowitz wrote:
On 09/08/2014 08:13 AM, Gordan Bobic wrote:
On 2014-09-08 12:50, Robert Moskowitz wrote:
Last year I worked on a replacement for my current mailserver, but
never put it in production. I now want to go through the steps and
rebuild it with RSEL.
Basically I followed:
http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer
http://wiki.centos.org/HowTos/Amavisd
So I use:
Postfix
mysql
postfixadmin (from sourceforge)
dovecot
roundcubemail
amavisd-new
clamav
spamassassin
Those are the highlights and I hope to work on it off and on over the
next month. Meetings and Holidays will stretch out the work.
Are there any challenges with availability of any of these components
for RSEL?
I am concerned about no selinux, as there are a lot of php scripts,
and even though I worked a lot on the security settings (got into some
real rows on the various lists), I still worry.
I would be willing to share my notes with anyone that wants a similar
setup, and perhaps we can work this out together...
Base Repository:
Postfix
mysql
dovecot
spamassassin
EPEL:
clamav
amavisd
You're on your own with postfixadmin and roundcube. No idea what the
former is. If it is some kind of a web administration interface, I always
recommend against anything of such description for security reasons, and
if you absolutely have to have it, make sure it only listens on loopback,
so you can only access it by ssh-ing into the machine with -D, then using
the ssh session as a socks proxy to reach the admin interface.
http://sourceforge.net/projects/postfixadmin/
cd /usr/share
tar -xzvf /home/rgm/Downloads/postfixadmin-2.91.tar.gz
mv postfixadmin-2.91/ postfixadmin
cat <<EOF>/etc/httpd/conf.d/postfixadmin.conf || exit 1
alias /mailadmin /usr/share/postfixadmin
<Directory "/usr/share/postfixadmin">
AllowOverride AuthConfig
</Directory>
EOF
That should at the very least be wrapped into a virtual host that
only listens on 127.0.0.1.
You use it for your account admin. I really need to look into running
it on another port that I limit to my local network. Its config has
the mysql password for mailserv hardcoded. That is what I really don't
like; how you have to put mysql passwords all over in various places.
That's unfortunately inevitable, unless you want to have to have the
operator enter many passwords to get the machines running after
every reboot.
IIRC RoundCube only requires PHP and MySQL, both of which are
available.
It is in the EPEL 6 repo as: roundcubemail-0.9.5-1.el6.noarch.rpm
That's quite an old version. RoundCube cleared the 1.x threshold some
time ago. I suggest you get the latest one from roundcube.net.
But I don't see it in the arm EPEL 6 repo. What would it take to get
it there? I don't have any records of any dependencies it needed.
Installing and using something like that from an RPM is, IMO, dangerous,
in the same way that running WP from an rpm package is. Either you keep
up with the updates and just keep dropping them in place, rendering
the packaging useless, or you have to keep rolling your own rpm
update to re-invent the wheel and hope that an old config file doesn't
get clobbered in the process.
The default setup for Roundcube has some major php security flaws that
I argued against on the list. The change was trivial, but the keepers
refused to make the change. I have my notes of what I did.
But Roundcube looked like the best Webmail offering at that time.
It is. What security configuration issue do you actually have in mind?
Gordan
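
The loopback-only virtual host and `ssh -D` access recommended in the message above, as an added example that is not part of the original thread. Port 8081, the host name mail.example.org, the function names and the httpd 2.2 access-control syntax (assumed for an EL6-based system) are assumptions.

```shell
#!/bin/sh
# Added example: names, port 8081 and the host name are assumptions.

# Write a loopback-only vhost for postfixadmin to the file named in $1
# (on the server this would be /etc/httpd/conf.d/postfixadmin.conf).
write_loopback_vhost() {
    cat <<'EOF' > "$1" || return 1
Listen 127.0.0.1:8081
<VirtualHost 127.0.0.1:8081>
    Alias /mailadmin /usr/share/postfixadmin
    <Directory "/usr/share/postfixadmin">
        AllowOverride AuthConfig
        # httpd 2.2 syntax (assumed); httpd 2.4 uses "Require local"
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
</VirtualHost>
EOF
}

# Return 0 only if the conf file $1 has at least one Alias, every Alias
# sits inside a <VirtualHost 127.0.0.1...>, and every Listen is on 127.0.0.1.
check_loopback_only() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^listen[ \t]/ && line !~ /^listen[ \t]+127\.0\.0\.1:/ { bad = 1 }
        line ~ /^<virtualhost[ \t]/ {
            in_vh = 1
            lo = (line ~ /^<virtualhost[ \t]+127\.0\.0\.1[:>]/)
        }
        line ~ /^<\/virtualhost>/ { in_vh = 0; lo = 0 }
        line ~ /^alias[ \t]/ { seen = 1; if (!(in_vh && lo)) bad = 1 }
        END { if (bad || !seen) exit 1; exit 0 }
    ' "$1"
}

# Reaching the interface from the admin workstation through the SOCKS
# proxy that ssh -D opens (local port 1080 is an assumption):
#   ssh -D 1080 admin@mail.example.org
#   curl --socks5-hostname 127.0.0.1:1080 http://127.0.0.1:8081/mailadmin/
```

Because the SOCKS connection is made from the server end of the ssh session, 127.0.0.1:8081 in the URL refers to the mail server's loopback interface. Many browsers bypass the proxy for 127.0.0.1 by default, so that exclusion has to be removed in the browser's proxy settings.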