This documentation is based on the operating system Ubuntu 14.04 LTS.

= Packages =

== Repositories ==
We provide current software versions of Dovecot and Mailman on Launchpad.

<source lang='text'>
add-apt-repository ppa:freifunk-mwu/mail
</source>

== DNS ==
<source lang='text'>
apt-get install bind9 bind9-utils unbound dnsutils
</source>

== postfix ==
<source lang='text'>
apt-get install postfix postfix-doc postfix-cdb postfix-pcre postfix-mysql
</source>

== dovecot ==
<source lang='text'>
apt-get install dovecot dovecot-pigeonhole
</source>

== mailman ==
<source lang='text'>
apt-get install mailman
</source>

== amavisd-new ==
<source lang='text'>
apt-get install amavisd-new arj unrar zoo nomarch lzop cabextract p7zip-full rpm unrar-free lhasa ripole zip unzip lrzip liblz4-tool tnef
</source>

== spamassassin ==
<source lang='text'>
apt-get install spamassassin sa-compile
</source>

== virus ==
<source lang='text'>
apt-get install clamav-base clamav-daemon clamav-freshclam
</source>

== web server ==
<source lang='text'>
apt-get install apache2 libapache2-mod-wsgi
</source>

== roundcube ==
<source lang='text'>
apt-get install libapache2-mod-php5 php5-mcrypt php5-intl php5-mysqlnd
</source>

== Modoboa ==
<source lang='text'>
apt-get install python-dev python-pip libxslt-dev libcairo2-dev libpango1.0-dev librrd-dev python-rrdtool python-mysqldb mysql-server
</source>

= DNS =
A mail server generates a large number of DNS queries for every mail that arrives and every mail that is sent.
To keep the processing time of a mail as short as possible and to avoid putting unnecessary load on existing DNS servers, a local DNS recursor is installed on the mail server. The software used for this is Unbound.
So that the Freifunk mail server can resolve the internal Freifunk domains, a BIND slave server is configured for the internal zones. It forwards all queries it cannot answer itself to the local DNS recursor (forwarder).

== Unbound ==
Update the DNSSEC trust anchor key
<source lang='text'>
unbound-anchor -a /var/lib/unbound/root.key
</source>

We listen on localhost, TCP/UDP port 54. The configuration goes into /etc/unbound/unbound.conf.d/freifunk-mwu.conf
<source lang='text'>
server:
    port: 54
    interface: 127.0.0.1
    do-not-query-address: fe80::/10
</source>
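A check for the resolver chain described in this section, added here as an example and not part of the original documentation: it queries the root SOA with +dnssec first directly at Unbound (port 54) and then at BIND (port 53, which forwards to Unbound) and expects the AD flag both times, which proves that the trust anchor installed above is actually used for validation. The dig header samples inside the block are constructed; dig and grep are used with their standard options only.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: verify the resolver chain
# described above. Unbound on 127.0.0.1:54 must answer with DNSSEC validation
# (AD flag set), and BIND on 127.0.0.1:53 forwards to it, so the same query
# through BIND must validate too. The root SOA is used as test record because
# the root zone is signed and the trust anchor was just installed.

# Return 0 if a dig answer is NOERROR and carries the AD (authenticated data)
# flag, i.e. the resolver validated the DNSSEC chain for it.
dig_validated() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$1" | grep -Eq '^;; flags:.* ad[ ;]'
}

# Ask the resolver on the given local port for the root SOA with the DO bit
# set (+dnssec); a validating resolver then sets AD on the answer.
root_validates_via() {
    out=$(dig @127.0.0.1 -p "$1" . SOA +dnssec +tries=1 +time=3 2>/dev/null) || return 1
    dig_validated "$out"
}

# Check both hops: 54 is Unbound itself, 53 is BIND forwarding to Unbound.
check_chain() {
    rc=0
    for port in 54 53; do
        if root_validates_via "$port"; then
            echo "port $port: root SOA validated (AD set)"
        else
            echo "port $port: NOT validated (check unbound-anchor / forwarder)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed dig header output used by the self-test below.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# The live check runs only when called as: sh check_resolvers.sh run
if [ "${1:-}" = run ]; then check_chain; fi
```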

== BIND ==

== resolvconf ==
We tell the system to query "127.0.0.1" as its DNS server. As a fallback we define two open, external DNS servers.

= Databases =
We need several databases, which are described in the following table.

== Creating the databases and users ==
<source lang='text'>
mysql -u root -p

create database modoboa;
create database roundcubemail;

grant all privileges on modoboa.* to 'modoboa'@'localhost' identified by '<password>';
grant select on modoboa.* to 'postfix'@'localhost' identified by '<password>';
grant all privileges on modoboa.* to 'dovecot'@'localhost' identified by '<password>';
grant all privileges on roundcubemail.* to 'roundcube'@'localhost' IDENTIFIED BY '<password>';

flush privileges;
</source>
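An added example, not part of the original page: it generates one random password per database role and emits the statements above, so that the <password> placeholders are never typed by hand or shared between the modoboa, postfix, dovecot and roundcube accounts. The credentials file path /root/mail-db-credentials is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: generate one random
# password per database role and emit the statements from the section above,
# so that no "<password>" placeholder is typed by hand or reused between the
# modoboa, postfix, dovecot and roundcube accounts. The credentials file path
# is an assumption.

# 24 random characters from [A-Za-z0-9]: safe to paste into SQL and into the
# Modoboa --dburl without any escaping.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# grant_stmt USER DB PRIVS SECRET -> one GRANT statement in the MySQL 5.5
# syntax used above; a single quote in SECRET is doubled for SQL.
grant_stmt() {
    esc=$(printf '%s' "$4" | sed "s/'/''/g")
    printf "grant %s on %s.* to '%s'@'localhost' identified by '%s';\n" \
        "$3" "$2" "$1" "$esc"
}

# db_setup_sql MODOBOA_PW POSTFIX_PW DOVECOT_PW ROUNDCUBE_PW -> whole script.
# postfix only needs read access for its lookups, hence select only.
db_setup_sql() {
    echo 'create database modoboa;'
    echo 'create database roundcubemail;'
    grant_stmt modoboa   modoboa       'all privileges' "$1"
    grant_stmt postfix   modoboa       'select'         "$2"
    grant_stmt dovecot   modoboa       'all privileges' "$3"
    grant_stmt roundcube roundcubemail 'all privileges' "$4"
    echo 'flush privileges;'
}

# Generate the secrets, store them readable by root only, apply the SQL.
main() {
    creds=/root/mail-db-credentials        # assumed path
    m=$(gen_secret); p=$(gen_secret); d=$(gen_secret); r=$(gen_secret)
    umask 077
    printf 'modoboa=%s\npostfix=%s\ndovecot=%s\nroundcube=%s\n' \
        "$m" "$p" "$d" "$r" >"$creds"
    db_setup_sql "$m" "$p" "$d" "$r" | mysql -u root -p
}

if [ "${1:-}" = run ]; then main; fi
```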

= System user =
For the e-mail mailboxes a system user is created, which becomes the owner of all e-mails.
<source lang='text'>
mkdir /srv/imap
chmod 0750 /srv/imap
groupadd -g 4242 vmail
useradd -u 4242 -g vmail -d /srv/imap -M -s /bin/false vmail
chown -R vmail:vmail /srv/imap
</source>

= Installation =
== Modoboa ==
<source lang='text'>
sudo pip install modoboa

# deploy modoboa
cd /srv
modoboa-admin.py deploy --collectstatic --dburl default:mysql://modoboa:<password>@localhost:3306/modoboa amavis:mysql://modoboa:<password>@localhost:3306/amavis --timezone Europe/Berlin --domain mailadmin.freifunk-mwu.de ffmwu_mailadmin
</source>

=== Apache Config ===

We need vHosts for:
* mailadmin.freifunk-mwu.de (Modoboa, HTTPS)
* lists.freifunk-mwu.de (Mailman, HTTPS)
* webmail.freifunk-mwu.de (Roundcube, HTTPS)
* autoconfig (Thunderbird autoconfiguration, HTTP)
** autoconfig.freifunk-mwu.de
** autoconfig.freifunk-mainz.de
** autoconfig.freifunk-wiesbaden.de
* autodiscover (Outlook autoconfiguration, HTTPS)
** autodiscover.freifunk-mwu.de
** autodiscover.freifunk-mainz.de
** autodiscover.freifunk-wiesbaden.de

/etc/apache2/sites-available/modoboa.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName mailadmin.freifunk-mwu.de

    # trailing slash required: without it /foo would be redirected to https://mailadmin.freifunk-mwu.defoo
    Redirect permanent / https://mailadmin.freifunk-mwu.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName mailadmin.freifunk-mwu.de
    DocumentRoot /srv/ffmwu_mailadmin

    <Directory /srv/ffmwu_mailadmin>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Apache 2.4 access control (replaces the 2.2 "Order deny,allow / Allow from all")
    Alias /media/ /srv/ffmwu_mailadmin/media/
    <Directory /srv/ffmwu_mailadmin/media>
        Require all granted
    </Directory>

    Alias /sitestatic/ /srv/ffmwu_mailadmin/sitestatic/
    <Directory /srv/ffmwu_mailadmin/sitestatic>
        Require all granted
    </Directory>

    WSGIScriptAlias / /srv/ffmwu_mailadmin/ffmwu_mailadmin/wsgi.py
    WSGIDaemonProcess freifunk-mwu.de python-path=/srv/ffmwu_mailadmin
    WSGIProcessGroup freifunk-mwu.de

    #LogLevel info ssl:warn

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-mwu.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-mwu.de_private.key
</VirtualHost>
</source>

/etc/apache2/sites-available/autoconfig.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName autoconfig.freifunk-mwu.de

    DocumentRoot "/srv/http/autoconfig/freifunk-mwu"
    <Directory "/srv/http/autoconfig/freifunk-mwu">
        Options Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName autoconfig.freifunk-mainz.de

    DocumentRoot "/srv/http/autoconfig/freifunk-mainz"
    <Directory "/srv/http/autoconfig/freifunk-mainz">
        Options Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName autoconfig.freifunk-wiesbaden.de

    DocumentRoot "/srv/http/autoconfig/freifunk-wiesbaden"
    <Directory "/srv/http/autoconfig/freifunk-wiesbaden">
        Options Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
</source>

/etc/apache2/sites-available/autodiscover-freifunk-mwu.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName autodiscover.freifunk-mwu.de

    # trailing slash required, otherwise the request path is appended directly to the host name
    Redirect permanent / https://autodiscover.freifunk-mwu.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName autodiscover.freifunk-mwu.de
    DocumentRoot /srv/http/autodiscover/freifunk-mwu

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Directory "/srv/http/autodiscover/freifunk-mwu">
        SSLOptions +StdEnvVars
        Options None
        AllowOverride all
        Require all granted
    </Directory>

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-mwu.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-mwu.de_private.key
</VirtualHost>
</source>

/etc/apache2/sites-available/autodiscover-freifunk-mainz.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName autodiscover.freifunk-mainz.de

    # trailing slash required, otherwise the request path is appended directly to the host name
    Redirect permanent / https://autodiscover.freifunk-mainz.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName autodiscover.freifunk-mainz.de
    DocumentRoot /srv/http/autodiscover/freifunk-mainz

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Directory "/srv/http/autodiscover/freifunk-mainz">
        SSLOptions +StdEnvVars
        Options None
        AllowOverride all
        Require all granted
    </Directory>

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-mainz.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-mainz.de_private.key
</VirtualHost>
</source>

/etc/apache2/sites-available/autodiscover-freifunk-wiesbaden.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName autodiscover.freifunk-wiesbaden.de

    # trailing slash required, otherwise the request path is appended directly to the host name
    Redirect permanent / https://autodiscover.freifunk-wiesbaden.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName autodiscover.freifunk-wiesbaden.de
    DocumentRoot /srv/http/autodiscover/freifunk-wiesbaden

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Directory "/srv/http/autodiscover/freifunk-wiesbaden">
        SSLOptions +StdEnvVars
        Options None
        AllowOverride all
        Require all granted
    </Directory>

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-wiesbaden.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-wiesbaden.de_private.key
</VirtualHost>
</source>

/etc/apache2/sites-available/mailman.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName lists.freifunk-mwu.de
    Redirect permanent / https://lists.freifunk-mwu.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName lists.freifunk-mwu.de
    DocumentRoot /srv/http/mailman

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # We can find mailman here:
    ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
    # And the public archives:
    Alias /pipermail/ /var/lib/mailman/archives/public/
    # Logos:
    Alias /images/mailman/ /usr/share/images/mailman/
    # Catch-all last, so the more specific aliases above win:
    ScriptAlias / /usr/lib/cgi-bin/mailman/listinfo/

    <Directory /usr/lib/cgi-bin/mailman/>
        AllowOverride None
        Options Indexes FollowSymlinks ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>

    <Directory /var/lib/mailman/archives/public/>
        Options FollowSymlinks
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /usr/share/images/mailman/>
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /srv/http/mailman>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-mwu.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-mwu.de_private.key
</VirtualHost>
</source>

/etc/apache2/sites-available/webmail.conf
<source lang='text'>
<VirtualHost *:80>
    ServerName webmail.freifunk-mwu.de

    # trailing slash required, otherwise the request path is appended directly to the host name
    Redirect permanent / https://webmail.freifunk-mwu.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@freifunk-mwu.de
    ServerName webmail.freifunk-mwu.de
    DocumentRoot /srv/http/roundcubemail-1.2.0

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Directory "/srv/http/roundcubemail-1.2.0">
        SSLOptions +StdEnvVars
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.freifunk-mwu.de_cert.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.freifunk-mwu.de_private.key
    SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.ca.pem
</VirtualHost>
</source>
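An added example, not part of the original page or of any of the projects above: a small lint for the vhost files in this section. It reports a Redirect whose target lacks the trailing slash (Apache appends the request path, so /foo would end up at https://hostfoo) and a *:443 vhost that does not send Strict-Transport-Security. The two sample vhosts inside selftest are constructed; run it as sh lint_vhosts.sh /etc/apache2/sites-available/*.conf.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a lint for the vhost
# files above. It flags two things that are easy to get wrong in them:
#  1. "Redirect permanent / https://host" with no trailing slash on the
#     target: Apache appends the request path, so /foo goes to https://hostfoo.
#  2. a *:443 vhost that does not send Strict-Transport-Security (each file
#     above holds exactly one *:443 vhost, so the check is per file).
# Prints one line per finding; prints nothing when the file is clean.

REDIRECT_RE='^[[:space:]]*Redirect[[:space:]]+(permanent[[:space:]]+)?/[[:space:]]+https?://[^/[:space:]]+[[:space:]]*$'

lint_vhost() {
    f="$1"
    grep -En "$REDIRECT_RE" "$f" | sed "s|^|$f: redirect target needs a trailing slash, line |"
    if grep -q '<VirtualHost \*:443>' "$f" && ! grep -qi 'Strict-Transport-Security' "$f"; then
        echo "$f: *:443 vhost without Strict-Transport-Security header"
    fi
}

# Self-test on constructed samples: the first reproduces both mistakes,
# the second is the corrected form. Returns 0 if the lint finds 2 and 0.
selftest() {
    bad=$(mktemp); good=$(mktemp)
    cat >"$bad" <<'EOF'
<VirtualHost *:80>
    Redirect permanent / https://mailadmin.freifunk-mwu.de
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
EOF
    cat >"$good" <<'EOF'
<VirtualHost *:80>
    Redirect permanent / https://mailadmin.freifunk-mwu.de/
</VirtualHost>
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF
    nb=$(lint_vhost "$bad" | grep -c '' || true)
    ng=$(lint_vhost "$good" | grep -c '' || true)
    rm -f "$bad" "$good"
    [ "$nb" -eq 2 ] && [ "$ng" -eq 0 ]
}

for f in "$@"; do lint_vhost "$f"; done
```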


