-
You'll need a registered domain name and a VPS (Virtual Private Server) provider that allows uploading of iso images for the OS.
I use namecheap to get my registered domain names.
I use contabo.com as my VPS provider, and they work great for this, and have improved a lot over the past year. Contabo allows uploading of ISO and Qcow2 custom
images to use for your OS. If you get a VPS at contabo for setting up a mailserver I'd highly recommend getting a VPS with a minimum of 16gb memory and 6 CPU
cores. I've tried the cheaper VPS with 8gb memory and 4 CPU cores, and it was pretty sluggish for a mailserver.
Note! Been having trouble lately with Contabo. I Just ordered another VPS from them, and custom images will not work properly on this new VPS. I think it's because
they changed something about how the new VPS's work with custom images. I got Contabo support to help, but they couldn't fix it. I've got 3 other VPS's with Contabo
that work perfect with custom images. Hopefully they will get this fixed soon.
netcup.com didn't workout for me. Their prices were great, and their VPS and Root Servers were great, but to use their nameservers you have to get your domain through
them. I've got too many domains already, and don't want or need anymore. Netcup seems like a very eccentric company to me, they have their own way of doing things,
but you may want to check them out. They do have some very good servers to choose from, and you'll probably get twice the performance for the same money as Contabo.
After you have your domain name and a VPS go to the DNS Zone Management panel at your domain name or VPS provider and setup the DNS records for the server.
This includes the SPF records, DMARC records, and DKIM key.
Note! - I switched back to using Contabo's nameservers, because Namecheap's nameservers are open resolvers, which means anyone can use them, and open resolvers
will not work with spamhaus for filtering spam.
Resource record TTL Type Priority Data
---------------------------------------------------------------------
mail.example.org 3600 A 0 ip.address
example.org 3600 A 0 ip.address
www.example.org 3600 A 0 ip.address
example.org 3600 MX 10 mail.example.org
example.org 3600 TXT 0 v=spf1 mx -all
_dmarc.example.org 3600 TXT 0 v=DMARC1;p=quarantine;pct=100;fo=1;rua=mailto:admin@example.org
dkim._domainkey.example.org 3600 TXT 0 v=DKIM1;p=dkim.public.key
You will have to wait until SlackerMail-FreeBSD is installed to retrieve and enter the DKIM key in your DNS Zone Management.
Then setup the reverse DNS at your VPS provider with:
IP Address PTR Record
----------------------------------------------
your.server.ip.address mail.example.org
-
Install FreeBSD
a. Qcow2 Install - (Alternative to ISO Install)
This is the fastest and easiest method to setup FreeBSD at your VPS provider, if they support it. Contabo does support Qcow2 images, and it's the method I always
use. I have two FreeBSD qcow2 images below. One uses the UFS filesystem, and the other uses the ZFS filesystem. They both have a 10gb partition, but can easily be
resized to use the full hard drive of your server. These FreeBSD images are for a command line server only, no X-Windows. I've installed packages that will be needed
by the SlackerMail mail server.
These qcow2 FreeBSD images have the PF firewall enabled and running. The /etc/pf.conf file is where you configure the PF firewall. I think I have the PF firewall setup
properly now. I'm new to PF, so it took some RTFM to get it setup.
Important! - Make sure to read this How-To for directions on how to set these qcow2 images up properly at your provider!
After you have uploaded one of the two qcow2 images below to your VPS provider as a custom image, you can initiate the install to your VPS. You'll need a VNC client
to logon to the server with the VNC ip the provider provided you. I use TigerVNC for my VNC client. TigerVNC is availible for Windows, Mac, Linux, and FreeBSD.
The qcow2 image below uses the ufs filesystem.
FreeBSD-14.3-p5-vps-ufs-12072025.qcow2 (2.73gb) SHA256: 9ca94b25387df72f6adededea967836366378bd31e2e07f0c5547340fe3e70d4
The qcow2 image below uses the zfs filesystem.
FreeBSD-14.3-p5-vps-zfs-12072025.qcow2 (3.44gb) SHA256: 099c2538692ddc35ba075e85a924e9be946849ac921bc2423eeb0a4eef52748c
After you install one of the above qcow2 images at your VPS provider, and have followed the How-To on how to set them up, you can go directly to the SlackerMail-FreeBSD
install script if you want to install SlackerMail. This script is not ready yet, but you can do the manual SlackerMail install starting below, until the install script is ready.
b. ISO Install - (Traditional Install)
Upload the FreeBSD-14.3-RELEASE-amd64-dvd1.iso (4.16gb) image to your VPS provider as a custom image.
After the FreeBSD 14.3 ISO has been uploaded to your provider, initiate the install process in their control panel. Then you'll need to VNC to the ip address given for VNC
access to your FreeBSD server. I use TigerVNC for my VNC client. TigerVNC is availible for Windows, Mac, Linux, and FreeBSD.
FreeBSD-14.3 is the easiest and fastest OS install I've ever seen. When you VNC to your FreeBSD server you'll be met with the install menus below.
01. Welcome - I choose "Install".
02. Keymap Selection - Pick your proper regional keymap.
03. Set Hostname - Enter your FQDN (Fully Qualified Doman Name) eg. mail.example.org.
04. Distribution Select - Choose what you want to install. The default selection looks good, but we'll also need to install "src" and
"ports" because you may need to recompile the kernel at some point, and we'll need to build some ports for the SlackerMail mail server.
05. Partitioning - Pick your preferred disk setup. I pick either "Auto (ZFS)" or "Auto (UFS)", then I choose "Entire Disk", then I choose
"GPT GUID Partition Table"
06. ZFS Configuration - I accept the defaults, and in the next dialog box I choose "Stripe", because I have only 1 disk. Then I choose
"da0 QEMU QEMU HARDDISK" to create the zpool on, and lastly I enter "Yes" to create the drive.
07. FreeBSD is installed
08. Setting the root password - Set a password for root.
09. Network Configuration - I Choose my network interface, then I choose "Yes" to configure IPv4, then "Yes" to configure "DHCP", then
"No" to configure IPv6. Lastly is the network "Resolver Configuration", and if all looks well choose "OK".
10. Time Zone Selector - Choose your time zone.
11. System Configuration - Choose what services will be started at boot. I pick sshd, moused, ntpd, and ntpd_sync_on_start.
12. System Hardening - I leave all of these unchecked.
13. Add User Accounts - Enter Username, then Full name. I then just hit enter for all the default selections, except for "Invite user
into other groups?", I enter "wheel", because you'll need to be in the wheel group to be able to su to root. Lastly you'll need to
enter a password for the user.
14. Final Configuration - If everything looks okay, Exit, to apply configuration and exit installer.
15. Reboot - Reboot and logon to your server using PuTTY with the user you added during install, then to become root run "su - root",
and enter the root password.
Now that FreeBSD is installed, you've rebooted, and logged in with PuTTY, there are a couple files you may want to edit. If you want to be able to login as root, then
you'll need to edit /etc/ssh/sshd_config and change "#PermitRootLogin no" to "PermitRootLogin yes". You'll probably want to edit /boot/defaults/loader.conf, and
change "#autoboot_delay="10"" to "autoboot_delay="0"", so the bootup is faster.
You can edit with "vi" or with "mc -u". "mc -u" (Midnight Commander) is a very nice command line filemanager, and a lot easier to edit with, but you'll have to
install the "mc" package first. If you want to install mc, first run "pkg update", then run "pkg install mc". After mc is installed you can then run "mc -u" to search
for and edit files.
-
FreeBSD Server Initial Setup
Now ssh to your new FreeBSD server with the ip address given to you by your VPS provider, with PuTTY or other ssh client.
You've probably already setup your hostname on the install, but if you didn't you need to do that now. Run the command
below to set your hostname, and adjust for your actual FQDN:
sysrc hostname="mail.example.org"
Then run the echo command below to set your /etc/hosts file, and of course adjust for your actual FQDN:
echo "127.0.0.1 mail.example.org mail localhost" > /etc/hosts
Next we need to do a system update:
pkg update
pkg upgrade
freebsd-update fetch
freebsd-update install
If your system was updated, then do a reboot:
reboot
Next we need to install some needed packages:
pkg install -y gcc gmake cmake python php84 php84-pecl-imagick bind-tools 7-zip m4 git gnupg \
openssl mc htop bash neofetch gzip unzip shared-mime-info ca_root_nss bzip2-1.0.8_1 sudo
Then update your ntpd leapsecond file:
service ntpd fetch
Then do a reboot:
reboot
-
PF Firewall Setup
First download the PF config file and move it to the /etc directory:
fetch https://the-slacker.com/download/pf.conf
mv -f pf.conf /etc/
Run "ifconfig" at the command prompt, and take note of the interface name at the very top line. If it doesn't say "vtnet0",
then edit /etc/pf.conf and change "ext_if = "vtnet0"" to the actual name of your device.
Next enable PF firewall and logging to be started at boot, then reboot:
service pf enable
service pflog enable
reboot
After the reboot check the status of PF:
pfctl -s info
To read the pflog run the below command:
tcpdump -n -e -ttt -r /var/log/pflog
We are now ready to install SlackerMail with the SlackerMail-FreeBSD install script at this point. The SlackerMail-FreeBSD install script
is not ready yet, and it will take some time to finish it.
You can also setup SlackerMail by hand by following all the directions below. It takes about 5 minutes to install from the script. It will take
1-2 days to install by hand, but it's a good learning experience.
-
Install Webmin as the server control panel - Optional
First we need to install some required perl modules needed by Webmin. Just copy, paste, and run the entire block below into PuTTY:
pkg install -y p5-DateTime-Locale p5-DateTime-TimeZone p5-Data-Dumper p5-Digest-MD5 p5-Digest-SHA p5-Encode-Detect p5-File-Path p5-Time-HiRes \
p5-Time-Local p5-Time-Piece p5-Authen-PAM p5-Net-SSLeay p5-IO-Tty gzip unzip shared-mime-info p5-Mail-DKIM p5-DBD-mysql
Install Webmin:
pkg install webmin
then run:
/usr/local/lib/webmin/setup.sh
Make sure to answer:
Use SSL (y/n): y
Then enable webmin to start at boot:
service webmin enable
Then start webmin:
service webmin start
I edit /usr/local/etc/webmin/miniserv.conf and add the line "allow=your.ip.address" # Do this if you
want to only allow your ip address to login with Webmin.
You should now be able to reach your Webmin control panel at https://example.org:10000.
The reason I install Webmin so early into the setup is because it makes editing files and reading logs so easy.
It'll save you many hours over using just the console, and is safe if you add the line "allow=your.ip.address"
in /usr/local/etc/webmin/miniserv.conf.
*Notice
Webmin doesn't recognize the FreeBSD ZFS filesystem, so it doesn't report a disk.
-
Apache or Nginx Web Server
Note! - This is a bit of a confusing mess, the way I have the Apache and Nginx config files setup. I'm going to
try to neaten it up like iRedMail has it.
First off we need to secure PHP, since the web server and other services use it.
Copy the entire block below, then paste it in Putty and run it.
sed -i '' 's/disable_functions =/disable_functions = system,posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid/g' /usr/local/etc/php.ini
Then we need to create a Diffie–Hellman key exchange (DH) that we will use in our webserver, postfix, dovecot, etc.
openssl dhparam -out dh2048_param.pem 2048
mv -f dh2048_param.pem /etc/ssl/
Next we need to download and install the php-fpm config file:
fetch https://the-slacker.com/download/www.conf.freebsd
mv -f www.conf.freebsd /usr/local/etc/php-fpm.d/www.conf
Next we need to setup a web server. Take your choice from Apache or Nginx, both are fine web servers.
Apache:
First we need to install Apache:
pkg install apache24
Then download and install a preconfigured httpd.conf file:
fetch https://the-slacker.com/download/freebsd-httpd.conf
mv -f freebsd-httpd.conf /usr/local/etc/apache24/httpd.conf
Then edit /usr/local/etc/apache24/httpd.conf:
Change ServerAdmin to your email address.
Change ServerName to your domain name.
Then edit /usr/local/etc/rc.d/apache24:
Change the NO to YES in the line apache24_http_accept_enable="NO"
This allows the use of a kernel module that can help the performance of Apache.
Then enable Apache in the rc.conf file:
service apache24 enable
Then enable the needed php-fpm service:
service php_fpm enable
Then start Apache and php-fpm:
service apache24 onestart
service php_fpm start
You should be able to reach your server with eg. http://example.org
If you want to install a robots.txt file that is set to allow good robots and disallow bad robots, then download and install the following:
fetch https://the-slacker.com/download/robots.txt
mv -f robots.txt /usr/local/www/apache24/data/
Apache will not work like we need it to yet without SSL certs. In the next section we'll get free Let's Encrypt certs.
Nginx:
If you want to use the Nginx web server instead of Apache follow instructions below.
First we need to install Nginx:
pkg install nginx
Then enable Nginx and php-fpm:
service nginx enable
service php_fpm enable
Then start Nginx and php-fpm:
service nginx start
service php_fpm start
You should be able to reach your server with eg. http://example.org
If you want to install a robots.txt file that is set to allow good robots and disallow bad robots, then download and install the following:
fetch https://the-slacker.com/download/robots.txt
mv -f robots.txt /usr/local/www/nginx/
Nginx will not work like we need it to yet without SSL certs. In the next section we'll get free Let's Encrypt certs.
-
Let's Encrypt SSL Certs
Apache and Nginx are not configured for SSL out of the box, so we need to change that.
First we'll need to install "certbot", so we can aquire and update our SSL Certificates:
pkg install py311-certbot
Let's Encrypt setup with Apache web server
First prepare for the Let’s Encrypt’s verification challenge:
mkdir -p /usr/local/www/apache24/data/.well-known/acme-challenge
Then make sure Apache is running and you can reach your server:
http://example.org # Adjust for your actual domain name.
Then run Certbot to aquire your SSL certificates:
Adjust the below command to match your actual FQDN and domain name.
certbot certonly --webroot -w /usr/local/www/apache24/data -d mail.example.org -d www.example.org -d example.org
If the Let's Encrypt certs were installed successfully, then edit /usr/local/etc/apache24/httpd.conf:
Down at the bottom of the file:
Uncomment #Include etc/apache24/extra/httpd-ssl.conf
Download and install a preconfigured httpd-ssl.conf:
fetch https://the-slacker.com/download/freebsd-httpd-ssl.conf
mv -f freebsd-httpd-ssl.conf /usr/local/etc/apache24/extra/httpd-ssl.conf
Edit /usr/local/etc/apache24/extra/httpd-ssl.conf
Change ServerName to match your domain name.
Change ServerAdmin to match your email.
Uncomment and change to match your Let's Encrypt certs.
#SSLCertificateFile "/usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem"
#SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem"
If you want to redirect all http traffic to https, then edit /usr/local/etc/apache24/httpd.conf:
Put the following just below Listen 80:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Restart Apache:
service apache24 restart
Hopefully you can now reach your server at https://example.org.
Lastly, set certbot to check every week if a renew is needed for the Let's Encrpyt certs.
Copy, paste, and run the echo command below to enable the weekly renew check:
echo -e '#!/bin/sh
#500.certbot
weekly_certbot_enable="YES"
weekly_certbot_post_hook="service apache24 restart"' > /usr/local/etc/periodic.conf
Note! You'll want to restart all the services that use the Let's Encrypt certs. For example:
echo -e '#!/bin/sh
#500.certbot
weekly_certbot_enable="YES"
weekly_certbot_post_hook="service apache24 restart && service postfix restart && service dovecot restart && service webmin restart"' > /usr/local/etc/periodic.conf
Then enable the certbot weekly renew script:
chmod 0755 /usr/local/etc/periodic/weekly/500.certbot-3.11
That should do it for now with Let's Encrypt setup for Apache.
Let's Encrypt setup with Nginx web server
First prepare for the Let’s Encrypt’s verification challenge:
mkdir -p /usr/local/www/nginx/.well-known/acme-challenge
Then make sure Nginx is running and you can reach your server:
http://example.org # Adjust for your actual domain name.
Then run Certbot to aquire your SSL certificates:
Adjust the below command to match your actual FQDN and domain name.
certbot certonly --webroot -w /usr/local/www/nginx -d mail.example.org -d www.example.org -d example.org
If the Let's Encrypt certs were installed successfully, then you need to download and install the preconfigured Nginx
config files:
fetch https://the-slacker.com/download/nginx.freebsd.conf
mv -f nginx.freebsd.conf /usr/local/etc/nginx/nginx.conf
mkdir -p /usr/local/etc/nginx/conf.d
fetch https://the-slacker.com/download/mailserver.freebsd.conf
mv -f mailserver.freebsd.conf /usr/local/etc/nginx/conf.d/mailserver.conf
Edit /usr/local/etc/nginx/conf.d/mailserver.conf:
Uncomment and change to match your domain:
#ssl_certificate /usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem;
#ssl_certificate_key /usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem;
Restart Nginx:
service nginx restart
Hopefully you can now reach your server at https://example.org.
Lastly, set certbot to check every week if a renew is needed for the Let's Encrpyt certs.
Copy, paste, and run the echo command below to enable the weekly renew check:
echo -e '#!/bin/sh
#500.certbot
weekly_certbot_enable="YES"
weekly_certbot_post_hook="service nginx restart"' > /usr/local/etc/periodic.conf
Note! You'll want to restart all the services that use the Let's Encrypt certs. For example:
echo -e '#!/bin/sh
#500.certbot
weekly_certbot_enable="YES"
weekly_certbot_post_hook="service nginx restart && service postfix restart && service dovecot restart && service webmin restart"' > /usr/local/etc/periodic.conf
Then enable the certbot weekly renew script:
chmod 0755 /usr/local/etc/periodic/weekly/500.certbot-3.11
That should do it for now with Let's Encrypt setup for Nginx.
Use Let's Encrypt certs with Webmin
If you installed Webmin, then you can use the Let's Encrypt ssl certs to avoid having to add an exception to get to the login.
Edit the /usr/local/etc/webmin/miniserv.conf file. Delete the "keyfile=" line, and add the following:
Of course adjust for your domain.
keyfile=/usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem
certfile=/usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem
Then restart Webmin:
service webmin restart
That should do it for Let's Encrypt for now.
-
MySQL (Oracle)
Install MySQL (Oracle):
Notice!
Oracle MySQL isn't the same as MariaDB MySQL. FreeBSD defaults to Oracle MySQL, so prebuilt FreeBSD packages that
are built with MySQL support are built with Oracle MySQL support. I'll be installing and using Oracle MySQL, so I can use
the FreeBSD prebuilt packages.
pkg install mysql80-server mysql80-client
Enable MySQL to start at boot and start it:
service mysql-server enable
service mysql-server start
Secure the MySQL Installation:
mysql_secure_installation
Test it to see if it's working properly:
mysql -u root -p
We'll need to add php mysql support:
pkg install php84-pdo_mysql
Add the 4 lines below in the [mysqld] section of the /usr/local/etc/mysql/my.cnf file:
Turning performance_schema off can save memory, and isn't really needed.
performance_schema = 0
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
log-error = /var/log/mysql/mysql.log
Delete the line below in the [mysqld] section of the /usr/local/etc/mysql/my.cnf file:
It uses too much memory set at 1G. The smaller default value of 134M is good enough.
innodb_buffer_pool_size = 1G
Create the mysql log directory:
mkdir /var/log/mysql
chown mysql:mysql /var/log/mysql
Restart mysql-server:
service mysql-server restart
That should do it for MySQL for now.
-
Dovecot
First we'll need to create the MySQL vmail user and database that we'll need for Dovecot, Postfix, Postfixadmin, and
Roundcube. Make it a strong password with only upper and lower case letters and numbers, no special characters.
mysql -u root -p
CREATE DATABASE vmail;
CREATE USER 'vmail'@'localhost' IDENTIFIED BY 'vmailpassword';
GRANT ALL PRIVILEGES ON vmail.* TO 'vmail'@'localhost';
FLUSH PRIVILEGES;
QUIT;
Next we create the vmail group and user with the following commands:
pw groupadd -n vmail -g 150
pw useradd -n vmail -d /var/vmail -s /usr/sbin/nologin -u 150 -g 150
mkdir /var/vmail
chmod 770 /var/vmail
chown vmail:vmail /var/vmail
Then we'll need to install Dovecot with builtin MySQL support:
pkg install dovecot-mysql
Install the needed Dovecot config files:
cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
Then we create a new /usr/local/etc/dovecot/conf.d/10-ssl.conf file. Make sure to change the ssl certs to match your domain.
Copy and paste the full echo command below into PuTTY and run it:
echo -e "ssl_min_protocol = TLSv1.2
ssl = required
verbose_ssl = no
ssl_cert = </usr/local/etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/mail.example.org/privkey.pem
ssl_dh = </etc/ssl/dh2048_param.pem
# Fix 'The Logjam Attack'
ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
ssl_prefer_server_ciphers = yes" > /usr/local/etc/dovecot/conf.d/10-ssl.conf
Enable and start Dovecot:
service dovecot enable
service dovecot start
Then we create a new /usr/local/etc/dovecot/dovecot-sql.conf.ext file with:
Copy and paste the full echo command below into PuTTY and run it.
echo -e "driver = mysql
connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=vmailpassword
default_pass_scheme = SHA512-CRYPT
password_query = \\
SELECT username as user, password, '/var/vmail/%d/%n' as \\
userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \\
150 as userdb_uid, 150 as userdb_gid \\
FROM mailbox WHERE username = '%u' AND active = '1'
user_query = \\
SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \\
as vmail, 150 AS uid, 150 AS gid, \\
concat('dirsize:storage=', quota) AS quota \\
FROM mailbox WHERE username = '%u' AND active = '1'" > /usr/local/etc/dovecot/dovecot-sql.conf.ext
Make sure to edit /usr/local/etc/dovecot/dovecot-sql.conf.ext with the vmail password you made earlier.
Then set secure permissions on /usr/local/etc/dovecot/dovecot-sql.conf.ext with:
chmod 0600 /usr/local/etc/dovecot/dovecot-sql.conf.ext
Next create a new /usr/local/etc/dovecot/conf.d/10-auth.conf file with:
echo -e 'disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext' > /usr/local/etc/dovecot/conf.d/10-auth.conf
Next append to the /usr/local/etc/dovecot/conf.d/10-mail.conf file with the following:
echo -e 'mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
mail_gid = vmail
first_valid_uid = 150
last_valid_uid = 150' >> /usr/local/etc/dovecot/conf.d/10-mail.conf
Next we download a preconfigured Dovecot 10-master.conf file, and move it to /usr/local/etc/dovecot/conf.d/:
fetch https://the-slacker.com/download/10-master.conf
mv -f 10-master.conf /usr/local/etc/dovecot/conf.d/
Next append the following to /usr/local/etc/dovecot/conf.d/10-logging.conf file with the following echo command,
and direct the log files to the /var/log/dovecot directory:
First make /var/log/dovecot directory:
mkdir -p /var/log/dovecot
Then run echo command below:
echo -e '## Log destination.
##
log_path = /var/log/dovecot/dovecot.log
info_log_path = /var/log/dovecot/dovecot-info.log' >> /usr/local/etc/dovecot/conf.d/10-logging.conf
Dovecot Pigeonhole for Sieve and ManageSieve support.
Install dovecot-pigeonhole with MySQL support:
pkg install dovecot-pigeonhole-mysql
Next we'll need to copy the following example configuration files into the /usr/local/etc/dovecot/conf.d directory:
cp /usr/local/share/doc/dovecot/example-config/conf.d/90-sieve.conf /usr/local/etc/dovecot/conf.d/
cp /usr/local/share/doc/dovecot/example-config/conf.d/90-sieve-extprograms.conf /usr/local/etc/dovecot/conf.d/
cp /usr/local/share/doc/dovecot/example-config/conf.d/20-managesieve.conf /usr/local/etc/dovecot/conf.d/
We will need to create the following Dovecot configuration files now:
Create new /usr/local/etc/dovecot/conf.d/20-lmtp.conf file with the following echo command, and edit for your domain.
echo -e 'protocol lmtp {
postmaster_address = admin@example.org
mail_plugins = $mail_plugins sieve quota
log_path = /var/log/dovecot/dovecot-lmtp-errors.log
info_log_path = /var/log/dovecot/dovecot-lmtp.log
}' > /usr/local/etc/dovecot/conf.d/20-lmtp.conf
Create new /usr/local/etc/dovecot/conf.d/15-lda.conf file with the following echo command, and edit for your domain.
echo -e 'protocol lda {
postmaster_address = admin@example.org
mail_plugins = $mail_plugins sieve quota
auth_socket_path = /var/run/dovecot/auth-master
log_path = /var/log/dovecot/dovecot-lda-errors.log
info_log_path = /var/log/dovecot/dovecot-lda.log
}' > /usr/local/etc/dovecot/conf.d/15-lda.conf
Append the following to the /usr/local/etc/dovecot/conf.d/10-mail.conf file with this echo command.
echo -e 'mail_home = /var/vmail/%d/%n/sieve' >> /usr/local/etc/dovecot/conf.d/10-mail.conf
Create new /usr/local/etc/dovecot/conf.d/20-managesieve.conf file with the following echo command:
echo -e 'protocols = $protocols sieve
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service managesieve {
process_limit = 1024
}
protocol sieve {
log_path = /var/log/dovecot/dovecot-sieve-errors.log
info_log_path = /var/log/dovecot/dovecot-sieve.log
managesieve_max_line_length = 65536
managesieve_implementation_string = Dovecot Pigeonhole
}' > /usr/local/etc/dovecot/conf.d/20-managesieve.conf
Create new /usr/local/etc/dovecot/conf.d/90-sieve.conf file with the following echo command:
echo -e 'plugin {
sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/sieve/.dovecot.sieve
sieve_default = /usr/local/etc/dovecot/sieve/default.sieve
sieve_global = /usr/local/etc/dovecot/sieve/global/
}
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes' > /usr/local/etc/dovecot/conf.d/90-sieve.conf
Now we need to create some directories that are needed for our configuration to work:
mkdir -p /usr/local/etc/dovecot/sieve/global
chown -R vmail:vmail /usr/local/etc/dovecot/sieve/
mkdir /var/log/dovecot
chown vmail:vmail /var/log/dovecot
Then create the file /usr/local/etc/dovecot/sieve/default.sieve with the following commands.
It will send Spam to the Junk folder.
echo -e 'require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
}' > /usr/local/etc/dovecot/sieve/default.sieve
chown vmail:vmail /usr/local/etc/dovecot/sieve/default.sieve
Add www to the vmail group:
pw groupmod vmail -m www
That's it for Dovecot for now. Don't restart until after Postfix is setup.
-
Postfix
Install Postfix with MySQL support:
pkg install postfix-mysql
Then enable postfix and disable sendmail:
sysrc postfix_enable="YES"
sysrc sendmail_enable="NONE"
Then install the mailer.conf file for postfix:
install -d /usr/local/etc/mail
install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
We'll need to make a mysql directory for postfix:
mkdir -p /usr/local/etc/postfix/mysql
Now we'll create the 5 needed mysql map files with the needed content.
First the /usr/local/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf file:
echo -e "user = vmail
password = vmailpassword
hosts = 127.0.0.1:3306
dbname = vmail
query = SELECT goto FROM alias,alias_domain
WHERE alias_domain.alias_domain = '%d'
AND alias.address=concat('%u', '@', alias_domain.target_domain)
AND alias.active = 1" > /usr/local/etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cf
Second the /usr/local/etc/postfix/mysql/mysql_virtual_alias_maps.cf file:
echo -e "user = vmail
password = vmailpassword
hosts = 127.0.0.1:3306
dbname = vmail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_alias_maps.cf
Third the /usr/local/etc/postfix/mysql/mysql_virtual_domains_maps.cf file:
echo -e "user = vmail
password = vmailpassword
hosts = 127.0.0.1:3306
dbname = vmail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_domains_maps.cf
Fourth the /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf file:
echo -e "user = vmail
password = vmailpassword
hosts = 127.0.0.1:3306
dbname = vmail
query = SELECT maildir FROM mailbox, alias_domain
WHERE alias_domain.alias_domain = '%d'
AND mailbox.username=concat('%u', '@', alias_domain.target_domain )
AND mailbox.active = 1" > /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf
Fifth the /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf file:
echo -e "user = vmail
password = vmailpassword
hosts = 127.0.0.1:3306
dbname = vmail
table = mailbox
select_field = CONCAT(domain, '/', local_part)
where_field = username
additional_conditions = and active = '1'" > /usr/local/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf
Make sure to set your vmail database password created earlier in the 5 files just created.
Then set secure permissions on all the /etc/postfix/mysql/* files with:
chmod 0600 /usr/local/etc/postfix/mysql/*
Next download and install the /usr/local/etc/postfix/main.cf file that I use for this how-to, and of course adjust
for your domain and Let's Encrypt ssl certs:
fetch https://the-slacker.com/download/main.cf.freebsd
mv -f main.cf.freebsd /usr/local/etc/postfix/main.cf
Then download and install the needed aliases file for this mail serever, then run newaliases at the prompt.
Notice! - Before you run newaliases at the prompt, make sure to adjust the bottom line of the aliases file to
match the email address that gets root's mail.
fetch https://the-slacker.com/download/aliases
mv -f aliases /usr/local/etc/postfix/
Edit /usr/local/etc/postfix/aliases - At the bottom of the file change admin@example.org
to the address you want to get root's mail, then run:
newaliases
Then download and install the /usr/local/etc/postfix/master.cf file that I use for this how-to. Shouldn't have to make
any adjustments here:
fetch https://the-slacker.com/download/master.cf.freebsd
mv -f master.cf.freebsd /usr/local/etc/postfix/master.cf
Add Postfix to the Dovecot group with:
pw groupmod dovecot -m postfix
Restart Postfix:
service postfix start
service dovecot restart
That should do it for Postfix for now.
-
PostfixAdmin:
PostfixAdmin will be our mail admin panel. We will install it with:
pkg install postfixadmin33-php84
cd /usr/local/www
ln -s postfixadmin33 postfixadmin
cd postfixadmin
mkdir -p templates_c
chown www:www templates_c
Make a copy of config.inc.php to config.local.php and make your changes there:
cp /usr/local/www/postfixadmin/config.inc.php /usr/local/www/postfixadmin/config.local.php
chown root:www /usr/local/www/postfixadmin/config.local.php
chmod 0640 /usr/local/www/postfixadmin/config.local.php
Then we'll create the setup_password for postfixadmin. Copy, paste, and run all 7 lines of code
below at once to get postfixadmin setup and hashed setup passwords. The postfixadmin setup
password will be in the /root/SlackerMail/postfixadmin_setup.pass file, and the hashed password
that we use in config.local.php file will be in the /root/SlackerMail/postfixadmin_hashed.pass file.
mkdir -p /root/SlackerMail
PASSWD=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
echo $PASSWD > /root/SlackerMail/postfixadmin_setup.pass
SETUPPASS=$(cat /root/SlackerMail/postfixadmin_setup.pass)
HASHPASS=$(doveadm pw -p $SETUPPASS)
echo $HASHPASS | cut -c 8- > /root/SlackerMail/postfixadmin_setup_hashed.pass
chmod 0600 /root/SlackerMail/postfixadmin_setup.pass /root/SlackerMail/postfixadmin_setup_hashed.pass
Then enter the hashed password from /root/SlackerMail/postfixadmin_setup_hashed.pass in the
setup_password field in /usr/local/www/postfixadmin/config.local.php like below. I left all settings at
default values except what I changed below, and of course adjust for your domain and passwords.
Here are the settings I set in config.local.php:
$CONF['configured'] = true;
$CONF['setup_password'] = 'hashed-setup-password-here';
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'vmail';
$CONF['database_password'] = "vmailpassword";
$CONF['database_name'] = 'vmail';
$CONF['database_port'] = '3306';
//$CONF['database_socket'] = ''; Comment out, since we are using port instead of socket.
$CONF['admin_email'] = 'admin@example.org';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['dovecotpw'] = "/usr/local/bin/doveadm pw"; # FreeBSD
$CONF['default_aliases'] = array (
'abuse' => 'admin@example.org',
'hostmaster' => 'admin@example.org',
'postmaster' => 'admin@example.org',
'webmaster' => 'admin@example.org',
'virusalert' => 'admin@example.org',
'root' => 'admin@example.org'
);
$CONF['domain_path'] = 'NO';
$CONF['domain_in_mailbox'] = 'YES';
$CONF['footer_text'] = 'Return to example.org';
$CONF['footer_link'] = 'https://example.org';
$CONF['emailcheck_resolve_domain']='NO';
$CONF['password_expiration'] = 'NO';
Next create the needed postfixadmin tables for the vmail mysql database with:
php /usr/local/www/postfixadmin/public/upgrade.php
Then create the superadmin user for postfixadmin. The password and password2 must be the same
password that you want for the superadmin login of postfixadmin. The reason for entering the same
password twice is because of the postfixadmin setup script asking to confirm password.
chmod 0755 /usr/local/www/postfixadmin/scripts/postfixadmin-cli
/usr/local/www/postfixadmin/scripts/postfixadmin-cli admin add admin@example.org --superadmin 1 --active 1 --password admin-password --password2 admin-password
Then add your domain to postfixadmin. You can adjust --aliases, --mailboxes, and --description to whatever you want.
/usr/local/www/postfixadmin/scripts/postfixadmin-cli domain add example.org --aliases 100 --mailboxes 1000 --active 1 --description example.org
Lastly add the mailbox for admin@example.org, and again enter the same password twice. You can adjust --name and --quota to your liking.
/usr/local/www/postfixadmin/scripts/postfixadmin-cli mailbox add admin@example.org --name admin --quota 0 --active 1 --password roundcube-mailbox-password --password2 roundcube-mailbox-password
If Apache is your webserver:
service apache24 restart
service php_fpm restart
If Nginx is your webserver:
service nginx restart
service php_fpm restart
Now you should be able to login to postfixadmin at https://example.org/postfixadmin as admin@example.org
with your admin-password. After Roundcubemail is setup you will be able to login to your admin@example.org
mailbox with your roundcube-mailbox-password.
-
Roundcube Webmail Client:
Important! - Don't use any special characters in the roundcubemail database password, just upper and lower
case letters and numbers.
You can use the following commands to create a roundcube database password for you, or you can make up your
own password in the mysql creation of the roundcubemail database. You can adjust the length of the password by
changing "fold -w 24" to any number you want. The resulting password will be at:
/root/SlackerMail/roundcube_password.pass
PASSWD=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
echo $PASSWD > /root/SlackerMail/roundcube_password.pass
chmod 0600 /root/SlackerMail/roundcube_password.pass
We'll need to create the mysql database for roundcubemail with:
mysql -u root -p
CREATE DATABASE roundcubemail CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcube_password';
GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost';
FLUSH PRIVILEGES;
QUIT;
Then we'll install Roundcube with:
Note! Make sure to put your roundcube_password in the bottom mysql command directly after the -p without any quotes.
pkg install roundcube-php84 php84-gd php84-curl
Then run:
chown -R www /usr/local/www/roundcube
Then run the following:
cd /usr/local/www/roundcube
mysql -u roundcube roundcubemail -proundcube_password < SQL/mysql.initial.sql
Next I had to create a postfix file that roundcube expects:
echo '#submission header checks file' >> /usr/local/etc/postfix/submission_header_checks
You can setup Roundcube with the installer wizard, but it's easier for me to do it manually.
First we need to generate the 24 character Des-Key that Roundcube needs with:
DESKEY=$(cat /dev/urandom | LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
echo $DESKEY > /root/SlackerMail/roundcubemail.deskey
The 24-character-Des-Key will be at the /root/SlackerMail/roundcubemail.deskey.
Then download the needed /usr/local/www/roundcube/config/config.inc.php file, and adjust
for your domain, roudcube password, and 24-character-DES-Key with the following:
fetch https://the-slacker.com/download/config.inc.php.rcm.freebsd
mv -f config.inc.php.rcm.freebsd /usr/local/www/roundcube/config/config.inc.php
chown www:www /usr/local/www/roundcube/config/config.inc.php
chmod 0600 /usr/local/www/roundcube/config/config.inc.php
You'll need to edit the following fields in /usr/local/www/roundcube/config/config.inc.php:
$config['db_dsnw'] = 'mysql://roundcube:roundcube-password-here@localhost/roundcubemail';
$config['support_url'] = 'https://example.org';
$config['des_key'] = '24-character-Des-Key';
Now you need to download and setup the roundcubemail password plugin configuration file, so users can change passwords:
fetch https://the-slacker.com/download/config.inc.php.rcmp.freebsd
mv -f config.inc.php.rcmp.freebsd /usr/local/www/roundcube/plugins/password/config.inc.php
chmod 0600 /usr/local/www/roundcube/plugins/password/config.inc.php
chown www /usr/local/www/roundcube/plugins/password/config.inc.php
Then edit /usr/local/www/roundcube/plugins/password/config.inc.php and put the vmail mysql database password created earlier:
$config['password_db_dsn'] = 'mysql://vmail:mysql-vmail-database-password-here@localhost/vmail';
Your password plugin should be working now.
Note! - There are many options in the config file you may want to change to your liking, but this setup should have it working.
Lastly you'll need to remove the /usr/local/www/roundcube/installer directory for security reasons:
rm -rf /usr/local/www/roundcube/installer
Next restart nginx and php-fpm:
service nginx restart
service php_fpm restart
You should be able to login to Roundcube at https://example.org/mail.
Username: admin@example.org Password: admin@example.org mailbox password you created earlier while installing Postfixadmin.
-
Amavisd with ClamAV and SpamAssassin:
Install amavisd-new and enable:
pkg install amavisd-new
service amavisd enable
Download and install a preconfigured /usr/local/etc/amavisd.conf file:
fetch https://the-slacker.com/download/amavisd.freebsd.conf
mv -f amavisd.freebsd.conf /usr/local/etc/amavisd.conf
chown root:vscan /usr/local/etc/amavisd.conf
chmod 0640 /usr/local/etc/amavisd.conf
Edit /usr/local/etc/amavisd.conf, and change to match your domain and vmail database password.
Spamassassin is installed with Amavisd-New, so we need to update it's database:
sa-update
sa-compile
Install ClamAV:
pkg install clamav
After ClamAV is installed run the following sed command to set LocalSocketGroup vscan:
sed -i '' 's/#LocalSocketGroup virusgroup/LocalSocketGroup vscan/g' /usr/local/etc/clamd.conf
Then enable clamav and freshclam:
service clamav_freshclam enable
service clamav_clamd enable
Next add vscan to the clamav group and clamav to the vscan group:
pw groupmod clamav -m vscan
pw groupmod vscan -m clamav
Then start clamav_freshclam and clamav_clamd:
service clamav_freshclam start
Wait for about 1 minute, then:
service clamav_clamd start
We'll be using the DKIM perl module to verify and sign emails.
We'll first need to make our private and public keys (adjust for your domain) with:
openssl genrsa -out example.org.priv 2048
openssl rsa -in example.org.priv -pubout > example.org.pub
Then we'll install the DKIM keys:
mkdir -p /usr/local/etc/ssl/example.org
mv -f example.org.priv /usr/local/etc/ssl/example.org/example.org.pem
mv -f example.org.pub /usr/local/etc/ssl/example.org/
chown vscan:vscan /usr/local/etc/ssl/example.org/example.org.pem /usr/local/etc/ssl/example.org/example.org.pub
chmod 600 /usr/local/etc/ssl/example.org/example.org.pem
chmod 644 /usr/local/etc/ssl/example.org/example.org.pub
Edit /usr/local/etc/amavisd.conf:
Uncomment the dkim_key line, and change for your domain.
#dkim_key('example.org', 'dkim', '/usr/local/etc/ssl/example.org/example.org.pem');
Run the following line of piped commands to format your example.org.pub file for entering into a DNS Zone Record
for DKIM, and of course adjust for your domain:
sed '1d;$d' "/usr/local/etc/ssl/example.org/example.org.pub" | sed '1s/.*/v=DKIM1;p=&/' | tr -d '\n' > /root/SlackerMail/example.org.pub.txt
Then reboot to see if it's working:
reboot
It's coming around. At this point you can test the mail server out, and see how it's doing:
mail-tester.com - Great place to check if your mail server is sending mail properly. With this server I get a 10/10 score.
SSL Labs - Great place to check how your SSL implementation is working. I get a score of A+ with this server. You can
do this test with Let's Encrypt certs, but not self signed certs.
-
Fail2ban - Optional:
Fail2ban will limit malicious attacks to various services on your server by limiting the number of attempts from an ip
within a set amount of time, and then ban that ip for a set amount of time.
First we need to setup our PF firewall to work with Fail2ban. Edit /etc/pf.conf and put the following:
And of course adjust "vtnet0" to match your network interface.
ext_if = "vtnet0"
icmp_types = "{ echoreq unreach }"
table <fail2ban> persist
table <bruteforce> persist
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
240.0.0.0/4 255.255.255.255/32 }
set skip on lo
scrub in all fragment reassemble max-mss 1440
antispoof for $ext_if
block in on $ext_if from <rfc6890>
block return out on egress to <rfc6890>
block all
block quick proto tcp from <fail2ban> to any
pass in on $ext_if proto tcp to ($ext_if) port { 22 25 80 110 143 443 587 993 995 10000 } keep state
pass out all keep state
pass inet proto icmp icmp-type $icmp_types
pass log quick proto tcp from any to any port { 22,25,80,443 }
Then we need to install and enable Fail2ban:
pkg install py311-fail2ban
service fail2ban enable
Next we setup fail2ban. First we need to create the local fail2ban config files where we put our settings in.
Create the /etc/fail2ban/fail2ban.local file with needed content with the following echo command:
echo "[Definition]
# Option: loglevel. Default is ERROR
# Available options: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
loglevel = INFO
# Set the log target
logtarget = /var/log/fail2ban.log" > /usr/local/etc/fail2ban/fail2ban.local
Create the /etc/fail2ban/jail.local file with needed content with the following echo command:
Adjust to your liking.
echo "[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime = 3600
bantime = 604800
maxretry = 3
action = %(action_)s
banaction = pf
ignoreip = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" > /usr/local/etc/fail2ban/jail.local
You'll probably want to put your ip address at the end of the ignoreip line so fail2ban will ignore it, and of course you
can make changes to the "findtime", "bantime", and "maxretry" settings as you want.
Now we'll make a sshd fail2ban jail with the echo command below:
echo "[sshd]
enabled = true
port = ssh
filter = sshd" > /usr/local/etc/fail2ban/jail.d/sshd.conf
Then we'll need to replace the /usr/local/etc/fail2ban/filter.d/sshd.conf file with a sshd.conf file that will work with our
system.
fetch https://the-slacker.com/download/freebsd-fail2ban-sshd.conf
mv -f freebsd-fail2ban-sshd.conf /usr/local/etc/fail2ban/filter.d/sshd.conf
Now reboot to see if it's working:
reboot
After reboot check the /var/log/fail2ban.log to see if it's banning ip's.
Fail2ban Alternative:
I tried FreeBSD's blacklistd, but really couldn't get it to do what I wanted, plus it hasn't been maintained for 8 years. I
really don't like Fail2ban, so I'm going to see if I can do what I need to do without it. I may have to go back to fail2ban,
but maybe not.
1. SSHD - Optional:
Note! - The easiest and best way to prevent about 80%+ of sshd attacks is to change the port from 22 to some other port,
6000 for instance. I knew a guy that was a server provider for 20+ years, and that's the first thing he would do, and he proved
to me how well it worked.
Fail2ban will prevent malicious sshd attacks by limiting the number of sshd login attempts from an ip within a set amount
of time, and then ban them for a set amount of time. What I'm going to do with sshd is only allow a specific ip, or specific
ip's, to be able to ssh the server.
You'll need to edit /etc/host.allow:
At the top of the file comment:
#ALL : ALL : allow
Then somewhere below that add:
# sshd
sshd : 192.201.2.241 : allow
sshd : 127.0.0.1 : allow
sshd : ALL : deny
If you have multiple ip's you want to be able to access sshd, then enter a line for each one.
That's it for sshd. No need at all for Fail2ban with sshd. Nice and simple!
2. Postfix and Dovecot:
I've got the settings in the Postfix and Dovecot config files so they will prevent many attacks. I'm sure there are attacks I don't
have covered, but I'm going to try it like this without using Fail2ban to see how it goes.
3. Roundcube - Optional:
To prevent anyone but my ip address to access Roundcube I added some php code to /usr/local/www/roundcube/index.php:
Add the below code to the top of /usr/local/www/roundcube/index.php, just below <?php
$allowed_ip = '11.222.33.444'; // Replace with your allowed IP address
// Get the user's IP address
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$user_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$user_ip = $_SERVER['HTTP_CLIENT_IP'];
} else {
$user_ip = $_SERVER['REMOTE_ADDR'];
}
// Check if the user's IP matches the allowed IP
if ($user_ip !== $allowed_ip) {
die("Access denied."); // Stop script execution if IP does not match
}
Note! - I'll have to change this so multiple ip's can access Roundcube, so your email users can have access.
4. Postfixadmin - Optional:
To prevent anyone but my ip address to access Postfixadmin I added some php code to /usr/local/www/postfixadmin/public/index.php:
Add the below code to the top of /usr/local/www/postfixadmin/public/index.php, just below <?php
$allowed_ip = '11.222.33.444'; // Replace with your allowed IP address
// Get the user's IP address
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$user_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$user_ip = $_SERVER['HTTP_CLIENT_IP'];
} else {
$user_ip = $_SERVER['REMOTE_ADDR'];
}
// Check if the user's IP matches the allowed IP
if ($user_ip !== $allowed_ip) {
die("Access denied."); // Stop script execution if IP does not match
}
This is all I'm going to do with the "Fail2ban Alternative" for now.
-
Logwatch - Optional:
Logwatch parses through your system's logs and creates a report analyzing areas that you specify. It will send you an emailed
report daily.
Install logwatch:
pkg install logwatch
Copy, paste, and run the following echo cammand to create the daily running of logwatch:
echo '#!/bin/sh
/usr/local/sbin/logwatch.pl --output mail' > /usr/local/etc/periodic/daily/logwatch
Then make /usr/local/etc/periodic/daily/logwatch executable:
chmod 0755 /usr/local/etc/periodic/daily/logwatch
You can test to see if Logwatch is working by running the following:
periodic daily
You should get an email from Logwatch with your daily report.
That should do it for Logwatch.
-
Postgrey - Optional:
Postgrey is a tool used to help prevent spam. It will greylist incoming email from new senders, which means it will deny the
email initially for about 5 minutes, so the sender will have to reattempt before it is accepted. Most spammers don't reattempt.
Install Postgrey:
pkg install postgrey
Copy, paste, and run the below Sed command to activate Postgrey in Postfix:
sed -i '' 's/smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit/smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit/g' /usr/local/etc/postfix/main.cf
Enable Postgrey:
service postgrey enable
Restart Postfix:
service postfix restart
That should do it for Postgrey.
-
Netdata - Optional:
Netdata is a monitoring and troubleshooting tool with a very nice web based graphical interface. It has tons of info about your
server that you can use to troubleshoot problems. FreeBSD installs an older version of Netdata, so you'll see a warning to that
effect from Netdata.
Install Netdata:
First we need to install a required python package:
pkg install py311-mysql-connector-python-9.4.0
Then install Netdata:
pkg install netdata
Create Netdata database:
Create a netdata mysql user, and grant netdata ALL PRIVILEGES. Put your chosen password in the "mysql-netdata-password" field.
mysql -u root -p
CREATE USER 'netdata'@'localhost' IDENTIFIED BY 'mysql-netdata-password';
GRANT ALL PRIVILEGES ON *.* TO 'netdata'@'localhost';
FLUSH PRIVILEGES;
QUIT;
Setup Netdata user password:
I have Netdata set so authentication is required to sign into netdata, so you'll need to create a netdata.users file with username
and password. I have the user name set to netdata as you can see in the printf command below, but feel free to change that if
you want. You'll need to put the password you want in the password field in the printf command. The password will be hashed
in the /usr/local/etc/apache24/netdata.users or /usr/local/etc/nginx/netdata.users file.
For Apache webserver run the following:
printf "netdata:$(openssl passwd -apr1 password)" > /usr/local/etc/apache24/netdata.users
chown www:www /usr/local/etc/apache24/netdata.users
chmod 0400 /usr/local/etc/apache24/netdata.users
For Nginx webserver run the following:
printf "netdata:$(openssl passwd -apr1 password)" > /usr/local/etc/nginx/netdata.users
chown www:www /usr/local/etc/nginx/netdata.users
chmod 0400 /usr/local/etc/nginx/netdata.users
Next enable and start Netdata:
service netdata enable
service netdata start
I am now able to get to netdata at https://example.org/netdata.
nginx:
Got nginx to show up in netdata by doing the following:
touch /usr/local/etc/netdata/go.d/nginx.conf
chown netdata:netdata /usr/local/etc/netdata/go.d/nginx.conf
chmod 0640 /usr/local/etc/netdata/go.d/nginx.conf
Add the following to /usr/local/etc/netdata/go.d/nginx.conf
jobs:
- name: local
url: https://127.0.0.1/stub_status
tls_skip_verify: yes
apache:
Got apache to show up in netdata by doing the following:
touch /usr/local/etc/netdata/go.d/apache.conf
chown netdata:netdata /usr/local/etc/netdata/go.d/apache.conf
chmod 0640 /usr/local/etc/netdata/go.d/apache.conf
Add the following to /usr/local/etc/netdata/go.d/apache.conf
jobs:
- name: local
url: https://127.0.0.1/server-status?auto
tls_skip_verify: yes
mysql:
Got mysql to show up in netdata by doing the following:
touch /usr/local/etc/netdata/go.d/mysql.conf
chown netdata:netdata /usr/local/etc/netdata/go.d/mysql.conf
chmod 0400 /usr/local/etc/netdata/go.d/mysql.conf
Add the following to /usr/local/etc/netdata/go.d/mysql.conf with the mysql netdata password you created earlier:
jobs:
- name: local
dsn: netdata:mysql-netdata-password@tcp(127.0.0.1:3306)/
php-fpm:
Got php-fpm to show up in netdata by doing the following:
touch /usr/local/etc/netdata/go.d/phpfpm.conf
chown netdata:netdata /usr/local/etc/netdata/go.d/phpfpm.conf
chmod 0640 /usr/local/etc/netdata/go.d/phpfpm.conf
Add the following to /usr/local/etc/netdata/go.d/phpfpm.conf:
jobs:
- name: local
url: https://127.0.0.1/status
tls_skip_verify: yes
Restart Netdata to see if it's working properly:
service netdata restart
That should do it for Netdata for now.
-
SlackerMail-FreeBSD Install Script:
I haven't started on the install script yet, but will start on it soon. I'll do the manual install a few more times to work out any bugs,
then I'll start on the install script.
