FreeBSD 12: Mail Server Installation

QMail HOWTO (2016)

$ pkg install mysql57-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        mysql57-server: 5.7.26_1
        perl5: 5.28.2
        curl: 7.65.1
        libnghttp2: 1.39.1
        ca_root_nss: 3.45
        protobuf: 3.7.1,1
        libevent: 2.1.10
        libedit: 3.1.20190324,1
        mysql57-client: 5.7.26
        cyrus-sasl: 2.1.27
        liblz4: 1.9.1,1

Number of packages to be installed: 11

The process will require 285 MiB more space.
35 MiB to be downloaded.

Proceed with this action? [y/N]:

[...]

Message from ca_root_nss-3.45:

********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem

***************************************************************************
Message from perl5-5.28.2:

The /usr/bin/perl symlink has been removed starting with Perl 5.20.
For shebangs, you should either use:

#!/usr/local/bin/perl

or

#!/usr/bin/env perl

The first one will only work if you have a /usr/local/bin/perl,
the second will work as long as perl is in PATH.
Message from cyrus-sasl-2.1.27:

You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use SRP mechanism, install
      ports/security/cyrus-sasl2-srp.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.
Message from mysql57-client-5.7.26:

* * * * * * * * * * * * * * * * * * * * * * * *

This is the mysql CLIENT without the server.
for complete server and client, please install databases/mysql57-server

* * * * * * * * * * * * * * * * * * * * * * * *
Message from mysql57-server-5.7.26_1:

*****************************************************************************

Remember to run mysql_upgrade the first time you start the MySQL server
after an upgrade from an earlier version.

Initial password for first time use of MySQL is saved in $HOME/.mysql_secret
ie. when you want to use "mysql -u root -p" first you should see password
in /root/.mysql_secret

MySQL57 has a default %%ETCDIR%%/my.cnf,
remember to replace it wit your own
or set `mysql_optfile="$YOUR_CNF_FILE` in rc.conf.

*****************************************************************************


$ cat /etc/rc.conf
[...]
mysql_enable="YES"
mysql_dbdir="/db/mysql"
[...]

$ service mysql-server start
/usr/local/etc/rc.d/mysql-server: WARNING: failed precmd routine for mysql
$ mkdir /db
$ mkdir /db/mysql
$ service mysql-server start
Starting mysql.

How to Install MariaDB 10.3 on FreeBSD 12
MySQL unter FreeBSD: Installation

===> Creating groups.
Using existing group 'mysql'.
===> Creating users
Using existing user 'mysql'.
[5/5] Extracting mariadb104-server-10.4.6: 100%
Message from mariadb104-client-10.4.6:

************************************************************************

MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc and /usr/local/etc/mysql.

************************************************************************
Message from mariadb104-server-10.4.6:

************************************************************************

Remember to run mysql_upgrade (with the optional --datadir=<dbdir> flag)
the first time you start the MySQL server after an upgrade from an
earlier version.

MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc and /usr/local/etc/mysql.

This port does NOT include the mytop perl script, this is included in
the MariaDB tarball but the most recent version can be found in the
databases/mytop port

************************************************************************

 service mysql-server start
Installing MariaDB/MySQL system tables in '/var/db/mysql' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system


Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is root@localhost, it has no password either, but
you need to be the system 'root' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '/usr/local' ; /usr/local/bin/mysqld_safe --datadir='/var/db/mysql'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/local/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
Get Involved
Starting mysql. # mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and haven't set the root password yet, you should just press enter here. Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password or using the unix_socket ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have your root account protected, so you can safely answer 'n'. Switch to unix_socket authentication [Y/n] n ... skipping. You already have your root account protected, so you can safely answer 'n'. Change the root password? [Y/n] y New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] n ... skipping. By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!

1. Installation

/head/mail/qmail-tls/Makefile

=============================================

ATTENTION

Add the following line to your /etc/make.conf
QMAIL_SLAVEPORT=tls

=============================================

install  -m 0644 /usr/ports/mail/qmail-tls/work/qmail.conf /usr/ports/mail/qmail-tls/work/stage/usr/local/etc/man.d/qmail.conf
===> Fixing plist for /var/qmail ownership
/bin/rm -f -r /usr/ports/mail/qmail-tls/work/stage/var/qmail/queue/
====> Compressing man pages (compress-man)
===>  Installing for netqmail-tls-1.06.20160918_2
===>  Checking if netqmail-tls is already installed
===>   Registering installation for netqmail-tls-1.06.20160918_2
pkg-static: Warning: @exec is deprecated, please use @[pre|post][un]exec
Installing netqmail-tls-1.06.20160918_2...
===> Creating groups.
Creating group 'qmail' with gid '82'.
Creating group 'qnofiles' with gid '81'.
===> Creating users
Creating user 'alias' with uid '81'.
Creating user 'qmaild' with uid '82'.
Creating user 'qmaill' with uid '83'.
Creating user 'qmailp' with uid '84'.
Creating user 'qmailq' with uid '85'.
Creating user 'qmailr' with uid '86'.
Creating user 'qmails' with uid '87'.
Your hostname is samsung-bsd.
hard error
Sorry, I couldn't find your host's canonical name in DNS.
You will have to set up control/me yourself.
        ATTENTION:

Do not forget to read /var/qmail/doc/TLS.readme. After all,
this is NOT our old stock qmail.

You can enable qmail as your default mailer executing:
> /var/qmail/scripts/enable-qmail

==> As you need to provide a working certificate in /var/qmail/control/cert.pem :

# makes a self-signed certificate
3) do "make certificate"

# makes a certificate request
4) do "make certificate-req"

===> SECURITY REPORT:
      This port has installed the following binaries which execute with
      increased privileges.
/var/qmail/bin/qmail-queue

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://inoa.net/qmail-tls/

=============================================

$ make certificate

${OPENSSLBASE}/bin/openssl req -new -x509 -nodes \
    -out ${WRKDIR}/servercert.pem -days 366 \
    -keyout ${WRKDIR}/servercert.pem ; \
${INSTALL} -o qmaild -g qmail -m 0640 ${WRKDIR}/servercert.pem ${PREFIX}/control/servercert.pem ; \
${OPENSSLBASE}/bin/openssl ciphers > ${QMAIL_PREFIX}/control/tlsclientciphers ; \
${OPENSSLBASE}/bin/openssl ciphers > ${QMAIL_PREFIX}/control/tlsserverciphers ; \


=============================================

sendmail_enable="NONE"

vs.

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

===>   NOTICE:

The ucspi-tcp port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port

[...]

===>   NOTICE:

The ucspi-tcp port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/bin/tcpserver

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://cr.yp.to/ucspi-tcp.html
Installing dovecot-2.3.7_4...
===> Creating groups.
Creating group 'dovecot' with gid '143'.
Creating group 'dovenull' with gid '144'.
===> Creating users
Creating user 'dovecot' with uid '143'.
Creating user 'dovenull' with uid '144'.
---------------------------------------------------------------------

 You must create the configuration files yourself. Copy them over
 to /usr/local/etc/dovecot and edit them as desired:

        cp -R /usr/local/etc/dovecot/example-config/* \
                /usr/local/etc/dovecot

 The default configuration includes IMAP and POP3 services, will
 authenticate users agains the system's passwd file, and will use
 the default /var/mail/$USER mbox files.

 Next, enable dovecot in /etc/rc.conf:

        dovecot_enable="YES"


---------------------------------------------------------------------

 To avoid a risk of mailbox corruption, do not set the
 security.bsd.see_other_uids or .see_other_gids sysctls to 0
 if Dovecot is storing mail for multiple concurrent users (PR 218392).

---------------------------------------------------------------------

 If you want to be able to search within attachments using the
 decode2text plugin, you'll need to install textproc/catdoc, and
 one of graphics/xpdf or graphics/poppler-utils.

---------------------------------------------------------------------

 There are some potentially breaking changes in Dovecot 2.3. If you
 are upgrading from Dovecot 2.2:

   * Read https://wiki2.dovecot.org/Upgrading/2.3
   * Merge the configuration file changes from
     /usr/local/etc/dovecot/examples-config/

---------------------------------------------------------------------

===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/dovecot/libdovecot.so.0.0.0
/usr/local/lib/dovecot/libdovecot.a(net.o)

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/dovecot

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.dovecot.org/
===>  Cleaning for pkgconf-1.6.1,1
===>  Cleaning for dovecot-2.3.7_4
===>  Installing for spamassassin-3.4.2_3
===>  Checking if spamassassin is already installed
===>   Registering installation for spamassassin-3.4.2_3
Installing spamassassin-3.4.2_3...
===> Creating groups.
Creating group 'spamd' with gid '58'.
===> Creating users
Creating user 'spamd' with uid '58'.
==========================================================================

You should complete the following post-installation tasks:

        1) Read /usr/local/share/doc/spamassassin/INSTALL
           and /usr/local/share/doc/spamassassin/UPGRADE
           BEFORE enabling SpamAssassin for important changes

        2) Edit the configuration in /usr/local/etc/mail/spamassassin,
           in particular /usr/local/etc/mail/spamassassin/init.pre
           You may get lots of annoying (but harmless) error messages
           if you skip this step.

        3) To run spamd, add the following to /etc/rc.conf:
           spamd_enable="YES"

        4) If this is a new installation, you should run sa-update
           and sa-compile. If this isn't a new installation, you
           should probably run those commands on a regular basis
           anyway.

        5) Install mail/spamass-rules if you want some third-party
           spam-catching rulesets

SECURITY NOTE:
By default, spamd runs as root (the AS_ROOT option). If you wish
to change this, add the following to /etc/rc.conf:

        spamd_flags="-u spamd -H /var/spool/spamd"

==========================================================================

$ /usr/local/bin/sa-update
$ /usr/local/bin/sa-compile

					

Leave a Reply

Your email address will not be published. Required fields are marked *