1

Topic: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? standalone
- Linux/BSD distribution name and version: FreeBSD 12.0-RELEASE-p10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

To All,
  I recently found and used iRedMail as an exercise to learn and put an email solution in production.
  The following is an on-the-fly recording/"documentation" of my steps.
  I did the installation (multiple times varying configurations) on both local VM-Ware guests and on a VPS in a cloud service.

  I do not guarantee this will work for anyone else, but I hope it serves as a reference, as this setup is not the most traditional one people go for.
  Be sure to read and understand each step and instruction. Also, replace the domain, IP, passwords and any other info that is particular to your installation.
  I am copying & pasting the whole text in Markdown format, and also uploading it as an attachment, as the formatting options in the forum are limited.

# MyDomain
## Virtual Server: server.mydomain.com
### Server Status
```
Running       Yes up for 0 days, 0:00
Ping          No
Location      Australia
Host Node     node01, up 36 days
Storage Local SSD
```
### Network
```
Public IP      99.99.99.10
Subnet Mask    255.255.255.0
Default Route  99.99.99.1
Network MTU    1500
Name Servers   1.1.1.1 8.8.8.8
IPv6           Disabled
LAN IP         192.168.10.10
Reverse DNS    server.mydomain.com
Port Blocking  Enabled
Cloud Firewall Enabled
```
### Disk
```
Allocation  20 GB
Last Backup None
Oper System Reinstall
```
### External Firewall
```
[
{"sourceaddr":"99.99.99.10,192.168.10.10","destaddr":"0.0.0.0/0","destport":"22,3389","action":"DROP","description":"Port Blocking Clone","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"25","action":"ACCEPT","description":"Mail Server","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"465,587","action":"ACCEPT","description":"Mail: SMTP Encrypt","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"110,995","action":"ACCEPT","description":"Mail: pop3/pop3s","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"143,993","action":"ACCEPT","description":"Mail: imap/imaps","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"80,443","action":"ACCEPT","description":"WWW","protocol":"TCP"},
{"sourceaddr":"88.88.88.20","destaddr":"99.99.99.10","destport":"22","action":"ACCEPT","description":"Admin-vpn","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"","action":"DROP","description":"Close","protocol":"ALL"}
]
```
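As an added example (not part of angeloklin's post), this evaluates the external firewall rule set above the way the cloud firewall would, first match wins, and confirms that only the intended mail/web ports are reachable from outside while SSH is limited to the admin VPN address. The outside address 203.0.113.7 is constructed, and an implicit drop for unmatched traffic is an assumption.

```python
import ipaddress
import json

# Copy of the external firewall rule set shown above (same fields, same order).
RULES_JSON = """
[
{"sourceaddr":"99.99.99.10,192.168.10.10","destaddr":"0.0.0.0/0","destport":"22,3389","action":"DROP","description":"Port Blocking Clone","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"25","action":"ACCEPT","description":"Mail Server","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"465,587","action":"ACCEPT","description":"Mail: SMTP Encrypt","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"110,995","action":"ACCEPT","description":"Mail: pop3/pop3s","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"143,993","action":"ACCEPT","description":"Mail: imap/imaps","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"80,443","action":"ACCEPT","description":"WWW","protocol":"TCP"},
{"sourceaddr":"88.88.88.20","destaddr":"99.99.99.10","destport":"22","action":"ACCEPT","description":"Admin-vpn","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"","action":"DROP","description":"Close","protocol":"ALL"}
]
"""
RULES = json.loads(RULES_JSON)

def _addr_match(field, ip):
    """A field is a comma-separated list of host addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a.strip(), strict=False) for a in field.split(","))

def _port_match(field, port):
    """An empty destport means any port."""
    if not field.strip():
        return True
    return port in {int(p) for p in field.split(",")}

def evaluate(rules, src, dst, port, proto="TCP"):
    """First matching rule wins. Assumption: traffic matching no rule is dropped."""
    for r in rules:
        if r["protocol"] not in ("ALL", proto):
            continue
        if _addr_match(r["sourceaddr"], src) and _addr_match(r["destaddr"], dst) and _port_match(r["destport"], port):
            return r["action"], r["description"]
    return "DROP", "implicit default (assumed)"

def audit(rules, server="99.99.99.10", admin="88.88.88.20", outsider="203.0.113.7"):
    """Exposure checks for the mail host; 203.0.113.7 is a constructed outside address."""
    return {
        "smtp_from_outsider": evaluate(rules, outsider, server, 25)[0],
        "imaps_from_outsider": evaluate(rules, outsider, server, 993)[0],
        "ssh_from_admin": evaluate(rules, admin, server, 22)[0],
        "ssh_from_outsider": evaluate(rules, outsider, server, 22)[0],
        "rdp_from_outsider": evaluate(rules, outsider, server, 3389)[0],
        "pgsql_from_outsider": evaluate(rules, outsider, server, 5432)[0],
    }

if __name__ == "__main__":
    for check, action in audit(RULES).items():
        print(f"{check:20s} {action}")
```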

### FreeBSD Install
#### FreeBSD Image
```
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.0/FreeBSD-12.0-RELEASE-amd64-disc1.iso
```
#### Server Name
```
server.mydomain.com
```
#### Disk
```
vtdb0      20 GB   GPT
  vtdb0p1  512 KB  freebsd-boot
  vtdb0p2  18 GB   freebsd-ufs   /
  vtdb0p3  2.0 GB  freebsd-swap  none
```
#### Kernels
```
- base
- kernel
```
#### Users / Password
```
- `root` / `rootpass`
- `sysadmin` / `syspass`
```
#### Network
```
Public IP      99.99.99.10
Subnet Mask    255.255.255.0
Default Route  99.99.99.1
IPv6           Disabled
Name Servers   1.1.1.1 8.8.8.8
```
#### Services
```
- sshd
- ntpd
```
#### Config
- Edit `/etc/rc.conf`

```
# vi /etc/rc.conf
    #! append -tso -lro to ifconfig_vtnet0
```

- Edit `/etc/ssh/sshd_config`

```
# vi /etc/ssh/sshd_config

    PermitRootLogin no
```

- Edit `/etc/login.conf`

```
# vi /etc/login.conf

    # Change for your region/code
    default:\
            :charset=en_AU.UTF-8:\
            :lang=en_AU.UTF-8:\
            :setenv=LC_COLLATE=en_AU.UTF-8:\
    . . .
    root:\
            :charset=en_AU.UTF-8:\
            :lang=en_AU.UTF-8:\
            :setenv=LC_COLLATE=en_AU.UTF-8:\
    . . .
    postgres:\
            :charset=en_AU.UTF-8:\
            :lang=en_AU.UTF-8:\
            :setenv=LC_COLLATE=en_AU.UTF-8:\
            :tc=default:
```

- Update login db

```
# cap_mkdb /etc/login.conf
```

- Update FreeBSD

```
# freebsd-update fetch
# freebsd-update install
```

- Update FreeBSD Packages

```
# pkg update
# pkg upgrade
```

- Update Certificates

```
# pkg install -y ca_root_nss
# service ntpd onefetch
```

- Install Bash and AlterMime
    - **Note**: The `Altermime` build is broken and has no maintainer, but it can still be installed from the binary package.

```
# pkg install -y bash
# pkg install -y altermime
```

- Install Ports

```
# portsnap fetch
# portsnap extract
# portsnap update
```

### iRedMail Install
#### References
- [iRedMail Documentation](https://docs.iredmail.org/index.html)
- [How to install iRedMail on FreeBSD](https://docs.iredmail.org/install.iredmail.on.freebsd.html)
- [iRedMail](https://www.iredmail.org/download.html)

#### Install Using:
- Dovecot 2.3  # default is 2.2
- OpenSSL 1.1.1  # default is LibreSSL, but it does not work with TLS1.3 yet
- Perl 5.30  # default is 5.20
- PHP 7.3  # default is 5.x
- PostgreSQL 11.5  # default is 9.5
- Python 2.7  # not working with python 3 yet
- RoundCube 1.3.9  # default is 1.3.8

#### Download iRedMail
- Copy `iRedMail` to the server

```
# curl -LO https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2
# chown root:wheel iRedMail-0.9.9.tar.bz2
# tar xjf iRedMail-0.9.9.tar.bz2
# chown -R root:wheel iRedMail-0.9.9
```

#### Update the package

- Edit `./iRedMail/conf/*`

```
# vi ./conf/dovecot
    export DOVECOT_VERSION='2.3'
```
```
# vi ./conf/global
    export LC_ALL=en_AU.UTF-8
    export LC_CTYPE=en_AU.UTF-8
    export LANG=en_AU.UTF-8
```
```
# vi ./conf/postgresql
    export PGSQL_VERSION='11' # under FREEBSD
```
```
# vi ./conf/roundcube
    export RCM_VERSION='1.3.9'
```
```
# vi ./conf/web_server
    export HTTPD_DOCUMENTROOT='/usr/local/www/html'
```

- **Note**: Attention to `DEFAULT_VERSIONS`
- **Note**: Attention to `LICENSES_ACCEPTED`
- **Note**: Don't install Altermime from source
- **Note**: There is no php-mcrypt in PHP 7.3

```
# vi ./iRedMail/functions/packages_freebsd.sh
    export PGSQL_VERSION='11'
    export PREFERRED_PHP_VER='73'
    . . .
    freebsd_make_conf_add 'DEFAULT_VERSIONS' 'ssl=openssl111 python=2.7 python2=2.7 pgsql=11 php=7.3'
    freebsd_make_conf_plus_option 'LICENSES_ACCEPTED' 'DCC'
    . . .
    OPTIONS_FILE_UNSET+=ALTERMIME
    . . .
    #! change references from perl5.20 to perl5.30
    . . .
    #! remove
    OPTIONS_FILE_SET+=MCRYPT
    . . .
    #! remove from the line `ALL_PORTS="${ALL_PORTS}...`
    security/php${PREFERRED_PHP_VER}-mcrypt
    . . .
    #! Remove from build (set to _UNSET), references to ALTERMIME, DOCS, MANPAGE, EXAMPLES
```

- **Note**: Update Nginx ssl syntax

```
# vi ./samples/nginx/sites-available/00-default-ssl.conf
    listen PH_HTTPS_PORT ssl http2;
```
```
# vi ./samples/nginx/templates/ssl.tmpl
    #! Remove the line with `ssl on;`
    ssl on;
```

- Check Flags

```
# grep -ER "(ALTERMIME|DOCS|MANPAGE|EXAMPLES)" * | grep _SET
```

- Correct Python syntax

```
# find . -name "*.py" -print -exec grep ", e:" {} \;
#! Replace `, e:` with ` as e:` in `except` clauses
```

#### Run Installer
```
# bash iRedMail.sh

Mail storage path      : /var/vmail
PostGreSQL password    : pgpass
First domain name      : mydomain.com
postmaster@mydomain.com: postpass
```
```
***************************** WARNING ***********************************
* Below file contains sensitive infomation (username/password), please  *
* do remember to *MOVE* it to a safe place after installation.          *
*                                                                       *
*   * /tmp/iRedMail-0.9.9/config
*************************************************************************

* Storage base directory:               /var/vmail
* Mailboxes:
* Daily backup of SQL/LDAP databases:
* Store mail accounts in:               PostgreSQL
* Web server:                           Nginx
* First mail domain name:               mydomain.com
* Mail domain admin:                    postmaster@mydomain.com
* Additional components:                iRedAdmin
```
#### Post Configurations
- Fix ownership and permissions

```
# chown -R iredadmin:iredadmin /usr/local/www/iRedAdmin-*
# chmod -R 555 /usr/local/www/iRedAdmin-*
```

- Edit `/etc/rc.conf.local`

```
# vi /etc/rc.conf.local

    postgresql_class="postgres"
```

- Remove Sogo references as it was not installed

```
# vi /var/vmail/backup/backup_pgsql.sh
    # export DATABASES='vmail roundcubemail amavisd iredadmin sogo iredapd'
    export DATABASES='vmail roundcubemail amavisd iredadmin iredapd'
```

## REBOOT

### SSL Certificate
#### References
- [Request a free cert from Let's Encrypt](https://docs.iredmail.org/letsencrypt.html)
- [certbot instructions](https://certbot.eff.org/lets-encrypt/freebsd-nginx)
- [How to secure Nginx Let's Encrypt. FreeBSD](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd)
- [SPF - TXT Record](https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability)

#### DNS Records
- Summary

```
Subdomain        Record Type  IP Address/Hostname
@                CAA          128 issue "letsencrypt.org"
@                TXT          v=spf1 +ip4:99.99.99.10 ~all
dkim._domainkey  TXT          v=DKIM1; p=xxxxxxxxxx;
_dmarc           TXT          v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com;
```
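As an added example (not part of angeloklin's post), this parses the DNS summary above and checks the properties that matter for mail authentication and certificate issuance: a single SPF record that lists the server and ends in a soft or hard fail, a DMARC policy that actually enforces with strict alignment and a report address, a CAA record pinned to Let's Encrypt, and a DKIM record whose `p=` looks like a real key rather than the `xxxxxxxxxx` placeholder.

```python
import re

# Copy of the DNS summary above; the DKIM public key is the page's own placeholder.
ZONE = """\
@                CAA          128 issue "letsencrypt.org"
@                TXT          v=spf1 +ip4:99.99.99.10 ~all
dkim._domainkey  TXT          v=DKIM1; p=xxxxxxxxxx;
_dmarc           TXT          v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com;
"""

def parse_zone(text):
    """Return (name, type, value) tuples from the three-column summary format."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            records.append(tuple(parts))
    return records

def parse_tags(value):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def check_records(records, server_ip, ca="letsencrypt.org"):
    """Return check name -> bool for the SPF, DKIM, DMARC and CAA records."""
    def values(name, rtype):
        return [v for n, t, v in records if n == name and t == rtype]

    spf = [v for v in values("@", "TXT") if v.startswith("v=spf1")]
    dmarc = [v for v in values("_dmarc", "TXT") if v.startswith("v=DMARC1")]
    dkim = [v for v in values("dkim._domainkey", "TXT") if "v=DKIM1" in v]
    checks = {
        "spf_single": len(spf) == 1,  # more than one SPF record is a permerror
        "dmarc_single": len(dmarc) == 1,
        "dkim_present": len(dkim) == 1,
        "caa_restricts_issuer": any(f'issue "{ca}"' in v for v in values("@", "CAA")),
    }
    if spf:
        terms = spf[0].split()
        checks["spf_lists_server"] = f"ip4:{server_ip}" in [t.lstrip("+") for t in terms]
        checks["spf_ends_with_all"] = terms[-1] in ("~all", "-all")
    if dmarc:
        tags = parse_tags(dmarc[0])
        checks["dmarc_enforcing"] = tags.get("p") in ("quarantine", "reject")
        checks["dmarc_has_rua"] = tags.get("rua", "").startswith("mailto:")
        checks["dmarc_strict_alignment"] = tags.get("adkim") == "s" and tags.get("aspf") == "s"
    if dkim:
        key = parse_tags(dkim[0]).get("p", "")
        # A real RSA public key is a long base64 blob; the placeholder above fails this.
        checks["dkim_key_looks_real"] = len(key) >= 200 and re.fullmatch(r"[A-Za-z0-9+/]+=*", key) is not None
    return checks

if __name__ == "__main__":
    for name, ok in check_records(parse_zone(ZONE), "99.99.99.10").items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Paste the TXT/CAA answers from `drill` or `nslookup` into `ZONE` in the same three-column form to check a live zone.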

#### Check DNS Zones
```
# whois mydomain.com
# drill mydomain.com
# drill mx mydomain.com
# drill server.mydomain.com
# drill www.mydomain.com
# drill mail.mydomain.com

# nslookup mydomain.com
# nslookup server.mydomain.com
# nslookup mail.mydomain.com
# nslookup www.mydomain.com
# nslookup -q=a mydomain.com
# nslookup -q=cname mydomain.com

```

#### Install
```
# pkg install -y py27-certbot

# certbot certonly --webroot --rsa-key-size 4096 -m postmaster@mydomain.com --agree-tos --preferred-challenges http-01 --hsts --staple-ocsp -w /usr/local/www/html -d mydomain.com -d server.mydomain.com -d www.mydomain.com -d mail.mydomain.com

# chmod 0755 /usr/local/etc/letsencrypt/{live,archive}
```

#### Check / Set Renewal
```
# certbot renew --dry-run

# crontab -e
    # Minute Hour DayOfMonth Month DayOfWeek Cmd
    # SSL certificate renewal with Let's Encrypt
      23     15   *          *     4         /usr/local/bin/certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'
```

#### Use SSL Certificates
```
# rm -rf /etc/ssl/certs/iRedMail.crt
# ln -s /usr/local/etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/ssl/certs/iRedMail.crt

# rm -rf /etc/ssl/private/iRedMail.key
# ln -s /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem /etc/ssl/private/iRedMail.key
```

### Upgrade Modules
#### Upgrade iRedAdmin
- **Note**: Looks like a new build already points to 0.9.8

```
set old=0.9.6
set new=0.9.8
# curl https://dl.iredmail.org/yum/misc/iRedAdmin-${new}.tar.bz2 --output iRedAdmin-${new}.tar.bz2
# tar xjf iRedAdmin-${new}.tar.bz2
# cd iRedAdmin-${new}/tools/
# bash upgrade_iredadmin.sh | tee upgrade_iredadmin.tee.log
# ls -l /usr/local/www/iRedAdmin*
# rm -rf /usr/local/www/iRedAdmin-${old}
# chown -R iredadmin:iredadmin /usr/local/www/iRedAdmin-${new}
# chmod -R 555 /usr/local/www/iRedAdmin-${new}
unset old
unset new
```
#### Upgrade iRedAPD
- **Note**: Looks like a new build already points to 3.1

```
set old=2.7
set new=3.1
# curl https://dl.iredmail.org/yum/misc/iRedAPD-${new}.tar.bz2 --output iRedAPD-${new}.tar.bz2
# tar xjf iRedAPD-${new}.tar.bz2
# cd iRedAPD-${new}/tools/
# bash upgrade_iredapd.sh | tee upgrade_iredapd.tee.log
# ls -l /opt/iRedAPD*
# rm -rf /opt/iRedAPD-${old}
unset old
unset new
```
#### Upgrade mlmmjadmin
- **Note**: Just preparing for the future; the current version is already the latest

```
set old=2.1
set new=2.1
# curl https://dl.iredmail.org/yum/misc/mlmmjadmin-${new}.tar.gz --output mlmmjadmin-${new}.tar.gz
# tar xzf mlmmjadmin-${new}.tar.gz
# cd mlmmjadmin-${new}/tools/
# bash upgrade_mlmmjadmin.sh | tee upgrade_mlmmjadmin.tee.log
# # ls -l /opt/mlmmjadmin*
# # rm -rf /opt/mlmmjadmin-${old}
unset old
unset new
```

### Add Security
#### WWW
- References
    - [How to Implement Security HTTP Headers to Prevent Vulnerabilities?](https://geekflare.com/http-header-implementation/)
    - [Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
    - [Feature-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)

```
# vi /usr/local/etc/nginx/templates/ssl.tmpl
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:!DSS:!aNULL:!MD5";

    ssl_dhparam /etc/ssl/dh2048_param.pem;

    ssl_certificate /etc/ssl/certs/iRedMail.crt;
    ssl_certificate_key /etc/ssl/private/iRedMail.key;

    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    # More security
    ssl_ecdh_curve secp384r1;

    # Enable OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/mydomain.com/chain.pem;

    resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
    resolver_timeout 5s;
```
```
# vi /usr/local/etc/nginx/conf-available/headers.conf
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Origin "*" always;
add_header Content-Security-Policy "connect-src 'self' https:";
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'";
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Expect-CT "enforce, max-age=300, report-uri='https://mydomain.com/'";
add_header Feature-Policy "geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';";
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Download-Options noopen;
add_header X-Frame-Options sameorigin;
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header X-Robots-Tag none;
add_header X-XSS-Protection "1; mode=block";
```

## Restart Services
```
# service postfix restart
# service dovecot restart
# service nginx restart
# service postgresql restart

## OR restart server
# shutdown -r +10s
```

## Verification
- [Qualys-SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com)

### Tests
- [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com)
- [MX Lookup](https://mxtoolbox.com/domain/mydomain.com/)

```
# openssl s_client -showcerts -connect mydomain.com:443
# curl -I http://mydomain.com
# curl -I https://mydomain.com
```
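As an added example (not part of angeloklin's post), this parses `curl -I` output like the two requests above and checks that plain HTTP redirects to HTTPS and that the HTTPS response carries the hardening headers configured in `headers.conf` (HSTS of at least one year with `includeSubDomains`, `nosniff`, frame options, referrer policy, a CSP). The response text is constructed, not a real capture.

```python
import re

# Constructed `curl -I` output for the two checks above (not a real capture).
HTTP_HEAD = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://mydomain.com/
Content-Type: text/html
"""

HTTPS_HEAD = """\
HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: sameorigin
referrer-policy: no-referrer
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
x-xss-protection: 1; mode=block
"""

def parse_head(raw):
    """Return (status code, {lower-case header name: [values]}) from `curl -I` text."""
    lines = [l for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def hsts_ok(headers, min_age=31536000):
    """HSTS present, at least one year, and covering subdomains (as set in headers.conf above)."""
    for v in headers.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", v)
        if m and int(m.group(1)) >= min_age and "includesubdomains" in v.lower():
            return True
    return False

def check_site(http_raw, https_raw):
    """Plain HTTP must redirect to HTTPS; the HTTPS response must carry the hardening headers."""
    http_status, http_hdr = parse_head(http_raw)
    https_status, hdr = parse_head(https_raw)
    location = http_hdr.get("location", [""])[0]
    return {
        "http_redirects_to_https": http_status in (301, 302, 307, 308) and location.startswith("https://"),
        "https_ok": https_status == 200,
        "hsts": hsts_ok(hdr),
        "nosniff": hdr.get("x-content-type-options", []) == ["nosniff"],
        "frame_options": any(v.lower() in ("sameorigin", "deny") for v in hdr.get("x-frame-options", [])),
        "referrer_policy": "no-referrer" in hdr.get("referrer-policy", []),
        "csp_present": bool(hdr.get("content-security-policy")),
    }

if __name__ == "__main__":
    for name, ok in check_site(HTTP_HEAD, HTTPS_HEAD).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Feed the real output of `curl -sI http://mydomain.com` and `curl -sI https://mydomain.com` to `check_site` in place of the constructed strings.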

### Post Configuration
- [Testing Email Score and Placement](https://www.mail-tester.com): After creating PTR, SPF, DKIM records.

## Ports maintenance
### References
- [A closer look at portmaster](https://forums.freebsd.org/threads/guide-a-closer-look-at-portmaster.61826/)
- [How to use portmaster to update ports](https://www.iceflatline.com/2013/02/how-to-use-portmaster-to-update-ports/)

### Alternatives to `portmaster`
- poudriere
    - [Fresh ports](https://www.freshports.org/ports-mgmt/poudriere)
    - [homepage](https://github.com/freebsd/poudriere/wiki)
- synth
    - [Fresh ports](https://www.freshports.org/ports-mgmt/synth)
    - [homepage](https://subatomicsolutions.org/8-freebsd/15-synth-ports-mgmt-synth)
    - [github](https://github.com/jrmarino/synth)

### Install portmaster
```
# cd /usr/ports/ports-mgmt/portmaster
# make clean
# make config
# make install
# make clean
```
```
# cp /usr/local/etc/portmaster.rc.sample /usr/local/etc/portmaster.rc
# vi /usr/local/etc/portmaster.rc
    BACKUP=bopt
    PM_LOG=/var/log/portmaster.log
```
```
# portsnap fetch update
# portmaster -L | more
# portmaster -nadwv # dry-run
# portmaster -adwv
```
Post's attachments

iRedMail-099-FreeBSD-Pg-mydomain.md 15.29 kb, 1 downloads since 2019-10-03 


2

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

Thanks for sharing. You should try iRedMail-1.0-beta1 instead, it supports FreeBSD 12 with latest ports tree.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

ZhangHuangbin wrote:

Thanks for sharing. You should try iRedMail-1.0-beta1 instead, it supports FreeBSD 12 with the latest ports tree.

I might give it a try in a development environment, but now the code is in production.

BTW: Is there a timeline / ETA for the release of 1.0?

Thanks

4

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

angeloklin wrote:

BTW: Is there a timeline / ETA for the release of 1.0?

Pretty close. We will release new iRedAPD-3.2 soon, and ship it in iRedMail-1.0-beta2.


5

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

I am unable to install on FreeBSD. It won't compile with Dovecot 2.3.8. I receive the error message about Dovecot not finding health-check.sh and an error code of 74. Any ideas?

6

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

dbetts22 wrote:

I am unable to install on FreeBSD. It won't compile with Dovecot 2.3.8. I receive the error message about Dovecot not finding health-check.sh and an error code of 74. Any ideas?

I installed a few weeks ago.
Back then the Dovecot version was 2.3.7.2_1.
I would suggest checking Freshports (*) and seeing if there are any errors.
Check any FreeBSD and Dovecot forums also.
Always good to fetch/update pkg/ports (portsnap) to ensure you have the latest packages or info to compile the code.

(*) https://www.freshports.org/mail/dovecot

7

Re: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3

angeloklin wrote:
dbetts22 wrote:

I am unable to install on FreeBSD. It won't compile with Dovecot 2.3.8. I receive the error message about Dovecot not finding health-check.sh and an error code of 74. Any ideas?

I installed a few weeks ago.
Back then the Dovecot version was 2.3.7.2_1.
I would suggest checking Freshports (*) and seeing if there are any errors.
Check any FreeBSD and Dovecot forums also.
Always good to fetch/update pkg/ports (portsnap) to ensure you have the latest packages or info to compile the code.

(*) https://www.freshports.org/mail/dovecot

Yep, did that; the port was just updated to 2.3.8. Running iRedMail on CentOS 7 but want to switch to FreeBSD, as my web server runs FreeBSD.