Topic: Step-by-step install:iRedMail099/FreeBSD12/Postgres11.5/PHP7.3/Perl5.3
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? standalone
- Linux/BSD distribution name and version: FreeBSD 12.0-RELEASE-p10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
To All,
I recently found and used iRedMail as an exercise to learn and put an email solution in production.
The following is an on-the-fly recording/"documentation" of my steps.
I did the installation (multiple times varying configurations) on both local VM-Ware guests and on a VPS in a cloud service.
I do not guarantee this will work for anyone else, but I hope it serves as a reference, as this setup is not the most traditional people go for.
Be sure to read and understand each step and instruction. Also, replace domain, IP, passwords and any other info that is particular to your installation.
I am copying & pasting the whole text in Markdown format, and also uploading it as an attachment, as the formatting options in the forum are limited.
# MyDomain
## Virtual Server: server.mydomain.com
### Server Status
```
Running Yes up for 0 days, 0:00
Ping No
Location Australia
Host Node node01, up 36 days
Storage Local SSD
```
### Network
```
Public IP 99.99.99.10
Subnet Mask 255.255.255.0
Default Route 99.99.99.1
Network MTU 1500
Name Servers 1.1.1.1 8.8.8.8
IPv6 Disabled
LAN IP 192.168.10.10
Reverse DNS server.mydomain.com
Port Blocking Enabled
Cloud Firewall Enabled
```
### Disk
```
Allocation 20 GB
Last Backup None
Oper System Reinstall
```
### External Firewall
```
[
{"sourceaddr":"99.99.99.10,192.168.10.10","destaddr":"0.0.0.0/0","destport":"22,3389","action":"DROP","description":"Port Blocking Clone","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"25","action":"ACCEPT","description":"Mail Server","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"465,587","action":"ACCEPT","description":"Mail: SMTP Encrypt","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"110,995","action":"ACCEPT","description":"Mail: pop3/pop3s","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"143,993","action":"ACCEPT","description":"Mail: imap/imaps","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"80,443","action":"ACCEPT","description":"WWW","protocol":"TCP"},
{"sourceaddr":"88.88.88.20","destaddr":"99.99.99.10","destport":"22","action":"ACCEPT","description":"Admin-vpn","protocol":"TCP"},
{"sourceaddr":"0.0.0.0/0","destaddr":"99.99.99.10","destport":"","action":"DROP","description":"Close","protocol":"ALL"}
]
```
### FreeBSD Install
#### FreeBSD Image
```
https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.0/FreeBSD-12.0-RELEASE-amd64-disc1.iso
```
#### Server Name
```
server.mydomain.com
```
#### Disk
```
vtdb0 20 GB GPT
vtdb0p1 512 KB freebsd-boot
vtdb0p2 18 GB freebsd-ufs /
vtdb0p3 2.0 GB freebsd-swap none
```
#### Kernels
```
- base
- kernel
```
#### Users / Password
```
- `root` / `rootpass`
- `sysadmin` / `syspass`
```
#### Network
```
Public IP 99.99.99.10
Subnet Mask 255.255.255.0
Default Route 99.99.99.1
IPv6 Disabled
Name Servers 1.1.1.1 8.8.8.8
```
#### Services
```
- sshd
- ntpd
```
#### Config
- Edit `/etc/rc.conf`
```
# vi /etc/rc.conf
#! append -tso -lro to ifconfig_vtnet0
```
- Edit `/etc/ssh/sshd_config`
```
# vi /etc/ssh/sshd_config
PermitRootLogin no
```
- Edit `/etc/login.conf`
```
# vi /etc/login.conf
# Change for your region/code
default:\
:charset=en_AU.UTF-8:\
:lang=en_AU.UTF-8:\
:setenv=LC_COLLATE=en_AU.UTF-8:\
. . .
root:\
:charset=en_AU.UTF-8:\
:lang=en_AU.UTF-8:\
:setenv=LC_COLLATE=en_AU.UTF-8:\
. . .
postgres:\
:charset=en_AU.UTF-8:\
:lang=en_AU.UTF-8:\
:setenv=LC_COLLATE=en_AU.UTF-8:\
:tc=default:
```
- Update login db
```
# cap_mkdb /etc/login.conf
```
- Update FreeBSD
```
# freebsd-update fetch
# freebsd-update install
```
- Update FreeBSD Packages
```
# pkg update
# pkg upgrade
```
- Update Certificates
```
# pkg install -y ca_root_nss
# service ntpd onefetch
```
- Install Bash and AlterMime
- **Note**: The `Altermime` port build is broken and has no maintainer, but it can still be installed from the binary package.
```
# pkg install -y bash
# pkg install -y altermime
```
- Install Ports
```
# portsnap fetch
# portsnap extract
# portsnap update
```
### iRedMail Install
#### References
- [iRedMail Documentation](https://docs.iredmail.org/index.html)
- [How to install iRedMail on FreeBSD](https://docs.iredmail.org/install.iredmail.on.freebsd.html)
- [iRedMail](https://www.iredmail.org/download.html)
#### Install Using:
- Dovecot 2.3 # default is 2.2
- OpenSSL 1.1.1 # default is LibreSSL, but it does not work with TLS1.3 yet
- Perl 5.30 # default is 5.20
- PHP 7.3 # default is 5.x
- PostgreSQL 11.5 # default is 9.5
- Python 2.7 # not working with python 3 yet
- RoundCube 1.3.9 # default is 1.3.8
#### Download iRedMail
- Copy `iRedMail` to the server
```
#! -L follows the download redirect, -O saves the file under its remote name
# curl -L -O https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2
# chown root:wheel iRedMail-0.9.9.tar.bz2
# tar xjf iRedMail-0.9.9.tar.bz2
# chown -R root:wheel iRedMail-0.9.9
```
#### Update the package
- Edit `./iRedMail/conf/*`
```
# vi ./conf/dovecot
export DOVECOT_VERSION='2.3'
```
```
# vi ./conf/global
export LC_ALL=en_AU.UTF-8
export LC_CTYPE=en_AU.UTF-8
export LANG=en_AU.UTF-8
```
```
# vi ./conf/postgresql
export PGSQL_VERSION='11' # under FREEBSD
```
```
# vi ./conf/roundcube
export RCM_VERSION='1.3.9'
```
```
# vi ./conf/web_server
export HTTPD_DOCUMENTROOT='/usr/local/www/html'
```
- **Note**: Attention to `DEFAULT_VERSIONS`
- **Note**: Attention to `LICENSES_ACCEPTED`
- **Note**: Don't install Altermime from source
- **Note**: There is no php-mcrypt in PHP 7.3
```
# vi ./iRedMail/functions/packages_freebsd.sh
export PGSQL_VERSION='11'
export PREFERRED_PHP_VER='73'
. . .
freebsd_make_conf_add 'DEFAULT_VERSIONS' 'ssl=openssl111 python=2.7 python2=2.7 pgsql=11 php=7.3'
freebsd_make_conf_plus_option 'LICENSES_ACCEPTED' 'DCC'
. . .
OPTIONS_FILE_UNSET+=ALTERMIME
. . .
#! change references from perl5.20 to perl5.30
. . .
#! remove
OPTIONS_FILE_SET+=MCRYPT
. . .
#! remove from the line `ALL_PORTS="${ALL_PORTS}...`
security/php${PREFERRED_PHP_VER}-mcrypt
. . .
#! Remove from build (set to _UNSET), references to ALTERMIME, DOCS, MANPAGE, EXAMPLES
```
- **Note**: Update Nginx ssl syntax
```
# vi ./samples/nginx/sites-available/00-default-ssl.conf
listen PH_HTTPS_PORT ssl http2;
```
```
# vi ./samples/nginx/templates/ssl.tmpl
#! Remove the line with `ssl on;`
ssl on;
```
- Check Flags
```
# grep -ER "(ALTERMIME|DOCS|MANPAGE|EXAMPLES)" * | grep _SET
```
- Correct Python syntax
```
# find . -name "*.py" -print -exec grep ", e:" {} \;
#! Replace `, e:` with ` as e:` in `except` clauses
```
#### Run Installer
```
# bash iRedMail.sh
Mail storage path : /var/vmail
PostGreSQL password : pgpass
First domain name : mydomain.com
postmaster@mydomain.com: postpass
```
```
***************************** WARNING ***********************************
* Below file contains sensitive infomation (username/password), please *
* do remember to *MOVE* it to a safe place after installation. *
* *
* * /tmp/iRedMail-0.9.9/config
*************************************************************************
* Storage base directory: /var/vmail
* Mailboxes:
* Daily backup of SQL/LDAP databases:
* Store mail accounts in: PostgreSQL
* Web server: Nginx
* First mail domain name: mydomain.com
* Mail domain admin: postmaster@mydomain.com
* Additional components: iRedAdmin
```
#### Post Configurations
- Fix ownership and permissions
```
# chown -R iredadmin:iredadmin /usr/local/www/iRedAdmin-*
# chmod -R 555 /usr/local/www/iRedAdmin-*
```
- Edit `/etc/rc.conf.local`
```
# vi /etc/rc.conf.local
postgresql_class="postgres"
```
- Remove SOGo references as it was not installed
```
# vi /var/vmail/backup/backup_pgsql.sh
# export DATABASES='vmail roundcubemail amavisd iredadmin sogo iredapd'
export DATABASES='vmail roundcubemail amavisd iredadmin iredapd'
```
## REBOOT
### SSL Certificate
#### References
- [Request a free cert from Let's Encrypt](https://docs.iredmail.org/letsencrypt.html)
- [certbot instructions](https://certbot.eff.org/lets-encrypt/freebsd-nginx)
- [How to secure Nginx Let's Encrypt. FreeBSD](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd)
- [SPF - TXT Record](https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability)
#### DNS Records
- Summary
| Subdomain | Record Type | IP Address/Hostname |
|---|---|---|
| @ | CAA | 128 issue "letsencrypt.org" |
| @ | TXT | v=spf1 +ip4:99.99.99.10 ~all |
| dkim._domainkey | TXT | v=DKIM1; p=xxxxxxxxxx; |
| _dmarc | TXT | v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; |
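The SPF and DMARC values in the table above are the two records that decide how receivers treat spoofed mail for the domain. The following is an added example (not part of the original post) that parses both records and reports the weaknesses a reviewer would look for: a permissive `all` qualifier, too many lookup mechanisms, a `p=none` policy, relaxed alignment or no reporting address. The record strings are copied from the table; nothing is queried from live DNS.

```python
# Added example: parse and sanity-check SPF / DMARC TXT records (offline).
import re

# Constructed inputs, copied from the DNS table in the post.
SPF_RECORD = "v=spf1 +ip4:99.99.99.10 ~all"
DMARC_RECORD = ("v=DMARC1; p=quarantine; adkim=s; aspf=s; "
                "rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com;")

# Mechanisms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record):
    """Return (mechanisms, findings); a mechanism is (qualifier, name, argument)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], ["not an SPF record: missing 'v=spf1' version term"]
    mechs, findings, lookups = [], [], 0
    for term in terms[1:]:
        if "=" in term:                       # modifier such as redirect= or exp=
            name, _, arg = term.partition("=")
            lookups += name == "redirect"
            mechs.append(("", name, arg))
            continue
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        lookups += name in SPF_LOOKUP_MECHS
        mechs.append((qual, name, arg))
    if lookups > 10:
        findings.append("more than 10 DNS-lookup mechanisms; receivers return permerror")
    last = mechs[-1] if mechs else None
    if last is None or last[1] != "all":
        findings.append("no trailing 'all' term: unlisted hosts evaluate as neutral")
    elif last[0] in "+?":
        findings.append("'all' qualifier %s allows anyone to pass SPF" % last[0])
    return mechs, findings


def parse_dmarc(record):
    """Return (tags, findings) for a DMARC record; tags are lower-cased keys."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        k, _, v = part.partition("=")
        tags[k.strip().lower()] = v.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    for t in ("adkim", "aspf"):               # alignment defaults to relaxed
        if tags.get(t, "r") != "s":
            findings.append("%s is relaxed: any subdomain of the sender aligns" % t)
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    return tags, findings
```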
#### Check DNS Zones
```
# whois mydomain.com
# drill mydomain.com
# drill mx mydomain.com
# drill server.mydomain.com
# drill www.mydomain.com
# drill mail.mydomain.com
# nslookup mydomain.com
# nslookup server.mydomain.com
# nslookup mail.mydomain.com
# nslookup www.mydomain.com
# nslookup -q=a mydomain.com
# nslookup -q=cname mydomain.com
```
#### Install
```
# pkg install -y py27-certbot
# certbot certonly --webroot --rsa-key-size 4096 -m postmaster@mydomain.com --agree-tos --preferred-challenges http-01 --hsts --staple-ocsp -w /usr/local/www/html -d mydomain.com -d server.mydomain.com -d www.mydomain.com -d mail.mydomain.com
# chmod 0755 /usr/local/etc/letsencrypt/{live,archive}
```
#### Check / Set Renewal
```
# certbot renew --dry-run
# crontab -e
# Minute Hour DayOfMonth Month DayOfWeek Cmd
# SSL certificate renewal with Let's Encrypt
23 15 * * 4 /usr/local/bin/certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'
```
#### Use SSL Certificates
```
# rm -rf /etc/ssl/certs/iRedMail.crt
# ln -s /usr/local/etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/ssl/certs/iRedMail.crt
# rm -rf /etc/ssl/private/iRedMail.key
# ln -s /usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem /etc/ssl/private/iRedMail.key
```
### Upgrade Modules
#### Upgrade iRedAdmin
- **Note**: Looks like a new build already points to 0.9.8
```
# set old=0.9.6
# set new=0.9.8
# curl https://dl.iredmail.org/yum/misc/iRedAdmin-${new}.tar.bz2 --output iRedAdmin-${new}.tar.bz2
# tar xjf iRedAdmin-${new}.tar.bz2
# cd iRedAdmin-${new}/tools/
# bash upgrade_iredadmin.sh | tee upgrade_iredadmin.tee.log
# ls -l /usr/local/www/iRedAdmin*
# rm -rf /usr/local/www/iRedAdmin-${old}
# chown -R iredadmin:iredadmin /usr/local/www/iRedAdmin-${new}
# chmod -R 555 /usr/local/www/iRedAdmin-${new}
# unset old
# unset new
```
#### Upgrade iRedAPD
- **Note**: Looks like a new build already points to 3.1
```
# set old=2.7
# set new=3.1
# curl https://dl.iredmail.org/yum/misc/iRedAPD-${new}.tar.bz2 --output iRedAPD-${new}.tar.bz2
# tar xjf iRedAPD-${new}.tar.bz2
# cd iRedAPD-${new}/tools/
# bash upgrade_iredapd.sh | tee upgrade_iredapd.tee.log
# ls -l /opt/iRedAPD*
# rm -rf /opt/iRedAPD-${old}
# unset old
# unset new
```
#### Upgrade mlmmjadmin
- **Note**: Just preparing for the future, current version is already the latest
```
# set old=2.1
# set new=2.1
# curl https://dl.iredmail.org/yum/misc/mlmmjadmin-${new}.tar.gz --output mlmmjadmin-${new}.tar.gz
# tar xzf mlmmjadmin-${new}.tar.gz
# cd mlmmjadmin-${new}/tools/
# bash upgrade_mlmmjadmin.sh | tee upgrade_mlmmjadmin.tee.log
#! the two steps below stay commented out while old and new are the same version
# # ls -l /opt/mlmmjadmin*
# # rm -rf /opt/mlmmjadmin-${old}
# unset old
# unset new
```
### Add Security
#### WWW
- References
  - [How to Implement Security HTTP Headers to Prevent Vulnerabilities?](https://geekflare.com/http-header-implementation/)
  - [Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
  - [Feature-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)
```
# vi /usr/local/etc/nginx/templates/ssl.tmpl
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:!DSS:!aNULL:!MD5";
ssl_dhparam /etc/ssl/dh2048_param.pem;
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
# More security
ssl_ecdh_curve secp384r1;
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/mydomain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 5s;
```
```
# vi /usr/local/etc/nginx/conf-available/headers.conf
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Origin "*" always;
add_header Content-Security-Policy "connect-src 'self' https:";
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'";
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Expect-CT "enforce, max-age=300, report-uri='https://mydomain.com/'";
add_header Feature-Policy "geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';";
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Download-Options noopen;
add_header X-Frame-Options sameorigin;
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header X-Robots-Tag none;
add_header X-XSS-Protection "1; mode=block";
```
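Two things are easy to miss in the `headers.conf` block above: nginx sends every `add_header Content-Security-Policy` line as a separate header (browsers enforce all of them), and a directive without `always` is not added to 4xx/5xx responses. The following is an added example (not part of the original post) that parses `add_header` lines in that format and lists those points, plus the HSTS lifetime and the wildcard CORS origin, for a constructed excerpt of the block above.

```python
# Added example: parse nginx add_header directives and review the resulting header set.
import re
import shlex

# Constructed input: an excerpt of the headers.conf block from the post.
HEADERS_CONF = """
add_header Access-Control-Allow-Origin "*" always;
add_header Content-Security-Policy "connect-src 'self' https:";
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options sameorigin;
"""

# Headers the post's configuration is meant to set; report if any is absent.
REQUIRED = ("strict-transport-security", "x-content-type-options",
            "x-frame-options", "content-security-policy")


def parse_add_headers(conf):
    """Return [(name, value, always)] for each add_header directive in conf."""
    headers = []
    for line in conf.splitlines():
        line = line.strip().rstrip(";")
        if not line.startswith("add_header"):
            continue
        parts = shlex.split(line)        # honours nginx's double and single quoting
        headers.append((parts[1], parts[2], len(parts) > 3 and parts[3] == "always"))
    return headers


def review(headers):
    """Return a list of findings for the parsed header set."""
    findings, by_name = [], {}
    for name, value, always in headers:
        by_name.setdefault(name.lower(), []).append((value, always))
    findings += ["missing " + req for req in REQUIRED if req not in by_name]
    csp = by_name.get("content-security-policy", [])
    if len(csp) > 1:                     # browsers apply every policy; all must pass
        findings.append("%d CSP headers: browsers enforce all of them" % len(csp))
    if any("unsafe-eval" in v for v, _ in csp):
        findings.append("CSP permits 'unsafe-eval'")
    for value, _ in by_name.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
    if any(v == "*" for v, _ in by_name.get("access-control-allow-origin", [])):
        findings.append("Access-Control-Allow-Origin * on a webmail host")
    findings += ["%s lacks 'always': not sent on 4xx/5xx responses" % n
                 for n, _, always in headers if not always]
    return findings
```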
## Restart Services
```
# service postfix restart
# service dovecot restart
# service nginx restart
# service postgresql restart
## OR restart server
# shutdown -r +10s
```
## Verification
- [Qualys-SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com)
### Tests
- [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.com)
- [MX Lookup](https://mxtoolbox.com/domain/mydomain.com/)
```
# openssl s_client -showcerts -connect mydomain.com:443
# curl -I http://mydomain.com
# curl -I https://mydomain.com
```
### Post Configuration
- [Testing Email Score and Placement](https://www.mail-tester.com): After creating PTR, SPF, DKIM records.
## Ports maintenance
### References
- [A closer look at portmaster](https://forums.freebsd.org/threads/guide-a-closer-look-at-portmaster.61826/)
- [How to use portmaster to update ports](https://www.iceflatline.com/2013/02/how-to-use-portmaster-to-update-ports/)
### Alternatives to `portmaster`
- poudriere
  - [Fresh ports](https://www.freshports.org/ports-mgmt/poudriere)
  - [homepage](https://github.com/freebsd/poudriere/wiki)
- synth
  - [Fresh ports](https://www.freshports.org/ports-mgmt/synth)
  - [homepage](https://subatomicsolutions.org/8-freebsd/15-synth-ports-mgmt-synth)
  - [github](https://github.com/jrmarino/synth)
### Install portmaster
```
# cd /usr/ports/ports-mgmt/portmaster
# make clean
# make config
# make install
# make clean
```
```
# cp /usr/local/etc/portmaster.rc.sample /usr/local/etc/portmaster.rc
# vi /usr/local/etc/portmaster.rc
BACKUP=bopt
PM_LOG=/var/log/portmaster.log
```
```
# portsnap fetch update
# portmaster -L | more
# portmaster -nadwv # dry-run
# portmaster -adwv
```