Matt Simerson edited this page Mar 27, 2015 · 49 revisions
  • download an Ubuntu Server ISO
  • install as appropriate for your [virtual] machine.
    • (I accepted all the defaults, assuming the Ubuntu packagers know better than I do what reasonable defaults are.)
  • Software selection:
    • OpenSSH server

Apply updates

apt-get update
apt-get -y upgrade

Customize $EDITOR

Get rid of that awful nano default editor:

sudo update-alternatives --config editor

Prereq services

Note that any of these [optional] services can be installed and run in other [virtual] machines and accessed over the network. For large installs, where clustering is likely, isolating these services makes it easier to scale the system by applying additional resources exactly where they're needed.

Install Unbound

Mail servers need a fast, reliable DNS server. Unbound is all of that and more.

apt-get install -y unbound

Install ClamAV

ClamAV is a virus scanner. Haraka will use it via the clamd plugin.

apt-get install -y clamav-daemon
dpkg-reconfigure clamav-base

clamav non-default settings

  • Socket type: TCP
  • System logger: Yes

service clamav-daemon start

Install SpamAssassin

SpamAssassin is a spam scanning engine. It's written in Perl and needs lots of resources, but it is still very helpful. It is called via the spamassassin plugin.

apt-get install -y spamassassin
sed -i.bak -e 's/ENABLED=0/ENABLED=1/' -e 's/CRON=0/CRON=1/' /etc/default/spamassassin
update-rc.d spamassassin enable
service spamassassin start

Install Haraka

Haraka prereqs

apt-get install -y nodejs npm redis-server
ln -s /usr/bin/nodejs /usr/bin/node

Haraka

npm install -g Haraka
haraka -i /etc/haraka
export HARAKA_CONF=/etc/haraka/config
sed -i.bak -e 's/;nodes=cpus/nodes=cpus/' -e 's/;daemonize=true/daemonize=true/' "$HARAKA_CONF/smtp.ini"

Configure Haraka startup

export HARAKA_INSTALL=/usr/local/lib/node_modules/Haraka
cp $HARAKA_INSTALL/contrib/haraka.conf /etc/init/
sed -i.bak -e 's/\/var\/haraka\/fwdmx/\/etc\/haraka/' /etc/init/haraka.conf
initctl start haraka

Log to syslog

sed -i.bak -e 's/# log.syslog/log.syslog/' $HARAKA_CONF/plugins
sed -i.bak -e 's/always_ok=false/always_ok=true/' $HARAKA_CONF/log.syslog.ini

Enable TLS/SSL

openssl req -x509 -nodes -days 2190 -newkey rsa:2048 \
   -keyout $HARAKA_CONF/tls_key.pem -out $HARAKA_CONF/tls_cert.pem
sed -i.bak -e 's/# tls/tls/' $HARAKA_CONF/plugins

Enable connection info plugins

Enable p0f, GeoIP, FCrDNS, SPF, bounce, data.headers, URIBL, clamd, spamassassin, and karma plugins.

perl -pi -e 's/^access$/access\nconnect.geoip\nconnect.fcrdns/' $HARAKA_CONF/plugins
perl -pi -e 's/^mail_from.is_resolvable$/mail_from.is_resolvable\nspf/' $HARAKA_CONF/plugins
perl -pi -e 's/^rcpt_to.in_host_list$/rcpt_to.in_host_list\n\n# DATA\nbounce\ndata.headers\ndata.uribl\nclamd\nspamassassin\nkarma/' $HARAKA_CONF/plugins
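
The perl one-liners above change nothing, without warning, when an anchor line is missing, and they add duplicate entries when run twice. An idempotent alternative follows as an added example (not part of the original wiki page or of Haraka); `insert_after` is a hypothetical helper name, and the usage comment assumes the same `$HARAKA_CONF/plugins` file.

```shell
# insert_after FILE ANCHOR PLUGIN...
# Insert each PLUGIN on its own line directly after the line that is exactly
# ANCHOR. Plugins that are already enabled are skipped, so re-running is safe.
# Returns 1 and leaves FILE untouched when the anchor line is absent.
insert_after() {
    file=$1 anchor=$2
    shift 2
    if ! grep -qxF -- "$anchor" "$file"; then
        echo "anchor '$anchor' not found in $file, nothing enabled" >&2
        return 1
    fi
    new=
    for plugin in "$@"; do
        # -x matches whole lines only, so a commented "# clamd" does not
        # count as enabled; -F treats the dots in plugin names literally.
        grep -qxF -- "$plugin" "$file" || new="$new $plugin"
    done
    [ -n "$new" ] || return 0
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v anchor="$anchor" -v new="$new" '
        { print }
        $0 == anchor && !done {
            n = split(new, p, " ")
            for (i = 1; i <= n; i++) print p[i]
            done = 1
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, equivalent to the three perl commands (without the "# DATA" comment):
#   insert_after "$HARAKA_CONF/plugins" access connect.geoip connect.fcrdns
#   insert_after "$HARAKA_CONF/plugins" mail_from.is_resolvable spf
#   insert_after "$HARAKA_CONF/plugins" rcpt_to.in_host_list \
#       bounce data.headers data.uribl clamd spamassassin karma
```

A non-zero return means the anchor plugin is not enabled in the file, so the scanning plugins that were meant to follow it were not added either.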

p0f

Ubuntu installs p0f 2 and the Haraka plugin only supports version 3. You'll have to manually install p0f v3 to use it.

~~apt-get install -y p0f~~
/usr/sbin/p0f &
echo '@reboot root /usr/sbin/p0f -i eth0 -Q /tmp/.p0f_socket -t -o /tmp/p0f.log -d "dst port 25 or dst port 587 or dst port 465"' >> /etc/crontab

GeoIP

npm install -g maxmind-geolite-mirror
mkdir -p /usr/local/share/GeoIP
/usr/local/bin/maxmind-geolite-mirror
ln -s /usr/local/bin/maxmind-geolite-mirror /etc/cron.weekly/

More

npm install -g ws express

Future Plans / TODO

  • Support RFC3464 in bounce messages
  • Decode Short URLs in data.uribl.js and test the destination URL instead
  • DKIM verifier
