Ubuntu 14.04

Install Ubuntu 14.04 LTS

Written and tested against Haraka 2.6.0.

• download an Ubuntu Server ISO
• install as appropriate for your [virtual] machine.
  • (I accepted all the defaults, assuming the Ubuntu packagers know better than I do what reasonable defaults are.)
• Software selection:
  • OpenSSH server

Apply updates

apt-get update

Customize $EDITOR

Get rid of that awful nano default editor:

sudo update-alternatives --config editor

Install Unbound

Mail servers need a fast and reliable DNS server. Unbound is all that and more.

apt-get install -y unbound

Install Haraka

Haraka prereqs

apt-get install -y nodejs npm redis-server
ln -s /usr/bin/nodejs /usr/bin/node

Haraka

npm install -g Haraka
haraka -i /etc/haraka
export HARAKA_CONF=/etc/haraka/config

Enable cluster mode

sed -i.bak -e 's/;nodes=cpus/nodes=cpus/' $HARAKA_CONF/smtp.ini

Log to syslog

This is not required, but if you don't switch to syslog, make sure to set up proper log rotation for haraka.log, before it consumes all your disk.

sed -i.bak -e 's/# log.syslog/log.syslog/' $HARAKA_CONF/plugins
sed -i.bak -e 's/always_ok=false/always_ok=true/' $HARAKA_CONF/log.syslog.ini

Configure Haraka startup

The upstart config expects Haraka to have the daemonize plugin enabled. If you choose not to enable daemonize, then be sure to edit haraka.conf and comment out the export fork line.

sed -i.bak -e 's/;daemonize=true/daemonize=true/' $HARAKA_CONF/smtp.ini
export HARAKA_INSTALL=/usr/local/lib/node_modules/Haraka
cp $HARAKA_INSTALL/contrib/ubuntu-upstart/haraka.conf /etc/init/
initctl start haraka

Enable TLS/SSL

If you have a $igned TLS certificate, install it here instead. See also this note on CA certificates.

openssl req -x509 -nodes -days 2190 -newkey rsa:2048 \
   -keyout $HARAKA_CONF/tls_key.pem -out $HARAKA_CONF/tls_cert.pem
sed -i.bak -e 's/# tls/tls/' $HARAKA_CONF/plugins

Install ClamAV

ClamAV is a virus scanner. Haraka will use it via the clamd plugin.

apt-get install -y clamav-daemon
dpkg-reconfigure clamav-base

clamav non-default settings

• Socket type: TCP
• System logger: Yes

service clamav-daemon start
sed -i.bak -e 's/#clamd/clamd/' $HARAKA_CONF/plugins

Install SpamAssassin

SpamAssassin is a spam scanning engine. It's written in perl, needs lots of resources, but is still very helpful. It is called via the spamassassin plugin.

apt-get install -y spamassassin
sed -i.bak -e 's/ENABLED=0/ENABLED=1/' /etc/default/spamassassin
sed -i.bak -e 's/CRON=0/CRON=1/' /etc/default/spamassassin
update-rc.d spamassassin enable
service spamassassin start
perl -pi -e 's/^rcpt_to.in_host_list$/rcpt_to.in_host_list\n\nspamassassin' $HARAKA_CONF/plugins

Enable connection info plugins

Enable FCrDNS, SPF, bounce, data.headers, URIBL, and karma plugins.

perl -pi -e 's/^access$/access\nconnect.geoip\nconnect.fcrdns/' $HARAKA_CONF/plugins
perl -pi -e 's/^mail_from.is_resolvable$/mail_from.is_resolvable\nspf/' $HARAKA_CONF/plugins
perl -pi -e 's/^rcpt_to.in_host_list$/rcpt_to.in_host_list\n\n# DATA\nbounce\ndata.headers\ndata.uribl\nclamd\nkarma/' $HARAKA_CONF/plugins

p0f

Ubuntu installs p0f 2 and the Haraka plugin only supports version 3. You'll have to manually install p0f v3 to use it.

apt-get install -y p0f libpcap-dev
mkdir ~/p0f && cd ~/p0f
curl -O http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.08b.tgz
tar -xzf p0f-3.08b.tgz 
cd p0f-3.08b/
./build.sh
cp p0f /usr/sbin/p0f 
cp p0f.fp /etc/p0f/p0f.fp
perl -pi -e 's/^access$/access\nconnect.p0f/' $HARAKA_CONF/plugins

GeoIP

Enable GeoIP location lookups for mail connections.

npm install -g maxmind-geolite-mirror
mkdir -p /usr/local/share/GeoIP
/usr/local/bin/maxmind-geolite-mirror
ln -s /usr/local/bin/maxmind-geolite-mirror /etc/cron.weekly/
perl -pi -e 's/^access$/access\nconnect.geoip/' $HARAKA_CONF/plugins

http-server

apt-get install -y git
npm install -g ws express bower grunt-cli
mkdir -p /etc/haraka/http/html
cd /etc/haraka/http
export GITHUB_HTTP="https://raw.githubusercontent.com/msimerson/Haraka/http-server"
curl -o html/index.html $GITHUB_HTTP/http/html/index.html
curl -O $GITHUB_HTTP/http/package.json
curl -O $GITHUB_HTTP/http/bower.json
curl -O $GITHUB_HTTP/http/Gruntfile.js
npm install
grunt
curl -o /usr/local/lib/node_modules/Haraka/server.js $GITHUB_HTTP/server.js
curl -o $HARAKA_CONF/http.ini https://raw.githubusercontent.com/msimerson/Haraka/http-server/config/http.ini
sed -i.bak -e 's/; listen=/listen=/' $HARAKA_CONF/http.ini
mv html ../

watch

Watch depends on the http-server being installed.

TODO

Configure RCPT

Haraka needs to know who is accepts mail for. There are a variety of plugins (flat file, qmail-deliverabled, LDAP) that check recipient users and/or hosts against data sources to determine if Haraka should accept mail for them. The default plugin is rcpt_to.in_host_list and matches on domain names.

echo 'my-domain-name.tld' > $HARAKA_CONF/host_list

Now Haraka will accept messages for [email protected].

Set up queue

Haraka does not include a mail store, which means you need to configure one. The default queue plugin is smtp_forward, which forwards the messages on to a mail store.

$EDITOR $HARAKA_CONF/smtp_forward.ini

Test

From another host, send test messages:

swaks -server my.haraka.host -to [email protected] -from [email protected]