Adrian Moya's picture

[Updated 28/09/2010]

I changed the strategy with this patch to prevent the errors I was getting with the previous version. This is a summary of the changes:

* I installed all packages required for iRedMail installation. See point 5 for details.

* I changed when the iredmail script is executed: now it's been moved to a firstboot script. This makes more sense as it will create all the integration stuff including random pass on firstboot, making it different for each time the appliance is installed, and preventing the errors in the fs that the previous version had. As all the packages are already installed, the script itself runs very quickly. Finally I start all services and repair the firewall rules. You can see a copy of the firstboot script here. NOTE: If you hit the Nameserver BUG in turnkeycore-beta1, the script will fail getting the postfix-policyd package and will end. You can fix your system just ssh'ing to it and running the script manually. This should not be a problem when the final turnkey core comes out.

* I installed the available webmin modules for dovecot, postfix and mysql. This adds an extra gui for management, but I don't know if changing settings there could break the integration done by iRedMail.

* Added the rewrite rules so if you miss the s at the end of http, you'll be redirected. 

[/Updated]

Hi everyone. This TKLPatch will apply the iRedMail script to a turnkey core lucid beta image and result in a nice mail appliance based only on opensource software. A mysql backend was selected during installation.

This patch attempts to resolve some of the issues with an earlier attempted iRedMail patch by Basil.

Features

iRedMail 0.6.1 (complete opensource mail stack)
RoundCube web mail:
        https://IP/webmail
        https://IP/mail
 
        user/pass: www@example.com/turnkey (check email for details of installation)
Postfixadmin:
Phpmyadmin:
        https://IP/phpmyadmin/ (root/turnkey)
Awstats:
Webmin modules configured for firewall, postfix, dovecot, and mysql. [Updated 28/09/2010]
Rewrite rule for http urls (to https) [Updated 28/09/2010]
               

What it does:               

 
1. Sets Hostname to mail 
HOSTNAME=mail
echo "$HOSTNAME" > /etc/hostname
sed -i "s|127.0.1.1 \(.*\)|127.0.1.1 $HOSTNAME.localdomain $HOSTNAME|" /etc/hosts
hostname mail
2. Update package information
apt-get update
 
3. Download and untar iRedMail
apt-get -y install bzip2
wget http://iredmail.googlecode.com/files/iRedMail-0.6.1.tar.bz2
tar xf iRedMail-0.6.1.tar.bz2 -C /usr/local/src/
4. Run iRedMail get_all script (to get tars)
cd /usr/local/src/iRedMail-0.6.1/pkgs/
bash get_all.sh
cd ..
 
5. Install iRedMail required packages. I've installed all packages except postfix-policyd which has a bug and produces an error when running in non-interactive mode. See here for an explanation. 
 
install apache2 apache2-mpm-prefork apache2.2-common libapache2-mod-php5 libapache2-mod-auth-mysql php5-cli php5-imap php5-gd php5-mcrypt php5-mysql php5-ldap php5-common php-pear postfix postfix-pcre awstats mysql-server-5.1 mysql-client-5.1 postfix-mysql libapache2-mod-auth-mysql dovecot-imapd dovecot-pop3d amavisd-new libcrypt-openssl-rsa-perl libmail-dkim-perl clamav-freshclam clamav-daemon spamassassin altermime libmail-spf-perl acl patch cron tofrodos phpmyadmin webmin-dovecot webmin-postfix webmin-mysql
 
6. Enable rewrite modules (to rewrite http requests to https)
a2enmod rewrite
7. Run freshclam to ensure that it finishes before creating the cdroot. If not, when the patch is finishing, it starts to throw errors (freshclam still updating the clamav files)
freshclam
 
8. Stop all services
service apache2 stop
service mysql stop
service rsyslog stop
service postfix stop
service amavis stop
service cron stop
service dovecot stop 
service clamav-daemon stop
service clamav-freshclam stop
 
9. Fix awstats call in crontab. This seems to be a bug in iRedMail script. It leaves the cron job setting broken. So you start receiving emails with the error (not being able to run the cron job). I fixed the bad settings in the crontab.
sed -i "s|/usr/lib/cgi-bin/awstats/awstats/awstats.pl|/usr/lib/cgi-bin/awstats/awstats.pl|" /var/spool/cron/crontabs/root
 
10. Clean apt cache. 
apt-get clean

Firstboot Script

Here is the installation script that gets executed once you start your system for the first time:

 

#!/bin/bash -e
# Run iRedMail installation on firstboot and correct firewall rules
# by Adrian Moya

#Run iRedMail using previously overlayed config file
echo "Installing iRedMail..."
cd /usr/local/src/iRedMail-0.6.1/
echo Y | bash iRedMail.sh

# Reestablish firewall rules for webmin and shellinabox
echo "Reconfiguring firewall..."
sed -i "s/COMMIT/# shellinabox/" /etc/default/iptables
echo "-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT" >> /etc/default/iptables
echo "" >> /etc/default/iptables
echo "# webmin" >> /etc/default/iptables
echo "-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT" >> /etc/default/iptables
echo "" >> /etc/default/iptables
echo "COMMIT" >> /etc/default/iptables

# Start services
echo "Restarting services"
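# Line truncated in the original post; "start" is assumed from the "Start services" comment above
for i in rsyslog apache2 postfix mysql postfix-policyd dovecot amavis clamav-daemon clamav-freshclam cron iptables; do service ${i} start; done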

Comments welcome!
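
An idempotent variant of the firewall step in the firstboot script above, added here as an example and not part of the posted patch. The posted `sed` rewrites every line containing `COMMIT` and the `echo` lines append again on each run, so re-running the script by hand (the workaround the post gives for the nameserver bug) duplicates the rules. The helper name `add_accept_rule` is hypothetical, and the rules file is assumed to be in iptables-save format with a `*filter` table.

```shell
#!/bin/bash
# Added example, not the patch author's code. add_accept_rule is a
# hypothetical helper; ports 12320/12321 are the ones used in the post.
# Assumption: the rules file is in iptables-save format with a *filter table.

# add_accept_rule FILE PORT LABEL
# Insert an ACCEPT rule for PORT just before the COMMIT that closes *filter.
# Safe to run repeatedly: an existing identical rule is left alone.
add_accept_rule() {
    local file="$1" port="$2" label="$3"
    local rule="-A INPUT -p tcp -m tcp --dport ${port} -j ACCEPT"
    local tmp

    # Already present (exact line match): nothing to do.
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    # Remember the current table and touch only the COMMIT of *filter.
    # awk exits non-zero if no such COMMIT exists, so the file is never
    # rewritten without its closing COMMIT.
    awk -v rule="$rule" -v label="$label" '
        /^\*/ { table = $0 }
        $0 == "COMMIT" && table == "*filter" && !added {
            print "# " label
            print rule
            print ""
            added = 1
        }
        { print }
        END { if (!added) exit 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage on the appliance (as root):
#   add_accept_rule /etc/default/iptables 12320 shellinabox
#   add_accept_rule /etc/default/iptables 12321 webmin
```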

Liraz Siri's picture

I took a close look at this and attempted to reproduce the errors you reported, but there were none. The patch applied cleanly. What kind of errors did you get?

Just in case my hunch is right - remember that the Core system on which you apply the patch shouldn't be running any of the server software the patch depends on (e.g., MySQL), otherwise processes may fail to start and complain that various ports are already bound.

A few comments:

Embrace iRedMail: iRedAdmin and iRedAPD are recommended by iRedMail but they are not included. I suspect you configured things this way on purpose, in response to earlier discussion. But after giving it a bit more thought I've come to the conclusion it would probably be best to call this appliance iRedMail and configure it as closely as possible to iRedMail's recommended configuration (e.g., iRedAdmin, iRedAPD policy daemon, etc.)

A couple of reasons:

  1. Foster a warm relationship between iRedMail and TurnKey. We'd rather not fork iRedMail and call it something else, but give credit where credit is due and collaborate with them in a way that adds value to both projects.
  2. Make it easier for our users to leverage iRedMail community assets such as documentation and support forums, which specialize in what is a particularly complex integration. By comparison the TurnKey community is thinly spread over many appliances.

So ideally, we should get some input from iRedMail developers on what they would recommend for a reference implementation / configuration.

Redirect HTTP to HTTPS for admin stuff: It's easy to accidentally try accessing Admin interfaces with HTTP instead of HTTPS. I did that and I couldn't understand why I couldn't access the postfixadmin interface. It would be nice to implement automatic redirection on those URLs.

Webmin modules: When available, it would be nice to include webmin modules for all the open source components that are used by iRedMail (e.g., postfix, mysql, apache, php, dovecot, clamav, spamassassin). They may compensate for intended limitations of iRedMail's community interfaces, but still allow users to use the community interfaces in ways that are sanctioned and officially documented by the iRedMail community.

Documenting credentials: We'll need to document what credentials are used where carefully. For example, it took me a few minutes to realize that Awstats authentication credentials were the same as the postfixadmin authentication credentials.

MySQL vs OpenLDAP backend: Could you explain why you chose the MySQL backend over the OpenLDAP backend? What are the pros and cons?

Adrian Moya's picture

Errors: I'm getting errors not at patch-time, but during installation of the iso. Did you try to install the iso? You should get a bunch of errors for files in the fs (I think they were on /var/spool but don't remember right now). So an email with important info is lost. Maybe due to a permission problem.

iRedAdmin: As Zhang said, "if you choose MySQL backend, these two components won't be installed". I did not remove them on purpose, just selected the method I feel best for the Turnkey project. We are still using iRedMail in an official way, just not installing the iRedAdmin interface, which I found wonderful but don't like for a TKL Appliance. Why:

1. When you first login to iRedMail, you have a thin banner that says you are using an opensource version of iRedMail and invites you to see all features of Pro and buy. The banner (at least in my tests) keeps in there. This brings to TKL a feel of a commercial appliance. It's ok for them as this is how they are financing their work. But they are kindly giving us an alternative (point 2)

2. If iRedMail has an official installation based on pure open-source, why not take this way? It's also official and it should be documented. We are not removing things here, it's just the other way to install the same great script.

Redirect http/https: I'll take a look at this, and maybe contribute them back with this simple change. I too was fooled by the http access of postfixadmin failing!

 

Webmin modules: My first thoughts on this were the following: If I add all webmin modules to manage every component from within webmin, wouldn't I end up with a webmin-based email appliance? Would this be iRedMail? Now that I think more on the subject, it's a matter of options. We are leveraging the appliance giving more options, but we must test this very well. As you see, the script takes control of the firewall, but I was able to config webmin-firewall to use the files of the script. I'll try to integrate other modules and see what I can get in a second iteration, but if you could please check the errors first to try to apply some corrections on that issue, I feel those are more important to address right now.

Documenting credentials: Yes, all credentials are in the first mail you receive which is getting lost during the errors on installation. But yes, there are some passwords I didn't list on the features lists. 

MySQL vs OpenLDAP backend: As I commented above, this choice was merely based on giving the most open-source approach to the appliance.

Thanks for your comments, and to Zhang too for giving us a hand here! If you are one of the iRedMail devs, please check point 9 of this patch, where I had to fix awstats call in crontab (a minor bug in the script).

Adrian Moya's picture

Zhang, is there a way to easily convert a mysql-backend installation to an ldap-backend installation? If so, I'll be glad to add a script that users can use to convert the default appliance settings and change it to an ldap/iRedAdmin/etc installation. This I think could be a nice way of offering the alternative of having iRedAdmin panel for those who want to use it. The get_debs script downloads iredadmin and iredapd, but for this installation those are not used. But they are present in the fs ready for use in the scenario I'm proposing. Comments are welcome!
