TurnKey Linux Virtual Appliance Library

TKLPatch for iRedMail [UPDATED 28/09/2010]

[Updated 28/09/2010]

I changed the strategy with this patch to prevent the errors I was getting with the previous version. This is a summary of the changes:

* I installed all packages required for iRedMail installation. See point 5 for details.

* I changed when the iredmail script is executed: now it's been moved to a firstboot script. This makes more sense as it will create all the integration stuff including random pass on firstboot, making it different for each time the appliance is installed, and preventing the errors in the fs that the previous version had. As all the packages are already installed, the script itself runs very quickly. Finally I start all services and repair the firewall rules. You can see a copy of the firstboot script here. NOTE: If you hit the Nameserver BUG in turnkeycore-beta1, the script will fail getting the postfix-policyd package and will end. You can fix your system just ssh'ing to it and running the script manually. This should not be a problem when the final turnkey core comes out.

* I installed the available webmin modules for dovecot, postfix and mysql. This adds an extra gui for management, but I don't know if changing settings there could break the integration done by iRedMail.

* Added the rewrite rules so if you miss the s at the end of http, you'll be redirected. 

[/Updated]

Hi everyone. This TKLPatch will apply the iRedMail script to a turnkey core lucid beta image and results in a nice mail appliance based only on opensource software. A mysql backend was selected during installation.

This patch attempts to resolve some of the issues with an earlier attempted iRedMail patch by Basil.

Features

iRedMail 0.6.1 (complete opensource mail stack)
RoundCube web mail:
        https://IP/webmail
        https://IP/mail
 
        user/pass: www@example.com/turnkey (check email for details of installation)
Postfixadmin:
        https://IP/postfixadmin (postmaster@example.com/turnkey)
Phpmyadmin:
        https://IP/phpmyadmin/ (root/turnkey)
Awstats:
        https://IP/awstats/awstats.pl (postmaster@example.com/turnkey)
Webmin modules configured for firewall, postfix, dovecot, and mysql. [Updated 28/09/2010]
Rewrite rule for http urls (to https) [Updated 28/09/2010]
               

What it does:               

 
1. Sets Hostname to mail 
HOSTNAME=mail
echo "$HOSTNAME" > /etc/hostname
sed -i "s|127.0.1.1 \(.*\)|127.0.1.1 $HOSTNAME.localdomain $HOSTNAME|" /etc/hosts
hostname mail
2. Update package information
apt-get update
 
3. Download and untar iRedMail
apt-get -y install bzip2
wget http://iredmail.googlecode.com/files/iRedMail-0.6.1.tar.bz2
tar xf iRedMail-0.6.1.tar.bz2 -C /usr/local/src/
4. Run iRedMail get_all script (to get tars)
cd /usr/local/src/iRedMail-0.6.1/pkgs/
bash get_all.sh
cd ..
 
5. Install iRedMail required packages. I've installed all packages except postfix-policyd which has a bug and produces an error when running in non-interactive mode. See here for an explanation. 
 
install apache2 apache2-mpm-prefork apache2.2-common libapache2-mod-php5 libapache2-mod-auth-mysql php5-cli php5-imap php5-gd php5-mcrypt php5-mysql php5-ldap php5-common php-pear postfix postfix-pcre awstats mysql-server-5.1 mysql-client-5.1 postfix-mysql libapache2-mod-auth-mysql dovecot-imapd dovecot-pop3d amavisd-new libcrypt-openssl-rsa-perl libmail-dkim-perl clamav-freshclam clamav-daemon spamassassin altermime libmail-spf-perl acl patch cron tofrodos phpmyadmin webmin-dovecot webmin-postfix webmin-mysql
 
6. Enable rewrite modules (to rewrite http requests to https)
a2enmod rewrite
7. Run freshclam to ensure that it finishes before creating the cdroot. If not, when the patch is finishing, it starts to throw errors (freshclam still updating the clamav files)
freshclam
 
8. Stop all services
service apache2 stop
service mysql stop
service rsyslog stop
service postfix stop
service amavis stop
service cron stop
service dovecot stop 
service clamav-daemon stop
service clamav-freshclam stop
 
9. Fix awstats call in crontab. This seems to be a bug in iRedMail script. It leaves the cron job setting broken. So you start receiving emails with the error (not being able to run the cron job). I fixed the bad settings in the crontab.
sed -i "s|/usr/lib/cgi-bin/awstats/awstats/awstats.pl|/usr/lib/cgi-bin/awstats/awstats.pl|" /var/spool/cron/crontabs/root
 
10. Clean apt cache. 
apt-get clean

Firstboot Script

Here is the installation script that gets executed once you start your system for the first time:

 

#!/bin/bash -e
# Run iRedMail installation on firstboot and correct firewall rules
# by Adrian Moya

#Run iRedMail using previously overlayed config file
echo "Installing iRedMail..."
cd /usr/local/src/iRedMail-0.6.1/
echo Y | bash iRedMail.sh

# Reestablish firewall rules for webmin and shellinabox
echo "Reconfiguring firewall..."
sed -i "s/COMMIT/# shellinabox/" /etc/default/iptables
echo "-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT" >> /etc/default/iptables
echo "" >> /etc/default/iptables
echo "# webmin" >> /etc/default/iptables
echo "-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT" >> /etc/default/iptables
echo "" >> /etc/default/iptables
echo "COMMIT" >> /etc/default/iptables

# Start services
echo "Restarting services"
for i in rsyslog apache2 postfix mysql postfix-policyd dovecot amavis clamav-daemon clamav-freshclam cron iptables; do service ${i

Comments welcome!
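
The firewall step of the firstboot script replaces every COMMIT line with sed and appends the new rules at the end of the file, so running it a second time appends the same rules again. An idempotent variant of that step, as an added example that is not part of the original post or of the iRedMail or TurnKey code: the helper names and the sample rules file are constructed, and it assumes /etc/default/iptables is in iptables-restore format with a *filter table.

```shell
#!/bin/bash
# Added example, not the patch author's code. Ports 12320 (shellinabox) and
# 12321 (webmin) come from the firstboot script; everything else is assumed.

# add_filter_rule FILE COMMENT RULE
# Insert "# COMMENT" and RULE just before the COMMIT that closes the *filter
# table of an iptables-restore style file. Does nothing if RULE already exists.
add_filter_rule() {
    local file comment rule tmp
    file=$1; comment=$2; rule=$3
    # Whole-line fixed-string match, so a re-run never appends a duplicate.
    if grep -qxF -e "$rule" -- "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v c="# $comment" -v r="$rule" '
        /^\*/ { in_filter = ($0 == "*filter") }    # which table are we in?
        in_filter && $0 == "COMMIT" && !done {
            print c; print r; print ""; done = 1   # rule goes before COMMIT
        }
        { print }
        END { exit !done }                         # no *filter COMMIT: fail
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample: two tables, so the file holds two COMMIT lines.
write_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Demo on a scratch file; the second pass shows the edit is idempotent.
demo_file=$(mktemp)
write_sample_rules "$demo_file"
for pass in 1 2; do
    add_filter_rule "$demo_file" shellinabox "-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT"
    add_filter_rule "$demo_file" webmin "-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT"
done
cat "$demo_file"
rm -f "$demo_file"
```

If the file has no *filter table, the function returns non-zero and leaves the file untouched, which a `bash -e` firstboot script will treat as a hard failure rather than writing a rules file without a COMMIT.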

Liraz Siri's picture

Feedback and ideas on how to progress

I took a close look at this and attempted to reproduce the errors you reported, but there were none. The patch applied cleanly. What kind of errors did you get?

Just in case my hunch is right - remember that the Core system on which you apply the patch shouldn't be running any of the server software the patch depends on (e.g., MySQL), otherwise processes may fail to start and complain that various ports are already bound.

A few comments:

Embrace iRedMail: iRedAdmin and iRedAPD are recommended by iRedMail but they are not included. I suspect you configured things this way on purpose, in response to earlier discussion. But after giving it a bit more thought I've come to the conclusion it would probably be best to call this appliance iRedMail and configure it as closely as possible to iRedMail's recommended configuration (e.g., iRedAdmin, iRedAPD policy daemon, etc.)

A couple of reasons:

  1. Foster a warm relationship between iRedMail and TurnKey. We'd rather not fork iRedMail and call it something else, but give credit where credit is due and collaborate with them in a way that adds value to both projects.
  2. Make it easier for our users to leverage iRedMail community assets such as documentation and support forums, which specialize in what is a particularly complex integration. By comparison the TurnKey community is thinly spread over many appliances.

So ideally, we should get some input from iRedMail developers on what they would recommend for a reference implementation / configuration.

Redirect HTTP to HTTPS for admin stuff: It's easy to accidentally try accessing Admin interfaces with HTTP instead of HTTPS. I did that and I couldn't understand why I couldn't access the postfixadmin interface. It would be nice to implement automatic redirection on those URLs.

Webmin modules: When available, it would be nice to include webmin modules for all the open source components that are used by iRedMail (e.g., postfix, mysql, apache, php, dovecot, clamav, spamassassin). They may compensate for intended limitations of iRedMail's community interfaces, but still allow users to use the community interfaces in ways that are sanctioned and officially documented by the iRedMail community.

Documenting credentials: We'll need to document what credentials are used where carefully. For example, it took me a few minutes to realize that Awstats authentication credentials were the same as the postfixadmin authentication credentials.

MySQL vs OpenLDAP backend: Could you explain why you chose the MySQL backend over the OpenLDAP backend? What are the pros and cons?

To @Liraz Siri iRedAdmin &

To @Liraz Siri

iRedAdmin & iRedAPD are recommended for the OpenLDAP backend. iRedAdmin is a web-based admin panel, and iRedAPD is a simple postfix policy daemon. So if you choose the MySQL backend, these two components won't be installed.

iRedMail is licensed under GPL v2, so you can certainly fork it. But, is it really what you want and what we expect?

About "Redirect HTTP to HTTPS for admin stuff", I will improve it in the next release. Thanks for your suggestion. :)

About "Webmin modules", no plan to integrate it yet.

About "MySQL vs OpenLDAP backend", OpenLDAP backend has more features, such as builtin mail list support, iRedAdmin (web-based admin panel, open source edition is feature limited, and we sell iRedAdmin-Pro to make iRedMail project continue existing), iRedAPD for better mail deliver restrictions, global ldap address book in webmail or MUA, and more.

But the most important point is, more people are familiar with SQL server, so they prefer to choose components/technology with which they already have experience. And they can use PostfixAdmin as web admin panel.

It's strongly recommended that you read the iRedMail & iRedAdmin feature lists before you choose a backend:

iRedMail Features: http://www.iredmail.org/features.html

iRedAdmin-Pro Features: http://www.iredmail.org/admin_panel.html

Feel free to keep me informed for further discussion.

Forgot to mention that, we

Forgot to mention that we have a kickstart file used to build iRedOS (customized CentOS 5.x); I think you can refer to it:

http://iredmail.googlecode.com/hg/extra/ks.cfg

We copy iRedMail files, RPM packages, source tarballs into ISO images, so that we don't need network connection during installation (but loop device (lo) is required for starting MySQL daemon).

My comments:

Errors: I'm getting errors not at patch-time, but during installation of the iso. Did you try to install the iso? You should get a bunch of errors for files in the fs (I think they were on /var/spool but don't remember right now). So an email with important info is lost. Maybe due to a permission problem.

iRedAdmin: As Zhang said, "if you choose MySQL backend, these two components won't be installed". I did not remove them on purpose, just selected the method I feel best for the Turnkey project. We are still using iRedMail in an official way, just not installing the iRedAdmin interface, which I found wonderful but don't like for a TKL Appliance. Why:

1. When you first login to iRedMail, you have a thin banner that says you are using an opensource version of iRedMail and invites you to see all features of Pro and buy. The banner (at least in my tests) keeps in there. This brings to TKL a feel of a commercial appliance. It's ok for them as this is how they are financing their work. But they are kindly giving us an alternative (point 2)

2. If iRedMail has an official installation based on pure open-source, why not take this way? It's also official and it should be documented. We are not removing things here, it's just the other way to install the same great script.

Redirect http/https: I'll take a look at this, and maybe contribute them back with this simple change. I too was fooled by the http access of postfixadmin failing!

 

Webmin modules: My first thoughts on this were the following: If I add all webmin modules to manage every component from within webmin, wouldn't I end up with a webmin-based email appliance? would this be iRedMail? Now that I think more on the subject, it's a matter of options. We are leveraging the appliance giving more options, but we must test this very well. As you see, the script takes control of the firewall, but I was able to config webmin-firewall to use the files of the script. I'll try to integrate other modules and see what I can get in a second iteration, but if you could please check the errors first to try to apply some corrections on that issue, I feel those are more important to address right now.

Documenting credentials: Yes, all credentials are in the first mail you receive which is getting lost during the errors on installation. But yes, there are some passwords I didn't list on the features lists. 

MySQL vs OpenLDAP backend: As I commented above, this choice was merely based on giving the most open-source approach to the appliance.

Thanks for your comments, and to Zhang too for giving us a hand here! If you are one of the iRedMail devs, please check point 9 of this patch, where I had to fix awstats call in crontab (a minor bug in the script).

I'm core developer of

I'm core developer of iRedMail project. :)

I fixed incorrect file location of awstats.pl days ago, thanks for your feedback.

About iRedAdmin open source edition, we didn't realize that someone would build an appliance like turnkey, so we just wrote some words to promote iRedAdmin-Pro. Not sure whether we can have some cooperation about iRedAdmin-Pro or not.

PostfixAdmin is enough for basic use, so mysql backend is a good choice. But I believe users need a better web admin panel for mail server, and we're working on it.

Webmin + iRedAdmin-Pro sounds good as you mentioned :)

Zhang, is there a way to

Zhang, is there a way to easily convert a mysql-backend installation to an ldap-backend installation? If so, I'll be glad to add a script that users can use to convert the default appliance settings and change it to an ldap/iRedAdmin/etc installation. This I think could be a nice way of offering the alternative of having iRedAdmin panel for those who want to use it. The get_debs script downloads iredadmin and iredapd, but for this installation those are not used. But they are present in the fs ready for use in the scenario I'm proposing. Comments are welcome!

No tool to convert

No tool to convert mysql-backend to ldap-backend yet.

No user has requested this migration, so we have no plan for this.
