Tuesday, February 10, 2015

OpenBSD Mail Server - Part 7, Roundcube and httpd

1.  Finally, the last bit, and pretty much optional.  If a PHP webmail client is desired, install roundcubemail and php-fpm from packages.  I decided to use sqlite3 (which is in OpenBSD base) so I did not install any database.

2.  Read the docs in /usr/local/share/doc/pkg-readmes/roundcubemail-* and the install message and perform the steps listed to enable PHP etc.

3.  Roundcube installs to /var/www/roundcubemail.  Enable httpd by adding httpd_flags="" to /etc/rc.conf.local.  Add "php_fpm" to pkg_scripts in /etc/rc.conf.local.  Copy /etc/examples/httpd.conf to /etc/httpd.conf.

4.  Put something like the following in /etc/httpd.conf:

# cat /etc/httpd.conf
...
server "mail.example.com" {
    listen on $ext_addr ssl port 443
    root "/roundcubemail"
    directory index index.php

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    ssl certificate "/etc/ssl/mail.example.com.crt"
    ssl key "/etc/ssl/private/mail.example.com.key"
}

5.  Create the sqlite3 database and give it proper permissions:

# cd /var/www/roundcubemail
# mkdir db
# sqlite3 -init SQL/sqlite.initial.sql db/sqlite.db
(type .exit to quit sqlite3)
# chown -R root:www db
# chmod 0775 db
# chmod 0660 db/sqlite.db

6.  Copy /etc/hosts to /var/www/etc/.  Open up port 443 in pf, then restart pf and start php_fpm and httpd.  You may also want to edit /etc/php-5.4.ini to set "allow_url_fopen = On" (Roundcube says this is optional but recommended).

7.  Edit /var/www/roundcubemail/config/defaults.inc.php to enable the installer.  Edit /var/www/roundcubemail/config/config.inc.php so the following options are modified (the first fixes the path to the database, the second switches Roundcube from PHP mail to the SMTP server on localhost, and the last enables two plugins, markasjunk and managesieve):

# cat /var/www/roundcubemail/config/config.inc.php
...
$config['db_dsnw'] = 'sqlite:////roundcubemail/db/sqlite.db?mode=0660';
...
$config['smtp_server'] = 'localhost';
...
// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
'archive',
'zipdownload',
'markasjunk',
'managesieve',
);

8.  Go to https://mail.example.com/installer and go through the installer.  After that is complete, remove the installer directory from /var/www/roundcubemail and edit /var/www/roundcubemail/config/defaults.inc.php to disable the installer.

9.  At this point, everything should be working.  Go back and review security options, logging options, etc. and tighten things down.  Check out this wiki page on the httpd github repo about creating a "forbidden" directory and editing /etc/httpd.conf to point certain files and directories to the forbidden directory as a way of further locking things down.
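As a starting point for that review, here is an added example (not part of the original post or of Roundcube) that checks the state steps 5 and 8 are supposed to leave behind: no installer directory, enable_installer not set to true, and no access for "other" on the database. The function name audit_roundcube and its messages are made up for illustration; enable_installer is Roundcube's own config option.

```shell
#!/bin/sh
# Added example: post-install audit for the Roundcube layout in this guide.
# The function name and message texts are illustrative, not from Roundcube.
# Usage: audit_roundcube [/var/www/roundcubemail]; returns the finding count.
audit_roundcube() {
    rc_root=${1:-/var/www/roundcubemail}
    findings=0

    # Step 8: the installer directory must be removed after setup.
    if [ -e "$rc_root/installer" ]; then
        echo "FAIL: $rc_root/installer still exists"
        findings=$((findings + 1))
    fi

    # Step 8: enable_installer must not be left set to true in either file.
    for f in defaults.inc.php config.inc.php; do
        cfg="$rc_root/config/$f"
        [ -f "$cfg" ] || continue
        if grep -Eqi "^[[:space:]]*\\\$config\['enable_installer'\][[:space:]]*=[[:space:]]*true" "$cfg"; then
            echo "FAIL: enable_installer is true in $cfg"
            findings=$((findings + 1))
        fi
    done

    # Step 5: db/ is 0775 and sqlite.db is 0660, so "other" gets no write
    # access to the directory and no access at all to the database file.
    db_dir="$rc_root/db"
    db_file="$db_dir/sqlite.db"
    if [ -d "$db_dir" ] && [ -n "$(find "$db_dir" -prune -perm -0002)" ]; then
        echo "FAIL: $db_dir is world-writable"
        findings=$((findings + 1))
    fi
    if [ -f "$db_file" ]; then
        for bit in 0004 0002 0001; do
            if [ -n "$(find "$db_file" -prune -perm -$bit)" ]; then
                echo "FAIL: $db_file grants 'other' permission bit $bit"
                findings=$((findings + 1))
                break
            fi
        done
    fi

    [ "$findings" -eq 0 ] && echo "OK: no findings under $rc_root"
    return "$findings"
}
```

Source the file and run audit_roundcube as root after finishing step 8; a non-zero return value is the number of items still to fix.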
