July 15, 2010

 Apache and Varnish

Varnish is a state-of-the-art, high-performance HTTP accelerator, used by sites such as Facebook and Twitter.

You can enable Varnish for your site by following these steps:

1.) Download Varnish from: http://sourceforge.net/projects/varnish/files/

% wget "http://downloads.sourceforge.net/project/varnish/varnish/2.1.2/varnish-2.1.2.tar.gz"

2.) Untar, install:

% tar xvfz varnish-2.1.2.tar.gz
% cd varnish-2.1.2
% ./configure --prefix=/usr/local/varnish/
% make && make install

3.) Open /usr/local/varnish/etc/varnish/default.vcl and set the backend block:

backend default {
  .host = "127.0.0.1";
  .port = "8080";
}

This tells Varnish where the web server it fronts is listening. In this case we use a local Apache instance on port 8080.

4.) Open your Apache configuration file (httpd.conf). Find:

Listen 80

5.) Change it so Apache listens on the alternate port, bound to the loopback interface only. If Apache stays bound to all interfaces, clients can skip the cache (and any access rules you later put in VCL) simply by connecting to port 8080 directly:

Listen 127.0.0.1:8080

6.) Restart Apache:

% apachectl restart

7.) Start Varnish:

% /usr/local/varnish/sbin/varnishd -a :80 -f /usr/local/varnish/etc/varnish/default.vcl -T localhost:8090 -s file,/usr/local/varnish/varnish.cache,4G

To explain the settings briefly:

-a :80 is the address and port Varnish accepts client connections on (all interfaces, port 80).
-f loads the VCL file edited in step 3, which names the backend. The alternative, -b localhost:8080, sets the backend directly, but then the VCL file is ignored and step 3 has no effect.
-T localhost:8090 is the management interface. Keep it bound to localhost: anyone who can reach it can load new VCL and control the cache.
-s file,/usr/local/varnish/varnish.cache,4G is the storage backend, here a 4 GB file-backed cache.

Apache's access log will now show 127.0.0.1 as the client for every request; log and filter on the X-Forwarded-For header instead, and check that your VCL sets it in vcl_recv.
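An added check for the bypass pitfall in step 5 (example code, not from the post or from Varnish): it scans an Apache configuration for Listen directives that leave the backend reachable from outside the host. The configuration fragment is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Atmail post: report Apache Listen directives that
# would let clients reach the backend directly, bypassing Varnish. Anything not
# bound to 127.0.0.1 or [::1] is flagged. The config below is constructed.

SAMPLE_HTTPD_CONF='# constructed httpd.conf fragment
Listen 8080
Listen 127.0.0.1:8080
Listen 0.0.0.0:8080
Listen [::1]:8080
#Listen 80'

# exposed_listens < httpd.conf -> one warning line per network-reachable Listen
exposed_listens() {
    awk '
        toupper($1) == "LISTEN" {
            addr = $2
            # bare port number: Apache binds every interface
            if (addr ~ /^[0-9]+$/) { print "Listen " addr " binds all interfaces"; next }
            # loopback-only binds are what we want behind Varnish
            if (addr ~ /^127\.0\.0\.1:/ || addr ~ /^\[::1\]:/) next
            print "Listen " addr " is reachable from the network"
        }'
}

# Convenience wrapper over the constructed fragment.
check_sample_conf() { printf '%s\n' "$SAMPLE_HTTPD_CONF" | exposed_listens; }

# Only the two loopback binds pass; the commented-out line is ignored.
check_sample_conf
```

Run it against the real file with `exposed_listens < /path/to/httpd.conf`; an empty result means every Listen is loopback-only.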

Congratulations! You now have Varnish running.

For more information about Varnish Cache, see: http://varnish-cache.org


Filed under: Uncategorized, OS, Linux version, Optimization, Atmail 6 — John Contad @ 11:28 pm

 

May 4, 2009

 Fail2Ban for Courier IMAP lockout times

Fail2Ban is a utility available from http://www.fail2ban.org. It scans log files for patterns such as repeated login failures and takes an action, typically a firewall rule, against the IP address found in the matching lines.

This is handy for introducing lockouts for various services. In this scenario we use Fail2Ban to lock out, via iptables, any IP address that fails to log in to Courier-IMAP three consecutive times.

Prerequisites:

- IPTables

- Python 2.3 or newer

Steps:

1.) Download Fail2Ban for your distribution via: http://www.fail2ban.org/wiki/index.php/Downloads

2.) If using the source version, untar the file, then install:

% tar xvfj fail2ban-0.8.3.tar.bz2
% cd fail2ban-0.8.3
% python setup.py install

3.) This installs the fail2ban-client and fail2ban-server scripts. To check that everything went fine, run:

% fail2ban-client -h

This will have an output similar to:

% fail2ban-client -h
Usage: /usr/bin/fail2ban-client [OPTIONS]

Fail2Ban v0.8.3 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

4.) Download the jail.conf and courierlogin.conf files from the following links:

- http://atmail.com/kb/attach/courierlogin.conf

- http://atmail.com/kb/attach/jail.conf

5.) Place jail.conf in /etc/fail2ban/. Place courierlogin.conf in /etc/fail2ban/filter.d/.

6.) Start the fail2ban service:

% fail2ban-client start

7.) You can further alter the parameters. By default, an IP address that fails to log in to Courier three times within ten minutes is blocked from port 143 for ten minutes. Note that the ban is keyed on the source IP, so users behind one NAT gateway share the same counter and the same ban; addresses that must never be banned belong in the ignoreip setting of the same file. To change the thresholds, open /etc/fail2ban/jail.conf and find the following lines:

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

8.) So if you want to allow five failed logins in the span of 20 minutes before banning the IP for an hour, the settings look like:

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 1200

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

9.) Restart Fail2Ban afterwards so the new values are read:

% fail2ban-client stop
% fail2ban-client start
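To see what a given maxretry/findtime pair would actually do before you deploy it, here is an added example (not from the post or from Fail2Ban) that replays the same decision over a few constructed Courier-IMAP log lines. It assumes Courier's "LOGIN FAILED, user=..., ip=[...]" log format, since the page's courierlogin.conf is not shown, and that all lines fall on one day.

```shell
#!/bin/sh
# Added example, not from the Atmail post or from Fail2Ban itself: replays the
# maxretry/findtime decision from jail.conf over constructed Courier-IMAP log
# lines. Assumed: Courier's real log format and that all lines are on one day.

# Constructed sample log. Note the IPv4-mapped "::ffff:" prefix Courier writes;
# the filter regex in courierlogin.conf has to tolerate it.
SAMPLE_LOG='Jan 10 10:00:01 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.5]
Jan 10 10:00:30 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.5]
Jan 10 10:01:45 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
Jan 10 10:02:00 mail imapd: LOGIN, user=bob, ip=[::ffff:198.51.100.7]
Jan 10 10:02:10 mail imapd: LOGIN FAILED, user=carol, ip=[::ffff:198.51.100.7]
Jan 10 10:02:20 mail imapd: LOGIN FAILED, user=carol, ip=[::ffff:198.51.100.7]
Jan 10 09:00:00 mail imapd: LOGIN FAILED, user=dave, ip=[::ffff:192.0.2.9]
Jan 10 09:30:00 mail imapd: LOGIN FAILED, user=dave, ip=[::ffff:192.0.2.9]
Jan 10 10:30:00 mail imapd: LOGIN FAILED, user=dave, ip=[::ffff:192.0.2.9]'

# offenders MAXRETRY FINDTIME < logfile
# Prints each IP once, at the moment its failures within the last FINDTIME
# seconds reach MAXRETRY, which is when fail2ban would insert the iptables rule.
offenders() {
    awk -v maxretry="$1" -v findtime="$2" '
        /LOGIN FAILED/ {
            # "HH:MM:SS" in field 3 -> seconds since midnight
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            # "ip=[::ffff:A.B.C.D]" -> "A.B.C.D"
            ip = $0
            sub(/.*ip=\[/, "", ip); sub(/\].*/, "", ip); sub(/^::ffff:/, "", ip)
            n[ip]++; seen[ip, n[ip]] = now
            # failures from this host inside the window ending at this line
            hits = 0
            for (i = 1; i <= n[ip]; i++)
                if (now - seen[ip, i] <= findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Convenience wrapper over the constructed log; output is one IP per line.
check_sample() { printf '%s\n' "$SAMPLE_LOG" | offenders "$1" "$2"; }

# The post's default (3 failures in 600 s) bans only 203.0.113.5; a two-hour
# findtime also catches the slow, spaced-out attempts from 192.0.2.9.
check_sample 3 600
check_sample 3 7200
```

Point `offenders 3 600 < /var/log/maillog` at a real log to see which hosts the current jail would have banned; the real filter is tested the same way with `fail2ban-regex <logfile> /etc/fail2ban/filter.d/courierlogin.conf`.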


Filed under: OS, Linux version, PHP version, Improvements and Fixes, Atmail 5 — John Contad @ 9:45 pm

 

April 5, 2009

 SELinux and MySQL on the network

If you are using an external MySQL server, and an Atmail installation on an operating system that has SELinux enabled, you might experience the following:

- the installation fails when connecting to the MySQL server
- connecting manually using the mysql command succeeds.

The difference is the domain: the mysql command runs in your unconfined shell, while the web server runs as httpd_t, which by default is not allowed to open outbound network connections. The denial is recorded in /var/log/audit/audit.log as an AVC message for comm="httpd" with tclass=tcp_socket. Allow the web server to connect by setting the corresponding boolean:

% /usr/sbin/setsebool -P httpd_can_network_connect true

Note that this boolean permits httpd to connect to any host and port. On policies that provide it, httpd_can_network_connect_db is the narrower choice, allowing connections to database ports only, and is preferable for this case. Retry the installation afterwards.
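Before flipping a boolean it is worth reading the denial itself. The following added example (not from the post) pulls the outbound-connection denials for httpd_t out of audit records and suggests the narrowest boolean for each. The records are constructed in the audit.log AVC format; the port-type to boolean mapping is assumed from the targeted policy.

```shell
#!/bin/sh
# Added example, not from the Atmail post: extract SELinux AVC denials for
# outbound TCP connections from httpd_t, so you can see what the web server was
# actually stopped from doing and pick the narrowest boolean. The records below
# are constructed; the mysqld/postgresql port-type mapping is assumed from the
# targeted policy.

SAMPLE_AUDIT='type=AVC msg=audit(1238900000.123:45): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238900001.456:46): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238900002.789:47): avc:  denied  { read } for  pid=2211 comm="httpd" name="config.php" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# httpd_connect_denials < audit.log
# One line per blocked outbound TCP connection from httpd_t:
#   <dest port> <target port type> <boolean to consider>
httpd_connect_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            dest = "?"; ttype = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/)     dest = substr($i, 6)
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            # Prefer the narrow boolean for database ports; the broad one
            # (which the post uses) opens every port to httpd.
            if (ttype == "mysqld_port_t" || ttype == "postgresql_port_t")
                fix = "httpd_can_network_connect_db"
            else
                fix = "httpd_can_network_connect"
            print dest, ttype, fix
        }'
}

# Convenience wrapper over the constructed records.
check_sample_audit() { printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials; }

# Prints the two name_connect denials; the file read denial is a labeling
# problem, not a network one, and is deliberately left out.
check_sample_audit
```

On a real system run `httpd_connect_denials < /var/log/audit/audit.log`; if the only target type is mysqld_port_t, the narrower boolean is enough.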


Filed under: Uncategorized, Applications, Database, Installation, Linux version, Atmail 5, Atmail 6 — John Contad @ 5:53 pm

 

January 15, 2009

 Using SMTP Auth with the Exim Smarthost

Creating smarthosts with Exim is easy, but the smarthost may require SMTP authentication before it relays, and requiring it is good practice so that the relay only accepts mail from clients it knows. Just go through the following steps:

1.) Open /usr/local/atmail/mailserver/configure and find:

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

2.) Comment out this router so it looks like:

#dnslookup:
#  driver = dnslookup
#  domains = ! +local_domains
#  transport = remote_smtp
#  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
#  no_more

3.) Add this router below it:

divertnonlocal:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  route_list = * 192.168.0.6
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

4.) Replace "192.168.0.6" with your SMTP relay host (your smarthost destination). Every message for a non-local domain is now handed to that host instead of being delivered directly after a DNS lookup.

5.) Next, find this transport:

remote_smtp:
  driver = smtp

6.) Change it to:

remote_smtp:
  driver = smtp
  hosts_require_auth = 192.168.0.6
  hosts_try_auth = 192.168.0.6

7.) Change "192.168.0.6" to your smarthost server. hosts_require_auth makes Exim defer delivery to that host rather than fall back to unauthenticated SMTP if authentication does not succeed. The LOGIN mechanism configured below sends the username and password base64-encoded, not encrypted, so also add hosts_require_tls = 192.168.0.6 to this transport; Exim will then refuse to deliver to the smarthost over a connection without TLS.

8.) At the bottom of the file, find this line:

begin authenticators

9.) Below this, add:

login:
  driver = plaintext
  public_name = LOGIN
(more...)
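To make the TLS requirement from step 7 concrete, here is an added example (not from the post or from Exim) that builds the client side of the AUTH LOGIN exchange the authenticator above produces, shows the server's fixed prompts, and then recovers the password from the "encoded" line. The credentials are constructed; nothing is sent over the network.

```shell
#!/bin/sh
# Added example, not from the Atmail post or from Exim: what the LOGIN
# authenticator puts on the wire, and why it is only safe over TLS.
# Credentials are constructed; the server side is annotated, not contacted.

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# auth_login_client USER PASS -> the three lines the client sends
auth_login_client() {
    printf 'AUTH LOGIN\n%s\n%s\n' "$(b64 "$1")" "$(b64 "$2")"
}

# auth_login_dialog USER PASS -> the whole exchange as seen on the wire.
# The server's 334 challenges are just base64("Username:") and base64("Password:").
auth_login_dialog() {
    printf 'C: AUTH LOGIN\n'
    printf 'S: 334 %s\n' "$(b64 'Username:')"
    printf 'C: %s\n' "$(b64 "$1")"
    printf 'S: 334 %s\n' "$(b64 'Password:')"
    printf 'C: %s\n' "$(b64 "$2")"
    printf 'S: 235 Authentication succeeded\n'
}

# decode_captured LINE -> what anyone sniffing a cleartext session learns
decode_captured() { printf '%s' "$1" | base64 -d; }

auth_login_dialog atmail-relay 'S3cret!pass'
# The third client line decodes straight back to the password: no key involved.
decode_captured "$(auth_login_client atmail-relay 'S3cret!pass' | sed -n 3p)"; echo
```

Base64 is an encoding, not encryption; without hosts_require_tls the smarthost password crosses the network in a form that any passive observer reverses with `base64 -d`.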


Filed under: Uncategorized, Exim, Linux version, Atmail 5, Atmail 6 — John Contad @ 3:40 pm

 

November 26, 2008

 Installing DKIM for outbound messages

Since Atmail 5.5, DKIM support is included in the mail-server version of the software.
DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit: the sending server signs selected headers and the body with a private key, and receivers verify the signature against the public key published in DNS under the signing domain. A valid signature lets receivers tie the message to your domain, which helps deliverability and reduces false positives with spam filters; it does not encrypt the message, and it says nothing about the author beyond the domain. Providers such as Gmail and other large ISPs validate DKIM signatures, and we recommend admins adopt this practice.
Should you wish all outgoing messages sent from your server to be DKIM signed, follow the steps below.

1: Make sure you are running Atmail 5.5, otherwise upgrade to the latest version. Verify that your server's Exim has DKIM support compiled in:

/usr/local/atmail/mailserver/bin/exim -dd 2>&1 | grep Experimental_DKIM

This should return:

Support for: crypteq iconv() OpenSSL Content_Scanning Experimental_DKIM

2: Create a new private/public key pair on the command line. The post used 1024 bits, which matches the public key shown in step 3; 2048 bits is the size recommended today. The private key must be readable only by the user Exim runs as (chmod 600, owned by that user), since anyone who can read it can sign mail as your domain:

openssl genrsa -out /usr/local/atmail/mailserver/dkim.key 1024
openssl rsa -in /usr/local/atmail/mailserver/dkim.key -out /usr/local/atmail/mailserver/dkim.public -pubout -outform PEM

3: View the contents of /usr/local/atmail/mailserver/dkim.public

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYVlzEzrHH1ile+IYBZasjVTi
n+kacOvmpiJGhxNuGKhTmOCrvLh4Z+eQp1Dvj7kJNUU3EF5nEbFl7WTb/Z3uxxET
MImk47xX2eJdr/q98c+gJurZvlbpFuTT9JhXRmA8kkHZrARHUpsWZMsNt69ewgQK
XaAKH1MH5I4y0+JsqQIDAQAB
-----END PUBLIC KEY-----

4: Remove the BEGIN and END lines and join the remaining lines so the public key is a single string with no line breaks. Add the following to your DNS zone file (the g=* tag comes from the original DKIM specification; current verifiers ignore it and it can be left out):

mail._domainkey.yourdomain.com. IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQE............KXaAKH1MH5I4y0+JsqQIDAQAB"

5: Open the Exim configure file, locate the transport "remote_smtp" and add the following options to it:

remote_smtp:
  driver = smtp
  #
  dkim_domain = yourdomain.com
  dkim_selector = mail
  dkim_private_key = /usr/local/atmail/mailserver/dkim.key
  #

6: Reload the zone on your nameserver and restart the Atmail services ( /etc/init.d/atmailserver restart ). Confirm the record is visible before sending test mail, for example with dig TXT mail._domainkey.yourdomain.com

7: Via Webmail or an external mail client, send a message via SMTP to an outside address. View the headers of the received email; if signing worked you will see a header like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=mail; h=MIME-Version:Message-ID:To:Reply-To:Content-Type:Date:Subject:From; bh=4WWVzoOsUWW0f4BYC2VHYfz2dQAB9PwjbTcHsvaaHrY=; b=GvkmrnJM1f2MhkRxZjTwKIPWTYmVUm//P2hqSw4eJ7izAo0GFunTddhlZ4UOWfBiObJj7+E8OGcVjyoMKj+4bNVhPqaMEi3Iidzexn8uqYbM+1vGCUf7b1tg10C+dzfdnsQIiGrkAYYlMvWGefhDlRhFq0OQfI1sDYN7pMMoqeQ=

The presence of this header only shows that Exim signed the message; whether the signature verifies depends on the DNS record. You can test that by emailing dkimtest@atmail.org: on success you will receive an autoreply, otherwise the mail is returned with "Bad DKIM header".
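Steps 3 and 4 above are easy to get wrong by hand, and a single TXT string cannot exceed 255 bytes, so a 2048-bit key (392 characters of p= value) always has to be split into several quoted strings. The following added example (not from the post) builds the zone-file record from the PEM public key and does the split. The key is the one printed on the page; selector and domain are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the Atmail post: turn the PEM public key from step 3
# into the zone-file record of step 4, splitting the value into strings of at
# most 255 bytes (the limit for one string inside a TXT record). The 1024-bit
# key below is the one printed on the page and fits in a single string; a
# 2048-bit key yields a 392-character p= value and always needs the split.

PUBKEY_PEM='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEYVlzEzrHH1ile+IYBZasjVTi
n+kacOvmpiJGhxNuGKhTmOCrvLh4Z+eQp1Dvj7kJNUU3EF5nEbFl7WTb/Z3uxxET
MImk47xX2eJdr/q98c+gJurZvlbpFuTT9JhXRmA8kkHZrARHUpsWZMsNt69ewgQK
XaAKH1MH5I4y0+JsqQIDAQAB
-----END PUBLIC KEY-----'

# pem_to_p < key.pem -> the base64 body as one line (the value for p=)
pem_to_p() { grep -v -- '-----' | tr -d '\n\r '; }

# txt_strings VALUE -> VALUE quoted, split into "..." pieces of <= 255 bytes
txt_strings() {
    s=$1; out=""
    while [ ${#s} -gt 255 ]; do
        out="$out\"$(printf '%s' "$s" | cut -c1-255)\" "
        s=$(printf '%s' "$s" | cut -c256-)
    done
    printf '%s"%s"' "$out" "$s"
}

# dkim_record SELECTOR DOMAIN < key.pem -> one zone-file line
dkim_record() {
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" \
        "$(txt_strings "v=DKIM1; k=rsa; p=$(pem_to_p)")"
}

# 216 base64 characters for a 1024-bit key; 392 for 2048 bits.
printf '%s\n' "$PUBKEY_PEM" | dkim_record mail yourdomain.com
```

With a real key: `dkim_record mail yourdomain.com < /usr/local/atmail/mailserver/dkim.public`. The adjacent quoted strings are concatenated by resolvers, so the split is invisible to DKIM verifiers.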

--

This will be natively supported in Atmail 5.6 due Dec 2008 - In the meantime these changes can be made to any existing Atmail 5.5 installation with DKIM support.


Filed under: Anti-Spam, Exim, Linux version — info @ 6:17 pm

 

July 2, 2008

 Creating public folders

This is a tutorial on how to set up AtMail with public folders. An example scenario: you're a company with over 10 employees and you need a global Support and Sales folder.

This folder should be shared and accessible to selected users, with the ability to use IMAP or Webmail to access the shared folders.

Public folders are vital to improve workflow, help consolidate email messages from clients, and provide a central repository of messages that can be searched.

So how do we do this in AtMail?

Pre-requirements:

  • AtMail 5.4 or above
  • Full mail-server mode required

Step 1:

Define a CSV file of users you wish to share a public folder with, e.g.

publicfolder.csv:

Support, ben@company.org
Support, jason@company.org
Support, andyg@company.org

Where each user@company.org is a real user on AtMail, with an account and mailbox already created. Upload the CSV file to the server and execute the script batch-publicfolder.php:

cd /usr/local/atmail/webmail/modules/
php batch-publicfolder.php < /tmp/publicfolder.csv

Once executed, the following is printed for each user listed:

Creating public folder for Support for user@company.org
Creating PublicFolder /usr/local/atmail/users/shared/.Support
Adding maildir /usr/local/atmail/users/shared/.Support
Adding maildir /usr/local/atmail//users/u/s/user@company.org/shared-folders/SharedFolder/Support
Creating Symlink  /usr/local/atmail//users/u/s/user@company.org/shared-folders/SharedFolder/Support to  /usr/local/atmail//users/u/s/user@company.org/.Support
Adding  /usr/local/atmail//users/u/s/user@company.org/SharedFolder/PremiumSupport/shared

Step 2:

Once the public folder is created, an email alias must be set up to direct messages into it.

Visit the AtMail Webadmin > Email > Email Aliases and define the alias name and the directory of the new public folder ( in this example, the directory is /usr/local/atmail/users/shared/.Support ).

(screenshot: picture-7.png)

Step 3:

Once the alias and public folder are created, simply send mail to support@company.org and the messages will be stored in the shared folder.

Each user that logs in via IMAP or Webmail scans the shared folder and symlinks each message into the user's personal maildir. This keeps per-user message flags ( unread/read/replied ) while the message itself exists once on disk in the public folder.


Filed under: Exim, Groupware, Linux version, PHP version — info @ 9:10 pm

     

June 27, 2008

 Optimizing @Mail Performance using APC

This article details the procedure for installing and configuring the APC opcode cache on your server. It does not cover setting up APC on Windows servers.

What is APC?

From php.net:

"The Alternative PHP Cache (APC) is a free and open opcode cache for PHP. It was conceived of to provide a free, open, and robust framework for caching and optimizing PHP intermediate code."

So basically we can use APC to squeeze even better performance out of @Mail.

Installing APC

APC is a PHP PECL extension, so I will cover using the pecl command to install it. If pecl is not available on your system, the following command for your system should install it:

  • Ubuntu/Debian: apt-get install php-pear
  • FreeBSD: pkg_add -r php5-pear
  • RedHat Linux (inc CentOS, Fedora etc): yum install php-pear

You will also need the Apache apxs tool. If apxs is not on your system you can install it as follows:

  • Ubuntu/Debian: apt-get install apache2-threaded-dev
  • FreeBSD: apxs is installed with the Apache port
  • RedHat Linux (inc CentOS, Fedora etc): yum install httpd-devel

Once you have pecl and apxs installed, run:

# pecl install apc

Once the compile and installation are complete you will need to enable the extension by adding the following line to your php.ini:

extension=apc.so

You can test that the APC module is installed with the 'php -m' command. This lists the installed PHP modules, and apc should be near the top:

# php -m
[PHP Modules]
apc
bcmath
bz2
calendar
ctype
date
dba
...etc

Once you have enabled APC in php.ini, restart Apache so that the Apache PHP module loads it, usually

apachectl restart

or

apache2ctl restart

Now APC is ready and waiting to spice up performance.

Configuring APC

APC has several settings you can tweak according to your setup and desired functionality. The first two settings you should consider are

apc.shm_size

and

apc.stat

These two settings adjust how much shared memory you want to set aside for APC and whether you want APC to check for file modification on every request, respectively.

First let's consider

apc.shm_size

How large a memory segment you can assign to APC depends on the amount of available RAM and your OS type and configuration. The amount is specified in MB and the default is 30. In my testing with APC and @Mail I maxed out at 8.895MB of memory usage for the APC cache, so I'd suggest a minimum setting of about 10MB for a server running @Mail. If the server is running other PHP scripts via Apache then you will need to either increase this value or use the technique described in the "Conditional Caching" section.

Now let's consider

apc.stat

This setting determines whether APC checks for file modification on every request. The default is 'On': APC checks each script for modification on each request, and if the script has been modified it does not use the cached version but recompiles and re-caches the new one. Also, with apc.stat on, APC has to resolve absolute paths on every request for all files included or required with a relative path. This obviously adds some overhead.

Changing apc.stat to 'Off' can produce a significant performance gain and simply means that if you modify any @Mail files you will need to restart Apache before the changes take effect. Not a big deal on a production server where files stay static for long periods.

Conditional Caching

If the server running @Mail is also serving other PHP scripts then you may want to limit the caching to @Mail scripts only, in order to reduce the chance of running out of cache slots or allocated RAM. You can do this with the apc.cache_by_default setting.

apc.cache_by_default is On by default, which means all PHP scripts served by Apache are cached. If you want to cache only @Mail scripts then set

apc.cache_by_default = Off

in your php.ini or apc.ini file.

Once you have turned apc.cache_by_default off you can use a .htaccess file in @Mail's web root to turn it back on for @Mail only. If you have other scripts/apps you would like to enable caching for then simply add the .htaccess file to their web root also. The .htaccess file should contain just this line:

php_value apc.cache_by_default On

Once the .htaccess file is in place all @Mail scripts will be cached. You will also need to restart Apache for the main apc.cache_by_default = Off setting to take effect.

How Can I Tell What is Currently Cached?

A simple solution is to create a short PHP script containing:

<?php print_r(apc_cache_info());

Save it to a web-readable file and load it in your browser. This gives you information on the current state of your APC cache, including which files are cached. The output lists the absolute path of every cached script, so restrict access to the file (for example to your own IP address with Apache's access controls) and remove it when you are done, rather than leaving it on a production server. Here is an excerpt of the output after having used @Mail:

Array
(
    [num_slots] => 2000
    [ttl] => 0
    [num_hits] => 11
    [num_misses] => 35
    [start_time] => 1214447228
    [expunges] => 0
    [mem_size] => 4645714
    [num_entries] => 35
    [num_inserts] => 35
    [file_upload_progress] => 1
    [memory_type] => mmap
    [locking_type] => pthread mutex
    [cache_list] => Array
        (
            [0] => Array
                (
                    [filename] => /usr/local/atmailphp/webmail/libs/PEAR/Mail/mime.php
                    [device] => 2051
                    [inode] => 261912
                    [type] => file
                    [num_hits] => 0
                    [mtime] => 1203282990
                    [creation_time] => 1214447477
                    [deletion_time] => 0
                    [access_time] => 1214447477
                    [ref_count] => 0
                    [mem_size] => 125640
                )

            [1] => Array
                (
                    [filename] => /usr/local/atmailphp/webmail/libs/PEAR/Mail/RFC822.php
                    [device] => 2051
                    [inode] => 261911
                    [type] => file
                    [num_hits] => 0
                    [mtime] => 1207549212
                    [creation_time] => 1214447477
                    [deletion_time] => 0
                    [access_time] => 1214447477
                    [ref_count] => 0
                    [mem_size] => 120242
                )

            [2] => Array
                (
                    [filename] => /usr/local/atmailphp/webmail/libs/PEAR/Mail/mimePart.php
                    [device] => 2051
                    [inode] => 261908
                    [type] => file
                    [num_hits] => 0
                    [mtime] => 1203282990
                    [creation_time] => 1214447477
                    [deletion_time] => 0
                    [access_time] => 1214447477
                    [ref_count] => 0
                    [mem_size] => 58013
                )

Final Words

There are several other APC settings that you may wish to tweak for your system. More information on these settings can be found here: http://php.net/manual/en/apc.configuration.php

You should place all these settings in your php.ini, or alternatively, if you have a directory on your system that PHP reads .ini files from, create a file there called apc.ini and place the APC settings in it.

You should find that @Mail and APC work just fine together and you should see improved performance, especially on busier servers. Of course, if you have any feedback or experience problems let us know.


Filed under: Linux version, PHP version, Optimization — Brad Kowalczyk @ 12:02 am

     

December 6, 2007

 Error: "undefined reference to `mpz_powm'"

When you receive an error like this when compiling ClamAV:

../libclamav/.libs/libclamav.so: undefined reference to `mpz_powm'
../libclamav/.libs/libclamav.so: undefined reference to `mpz_get_ui'

the missing symbols are from the GMP library, which ClamAV uses to verify the digital signature on virus-definition downloads. Just do the following:

(more...)


Filed under: Anti-Virus, Linux version — info @ 3:32 pm

     

 Disable SpamAssassin filtering for some users or domains

Should you want to disable SpamAssassin for some domains or users, just do the following:

- open /usr/local/atmail/mailserver/configure
- find the following router condition:

domains = ${lookup mysql {MYSQL_CHECKSPAM}{$value}}

(more...)


Filed under: Anti-Spam, Linux version — info @ 3:30 pm

     

 Security warning: No support for digital signatures

When using @Mail with the inbuilt ClamAV module, if you receive the following warning via the @Mail Webadmin -> AV settings:

"Security warning: No support for digital signatures"

this means the GMP development headers/libraries were missing when your ClamAV was compiled. ClamAV uses them to verify the digital signature on downloaded virus-definition files; without that check, freshclam cannot detect a tampered definition file, so the warning is worth fixing rather than ignoring.

(more...)


Filed under: Anti-Virus, Linux version — info @ 3:28 pm