Overview

Installation prerequisites
--------------------------

## Mercurial

### CentOS

yum update

rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

The key is fetched over plain http and every RPMforge package is trusted on its strength, so check its fingerprint against the one RPMforge publishes before importing it.

Fetch the rpmforge-release package matching your release and architecture with wget and install it with rpm -i:

CentOS 6:

i686   http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
x86_64 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

CentOS 5:

i386   http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
x86_64 http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

### Debian

apt-get install mercurial

-- or --

wget http://mercurial.selenic.com/release/mercurial-2.0.tar.gz

unpack and make install (the tarball comes over plain http, so verify its checksum against one obtained out of band before building)


Problems compiling cyrus-sasl
-----------------------------

If pkgsrc outputs -fPIC-related warnings, add -fPIC to CFLAGS in pkgsrc's mk.conf (which lives under $BASEDIR/pkg, see the filesystem layout below), throw away the dependencies that were already built without it, and rebuild:

cd $BASEDIR/pkgsrc/security/cyrus-saslauthd
echo 'CFLAGS += -fPIC' >> $BASEDIR/pkg/etc/mk.conf
bmake clean-depends

then rebuild as before.


curl complains about self-signed certificates while installing rvm
------------------------------------------------------------------

Usually this means curl has no usable CA bundle to verify the server against, not that the server really presents a self-signed certificate. Build a bundle from Mozilla's CA list with curl's mk-ca-bundle.pl (it needs libwww-perl and downloads certdata.txt itself, so run it from a network you trust), point curl at it and retry:

apt-get install libwww-perl
cd sup
./mk-ca-bundle.pl
export CURL_CA_BUNDLE=$PWD/ca-bundle.crt

<retry make>

Do not work around the error by turning verification off (curl -k, or 'insecure' in ~/.curlrc): rvm downloads and executes code, so an unverified connection hands the box to whoever sits on the path. If the error persists with a fresh bundle, the certificate really is untrusted and the download should not be used.


exim cannot send mails: unable to set gid=9999 or uid=9999 (euid=8)
-------------------------------------------------------------------

The exim binary is setuid root, but /data is a FUSE (encfs) mount and FUSE mounts come up nosuid unless root asks otherwise, so the kernel ignores the bit: exim keeps running as the unprivileged uid it was started with (euid=8) and cannot switch uid/gid. Remount with setuid allowed:

mount -o suid,remount /data

This re-enables every setuid binary under /data, not just exim; list them first (find /data -perm -4000 -type f) so you know what you are enabling.

Filesystem Encryption
---------------------

Use encfs when running inside a VPS. It only protects the data at rest: while mounted, the key and the plaintext are in the VPS's memory and the hosting provider can still get at them, but it is better than nothing. Requires fuse only.
mkdir /data; chmod 0755 /data
Choose 'standard' mode when creating encfs.
mount: encfs --public /.data /data
--public makes the decrypted tree visible to all local users (subject to the normal Unix permission checks), which the services running under their own uids need; it does not add suid, see the exim note above.
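The exim failure above and the encfs mount are two sides of the same thing: FUSE mounts come up nosuid unless root asks otherwise. The following shell functions are an added example, not part of this repository's tooling; they read /proc/mounts-formatted text and report whether setuid binaries can work under a given mount point. The two mount tables are constructed to look like the encfs mount before and after the remount, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts, as it would look right after
#   encfs --public /.data /data
# FUSE mounts get nosuid,nodev unless root passes -o suid explicitly.
BEFORE_REMOUNT='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
encfs /data fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0'

# Constructed sample of the same table after: mount -o suid,remount /data
AFTER_REMOUNT='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
encfs /data fuse.encfs rw,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0'

# mount_opts TABLE MOUNTPOINT: print the option list of the filesystem
# mounted at MOUNTPOINT. TABLE is /proc/mounts-formatted text; on a live
# box pass "$(cat /proc/mounts)". The last matching line wins, which is
# the most recent mount on that path.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# has_mount_opt TABLE MOUNTPOINT OPT: exit 0 if OPT is set on that mount.
has_mount_opt() {
    mount_opts "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# suid_ok TABLE MOUNTPOINT: exit 0 if setuid binaries under MOUNTPOINT
# keep their privileges; exit 1 and explain if the mount is nosuid.
# This is the condition behind exim's "unable to set gid/uid" error.
suid_ok() {
    if has_mount_opt "$1" "$2" nosuid; then
        echo "$2 is mounted nosuid: setuid binaries under it run unprivileged"
        return 1
    fi
    echo "$2 allows setuid binaries"
    return 0
}

# Stand-alone demonstration on the constructed tables; the first call is
# expected to fail, so its status is ignored here.
suid_ok "$BEFORE_REMOUNT" /data || :
suid_ok "$AFTER_REMOUNT" /data
```

On a live system run suid_ok "$(cat /proc/mounts)" /data before and after the remount; combine it with find /data -perm -4000 -type f to see which binaries the remount actually affects.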


Usage
-----

make                   => show available targets
make <target>          => deploy selected target
make <target>-options  => show build options (if available)
                       WITH_* options are boolean; any other option needs an explicit value

Examples:

make syslog
WITH_LDAP=1 make mail
LOGIN='bob@company.com' make change-mail-password


Filesystem layout
-----------------

$BASEDIR/         => encrypted fs (the encfs mount point, /data in the sections above)
         apps     => software installed without pkgsrc
         logs/    => application & system logs
             system  => syslog logging
                     E.g. dovecot logging goes to $BASEDIR/logs/system/mail/current
             kernel  => kernel logging
         mail     => mailboxes
         pkg      => everything installed by pkgsrc
         pkgsrc   => pkgsrc tree (updatable by cvs)
         sv       => enabled runit services (symlinks from .sv)
         .sv      => all available runit scripts
         tmp/.deployment/flags => dpl task flags (remove to re-make tasks)
         var/db/pkg            => pkgsrc database (installed packages info)


LDAP schema & conventions
-------------------------

Note: you have to run $OPENDJ_HOME/setup --cli before initializing the LDAP tree.

## Directory structure

ou=Mail,dc=company,dc=com        => virtual mail accounts
ou=People,dc=company,dc=com      => user accounts
ou=Services,dc=company,dc=com    => bind accounts for daemons (exim etc.)
ou=Groups,dc=company,dc=com      => groups

## Disable user access to services: jabber, vpn, ssh (NOT mail)

Set 'accountStatus' attr to 'off' for the object in ou=People

## Disable mailbox

Set 'accountStatus' attr to 'off' for the mailbox object under ou=Mail.

NOTE: from the MTA's point of view the mailbox remains active: new mail is still accepted and delivered to it.

## Create mailbox

Here we'll create new mailbox 'rob@company.com'.

In Apache Directory Studio, navigate to ou=Mail.
Navigate to the domain container (e.g. ou=company.com,ou=Mail,dc=company,dc=com).
In context menu, choose New -> New Entry -> Create from scratch.
Add 'qmailUser' object class.
Add 'inetOrgPerson' object class.
Next.
RDN: uid=rob@company.com
Next.
mail: rob@company.com
sn: <any data>
cn: rob (corresponding account uid from ou=People)
Finish.

Add new attr 'accountStatus' with value 'on'.
Now set the password for this mail account by adding the attribute 'userPassword'.
Use the 'plain' password scheme. This stores the password in cleartext in the directory, so make sure only the service bind accounts under ou=Services can read userPassword, and only ever talk to the directory over TLS (ldaps://).

## Create mail alias

Example: admins@company.com -> rob@company.com, pike@company.com

is expressed by adding the alias as mailAlternateAddress on each target mailbox:

dn: uid=rob@company.com,ou=company.com,ou=Mail,dc=company,dc=com
mail: rob@company.com
mailAlternateAddress: admins@company.com

dn: uid=pike@company.com,ou=company.com,ou=Mail,dc=company,dc=com
mail: pike@company.com
mailAlternateAddress: admins@company.com

## Create account with access to vpn

Create account object in ou=People (inetOrgPerson, qmailUser).
Set accountStatus=on.
Set password.
Navigate to cn=vpn,ou=Groups,(...).
Add value to attr uniqueMember, e.g. 'uid=scott,ou=People,dc=company,dc=com'.
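The Directory Studio steps above (create mailbox, create alias, disable mailbox or account, add VPN access) can be scripted. The following POSIX shell functions are an added example, not code from this repository; they emit LDIF following the DN conventions of this section, and the output is meant for ldapmodify -a (add by default; both OpenDJ's and OpenLDAP's ldapmodify accept -a) over ldaps://, because the cleartext password travels in the request. BASE, the choice of sn value and the function names are assumptions.

```shell
#!/bin/sh
# Assumed suffix; adjust to your directory.
BASE="dc=company,dc=com"

# mailbox_dn ADDR: DN of the virtual mailbox for user@domain, following
# uid=<addr>,ou=<domain>,ou=Mail,<base>.
mailbox_dn() {
    echo "uid=$1,ou=${1#*@},ou=Mail,$BASE"
}

# mailbox_ldif ADDR ACCOUNT PASSWORD: entry for a new mailbox, with
# accountStatus on and cn set to the owning uid from ou=People. sn is
# required by inetOrgPerson and can be anything, so ACCOUNT is reused.
# userPassword is base64-encoded ('::') so spaces or a leading ':' in the
# password cannot break the LDIF; the server still receives it as cleartext.
mailbox_ldif() {
    cat <<EOF
dn: $(mailbox_dn "$1")
objectClass: top
objectClass: inetOrgPerson
objectClass: qmailUser
uid: $1
mail: $1
cn: $2
sn: $2
accountStatus: on
userPassword:: $(printf '%s' "$3" | base64 | tr -d '\n')

EOF
}

# alias_ldif ALIAS ADDR...: add ALIAS as mailAlternateAddress on each
# target mailbox, one modify record per mailbox.
alias_ldif() {
    alias_addr="$1"; shift
    for addr in "$@"; do
        cat <<EOF
dn: $(mailbox_dn "$addr")
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: $alias_addr

EOF
    done
}

# status_ldif DN on|off: flip accountStatus on any entry (ou=People for
# jabber/vpn/ssh, ou=Mail for a mailbox).
status_ldif() {
    cat <<EOF
dn: $1
changetype: modify
replace: accountStatus
accountStatus: $2

EOF
}

# vpn_member_ldif UID: put uid=UID,ou=People into cn=vpn,ou=Groups.
vpn_member_ldif() {
    cat <<EOF
dn: cn=vpn,ou=Groups,$BASE
changetype: modify
add: uniqueMember
uniqueMember: uid=$1,ou=People,$BASE

EOF
}

# Stand-alone demonstration: the LDIF for the examples in this section.
mailbox_ldif rob@company.com rob 's3cret'
alias_ldif admins@company.com rob@company.com pike@company.com
status_ldif "$(mailbox_dn rob@company.com)" off
vpn_member_ldif scott
```

Pipe any of these into ldapmodify -a with the directory manager credentials. If the stored userPassword comes back hashed rather than cleartext, the OpenDJ password policy's default storage scheme is overriding the 'plain' choice; that is a directory setting, not something the LDIF can force.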

## LDAP failover

Multiple LDAP server entries are allowed in:

saslauthd.conf
openvpn/ldap.conf