Email Server/Horde
Part of the Email Server documentation
Introduction
This page shows how to install and configure the Horde application framework with several applications, for use with a Virtual Domains Email Server.
Horde is a web application used for web mail and calendaring, amongst other things.
Some of the Horde software is included with CentOS 5. If it's not included with your distro, it's very easy to download from the Horde web site and then just follow the rest of the instructions.
Horde Applications
We're using several Horde applications to provide web mail, calendar, tasks, etc, and to allow users to control their spam settings.
Horde
Horde proper is an application framework, used by all of the other Horde Applications. Alone it isn't that much use to users. The Horde framework provides configuration, templating, authentication etc. to the Horde Applications.
Imp
Imp is the web mail program for Horde. It's very powerful and has lots of options. It can fully handle HTML mail, attachments, signatures, searching, folders, message flags etc., and has a number of add-on applications that enhance the user's web mail experience even further.
Turba
Address Book
Kronolith
Kronolith is an online calendar program
Nag
Tasklist
Mnemo
Notes
Ingo
Filtering and Forwarding
Sam
Sam is the "Spam Assassin Manager" and lets users choose how they want spam, file attachments and virus scanning handled. The Sam settings are picked up by Amavisd-new.
Installation
On a CentOS 5 box you can install most of the Horde software from the repository. Other distros may need you to check the software out of the Horde CVS Tree.
There is an issue with the CentOS version of Ingo: it has some bugs we can really do without, so we need to make sure it isn't installed and get our own copy from Horde's CVS repository.
# yum install horde imp-h3 kronolith-h3 nag-h3 mnemo-h3 turba-h3 ingo-h3
# yum remove ingo-h3
If you don't already have cvs installed, it can be installed via yum:
# yum install cvs
Now we need to finish installing and get on with configuration:
# cd /usr/local/src
# wget ftp://ftp.horde.org/pub/ingo/ingo-h3-1.2.tar.gz
# tar zxvf ingo-h3-1.2.tar.gz
# cp -rp ingo-h3-1.2 /usr/share/horde/
# cd /usr/share/horde
# export CVSROOT=:pserver:cvsread@anoncvs.horde.org:/repository
# cvs login
(password: horde)
# cvs co sam
Horde needs to have an area outside of the web root to store/edit files. I've never liked having /usr/ areas writable, especially not to a web server. So, we need to create a directory structure for all of Horde's variable files in the /var tree.
# mkdir /var/lib/horde
# mkdir /var/lib/horde/tmp
# mkdir /var/lib/horde/vfs
# mkdir /var/lib/horde/cache
# mkdir /var/lib/horde/maildropfilters
# mkdir /var/lib/horde/sessions
# chown -R apache /var/lib/horde
# chmod -R u+w,g-rwx,o-rwx /var/lib/horde
# mkdir /var/log/horde
# touch /var/log/horde/horde.log
# touch /var/log/horde/php_errors
# chown -R apache /var/log/horde
# chmod -R u+w,g-rwx,o-rwx /var/log/horde
Configuration
Apache Configuration
When you configure apache, make sure to set the session.save_path to /var/lib/horde/sessions and also that you have enabled overrides - horde uses htaccess files to set permissions inside apache. Also, if you are using Suhosin then you should make use the the
This configuration file will load Horde for any host name that begins with "webmail", so webmail.example.com, webmail.foobah.example.com and webmail.example.net would all be considered alias names for the virtual host. You might decide you'd rather have Horde at a single virtual host name.
<VirtualHost *:80>
DocumentRoot /usr/share/horde/
Alias /horde/ /usr/share/horde/
ServerName webmail
ServerAlias webmail.*
UseCanonicalName Off
<Directory /usr/share/horde>
php_admin_flag magic_quotes_gpc off
php_admin_flag safe_mode off
php_admin_value session.save_path "/var/lib/horde/sessions/"
php_value upload_tmp_dir "/var/lib/horde/tmp"
php_admin_value error_log "/var/log/horde/php_errors"
php_value include_path "/usr/share/horde:/usr/share/horde/lib:/usr/share/pear:."
php_admin_value memory_limit "128M"
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Horde Configuration
Make sure that the Horde configuration is set to use /var/log/horde/horde.log for logging, and that the folders under /var/lib/horde are set appropriately for VFS, caching, temporary files and sessions.
Drop the example configuration files provided in to:
/usr/share/horde/config
/usr/share/horde/imp/config
/usr/share/horde/ingo/config
/usr/share/horde/kronolith/config
/usr/share/horde/mnemo/config
/usr/share/horde/nag/config
/usr/share/horde/turba/config
Tweak them to suit your needs, or configure them through Horde itself.
Database
At the very least you will need to create the database, user account and password for use by the Horde application.
The default database schema lives in /usr/share/horde/scripts/sql/create.mysql.sql. WARNING: The name of the database is hard coded in this script. If you are performing a migration from an existing horde install (e.g. you are trying to go beyond Plesk) you will need to choose an alternative name for the database or risk YOUR EXISTING DATABASE BEING *DROPPED*!
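One way to carry out the check this warning calls for, as an added example that is not part of the original page or of Horde: the script lists every DROP/CREATE DATABASE statement in a schema file and flags those naming a database that already exists. The sample SQL and the database names in it are constructed, and the list of existing databases is assumed to be saved one name per line.

```bash
#!/bin/bash
# Added example: report which databases a schema script would DROP or CREATE
# and whether they already exist, before it is sourced into mysql.

# schema_db_names FILE: print "ACTION name" for each DROP/CREATE DATABASE statement.
schema_db_names() {
    awk '{
        line = $0
        gsub(/[`;]/, " ", line)                 # strip backticks and terminators
        split(line, w, /[ \t]+/)
        i = (w[1] == "") ? 2 : 1                # indented lines start with an empty field
        action = toupper(w[i])
        if ((action == "DROP" || action == "CREATE") && toupper(w[i+1]) == "DATABASE") {
            j = i + 2
            if (toupper(w[j]) == "IF") {        # skip IF [NOT] EXISTS
                j++
                if (toupper(w[j]) == "NOT") j++
                j++
            }
            print action, w[j]
        }
    }' "$1"
}

# clobbered_dbs FILE LIST: print the statements that touch a database named in LIST
# (one name per line, e.g. saved from: mysql -N -B -u root -p -e "SHOW DATABASES").
clobbered_dbs() {
    schema_db_names "$1" | while read -r action db; do
        if grep -qxF -- "$db" "$2"; then echo "$action $db"; fi
    done
}

# Constructed sample input; "webmail_db" and "plesk_mail" are made-up names.
sample_sql=$(mktemp); existing=$(mktemp)
cat > "$sample_sql" <<'EOF'
-- constructed schema fragment
DROP DATABASE IF EXISTS `webmail_db`;
  create database webmail_db;
USE webmail_db;
CREATE TABLE t_example (id INT NOT NULL);
EOF
printf '%s\n' mysql plesk_mail webmail_db > "$existing"

clobbered_dbs "$sample_sql" "$existing"
```

Any line of output means the script names a database that is already present, so edit the name in your copy of the schema file before sourcing it.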
Once checked and prepared, source /usr/share/horde/scripts/sql/create.mysql.sql in to the mysql console, create your user and password, then use the database and source the schema files for each Horde component:
/usr/share/horde/kronolith/scripts/sql/kronolith.mysql.sql
/usr/share/horde/mnemo/scripts/sql/mnemo.sql
/usr/share/horde/nag/scripts/sql/nag.sql
/usr/share/horde/turba/scripts/sql/turba.mysql.sql
For sam (Spam Assassin Manager), you need to create a new database, user and password:
# mysql -u root -p
> create database amavisd;
> use amavisd
> source /usr/share/horde/sam/scripts/sql/amavisd_sql.mysql.sql
> grant insert,select,update,delete on amavisd.* to 'amavisd'@'localhost' identified by '<password>';
Securing Horde
The apache configuration and the location of Horde's variable files should provide you with decent security. You'll also want to sort out the filesystem permissions for the web site itself.
Once you have set up Horde, you should block the test files from use and set the config directories to read-only:
# cd /usr/share/horde
# chmod -R u-ws,g-rwxs,o-rwx /usr/share/horde
# chown -R apache:root /usr/share/horde
# chown -R root /usr/share/horde/scripts /usr/share/horde/*/scripts
# chown -R root /usr/share/horde/test.php /usr/share/horde/*/test.php
# find . -name 'config' | xargs chmod -R a-w
# find . -name 'test.php' | xargs chmod o-rwx
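To confirm the lock-down took effect, the following added example (not from the original page or the Horde project) audits a tree for three conditions the commands above are meant to enforce: no write bit under anything named config, no "other" access to test.php, and no setuid/setgid bits. The demo tree and its file names are constructed stand-ins for /usr/share/horde.

```bash
#!/bin/bash
# Added example: check the mode bits left behind by the lock-down commands.
# Ownership (apache/root) is not inspected here, only permissions.

# audit_horde_tree ROOT: print one finding per line; no output means no findings.
audit_horde_tree() {
    root=$1
    {
        # Anything named "config", and everything below it, must have no write bit.
        find "$root" -name config -exec find {} \
            \( -perm -200 -o -perm -020 -o -perm -002 \) -print \; | sed 's/^/config-writable /'
        # test.php must not be reachable through the "other" permission bits.
        find "$root" -name test.php \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sed 's/^/test-other-access /'
        # No setuid/setgid bits anywhere in the tree.
        find "$root" \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/setid-bit /'
    } | sort -u
}

# Constructed demo tree standing in for /usr/share/horde (names are made up).
demo=$(mktemp -d)
mkdir -p "$demo/config" "$demo/imp/config"
touch "$demo/config/settings.php" "$demo/imp/config/settings.php" \
      "$demo/test.php" "$demo/imp/test.php"
chmod -R u-ws,g-rwxs,o-rwx "$demo"             # same modes as the page's first chmod
chmod u+w "$demo/imp/config/settings.php"      # simulate a config file left writable
chmod o+r "$demo/imp/test.php"                 # simulate a test page left readable

audit_horde_tree "$demo"
```

Run `audit_horde_tree /usr/share/horde` as root after any package update or manual edit, since either can put write bits back.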
Horde has a good reputation for being a secure web application, but nevertheless it won't hurt to tighten up the PHP environment and close any potential leaks about the version of Horde you are running.
You can prevent someone sniffing around in the docs folder by adding the following to the apache configuration for your horde vhost:
<Directory /usr/share/horde/docs>
Order allow,deny
deny from all
</Directory>
You should limit the PHP environment by restricting which paths PHP may access and disabling risky functions.
<Directory /usr/share/horde>
...
php_value open_basedir "/var/lib/horde:/usr/share/horde:/usr/share/horde/lib:/usr/share/pear/:/var/tmphorde:/var/log/horde:/usr/sbin/sendmail:/usr/share/file/"
...
</Directory>
You can disable functions in your PHP ini file, but this will apply to all PHP scripts run on your server. Using Suhosin will allow you to have more granular control:
<Directory /usr/share/horde>
...
php_admin_value suhosin.executor.func.blacklist "exec,create_function,passthru,system,shell_exec,popen,proc_close,proc_get_status,proc_open,proc_terminate"
...
</Directory>
