1

Topic: iRedMail on a Raspberry Pi

Hi,

I would like to report that I successfully installed iRedMail on a Raspberry Pi.

Patches to enable rPi support can be found here: https://bitbucket.org/nifgraup/iredmail and notes are kept in a wiki: https://bitbucket.org/nifgraup/iredmail/wiki/Home

The first issue is that ClamAV takes a lot of memory, would it be possible to make it an optional component during installation time?

2

Re: iRedMail on a Raspberry Pi

Thanks for sharing your experience.

bjorgvin wrote:

Patches to enable rPi support can be found here: https://bitbucket.org/nifgraup/iredmail

Someone tested iRedMail with Debian ARM platform and Respberry Pi before, and it works. Since not many users use those two platforms, so i didn't commit the patch. But this time, your patch was committed moment ago.

bjorgvin wrote:

and notes are kept in a wiki: https://bitbucket.org/nifgraup/iredmail/wiki/Home

I try to answer the questions in your wiki below:

bjorgvin wrote:

Possibly related to a failed installation when swap was not enabled: Dovecot package installation fails because IPv6 is not enabled by default on Raspbian. #listen = *, :: can be changed to Listen = * in /etc/dovecot/dovecot.conf to fix the issue. Or modprobe ipv6 and add ipv6 to /etc/modules. iRedMail does not configure IPv6, perhaps listen = * should be by default (until IPv6 is enabled by default of course)?

iRedMail has a sample config file for Dovecot-2.0.x, it enables IPv4 only, no IPv6. So i guess it's caused by Debian itself, it starts Dovecot service during package installation.

bjorgvin wrote:

ClamAV takes a lot of memory, to the point that the machine is swapping after a fresh install of iRedMail. It should not be installed, but the menu does not allow skipping Clam.

As clearly explained in iRedMail installation guide, in section "System Requirements", iRedMail requires at least 1GB memory for production use. Because Amavisd + SpamAssassin + ClamAV take lots of memory for content based spam/virus scanning.

But it's easy to fix your issue by disabling ClamAV in Amavisd config file, then stop ClamAV service. Both SpamAssassin and ClamAV are invoked by Amavisd, not running as a daemon service.

Also, i'm not sure items listed in "Before running iRedMail.sh" are required or just optional, i suggest you clearly mark them as "required" and "optional" to make things easier. Less steps leads to more success.

3

Re: iRedMail on a Raspberry Pi

ZhangHuangbin wrote:

Thanks for sharing your experience.

bjorgvin wrote:

Patches to enable rPi support can be found here: https://bitbucket.org/nifgraup/iredmail

Someone tested iRedMail with Debian ARM platform and Respberry Pi before, and it works. Since not many users use those two platforms, so i didn't commit the patch. But this time, your patch was committed moment ago.

Thanks for committing.

ZhangHuangbin wrote:
bjorgvin wrote:

ClamAV takes a lot of memory, to the point that the machine is swapping after a fresh install of iRedMail. It should not be installed, but the menu does not allow skipping Clam.

As clearly explained in iRedMail installation guide, in section "System Requirements", iRedMail requires at least 1GB memory for production use. Because Amavisd + SpamAssassin + ClamAV take lots of memory for content based spam/virus scanning.

I wrote a bit about system requirements.

ZhangHuangbin wrote:

But it's easy to fix your issue by disabling ClamAV in Amavisd config file, then stop ClamAV service. Both SpamAssassin and ClamAV are invoked by Amavisd, not running as a daemon service.

I noticed  that the clamd process was running so I removed it. I did not check if it was invoked by amavisd but it's possible that the dovecot package installation failure resulted in ClamAV being misconfigured and running without amavisd.

ZhangHuangbin wrote:

Also, i'm not sure items listed in "Before running iRedMail.sh" are required or just optional, i suggest you clearly mark them as "required" and "optional" to make things easier. Less steps leads to more success.

Clarified. But less steps could lead to worse security practices. For now I'm going list the security related steps as recommended but I might change the title to required later on.

---

I might work on this on and off, perhaps integrate the unattended installation of Raspbian with iRedMail installation and see if http://mailpile.is/ could be integrated with iRedMail in the future.

4

Re: iRedMail on a Raspberry Pi

Your wiki page now looks great.

bjorgvin wrote:

I might work on this on and off, perhaps integrate the unattended installation of Raspbian with iRedMail installation and see if http://mailpile.is/ could be integrated with iRedMail in the future.

Is there any difference between MailPile with Roundcube + PGP plugin?

5

Re: iRedMail on a Raspberry Pi

Mailpile will have PGP support built in and make important design decisions to help users to use encryption features correctly. It's still in early development.

Björgvin

6

Re: iRedMail on a Raspberry Pi

Hi!
Tried this but could not get it to work.
Followed your guide as much as I could bjorgvin, but when I try to log on to https://example.com/iredmail with postmaster@example.com and the password mentioned in iRedMail-0.8.5/iRedMail.tips it gives me the following error:

Error: Password of cn=vmailadmin is incorrect.

Any ideas?
I use a DD-WRT router in front of the Raspberry Pi, so mailserver.example.com and example.com leads to the same server. (SSL certificate is mailserver.example.com)

/var/log/openldap.log (logging level 256) says:
Aug 27 21:20:18 erpi slapd[3695]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:57213 (IP=0.0.0.0:389)
Aug 27 21:20:18 erpi slapd[3695]: conn=1004 op=0 BIND dn="cn=vmailadmin,dc=example,dc=com" method=128
Aug 27 21:20:18 erpi slapd[3695]: conn=1004 op=0 RESULT tag=97 err=49 text=
Aug 27 21:20:18 erpi slapd[3695]: conn=1004 op=1 UNBIND
Aug 27 21:20:18 erpi slapd[3695]: conn=1004 fd=16 closed

During install I found this, but no other errors whatsoever:
ldap_bind: Invalid credentials (49)

Searching for manager results in this:
/etc/ldap$ ldapsearch -x -W -D 'cn=Manager,dn=example,dn=com' -b "" -s base -H ldap://localhost
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
        additional info: invalid DN

/etc/hosts look like this:
127.0.0.1     mailserver.example.com mailserver localhost localhost.localdomain

/etc/resolv.conf like this:
domain example.com
search example.com
nameserver 192.168.1.1

Naturally example.com is something else.
Cannot login to any phpldapadmin, mail, webmail or any other web interface.

A few questions:
Could DNS records have something to do with it?
What about router (ports are open according to http://www.iredmail.org/forum/topic209- … ports.html ) ?
I followed this before installing iRedMail, http://scruss.com/blog/2013/06/07/well- … generator/ , could that lead to generated keys the OpenLDAP cannot handle?

Thanks in advance!

7

Re: iRedMail on a Raspberry Pi

isr wrote:

Followed your guide as much as I could bjorgvin, but when I try to log on to https://example.com/iredmail with postmaster@example.com and the password mentioned in iRedMail-0.8.5/iRedMail.tips it gives me the following error:

Error: Password of cn=vmailadmin is incorrect.

Is password of 'cn=vmailadmin,dc=xx,dc=xx' set in /usr/share/apache2/iredadmin/settings.ini correct? Please verify it on command line or phpLDAPadmin (httpS://[your_server]/phpldapadmin/).

Seems your iRedMail was not successfully completed.

8

Re: iRedMail on a Raspberry Pi

Thanks for the quick reply.

The encrypted password in /usr/share/apache2/iredadmin/settings.ini matches the encrypted password at iRedMail.tips.
Tried logging on to phpldapadmin, but get the following error message:

Unable to connect to LDAP server My LDAP Server
Error: Invalid credentials (49) for user
error    Failed to Authenticate to server
Invalid Username or Password.

Irrelevant if using cn=Manager,dn=example,dn=com or vmailadmin. Tried both with and without the "dn" parts.

How do I verify it on the command line?
Any other ideas?

9

Re: iRedMail on a Raspberry Pi

You can re-install OS and iRedMail. This is the easiest way, but it takes some time.
if you don't want to do so, try below steps:

*) Set a new password for LDAP root dn (defined in parameter 'rootdn') in /etc/ldap/slapd.conf. For example, a plain password '123456' (without quotes, of course):

rootpw 123456

*) Restart OpenLDAP service, then login to phpLDAPadmin with ldap root dn (again, defined in parameter 'rootdn' in /etc/ldap/slapd.conf) with this new password.

*) After logging into phpLDApadmin, please check whether you have all mail domains and users created in OpenLDAP in left panel. If all accounts were created, you can reset their passwords to make it work. For example, find ldap object 'cn=vmail,dc=example,dc=com', click it and change its password in right panel.

*) If no ldap objects at all, that means you don't have iRedMail correctly installed. Find file 'conf/ldap_init.ldif' under iRedMail-0.8.5 directory (it's generated during installation), import it with 'ldapadd' command. For example:

# ldapadd -x -D 'cn=Manger,dc=example,dc=com' -f /root/iRedMail-0.8.5/conf/ldap_init.ldif

Then all components should start to work as expected. If not, try to re-install OS and iRedMail instead.

10

Re: iRedMail on a Raspberry Pi

Thanks again for helping me out.

Changing the password allowed me to enter phpLDAPadmin, but to the left I got the following message:
    Logged in as: cn=Manager,dc=example,dc=com
    dc=example,dc=com
    This base cannot be created with PLA.
So I could not search for any users.

Tried the ldapadd command you suggested, got the following result:
    ldap_bind: Server is unwilling to perform (53)
    additional info: unauthenticated bind (DN with no password) disallowed

So I added a -W, in order to get asked for a password, so the full command looked like this:
sudo ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f /home/MyUser/iRedMail-0.8.5/conf/ldap_init.ldif

And now it works!
phpLDAPadmin is showing the full tree to the left, Manager password is restored to something more secure and iRedAdmin works fine!

Again, thanks a lot for your help!
Btw, saw the comment about Mailpile above, it definitely looks interesting.