FreeBSD 9 and Mail Toaster 6 in a VM

From The Network People, Inc. - Wiki
Jump to: navigation, search

Create VM

Each virtualization environment is different. Tweak the components below as necessary.

  • Download the FreeBSD 9.1-RELEASE-amd64 DVD ISO (from here) and transfer it to your VM server.
  • Create a new VM:
    • CPU: dual-socket or dual-core (minimum)
    • RAM: 2GB (minimum)
    • Network: Intel e1000 (bridged)
    • Create a 50GB primary disk (ide/scsi)
    • Add FreeBSD 9.1-RELEASE-amd64 DVD ISO as an optical drive (ide/scsi).

Install FreeBSD

  • Power on the VM.
  • It should boot to the FreeBSD 9.1-RELEASE-amd64 DVD ISO.
  • System Components: Add "src".
  • Disks: Guided, use entire disk.
  • Network: Use ipv4 only (unless you also use ipv6).
  • Services: Add ntpd.
  • This should leave you with FreeBSD 9.1-RELEASE-amd64 installed on the 50GB VHD.
  • Shut down the VM after installation.
  • Remove the ISO from the VM's optical drive (set to empty).
  • Verify the VM's boot order is set to use the primary VHD first.

First Boot

  • Power on the VM and log in as root.
  • Set the time:
ntpdate -s
  • Update the system:
freebsd-update fetch
freebsd-update install
  • Reboot

Configure Virtual IO Drivers

Each hypervisor has it's own way of getting the best I/O between a VM and the host. These drivers primarily improve block (disk) and network performance, however, other VM functions (such as memory and video) can also be improved.

KVM/QEMU on Proxmox

For KVM/QEMU on ProxmoxVE, follow the virtio steps here.


For VMware, install VMware Tools or Open VM Tools.

  • Install Perl
cd /usr/ports/lang/perl5.16 && make install clean
  • attach the 'VM guest tools', often with a '[Re]install VMware Tools' menu item
  • mount_cd9660 /dev/cd0 /mnt
  • cd /tmp && tar -xzf /mnt/vmware-freebsd-tools.tar.gz
  • cd /tmp/vmware-tools-distrib && perl


For Xen, be sure to install FreeBSD 9.0+ amd64, a XENHVM kernel, and the two xen ports: xen-tools & xen-guest-utilities

  • echo 'KERNCONF=XENHVM' >> /etc/make.conf
  • cd /usr/src/ && make kernel
  • cd /usr/ports/sysutils/xen-tools/ && make install clean
  • cd /usr/ports/sysutils/xe-guest-utilities/ && make install clean
  • echo 'xenguest_enable="YES"' >> /etc/rc.conf

Install Mail-Toaster

Note: This section was written and tested with mail-toaster 5.41. It will be updated when mail-toaster 6 is released.

perl -v
cd /usr/ports/lang/perl5.16 && make install clean
mkdir -p /usr/local/src
cd /usr/local/src
tar -xzf Mail-Toaster.tar.gz
cd Mail-Toaster-N-NN
perl Makefile.PL
make deps **
make test
make install
bin/ -s ports
bin/ -s portmaster
  • Log out and back in (to update $PATH) and update installed ports:
portmaster -a
Note: Enable MySQL support. You must enter passwords for all DBs!
bin/ -s config
bin/ -s ssl
bin/ -s pre
bin/ -s mysql
bin/ -s ucspi
bin/ -s ezmlm
bin/ -s vpopmail
bin/ -s qmail
bin/ -s maildrop
bin/ -s dovecot
bin/ -s webmail
bin/ -s lighttpd
bin/ -s qmailadmin
bin/ -s squirrelmail  --> IMPORTANT: Edit /usr/ports/mail/squirrelmail/Makefile and comment out IGNORE_WITH_PHP=5 first.
bin/ -s roundcube
bin/ -s filter
  • Enable mail filtering:
    • Edit /usr/local/etc/toaster-watcher.conf
    • Set "filtering_method" to "smtp"
    • Set "smtpd_qmail_queue" to "/var/qmail/bin/simscan"
    • Save and exit the file.
    • Run (or wait 5m) and filtering will be enabled.
  • Install logging:
bin/ -s maillogs
bin/ -s supervise

Test Mail-Toaster

bin/ -s test

Recommended Tweaks

Set Time Zone in PHP

  • Edit the php config file: /usr/local/etc/php.ini
  • Look for date.timezone and change it to your server's timezone
  • Example:
date.timezone = America/New_York

Configure Squirrelmail for Dovecot IMAP

The folder prefix that Dovecot uses is not the same as Squirrelmail's default.

  • Run the Squirrelmail config:
cd /usr/local/www/squirrelmail
  • Press "D" [enter]
  • Type "dovecot" [enter]
  • [enter]
  • Press "S" [enter]

Configure SpamAssassin Per-User Settings

(Click the title above to go to SpamAssassin setup page)

Configure a Signed SSL Cert

This gets rid of the self-signed SSL cert warning in all web browsers by setting your server up with a "proper" SSL vendor signed certificate.

  • Create certificate storage:
mkdir -p /usr/local/etc/lighttpd/certs
chown root:wheel /usr/local/etc/lighttpd/certs
chmod 770 /usr/local/etc/lighttpd/certs
  • Copy your domain SSL keys and certs into the new certs directory. Set restrictive permissions on them:
cd /usr/local/etc/lighttpd/certs
chown root * 
chmod 600 *
  • Merge both the (passwordless) SSL private key and the signed SSL cert into a single PEM file:
cat domain.key domain.crt > domain.pem
  • Edit lighttpd config /usr/local/etc/lighttpd/vhosts.d/mail-toaster.conf
  • Look for ssl.pemfile and set it to:
ssl.pemfile = "/usr/local/etc/lighttpd/certs/domain.pem"
  • Optional: Add a line if your ssl cert requires a chain cert. Example: = "/usr/local/etc/lighttpd/certs/gd_bundle.crt"
  • Restart lighttpd:
service lighttpd configtest
service lighttpd stop
service lighttpd start