server config part-1: logging, move backup files and users, mysql, procmail, bogofilter, sasl2, dovecot, sendmail

17 files changed, 1694 insertions, 0 deletions

diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt
new file mode 100644
index 0000000..2cf28cc
--- /dev/null
+++ b/server/setup/05-service-settings/README.txt
@@ -0,0 +1,108 @@
+All template files are .. underneath in ./etc
+
+Debian 7.00 (Wheezy)
+
+01 stop all running services ..
+    /etc/init.d/apache2 stop
+    /etc/init.d/sendmail stop
+    /etc/init.d/dovecot stop
+    /etc/init.d/mysql stop
+    /etc/init.d/saslauthd stop
+
+01 logging
+    - firewall logging:
+      /etc/rsyslog.conf: firewall rules, kern.debug / kern.=!debug
+      /etc/init.d/rsyslog restart
+
+    - logrotate
+      /etc/logrotate.conf: compress, 48 weeks
+      /etc/logrotate.d/rsyslog: Add /var/log/firewall and /var/log/dovecot.log
+      
+03 move all users
+    - mv /data/backup/home/* /home/
+    - for all groups: groupadd -g GID groupname
+    - for all users:  useradd -M -N -u UID -g GID username
+    - for all users:  usermod -a -G GID1,GID2,.. username
+    - cd /data/backup/var/spool/mail ; (check names, remove unused ..) ; mv * /var/spool/mail/
+
+04 move other stuff
+    - Old Logs
+        - mv /data/backup/var/log /var/log/old_logs
+
+    - MySQL
+        - old server: backup DB
+          - run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql
+
+        - new server: import DB
+          - get backup backup-mysqldb-20130605162509.sql
+          - /etc/init.d/mysql start
+          - backup-1: backup-mysql.sh
+          - mysql --user=root --password  < backup-mysqldb-20130605162509.sql
+          - backup-2: backup-mysql.sh
+          - mysqlcheck --user=root --password --all-databases
+
+    - Services
+        - mv /data/backup/srv/* /srv/
+
+05 config procmail
+    copy /etc/procmailrc
+
+06 bogofilter
+    copy /etc/bogofilter.cf
+    Init empty wordlist.db:
+        touch nope
+        cat nope  | bogoutil -l /var/spool/bogofilter/wordlist.db
+        rm nope
+
+07 sasl2
+    /etc/sasl2/Sendmail.conf
+    /etc/default/saslauthd: start=yes
+    /etc/init.d/saslauthd start
+
+08 dovecot 2.1.7-7
+    - features:
+      - requires ssl
+      - ipv4 / ipv6
+      - smtps
+      - pop3s
+      - sieve (tls)
+
+    - Sync config files in /etc/dovecot/
+      with etc/dovecot/dovecot.conf.diff and etc/dovecot/conf.d.diff
+
+    - mkdir -p /var/lib/dovecot/sieve/global/
+    - chmod ugo+rx /var/lib/dovecot
+    - copy /var/lib/dovecot/sieve/global/default.sieve
+        - cd /var/lib/dovecot/sieve/global ; sievec default.sieve
+    - copy /var/lib/dovecot/sieve/prologue.sieve
+        - cd /var/lib/dovecot/sieve ; sievec prologue.sieve
+
+    - migrate old INBOX:
+        for each user:
+          dsync mirror mbox:~/mail:INBOX=/var/mail/USERNAME
+          su dstrohlein -c "dsync mirror mbox:~/mail:INBOX=/var/mail/dstrohlein ; echo OK"
+
+    - /etc/init.d/dovecot start
+
+
+09 sendmail 8.14.4-4
+    - features:
+      - requires ssl for auth
+      - ipv4 / ipv6
+
+    - /etc/mail
+    - Sync config files in /etc/mail with: etc/mail/mail.diff
+        - sendmail.mc
+        - submit.mc
+        - access
+        - local-host-names
+        - virtusertable
+
+    - /etc
+        - aliases
+
+    - cd /etc/mail
+        - make
+
+    /etc/init.d/sendmail start
+    
diff --git a/server/setup/05-service-settings/backup-mysql.sh b/server/setup/05-service-settings/backup-mysql.sh
new file mode 100644
index 0000000..0490e3b
--- /dev/null
+++ b/server/setup/05-service-settings/backup-mysql.sh
@@ -0,0 +1,8 @@
+#! /bin/sh
+
+fname="/data/backup/backup-mysqldb-`date +%Y%m%d%H%M%S`.sql"
+mysqldump --verbose --user=root --password --all-databases > $fname
+echo dumped to $fname
+
+# 1076  mysql --user=root --password < bugzilla_db_clean.sql 
+
diff --git a/server/setup/05-service-settings/etc/bogofilter.cf b/server/setup/05-service-settings/etc/bogofilter.cf
new file mode 100644
index 0000000..84ac4bc
--- /dev/null
+++ b/server/setup/05-service-settings/etc/bogofilter.cf
@@ -0,0 +1,282 @@
+########### Sample BOGOFILTER Configuration File ###########################
+
+# $Id: bogofilter.cf.example 6811 2009-02-21 20:32:50Z relson $
+
+# Default settings (as defined in the bogofilter source code) 
+# have a single hash mark at the beginning of the line.
+
+# Alternate values have two hash marks.
+
+# Comment lines MUST have their hash mark in the leftmost column.
+# Comments can be added at the end of any line (after whitespace and a '#').
+# Blank lines are allowed.
+
+########### General Settings ########################################
+
+#### BOGOFILTER_DIR
+#
+#	directory for wordlists
+#
+#bogofilter_dir=~/.bogofilter
+bogofilter_dir=/var/spool/bogofilter
+
+#### name/location of user config file
+#
+#user_config_file=~/.bogofilter.cf
+##user_config_file=~/.bogofilterrc
+user_config_file=~/.bogofilter/config
+
+#### TRANSACTIONS: enable/disable database transactions
+#
+#	boolean indicating whether transactions
+#	should be enabled (yes) or disabled (no)
+#
+db_transaction=no		# default
+##db_transaction=yes		# (alternate)
+
+#### WORDLIST: define additional word lists
+#
+#	char type: 'r' (regular) or 'i' (ignore)
+#	char *name: name of list, e.g. "system", "user", "ignore"
+#	char *path: absolute path to file or
+#		    file name (relative to bogofilter_dir)
+#	int  order - once found, skip higher numbered lists
+#
+##wordlist i,ignore,~/ignorelist.db,1
+##wordlist r,wordlist,~/wordlist.db,2
+
+#### SPAM_HEADER_NAME
+#
+#	used in reporting spamicity and
+#	in removing already existing headers
+#
+spam_header_name=X-Bogosity
+
+#### SPAM_HEADER_PLACE
+#
+#	used in placing the SPAM_HEADER_NAME line
+#
+#spam_header_place=DomainKey-Signature
+
+#### SPAM_SUBJECT_TAG
+#
+#	tag added to "Subject: " line for identifying spam or unsure
+#	default is to add nothing.
+#
+##spam_subject_tag=***SPAM***
+##unsure_subject_tag=???UNSURE???
+
+#### STATS_IN_HEADER
+#
+#	non-zero (default):  put spamicity info in message header
+#	zero:  put spamicity info in message body
+#	can use "bool" values of True, False, Yes, No, 1, or 0
+#
+stats_in_header=Yes		# default
+##stats_in_header=No		# (alternate)
+
+#### DB_CACHESIZE
+#
+#	non-zero: set this as DB cache size (in Mbytes)
+#	zero:     use DB default cache size (.25 Mbyte in 4.0.14)
+#
+#	note that Berkeley DB increases any buffer size below 500 MB
+#	by 25%!
+#	This helps most when doing massive changes to the data base that
+#	involve a lot of overwrites, such as registering mail boxes,
+#	whereas it is mostly a waste of memory for read-only
+#	applications such as scoring.
+#	WARNING: If you set this too large, bogofilter will fail.
+#
+db_cachesize=0			# default
+##db_cachesize=16		# (alternate)
+
+#### DB_LOG_AUTOREMOVE
+#
+#	boolean indicating whether auto-removing of
+#	logs should be enabled (yes) or disabled (no)
+#
+#db_log_autoremove=yes		# default
+##db_log_autoremove=no		# (alternate)
+
+#### TIMESTAMP
+#
+#	enables or disables token timestamps
+#
+timestamp=Yes
+
+#### Format of spamicity output
+#
+# for two-state output the third entry is not needed and not used
+#
+spamicity_tags = Spam, Ham, Unsure
+spamicity_formats = %0.6f, %0.6f, %0.6f
+#
+##spamicity_tags = Yes, No, Unsure
+##spamicity_formats = %0.6f, %0.6f, %0.6f
+
+#### Format of SPAM_HEADER
+#
+#	formatting characters:
+#
+#	    h - spam_header_name, e.g. "X-Bogosity"
+#
+#	    c - classification, e.g. Yes/No, Spam/Ham/Unsure, +/-/?
+#
+#	    D - date, fixed ISO-8601 format for Universal Time ("GMT")
+#
+#	    e - spamicity as 'e' format
+#	    f - spamicity as 'f' format
+#	    g - spamicity as 'g' format
+#
+#	    A - IP address (from first Received: statement having one)
+#		Not guaranteed to be the originating address of the message.
+#	    I - Message ID
+#	    Q - Queue ID (from first id tag found in Received: headers)
+#
+#	    l - logging tag (from '-l' option)
+#
+#	    o - spam_cutoff, ex. cutoff=%o
+#
+#	    p - spamicity value
+#	    d - if ham or unsure, the spamicity
+#		if spam, difference of spamicity from 1.0
+#
+#	    r - runtype
+#	        w - word count
+#	        m - message count
+#
+#	    u - username - this will either be the login from getlogin(),
+#			   if that is empty, the pw_name obtained from
+#			   the password database, or the user id
+#			   prefixed by #, for instance, #1003
+#
+#	    v - version
+#
+#    customizable messages:
+#
+#	header_format - the "X-Bogosity" line that '-p' adds to
+#		the message header and '-v' outputs.
+#	terse_format - an abbreviated form of header_format;
+#		selected by command line option '-t'
+#	log_header_format - written to syslog by '-u' option
+#		when classifying messages.
+#	log_update_format - written to syslog by '-u' option
+#		when registering messages.
+#
+#
+header_format = %h: %c, tests=bogofilter, spamicity=%p, version=%v
+terse_format = %1.1c %f
+#log_header_format = %h: %c, spamicity=%p, version=%v
+#log_update_format = register-%r, %w words, %m messages
+##log_header_format = %h: %c, spamicity=%f, ipaddr=%A, queueID=%Q, msgID=%I, version=%v
+
+#### TERSE
+#
+#	if enabled, format the X-Bogosity using the 'terse_format' specificaton.
+#
+terse=no			# default
+##terse=yes			# (alternate)
+
+
+########### Tokenizer Settings ######################################
+
+#### BLOCK ON SUBNETS
+#
+#	convert IPADDRs into a special token, url:1.2.3.4,
+#	and also return url:1.2.3, url:1.2, and url:1
+#	to allow identifying spammers by ip address / subnets.
+#
+#block_on_subnets=no
+
+#### CHARSET handling
+#
+#	specify default charset
+#
+charset_default=iso-8859-1		# default
+#charset_default=us-ascii		# (alternate)
+##charset_default=cp866			# for Russian
+
+#### REPLACE_NONASCII_CHARACTERS
+#
+#	replace non-7bit chars with '?'
+#
+#replace_nonascii_characters=N		# default
+##replace_nonascii_characters=Y		# (alternate)
+
+#### UNICODE handling
+#
+#	boolean indicating whether raw storage (no) or unicode (yes)
+#	is the default encoding for the wordlist
+#
+#unicode=yes				# default
+##unicode=no				# (alternate)
+
+#### lexer parameters
+#
+#	minimum and maximum lengths for single tokens
+#
+#min-token-len=3			# default
+#max-token-len=30			# default
+#
+#	count and length for multi-word tokens
+#	Note: if length not specified, defaults to
+#	      multi-token-count * max-token-len (approx)
+#
+#multi-token-count=1			# default
+#max-multi-token-len=0			# default
+
+########### Classification Constants Settings #######################
+#
+# See man page for a more detailled description of the parameters.
+
+#### MINIMUM DEVIATION
+#
+#	if token spamicity closer to EVEN_ODDS (0.5)
+#	than MIN_DEV, don't use the word in the
+#	spamicity calculation
+#
+#min_dev=0.375				# default
+
+#### Robinson Constants
+#
+#	floating point values for
+#	Robinson S and X coefficients.
+#
+#robs=0.0178				# default
+#robx=0.52				# default
+
+#### CUTOFF Values
+#
+#	both ham_cutoff and spam_cutoff are allowed.
+#	setting ham_cutoff to a non-zero value will
+#	enable tri-state results (Spam/Ham/Unsure).
+#
+#ham_cutoff = 0.45			# default
+#spam_cutoff= 0.99			# default
+#
+#	for two-state classification:
+#
+##ham_cutoff  = 0.00			# default
+##spam_cutoff = 0.99			# default
+
+#### Effective Size Factor Values
+#
+#ns_esf = 1.000				# default
+#sp_esf = 1.000				# default
+
+#### Auto-update threshold
+#
+#	Skip autoupdating if the spamicity is within this value
+#	of 0.000000 (surely ham) or 1.000000 (surely spam).
+#
+## thresh_update=0.01			# (optional)
+
+#### token count parameters
+#
+#	coerce the number of tokens used to score a message
+#	Note: zero means no coercing
+#
+##token_count=0				# default
+##token_count_min=0			# default
+##token_count_max=0			# default
diff --git a/server/setup/05-service-settings/etc/dovecot/conf.d.diff b/server/setup/05-service-settings/etc/dovecot/conf.d.diff
new file mode 100644
index 0000000..2e617cf
--- /dev/null
+++ b/server/setup/05-service-settings/etc/dovecot/conf.d.diff
@@ -0,0 +1,355 @@
+diff -Nur conf.d.orig/10-auth.conf conf.d/10-auth.conf
+--- conf.d.orig/10-auth.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-auth.conf	2013-06-05 22:38:44.722493000 +0200
+@@ -6,20 +6,20 @@
+ # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+ # matches the local IP (ie. you're connecting from the same computer), the
+ # connection is considered secure and plaintext authentication is allowed.
+-#disable_plaintext_auth = yes
++disable_plaintext_auth = yes
+ 
+ # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+ # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+-#auth_cache_size = 0
++auth_cache_size = 10M
+ # Time to live for cached data. After TTL expires the cached record is no
+ # longer used, *except* if the main database lookup returns internal failure.
+ # We also try to handle password changes automatically: If user's previous
+ # authentication was successful, but this one wasn't, the cache isn't used.
+ # For now this works only with plaintext authentication.
+-#auth_cache_ttl = 1 hour
++auth_cache_ttl = 1 hour
+ # TTL for negative hits (user not found, password mismatch).
+ # 0 disables caching them completely.
+-#auth_cache_negative_ttl = 1 hour
++auth_cache_negative_ttl = 1 hour
+ 
+ # Space separated list of realms for SASL authentication mechanisms that need
+ # them. You can leave it empty if you don't want to support multiple realms.
+diff -Nur conf.d.orig/10-logging.conf conf.d/10-logging.conf
+--- conf.d.orig/10-logging.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-logging.conf	2013-06-05 22:38:44.722879000 +0200
+@@ -5,6 +5,7 @@
+ # Log file to use for error messages. "syslog" logs to syslog,
+ # /dev/stderr logs to stderr.
+ #log_path = syslog
++log_path = /var/log/dovecot.log
+ 
+ # Log file to use for informational messages. Defaults to log_path.
+ #info_log_path = 
+@@ -14,14 +15,14 @@
+ # Syslog facility to use if you're logging to syslog. Usually if you don't
+ # want to use "mail", you'll use local0..local7. Also other standard
+ # facilities are supported.
+-#syslog_facility = mail
++syslog_facility = mail
+ 
+ ##
+ ## Logging verbosity and debugging.
+ ##
+ 
+ # Log unsuccessful authentication attempts and the reasons why they failed.
+-#auth_verbose = no
++auth_verbose = yes
+ 
+ # In case of password mismatches, log the attempted password. Valid values are
+ # no, plain and sha1. sha1 can be useful for detecting brute force password
+diff -Nur conf.d.orig/10-mail.conf conf.d/10-mail.conf
+--- conf.d.orig/10-mail.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-mail.conf	2013-06-05 22:44:18.646267000 +0200
+@@ -27,7 +27,10 @@
+ #
+ # <doc/wiki/MailLocation.txt>
+ #
+-mail_location = mbox:~/mail:INBOX=/var/mail/%u
++# mail_location = mbox:~/mail:INBOX=/var/mail/%u
++# mail_location = 
++# mail_location = mbox:~/mail:INBOX=/var/mail/%u
++mail_location = mdbox:~/mdbox
+ 
+ # If you need to set multiple mailbox locations or want to change default
+ # namespace settings, you can do it by defining namespace sections.
+@@ -41,7 +44,7 @@
+ # on filesystem level to do so.
+ namespace inbox {
+   # Namespace type: private, shared or public
+-  #type = private
++  type = private
+ 
+   # Hierarchy separator to use. You should use the same separator for all
+   # namespaces or some clients get confused. '/' is usually a good one.
+@@ -65,38 +68,51 @@
+   # useful when converting from another server with different namespaces which
+   # you want to deprecate but still keep working. For example you can create
+   # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+-  #hidden = no
++  hidden = no
+ 
+   # Show the mailboxes under this namespace with LIST command. This makes the
+   # namespace visible for clients that don't support NAMESPACE extension.
+   # "children" value lists child mailboxes, but hides the namespace prefix.
+-  #list = yes
++  list = yes
+ 
+   # Namespace handles its own subscriptions. If set to "no", the parent
+   # namespace handles them (empty prefix should always have this as "yes")
+-  #subscriptions = yes
++  subscriptions = yes
++}
++
++namespace local {
++  type = private
++  separator = /
++  prefix = Maildir/
++  location = maildir:~/Maildir
++  inbox = no
++  hidden = no
++  list = yes
++  subscriptions = no
+ }
+ 
+ # Example shared namespace configuration
+-#namespace {
+-  #type = shared
+-  #separator = /
++namespace {
++  type = shared
++  separator = /
+ 
+   # Mailboxes are visible under "shared/user@domain/"
+   # %%n, %%d and %%u are expanded to the destination user.
+-  #prefix = shared/%%u/
++  prefix = shared/%%u/
+ 
+   # Mail location for other users' mailboxes. Note that %variables and ~/
+   # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+   # destination user's data.
+   #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
++  location = mdbox:%%h/mdbox/
+ 
+   # Use the default namespace for saving subscriptions.
+-  #subscriptions = no
++  subscriptions = no
+ 
+   # List the shared/ namespace only if there are visible shared mailboxes.
+-  #list = children
+-#}
++  list = children
++}
++
+ # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+ #mail_shared_explicit_inbox = yes
+ 
+@@ -116,7 +132,7 @@
+ # dangerous to set these if users can create symlinks (e.g. if "mail" group is
+ # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+ # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+-#mail_access_groups =
++mail_access_groups = mail
+ 
+ # Allow full filesystem access to clients. There's no access checks other than
+ # what the operating system does for the active UID/GID. It works with both
+@@ -194,14 +210,14 @@
+ 
+ # UNIX socket path to master authentication server to find users.
+ # This is used by imap (for shared users) and lda.
+-#auth_socket_path = /var/run/dovecot/auth-userdb
++auth_socket_path = /var/run/dovecot/auth-userdb
+ 
+ # Directory where to look up mail plugins.
+ #mail_plugin_dir = /usr/lib/dovecot/modules
+ 
+ # Space separated list of plugins to load for all services. Plugins specific to
+ # IMAP, LDA, etc. are added to this list in their own .conf files.
+-#mail_plugins = 
++mail_plugins = acl
+ 
+ ##
+ ## Mailbox handling optimizations
+diff -Nur conf.d.orig/10-master.conf conf.d/10-master.conf
+--- conf.d.orig/10-master.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-master.conf	2013-06-06 00:25:02.628967000 +0200
+@@ -17,10 +17,11 @@
+ service imap-login {
+   inet_listener imap {
+     #port = 143
++    port = 0
+   }
+   inet_listener imaps {
+-    #port = 993
+-    #ssl = yes
++    port = 993
++    ssl = yes
+   }
+ 
+   # Number of connections to handle before starting a new process. Typically
+@@ -38,10 +39,11 @@
+ service pop3-login {
+   inet_listener pop3 {
+     #port = 110
++    port = 0
+   }
+   inet_listener pop3s {
+-    #port = 995
+-    #ssl = yes
++    port = 995
++    ssl = yes
+   }
+ }
+ 
+@@ -62,6 +64,7 @@
+   # Most of the memory goes to mmap()ing files. You may need to increase this
+   # limit if you have huge mailboxes.
+   #vsz_limit = $default_vsz_limit
++  vsz_limit = 2048M
+ 
+   # Max. number of IMAP processes (connections)
+   #process_limit = 1024
+diff -Nur conf.d.orig/10-ssl.conf conf.d/10-ssl.conf
+--- conf.d.orig/10-ssl.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-ssl.conf	2013-06-06 00:30:58.227832000 +0200
+@@ -4,13 +4,16 @@
+ 
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ #ssl = yes
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-ssl_cert = </etc/dovecot/dovecot.pem
+-ssl_key = </etc/dovecot/private/dovecot.pem
++#ssl_cert = </etc/dovecot/dovecot.pem
++#ssl_key = </etc/dovecot/private/dovecot.pem
++ssl_cert = </etc/ssl/local/jogamp2013-hostcert.pem
++ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
+ 
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter. Since this file is often
+@@ -22,6 +25,7 @@
+ # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+ # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+ #ssl_ca = 
++ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+ 
+ # Require that CRL check succeeds for client certificates.
+ #ssl_require_crl = yes
+diff -Nur conf.d.orig/15-lda.conf conf.d/15-lda.conf
+--- conf.d.orig/15-lda.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/15-lda.conf	2013-06-05 22:38:44.724403000 +0200
+@@ -37,12 +37,12 @@
+ #lda_original_recipient_header =
+ 
+ # Should saving a mail to a nonexistent mailbox automatically create it?
+-#lda_mailbox_autocreate = no
++lda_mailbox_autocreate = yes
+ 
+ # Should automatically created mailboxes be also automatically subscribed?
+-#lda_mailbox_autosubscribe = no
++lda_mailbox_autosubscribe = yes
+ 
+ protocol lda {
+   # Space separated list of plugins to load (default is global mail_plugins).
+-  #mail_plugins = $mail_plugins
++  mail_plugins = $mail_plugins sieve
+ }
+diff -Nur conf.d.orig/20-imap.conf conf.d/20-imap.conf
+--- conf.d.orig/20-imap.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-imap.conf	2013-06-05 22:38:44.724715000 +0200
+@@ -14,6 +14,7 @@
+ 
+   # Space separated list of plugins to load (default is global mail_plugins).
+   #mail_plugins = $mail_plugins
++  mail_plugins = $mail_plugins imap_acl
+ 
+   # IMAP logout format string:
+   #  %i - total number of bytes read from client
+diff -Nur conf.d.orig/20-lmtp.conf conf.d/20-lmtp.conf
+--- conf.d.orig/20-lmtp.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-lmtp.conf	2013-06-05 22:38:44.725026000 +0200
+@@ -12,5 +12,5 @@
+ 
+ protocol lmtp {
+   # Space separated list of plugins to load (default is global mail_plugins).
+-  #mail_plugins = $mail_plugins
++  mail_plugins = $mail_plugins sieve
+ }
+diff -Nur conf.d.orig/20-managesieve.conf conf.d/20-managesieve.conf
+--- conf.d.orig/20-managesieve.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-managesieve.conf	2013-06-06 01:10:53.662647000 +0200
+@@ -4,7 +4,7 @@
+ 
+ # Service definitions
+ 
+-#service managesieve-login {
++service managesieve-login {
+   #inet_listener sieve {
+   #  port = 4190
+   #}
+@@ -23,16 +23,16 @@
+ 
+   # If you set service_count=0, you probably need to grow this.
+   #vsz_limit = 64M
+-#}
++}
+ 
+-#service managesieve {
++service managesieve {
+   # Max. number of ManageSieve processes (connections)
+   #process_count = 1024
+-#}
++}
+ 
+ # Service configuration
+ 
+-#protocol sieve {
++protocol sieve {
+   # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+   # not involve overly long command lines, so this setting will not normally
+   # need adjustment 
+@@ -70,4 +70,4 @@
+ 
+   # Refer to 90-sieve.conf for script quota configuration and configuration of 
+   # Sieve execution limits. 
+-#}
++}
+diff -Nur conf.d.orig/90-acl.conf conf.d/90-acl.conf
+--- conf.d.orig/90-acl.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/90-acl.conf	2013-06-05 23:41:19.326258000 +0200
+@@ -9,7 +9,7 @@
+ # specifies how many seconds to wait between stat()ing dovecot-acl file
+ # to see if it changed.
+ plugin {
+-  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
++  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+ }
+ 
+ # To let users LIST mailboxes shared by other users, Dovecot needs a
+diff -Nur conf.d.orig/90-sieve.conf conf.d/90-sieve.conf
+--- conf.d.orig/90-sieve.conf	2013-02-05 02:03:27.000000000 +0100
++++ conf.d/90-sieve.conf	2013-06-05 22:38:44.726032000 +0200
+@@ -17,6 +17,7 @@
+   # --> See sieve_before fore executing scripts before the user's personal
+   #     script.
+   #sieve_default = /var/lib/dovecot/sieve/default.sieve
++  sieve_default = /var/lib/dovecot/sieve/global/default.sieve
+ 
+   # Directory for :personal include scripts for the include extension. This
+   # is also where the ManageSieve service stores the user's scripts.
+@@ -24,6 +25,7 @@
+ 
+   # Directory for :global include scripts for the include extension. 
+   #sieve_global_dir =
++  sieve_global_dir = /var/lib/dovecot/sieve/global/
+ 
+   # Path to a script file or a directory containing script files that need to be
+   # executed before the user's script. If the path points to a directory, all
+@@ -34,6 +36,7 @@
+   #sieve_before =
+   #sieve_before2 =
+   #sieve_before3 = (etc...)
++  sieve_before = /var/lib/dovecot/sieve/prologue.sieve
+ 
+   # Identical to sieve_before, only the specified scripts are executed after the
+   # user's script (only when keep is still in effect!). Multiple script file or
diff --git a/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff
new file mode 100644
index 0000000..d37ff28
--- /dev/null
+++ b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff
@@ -0,0 +1,19 @@
+--- dovecot.conf.orig	2013-02-05 02:03:27.000000000 +0100
++++ dovecot.conf	2013-06-05 22:36:52.290033000 +0200
+@@ -18,6 +18,7 @@
+ 
+ # Enable installed protocols
+ !include_try /usr/share/dovecot/protocols.d/*.protocol
++# protocols = imaps pop3s sieve lmtp
+ 
+ # A comma separated list of IPs or hosts where to listen in for connections. 
+ # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+@@ -35,7 +36,7 @@
+ #instance_name = dovecot
+ 
+ # Greeting message for clients.
+-#login_greeting = Dovecot ready.
++login_greeting = jogamp.org is ready.
+ 
+ # Space separated list of trusted network ranges. Connections from these
+ # IPs are allowed to override their IP addresses and ports (for logging and
diff --git a/server/setup/05-service-settings/etc/logrotate.conf b/server/setup/05-service-settings/etc/logrotate.conf
new file mode 100644
index 0000000..3860fd4
--- /dev/null
+++ b/server/setup/05-service-settings/etc/logrotate.conf
@@ -0,0 +1,32 @@
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+
+# keep 48 weeks (a year) worth of backlogs
+rotate 48
+
+# create new (empty) log files after rotating old ones
+create
+
+# uncomment this if you want your log files compressed
+compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp, or btmp -- we'll rotate them here
+/var/log/wtmp {
+    missingok
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+
+/var/log/btmp {
+    missingok
+    monthly
+    create 0660 root utmp
+    rotate 1
+}
+
+# system-specific logs may be configured here
diff --git a/server/setup/05-service-settings/etc/logrotate.d/rsyslog b/server/setup/05-service-settings/etc/logrotate.d/rsyslog
new file mode 100644
index 0000000..cb5d25f
--- /dev/null
+++ b/server/setup/05-service-settings/etc/logrotate.d/rsyslog
@@ -0,0 +1,39 @@
+/var/log/syslog
+{
+	rotate 7
+	daily
+	missingok
+	notifempty
+	delaycompress
+	compress
+	postrotate
+		invoke-rc.d rsyslog rotate > /dev/null
+	endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+/var/log/firewall
+/var/log/dovecot.log
+{
+	rotate 4
+	weekly
+	missingok
+	notifempty
+	compress
+	delaycompress
+	sharedscripts
+	postrotate
+		invoke-rc.d rsyslog rotate > /dev/null
+	endscript
+}
diff --git a/server/setup/05-service-settings/etc/mail/access b/server/setup/05-service-settings/etc/mail/access
new file mode 100644
index 0000000..b5f0643
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/access
@@ -0,0 +1,145 @@
+# /etc/mail/access
+# Copyright (c) 1998,2004 Richard Nelson <[email protected]>.
+# Time-stamp: <1998/10/27 10:00:00 cowboy>
+# GPL'd config file, please feed any gripes, suggestions, etc. to me
+#
+# Function:
+#	 Access Control for this smtp server - determines:
+#		 * Who we accept mail from
+#		 * Who we accept relaying from
+#		 * Who we will not send to
+#
+# Usage:
+#	 FEATURE(access_db[, type [-o] /etc/mail/access])dnl
+#	 makemap hash access < access
+#
+# Format:
+#	 lhs:
+#		 email addr		 <user@[host.domain]>
+#		 domain name	 unless  FEATURE(relay_hosts_only) is used,
+#			 then this is a fqdn - and relay-domains ($=R)
+#			 must also be fqdns.
+#		 network number  must end on an octet boundary, or
+#			 you're stuck going the longwinded way ;-{
+#	 rhs:
+#		 OK				 accept mail even if other rules in the
+#						 running ruleset would reject it.
+#		 RELAY			 Allow domain to relay through your SMTP
+#						 server.  RELAY also serves an implicit
+#						 OK for the other checks.
+#		 REJECT			 reject the sender/recipient with a general
+#						 purpose message that can be customized.
+#						 confREJECT_MSG [550 Access denied] will be issued
+#		 DISCARD		 discard the message completely using
+#						 the $#discard mailer.
+#		 ### any text	 where ### is an RFC 821 compliant error code
+#				 and "any text" is a message to return for
+#			 the command
+# Examples:
+#	[email protected]			REJECT
+#	FREE.STEALTH.MAILER@	550 Spam not accepted
+#
+# Notes:
+#	With FEATURE(blacklist_recipients) this is also possible:
+#	badlocaluser				 550 Mailbox disabled for this username
+#	host.mydomain.com			 550 That host does not accept mail
+#	[email protected]  550 Mailbox disabled for this recipient
+#
+# Related:
+#	 define(`confREJECT_MSG', `550 Access denied')dnl
+#	 define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl <<- $=R
+#	 FEATURE(relay_hosts_only)dnl
+#	 FEATURE(relay_entire_domain)dnl <<- relays any host in the $=m class
+#	 FEATURE(relay_based_on_MX)dnl <<- relaying for boxes MX'd to you
+#	 FEATURE(blacklist_recipients)dnl
+#	 FEATURE(rbl[,alternate server])dnl
+#	 FEATURE(orbs[,alternate server])dnl   <<- Debian addition
+#	 FEATURE(orca[,alternate server])dnl   <<- Debian addition
+#	 FEATURE(accept_unqualified_senders)dnl
+#	 FEATURE(accept_unresolvable_domains)dnl
+#
+# Local addresses 10.x.x.x, 127.x.x.x, 172.16-31.x.x 192.168.x.x can relay
+# Note Well! You *must* make sure these address can't be spoofed externally
+# Note, outbound relaying is controlled by connection and/or auth
+#	If you're not firewalled, and you don't have a lan, comment these out
+#	If you're not firewalled, and you have a lan, get firewalled *NOW*
+# GreetPause - delay to check for spammers
+# Client Connection rate (and #) control
+Connect:localhost		RELAY
+GreetPause:localhost	0
+ClientRate:localhost	0
+ClientConn:localhost	0
+#Connect:10				RELAY
+#GreetPause:10			0
+#ClientRate:10			0
+#ClientConn:10			0
+Connect:127				RELAY
+GreetPause:127			0
+ClientRate:127			0
+ClientConn:127			0
+Connect:IPv6:::1		RELAY
+GreetPause:IPv6:::1		0
+ClientRate:IPv6:::1		0
+ClientConn:IPv6:::1		0
+#Connect:172.16			RELAY
+#Connect:172.17			RELAY
+#Connect:172.18			RELAY
+#Connect:172.19			RELAY
+#Connect:172.20			RELAY
+#Connect:172.21			RELAY
+#Connect:172.22			RELAY
+#Connect:172.23			RELAY
+#Connect:172.24			RELAY
+#Connect:172.25			RELAY
+#Connect:172.26			RELAY
+#Connect:172.27			RELAY
+#Connect:172.28			RELAY
+#Connect:172.29			RELAY
+#Connect:172.30			RELAY
+#Connect:172.31			RELAY
+#Connect:192.168			RELAY
+#GreetPause:192.168		0
+#ClientRate:192.168		0
+#ClientConn:192.168		0
+
+Connect:144.76.84.102           RELAY
+Connect:2a01:4f8:192:1165::2	RELAY
+GreetPause:144.76.84.102        0
+GreetPause:2a01:4f8:192:1165::2 0
+
+# Defaults
+GreetPause:				5000
+ClientRate:				10
+ClientConn:				10
+#
+# Don't offer AUTH on local network
+#SRV_Features:192.168.1	A
+#
+# Hosts with to allow relaying
+#
+#
+# Hosts that validly forward to me
+#GreetPause:<ip>		0
+#ClientRate:<ip>		30
+#ClientConn:<ip>		0
+#
+# Whitelisted users
+#
+Spam:postmaster@	FRIEND
+Spam:abuse@		FRIEND
+Spam:spam@		FRIEND
+#
+# Blacklisted users
+#
+#Connect:rampellsoft.com 554 Email directly, not through didtheyreadit.com
+reject@			REJECT
+#cyberpromo.com	REJECT
+#From:[email protected] REJECT
+#
+# Block invalid IPs
+#
+#Connect:0      REJECT whilst invalid, this also blocks sendmail -bs -Am
+Connect:169.254 REJECT
+Connect:192.0.2 REJECT
+Connect:224		REJECT
+Connect:255		REJECT
diff --git a/server/setup/05-service-settings/etc/mail/local-host-names b/server/setup/05-service-settings/etc/mail/local-host-names
new file mode 100644
index 0000000..5261b0b
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/local-host-names
@@ -0,0 +1,10 @@
+localhost
+jausoft.com
+mail.jausoft.com
+mcp.jausoft.com
+www.jausoft.com
+www.jausoft.org
+www.jausoft.net
+jausoft.com
+jausoft.org
+jausoft.net
diff --git a/server/setup/05-service-settings/etc/mail/mail.diff b/server/setup/05-service-settings/etc/mail/mail.diff
new file mode 100644
index 0000000..f8d0331
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/mail.diff
@@ -0,0 +1,213 @@
+--- mail.orig/access	2013-06-05 13:30:08.812083000 +0200
++++ mail/access	2013-06-06 01:52:31.460642000 +0200
+@@ -101,6 +101,12 @@
+ #GreetPause:192.168		0
+ #ClientRate:192.168		0
+ #ClientConn:192.168		0
++
++Connect:144.76.84.101           RELAY
++Connect:2a01:4f8:192:1164::2	RELAY
++GreetPause:144.76.84.101        0
++GreetPause:2a01:4f8:192:1164::2 0
++
+ # Defaults
+ GreetPause:				5000
+ ClientRate:				10
+--- mail.orig/local-host-names	2013-06-05 13:30:08.803772000 +0200
++++ mail/local-host-names	2013-06-06 00:06:50.857480000 +0200
+@@ -1,2 +1,4 @@
+ localhost
++mail.jogamp.org
++www.jogamp.org
+ jogamp.org
+--- mail.orig/sendmail.mc	2013-06-05 13:30:07.254441000 +0200
++++ mail/sendmail.mc	2013-06-06 01:51:45.426125000 +0200
+@@ -40,6 +40,34 @@
+ undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
+ dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+ dnl #
++
++dnl # default logging level is 9, you might want to set it higher to
++dnl # debug the configuration
++dnl #
++dnl define(`confLOG_LEVEL', `9')dnl
++dnl define(`confLOG_LEVEL', `22')dnl
++dnl #
++
++dnl #
++dnl # Uncomment and edit the following line if your outgoing mail needs to
++dnl # be sent out through an external mail server:
++dnl #
++dnl define(`SMART_HOST', `smtp.your.provider')dnl
++dnl define(`SMART_HOST',	`smtp:mail.jogamp.org')dnl
++dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
++dnl #
++define(`confDEF_USER_ID', ``8:12'')dnl
++dnl define(`confAUTO_REBUILD')dnl
++define(`confTO_CONNECT', `1m')dnl
++define(`confTO_COMMAND', `2m')dnl
++define(`confTRY_NULL_MX_LIST', `True')dnl
++define(`confDONT_PROBE_INTERFACES', `True')dnl
++define(`UUCP_MAILER_MAX', `2000000')dnl
++define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
++dnl #
++define(`ALIAS_FILE', `/etc/aliases')dnl
++define(`STATUS_FILE', `/var/log/mail/statistics')dnl
++
+ dnl # General defines
+ dnl #
+ dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+@@ -52,15 +80,72 @@
+ dnl # Remove `, Addr=' clauses to receive from any interface
+ dnl # If you want to support IPv6, switch the commented/uncommentd lines
+ dnl #
++
+ FEATURE(`no_default_msa')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1164::2')dnl
+ DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=144.76.84.101')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+ DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1164::2')dnl
++DAEMON_OPTIONS(`Family=inet,  Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
++DAEMON_OPTIONS(`Family=inet,  Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.101')dnl
++
+ dnl #
+ dnl # Be somewhat anal in what we allow
+ define(`confPRIVACY_FLAGS',dnl
+ `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
++dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
++
++dnl define(`confAUTH_OPTIONS', `A')dnl
++dnl #
++dnl # The following allows relaying if the user authenticates, and disallows
++dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
++dnl #
++dnl define(`confAUTH_OPTIONS', `A p')dnl
++define(`confAUTH_OPTIONS', `Apy')dnl
++dnl # 
++dnl # PLAIN is the preferred plaintext authentication method and used by
++dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
++dnl # use LOGIN. Other mechanisms should be used if the connection is not
++dnl # guaranteed secure.
++dnl # Please remember that saslauthd needs to be running for AUTH. 
++dnl #
++dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
++
++dnl #
++dnl # Rudimentary information on creating certificates for sendmail TLS:
++dnl #     cd /usr/share/ssl/certs; make sendmail.pem
++dnl # Complete usage:
++dnl #     make -C /usr/share/ssl/certs usage
++dnl #
++define(`confCACERT_PATH', `/etc/ssl/local')dnl
++dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
++dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
++dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
++dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
++define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
++define(`confSERVER_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confSERVER_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl
++define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++dnl #
++dnl define(`confTO_QUEUEWARN', `4h')dnl
++dnl define(`confTO_QUEUERETURN', `5d')dnl
++dnl define(`confQUEUE_LA', `12')dnl
++dnl define(`confREFUSE_LA', `18')dnl
++define(`confQUEUE_LA', `12')dnl
++define(`confREFUSE_LA', `18')dnl
++define(`confTO_IDENT', `0')dnl
++
+ dnl #
+ dnl # Define connection throttling and window length
+ define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+@@ -68,15 +153,43 @@
+ dnl #
+ dnl # Features
+ dnl #
++
++dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
++FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
++FEATURE(redirect)dnl
++FEATURE(always_add_domain)dnl
++dnl # Masquerading options
++MASQUERADE_AS(`jogamp.org')dnl
++dnl FEATURE(`allmasquerade')dnl
++FEATURE(`masquerade_envelope')dnl
++FEATURE(`masquerade_entire_domain')dnl
++
+ dnl # use /etc/mail/local-host-names
+ FEATURE(`use_cw_file')dnl
++dnl
++dnl # use /etc/mail/trusted-users
++dnl
++FEATURE(use_ct_file)dnl
++dnl #
++
++# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
++# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
++dnl #
++dnl # dovecot
++dnl #
++dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
++dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
++ 
+ dnl #
+ dnl # The access db is the basis for most of sendmail's checking
+-FEATURE(`access_db', , `skip')dnl
++dnl # FEATURE(`access_db', , `skip')dnl
++FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+ dnl #
+ dnl # The greet_pause feature stops some automail bots - but check the
+ dnl # provided access db for details on excluding localhosts...
+-FEATURE(`greet_pause', `1000')dnl 1 seconds
++dnl # configured in file: access
++dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
++FEATURE(`blacklist_recipients')dnl
+ dnl #
+ dnl # Delay_checks allows sender<->recipient checking
+ FEATURE(`delay_checks', `friend', `n')dnl
+@@ -97,8 +210,16 @@
+ include(`/etc/mail/m4/dialup.m4')dnl
+ include(`/etc/mail/m4/provider.m4')dnl
+ dnl #
++dnl # The following example makes mail from this host and any additional
++dnl # specified domains appear to be sent from mydomain.com
++dnl #
+ dnl # Default Mailer setup
+ MAILER_DEFINITIONS
+ MAILER(`local')dnl
+ MAILER(`smtp')dnl
++MAILER(`procmail')dnl
+ 
++dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
++dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
++dnl define(`FAX_MAILER_MAX',`100000000')dnl
++dnl MAILER(`fax')dnl
+--- mail.orig/submit.mc	2013-06-05 13:30:07.256640000 +0200
++++ mail/submit.mc	2013-06-06 00:05:36.459064992 +0200
+@@ -44,6 +44,7 @@
+ dnl MASQUERADE_AS()dnl
+ dnl FEATURE(`masquerade_envelope')dnl
+ dnl #
++FEATURE(`use_ct_file')dnl
+ dnl #---------------------------------------------------------------------
+ dnl # The real reason we're here: the FEATURE(msp)
+ dnl # NOTE WELL:  MSA (587) should have M=Ea, so we need to use stock 25
+--- mail.orig/virtusertable	1970-01-01 01:00:00.000000000 +0100
++++ mail/virtusertable	2013-06-06 02:02:58.162920000 +0200
+@@ -0,0 +1,3 @@
[email protected] mediastream
++
[email protected]     nirvana
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
new file mode 100644
index 0000000..32ec569
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -0,0 +1,228 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: debproto.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 1998-2010 Richard Nelson.  All Rights Reserved.
+#
+# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
+#
+# sendmail.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+#	file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
+# by running this file through the m4 preprocessor via one of the following:
+#	* make   (or make -C /etc/mail)
+#	* sendmailconfig 
+#	* m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
+#
+#  This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-mta')dnl
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+dnl #
+
+dnl # default logging level is 9, you might want to set it higher to
+dnl # debug the configuration
+dnl #
+dnl define(`confLOG_LEVEL', `9')dnl
+dnl define(`confLOG_LEVEL', `22')dnl
+dnl #
+
+dnl #
+dnl # Uncomment and edit the following line if your outgoing mail needs to
+dnl # be sent out through an external mail server:
+dnl #
+dnl define(`SMART_HOST', `smtp.your.provider')dnl
+dnl define(`SMART_HOST',	`smtp:mail.jausoft.com')dnl
+dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
+dnl #
+define(`confDEF_USER_ID', ``8:12'')dnl
+dnl define(`confAUTO_REBUILD')dnl
+define(`confTO_CONNECT', `1m')dnl
+define(`confTO_COMMAND', `2m')dnl
+define(`confTRY_NULL_MX_LIST', `True')dnl
+define(`confDONT_PROBE_INTERFACES', `True')dnl
+define(`UUCP_MAILER_MAX', `2000000')dnl
+define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
+dnl #
+define(`ALIAS_FILE', `/etc/aliases')dnl
+define(`STATUS_FILE', `/var/log/mail/statistics')dnl
+
+dnl # General defines
+dnl #
+dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+dnl #	into this directory before writing files.
+dnl #	If *all* your user accounts are under /home then use that
+dnl #	instead - it will prevent any writes outside of /home !
+dnl #   define(`confSAFE_FILE_ENV',             `')dnl
+dnl #
+dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
+dnl # Remove `, Addr=' clauses to receive from any interface
+dnl # If you want to support IPv6, switch the commented/uncommentd lines
+dnl #
+
+FEATURE(`no_default_msa')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp, Addr=144.76.84.102')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet,  Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet,  Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.102')dnl
+
+dnl #
+dnl # Be somewhat anal in what we allow
+define(`confPRIVACY_FLAGS',dnl
+`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
+dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
+
+dnl define(`confAUTH_OPTIONS', `A')dnl
+dnl #
+dnl # The following allows relaying if the user authenticates, and disallows
+dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
+dnl #
+dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `Apy')dnl
+dnl # 
+dnl # PLAIN is the preferred plaintext authentication method and used by
+dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
+dnl # use LOGIN. Other mechanisms should be used if the connection is not
+dnl # guaranteed secure.
+dnl # Please remember that saslauthd needs to be running for AUTH. 
+dnl #
+dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
+
+dnl #
+dnl # Rudimentary information on creating certificates for sendmail TLS:
+dnl #     cd /usr/share/ssl/certs; make sendmail.pem
+dnl # Complete usage:
+dnl #     make -C /usr/share/ssl/certs usage
+dnl #
+define(`confCACERT_PATH', `/etc/ssl/local')dnl
+dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
+dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
+dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
+define(`confSERVER_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confSERVER_KEY', `/etc/ssl/local/jausoft2013-hostkey.mail.pem')dnl
+define(`confCLIENT_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confCLIENT_KEY', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+dnl #
+dnl define(`confTO_QUEUEWARN', `4h')dnl
+dnl define(`confTO_QUEUERETURN', `5d')dnl
+dnl define(`confQUEUE_LA', `12')dnl
+dnl define(`confREFUSE_LA', `18')dnl
+define(`confQUEUE_LA', `12')dnl
+define(`confREFUSE_LA', `18')dnl
+define(`confTO_IDENT', `0')dnl
+
+dnl #
+dnl # Define connection throttling and window length
+define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
+dnl #
+dnl # Features
+dnl #
+
+dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
+FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
+FEATURE(redirect)dnl
+FEATURE(always_add_domain)dnl
+dnl # Masquerading options
+MASQUERADE_AS(`jausoft.com')dnl
+dnl MASQUERADE_AS(`jausoft.net')dnl
+dnl MASQUERADE_DOMAIN(`jordan.goethel.localnet')dnl
+dnl MASQUERADE_DOMAIN(`goethel.localnet')dnl
+dnl FEATURE(`allmasquerade')dnl
+FEATURE(`masquerade_envelope')dnl
+FEATURE(`masquerade_entire_domain')dnl
+
+dnl # use /etc/mail/local-host-names
+FEATURE(`use_cw_file')dnl
+dnl
+dnl # use /etc/mail/trusted-users
+dnl
+FEATURE(use_ct_file)dnl
+dnl #
+
+# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
+# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
+dnl #
+dnl # dovecot
+dnl #
+dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
+dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
+ 
+dnl #
+dnl # The access db is the basis for most of sendmail's checking
+dnl # FEATURE(`access_db', , `skip')dnl
+FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+dnl #
+dnl # The greet_pause feature stops some automail bots - but check the
+dnl # provided access db for details on excluding localhosts...
+dnl # configured in file: access
+dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
+FEATURE(`blacklist_recipients')dnl
+dnl #
+dnl # Delay_checks allows sender<->recipient checking
+FEATURE(`delay_checks', `friend', `n')dnl
+dnl #
+dnl # If we get too many bad recipients, slow things down...
+define(`confBAD_RCPT_THROTTLE',`3')dnl
+dnl #
+dnl # Stop connections that overflow our concurrent and time connection rates
+FEATURE(`conncontrol', `nodelay', `terminate')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+dnl #
+dnl # If you're on a dialup link, you should enable this - so sendmail
+dnl # will not bring up the link (it will queue mail for later)
+dnl define(`confCON_EXPENSIVE',`True')dnl
+dnl #
+dnl # Dialup/LAN connection overrides
+dnl #
+include(`/etc/mail/m4/dialup.m4')dnl
+include(`/etc/mail/m4/provider.m4')dnl
+dnl #
+dnl # The following example makes mail from this host and any additional
+dnl # specified domains appear to be sent from mydomain.com
+dnl #
+dnl # Default Mailer setup
+MAILER_DEFINITIONS
+MAILER(`local')dnl
+MAILER(`smtp')dnl
+MAILER(`procmail')dnl
+
+dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
+dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
+dnl define(`FAX_MAILER_MAX',`100000000')dnl
+dnl MAILER(`fax')dnl
diff --git a/server/setup/05-service-settings/etc/mail/submit.mc b/server/setup/05-service-settings/etc/mail/submit.mc
new file mode 100644
index 0000000..a304f44
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/submit.mc
@@ -0,0 +1,58 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: submit.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 2000-2010 Richard Nelson.  All Rights Reserved.
+#
+# cf/debian/submit.mc.  Generated from submit.mc.in by configure.
+#
+# submit.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+#	file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/submit.cf
+# by running this file through the m4 preprocessor via one of the following:
+#	* make  (or make -C /etc/mail)
+#	* sendmailconfig
+#	* m4 /etc/mail/submit.mc > /etc/mail/submit.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+#   Copyright (c) 2000-2002 Richard Nelson.  All Rights Reserved.
+#
+#  This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: submit.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-msp')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Masquerading information, if needed, should go here
+dnl # You likely will not need this, as the MTA will do it
+dnl #---------------------------------------------------------------------
+dnl MASQUERADE_AS()dnl
+dnl FEATURE(`masquerade_envelope')dnl
+dnl #
+FEATURE(`use_ct_file')dnl
+dnl #---------------------------------------------------------------------
+dnl # The real reason we're here: the FEATURE(msp)
+dnl # NOTE WELL:  MSA (587) should have M=Ea, so we need to use stock 25
+dnl #---------------------------------------------------------------------
+FEATURE(`msp', `[127.0.0.1]', `25')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Some minor cleanup from FEATURE(msp)
+dnl #---------------------------------------------------------------------
+dnl #
+dnl #---------------------------------------------------------------------
diff --git a/server/setup/05-service-settings/etc/mail/virtusertable b/server/setup/05-service-settings/etc/mail/virtusertable
new file mode 100644
index 0000000..af7dcd0
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/virtusertable
@@ -0,0 +1,33 @@
[email protected]     sgothel
[email protected]        sgothel
[email protected]  sgothel
[email protected]   sgothel
[email protected]        sgothel
[email protected]       sgothel
[email protected]        sgothel
[email protected]      sgothel
+
[email protected]        sgothel
[email protected] sgothel
[email protected]     sgothel
[email protected]   sgothel
[email protected]   sgothel
[email protected]   sgothel
[email protected]   sgothel
[email protected]         sgothel
[email protected]      sgothel
[email protected]         sgothel
+
[email protected]     qgothel
[email protected]      qgothel
[email protected]         qgothel
+
[email protected]     kgothel
[email protected]  kgothel
[email protected] kgothel
+
[email protected]    rsantina
[email protected]    wbaumann
+
[email protected]    nirvana
[email protected]     nirvana
diff --git a/server/setup/05-service-settings/etc/procmailrc b/server/setup/05-service-settings/etc/procmailrc
new file mode 100644
index 0000000..08c0492
--- /dev/null
+++ b/server/setup/05-service-settings/etc/procmailrc
@@ -0,0 +1,29 @@
+# file: /etc/procmailrc
+# system-wide settings for procmail
+SHELL="/bin/bash"
+SENDMAIL="/usr/sbin/sendmail -oi -t"
+LOGFILE="/var/log/procmail.log"
+DELIVER="/usr/lib/dovecot/deliver"
+
+# filter mail through bogofilter, tagging it as Ham, Spam, or Unsure,
+# and updating the wordlist
+:0fw
+| /usr/bin/bogofilter -uep
+
+# if bogofilter failed, return the mail to the queue;
+# the MTA will retry to deliver it later
+# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h
+:0e
+{ EXITCODE=75 HOST }
+
+# deliver to dovecot
+#
+:0 w
+| $DELIVER -d $LOGNAME
+
+# if deliver failed, return the mail to the queue;
+# the MTA will retry to deliver it later
+# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h
+:0e
+{ EXITCODE=75 HOST }
+
diff --git a/server/setup/05-service-settings/etc/rsyslog.conf b/server/setup/05-service-settings/etc/rsyslog.conf
new file mode 100644
index 0000000..e4bf2cd
--- /dev/null
+++ b/server/setup/05-service-settings/etc/rsyslog.conf
@@ -0,0 +1,123 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+kern.debug          -/var/log/firewall
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none;kern.!=debug;mail.none	-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*;;kern.!=debug    -/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;kern.!=debug;\
+	auth,authpriv.none;\
+	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+# 
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+daemon.*;mail.*;\
+	news.err;\
+	*.=debug;*.=info;\
+	*.=notice;*.=warn	|/dev/xconsole
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
@@ -0,0 +1 @@
+
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
new file mode 100644
index 0000000..c66db85
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
@@ -0,0 +1,11 @@
+require ["copy", "fileinto", "mailbox"];
+
+#
+# Spam First
+#
+if header :matches "X-Bogosity" "Spam*" {
+   fileinto :create "0-Spam";
+} elsif header :matches "X-Bogosity" "Unsure*" {
+   fileinto :create :copy "0-Spam-unsure-copy";
+}
+