Building a Mailserver

This is a multi-part article. There are too many components to fit all of them into a single writeup. The first part will cover the FreeBSD install and initial setup of the OS.

I’ve discussed various components of mailservers before, but this will cover building one from the ground up. For simplicity, all this is done in VMware Fusion. It could just as easily be done with VirtualBox, Parallels, ESX, bhyve, or actual hardware. I’ve tried to arrange the subtopics in an order that facilitates testing the component(s) before moving forward. I’ve also made an effort to have as many services speaking over SSL as possible. Where something doesn’t speak over SSL, I will explicitly note it.

This is very much a self-contained box. It doesn’t have to be done this way; in fact, there could be good reasons to do it differently (you may want to have your web server on a different host, you might want to have your IMAP server on a different host). For the purpose of illustration, it’s easier to put it all in one box, but I’ve gone to some effort to construct it in such a way that you can move any of the components to other hosts. At the end is a diagram showing how services could be split up/broken out across a multitude of hosts, including some load balancers/proxies where appropriate.

Installation

The only shortcut I took was to provision a single disk. If you’re working with hardware, you would want some kind of redundancy (multiple disks) so ZFS can actually benefit you. Before taking this beyond a proof of concept, please ensure that you have sufficient redundancy in your storage, either directly through ZFS, or indirectly via your virtualization provider.

This is just a string of images. If you want more details about a FreeBSD install, check out a previous post on how to do a freebsd-install.

FreeBSD update

We start by updating the ports tree, and ensuring FreeBSD is up to date. The portsnap(8) program will fetch the current snapshot of the ports tree, and the freebsd-update(8) program will pull down patches for the current release of FreeBSD. After we’ve done the updates, it’s a good idea to reboot. Until we have sudo(8) installed, these have to be executed as root.

freebsd-update fetch install
portsnap fetch extract
reboot

Basic System Setup

We won’t be needing X11 support, so we can disable that flag when we are building ports (this has the effect of, by default, excluding X11 support in packages we build from source). If you don’t already have an /etc/make.conf file, you can copy the example file from /usr/share/examples/etc/.

We also want to tell all ports to use the OpenSSL port, and then define the OpenSSL port as security/libressl.

# Build ports without X11 support
OPTIONS_UNSET=          X11
# Build ports against security/openssl (replace openssl with libressl if you
# no longer have dependencies on openssl as they can't coexist)
DEFAULT_VERSIONS+=ssl=openssl

We need to create the /usr/local dataset.

zfs create zpool/usr/local

These are reasonable to include for our system (/etc/rc.conf). The only one I wouldn’t consider to be “default” is the ’local_unbound’, but since we’ll be doing lots of DNS lookups, a local cache makes sense.

# rc.conf is read by sh(1), so there must be no spaces around '='
dumpdev="AUTO"
hostname="mx.cryptomonkeys.net"
ifconfig_em0="192.168.3.60"
defaultrouter="192.168.3.1"
ifconfig_em0_ipv6="inet6 2001:db8::3:60/64"
ipv6_defaultrouter="2001:db8::3:1"
# Local caching resolver
local_unbound_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
sshd_enable="YES"
zfs_enable="YES"

I typically comment out the forwarder.conf line in /etc/unbound/unbound.conf. This causes unbound to make lookups against the root servers.

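If you don’t make any other modifications to /etc/ssh/sshd_config, do this one. It turns off keyboard-interactive (PAM) logins; because FreeBSD’s stock sshd_config already leaves PasswordAuthentication off, this restricts SSH to public key only. If you want more on securing SSH, see the footnotes section on Securing the Secure Shell.

ChallengeResponseAuthentication no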
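
One way to confirm the result, as an added example that is not part of the original article: the function below reads the effective configuration that sshd -T prints and reports whether anything other than public-key authentication is still enabled. The function name and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit which login methods sshd offers.
# On the server, as root:  sshd -T | ssh_auth_audit

# ssh_auth_audit: reads "key value" lines on stdin (sshd -T prints keys in
# lower case) and prints one line per finding. Returns 0 only when public-key
# authentication is on and password and keyboard-interactive logins are off.
# A setting that is missing from the input counts as a failure.
ssh_auth_audit() {
    awk '
        function show(v) { return v == "" ? "(not reported)" : v }
        $1 == "pubkeyauthentication"   { pubkey = $2 }
        $1 == "passwordauthentication" { password = $2 }
        # ChallengeResponseAuthentication is the older name for
        # KbdInteractiveAuthentication; "yes" on either one enables it.
        $1 ~ /^(challengeresponse|kbdinteractive)authentication$/ {
            if ($2 == "yes" || kbd == "") kbd = $2
        }
        END {
            bad = 0
            if (pubkey != "yes")  { print "FAIL pubkeyauthentication=" show(pubkey); bad = 1 }
            if (password != "no") { print "FAIL passwordauthentication=" show(password); bad = 1 }
            if (kbd != "no")      { print "FAIL keyboard-interactive=" show(kbd); bad = 1 }
            if (!bad) print "OK public key only"
            exit bad
        }
    '
}

# Constructed sample: keyboard-interactive logins are still offered.
sample_before() {
    cat <<'EOF'
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication yes
kbdinteractiveauthentication yes
EOF
}

# Constructed sample: after adding "ChallengeResponseAuthentication no".
sample_after() {
    cat <<'EOF'
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
kbdinteractiveauthentication no
EOF
}

echo "before:"; sample_before | ssh_auth_audit || true
echo "after:";  sample_after  | ssh_auth_audit
```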

pf firewall

Every box needs a firewall. It doesn’t have to be pf, but pf does offer lots of nice features. I’ve taken the sample from Calomel’s pf and modified it. You can also find more documentation in the FreeBSD Handbook.

Enable it with sysrc (which writes to /etc/rc.conf):

sudo sysrc pf_enable=YES
sudo sysrc pflog_enable=YES

Here is the /etc/pf.conf.

#
### Calomel.org pf.conf
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ###################################

### Interfaces (ensure the correct interface or traffic will be dropped) ###
ExtIf ="vmx0"

# Internal networks
CMHome_Net_v4 = "192.168.0.0/20"
CMHome_Net_v6 = "fc00:101:ca7::/48"

# Internal networks excluding IoT subnet
CMHome_Net_v4_No_IoT = "{ 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/24, 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.15.0/24 }"
CMHome_Net_v6_No_IoT = "{ fc00:101:ca7::/64, fc00:101:ca7:1::/64, fc00:101:ca7:2::/64, fc00:101:ca7:3::/64, fc00:101:ca7:4::/64, fc00:101:ca7:5::/64, fc00:101:ca7:6::/64, fc00:101:ca7:7::/64, fc00:101:ca7:8::/64, fc00:101:ca7:10::/64 }"

# Monitoring host
Zabbix_v4 ="{ 192.168.3.200/32, 192.168.3.10/32 }"
Zabbix_v6 ="{ fc00:101:ca7:3::200/128, fc00:101:ca7:3::10/128 }"

# Salt host
Salt_v4 ="192.168.3.250/32"
Salt_v6 ="fc00:101:ca7:2::250/128"

### States and Types ###
ICMP4_Types="{ echoreq, unreach }"
ICMP6_Types="{ 1, 2, 3, 4, 128, 129, 133, 134, 135, 136, 137 }"
SYN_State ="flags S/SA synproxy state"
TCP_State ="flags S/SA modulate state"
UDP_State ="keep state"

### Ports ###
Anti_Scan_Port="{23, 24, 26:79, 6000:8000}"
Mail_Port="{ 25, 465, 587, 993, 995 }"
Web_Port="{ 80, 443 }"
UniFi_TCP_Port="{ 8080, 8443, 8880, 8843 }"
UniFi_UDP_Port="{ 3478, 10001 }"
Gogs_SSH_Port="2222"
DHCP4_Port="{ 67:68 }"
DHCP6_Port="{ 546:547 }"
DNS_Port="53"
Zabbix_Client_Port="10050"
Zabbix_Server_Port="{ 10051, 10052 }"
Salt_Server_Port="4506"
SSH_Port="22"
Syslog_Port="514"
Filebeat_Port="5044"

### Stateful Tracking Options (STO) ###
Open_STO     ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
Mail_STO     ="(max 20000, source-track rule, max-src-conn 1000, max-src-nodes 512, max-src-conn-rate 500/100)"
SSH_STO      ="(max    20, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 5/3,     overload <SSHGUARD>  flush global)"
Web_STO      ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
Anti_Scan_STO ="(max    60,  source-track rule, max-src-conn  1, max-src-nodes  60, max-src-conn-rate 1/60,    overload <BLACKLIST> flush global)"

### Tables ###
table <SSHGUARD> counters
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/etc/pf_block_permanent"
table <BLACKLIST> persist
table <WHITELIST> counters file "/etc/pf_whitelist"

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble

################ Filtering ###################################################
# Rules are best (closest) match. Notice we optimized the rules so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
block drop in  log quick on $ExtIf           from <BLOCKPERM>   to any
block drop in  log quick on $ExtIf proto udp from <BLOCKTEMP>   to any
block drop in  log quick on $ExtIf proto tcp from <SSHGUARD>    to any
block drop in  log quick on $ExtIf proto tcp from <BLOCKTEMP>   to any port != $SSH_Port
block drop in  log quick on $ExtIf           from <BLACKLIST>   to any

### $ExtIf default block with drop
block drop in  log       on $ExtIf

### $ExtIf inbound

# Whitelist (is this necessary?)
#pass in quick on $ExtIf inet   proto tcp   from <WHITELIST>     to ($ExtIf)                             $TCP_State
#pass in quick on $ExtIf inet6  proto tcp   from <WHITELIST>     to ($ExtIf)                             $TCP_State

# Zabbix Server queries
#pass in quick on $ExtIf inet   proto tcp   from any             to ($ExtIf)   port $Zabbix_Server_Port  $TCP_State $Open_STO
#pass in quick on $ExtIf inet6  proto tcp   from any             to ($ExtIf)   port $Zabbix_Server_Port  $TCP_State $Open_STO
#pass in quick on $ExtIf inet   proto udp   from any             to ($ExtIf)   port $Zabbix_Server_Port  $UDP_State $Open_STO
#pass in quick on $ExtIf inet6  proto udp   from any             to ($ExtIf)   port $Zabbix_Server_Port  $UDP_State $Open_STO

# Salt Server ports
#pass in quick on $ExtIf inet   proto tcp   from $CMHome_Net_v4  to $Salt_v4   port $Salt_Server_Port   $TCP_State $Open_STO
#pass in quick on $ExtIf inet6  proto tcp   from $CMHome_Net_v6  to $Salt_v6   port $Salt_Server_Port   $TCP_State $Open_STO
#pass in quick on $ExtIf inet   proto udp   from $CMHome_Net_v4  to $Salt_v4   port $Salt_Server_Port   $UDP_State $Open_STO
#pass in quick on $ExtIf inet6  proto udp   from $CMHome_Net_v6  to $Salt_v6   port $Salt_Server_Port   $UDP_State $Open_STO

# DNS/DHCP Server
#pass in quick on $ExtIf inet   proto tcp   from any             to ($ExtIf)   port $DNS_Port            $TCP_State $Open_STO
#pass in quick on $ExtIf inet6  proto tcp   from any             to ($ExtIf)   port $DNS_Port            $TCP_State $Open_STO
#pass in quick on $ExtIf inet   proto udp   from any             to ($ExtIf)   port $DNS_Port            $UDP_State $Open_STO
#pass in quick on $ExtIf inet6  proto udp   from any             to ($ExtIf)   port $DNS_Port            $UDP_State $Open_STO
#pass in quick on $ExtIf inet   proto tcp   from any             to ($ExtIf)   port $DHCP4_Port          $TCP_State
#pass in quick on $ExtIf inet   proto udp   from any             to ($ExtIf)   port $DHCP4_Port          $UDP_State
#pass in quick on $ExtIf inet6  proto tcp   from any             to ($ExtIf)   port $DHCP6_Port          $TCP_State
#pass in quick on $ExtIf inet6  proto udp   from any             to ($ExtIf)   port $DHCP6_Port          $UDP_State

# Web services
pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $Web_Port            $TCP_State $Web_STO
pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $Web_Port            $TCP_State $Web_STO
#pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $UniFi_TCP_Port      $TCP_State $Web_STO
#pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $UniFi_TCP_Port      $TCP_State $Web_STO
#pass in       on $ExtIf inet   proto udp   from !($ExtIf)       to ($ExtIf)   port $UniFi_UDP_Port      $UDP_State
#pass in       on $ExtIf inet6  proto udp   from !($ExtIf)       to ($ExtIf)   port $UniFi_UDP_Port      $UDP_State

# Gogs services
#pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $Gogs_SSH_Port       $TCP_State $SSH_STO
#pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $Gogs_SSH_Port       $TCP_State $SSH_STO

# Log collection
#pass in       on $ExtIf inet   proto udp   from $CMHome_Net_v4  to ($ExtIf)   port $Syslog_Port         $UDP_State
#pass in       on $ExtIf inet6  proto udp   from $CMHome_Net_v6  to ($ExtIf)   port $Syslog_Port         $UDP_State

# Filebeat (logstash)
#pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $Filebeat_Port     $TCP_State $SSH_STO
#pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $Filebeat_Port     $TCP_State $SSH_STO

# Mail
pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $Mail_Port           $TCP_State $Mail_STO
pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $Mail_Port           $TCP_State $Mail_STO

### Shouldn't need to modify below here ###

# Zabbix Client queries
pass in quick on $ExtIf inet   proto tcp   from $Zabbix_v4      to ($ExtIf)   port $Zabbix_Client_Port  $TCP_State $Open_STO
pass in quick on $ExtIf inet6  proto tcp   from $Zabbix_v6      to ($ExtIf)   port $Zabbix_Client_Port  $TCP_State $Open_STO
pass in quick on $ExtIf inet   proto udp   from $Zabbix_v4      to ($ExtIf)   port $Zabbix_Client_Port  $UDP_State $Open_STO
pass in quick on $ExtIf inet6  proto udp   from $Zabbix_v6      to ($ExtIf)   port $Zabbix_Client_Port  $UDP_State $Open_STO

# SSH
pass in       on $ExtIf inet   proto tcp   from !($ExtIf)       to ($ExtIf)   port $SSH_Port            $TCP_State $SSH_STO
pass in       on $ExtIf inet6  proto tcp   from !($ExtIf)       to ($ExtIf)   port $SSH_Port            $TCP_State $SSH_STO

# NTP Multicast
pass  in       on $ExtIf inet6  proto udp  from any             to ff02::1010 port 123

# mDNS
pass  in       on $ExtIf inet6  proto udp  from any             to ff02::fb   port 5353

# ICMP
pass in       on $ExtIf inet   proto icmp       from !($ExtIf)  to any icmp-type  $ICMP4_Types          $UDP_State $Open_STO
pass in       on $ExtIf inet6  proto ipv6-icmp  from any        to any icmp6-type $ICMP6_Types          $UDP_State
pass in       on $ExtIf inet6  proto ipv6-icmp  from any        to FF02::/16                            $UDP_State
pass in       on $ExtIf inet6  proto ipv6-icmp  from fe80::/10  to fe80::/10                            $UDP_State
pass in       on $ExtIf inet6  proto ipv6-icmp  from fe80::/10  to ff02::/16                            $UDP_State

# Antiscan bits
pass in       on $ExtIf inet   proto tcp   from any             to any        port $Anti_Scan_Port      $TCP_State $Anti_Scan_STO
pass in       on $ExtIf inet6  proto tcp   from any             to any        port $Anti_Scan_Port      $TCP_State $Anti_Scan_STO

### $ExtIf outbound
pass out      on $ExtIf inet   proto tcp   from ($ExtIf)        to any                                  $TCP_State $Open_STO
pass out      on $ExtIf inet6  proto tcp   from ($ExtIf)        to any                                  $TCP_State $Open_STO
pass out      on $ExtIf inet   proto udp   from ($ExtIf)        to any                                  $UDP_State $Open_STO
pass out      on $ExtIf inet6  proto udp   from ($ExtIf)        to any                                  $UDP_State $Open_STO
pass out      on $ExtIf inet   proto icmp  from ($ExtIf)        to any                                  $UDP_State $Open_STO
pass out      on $ExtIf inet6  proto icmp6 from ($ExtIf)        to any                                  $UDP_State $Open_STO

############# END of FreeBSD pf.conf https://calomel.org #######################

I’ve defined a couple of file-backed tables in the ruleset. You will need to create their files before pf will start.

  1. touch /etc/pf_block_permanent
  2. touch /etc/pf_whitelist

Now we can start pf with either:

  1. reboot
  2. service pf start

NOTE: If you choose the second, and you are connected over SSH, it will kill your connection. You will have to re-login.
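
A pre-flight check for the steps above, as an added example that is not part of the original article: it lists the table files that pf.conf references, reports any that are missing, and then asks pfctl to parse the ruleset without loading it. The function names, the optional scratch-root argument, and the commented-out OLDLIST table in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight for a pf ruleset that uses
# file-backed tables. Function names and the ROOT argument are illustrative.

# pf_table_files CONF
# Print the path from every  table <NAME> ... file "PATH"  line in CONF.
# Commented-out lines are skipped. Assumes one file per table line.
pf_table_files() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<[^>]*>[^#]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# pf_missing_table_files CONF [ROOT]
# Print the referenced table files that do not exist. ROOT is prepended to
# each path so the check can be tried against a scratch directory.
pf_missing_table_files() {
    pf_table_files "$1" | while IFS= read -r path; do
        [ -e "${2:-}$path" ] || printf '%s\n' "$path"
    done
}

# pf_preflight CONF [ROOT]
# Return 1 if a table file is missing. Otherwise, where pfctl is installed,
# parse the ruleset without loading it (pfctl -n) and return its status.
pf_preflight() {
    missing=$(pf_missing_table_files "$1" "${2:-}")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing table file: /' >&2
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# Constructed sample: the table section of the ruleset above, plus one
# commented-out table (OLDLIST, made up) to show that it is ignored.
sample_pf_conf() {
    cat <<'EOF'
table <SSHGUARD> counters
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/etc/pf_block_permanent"
table <BLACKLIST> persist
table <WHITELIST> counters file "/etc/pf_whitelist"
#table <OLDLIST> persist file "/etc/pf_old"
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use, as root:  sh pf-preflight.sh /etc/pf.conf
    pf_preflight "$1"
else
    # No argument: run against the sample in an empty scratch directory,
    # where both table files are expected to be reported as missing.
    scratch=$(mktemp -d)
    sample_pf_conf > "$scratch/pf.conf"
    echo "missing under $scratch:"
    pf_missing_table_files "$scratch/pf.conf" "$scratch"
    rm -rf "$scratch"
fi
```

Running it before "service pf start" catches a missing table file or a syntax error while the existing SSH session is still up.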

What ports do we install?

There are a number of packages that need to be installed. Installing them will pull in many others as dependencies. My total list of installed ports is around 170.

I start off with a couple ports to make things easier.

pkg install sudo tmux portmaster

Then I move on to install the rest of the ports that will be needed.

archivers/arc
archivers/arj
archivers/cabextract
archivers/freeze
archivers/lha
archivers/libarchive
archivers/liblz4
archivers/libmspack
archivers/libzip
archivers/lzo2
archivers/lzop
archivers/p5-Archive-Zip
archivers/p7zip
archivers/php56-bz2
archivers/php56-zip
archivers/php56-zlib
archivers/rar
archivers/rpm2cpio
archivers/unarj
archivers/unrar
archivers/unzoo
archivers/zoo
converters/libiconv
converters/p5-Convert-BinHex
converters/p5-Convert-TNEF
converters/p5-Convert-UUlib
converters/p5-Encode-Detect
converters/p5-JSON-PP
converters/php56-iconv
converters/php56-mbstring
converters/tnef
databases/db5
databases/gdbm
databases/p5-BerkeleyDB
databases/p5-DBD-Pg
databases/p5-DBI
databases/pgbouncer
databases/php56-pdo
databases/php56-pdo_pgsql
databases/php56-pgsql
databases/phppgadmin
databases/postgresql96-client
databases/py-gdbm
databases/py-sqlite3
databases/sqlite3
devel/apr1
devel/autoconf
devel/autoconf-wrapper
devel/automake
devel/automake-wrapper
devel/bison
devel/boehm-gc
devel/boost-jam
devel/boost-libs
devel/cmake
devel/cmake-modules
devel/gettext-runtime
devel/gettext-tools
devel/git
devel/glib20
devel/gmake
devel/icu
devel/jansson
devel/json-c
devel/jsoncpp
devel/libatomic_ops
devel/libedit
devel/libev
devel/libevent
devel/libffi
devel/libltdl
devel/libsigsegv
devel/libtool
devel/libunistring
devel/libuv
devel/llvm36
devel/m4
devel/nasm
devel/npth
devel/oniguruma5
devel/p5-Algorithm-C3
devel/p5-B-Hooks-EndOfScope
devel/p5-CPAN-Meta
devel/p5-Cache-FastMmap
devel/p5-Canary-Stability
devel/p5-Carp-Clan
devel/p5-Class-C3
devel/p5-Class-Data-Inheritable
devel/p5-Class-Inspector
devel/p5-Class-Method-Modifiers
devel/p5-Class-Singleton
devel/p5-Config-IniFiles
devel/p5-Data-OptList
devel/p5-Date-Calc
devel/p5-DateTime
devel/p5-DateTime-Format-Mail
devel/p5-DateTime-Locale
devel/p5-DateTime-TimeZone
devel/p5-Devel-GlobalDestruction
devel/p5-Devel-StackTrace
devel/p5-Dist-CheckConflicts
devel/p5-Eval-Closure
devel/p5-Exception-Class
devel/p5-Exporter-Tiny
devel/p5-File-ShareDir
devel/p5-File-ShareDir-Install
devel/p5-File-Slurp
devel/p5-FileHandle-Unget
devel/p5-IO-Multiplex
devel/p5-IO-stringy
devel/p5-IPC-Signal
devel/p5-List-AllUtils
devel/p5-List-SomeUtils
devel/p5-List-SomeUtils-XS
devel/p5-List-UtilsBy
devel/p5-Locale-gettext
devel/p5-Log-Dispatch
devel/p5-Log-Log4perl
devel/p5-MRO-Compat
devel/p5-Module-Build
devel/p5-Module-Implementation
devel/p5-Module-Runtime
devel/p5-Package-Stash
devel/p5-Package-Stash-XS
devel/p5-Params-Util
devel/p5-Params-Validate
devel/p5-Params-ValidationCompiler
devel/p5-Proc-WaitStat
devel/p5-Role-Tiny
devel/p5-Specio
devel/p5-Sub-Exporter
devel/p5-Sub-Exporter-Progressive
devel/p5-Sub-Identify
devel/p5-Sub-Install
devel/p5-Term-ANSIColor
devel/p5-Test-NoWarnings
devel/p5-Time-Local
devel/p5-TimeDate
devel/p5-Variable-Magic
devel/p5-namespace-autoclean
devel/p5-namespace-clean
devel/pcre
devel/pecl-intl
devel/php56-json
devel/pkgconf
devel/py-Jinja2
devel/py-babel
devel/py-backports_abc
devel/py-botocore
devel/py-dateutil
devel/py-enum34
devel/py-futures
devel/py-ioflo
devel/py-jmespath
devel/py-msgpack-python
devel/py-pytz
devel/py-singledispatch
devel/py-six
devel/py-yaml
devel/py27-setuptools
devel/re2c
devel/readline
devel/scons
devel/t1lib
dns/bind-tools
dns/c-ares
dns/idnkit
dns/libidn
dns/p5-Net-DNS
dns/p5-Net-DNS-Resolver-Programmable
dns/p5-Net-Domain-TLD
dns/p5-Net-LibIDN
editors/vim
emulators/open-vm-tools-nox11
emulators/tpm-emulator
ftp/curl
graphics/gd
graphics/jbigkit
graphics/jpeg-turbo
graphics/p5-GD
graphics/p5-GD-Graph
graphics/p5-GD-Graph3d
graphics/p5-GD-TextUtil
graphics/php56-exif
graphics/php56-gd
graphics/png
graphics/py-imagesize
graphics/tiff
lang/expect
lang/gawk
lang/p5-Error
lang/p5-Scalar-List-Utils
lang/p5-Try-Tiny
lang/perl5.20
lang/php56
lang/python2
lang/python27
lang/ruby23
lang/tcl86
mail/dcc-dccd
mail/dovecot2
mail/dovecot2-antispam-plugin
mail/dovecot2-pigeonhole
mail/dspam
mail/mb2md
mail/mime-construct
mail/opendkim
mail/p5-Email-Valid
mail/p5-MIME-Charset
mail/p5-MIME-EncWords
mail/p5-MIME-Tools
mail/p5-MIME-Types
mail/p5-Mail-DKIM
mail/p5-Mail-Mbox-MessageParser
mail/p5-Mail-MboxParser
mail/p5-Mail-SPF
mail/p5-Mail-Sender
mail/p5-Mail-Sendmail
mail/p5-Mail-Tools
mail/p5-Net-SMTP-SSL
mail/panda-cclient
mail/pflogsumm
mail/php56-imap
mail/policyd2
mail/postfix
mail/postfixadmin
mail/procmail
mail/pyzor
mail/razor-agents
mail/roundcube
mail/roundcube-sieverules
mail/spamassassin
math/gmp
math/p5-Bit-Vector
misc/compat10x
misc/compat9x
misc/dejagnu
misc/getopt
misc/help2man
misc/py-progressbar
net-mgmt/net-snmp
net-mgmt/p5-Net-CIDR
net-mgmt/p5-NetAddr-IP
net-mgmt/zabbix32-agent
net/GeoIP
net/libdnet
net/libzmq4
net/mtr-nox11
net/norm
net/openldap24-client
net/openpgm
net/p5-Geo-IP
net/p5-IO-Socket-INET6
net/p5-IO-Socket-IP
net/p5-Net-Server
net/p5-Socket
net/p5-Socket6
net/p5-URI
net/php56-xmlrpc
net/py-libcloud
net/py-pyzmq
net/py-raet
net/rsync
ports-mgmt/dialog4ports
ports-mgmt/pkg
ports-mgmt/portmaster
print/freetype2
print/indexinfo
print/libpaper
print/texinfo
security/amavisd-new
security/apache-xml-security-c
security/ca_root_nss
security/clamav
security/clamav-unofficial-sigs
security/gnupg
security/gnupg1
security/gnutls
security/heimdal
security/libassuan
security/libgcrypt
security/libgpg-error
security/libksba
security/libmcrypt
security/libsodium
security/libtasn1
security/logcheck
security/nettle
security/openssl
security/p11-kit
security/p5-Authen-SASL
security/p5-Crypt-OpenSSL-Bignum
security/p5-Crypt-OpenSSL-RSA
security/p5-Crypt-OpenSSL-Random
security/p5-Digest-HMAC
security/p5-Digest-SHA1
security/p5-GSSAPI
security/p5-IO-Socket-SSL
security/p5-Net-SSLeay
security/php56-filter
security/php56-mcrypt
security/php56-openssl
security/pinentry
security/pinentry-tty
security/py-certifi
security/py-libnacl
security/py-pycrypto
security/rhash
security/sudo
security/trousers
shells/bash
shells/ksh93
sysutils/apcupsd
sysutils/beadm
sysutils/colorize
sysutils/file
sysutils/fusefs-libs
sysutils/lsof
sysutils/p5-Unix-Syslog
sysutils/php56-fileinfo
sysutils/py-salt
sysutils/tmux
textproc/asciidoc
textproc/aspell
textproc/docbook
textproc/docbook-sgml
textproc/docbook-xml
textproc/docbook-xsl
textproc/expat2
textproc/gsed
textproc/iso8879
textproc/libxml2
textproc/libxslt
textproc/libyaml
textproc/p5-Net-IDN-Encode
textproc/php56-ctype
textproc/php56-dom
textproc/php56-pspell
textproc/php56-simplexml
textproc/php56-xml
textproc/py-MarkupSafe
textproc/py-alabaster
textproc/py-docutils
textproc/py-pygments
textproc/py-pygtail
textproc/py-pystemmer
textproc/py-snowballstemmer
textproc/py-sphinx
textproc/py-sphinx_rtd_theme
textproc/ripole
textproc/sdocbook-xml
textproc/xerces-c3
textproc/xmlcatmgr
textproc/xmlcharent
textproc/xmlto
www/apache24
www/h2o
www/libnghttp2
www/nghttp2
www/p5-CGI
www/p5-HTML-Parser
www/p5-HTML-Tagset
www/p5-HTTP-Date
www/p5-Mozilla-CA
www/php56-session
www/py-requests
www/py-tornado
www/spdylay
www/w3m
x11-fonts/fontconfig

NOTE: You can generate this list with:

pkg info -aoq

Because a number of these have custom options, I suggest building everything from source. The easiest way to install these is probably with portmaster (already installed).

Put this list into a text file. I called mine ‘installed-port-list’. Now that portmaster(8) is installed, you can run:

sudo portmaster `cat /path/to/installed-port-list`

Optionally, you can install the VM tools pkg if you’re not running on actual hardware.

sudo portmaster emulators/open-vm-tools-nox11

Don’t forget to enable the guest services in /etc/rc.conf:

sudo sysrc vmware_guest_vmblock_enable=YES
sudo sysrc vmware_guest_vmhgfs_enable=YES
sudo sysrc vmware_guest_vmmemctl_enable=YES
sudo sysrc vmware_guest_vmxnet_enable=YES
sudo sysrc vmware_guestd_enable=YES

The ports whose build options I changed are shown below. Any port not shown was left at its defaults. They are in no particular order.

Port                            Screenshot
databases/postgresql94-server   port_config_postgresql
ftp/curl                        port_config_curl
mail/opendkim                   port_config_opendkim
mail/opendmarc                  port_config_opendkim
mail/panda-cclient              port_config_panda-cclient
mail/php56-imap                 port_config_php56-imap
mail/policyd2                   port_config_policyd2
mail/postfix-current            port_config_postfix
mail/postfixadmin               port_config_postfixadmin
www/roundcube                   port_config_roundcube
Next

The next article will start the process of configuring the various processes.

Footnotes and References
