Author: Blaine Simpson. blaine.simpson@admc.com
$Revision: 1.16 $
Run-time remote graphical Email Administration for an Exim mail server.
Features similar to the Exim Monitor, but has a light-weight front end. The front end requires a web browser instead of a UNIX X Server.
There is no front end installation. The mail server host needs Java 1.4 and a Java servlet container, like Tomcat. Exim Webapp is distributed as a war file that you deploy into a servlet container.
Instead of me describing the features, just go to the test server I have running at http://admc.com:8080/exim-webapp/.
In its current state, Exim Webapp it makes mail queue maintenance very easy. There are other Exim administrative actions that others or myself could add to Exim Webapp in the future.
The following features would be particularly easy for me to add if anybody says that they want them. Some I'll be adding regardless because I want them for my own use.
The Exim Webapp version is shown in the <display-name> element in
the web.xml file.
You will need a JDK of Java 1.4 (i.e., the Development kit, not just a Runtime) and Ant 1.6.0 or newer to build Exim Webapp from source. (I use nested build files, so Ant 1.5.x or earlier won't do).
The top level directory has the Exim Webapp version in its name.
After you unzip it, just run ant -projecthelp inside of the
top-level directory.
If anybody would like to help with development of Exim Webapp, definitely email me at blaine.simpson@admc.com.
If you use a UNIX variant with poor startup scripts, like a *BSD or SCO, things will be more difficult (this doesn't apply to Exim Webapp more than any other application). If you run Linux or Solaris, this will be a snap.
I don't want to clutter up this section with stuff about security, since a common scenario is to get things working in a secured environment and open the server up to the public only after you get it working and tightened down. If your target server is open to the public right now, then read the Security section before this section.
If you are savvy enough to be using CATALINA_BASE, then
you should know when to use CATALINA_HOME and when to
use CATALINA_BASE, otherwise, always use CATALINA_HOME.
If you are running a Tomcat distribution that sets up owners and init scripts for you, then skip this paragraph. Choose/create a Tomcat user and group, fix permissions up, then run it. Example.
groupadd tomcat
useradd tomcat
cd /usr/local
unzip /path/to/...jakarta-tomcat*.zip
mv jakarta-tomcat* tomcat-5.0.16
cd tomcat-5.0.16
chown -R tomcat:tomcat conf logs temp webapps work
If you're running a binary Tomcat distro for *BSD or SCO, you'll have to figure out Tomcat environment setup on your own, because I've wasted enough of my life catering to idiosyncracies of those systems.
For mainstream UNIXes, just create a file CATALINA_HOME/bin/setenv.sh with contents like
JAVA_HOME=/usr/java/j2sdk1.4.2_02 # User your real Java home dir.
umask 02
cd $CATALINA_HOME # Type it in exactly like this.
(You don't need to make setenv.sh executable since it is
sourced, not executed.
(The umask command permits developers in the Tomcat group to
modify logs and web applications).
Note that you don't need to export JAVA_HOME.
The cd is needed so log files specified in commons/log4j config files
can use relative paths.
Edit CATALINA_HOME/conf/tomcat-users.xml and add an account
for yourself with role manager.
/etc/init.d/tomcat start.
(Like I said, *BSD and SCO users are on your own).
If you have no init script, then run catalina.sh as the Tomcat user.
bin/catalina.sh start
OR
su tomcat -c "/path/to/CATALINA_HOME/bin/catalina.sh start"
(If you have locked down the Tomcat account, you will need to enable
logins in order to su).
With my several exiscan installations, this is easily accomplished by adding the user Tomcat to the privileged Exim OS group. If you have a less accommodating or an older Exim build, you may have to set up the privileged group settings in Exim before this will work.
Do a ls -l on the logging directory.
Most often the logs are group-readable to the same privileged
group as above.
If it is some other group, then you will need to add the Tomcat
user to that group too.
The definitive test to verify that your permissions are all set up is to su to the account and verify.
su - tomcat
tail /path/to/main/exim/main.log.file
/path/to/exim -bp
(If you have locked down the Tomcat account, you will need to enable
logins in order to su).
If the tail and the exim commands succeed, you're all set.
@emailadmin.emailaddr@
TO
youremailaddr@somewhere.com
See the Security section below for how to add usernames/passwords.
Restart your Tomcat server, like
/etc/init.d/tomcat restart
OR
/path/to/CATALINA_HOME/bin/catalina.stop &&
/path/to/CATALINA_HOME/bin/catalina.start
To access your web interface to Exim, use a browser to go to http://localhost:8080/exim-webapp/, or /exim at whatever host and port you are running Tomcat on.
You can tell what version of Exim Webapp you're running in three different ways. It's in the display-name in the web.xml file. It's shown in the Tomcat Application Manager applications listing (by virtue of the display-name). It's shown in the footer of most of the pages for the application.
If you like Exim Webapp, It'd be cool if you could put a link to this Howto on your web site, if you have one. (Besides direct publicity, this moves the Howto up in search engine ratings).
This application is intended to be run in a secured environment. Unauthenticated user's can't make changes or view individual messages, but they can view the log and the queue list.
To perform administrative actions on messages, you need to log in to Exim Webapp. The user/password file location is specified in the web.xml file. Juse enter usernames/passwords like
myusername|mypassword
With bar as delimiter.
I plan to support encrypted passwords before long.
See the suggestions below regarding this file.
If you don't use a command shell as the Tomcat user, you should disable logins to that account. Two common ways to do this are
usermod -L tomcat
and
usermod -s /bin/false tomcat
(With *BSD the shell can be changed with pw usermod tomcat -s /bin/false.
I'm sure there's also an easy way to Lock an account on *BSD...
shoot me an email if you know how.)
It is possible that with some weird Unix or old variant, locking down
the account may break a su... -c... command in an init script.
In any case, test things by stopping and starting Tomcat after making
these changes.
Evertyhing in this section applies equally to your the Exim, Clamav, and other daemon user accounts.
Email me at blaine.simpson@admc.com if you want me to address any problems.
Tomcat logs are at CATALINA_HOME/logs by default. Exim Webapp logs are at CATALINA_HOME/logs/exim by default. (Exim logging can be fine tuned by editing the log4j config file at CATALINA_HOME/webapps/exim/WEB-INF/classes/log4j.xml. See http://logging.apache.org/log4j/docs/ for instructions on the many things you can do with the logs.
If you prefer old-fashioned "properties" log4j config files instead of the newer xml style, you can replace log4j.xml with your own log4j.properties file.
Next time I do a build, I plan to get rid of the dependency on
the invoker servlet altogether. This problem will then not
occur for anybody.
My recommended workaround is
If you like Ant, then you can very easily install and build from source.
When you build the war from source, your web.xml changes are preserved.
Just run "ant" and it will tell you what entries you need to add to the
build.xml file.
See the Resources section of this doc.
If you just downloaded the war recently and still see no version, then
that's my fault-- in the Installation section of this document I
neglected to update a link.
That link continued to point to a version 0 war until I just noticed it
and fixed it.
If you're using the Tomcat Web App Manager, it's very easy to undeploy
a Web App and then deploy the war again.
Don't forget to copy off your web.xml file and restore it (see previous
item).