CGP Prerequisites

1. DNS settings

@         IN  MX   10 mail
@         IN  TXT     "v=spf1 ip4:172.16.162.57 a:mail.ourdom.com mx -all"

mail      IN  A       172.16.162.57

mx        IN  CNAME   mail
cgpro     IN  CNAME   mail
smtp      IN  CNAME   mail
imap      IN  CNAME   mail
pop       IN  CNAME   mail
mailhub   IN  CNAME   vpn
mailhost  IN  CNAME   vpn
smarthost IN  CNAME   vpn

1. The mail record has type A because the target of an MX record must be a hostname with an address record, not a CNAME.

2. Every name that clients may connect to over SSL should be an alias of mail.ourdom.com, because the certificate is issued for that name.

3. About TXT records and SPF, read here and here.
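As an added check (this script is not part of the original note), the following Python reads a constructed copy of the zone fragment above and enforces the three rules just listed: the MX target must be an A record rather than a CNAME, the SSL-facing names must alias mail, and the SPF ip4 entry must match the address the mail host actually has. The page shows no A record for vpn, so one is assumed here purely so the mailhub/mailhost/smarthost chain can be followed; the set of SSL-facing names is an assumption as well.

```python
"""Static sanity check of a zone fragment before it is loaded.

Added example, not part of the original note. Values below are a constructed
copy of the page's records plus an assumed A record for vpn.
"""
import re

ZONE = """\
@         IN  MX   10 mail
@         IN  TXT     "v=spf1 ip4:172.16.162.57 a:mail.ourdom.com mx -all"
mail      IN  A       172.16.162.57
vpn       IN  A       172.16.162.1
mx        IN  CNAME   mail
cgpro     IN  CNAME   mail
smtp      IN  CNAME   mail
imap      IN  CNAME   mail
pop       IN  CNAME   mail
mailhub   IN  CNAME   vpn
mailhost  IN  CNAME   vpn
smarthost IN  CNAME   vpn
"""

# Assumption: these are the names clients may use for SSL connections.
SSL_NAMES = {"cgpro", "smtp", "imap", "pop"}


def parse_zone(text):
    """Return {owner: [(rrtype, rdata), ...]} from a minimal zone fragment."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _class, rrtype, rdata = line.split(None, 3)
        records.setdefault(owner, []).append((rrtype, rdata.strip()))
    return records


def resolve(records, name, depth=0):
    """Follow CNAMEs to the canonical owner; return (canonical, A address or None)."""
    if depth > 8:
        raise ValueError("CNAME loop at %s" % name)
    for rrtype, rdata in records.get(name, []):
        if rrtype == "CNAME":
            return resolve(records, rdata, depth + 1)
    for rrtype, rdata in records.get(name, []):
        if rrtype == "A":
            return name, rdata
    return name, None


def check_zone(records, ssl_names=SSL_NAMES):
    """Return a list of human-readable problems; empty means the zone is consistent."""
    problems = []

    # Rule 1: an MX target must own an A record and must not be a CNAME.
    for rrtype, rdata in records.get("@", []):
        if rrtype == "MX":
            target = rdata.split()[1]
            types = {t for t, _ in records.get(target, [])}
            if "CNAME" in types:
                problems.append("MX target %s is a CNAME" % target)
            elif "A" not in types:
                problems.append("MX target %s has no A record" % target)

    # Rule 2: SSL-facing names must end up at the host the certificate names.
    for name in sorted(ssl_names):
        canonical, _ = resolve(records, name)
        if canonical != "mail":
            problems.append("%s resolves to %s, certificate is for mail" % (name, canonical))

    # Rule 3: the SPF ip4 entry must cover the mail host's real address.
    _, mail_ip = resolve(records, "mail")
    for rrtype, rdata in records.get("@", []):
        if rrtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            ip4 = re.findall(r"ip4:(\S+)", rdata)
            if mail_ip not in ip4:
                problems.append("SPF ip4 %s does not include mail A %s" % (ip4, mail_ip))
            if not rdata.rstrip('"').endswith("-all"):
                problems.append("SPF record does not end in -all")
    return problems


if __name__ == "__main__":
    for p in check_zone(parse_zone(ZONE)) or ["zone fragment is consistent"]:
        print(p)
```

Turning the mail record into a CNAME (the mistake rule 1 guards against) makes every check fire at once: the MX target becomes a CNAME, the SSL names no longer end at mail, and the SPF ip4 entry no longer matches the address the chain resolves to.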

2. Web Server Proxying

<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName cgpro.ourdom.com:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/pki/web/ourdom-web.crt
SSLCertificateKeyFile /etc/pki/web/private/ourdom-web.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
ProxyRequests on
SSLProxyEngine on
ProxyPass           /   https://localhost:9010/  keepalive=On
ProxyPassReverse    /   https://localhost:9010/
</VirtualHost>
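Two settings in that block deserve a second look before it goes live. ProxyRequests On is not needed for ProxyPass; it enables forward proxying, so anyone who can reach port 443 can relay arbitrary requests through the server, and Apache's mod_proxy documentation calls for ProxyRequests Off in a reverse-proxy setup. The SSLCipherSuite string starts from ALL and only negates ADH and EXPORT56, so it still permits LOW, 40-bit export, RC4 and SSLv2 ciphers. The following Python linter, added here and not part of the original note, parses a constructed copy of the VirtualHost block and reports those points along with a missing SSLProtocol directive and mismatched ProxyPass/ProxyPassReverse targets; the list of weak tokens is the author's own selection.

```python
"""Lint a reverse-proxy VirtualHost for the settings that matter most.

Added example, not part of the original note. VHOST is a constructed copy of
the page's configuration; WEAK_TOKENS is an assumed list of OpenSSL cipher
aliases that should never be left enabled.
"""

VHOST = """\
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName cgpro.ourdom.com:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/pki/web/ourdom-web.crt
SSLCertificateKeyFile /etc/pki/web/private/ourdom-web.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
ProxyRequests on
SSLProxyEngine on
ProxyPass           /   https://localhost:9010/  keepalive=On
ProxyPassReverse    /   https://localhost:9010/
</VirtualHost>
"""

WEAK_TOKENS = {"LOW", "EXP", "EXPORT56", "SSLv2", "RC4", "ADH", "aNULL", "eNULL", "MD5"}


def parse_vhost(text):
    """Return [(directive, arguments), ...], skipping container tags and comments."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        directives.append((name, args.strip()))
    return directives


def enabled_weak_tokens(cipher_string):
    """Weak aliases the string leaves enabled.

    A leading '!' removes an alias for good; a leading '+' only moves it to
    the end of the preference list, so '+LOW' keeps LOW enabled.
    """
    weak = set()
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            continue
        for part in token.lstrip("+").split("+"):  # "RC4+RSA" names RC4 and RSA
            if part in WEAK_TOKENS:
                weak.add(part)
    return weak


def lint_vhost(directives):
    """Return a list of findings; empty means none of the checks fired."""
    findings = []
    names = {n for n, _ in directives}
    values = dict(directives)  # last occurrence wins, which is enough here

    if "ProxyPass" in names and values.get("ProxyRequests", "Off").lower() == "on":
        findings.append("ProxyRequests On together with ProxyPass: server is also a "
                        "forward proxy; set ProxyRequests Off")

    weak = enabled_weak_tokens(values.get("SSLCipherSuite", ""))
    if weak:
        findings.append("SSLCipherSuite leaves weak ciphers enabled: " + ", ".join(sorted(weak)))

    if "SSLProtocol" not in names:
        findings.append("no SSLProtocol directive: protocol versions are left at the mod_ssl default")

    pp = values.get("ProxyPass", "").split()
    ppr = values.get("ProxyPassReverse", "").split()
    if pp[:2] != ppr[:2]:
        findings.append("ProxyPass and ProxyPassReverse paths or targets differ")
    return findings


if __name__ == "__main__":
    for f in lint_vhost(parse_vhost(VHOST)) or ["no findings"]:
        print(f)
```

Run against the block above it reports three findings: the ProxyRequests setting, the weak cipher aliases (EXP, LOW, RC4, SSLv2) and the absent SSLProtocol line. A string such as HIGH:!aNULL:!MD5 passes the cipher check.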

3. IP tables

Open ports 25 (SMTP), 465 (SMTPs), 993 (IMAPs), 995 (POPs), 5636 (CGP LDAPs):

-A FWL -m state --state NEW -p tcp -m multiport --dports 25,465,993,995,5636 ! -o tun+ -j ACCEPT

4. Kernel tuning

Add this to /etc/sysctl.conf and apply it with sysctl -p:

# -------- tune kernel for communigate --------
# max open files
fs.file-max = 131072
# kernel threads
kernel.threads-max = 131072
# socket buffers
net.core.wmem_default = 65536
net.core.wmem_max = 1048576
net.core.rmem_default = 65536
net.core.rmem_max = 1048576
# netdev backlog
net.core.netdev_max_backlog = 4096
# socket buckets
net.ipv4.tcp_max_tw_buckets = 131072
# port range
net.ipv4.ip_local_port_range = 16384 65535