DTC-Xen Installation

DTC-Xen / Dom0 Howtos

DTC-Xen / DomU Howtos


DTC Howtos




Devel docs

Wiki - i18n

Wiki - Meta

HOWTO: Setup DTC on FreeBSD

This is a really rough draft which isn't near completed yet. Most of this is based off of the current FreeBSD release at the time, dtc- It is HIGHLY recommended that you skip down to the instructions on working with the git copy.

1. Install the latest DTC FreeBSD ports

There's an issue with getting the version of DTC in the ports tree updated through normal channels so we first must do this by hand.

   cd /usr/ports
   tar -zxf dtcBSDport- && rm dtcBSDport-

1/29/12 the above appears to be unnecessary, just have your ports tree up to date,

        it is probably best to use portsnap to do so.

2. Choose your POP/IMAP agent

You now have 3 ports to choose from which varies by which mail agent DTC will use. If you don't want to choose dependencies "by hand" you can use dtc-postfix-courier or dtc-toaster. The "normal" DTC, with all the tools enabled, is the third option.

  • dtc-postfix-courier
   cd /usr/ports/sysutils/dtc-postfix-courier
   make install
  • dtc-toaster, which, for FreeBSD, currently uses Cyrus
   cd /usr/ports/sysutils/dtc-toaster
   make install
  • "normal" DTC

Note as 1/29/12 the ports only contain sysutils/dtc, there are no dtc-postfix-courier

    or dtc-toaster that I can find. While the below make etc lines will work,
    installing either portupgrade or portmaster from the /usr/ports/port-mgmt
    is almost a must, it will make working with FreeBSD ports much easier see: sites)

First setup the mail agents, maildrop:

   cd /usr/ports/mail/maildrop
   make install WITH_AUTHLIB=yes NO_MAILWRAPPER=yes && make clean

With courier-imap, when prompted, select MySQL and userdb support.

   cd /usr/ports/mail/courier-imap
   make install clean

Now for DTC with some tools:

   cd /usr/ports/sysutils/dtc

3. Setup the daemons and start your MySQL server

Add the following to your /etc/rc.conf (depending on the daemon that you want to use):


and issue the following command:

   /usr/local/etc/rc.d/mysql-server start

4. Start the 2nd stage DTC installer


5. Configure BIND

By default, FreeBSD runs BIND in a jail, as any good admin would, and DTC is written without taking this into consideration so we must now hack things up a bit. First, lets setup some jailed directories.

  cd /var/named && mkdir usr && mkdir usr/local && mkdir usr/local/var
  mkdir usr/local/var/dtc && mkdir usr/local/var/dtc/etc
  mkdir usr/local/var/dtc/etc/zones 

  cd usr/local/var/dtc
  chown dtc:dtcgrp etc/
  cd etc/
  chown bind:dtcgrp zones/

In "/var/named/etc/namedb/named.conf" DTC tries to load a file which is outside of the jail so let's start to fix this:

  cd /var/named/etc/namedb/
  mv named.conf DTC-BROKE.named.conf
  cat DTC-BROKE.named.conf | sed 's/\/usr\/local\/var\/dtc\/etc\//dtc./' > named.conf

Now let's go to the DTC directory outside of the jail, fix some permissions (change 0750 to 0664 on ASCII configuration files), and symlink what we need into the jail.

  cd /usr/local/var/dtc/etc

  chmod 0664 named.conf
  cp named.conf /var/named/etc/namedb/dtc.named.conf
  chown bind:dtcgrp /var/named/etc/namedb/dtc.named.conf
  mv named.conf BROKE.named.conf

  chmod 0664 zones/*
  cp zones/* /var/named/usr/local/var/dtc/etc/zones
  chown bind:dtcgrp /var/named/usr/local/var/dtc/etc/zones/*
  mv zones BROKE.zones

  chmod 0777 .
  sudo -u bind ln -s /var/named/etc/namedb/dtc.named.conf named.conf
  sudo -u bind ln -s /var/named/usr/local/var/dtc/etc/zones zones
  chmod 0755 .

Finally, this might not be needed, but it can't hurt anything and it might prevent some things from breaking. Locate your zone file in "/var/named/usr/local/var/dtc/etc/zones/" and edit it to contain an A record for the hostname of your system. Of course, this assumes you've used the same domain for DTC that you used as the hostname of your system. Be sure to increment the serial number of BIND will ignore your changes.

Now, restart BIND and make sure it looks good.

  /etc/rc.d/named restart
  tail /var/log/messages

WARNING!!! This is how I, GregMo, got mine working, but this just gets BIND running again. I can all but assure you this isn't complete, and I caution you that I wrote this AFTER I did this to my system. Translation, I may have made an error somewhere or left something out. Use this BIND configuration section at your own peril.

6. Configure Apache

  • Fixing the SSL Certificate

Several people have posted in the forums an error with the SSL certificate that DTC makes. To fix this, do the following:

  cd /usr/local/var/dtc/etc/ssl/

  rm new.cert.* && rm privkey.pem

  openssl genrsa -des3 -out new.cert.key 1024
  openssl req -new -key new.cert.key -out new.cert.csr
  openssl x509 -req -days 365 -in new.cert.csr -signkey new.cert.key -out new.cert.cert

  chown dtc new.*

If generated properly, as it should be now, Apache won't complain. What it will do, however, is prompt you for the pass phrase every time you start Apache. If your server is rebooted for whatever reason (such as a power failure) and you're not at the helm, Apache will not start as is. Since most of us aren't likely to buy a "real" cert for the dtc.* subdomain then the security of a pass phrase isn't important. Thusly, let's remove the pass phrase from the cert:

  cp new.cert.key
  openssl rsa -in -out new.cert.key 
  • Not listening to ANY external network interfaces?

Now that we've got Apache running again, you might run into this issue. To check, first run this command:

  netstat -an |grep -i listen

This will show all the ports that are open on your server. In my case, the only interface listening on ports 80 or 443 was lo0 (the loopback device, aka This means that only you, only at the server, can access Apache. If we look at...

  cat /usr/local/etc/apache22/httpd.conf.DTC.backup |grep -i listen

...we see that, assuming we were working off of a default Apache install, we did have:

  Listen 80

However, now if we look at...

  cat /usr/local/etc/apache22/httpd.conf |grep -i listen

...we see that for some reason DTC has done this:

  #Listen 80

This is because DTC wants to configure apache to bind ONLY to the IPs that you have configured in the control panel. So this is ABSOLUTELY the NORMAL behavior, don't touch this.


  cat /usr/local/var/dtc/etc/vhosts.conf |grep -i listen



that means that Apache is listening on the port 80 for all IPs with a directive like:

   Listen *:80


   Listen 80

What you want to do is disable these listen directive in the main apache configuration.

Restart Apache and at the least you should now be able to get a response from it.

  • Finally

You need to find the following lines in your /usr/local/etc/httpd.conf and comment them out, otherwise you will get a forbidden access:

   <Directory />
       AllowOverride AuthConfig FileInfo Limit Indexes
       Order deny,allow
       Deny from all

7. Fixing Email

As stated at the start of this Wiki, this isn't complete. I'm posting here as I try to hack it up to work on FreeBSD.

One of the first issues we're going to have with email is NSS. DTC adds the following lines to /etc/nsswitch.conf which from what I've gleaned from the net, is "okay" configuration, but not on FreeBSD.

  # Configured by DTC 0.21 : please do not touch this line !
  passwd:         compat mysql 
  group:          compat mysql 
  shadow:         compat mysql 
  # End of DTC configuration : please don't touch this line !

Change /etc/nsswitch.conf to:

  # Configured by DTC 0.21 : please do not touch this line !
  passwd:         files mysql 
  group:          files mysql 
  shadow:         files mysql 
  # End of DTC configuration : please don't touch this line !

and replace next queries in /usr/local/etc/libnss-mysql.cfg

  getpwnam    SELECT login,crypt,uid,gid,'','default','DTC User',homedir,shell,2145916000
FROM ssh_access WHERE login='%1$s' LIMIT 1 getpwuid SELECT login,'*',uid,gid,'DTC User',homedir,shell
FROM ssh_access WHERE uid='%1$u' LIMIT 1 getpwent SELECT login,'*',uid,gid,'DTC User',homedir,shell FROM ssh_access getgrnam SELECT group_name,group_password,group_id
FROM ssh_groups WHERE group_name='%1$s' LIMIT 1 getgrgid SELECT group_name,group_password,group_id FROM ssh_groups WHERE group_id='%1$u' LIMIT 1 getgrent SELECT group_name,group_password,group_id FROM ssh_groups memsbygid SELECT login FROM ssh_access WHERE gid='%1$u' gidsbymem SELECT gid FROM ssh_access WHERE login='%1$s' getspnam SELECT login,crypt,UNIX_TIMESTAMP() - 10,1,2,7,-1,-1,0
FROM ssh_access WHERE ssh_access.login='%1$s' LIMIT 1 getspent SELECT login,crypt,UNIX_TIMESTAMP() - 10,1,2,7,-1,-1,0 FROM ssh_access

Next in /var/log/maillog we have this to contend with:

  myhost authdaemond: failed to connect to mysql server (, ...
  myhost imapd: LOGIN FAILED,, ip=[]
  myhost imapd: authentication error: Input/output error

Somewhere along the line, "authmysqlrc" in "/usr/local/etc/authlib" got renamed to "authmysqlrc.bak" and "authmysqlrc.dist" was copied back to "authmysqlrc". Easy enough to fix.

We can now login to the server, let's do some testing. First, let's send an email to Assuming you're not using a catch-all DNS server like OpenDNS this email will bounce and should be returned to your mail box by MAILER-DAEMON. Instead, we now have this issue:

  somebox authdaemond: Authenticated: sysusername=<null>, sysuserid=1004, sysgroupid=1004,
    homedir=/usr/local/www/sites/username/, ...
  somebox maildrop[59553]: Unable to open mailbox.
  somebox postfix/pipe[59552]: BBE245E4E: to=<>, relay=maildrop,
    delay=0.17, delays=0.01/0.02/0/0.14, dsn=4.3.0, status=deferred (temporary
    failure. Command output: /usr/local/bin/maildrop: Unable to open mailbox. )

Now, first step in debugging maildrop is to look to the userdb file. From the install of courier-imap-4.2.1 we have --with-userdb=/usr/local/etc/userdb which is what you would expect it to be on a FreeBSD system, but userdb is not there. Let's see if we can fix that and make it so that DTC can find it:

  cd /usr/local/etc
  /usr/local/sbin/pw2userdb > userdb
  sed '/toor/ d' userdb > userdb
  chmod 600 userdb

  cd /etc && mkdir courier && cd courier
  ln -s /usr/local/etc/userdb userdb
  ln -s /usr/local/etc/userdb.dat userdb.dat
  ln -s /usr/local/etc/userdb.lock userdb.lock
  ln -s /usr/local/etc/userdbshadow.dat userdbshadow.dat

Next we have to add some more links so the DTC cron will hopefully work as it should.

  cd /usr/share
  ln -s /usr/local/www/dtc/ dtc

  cd /usr/bin
  ln -s /usr/local/bin/php php
  ln -s /usr/local/bin/php-cgi php-cgi
  ln -s /usr/local/bin/php-config php-config
  ln -s /usr/local/bin/phpize phpize

Now... According to this post, DTC is broke in using SASL2. Let's start fixing this by:

  cd /usr/local/lib/sasl2
  ln -s /usr/local/etc/postfix/sasl/smtpd.conf smtpd.conf

And you need to edit this file, commenting out what's already in it, and adding these lines:

  pwcheck_method: auxprop
  auxprop_plugin: sql
  sql_engine: mysql
  sql_hostnames: localhost
  sql_user: dtcdaemons
  sql_passwd: <dtcdaemons password>
  sql_database: dtc
  password_format: crypt
  sql_select: SELECT crypt FROM pop_access WHERE fullemail = '%u@%r'
  sql_update: UPDATE pop_access SET crypt = '%v' WHERE fullemail = '%u@%r'
  sql_verbose: yes

Where the <dtcdaemons password> can be found with:

  cat /usr/local/var/dtc/etc/dtcdb_passwd

Next, try again to send an email to If you still don't get a bounce back then do this:

  echo "------  Checking for postfix/pipe & maildirmake problems" >> /var/log/maillog

...send another email to bounce and then check:

  cat /var/log/maillog |grep postfix\/pipe |grep maildirmake

If you have maildrop trying to maildirmake in "/var/mail" then you need to look at:


It likely contains this line:

  `[ -d $DEFAULT ] || maildirmake $DEFAULT`

Not sure what adds this line, or why, but it's the problem. For now, just comment it out.

Next, if your mail still isn't working, as mine wasn't, then create a file in "/usr/local/etc" named "maildroprc" with these lines:

  logfile "/var/log/maildrop.log"
  log " "
  log "========================="
  log " "
  `echo HOME=$HOME >> /var/log/maildrop.log`
  `echo DEFAULT=$DEFAULT >> /var/log/maildrop.log`
  `echo PATH=$PATH >> /var/log/maildrop.log`
  `echo SENDMAIL=$SENDMAIL >> /var/log/maildrop.log`
  `echo SHELL=$SHELL >> /var/log/maildrop.log`
  to "/usr/local/www/sites/<cust_name>/<>/Mailboxs/<emailuser>/Maildir"

Naturally, replacing the "to" line with a valid path, and do this:

  touch /var/log/maildrop.log
  chmod 666 /var/log/maildrop.log

Send another bounce and then check this new log file. You'll see that the $DEFAULT from above is "/var/mail" which is incorrect.

Anyways, the way that I finally got it working from this point was to send an email back to myself. For some reason, this fixed whatever it was that was still broke and all the previously deferred emails came through.


If you want to use the Git version, here's how:


1. The Basics

We're going to assume that anyone looking to use DTC is a semi-competent sys-admin, one that would keep their ports tree up to date, among other things. To undertake this, git needs to be installed.

   cd /usr/ports/devel/git
   make install clean

2. Grab a fresh clone from the repository

   cd /usr/ports/distfiles && mkdir work && cd work
   git clone

3. Making port & package

   cd dtc
   gmake bsd-ports-packages

4. Copying package to distfiles & installing port

   cd ..
   mv dtc-*.tar.gz ..
   mv dtcBSDport-*.tar.gz ../..
   cd ../..
   tar zxf dtcBSDport-*.tar.gz && rm dtcBSDport-*.tar.gz
   cd sysutils/dtc

If you've had DTC previously installed you must do:

   make clean
   make deinstall

Your mileage may vary here, but on some systems when "make deinstall" is ran, the paths are wrong. In at least one case, all the paths we're prefixed with "/usr/local/" so that, as an example, "/usr/local/www/dtc/" became "/usr/local//usr/local/www/dtc/". If this happens you must go in and delete the files shown in the error output by hand.


   make install

FreeBSD fixes required for operation

  • you must also ensure that along with everything else, gawk, php5-gettext and php5-posix are installed for the installer to work without problems. (fixed in devel version 2008-08-20)

Editing this page means accepting its license.

Page last modified on February 02, 2012, at 03:48 AM EST