Debian Lenny Server Configuration
Network configuration

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
/etc/init.d/networking restart
vi /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Then set the hostname:

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start
Afterwards, run
hostname
hostname -f
8 Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run
apt-get install ntp ntpdate
and your system time will always be in sync.
9 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils
We can install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo
You will be asked the following questions:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Then we restart MySQL:
/etc/init.d/mysql restart
Now check that networking is enabled. Run
netstat -tap | grep mysql
The output should look like this:
server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      7431/mysqld
server1:~#
10 Install Amavisd-new, SpamAssassin, And Clamav
To install amavisd-new, SpamAssassin, and ClamAV, we run
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
11 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt
Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:
apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby
You will see the following question:
Web server to reconfigure automatically: <-- apache2
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):
a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest
Restart Apache afterwards:
/etc/init.d/apache2 restart
12 Install PureFTPd And Quota
PureFTPd and quota can be installed with the following command:
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common...
vi /etc/default/pure-ftpd-common
... and change the start mode from inetd to standalone and set VIRTUALCHROOT=true:
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:
vi /etc/inetd.conf
Comment out the line beginning with ftp stream tcp:
[...]
#:STANDARD: These are standard services.
#ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]
Restart inetd afterwards:
/etc/init.d/openbsd-inetd restart
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
If you want to allow FTP and TLS sessions, run
echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
/etc/init.d/pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0
To enable quota, run these commands:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /

quotacheck -avugm
quotaon -avug
13 Install BIND DNS Server
BIND can be installed as follows:
apt-get install bind9 dnsutils
14 Install Vlogger, Webalizer, And AWstats
Vlogger, webalizer, and AWstats can be installed as follows:
apt-get install vlogger webalizer awstats
mkdir -p /usr/share/awstats/tools/
cp -prf /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl /usr/share/awstats/tools/awstats_buildstaticpages.pl
15 Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.12.tar.gz
tar xvfz jailkit-2.12.tar.gz
cd jailkit-2.12
./debian/rules binary
cd ..
dpkg -i jailkit_2.12-1_*.deb
rm -rf jailkit-2.12*
16 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
apt-get install fail2ban
17 Install SquirrelMail
To install the SquirrelMail webmail client, run
apt-get install squirrelmail
Then create the following symlink...
ln -s /usr/share/squirrelmail/ /var/www/webmail
... and configure SquirrelMail:
squirrelmail-configure
We must tell SquirrelMail that we are using Dovecot for IMAP/POP3 (the server installed in chapter 9):
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- D
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> <-- dovecot
Command >> dovecot
imap_server_type = courier
default_folder_prefix = INBOX.
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = .
delete_folder = true
Press any key to continue... <-- press a key
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- S
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- Q
Afterwards you can access SquirrelMail under http://server1.example.com/webmail or http://192.168.0.100/webmail:
18 Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
The next step is to run
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.
server1:/tmp/ispconfig3_install/install# php -q install.php
--------------------------------------------------------------------------------
[ISPConfig ASCII-art logo]
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Debian Lenny or compatible
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbispconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Generating a 2048 bit RSA private key
.............................................................................+++
...............................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Restarting IMAP/POP3 mail server: dovecot.
Restarting web server: apache2 ... waiting .
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -E -A -D -H -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -b -B
Installation completed.
server1:/tmp/ispconfig3_install/install#
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):
The system is now ready to be used.
18.1 ISPConfig 3 Manual
In order to learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 Manual.
On nearly 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also lays out how to make your server more secure and comes with a troubleshooting section at the end.
19 Additional Notes
If the Debian server that you've just set up in this tutorial is an OpenVZ container (virtual machine), you should do this on the host system (I'm assuming that the ID of the OpenVZ container is 101 - replace it with the correct VPSID on your system):

VPSID=101
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set $VPSID --capability ${CAP}:on --save
done
20 Links

Debian: http://www.debian.org/
ISPConfig: http://www.ispconfig.org/
How To Configure PureFTPd To Accept TLS Sessions On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 10/06/2010
FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to configure PureFTPd to accept TLS sessions on a Debian Lenny server.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
You should have a working PureFTPd setup on your Debian Lenny server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Lenny.
2 Installing OpenSSL
OpenSSL is needed by TLS; to install OpenSSL, we simply run:
aptitude install openssl
3 Configuring PureFTPd
If you want to allow FTP and TLS sessions, run
echo 1 > /etc/pure-ftpd/conf/TLS
If you want to accept TLS sessions only (no FTP), run
echo 2 > /etc/pure-ftpd/conf/TLS
instead.
To not allow TLS at all (only FTP), either delete /etc/pure-ftpd/conf/TLS or run
echo 0 > /etc/pure-ftpd/conf/TLS
4 Creating The SSL Certificate For TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Finally restart PureFTPd:
/etc/init.d/pure-ftpd-mysql restart
That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter for how to do this with FileZilla.
5 Configuring FileZilla For TLS
In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.
In FileZilla, open the Server Manager:
Select the server that uses PureFTPd with TLS; in the Server Type drop-down menu, select FTPES instead of normal FTP:
Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate:
If everything goes well, you should now be logged in on the server:
How To Integrate ClamAV (Through mod_clamav) Into ProFTPd For Virus Scanning On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 10/01/2010
This tutorial explains how you can integrate ClamAV into ProFTPd for virus scanning on a Debian Lenny system. This is achieved through mod_clamav. In the end, whenever a file gets uploaded through ProFTPd, ClamAV will check the file and delete it if it is malware.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
You should have a working ProFTPd setup on your Debian Lenny server.
2 Installing ClamAV
ClamAV can be installed as follows:
aptitude install clamav clamav-daemon libclamav-dev
Now we must reconfigure ClamAV so that Clamd uses TCP connections instead of a local Unix socket. It is highly recommended that Unix socket connections are avoided when using the Chroot feature of ProFTPd (DefaultRoot ~). The reason is that if mod_clamav needs to connect to Clamd, the Unix socket is not available in the chroot environment.
Run
dpkg-reconfigure clamav-base
... and answer these questions as follows (accept the default values for all other questions):
Socket type: <-- TCP
TCP port clamd will listen on: <-- 3310
IP address clamd will listen on: <-- 127.0.0.1
Then restart Clamd and freshclam:
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
Now run
netstat -tap | grep clamd
... and you should see that Clamd is listening on localhost through TCP:
server1:~# netstat -tap | grep clamd
tcp        0      0 localhost.localdom:3310 *:*                     LISTEN      29430/clamd
server1:~#
3 Rebuilding ProFTPd
Unfortunately mod_clamav isn't part of ProFTPd by default, and there's no Debian package for mod_clamav, so we have to rebuild ProFTPd with mod_clamav. I will use the Debian source package of ProFTPd and build new ProFTPd .deb packages with mod_clamav support.
First we install all packages that are needed to rebuild ProFTPd:
aptitude build-dep proftpd
We also need the following package (which doesn't get installed by the previous command for some reason...):
aptitude install libpam-dev
Now we download the ProFTPd source package to /usr/src:
cd /usr/src
apt-get source proftpd
Next we download mod_clamav to /usr/src and unpack it:
wget --no-check-certificate https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-0.11rc.tar.gz
tar xzvf mod_clamav-0.11rc.tar.gz
Then we copy the mod_clamav-0.11rc/mod_clamav.* files to the proftpd-dfsg-1.3.1/contrib directory...
cp mod_clamav-0.11rc/mod_clamav.* proftpd-dfsg-1.3.1/contrib
... and patch the ProFTPd sources:
cd proftpd-dfsg-1.3.1
patch -p1 < ../mod_clamav-0.11rc/proftpd.patch
Next we must edit debian/rules:
vi debian/rules
Search the CONF_ARGS section and add --with-modules=mod_clamav to it:
[...]
CONF_ARGS := --prefix=/usr \
    --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \
    --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \
    --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \
    --enable-ipv6 --enable-nls --with-modules=mod_clamav
[...]
Now we can rebuild ProFTPd:
dpkg-buildpackage
Now we go one directory up, that's where the new .deb packages have been created:
cd ..
The command
ls -l
shows you the available packages:
server1:/usr/src# ls -l
total 5472
drwxr-xr-x 2 501 501 4096 2009-04-20 10:22 mod_clamav-0.11rc
-rw-r--r-- 1 root src 5115 2010-10-01 03:28 mod_clamav-0.11rc.tar.gz
-rw-r--r-- 1 root src 195066 2010-10-01 03:32 proftpd_1.3.1-17lenny4_all.deb
-rw-r--r-- 1 root src 690228 2010-10-01 03:32 proftpd-basic_1.3.1-17lenny4_i386.deb
drwxr-xr-x 13 root root 4096 2010-10-01 03:32 proftpd-dfsg-1.3.1
-rw-r--r-- 1 root src 107998 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.diff.gz
-rw-r--r-- 1 root src 1103 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.dsc
-rw-r--r-- 1 root src 3305 2010-10-01 03:32 proftpd-dfsg_1.3.1-17lenny4_i386.changes
-rw-r--r-- 1 root src 2662056 2007-10-16 01:02 proftpd-dfsg_1.3.1.orig.tar.gz
-rw-r--r-- 1 root src 1255660 2010-10-01 03:32 proftpd-doc_1.3.1-17lenny4_all.deb
-rw-r--r-- 1 root src 213004 2010-10-01 03:32 proftpd-mod-ldap_1.3.1-17lenny4_i386.deb
-rw-r--r-- 1 root src 203562 2010-10-01 03:32 proftpd-mod-mysql_1.3.1-17lenny4_i386.deb
-rw-r--r-- 1 root src 203512 2010-10-01 03:32 proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb
server1:/usr/src#
We can install the new ProFTPd .deb packages as follows:
dpkg -i proftpd*.deb
4 Configuring ProFTPd
Now we must configure ProFTPd to use mod_clamav whenever a file is uploaded. Open /etc/proftpd/proftpd.conf...
vi /etc/proftpd/proftpd.conf
... and add the stanza
<IfModule mod_clamav.c>
ClamAV on
ClamServer 127.0.0.1
ClamPort 3310
</IfModule>
somewhere, e.g. below the
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
section:
[...]
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_clamav.c>
  ClamAV on
  ClamServer 127.0.0.1
  ClamPort 3310
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
[...]
Restart ProFTPd:
/etc/init.d/proftpd restart
Now check if mod_clamav is loaded by running:
proftpd -vv
mod_clamav should be listed in the output:
server1:~# proftpd -vv
- ProFTPD Version: 1.3.1 (stable)
- Scoreboard Version: 01040002
- Built: Fri Oct 1 03:31:03 CEST 2010
- Module: mod_core.c
- Module: mod_xfer.c
- Module: mod_auth_unix.c
- Module: mod_auth_file/0.8.3
- Module: mod_auth.c
- Module: mod_ls.c
- Module: mod_log.c
- Module: mod_site.c
- Module: mod_delay/0.6
- Module: mod_dso/0.4
- Module: mod_auth_pam/1.0.1
- Module: mod_clamav.c
- Module: mod_cap/1.0
- Module: mod_ctrls/0.9.4
- Module: mod_lang/0.8
server1:~#
That's it! Now whenever someone tries to upload malware to your server through ProFTPd, the "bad" file(s) will be deleted. You can test that by downloading the Eicar test virus from http://www.eicar.org/anti_virus_test_file.htm; try to upload it to your ProFTPd server, and if all goes well, it should be deleted:
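Added example, not from the tutorial: a POSIX-shell check that reads the mod_clamav stanza back out of a proftpd.conf and flags the misconfigurations chapter 2 and chapter 4 warn about (ClamAV not switched on, clamd addressed through a Unix-socket path while DefaultRoot chroots the session, ClamPort missing). The function names and the two sample configs are mine; that ClamServer may also hold a socket path is an assumption drawn from the chroot remark in chapter 2.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Reads the mod_clamav
# stanza from a proftpd.conf and checks it against the points made in the
# text. Function names are mine; the directive names are those the tutorial
# shows. Assumption: ClamServer can be a host/IP or a Unix socket path.

# Print "NAME VALUE" for every directive inside <IfModule mod_clamav.c>.
clamav_stanza() {                     # usage: clamav_stanza FILE
    awk '
        /^[ \t]*<IfModule[ \t]+mod_clamav\.c>/ { inblk = 1; next }
        /^[ \t]*<\/IfModule>/                  { inblk = 0; next }
        inblk && !/^[ \t]*#/ && NF >= 2         { print $1, $2 }
    ' "$1"
}

# Print the value of a directive that sits outside any <...> block.
proftpd_directive() {                 # usage: proftpd_directive FILE NAME
    awk -v name="$2" '
        /^[ \t]*<[A-Za-z]/       { depth++; next }
        /^[ \t]*<\//             { depth--; next }
        depth == 0 && $1 == name { print $2; exit }
    ' "$1"
}

# Report problems one per line; return 1 if any, 0 if the stanza is sound.
check_clamav_conf() {                 # usage: check_clamav_conf FILE
    cnf=$1; n=0
    stanza=$(clamav_stanza "$cnf")
    [ -n "$stanza" ] || { echo "no <IfModule mod_clamav.c> stanza: uploads are not scanned"; return 1; }
    on=$(printf '%s\n' "$stanza" | awk '$1 == "ClamAV" { print $2 }')
    server=$(printf '%s\n' "$stanza" | awk '$1 == "ClamServer" { print $2 }')
    port=$(printf '%s\n' "$stanza" | awk '$1 == "ClamPort" { print $2 }')
    case "$on" in
        on|On|ON) ;;
        *) echo "ClamAV is '${on:-unset}', not 'on': uploads are not scanned"; n=$((n+1)) ;;
    esac
    case "$server" in
        "") echo "ClamServer not set"; n=$((n+1)) ;;
        /*) # a socket path is unreachable once DefaultRoot has chrooted the session
            if [ -n "$(proftpd_directive "$cnf" DefaultRoot)" ]; then
                echo "ClamServer=$server is a Unix socket but DefaultRoot chroots users: use TCP (127.0.0.1)"
                n=$((n+1))
            fi ;;
    esac
    case "$port" in
        "") if [ "${server#/}" = "$server" ]; then echo "ClamPort not set (clamd above listens on 3310)"; n=$((n+1)); fi ;;
        *[!0-9]*) echo "ClamPort=$port is not a port number"; n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Constructed samples: a correct config and one that points at a socket path.
write_sample_proftpd_conf() {         # usage: write_sample_proftpd_conf good|bad FILE
    if [ "$1" = good ]; then cat > "$2" <<'EOF'
ServerName "Debian"
DefaultRoot ~
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_clamav.c>
  ClamAV on
  ClamServer 127.0.0.1
  ClamPort 3310
</IfModule>
Include /etc/proftpd/sql.conf
EOF
    else cat > "$2" <<'EOF'
DefaultRoot ~
<IfModule mod_clamav.c>
  ClamAV on
  ClamServer /var/run/clamav/clamd.ctl
</IfModule>
EOF
    fi
}

# Demo: check both samples.
for kind in good bad; do
    f=$(mktemp); write_sample_proftpd_conf "$kind" "$f"
    echo "== $kind =="; check_clamav_conf "$f" && echo "ok"; rm -f "$f"
done
```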
How To Set Up MySQL Database Replication With SSL Encryption On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 08/18/2010
This tutorial describes how to set up database replication in MySQL using an SSL connection for encryption (to make it impossible for hackers to sniff out passwords and data transferred between the master and slave). MySQL replication allows you to have an exact copy of a database from a master server on another server (slave), and all updates to the database on the master server are immediately replicated to the database on the slave server so that both databases are in sync. This is not a backup policy, because an accidentally issued DELETE command will also be carried out on the slave; replication can, however, help protect against hardware failures.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I will show how to replicate the database exampledb from the server server1.example.com (master) with the IP address 192.168.0.100 to the server server2.example.com (slave) with the IP address 192.168.0.101. Both systems are running Debian Lenny; however, the configuration should apply to almost all distributions with little or no modifications. The database exampledb with tables and data is already existing on the master, but not on the slave.
I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root.
2 Installing MySQL 5 And Enabling SSL Support
If MySQL 5 isn't already installed on server1 and server2, install it now:
server1/server2:
aptitude install mysql-server mysql-client
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com / root@server2.example.com, so we don't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Now we must check if both MySQL servers support SSL connections. Log into MySQL...
mysql -u root -p
... and run the following command on the MySQL shell:
show variables like '%ssl%';
If the output is as follows (both have_openssl and have_ssl show DISABLED)...
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
mysql>
... it means that MySQL was compiled with SSL support, but it's currently not enabled. To enable it, leave the MySQL shell first...
quit;
... and open /etc/mysql/my.cnf:
vi /etc/mysql/my.cnf
Scroll down to the * Security Features section (within the [mysqld] section) and add a line with the word ssl to it:
[...]
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
ssl
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[...]
Restart MySQL...
/etc/init.d/mysql restart
... and check again if SSL is now enabled:
mysql -u root -p
show variables like '%ssl%';
Output should be as follows which means that SSL is now enabled:
mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
7 rows in set (0.00 sec)
mysql>
Type...
quit;
... to leave the MySQL shell.
3 Configuring The Master
To make sure that the replication can work, we must make MySQL listen on all interfaces on the master (server1), therefore we comment out the line bind-address = 127.0.0.1 in /etc/mysql/my.cnf:
server1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Restart MySQL afterwards:
/etc/init.d/mysql restart
Then check with
netstat -tap | grep mysql
that MySQL is really listening on all interfaces on the master:
server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      3771/mysqld
server1:~#
Now we create the CA, server, and client certificates that we need for the SSL connections. I create these certificates in the directory /etc/mysql/newcerts which I have to create first:
mkdir /etc/mysql/newcerts && cd /etc/mysql/newcerts
Make sure that openssl is installed:
aptitude install openssl
Create CA certificate:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem
Create server certificate:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Create client certificate:
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
The output of...
ls -l
... should now look as follows:
server1:/etc/mysql/newcerts# ls -l
total 32
-rw-r--r-- 1 root root 1346 2010-08-18 20:13 ca-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:13 ca-key.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 client-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:14 client-key.pem
-rw-r--r-- 1 root root 956 2010-08-18 20:14 client-req.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 server-cert.pem
-rw-r--r-- 1 root root 1679 2010-08-18 20:14 server-key.pem
-rw-r--r-- 1 root root 956 2010-08-18 20:14 server-req.pem
server1:/etc/mysql/newcerts#
We must now transfer ca-cert.pem, client-cert.pem, and client-key.pem to the slave (server2); before we do this, we create the directory /etc/mysql/newcerts on server2:
server2:
mkdir /etc/mysql/newcerts
Back on server1, we can transfer the three files to server2 as follows:
server1:
scp /etc/mysql/newcerts/ca-cert.pem root@192.168.0.101:/etc/mysql/newcerts
scp /etc/mysql/newcerts/client-cert.pem root@192.168.0.101:/etc/mysql/newcerts
scp /etc/mysql/newcerts/client-key.pem root@192.168.0.101:/etc/mysql/newcerts
Next, open /etc/mysql/my.cnf...
vi /etc/mysql/my.cnf
... and modify the * Security Features section; uncomment the ssl-ca, ssl-cert, and ssl-key lines and fill in the correct values:
[...]
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
[...]
Restart MySQL:
/etc/init.d/mysql restart
Now we set up a replication user slave_user that can be used by server2 to access the MySQL database on server1:
mysql -u root -p
On the MySQL shell, run the following commands:
GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;
The REQUIRE SSL string is optional; if you leave it out, slave_user will be allowed to connect through encrypted and also unencrypted connections. If you use REQUIRE SSL, then only encrypted connections are allowed.
(If you've already set up a replication user, and now want to modify it so that it can only connect through SSL, you can modify the user as follows:
GRANT USAGE ON *.* TO 'slave_user'@'%' REQUIRE SSL;
)
FLUSH PRIVILEGES;
quit;
Furthermore, we have to tell MySQL for which database it should write binary logs (the slave reads these logs to see what has changed on the master), which log file it should use, and that this MySQL server is the master. We want to replicate the database exampledb, so we add/enable the following lines in /etc/mysql/my.cnf (in the [mysqld] section):
vi /etc/mysql/my.cnf
[...]
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
binlog_do_db = exampledb
[...]
Then restart MySQL:
/etc/init.d/mysql restart
Next we lock the exampledb database on server1, find out about the master status of server1, create an SQL dump of exampledb (that we will import into exampledb on server2 so that both databases contain the same data), and unlock the database so that it can be used again:
mysql -u root -p
On the MySQL shell, run the following commands:
USE exampledb;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;
The last command should show something like this (please write it down, we'll need it later on):
mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000001 | 98 | exampledb | |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
mysql>
Do not leave the MySQL shell now: as soon as you leave it, the read lock is released, and we need it held while we create the database dump. While the MySQL shell is still open, open a second command line window, create the SQL dump snapshot.sql there and transfer it to server2 (using scp; again, make sure that the root account is enabled on server2):
server1:
cd /tmp
mysqldump -u root -pyourrootsqlpassword --opt exampledb > snapshot.sql
scp snapshot.sql [email protected]:/tmp
Afterwards, you can close the second command line window. On the first command line window, we can now unlock the database and leave the MySQL shell:
server1:
UNLOCK TABLES;
quit;
4 Configuring The Slave
Now we must configure the slave. Open /etc/mysql/my.cnf and make sure you have the following settings in the [mysqld] section:
server2:
vi /etc/mysql/my.cnf
[...]
server-id=2
master-connect-retry=60
replicate-do-db=exampledb
[...]
The value of server-id must be unique and thus different from the one on the master!
Restart MySQL afterwards:
/etc/init.d/mysql restart
Before we start setting up the replication, we create an empty database exampledb on server2:
mysql -u root -p
CREATE DATABASE exampledb;
quit;
On server2, we can now import the SQL dump snapshot.sql like this:
/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword stop-slave
cd /tmp
mysql -u root -pyourrootsqlpassword exampledb < snapshot.sql
Now connect to MySQL again...
mysql -u root -p
... and run the following command to make server2 a slave of server1 (it is important that you replace the values in the following command with the values you got from the SHOW MASTER STATUS; command that we ran on server1!):
CHANGE MASTER TO MASTER_HOST='192.168.0.100', MASTER_USER='slave_user', MASTER_PASSWORD='slave_password', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=98, MASTER_SSL=1, MASTER_SSL_CA = '/etc/mysql/newcerts/ca-cert.pem', MASTER_SSL_CERT = '/etc/mysql/newcerts/client-cert.pem', MASTER_SSL_KEY = '/etc/mysql/newcerts/client-key.pem';
MASTER_HOST is the IP address or hostname of the master (in this example it is 192.168.0.100).
MASTER_USER is the user we granted replication privileges on the master.
MASTER_PASSWORD is the password of MASTER_USER on the master.
MASTER_LOG_FILE is the file MySQL gave back when you ran SHOW MASTER STATUS; on the master.
MASTER_LOG_POS is the position MySQL gave back when you ran SHOW MASTER STATUS; on the master.
MASTER_SSL makes the slave use an SSL connection to the master.
MASTER_SSL_CA is the path to the ca-cert.pem file on the slave.
MASTER_SSL_CERT is the path to the client-cert.pem file on the slave.
MASTER_SSL_KEY is the path to the client-key.pem file on the slave.
Finally start the slave:
START SLAVE;
Then check the slave status:
SHOW SLAVE STATUS \G
It is important that both Slave_IO_Running and Slave_SQL_Running have the value Yes in the output (otherwise something went wrong, and you should check your setup again and take a look at /var/log/syslog to find out about any errors); as you're using an SSL connection now, you should also find values in the fields Master_SSL_Allowed, Master_SSL_CA_File, Master_SSL_Cert, and Master_SSL_Key:
mysql> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.0.100
Master_User: slave_user
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000001
Read_Master_Log_Pos: 98
Relay_Log_File: mysqld-relay-bin.000002
Relay_Log_Pos: 235
Relay_Master_Log_File: mysql-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: exampledb
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 98
Relay_Log_Space: 235
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
Seconds_Behind_Master: 0
1 row in set (0.00 sec)
mysql>
Afterwards, you can leave the MySQL shell on server2:
quit;
That's it! Now whenever exampledb is updated on the master, all changes will be replicated to exampledb on the slave. Test it!
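The check described above (both Slave_IO_Running and Slave_SQL_Running must be Yes, and the Master_SSL_* fields must be populated) can be automated. The following added example, not part of the tutorial, parses the text of SHOW SLAVE STATUS \G and returns a list of problems; the healthy sample is the tutorial's own output, the broken sample and the 60-second lag limit are constructed assumptions.

```python
import re

# Sample output copied from the tutorial's SHOW SLAVE STATUS \G run above
# (fields the checks do not need are omitted).
HEALTHY_OUTPUT = """\
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 192.168.0.100
                Master_User: slave_user
                Master_Port: 3306
            Master_Log_File: mysql-bin.000001
        Read_Master_Log_Pos: 98
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
            Replicate_Do_DB: exampledb
                 Last_Errno: 0
                 Last_Error:
        Exec_Master_Log_Pos: 98
         Master_SSL_Allowed: Yes
         Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
            Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
             Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
      Seconds_Behind_Master: 0
1 row in set (0.00 sec)
"""

# Constructed sample (not from the tutorial): the slave cannot reach the
# master and CHANGE MASTER TO was run without the MASTER_SSL_* options.
BROKEN_OUTPUT = """\
*************************** 1. row ***************************
             Slave_IO_State: Connecting to master
                Master_Host: 192.168.0.100
                Master_User: slave_user
           Slave_IO_Running: No
          Slave_SQL_Running: Yes
                 Last_Errno: 1045
                 Last_Error: error connecting to master 'slave_user@192.168.0.100:3306'
         Master_SSL_Allowed: No
         Master_SSL_CA_File:
            Master_SSL_Cert:
             Master_SSL_Key:
      Seconds_Behind_Master: NULL
1 row in set (0.00 sec)
"""

# One "Field: value" line of the \G (vertical) output format.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9_]+):\s?(.*)$")


def parse_slave_status(text):
    """Map each 'Field: value' line of the vertical output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_slave_status(text, max_lag_seconds=60):
    """Return a list of problem strings; an empty list means the slave is healthy."""
    f = parse_slave_status(text)
    problems = []
    # Both replication threads must be running.
    for key in ("Slave_IO_Running", "Slave_SQL_Running"):
        if f.get(key) != "Yes":
            problems.append(f"{key} is {f.get(key, 'missing')!r}, expected 'Yes'")
    if f.get("Last_Errno", "0") != "0":
        problems.append(f"Last_Errno {f['Last_Errno']}: {f.get('Last_Error', '')}")
    # The tutorial's whole point: the replication link must be encrypted.
    if f.get("Master_SSL_Allowed") != "Yes":
        problems.append("Master_SSL_Allowed is not 'Yes': replication traffic is not encrypted")
    for key in ("Master_SSL_CA_File", "Master_SSL_Cert", "Master_SSL_Key"):
        if not f.get(key):
            problems.append(f"{key} is empty")
    # NULL lag means the SQL thread has nothing to measure against (IO thread down).
    lag = f.get("Seconds_Behind_Master", "NULL")
    if lag == "NULL":
        problems.append("Seconds_Behind_Master is NULL")
    elif int(lag) > max_lag_seconds:
        problems.append(f"slave is {lag}s behind master (limit {max_lag_seconds}s)")
    return problems


if __name__ == "__main__":
    import sys
    for p in check_slave_status(sys.stdin.read()):
        print("PROBLEM:", p)
```

Run it on server2 with `mysql -u root -p -e 'SHOW SLAVE STATUS \G' | python3 check_slave.py` (script name assumed); no output means every check passed.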
Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3
1 Installing The Five Debian Base Systems
In this setup there will be one master server (which runs the web server and ISPConfig control panel interface) and four slave servers for database, email and DNS.
To install the clustered setup, we need five servers (or virtual servers) with a Debian 5.0 minimal install. The base setup is described in the following tutorial in the steps 1 - 6:
http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3
Install only steps 1 - 6 of the perfect server tutorial and not the other steps as they differ for a clustered setup!
In my example I use the following hostnames and IP addresses for the five servers:
Web Server
Hostname: web.example.tld
IP address: 192.168.0.105
Mail Server
Hostname: mail.example.tld
IP address: 192.168.0.106
DB Server
Hostname: db.example.tld
IP address: 192.168.0.107
DNS Server (primary)
Hostname: ns1.example.tld
IP address: 192.168.0.108
DNS Server (secondary)
Hostname: ns2.example.tld
IP address: 192.168.0.109
Wherever these hostnames or IP addresses occur in the next installation steps, you will have to change them to match the IPs and hostnames of your servers.
2 Installing The Web Server
Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.
vi /etc/hosts
127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Set the hostname of the server:
echo web.example.tld > /etc/hostname
/etc/init.d/hostname.sh start
Edit the sources.list file...
vi /etc/apt/sources.list
... and ensure that it contains the following line to enable the volatile repository.
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Run...
apt-get update
... to update the apt package database; then run...
apt-get upgrade
... to install the latest updates (if there are any).
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...
apt-get -y install ntp ntpdate
... and your system time will always be in sync.
Install the MySQL server. A MySQL server instance is necessary on every server as ISPConfig uses it to sync the configuration between the servers.
apt-get -y install mysql-client mysql-server
Enter the new password for MySQL when requested by the installer.
We want MySQL to listen on all interfaces on the master server, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Then restart MySQL:
/etc/init.d/mysql restart
Now install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt as follows:
apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby sudo
You will see the following question:
Web server to reconfigure automatically: <-- apache2
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:
a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest
PureFTPd and quota can be installed with the following command:
apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):
vi /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext3 errors=remount-ro,usrquota,grpquota 0 1
/dev/sda5 none swap sw 0 0
/dev/hda /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
To enable quota, run these commands:
touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
Install vlogger, webalizer, and awstats:
apt-get -y install vlogger webalizer awstats
Install Jailkit: Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
apt-get -y install build-essential autoconf automake1.9 libtool flex bison
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make
make install
cd ..
rm -rf jailkit-2.11*
Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:
apt-get install fail2ban
Next we will install ISPConfig 3. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/
This server is the master server in our setup which runs the ISPConfig control panel interface. To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address. The easiest way to do this is to use the web based phpmyadmin administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries:
CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
In the above SQL commands, replace the IP addresses (192.168.0.106 - 192.168.0.109) with the IP addresses of your servers, replace mail.example.tld, db.example.tld, ns1.example.tld and ns2.example.tld with the hostnames of your servers, and replace myrootpassword with the desired root password.
Click on the reload permissions button or restart MySQL. Then close phpmyadmin.
Go back to the shell of server1.example.tld and download the latest ISPConfig 3 stable release:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Then start the install script:
php -q install.php
Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [web.example.tld]: <-- web.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- n
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- y
Configure FTP Server (y,n) [y]: <-- y
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- y
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- y
ISPConfig Port [8080]: <-- 8080
Clean up the install directories:
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz
3 Installing The Mail Server
Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.
vi /etc/hosts
127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Set the hostname of the server:
echo mail.example.tld > /etc/hostname
echo mail.example.tld > /etc/mailname
/etc/init.d/hostname.sh start
Edit the sources.list file...
vi /etc/apt/sources.list
... and ensure that it contains the following line to enable the volatile repository.
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Run...
apt-get update
... to update the apt package database; then run...
apt-get upgrade
... to install the latest updates (if there are any).
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...
apt-get -y install ntp ntpdate
... and your system time will always be in sync.
Install postfix, dovecot and MySQL with one single command:
apt-get -y install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d
Enter the new password for MySQL when requested by the installer and answer the next questions as described below:
Create directories for web-based administration ? <-- No
General type of configuration? <-- Internet site
Mail name? <-- mail.mydomain.tld
SSL certificate required <-- Ok
To install amavisd-new, SpamAssassin, and ClamAV, we run:
apt-get -y install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
Then install the command line version of PHP to be able to run PHP-based shell scripts for ISPConfig:
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:
apt-get install fail2ban
Now I will install ISPConfig 3 on this server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/
Download the latest ISPConfig 3 stable release:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Then start the install script:
php -q install.php
Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [mail.example.tld]: <-- mail.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- y
Country Name (2 letter code) [AU]: <-- DE (Enter the ISO country code where you live here)
State or Province Name (full name) [Some-State]: <-- Niedersachsen (Enter the state where you live here)
Locality Name (eg, city) []: <-- Lueneburg (Enter the city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n
Run...
rm -f /var/www/ispconfig
... to remove the ISPConfig interface link in the /var/www directory.
Clean up the install directories:
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz
4 Installing The MySQL Database Server
Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.
vi /etc/hosts
127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Set the hostname of the server:
echo db.example.tld > /etc/hostname
/etc/init.d/hostname.sh start
Edit the sources.list file...
vi /etc/apt/sources.list
... and ensure that it contains the following line to enable the volatile repository.
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Run...
apt-get update
... to update the apt package database; then run...
apt-get upgrade
... to install the latest updates (if there are any).
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...
apt-get -y install ntp ntpdate
... and your system time will always be in sync.
Install MySQL client and server:
apt-get -y install mysql-client mysql-server
Enter the new password for MySQL when requested by the installer.
We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]
Then restart MySQL:
/etc/init.d/mysql restart
Then install the command line version of PHP to be able to run PHP-based shell scripts for ISPConfig:
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:
apt-get install fail2ban
Next install ISPConfig 3 on this server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/
Download the latest ISPConfig 3 stable release:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Then start the install script:
php -q install.php
Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [db.example.tld]: <-- db.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n
Run...
rm -f /var/www/ispconfig
... to remove the ISPConfig interface link in the /var/www directory.
Clean up the install directories:
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz
5 Installing The Primary DNS Server
Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.
vi /etc/hosts
127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Set the hostname of the server:
echo ns1.example.tld > /etc/hostname
/etc/init.d/hostname.sh start
Edit the sources.list file...
vi /etc/apt/sources.list
... and ensure that it contains the following line to enable the volatile repository.
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Run...
apt-get update
... to update the apt package database; then run...
apt-get upgrade
... to install the latest updates (if there are any).
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...
apt-get -y install ntp ntpdate
... and your system time will always be in sync.
Install MySQL client and server:
apt-get -y install mysql-client mysql-server
Enter the new password for MySQL when requested by the installer.
Then install the command line version of PHP to be able to run PHP-based shell scripts for ISPConfig:
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
Install BIND DNS Server:
apt-get -y install bind9 dnsutils
Next install ISPConfig 3 on the dns server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/
Download the latest ISPConfig 3 stable release:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Then start the install script:
php -q install.php
Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [ns1.example.tld]: <-- ns1.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- y
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n
Run...
rm -f /var/www/ispconfig
... to remove the ISPConfig interface link in the /var/www directory.
Clean up the install directories:
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz
6 Installing The Secondary DNS Server
Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.
vi /etc/hosts
127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Set the hostname of the server:
echo ns2.example.tld > /etc/hostname
/etc/init.d/hostname.sh start
Edit the sources.list file...
vi /etc/apt/sources.list
... and ensure that it contains the following line to enable the volatile repository.
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Run...
apt-get update
... to update the apt package database; then run...
apt-get upgrade
... to install the latest updates (if there are any).
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...
apt-get -y install ntp ntpdate
... and your system time will always be in sync.
Install MySQL client and server:
apt-get -y install mysql-client mysql-server
Enter the new password for MySQL when requested by the installer.
Then install the command line version of PHP to be able to run PHP-based shell scripts for ISPConfig:
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
Install BIND DNS Server:
apt-get -y install bind9 dnsutils
Next install ISPConfig 3 on the dns server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/
Download the latest ISPConfig 3 stable release:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
Then start the install script:
php -q install.php
Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [ns2.example.tld]: <-- ns2.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- y
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n
Run...
rm -f /var/www/ispconfig
... to remove the ISPConfig interface link in the /var/www directory.
Clean up the install directories:
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz
7 Adjust The Server Settings In ISPConfig
Log into ISPConfig on the master server with a web browser:
http://192.168.0.105:8080
Click on System > Server services > web.example.tld, disable all checkboxes except the Webserver and Fileserver checkboxes, and click on Save.
Click on System > Server services > mail.example.tld, disable all checkboxes except the Mailserver checkbox, and click on Save.
Click on System > Server services > db.example.tld, disable all checkboxes except the DB-Server checkbox, and click on Save.
Click on System > Server services > ns1.example.tld, disable all checkboxes except the DNS-Server checkbox, and click on Save.
Click on System > Server services > ns2.example.tld, disable all checkboxes except the DNS-Server checkbox, select ns1.example.com in the Is mirror of Server selectbox, and click on Save.
8 Links
Caching With Apache's mod_cache On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/21/2010
This article explains how you can cache your web site contents with Apache's mod_cache on Debian Lenny. If you have a high-traffic dynamic web site that generates lots of database queries on each request, you can decrease the server load dramatically by caching your content for a few minutes or more (that depends on how often you update your content).
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming that you have a working Apache2 setup (Apache 2.2.x - prior to that version, mod_cache is considered experimental) from the Debian repositories - the Apache version in the Debian Lenny repositories is 2.2.9, so you should be good to go.
I'm using the document root /var/www here for my test vhost - you must adjust this if your document root differs.
2 Enabling mod_cache
mod_cache has two submodules that manage the cache storage, mod_disk_cache (for storing contents on the hard drive) and mod_mem_cache (for storing contents in memory, which is faster than disk caching). Decide which one you want to use and continue either with chapter 2.1 (mod_disk_cache) or 2.2 (mod_mem_cache).
2.1 mod_disk_cache
The mod_disk_cache configuration is stored in /etc/apache2/mods-available/disk_cache.conf, so let's edit that one:
vi /etc/apache2/mods-available/disk_cache.conf
Make sure you uncomment the CacheEnable disk / line, so that the minimal configuration looks as follows:
<IfModule mod_disk_cache.c>
# cache cleaning is done by htcacheclean, which can be configured in
# /etc/default/apache2
#
# For further information, see the comments in that file,
# /usr/share/doc/apache2.2-common/README.Debian, and the htcacheclean(8)
# man page.

# This path must be the same as the one in /etc/default/apache2
CacheRoot /var/cache/apache2/mod_disk_cache

# This will also cache local documents. It usually makes more sense to
# put this into the configuration for just one virtual host.
CacheEnable disk /

CacheDirLevels 5
CacheDirLength 3
</IfModule>
You can find explanations for these configuration options and further configuration options on http://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html.
Now we can enable mod_cache and mod_disk_cache:
a2enmod cache
a2enmod disk_cache
/etc/init.d/apache2 restart
To make sure that our cache directory /var/cache/apache2/mod_disk_cache doesn't fill up over time, we have to clean it with the htcacheclean command. That command is part of the apache2-utils package which we install as follows:
aptitude install apache2-utils
Afterwards, we can start htcacheclean as a daemon like this:
htcacheclean -d30 -n -t -p /var/cache/apache2/mod_disk_cache -l 100M -i
This will clean our cache directory every 30 minutes and make sure that it will not get bigger than 100MB. To learn more about htcacheclean, take a look at
man htcacheclean
Of course, you don't want to start htcacheclean manually each time you reboot the server - therefore we edit /etc/rc.local...
vi /etc/rc.local
... and add the following line to it, right before the exit 0 line:
[...]
/usr/sbin/htcacheclean -d30 -n -t -p /var/cache/apache2/mod_disk_cache -l 100M -i
[...]
This will start htcacheclean automatically each time you start the server.
2.2 mod_mem_cache
The mod_mem_cache configuration is located in /etc/apache2/mods-available/mem_cache.conf:
vi /etc/apache2/mods-available/mem_cache.conf
<IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 4096
        MCacheMaxObjectCount 100
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
</IfModule>
This is the default configuration - if you like you can modify it. A list of configuration directives for mod_mem_cache is available here: http://httpd.apache.org/docs/2.2/mod/mod_mem_cache.html
Now let's enable mod_cache and mod_mem_cache as follows:
a2enmod cache
a2enmod mem_cache
/etc/init.d/apache2 restart
That's it already! With mod_mem_cache, you don't have to clean up any cache directories.
3 Testing
Unfortunately mod_cache doesn't provide any logging functionality, which is bad if you want to know whether caching is working. Therefore I create a small PHP test file, /var/www/cachetest.php, that sends out HTTP headers telling mod_cache to cache the file for 300 seconds, and that simply prints the timestamp:
vi /var/www/cachetest.php
<?php
header("Cache-Control: must-revalidate, max-age=300");
header("Vary: Accept-Encoding");
echo time()."<br>";
?>
Now call that file in a browser - it should display the current time stamp. Then click in the browser's address bar and press ENTER so that the page gets loaded again (don't press F5 or the reload button - this will always fetch a fresh copy from the server instead of the cache!) - if all goes well, you should still see the old, cached timestamp. If you wait 300 seconds, you should get a fresh copy from the server instead of the cache.
4 HTTP Headers
Caching doesn't work out-of-the-box - you must modify your web application so that caching can work (it is possible that your web application already supports caching - please consult the documentation of your application to find out). mod_cache will cache web pages only if the HTTP headers sent out by your web application tell it to do so.
Here are some examples of headers that tell mod_cache not to cache:
Expires headers with a date in the past: "Expires: Sun, 19 Nov 1978 05:00:00 GMT"
Certain Cache-Control headers: "Cache-Control: no-store, no-cache, must-revalidate" or "Cache-Control: must-revalidate, max-age=0"
Set-Cookie headers: a page will not be cached if a cookie is set.
So if you want mod_cache to cache your pages, modify your application to not send out such headers.
If you want mod_cache to cache your pages, you can set an Expires header with a date in the future, but the recommended way is to use max-age:
"Cache-Control: must-revalidate, max-age=300"
This tells mod_cache to cache the page for 300 seconds (max-age) - unfortunately mod_cache doesn't know the s-maxage option (see http://www.mnot.net/cache_docs/#CACHE-CONTROL), that's why we must use the max-age option (which also tells your browser to cache - please keep this in mind if you get unexpected results!). If mod_cache knew the s-maxage option, we could use "Cache-Control: must-revalidate, max-age=0, s-maxage=300" which would tell mod_cache, but not the browser, to cache the page.
Of course, this header is useless if you send out one of the non-caching headers (Expires in the past, Set-Cookie, etc.) from above at the same time!
Another very important header for caching is this one:
"Vary: Accept-Encoding"
This makes mod_cache keep two copies of each cached page, one compressed (gzip) and one uncompressed so that it can deliver the right version depending on the capabilities of the user-agent/browser. Some user-agents don't understand gzip compression, so they should get the uncompressed version.
So here's the summary: use the following two headers if you want mod_cache to cache:
"Cache-Control: must-revalidate, max-age=300"
"Vary: Accept-Encoding"
and make sure that no Expires with a date in the past, cookies, etc. are sent.
If your application is written in PHP, you can use PHP's header() function to send out HTTP headers, e.g. like this:
header("Cache-Control: must-revalidate, max-age=300");
header("Vary: Accept-Encoding");
This page is a must-read if you want to learn more about HTTP headers and caching: http://www.mnot.net/cache_docs/
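As an added example (it is not part of the article and not Apache's own code), the POSIX shell function below applies the header rules from this section to a raw response header block and reports whether mod_cache would store the page and for how long; it assumes GNU date, as on Debian, for parsing an Expires value, and the header sample at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the article): apply the header rules from section 4
# to a raw HTTP response header block and report whether mod_cache would store
# it and for how long. Headers are read from stdin; the verdict is printed as
#   cache:<seconds>    max-age > 0 and nothing forbids caching
#   nocache:<reason>   set-cookie | cache-control | expires-in-past | no-max-age
# Assumes GNU date (as on Debian) for parsing the Expires value.

mod_cache_verdict() {
    hdrs=$(cat)
    # Header names and Cache-Control directives are case-insensitive.
    lower=$(printf '%s\n' "$hdrs" | tr '[:upper:]' '[:lower:]')

    # Rule 1: a Set-Cookie header means the page is never cached.
    if printf '%s\n' "$lower" | grep -q '^set-cookie:'; then
        echo "nocache:set-cookie"
        return 0
    fi

    # Rule 2: Cache-Control directives that forbid caching outright.
    # All Cache-Control values are joined with commas and spaces dropped,
    # so each directive can be matched as ",directive,".
    cc=$(printf '%s\n' "$lower" | sed -n 's/^cache-control:[[:space:]]*//p' \
        | tr -d ' \r' | tr '\n' ',')
    case ",$cc," in
        *,no-store,*|*,no-cache,*|*,max-age=0,*)
            echo "nocache:cache-control"
            return 0 ;;
    esac

    # Rule 3: an Expires date in the past. A date that cannot be parsed is
    # treated as already expired, which is also how HTTP clients treat it.
    expires=$(printf '%s\n' "$hdrs" | grep -i '^expires:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    if [ -n "$expires" ]; then
        exp_ts=$(date -u -d "$expires" +%s 2>/dev/null || echo 0)
        if [ "$exp_ts" -le "$(date -u +%s)" ]; then
            echo "nocache:expires-in-past"
            return 0
        fi
    fi

    # Rule 4: max-age=N with N > 0 is what switches caching on; remember
    # that the same value also tells the browser to cache.
    secs=$(printf '%s' ",$cc," | sed -n 's/.*,max-age=\([0-9][0-9]*\),.*/\1/p')
    if [ -n "$secs" ] && [ "$secs" -gt 0 ]; then
        echo "cache:$secs"
    else
        echo "nocache:no-max-age"
    fi
}

# vary_ok: succeed when the headers on stdin carry "Vary: Accept-Encoding",
# so that mod_cache keeps separate gzip and uncompressed copies.
vary_ok() {
    tr '[:upper:]' '[:lower:]' | tr -d ' \r' | grep -q '^vary:.*accept-encoding'
}

# Constructed sample: the two headers the article recommends.
sample='HTTP/1.1 200 OK
Cache-Control: must-revalidate, max-age=300
Vary: Accept-Encoding
Content-Type: text/html'

printf '%s\n' "$sample" | mod_cache_verdict          # prints cache:300
printf '%s\n' "$sample" | vary_ok && echo "vary: ok"
```

Pipe the output of curl -sI against the test page into mod_cache_verdict to check a real vhost the same way.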
Disk Backup With Amanda On Debian Lenny
1. Introduction
Amanda is an open source client/server solution to back up filesystems. Backups are triggered by the backup server, backup definitions are located on the server, but exclusion lists are located on the client. Amanda is not yet at the level of backup solutions like IBM TSM/TDP or Legato Networker, but it is the best open source solution I found so far.
2. Landscape
bckserver.mydomain.com (Debian lenny): The backup server that hosts the amanda server.
bckclient.mydomain.com (Debian lenny): The backup client is a web server with a MySQL version 5.0 database (no replication). The mysql backup is done with zrm version 2.2. I did not create a howto for zrm since the product is fairly easy to use and the zmanda Quick setup guide and user manual are really easy to follow. My biggest regret with zrm: it does not backup to amanda tapes.
An iSCSI SAN as the library: backups go to virtual tapes (disks).
3. AMANDA
3.1 Backup Server
3.1.1 Installation
As user root, install the amanda-server package and also the amanda-client package, or you will not be able to do restores from bckclient.
# apt-get update
# apt-get install amanda-server amanda-client xinetd gawk gnuplot readline-common openssh-server
Accept the additional packages required when prompted.
3.1.2 (If Applicable) Comment Amanda Entries In Inetd Configuration File
The packages configure both inetd and xinetd. In this howto we only use xinetd.
Edit /etc/inetd.conf and comment amanda related lines:
#:OTHER: Other services
#amandaidx stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amindexd amindexd -auth=bsdtcp amdump amindexd amidxtaped
#amidxtape stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amidxtaped amidxtaped -auth=bsdtcp amdump amindexd amidxtaped
#amanda dgram udp wait backup /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
3.1.3 Modify Amanda Daemons To Use auth bsdtcp
For details check the wiki.
Edit amanda, amidxtape and amandaidx files in /etc/xinetd.d/ to match the following:
# cat /etc/xinetd.d/amanda | grep -v "^#"
service amanda
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = backup
        group       = backup
        groups      = yes
        server      = /usr/lib/amanda/amandad
        server_args = -auth=bsdtcp amdump amindexd amidxtaped
        disable     = no
}
# cat /etc/xinetd.d/amidxtape | grep -v "^#"
service amidxtape
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = backup
        group       = backup
        groups      = yes
        server      = /usr/lib/amanda/amidxtaped
        server_args = -auth=bsdtcp amdump amindexd amidxtaped
        disable     = no
}
# cat /etc/xinetd.d/amandaidx | grep -v "^#"
service amandaidx
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = backup
        group       = backup
        groups      = yes
        server      = /usr/lib/amanda/amindexd
        server_args = -auth=bsdtcp amdump amindexd amidxtaped
        disable     = no
}
Enable the changes:
# /etc/init.d/xinetd restart
3.1.4 Backup Configuration
We will define daily backups and the configuration will be called DailySet1.
The backup user configured by default at the installation is:
user name: backup
user group: backup
home dir: /var/backups
# su backup -c "mkdir /etc/amanda/DailySet1"
We create a minimum configuration file amanda.conf for DailySet1:
vi /etc/amanda/DailySet1/amanda.conf
org "DailySet1"                                 # your organization name for reports
mailto "[email protected]"                       # space separated list of operators at your site
dumpuser "backup"                               # the user to run dumps under
logdir "/etc/amanda/DailySet1/logs"             # log directory
infofile "/etc/amanda/DailySet1/curinfo"        # database filename
indexdir "/etc/amanda/DailySet1/index"          # index directory
tapelist "/etc/amanda/DailySet1/tapelist"       # list of used tapes
tapecycle 9 tapes
tapetype DISK
tpchanger "chg-disk"
changerfile "/etc/amanda/DailySet1/changer"     # needed by amlabel
tapedev "file:/space/vtapes/DailySet1/slots"

define tapetype DISK {
    comment "Backup to HD"
    length 5 gbytes
}

# comment holding disk section if needed
holdingdisk hd1 {
    directory "/dumps/"
}

# to be used by any other dumptype
define dumptype global {
    comment "Global definitions"
    index yes
    record yes
    auth "bsdtcp"
}

define dumptype daily {
    global
    comment "daily dumptype"
    compress client fast
    program "GNUTAR"
    strategy standard
    priority high
    exclude list "/etc/amanda/DailySet1/global-debian-exclude.list"
}
Quick explanation:
- we plan to use 9 tapes of 5 GB each; tapes are recycled after 9 backups.
- we plan to back up everything on bckclient with some exceptions (see the exclude list in section 3.2.6).
Check the amanda.conf man page for details on syntax.
Create the database repository for DailySet1 as specified in amanda.conf.
# su backup -c "mkdir /etc/amanda/DailySet1/logs"
# su backup -c "mkdir /etc/amanda/DailySet1/index"
# touch /etc/amanda/DailySet1/tapelist
# su backup -c "mkdir /etc/amanda/DailySet1/curinfo"
3.1.5 (Optional) Configure Holding Disks
The holding disk is used as a cache to store backup data from all Amanda clients (ref).
If you do not intend to use holding disks, review the amanda.conf file.
# comment holding disk section if needed
#holdingdisk hd1 {
# directory "/dumps/"
#}
and skip this section.
If you plan to use holding disks:
# su backup -c "mkdir /dumps"
# chmod 750 /dumps
I use here a local disk. The details are not covered by this document.
# cat /etc/fstab | grep LABEL
LABEL=holdingdisk /dumps ext3 defaults 0
LABEL=backup /space xfs _netdev 0 0
3.1.6 Configure Virtual Tapes
# mkdir -p /space/
I use my ISCSI SAN disks here. Check this ISCSI howto for details.
# mkdir -p /space/vtapes/DailySet1/slots
# chown backup:backup -R /space/
# chmod 750 /space/vtapes
# su - backup
$ cd /space/vtapes/DailySet1/slots
Create the tapes:
$ for ((i=1; $i<=9; i++)); do mkdir slot$i;done
Initialize tape changer:
$ ln -s slot1 data
Test the virtual tapes:
$ ammt -f file:/space/vtapes/DailySet1/slots status
file:/space/vtapes/DailySet1/slots status: ONLINE
Label the tapes:
$ for ((i=1; $i<=9;i++)); do amlabel DailySet1 DailySet1-0$i slot $i; done
Note: If you plan to use more than nine tapes (say 25 for example), do run a second amlabel command:
$ for ((i=10; $i<=25;i++)); do amlabel DailySet1 DailySet1-$i slot $i; done
Reset the virtual tape changer back to the first slot.
$ amtape DailySet1 reset
amtape: changer is reset, slot 1 is loaded.
$ ls -l data
lrwxrwxrwx 1 backup backup 35 jun 7 02:27 data -> /space/vtapes/DailySet1/slots/slot1
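As an added example that is not part of this howto, the shell functions below generalise the slot creation and labelling of this section to any number of tapes: they build the slot directories and the data link, derive the zero-padded labels so the separate loops for 1..9 and 10..25 are not needed, and print the amlabel commands for review instead of running them. The scratch directory used by the demo is constructed; the howto's real path is /space/vtapes/DailySet1/slots.

```shell
#!/bin/sh
# Added example (not part of the original howto): generalise the virtual tape
# setup of section 3.1.6 to any number of slots. Creates slot directories and
# the "data" link that chg-disk treats as the loaded slot, derives zero-padded
# labels (DailySet1-01 .. DailySet1-09, DailySet1-10 ..) and prints the amlabel
# invocations rather than running them. Assumes only a writable directory.

# vtape_label CONFIG N: label for slot N, e.g. DailySet1-03 or DailySet1-25.
vtape_label() {
    printf '%s-%02d\n' "$1" "$2"
}

# make_vtapes DIR COUNT: create DIR/slot1..slotCOUNT plus the "data" symlink
# pointing at slot1. Re-running is safe: existing slots and an existing
# "data" link are left alone. Prints the number of slots present.
make_vtapes() {
    dir=$1
    count=$2
    mkdir -p "$dir" || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        mkdir -p "$dir/slot$i"
        i=$((i + 1))
    done
    # A relative link target keeps the tree relocatable, as in the howto.
    [ -e "$dir/data" ] || ln -s slot1 "$dir/data"
    n=0
    for s in "$dir"/slot*; do
        if [ -d "$s" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# vtape_current_slot DIR: slot number the changer currently has loaded,
# read from where DIR/data points (the howto checks this with "ls -l data").
vtape_current_slot() {
    readlink "$1/data" | sed 's/^slot//'
}

# vtape_label_commands CONFIG COUNT: the amlabel command for every slot,
# one per line, to review and then run as user backup.
vtape_label_commands() {
    cfg=$1
    total=$2
    i=1
    while [ "$i" -le "$total" ]; do
        echo "amlabel $cfg $(vtape_label "$cfg" "$i") slot $i"
        i=$((i + 1))
    done
}

# Demo in a constructed scratch directory; the howto uses
# /space/vtapes/DailySet1/slots owned by backup:backup.
demo=$(mktemp -d)
make_vtapes "$demo/slots" 12
echo "loaded: $(vtape_label DailySet1 "$(vtape_current_slot "$demo/slots")")"
vtape_label_commands DailySet1 12
rm -rf "$demo"
```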
3.1.7 Backup Definition: Disklist
In this section you specify for each backup client, what disks you intend to back up.
On the backup client:
As user root issue mount on the backup client to list mounted disks:
# mount
/dev/mapper/debian-root on / type xfs
/dev/sda1 on /boot type ext2 (rw)
/dev/sdb1 on /var/www/www.mysite.com type ext3
On the backup server:
$ vi /etc/amanda/DailySet1/disklist
bckclient.mydomain.com /var/www/www.mysite.com/ daily
bckclient.mydomain.com / daily
bckclient.mydomain.com /boot/ daily
syntax: client.fqdn path dumptype (ref amanda.conf)
Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.
3.1.8 Authorization: amandahost
This file is used to authorize client or server connections:
$ vi /etc/amandahosts
bckserver.mydomain.com root amindexd amidxtaped
bckserver.mydomain.com backup amdump
bckclient.mydomain.com root amindexd amidxtaped
The line: "bckclient.mydomain.com root amindexd amidxtaped" allows user root from bckclient to perform restores.
The line "bckserver.mydomain.com backup amdump" allows user backup from bckserver to run backups on bckserver.
Details on file syntax and authentication here.
Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.
# ln -s /var/backups/.amandahosts /etc/amandahosts
# chmod 400 /etc/amandahosts
# ls -l /etc/amandahosts
-r-------- 1 backup backup 157 mai 27 02:12 /etc/amandahosts
# ls -l /var/backups/.amandahosts
lrwxrwxrwx 1 root root 16 mai 17 00:41 /var/backups/.amandahosts -> /etc/amandahosts
3.2 Backup Client
3.2.1 Installation
As user root install the amanda-client package.
# apt-get update
# apt-get install amanda-client xinetd openssh-server
Accept the additional packages required when prompted.
3.2.2 (If Applicable) Comment Amanda Entries In Inetd Configuration File
The packages configure both inetd and xinetd. In this howto we only use xinetd.
Edit /etc/inetd.conf and comment amanda related lines:
#:OTHER: Other services
#amanda dgram udp wait backup /usr/sbin/tcpd
/usr/lib/amanda/amandad -auth=bsd amdump amindexd
amidxtaped
3.2.3 Modify Amanda Daemons To Use auth bsdtcp
For details check the wiki.
Edit amanda, amidxtape and amandaidx files in /etc/xinetd.d/ to match the following:
# cat /etc/xinetd.d/amanda| grep -v "^#"
service amanda
{
socket_type = stream protocol = tcp wait = no user = backup
group = backup
groups = yes
server = /usr/lib/amanda/amandad
server_args = -auth=bsdtcp amdump amindexd amidxtaped disable = no
}
Enable changes:
# /etc/init.d/xinetd restart
3.2.4 Client Configuration: amanda-client.conf
# vi /etc/amanda/amanda-client.conf
conf "DailySet1"                        # your config name
index_server "bckserver.mydomain.com"   # your amindexd server
tape_server "bckserver.mydomain.com"    # your amidxtaped server
auth "bsdtcp"
3.2.5 Authorizations: amandahosts
Edit the amandahosts file to allow backups from bckserver:
# vi /etc/amanda/amandahosts
bckserver.mydomain.com backup amdump
The line "bckserver.mydomain.com backup amdump" allows user backup from bckserver to run backups on bckclient.
Details on file syntax and authentication here.
Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.
# ls -la /var/backups/.amandahosts
lrwxrwxrwx 1 root root 23 mai 25 11:19 /var/backups/.amandahosts -> /etc/amanda/amandahosts
3.2.6 Exclude List
As user backup, create an exclude list. Bear in mind that paths are relative. More details here.
$ vi /etc/amanda/DailySet1/global-debian-exclude.list
./proc
./media
./mnt
./dev
chmod 644 /etc/amanda/DailySet1/global-debian-exclude.list
Note: in my example the exclude list applies to all three filesystems. If you want to avoid this, define different exclude lists for different dumptypes and modify the disklist file accordingly.
3.3 Tests
3.3.1 Config Test
Log on as user backup on bckserver and issue the following command:
$ amcheck DailySet1
Amanda Tape Server Host Check
-----------------------------
Holding disk /dumps/: 48800396 kB disk space available, using 48800396 kB
slot 2: read label `DailySet1-02', date `20100607'
cannot overwrite active tape DailySet1-02
slot 3: read label `DailySet1-03', date `X'
NOTE: skipping tape-writable test
Tape DailySet1-03 label ok
NOTE: host info dir /etc/amanda/DailySet1/curinfo/bckclient.mydomain.com does not exist
NOTE: it will be created on the next run.
NOTE: index dir /etc/amanda/DailySet1/index/bckclient.mydomain.com does not exist
NOTE: it will be created on the next run.
Server check took 0.115 seconds

Amanda Backup Client Hosts Check
--------------------------------
Client check: 1 host checked in 0.132 seconds, 0 problems found

(brought to you by Amanda 2.5.2p1)
3.3.2 Backup Test
Log on as user backup on bckserver and issue the following command:
$ amdump DailySet1
Note: to force a full backup, issue the following command before the amdump:
$ amadmin DailySet1 force bckclient.mydomain.com
On completion check [email protected] mails for a backup notification.
Hostname: bckserver
Org     : DailySet1
Config  : DailySet1
Date    : June 7, 2010

These dumps were to tape DailySet1-03.
The next tape Amanda expects to use is: a new tape.
The next new tape already labelled is: DailySet1-04.

STATISTICS:
                          Total       Full      Incr.
                        --------   --------   --------
Estimate Time (hrs:min)    0:00
Run Time (hrs:min)         0:06
Dump Time (hrs:min)        0:05       0:05       0:00
Output Size (meg)         766.7      766.7        0.0
Original Size (meg)      1363.0     1363.0        0.0
Avg Compressed Size        56.3       56.3         --
Filesystems Dumped            1          1          0
Avg Dump Rate (k/s)      2730.3     2730.3         --

Tape Time (hrs:min)        0:01       0:01       0:00
Tape Size (meg)           766.8      766.8        0.0
Tape Used                  15.0       15.0        0.0
Filesystems Taped             1          1          0
Chunks Taped                  0          0          0
Avg Tp Write Rate (k/s)  9490.5     9490.5         --

USAGE BY TAPE:
  Label          Time      Size      %    Nb    Nc
  DailySet1-03   0:01   785152k   15.0     1     0

NOTES:
  planner: tapecycle (9) <= runspercycle (10)
  planner: Adding new disk bckclient.mydomain.com:/.
  driver: WARNING: This is not the first amdump run today. Enable the usetimestamps option in the configuration file if you want to run amdump more than once per calendar day.
  taper: tape DailySet1-03 kb 785184 fm 1 [OK]
  small estimate: bckclient.mydomain.com / 0
                  est: 697920k out 785152k

DUMP SUMMARY:
                                        DUMPER STATS                TAPER STATS
HOSTNAME     DISK        L  ORIG-kB   OUT-kB  COMP%  MMM:SS    KB/s MMM:SS    KB/s
-------------------------- ------------------------------------- -------------
bckclient    /           0  1395720   785152   56.3    4:48  2730.3   1:23  9490.4
bckclient    /boot       0    16320    15520   95.1    0:04  4324.4   0:00 98858.5
bckclient    -mysite.com 0    34750    11488   33.1    0:09  1228.3   0:01 16425.6

(brought to you by Amanda version 2.5.2p1)
$ amadmin DailySet1 find

date       host                   disk                     lv tape or file  file part status
2010-06-07 bckclient.mydomain.com /                         1 DailySet1-04     1  --  OK
2010-06-07 bckclient.mydomain.com /                         1 DailySet1-05     1  --  OK
2010-06-07 bckclient.mydomain.com /                         1 DailySet1-06     1  --  OK
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-01     0  --  FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-01     0  --  FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-02     0  --  FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-02     0  --  FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-03     1  --  OK
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-07     1  --  OK
2010-06-07 bckclient.mydomain.com /                         0 DailySet1-08     3  --  OK
2010-06-07 bckclient.mydomain.com /boot                     0 DailySet1-08     1  --  OK
2010-06-07 bckclient.mydomain.com /var/www/www.mysite.com   0 DailySet1-08     2  --  OK
3.4 Backup Scheduling
Daily backup every day at 1:00AM:
# su backup -c "crontab -e"
0 1 * * 1-7 /usr/sbin/amdump DailySet1
3.5 Restore
3.5.1 Backup Client Configuration
Log on as user root on the bckclient.
Create an amanda-client.conf file:
# su backup -c "mkdir /etc/amanda"
# vi /etc/amanda/amanda-client.conf
conf "DailySet1"                        # your config name (used for restore)
index_server "bckserver.mydomain.com"   # your amindexd server
tape_server "bckserver.mydomain.com"    # your amidxtaped server
auth "bsdtcp"
# ls -ltr /etc/amanda/DailySet1/amanda-client.conf
lrwxrwxrwx 1 root root 30 mai 25 17:50 /etc/amanda/DailySet1/amanda-client.conf -> /etc/amanda/amanda-client.conf
Note: If you mix weekly (long retention) and daily backups (short retention) for the same backup client you will have to specify the right conf (WeeklySet1 or DailySet1) for restore.
3.5.2 Recover
As user root on bckclient cd to a suitable place for restore (/tmp for example) and issue the following command:
# amrecover
AMRECOVER Version 2.5.2p1. Contacting server on bckserver.mydomain.com ...
220 bckserver AMANDA index server (2.5.2p1) ready.
Setting restore date to today (2010-06-07)
200 Working date set to 2010-06-07.
200 Config set to DailySet1.
501 Host bckclient is not in your disklist.
Trying host bckclient.mydomain.com ...
200 Dump host set to bckclient.mydomain.com.
Use the setdisk command to choose dump disk to recover
amrecover> listdisk
200- List of disk for host bckclient.mydomain.com
201- /
201- /var/www/www.mysite.com
201- /boot
amrecover> setdisk /var/www/www.mysite.com
200 Disk set to /var/www/www.mysite.com.
amrecover> ls
2010-06-07 xmlrpc/
2010-06-07 tmp/
2010-06-07 templates/
2010-06-07 robots.txt
2010-06-07 plugins/
2010-06-07 modules/
2010-06-07 logs/
2010-06-07 libraries/
2010-06-07 language/
2010-06-07 index2.php
2010-06-07 index.php
2010-06-07 includes/
2010-06-07 images/
2010-06-07 htaccess.txt
2010-06-07 configuration.php-dist
2010-06-07 configuration.php
2010-06-07 components/
2010-06-07 cache/
2010-06-07 aicontactsafe/
2010-06-07 administrator/
2010-06-07 LICENSES.php
2010-06-07 LICENSE.php
2010-06-07 INSTALL.php
2010-06-07 CREDITS.php
2010-06-07 COPYRIGHT.php
2010-06-07 CHANGELOG.php
2010-06-07 .htaccess
2010-06-07 .
amrecover> add *
Added dir /xmlrpc/ at date 2010-06-07
Added dir /tmp/ at date 2010-06-07
Added dir /templates/ at date 2010-06-07
Added file /robots.txt
Added dir /plugins/ at date 2010-06-07
Added dir /modules/ at date 2010-06-07
Added dir /logs/ at date 2010-06-07
Added dir /libraries/ at date 2010-06-07
Added dir /language/ at date 2010-06-07
Added file /index2.php
Added file /index.php
Added dir /includes/ at date 2010-06-07
Added dir /images/ at date 2010-06-07
Added file /htaccess.txt
Added file /configuration.php-dist
Added file /configuration.php
Added dir /components/ at date 2010-06-07
Added dir /cache/ at date 2010-06-07
Added dir /aicontactsafe/ at date 2010-06-07
Added dir /administrator/ at date 2010-06-07
Added file /LICENSES.php
Added file /LICENSE.php
Added file /INSTALL.php
Added file /CREDITS.php
Added file /COPYRIGHT.php
Added file /CHANGELOG.php
Added file /.htaccess
amrecover> extract
Extracting files using tape drive chg-disk on host bckserver.mydomain.com.
The following tapes are needed: DailySet1-08
Restoring files into directory /tmp
Continue [?/Y/n]? y
Extracting files using tape drive chg-disk on host bckserver.mydomain.com.
Load tape DailySet1-08 now
Continue [?/Y/n/s/t]? y
./administrator/
./administrator/backups/
Note:
- tree navigation with cd
- time navigation with setdate
- restore to another host with sethost
How To Set Up An SSL Vhost Under Apache2 On Ubuntu 9.10/Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 01/18/2010
This article explains how you can set up an SSL vhost under Apache2 on Ubuntu 9.10 and Debian Lenny so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer and is a cryptographic protocol that provides security for communications over networks by encrypting segments of network connections at the transport layer end-to-end. We use the mod_ssl Apache module here to provide strong cryptography for Apache2 via SSL by the help of the Open Source SSL toolkit OpenSSL.
This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm assuming that you have a working LAMP setup on your Ubuntu 9.10 or Debian Lenny box, as shown in these tutorials:
Installing Apache2 With PHP5 And MySQL Support On Debian Lenny (LAMP)
Installing Apache2 With PHP5 And MySQL Support On Ubuntu 9.10 (LAMP)
I will set up SSL for my vhost www.hostmauritius.com in this tutorial - hostmauritius.com is a domain that I own - replace it with your own domain. I will show how to use a self-signed certificate (this will result in a browser warning when you access https://www.hostmauritius.com) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc. - with a certificate from a trusted CA, your visitors won't see the browser warnings that a self-signed certificate causes. I will use a certificate from CAcert.org - these certificates are free but are not recognized by all browsers; still, it should give you the idea of how to install a certificate from a trusted CA.
It is important to know that you can have just one SSL vhost per IP address - if you want to host multiple SSL vhosts, you need multiple IP addresses!
I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root. On Ubuntu, run
sudo su
to become the root user.
2 Enabling mod_ssl
To enable Apache's SSL module, run...
a2enmod ssl
... and restart Apache:
/etc/init.d/apache2 restart
Apache should now be listening on port 443 (HTTPS):
netstat -tap | grep https
root@server1:~# netstat -tap | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1238/apache2
root@server1:~#
3 Setting Up The Vhost
I will now create the vhost www.hostmauritius.com with the document root /var/www/www.hostmauritius.com. First I create that directory:
mkdir /var/www/www.hostmauritius.com
Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl. We use that file as a template for the www.hostmauritius.com vhost...
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.hostmauritius.com-ssl
... and open /etc/apache2/sites-available/www.hostmauritius.com-ssl:
vi /etc/apache2/sites-available/www.hostmauritius.com-ssl
Make sure you use the correct IP address in the <VirtualHost xxx.xxx.xxx.xxx:443> line (192.168.0.100 in this example); Also fill in the correct ServerAdmin email address and add the ServerName line. Adjust the paths in the DocumentRoot line and in the <Directory > directives, if necessary:
<IfModule mod_ssl.c>
<VirtualHost 192.168.0.100:443>
        ServerAdmin [email protected]
        ServerName www.hostmauritius.com:443

        DocumentRoot /var/www/www.hostmauritius.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/www.hostmauritius.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl
waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0</VirtualHost></IfModule>
As you see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Now disable the default SSL vhost (if it is enabled), enable the www.hostmauritius.com vhost and reload apache:
a2dissite default-ssl
a2ensite www.hostmauritius.com-ssl
/etc/init.d/apache2 reload
Now open a browser and go to your new SSL vhost (https://www.hostmauritius.com in this case). Because we are using Debian's/Ubuntu's default self-signed certificates, we should get a warning that the connection is untrusted (to use that web site anyway, click on I Understand the Risks and follow the instructions in your browser):
4 Creating A Self-Signed Certificate
Until now, we've used Debian's/Ubuntu's default self-signed certificate. I will now show you how to create your own self-signed certificate. With this certificate, you will still get browser warnings, but this certificate is required to get a trusted certificate from a trusted CA later on.
Make sure that the package ssl-cert is installed:
aptitude install ssl-cert
You can now create a self-signed certificate for www.hostmauritius.com as follows:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.hostmauritius.com.crt
You will be asked for the hostname:
Host name: <-- www.hostmauritius.com
This will create the self-signed certificate and the private key in one file, /etc/ssl/private/www.hostmauritius.com.crt:
cat /etc/ssl/private/www.hostmauritius.com.crt
I will now split up that file in two, the private key /etc/ssl/private/www.hostmauritius.com.key and the self-signed certificate /etc/ssl/certs/www.hostmauritius.com.pem:
vi /etc/ssl/private/www.hostmauritius.com.key
This file must contain the part beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----:
The key must be readable and writable by root only:
chmod 600 /etc/ssl/private/www.hostmauritius.com.key
vi /etc/ssl/certs/www.hostmauritius.com.pem
This file must contain the part beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----:
Now we can delete the /etc/ssl/private/www.hostmauritius.com.crt file:
rm -f /etc/ssl/private/www.hostmauritius.com.crt
Next we adjust our SSL vhost to use the new private key and the self-signed certificate:
vi /etc/apache2/sites-available/www.hostmauritius.com-ssl
[...]
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/www.hostmauritius.com.pem
SSLCertificateKeyFile /etc/ssl/private/www.hostmauritius.com.key
[...]
Reload Apache:
/etc/init.d/apache2 reload
The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will still get the browser warning when you access https://www.hostmauritius.com).
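The split done above by hand with vi, as an added shell script that is not part of the tutorial: it extracts the key block and the certificate block from the combined make-ssl-cert file, creates the key file under a restrictive umask, applies the same chmod 600, and refuses to finish if key material ends up in the certificate file. The sample PEM it writes is a constructed placeholder, not a real key or certificate.

```shell
#!/bin/sh
# split_pem: split a combined make-ssl-cert output file (private key followed
# by certificate) into a root-only key file and a world-readable cert file.
# Added example, not part of the tutorial.

split_pem() {
    combined=$1 keyfile=$2 certfile=$3
    [ -r "$combined" ] || { echo "cannot read $combined" >&2; return 1; }
    # The key file is created inside a subshell with umask 077 so it is never
    # readable by others, not even between creation and the chmod below.
    ( umask 077
      awk '/^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { p = 1 }
           p { print }
           /^-----END (RSA |EC )?PRIVATE KEY-----$/ { p = 0 }' "$combined" > "$keyfile" )
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$combined" > "$certfile"
    chmod 600 "$keyfile"
    chmod 644 "$certfile"
    # Sanity checks: both blocks must exist, and the cert file must not carry
    # any key material, since it will be readable by everyone.
    grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$keyfile" \
        || { echo "no private key found in $combined" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----$' "$certfile" \
        || { echo "no certificate found in $combined" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$certfile"; then
        echo "key material leaked into $certfile" >&2; return 1
    fi
    return 0
}

# Constructed stand-in for make-ssl-cert output. The base64 lines are
# placeholders, NOT a real key or certificate.
write_sample_combined() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlQ=
-----END CERTIFICATE-----
EOF
}

# Demo run in a scratch directory (the real files live under /etc/ssl).
work=$(mktemp -d)
write_sample_combined "$work/www.hostmauritius.com.crt"
split_pem "$work/www.hostmauritius.com.crt" \
          "$work/www.hostmauritius.com.key" \
          "$work/www.hostmauritius.com.pem"
ls -l "$work"
rm -rf "$work"
```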
5 Creating A Certificate Signing Request (CSR)
To request a trusted certificate from a trusted CA such as Verisign, Thawte or Comodo, we must generate a certificate signing request (CSR) from our private key and send it to the CA which then creates a trusted certificate from it with which we replace our self-signed certificate.
I will create the CSR in the directory /etc/ssl/csr, so we have to create it first:
mkdir /etc/ssl/csr
Now we can create the CSR /etc/ssl/csr/www.hostmauritius.com.csr from our private key /etc/ssl/private/www.hostmauritius.com.key as follows:
openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr
You will be asked a few questions. Please fill in your details, they will be used for creating the trusted certificate and can be seen by your visitors when they choose to view the details of your certificate in their browsers. The most important thing is the Common Name - this must be the domain or hostname of your SSL vhost (www.hostmauritius.com in this case)!
root@server1:~# openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- DE
State or Province Name (full name) [Some-State]: <-- Lower Saxony
Locality Name (eg, city) []: <-- Lueneburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Example Ltd
Organizational Unit Name (eg, section) []: <-- IT
Common Name (eg, YOUR name) []: <-- www.hostmauritius.com
Email Address []: <-- [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
root@server1:~#
Afterwards, you should have a CSR in /etc/ssl/csr/www.hostmauritius.com.csr, e.g. as follows:
cat /etc/ssl/csr/www.hostmauritius.com.csr
6 Getting A Trusted Certificate
To get a trusted certificate, you have to take your certificate signing request (CSR) to a certificate authority (CA) such as Verisign, Thawte, or Comodo (please note that you have to pay for a trusted certificate). Certificates issued by such a CA are trusted by all browsers which means you won't see any browser warnings anymore.
Setting Up An NFS Server And Client On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 03/12/2009
This guide explains how to set up an NFS server and an NFS client on Debian Lenny. NFS stands for Network File System; through NFS, a client can access (read, write) a remote share on an NFS server as if it was on the local hard disk.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using two Debian systems here:
NFS Server: server.example.com, IP address: 192.168.0.100
NFS Client: client.example.com, IP address: 192.168.0.101
2 Installing NFS
server:
On the NFS server we run:
apt-get install nfs-kernel-server nfs-common portmap
client:
On the client we can install NFS as follows:
apt-get install nfs-common portmap
3 Exporting Directories On The Server
server:
I'd like to make the directories /home and /var/nfs accessible to the client; therefore we must "export" them on the server.
When a client accesses an NFS share, this normally happens as the user nobody. Usually the /home directory isn't owned by nobody (and I don't recommend changing its ownership to nobody!), and because we want to read and write on /home, we tell NFS that accesses should be made as root (if our /home share were read-only, this wouldn't be necessary). The /var/nfs directory doesn't exist, so we create it and change its ownership to nobody and nogroup:
mkdir /var/nfs
chown nobody:nogroup /var/nfs
Now we must modify /etc/exports where we "export" our NFS shares. We specify /home and /var/nfs as NFS shares and tell NFS to make accesses to /home as root (to learn more about /etc/exports, its format and available options, take a look at
man 5 exports
)
vi /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home           192.168.0.101(rw,sync,no_root_squash,no_subtree_check)
/var/nfs        192.168.0.101(rw,sync,no_subtree_check)
(The no_root_squash option causes /home to be accessed as root: the client's root user keeps root privileges on that share instead of being mapped to nobody.)
Whenever we modify /etc/exports, we must run
exportfs -a
afterwards to make the changes effective.
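An added check that is not part of the tutorial: a small audit of an exports(5) file, meant to be run before exportfs -a, that flags the entries a reviewer of this configuration looks at first, no_root_squash (as used for /home above), client specs that match any host, and the insecure option. The sample exports content it scans is constructed.

```shell
#!/bin/sh
# audit_exports: flag risky entries in an exports(5) file.
# Added example, not part of the tutorial. For every client spec of every
# export it reports:
#   - a client of "*" or an empty host before "(...)", which matches any host
#   - no_root_squash (remote root keeps root privileges on this export)
#   - insecure (requests from unprivileged client source ports are accepted)
# A path with no client list at all is reported as unrestricted.
# Exit status is 1 when at least one WARN line was printed, 0 otherwise.

audit_exports() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        if (NF < 2) {
            print "WARN " path ": no client list, exported without host restriction"
            n++; next
        }
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {                    # split host(opt,opt,...) into parts
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            if (host == "" || host == "*") {
                print "WARN " path ": client spec \"" spec "\" matches any host"; n++
            }
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                print "WARN " path ": no_root_squash for " host " (remote root is root here)"; n++
            }
            if (opts ~ /(^|,)insecure(,|$)/) {
                print "WARN " path ": insecure for " host " (unprivileged source ports accepted)"; n++
            }
        }
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: the two shares from the tutorial plus one world-readable
# share, written to a scratch file (the real file is /etc/exports).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home      192.168.0.101(rw,sync,no_root_squash,no_subtree_check)
/var/nfs   192.168.0.101(rw,sync,no_subtree_check)
/srv/pub   *(ro,sync)
EOF
audit_exports "$sample" || echo "review the findings above before running exportfs -a"
rm -f "$sample"
```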
4 Mounting The NFS Shares On The Client
client:
First we create the directories where we want to mount the NFS shares, e.g.:
mkdir -p /mnt/nfs/home
mkdir -p /mnt/nfs/var/nfs
Afterwards, we can mount them as follows:
mount 192.168.0.100:/home /mnt/nfs/home
mount 192.168.0.100:/var/nfs /mnt/nfs/var/nfs
You should now see the two NFS shares in the outputs of
df -h
client:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg0-root 19G 676M 17G 4% /
tmpfs 253M 0 253M 0% /lib/init/rw
udev 10M 80K 10M 1% /dev
tmpfs 253M 0 253M 0% /dev/shm
/dev/sda1 471M 20M 427M 5% /boot
192.168.0.100:/home 29G 684M 27G 3% /mnt/nfs/home
192.168.0.100:/var/nfs 29G 684M 27G 3% /mnt/nfs/var/nfs
client:~#
and
mount
client:~# mount
/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
192.168.0.100:/home on /mnt/nfs/home type nfs (rw,addr=192.168.0.100)
192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,addr=192.168.0.100)
client:~#
5 Testing
On the client, you can now try to create test files on the NFS shares:
client:
touch /mnt/nfs/home/test.txt
touch /mnt/nfs/var/nfs/test.txt
Now go to the server and check if you can see both test files:
server:
ls -l /home/
server:~# ls -l /home/
total 4
drwxr-xr-x 2 administrator administrator 4096 2009-02-16 13:18 administrator
-rw-r--r-- 1 root root 0 2009-03-12 17:08 test.txt
server:~#
ls -l /var/nfs
server:~# ls -l /var/nfs
total 0
-rw-r--r-- 1 nobody nogroup 0 2009-03-12 17:08 test.txt
server:~#
(Please note the different ownerships of the test files: the /home NFS share gets accessed as root, therefore /home/test.txt is owned by root; the /var/nfs share gets accessed as nobody, therefore /var/nfs/test.txt is owned by nobody.)
6 Mounting NFS Shares At Boot Time
Instead of mounting the NFS shares manually on the client, you could modify /etc/fstab so that the NFS shares get mounted automatically when the client boots.
client:
Open /etc/fstab and append the following lines:
vi /etc/fstab
[...]
192.168.0.100:/home     /mnt/nfs/home     nfs  rw,sync,hard,intr  0  0
192.168.0.100:/var/nfs  /mnt/nfs/var/nfs  nfs  rw,sync,hard,intr  0  0
Instead of rw,sync,hard,intr you can use different mount options. To learn more about available options, take a look at
man nfs
To test if your modified /etc/fstab is working, reboot the client:
reboot
After the reboot, you should find the two NFS shares in the outputs of
df -h
client:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg0-root 19G 676M 17G 4% /
tmpfs 253M 0 253M 0% /lib/init/rw
udev 10M 80K 10M 1% /dev
tmpfs 253M 0 253M 0% /dev/shm
/dev/sda1 471M 20M 427M 5% /boot
192.168.0.100:/home 29G 684M 27G 3% /mnt/nfs/home
192.168.0.100:/var/nfs 29G 684M 27G 3% /mnt/nfs/var/nfs
client:~#
and
mount
client:~# mount
/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
192.168.0.100:/home on /mnt/nfs/home type nfs (rw,sync,hard,intr,addr=192.168.0.100)
192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,sync,hard,intr,addr=192.168.0.100)
client:~#
Installing MyDNS-NG & MyDNSConfig 3 On Debian Lenny
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 04/06/2009
In this tutorial I will describe how to install and configure MyDNS-NG and MyDNSConfig 3 on Debian Lenny. MyDNS-NG (based on MyDNS, originally written by Don Moore - http://mydns.bboy.net/) is a DNS server that uses a MySQL database as backend instead of configuration files like, for example, Bind or djbdns. The advantage is that MyDNS simply reads the records from the database, and it does not have to be restarted/reloaded when DNS records change or zones are created/edited/deleted. A secondary nameserver can easily be set up by installing a second instance of MyDNS that accesses the same database or, to be more redundant, uses the MySQL master / slave replication features to replicate the data to the secondary nameserver.
MyDNSConfig is an easy to use web-based interface to MyDNS-NG. MyDNSConfig can create all types of DNS records that are available in MyDNS and adds features like user management and access privileges.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.
2 Installing MySQL
We can install MySQL as follows:
aptitude install mysql-client mysql-server
You will be asked the following questions:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
3 Installing Apache2, PHP, phpMyAdmin
MyDNSConfig needs a web server with PHP support; therefore I install Apache2. I also install phpMyAdmin so that I can access the database later on over a web interface (although this is optional):
aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick vlogger
You will see the following question:
Web server to reconfigure automatically: <-- apache2
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:
a2enmod suexec rewrite ssl actions include
Secure phpMyAdmin by deleting the /etc/phpmyadmin/htpasswd.setup file...
rm -f /etc/phpmyadmin/htpasswd.setup
... and remove or comment out the following section in /etc/phpmyadmin/apache.conf:
vi /etc/phpmyadmin/apache.conf
[...]
#    # Authorize for setup
#    <Files setup.php>
#        # For Apache 1.3 and 2.0
#        <IfModule mod_auth.c>
#        AuthType Basic
#        AuthName "phpMyAdmin Setup"
#        AuthUserFile /etc/phpmyadmin/htpasswd.setup
#        </IfModule>
#        # For Apache 2.2
#        <IfModule mod_authn_file.c>
#        AuthType Basic
#        AuthName "phpMyAdmin Setup"
#        AuthUserFile /etc/phpmyadmin/htpasswd.setup
#        </IfModule>
#        Require valid-user
#    </Files>
[...]
Restart Apache afterwards:
/etc/init.d/apache2 restart
You can now access phpMyAdmin under http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/.
4 Installing MyDNS
Before we install MyDNS, we need to install a few prerequisites:
aptitude install g++ libc6 gcc gawk make texinfo libmysqlclient15-dev
MyDNS is not available in the Debian Lenny repositories, therefore we have to build it ourselves as follows:
cd /tmp
wget http://heanet.dl.sourceforge.net/sourceforge/mydns-ng/mydns-1.2.8.27.tar.gz
tar xvfz mydns-1.2.8.27.tar.gz
cd mydns-1.2.8
./configure
make
make install
Next we create the start/stop script for MyDNS:
vi /etc/init.d/mydns
#! /bin/sh
#
# mydns         Start the MyDNS server
#
# Author: Philipp Kern <[email protected]>.
# Based upon skeleton 1.9.4 by Miquel van Smoorenburg
#  <[email protected]> and Ian Murdock <[email protected]>.
#

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/mydns
NAME=mydns
DESC="DNS server"

SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

case "$1" in
  start)
        echo -n "Starting $DESC: $NAME"
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME"
        start-stop-daemon --stop --oknodo --quiet \
                --exec $DAEMON
        echo "."
        ;;
  reload|force-reload)
        echo -n "Reloading $DESC configuration..."
        start-stop-daemon --stop --signal HUP --quiet \
                --exec $DAEMON
        echo "done."
        ;;
  restart)
        echo -n "Restarting $DESC: $NAME"
        start-stop-daemon --stop --quiet --oknodo \
                --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
Then we make the script executable and create the system startup links for it:
chmod +x /etc/init.d/mydns
update-rc.d mydns defaults
5 Installing MyDNSConfig 3
We can install MyDNSConfig 3 as follows:
cd /tmp
wget http://downloads.sourceforge.net/mydnsconfig/MyDNSConfig-3.0.1.tar.gz?use_mirror=
tar xvfz MyDNSConfig-3.0.1.tar.gz
cd mydnsconfig/install/
php -q install.php
This will start the MyDNSConfig 3 installer:
server1:/tmp/mydnsconfig/install# php -q install.php
--------------------------------------------------------------------------------
__ __ _____ _ _ _____ _____ __ _
| \/ | | __ \| \ | |/ ____|/ ____| / _(_)
| \ / |_ _| | | | \| | (___ | | ___ _ __ | |_ _ __ _
| |\/| | | | | | | | . ` |\___ \| | / _ \| '_ \| _| |/ _` |
| | | | |_| | |__| | |\ |____) | |___| (_) | | | | | | | (_| |
|_| |_|\__, |_____/|_| \_|_____/ \_____\___/|_| |_|_| |_|\__, |
__/ | __/ |
|___/ |___/
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Debian Lenny/Sid or compatible
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbmydnsconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Configuring MyDNS
Configuring Apache
Configuring Firewall
Installing MyDNSConfig
MyDNSConfig Port [8080]: <-- ENTER
Installing Crontab
no crontab for root
Restarting services ...
Restarting web server: apache2 ... waiting .
Installation completed.
server1:/tmp/mydnsconfig/install#
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access MyDNSConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):
6 Using MyDNSConfig 3
The DNS tab is the most important part of MyDNSConfig because that's where you can create zones and records, so I will focus on that tab.
To create a new zone, click on the Add new DNS Zone (SOA) button:
Now you can fill in the details of the zone, e.g. the domain name, the primary nameserver, and the email address of the zone administrator (please note that you must replace the @ sign with a dot!); these three details must end with a dot! You can leave the other details as they are. You can now save the zone or go directly to the Records tab (this will save the zone details automatically):
On the records tab, you can now create all kinds of DNS records (A, CNAME, MX, NS, TXT, etc.) - just click on the appropriate button:
For example, here's the form for creating NS records (please keep in mind that if you write full hostnames, they must end with a dot!):
Here's the overview - as you see, I've created some more records:
7 Updating MyDNSConfig 3
Whenever there's a newer MyDNSConfig 3 release, you can update your MyDNSConfig 3 installation as follows:
mydnsconfig_update.sh
This will bring up the update wizard. PLEASE NOTE: you can upgrade to the latest stable version and to the svn version. It is highly recommended to upgrade to the latest stable version as the svn version is used for development and might contain bugs. YOU HAVE BEEN WARNED!!!
8 Upgrading From MyDNSConfig 1.x To MyDNSConfig 3.x
There's no direct upgrade path from MyDNSConfig 1.x to MyDNSConfig 3.x, however it is easy to import the DNS records from MyDNSConfig 1.x into MyDNSConfig 3.x.
In this chapter I assume that your old MyDNSConfig 1.x uses the database table mydns, and that your new MyDNSConfig 3 installation uses the database dbmydnsconfig.
First install MyDNSConfig 3 as follows:
cd /tmp
wget http://downloads.sourceforge.net/mydnsconfig/MyDNSConfig-3.0.1.tar.gz?use_mirror=
tar xvfz MyDNSConfig-3.0.1.tar.gz
cd mydnsconfig/install/
php -q install.php
Follow the installation wizard. After the installation has finished (and BEFORE you create any records in the MyDNSConfig 3 web interface!!!), open phpMyAdmin or a MySQL shell and execute the following MySQL queries (as the MySQL root user) to import the DNS records from your old MyDNSConfig 1.x installation into MyDNSConfig 3 (make sure you use the correct database names - you must replace `mydns` and `dbmydnsconfig` if your database names differ!):
ALTER TABLE `mydns`.`rr`
  ADD `server_id` int(11) NOT NULL default '1',
  ADD `active` enum('N','Y') NOT NULL default 'Y',
  ADD `stamp` timestamp NOT NULL default CURRENT_TIMESTAMP,
  ADD `serial` int(10) unsigned default NULL;

ALTER TABLE `mydns`.`rr`
  MODIFY `sys_userid` int(11) unsigned NOT NULL AFTER `id`,
  MODIFY `sys_groupid` int(11) unsigned NOT NULL AFTER `sys_userid`,
  MODIFY `sys_perm_user` varchar(5) NOT NULL AFTER `sys_groupid`,
  MODIFY `sys_perm_group` varchar(5) NOT NULL AFTER `sys_perm_user`,
  MODIFY `sys_perm_other` varchar(5) NOT NULL AFTER `sys_perm_group`,
  MODIFY `server_id` int(11) NOT NULL default '1' AFTER `sys_perm_other`;

INSERT INTO `dbmydnsconfig`.`dns_rr` SELECT * FROM `mydns`.`rr`;

UPDATE `dbmydnsconfig`.`dns_rr`
  SET `sys_userid` = 1, `sys_groupid` = 0, `sys_perm_user` = 'riud',
      `sys_perm_group` = 'riud', `sys_perm_other` = '', `server_id` = 1;

ALTER TABLE `mydns`.`soa`
  ADD `server_id` int(11) NOT NULL default '1';

ALTER TABLE `mydns`.`soa`
  MODIFY `sys_userid` int(11) unsigned NOT NULL AFTER `id`,
  MODIFY `sys_groupid` int(11) unsigned NOT NULL AFTER `sys_userid`,
  MODIFY `sys_perm_user` varchar(5) NOT NULL AFTER `sys_groupid`,
  MODIFY `sys_perm_group` varchar(5) NOT NULL AFTER `sys_perm_user`,
  MODIFY `sys_perm_other` varchar(5) NOT NULL AFTER `sys_perm_group`,
  MODIFY `server_id` int(11) NOT NULL default '1' AFTER `sys_perm_other`;

INSERT INTO `dbmydnsconfig`.`dns_soa` SELECT * FROM `mydns`.`soa`;

UPDATE `dbmydnsconfig`.`dns_soa`
  SET `sys_userid` = 1, `sys_groupid` = 0, `sys_perm_user` = 'riud',
      `sys_perm_group` = 'riud', `sys_perm_other` = '', `server_id` = 1;
Afterwards, you can access MyDNSConfig 3 on port 8080 (e.g. http://server1.example.com:8080 or http://192.168.0.100:8080); the default login is username admin and password admin.
Please note that these MySQL queries make all imported zones owned by admin. If you have zones that should be owned by someone else, create a client for each user in MyDNSConfig 3, then go to the DNS tab and select the correct client for those zones.
Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Debian Lenny)
Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 02/20/2009
This tutorial is Copyright (c) 2009 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at http://workaround.org. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.
This document describes how to install a Postfix mail server that is based on virtual users and domains, i.e. users and domains that are in a MySQL database. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.
The resulting Postfix server is capable of SMTP-AUTH and TLS and quota (quota is not built into Postfix by default, I'll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords which is a security risk). In addition to that, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails will be scanned for spam and viruses. I will also show how to install SquirrelMail as a webmail interface so that users can read and send emails and change their passwords.
The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on "real" system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administrate because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web based tools like phpMyAdmin which will also be installed in this howto. The third advantage is that users have an email address as user name (instead of a user name + an email address) which is easier to understand and keep in mind.
This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.
This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note
This tutorial is based on Debian Lenny, so you should set up a basic Debian Lenny server installation before you continue with this tutorial (e.g. as shown in the chapters 1 -7 of this tutorial: The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2]). The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.
2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin
To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql libpam-smbpass
You will be asked a few questions:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
SSL certificate required <-- Ok
Workgroup/Domain Name: <-- WORKGROUP
Modify smb.conf to use WINS settings from DHCP? <-- No
Web server to reconfigure automatically: <-- apache2
3 Apply The Quota Patch To Postfix
We have to get the Postfix sources, patch them with the quota patch, build new Postfix .deb packages and install those .deb packages:
apt-get build-dep postfix
cd /usr/src
apt-get source postfix
(Make sure you use the correct Postfix version in the following commands. I have Postfix 2.5.5 installed. You can find out your Postfix version by running
postconf -d | grep mail_version
The output should look like this:
server1:/usr/src# postconf -d | grep mail_version
mail_version = 2.5.5
milter_macro_v = $mail_name $mail_version
server1:/usr/src#
)
wget http://vda.sourceforge.net/VDA/postfix-2.5.5-vda-ng.patch.gz
gunzip postfix-2.5.5-vda-ng.patch.gz
cd postfix-2.5.5
patch -p1 < ../postfix-2.5.5-vda-ng.patch
dpkg-buildpackage
You might see a warning like this at the end of the dpkg-buildpackage command:
dpkg-buildpackage: warning: Failed to sign .dsc and .changes file
You can ignore this message.
Now we go one directory up, that's where the new .deb packages have been created:
cd ..
The command
ls -l
shows you the available packages:
server1:/usr/src# ls -l
total 5880
drwxr-xr-x 19 root root 4096 2009-02-20 14:15 postfix-2.5.5
-rw-r--r-- 1 root src 236910 2009-02-20 14:12 postfix_2.5.5-1.1.diff.gz
-rw-r--r-- 1 root src 1178 2009-02-20 14:12 postfix_2.5.5-1.1.dsc
-rw-r--r-- 1 root src 3695 2009-02-20 14:17 postfix_2.5.5-1.1_i386.changes
-rw-r--r-- 1 root src 1233138 2009-02-20 14:17 postfix_2.5.5-1.1_i386.deb
-rw-r--r-- 1 root src 3157877 2008-09-02 23:18 postfix_2.5.5.orig.tar.gz
-rw-r--r-- 1 root src 58389 2008-09-06 05:02 postfix-2.5.5-vda-ng.patch
-rw-r--r-- 1 root src 41572 2009-02-20 14:17 postfix-cdb_2.5.5-1.1_i386.deb
-rw-r--r-- 1 root src 141394 2009-02-20 14:17 postfix-dev_2.5.5-1.1_all.deb
-rw-r--r-- 1 root src 915978 2009-02-20 14:17 postfix-doc_2.5.5-1.1_all.deb
-rw-r--r-- 1 root src 48934 2009-02-20 14:17 postfix-ldap_2.5.5-1.1_i386.deb
-rw-r--r-- 1 root src 43512 2009-02-20 14:17 postfix-mysql_2.5.5-1.1_i386.deb
-rw-r--r-- 1 root src 43448 2009-02-20 14:17 postfix-pcre_2.5.5-1.1_i386.deb
-rw-r--r-- 1 root src 43586 2009-02-20 14:17 postfix-pgsql_2.5.5-1.1_i386.deb
server1:/usr/src#
Pick the postfix and postfix-mysql packages and install them like this:
dpkg -i postfix_2.5.5-1.1_i386.deb postfix-mysql_2.5.5-1.1_i386.deb
4 Create The MySQL Database For Postfix/Courier
Now we create a database called mail:
mysqladmin -u root -p create mail
Next, we go to the MySQL shell:
mysql -u root -p
On the MySQL shell, we create the user mail_admin with the password mail_admin_password (replace it with your own password) who has SELECT, INSERT, UPDATE, DELETE privileges on the mail database. This user will be used by Postfix and Courier to connect to the mail database:
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;
Still on the MySQL shell, we create the tables needed by Postfix and Courier:
USE mail;
CREATE TABLE domains (
domain varchar(50) NOT NULL,
PRIMARY KEY (domain)
) TYPE=MyISAM;

CREATE TABLE forwardings (
source varchar(80) NOT NULL,
destination TEXT NOT NULL,
PRIMARY KEY (source)
) TYPE=MyISAM;

CREATE TABLE users (
email varchar(80) NOT NULL,
password varchar(20) NOT NULL,
quota bigint(20) DEFAULT '10485760',
PRIMARY KEY (email)
) TYPE=MyISAM;

CREATE TABLE transport (
domain varchar(128) NOT NULL default '',
transport varchar(128) NOT NULL default '',
UNIQUE KEY domain (domain)
) TYPE=MyISAM;
quit;
As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.
The domains table will store each virtual domain that Postfix should receive emails for (e.g. example.com).
domain
example.com

The forwardings table is for aliasing one email address to another, e.g. forwarding emails for [email protected] to [email protected].

source destination
[email protected]

The users table stores all virtual users (i.e. email addresses, because the email address and the user name are the same) and passwords (in encrypted form!) and a quota value for each mail box (in this example the default value is 10485760 bytes, which means 10MB).

email password quota
No9.E4skNvGa. ("secret" in encrypted form) 10485760

The transport table is optional; it is for advanced users. It allows forwarding mails for single users, whole domains or all mails to another server. For example,

domain transport
example.com smtp:[1.2.3.4]

would forward all emails for example.com via the SMTP protocol to the server with the IP address 1.2.3.4 (the square brackets [] mean "do not look up the MX DNS record", which makes sense for IP addresses; if you use a fully qualified domain name (FQDN) instead, you would not use the square brackets).
BTW, (I'm assuming that the IP address of your mail server system is 192.168.0.100) you can access phpMyAdmin over http://192.168.0.100/phpmyadmin/ in a browser and log in as mail_admin. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your mail server.
5 Configure Postfix
Now we have to tell Postfix where it can find all the information in the database. Therefore we have to create six text files. You will notice that I tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket, which it would try to connect to if I told Postfix to use localhost. If I use 127.0.0.1, Postfix uses TCP networking to connect to MySQL, which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail, which causes some other problems).
Please make sure that /etc/mysql/my.cnf contains the following line:
vi /etc/mysql/my.cnf
[...]
bind-address = 127.0.0.1
[...]
If you had to modify /etc/mysql/my.cnf, please restart MySQL now:
/etc/init.d/mysql restart
Run
netstat -tap | grep mysql
to make sure that MySQL is listening on 127.0.0.1 (localhost.localdomain):
server1:/usr/src# netstat -tap | grep mysql
tcp 0 0 localhost.localdo:mysql *:* LISTEN 4559/mysqld
server1:/usr/src#
Now let's create our six text files.
vi /etc/postfix/mysql-virtual_domains.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_forwardings.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_mailboxes.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_email2email.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_transports.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT transport FROM transport WHERE domain='%s'
hosts = 127.0.0.1
vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT quota FROM users WHERE email='%s'
hosts = 127.0.0.1
Then change the permissions and the group of these files:
chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf
Now we create a user and group called vmail with the home directory /home/vmail. This is where all mail boxes will be stored.
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m
Next we do some Postfix configuration. Make sure that you replace server1.example.com with a valid FQDN, otherwise your Postfix might not work properly!
postconf -e 'myhostname = server1.example.com'
postconf -e 'mydestination = server1.example.com, localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'message_size_limit = 30720000'
postconf -e 'virtual_alias_domains ='
postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_maildir_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
Afterwards we create the SSL certificate that is needed for TLS:
cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Then change the permissions of the smtpd.key:
chmod o= /etc/postfix/smtpd.key
6 Configure Saslauthd
First run
mkdir -p /var/spool/postfix/var/run/saslauthd
Then edit /etc/default/saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
Then create the file /etc/pam.d/smtp. It should contain only the following two lines (make sure to fill in your correct database details):
vi /etc/pam.d/smtp
auth required pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
Next create the file /etc/postfix/sasl/smtpd.conf. It should look like this:
vi /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mail_admin_password
sql_database: mail
sql_select: select password from users where email = '%u'
Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):
adduser postfix sasl
Then restart Postfix and Saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
7 Configure Courier
Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/courier/authdaemonrc and change the value of authmodulelist so that it reads:
vi /etc/courier/authdaemonrc
[...]
authmodulelist="authmysql"
[...]
Then make a backup of /etc/courier/authmysqlrc and empty the old file:
cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc
Then open /etc/courier/authmysqlrc and put the following lines into it:
vi /etc/courier/authmysqlrc
MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin
MYSQL_PASSWORD mail_admin_password
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
#MYSQL_NAME_FIELD
MYSQL_QUOTA_FIELD quota
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
[...]
CN=server1.example.com
[...]
vi /etc/courier/pop3d.cnf
[...]
CN=server1.example.com
[...]
Then recreate the certificates...
mkimapdcert
mkpop3dcert
... and restart Courier:
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart
By running
telnet localhost pop3
you can see if your POP3 server is working correctly. It should give back +OK Hello there. (Type quit to get back to the Linux shell.)
server1:/etc/courier# telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
quit
+OK Better luck next time.
Connection closed by foreign host.
server1:/etc/courier#
8 Modify /etc/aliases
Now we should open /etc/aliases. Make sure that postmaster points to root and root to your own username or your email address, e.g. like this:
vi /etc/aliases
[...]
postmaster: root
root: [email protected]
[...]
or like this (if administrator is your own username):
[...]
postmaster: root
root: administrator
[...]
Whenever you modify /etc/aliases, you must run
newaliases
afterwards and restart Postfix:
/etc/init.d/postfix restart
9 Install amavisd-new, SpamAssassin, And ClamAV
To install amavisd-new, spamassassin and clamav, run the following command:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax
Afterwards we must configure amavisd-new. The configuration is split up in various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify three files:
First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:
vi /etc/amavis/conf.d/15-content_filter_mode
The file should look like this:
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

@bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1; # ensure a defined return
Then take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations, so the settings are not explained here:
vi /etc/amavis/conf.d/20-debian_defaults
[...]
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef; # disable by-recipient level-0 log entries
$DO_SYSLOG = 1; # log via syslogd (preferred)
$syslog_ident = 'amavis'; # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug'; # switch to info to drop debug output, etc

$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024; # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
[...]
$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_BOUNCE; # D_REJECT when front-end MTA
$final_spam_destiny = D_BOUNCE;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
[...]
Finally, edit /etc/amavis/conf.d/50-user and add the line $pax='pax'; in the middle:
vi /etc/amavis/conf.d/50-user
use strict;
#
# Place your configuration directives here. They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

$pax='pax';

#------------ Do not modify anything below this line -------------
1; # ensure a defined return
Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:
adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
Now we have to configure Postfix to pipe incoming email through amavisd-new:
postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'
Afterwards append the following lines to /etc/postfix/master.cf:
vi /etc/postfix/master.cf
[...]
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1
Then restart Postfix:
/etc/init.d/postfix restart
Now run
netstat -tap
and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024:
server1:/etc/courier# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdoma:800 *:* LISTEN 5288/famd
tcp 0 0 localhost.localdo:10024 *:* LISTEN 20746/amavisd (mast
tcp 0 0 localhost.localdo:10025 *:* LISTEN 21718/master
tcp 0 0 localhost.localdo:mysql *:* LISTEN 4559/mysqld
tcp 0 0 *:58219 *:* LISTEN 1486/rpc.statd
tcp 0 0 *:sunrpc *:* LISTEN 1475/portmap
tcp 0 0 *:ssh *:* LISTEN 1709/sshd
tcp 0 0 *:smtp *:* LISTEN 21718/master
tcp 0 148 server1.example.com:ssh localhost:3389 ESTABLISHED 2055/0
tcp6 0 0 [::]:imaps [::]:* LISTEN 18254/couriertcpd
tcp6 0 0 [::]:pop3s [::]:* LISTEN 18282/couriertcpd
tcp6 0 0 [::]:pop3 [::]:* LISTEN 18265/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 18237/couriertcpd
tcp6 0 0 [::]:www [::]:* LISTEN 4818/apache2
tcp6 0 0 [::]:ssh [::]:* LISTEN 1709/sshd
server1:/etc/courier#
10 Install Razor, Pyzor And DCC And Configure SpamAssassin
Razor, Pyzor and DCC are spam filters that use a collaborative filtering network. To install Razor and Pyzor, run
apt-get install razor pyzor
DCC isn't available in the Debian Lenny repositories, so we install it as follows:
cd /tmp
wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xzvf dcc-dccproc.tar.Z
cd dcc-dccproc-1.3.102
./configure --with-uid=amavis
make
make install
chown -R amavis:amavis /var/dcc
ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd
Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:
vi /etc/spamassassin/local.cf
[...]
#dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
Then we must enable the DCC plugin in SpamAssassin. Open /etc/spamassassin/v310.pre and uncomment the loadplugin Mail::SpamAssassin::Plugin::DCC line:
vi /etc/spamassassin/v310.pre
[...]
# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source. See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC
[...]
You can check your SpamAssassin configuration by executing:
spamassassin --lint
It shouldn't show any errors.
Restart amavisd-new afterwards:
/etc/init.d/amavis restart
Now we update our SpamAssassin rulesets as follows:
sa-update --no-gpg
(Next we are going to create a cron job. By default, the crontab -e command launches the nano editor on Debian Lenny. If you are used to vi, you might want to change this:
update-alternatives --config editor
Select your favourite editor:
server1:/tmp/dcc-dccproc-1.3.102# update-alternatives --config editor
There are 4 alternatives which provide `editor'.
Selection Alternative
-----------------------------------------------
1 /bin/ed
*+ 2 /bin/nano
3 /usr/bin/vim.tiny
4 /usr/bin/vim.nox
Press enter to keep the default[*], or type selection number: <-- 4
Using '/usr/bin/vim.nox' to provide 'editor'.
server1:/tmp/dcc-dccproc-1.3.102#
)
We create a cron job so that the rulesets will be updated regularly. Run
crontab -e
to open the cron job editor. Create the following cron job:
23 4 */2 * * /usr/bin/sa-update --no-gpg &> /dev/null
This will update the rulesets every second day at 04:23.
11 Quota Exceedance Notifications
If you want to get notifications about all the email accounts that are over quota, then do this:
cd /usr/local/sbin/
wget http://puuhis.net/vhcs/quota.txt
mv quota.txt quota_notify
chmod 755 quota_notify
Open /usr/local/sbin/quota_notify and edit the variables at the top. Further down in the file (towards the end) there are two lines where you should add a % sign:
vi /usr/local/sbin/quota_notify
[...]
my $POSTFIX_CF = "/etc/postfix/main.cf";
my $MAILPROG = "/usr/sbin/sendmail -t";
my $WARNPERCENT = 80;
my @POSTMASTERS = ('[email protected]');
my $CONAME = 'My Company';
my $COADDR = '[email protected]';
my $SUADDR = '[email protected]';
my $MAIL_REPORT = 1;
my $MAIL_WARNING = 1;
[...]
print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.\n";
[...]
print "Your mailbox: $luser is $lusers{$luser}% full.\n\n";
[...]
Run
crontab -e
to create a cron job for that script:
0 0 * * * /usr/local/sbin/quota_notify &> /dev/null
12 Test Postfix
To see if Postfix is ready for SMTP-AUTH and TLS, run
telnet localhost 25
After you have established the connection to your Postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH LOGIN PLAIN
everything is fine:
server1:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
server1:~#
Type
quit
to return to the system shell.
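The same check done by a script rather than by eye: an added example, not part of the howto, that parses a multi-line EHLO reply and reports whether STARTTLS and AUTH are advertised. The reply text is a constructed copy of the session above, and parse_ehlo() and check_ehlo() are helpers written for this example.

```python
# Constructed sample: the server's answer to "ehlo localhost" on the plaintext
# connection (before STARTTLS), as captured in the telnet session above.
SAMPLE_EHLO_REPLY = (
    "250-server1.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-AUTH=LOGIN PLAIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply):
    """Return (server name, {KEYWORD: [parameters]}) from an EHLO reply.

    RFC 5321 reply syntax: every line starts with the 3-digit code, followed
    by "-" when more lines follow and by a space on the last line.  The first
    line carries the server's name; each further line carries one extension.
    """
    lines = reply.splitlines()
    if not lines or any(not line.startswith("250") for line in lines):
        raise ValueError("not a successful EHLO reply")
    if any(line[3:4] != "-" for line in lines[:-1]) or lines[-1][3:4] != " ":
        raise ValueError("malformed multi-line reply")
    server = (lines[0][4:].split() or [""])[0]
    extensions = {}
    for line in lines[1:]:
        words = line[4:].split()
        if not words:
            continue
        keyword, params = words[0].upper(), words[1:]
        # "AUTH=LOGIN PLAIN" is the pre-RFC form some old clients need
        # (that is what broken_sasl_auth_clients = yes adds); fold into AUTH.
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", [keyword[5:]] + params
        extensions.setdefault(keyword, []).extend(params)
    return server, extensions


def check_ehlo(reply):
    """Summarise what matters for SMTP-AUTH over TLS from one EHLO reply."""
    server, ext = parse_ehlo(reply)
    mechs = sorted(set(ext.get("AUTH", [])))
    return {
        "server": server,
        "starttls": "STARTTLS" in ext,
        "auth_mechanisms": mechs,
        # PLAIN and LOGIN carry the password in clear.  If they are offered
        # on the plaintext session a client may authenticate before STARTTLS;
        # Postfix's smtpd_tls_auth_only = yes restricts AUTH to TLS sessions.
        "cleartext_auth_before_tls": bool({"PLAIN", "LOGIN"} & set(mechs)),
        "size_limit": int(ext["SIZE"][0]) if ext.get("SIZE") else None,
    }


if __name__ == "__main__":
    for key, value in check_ehlo(SAMPLE_EHLO_REPLY).items():
        print(f"{key}: {value}")
```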
13 Populate The Database And Test
To populate the database you can use the MySQL shell:
mysql -u root -p
USE mail;
At least you have to create entries in the tables domains and users:
INSERT INTO `domains` (`domain`) VALUES ('example.com');
INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('[email protected]', ENCRYPT('secret'), 10485760);
(Please take care that you use the ENCRYPT syntax in the second INSERT statement in order to encrypt the password!)
If you want to make entries in the other two tables, that would look like this:
INSERT INTO `forwardings` (`source`, `destination`) VALUES ('[email protected]', '[email protected]');
INSERT INTO `transport` (`domain`, `transport`) VALUES ('example.com', 'smtp:mail.example.com');
To leave the MySQL shell, type
quit;
For most people it is easier if they have a graphical front-end to MySQL; therefore you can also use phpMyAdmin (in this example under http://192.168.0.100/phpmyadmin/ or http://server1.example.com/phpmyadmin/) to administrate the mail database. Again, when you create a user, make sure that you use the ENCRYPT function to encrypt the password.
I do not think I have to explain the domains and users table further.
The forwardings table can have entries like the following:
source destination
[email protected] [email protected] Redirects emails for [email protected] to [email protected].
@example.com [email protected] Creates a Catch-All account for [email protected]. All emails to example.com will arrive at [email protected], except those that exist in the users table (i.e., if [email protected] exists in the users table, mails to [email protected] will still arrive at [email protected]).
@example.com @anotherdomain.tld Redirects all emails to example.com to the same user at anotherdomain.tld. E.g., emails to [email protected] will be forwarded to [email protected].
[email protected], [email protected] Forwards emails for [email protected] to two or more email addresses. All email addresses listed under destination receive a copy of the email.
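How these forwardings rows interact with the users table at delivery time, as an added example that is not part of the howto: a small model of Postfix walking the virtual_alias_maps configured in chapter 5 (the forwardings map first, then the email2email map). The key order and the "@domain" result substitution follow virtual(5); the USERS and FORWARDINGS rows are constructed sample data and lookup()/expand() are helpers written for this example.

```python
# Constructed sample rows: the `email` column of the users table ...
USERS = {"info@example.com", "bob@example.com"}

# ... and the forwardings table (source -> destination; a destination may be
# a comma separated list, as in the table above).
FORWARDINGS = {
    "sales@example.com": "bob@example.com, carol@example.com",
    "@example.com": "postmaster@example.com",  # catch-all for example.com
    "@old.example.org": "@example.com",        # same user at another domain
}


def lookup(address):
    """One virtual_alias_maps lookup; returns a list of addresses or None.

    Key order for a recipient user@domain (virtual(5)): the full address is
    tried in every map in main.cf order, then "@domain".  The email2email
    map answers the full-address query for every existing mailbox, which is
    exactly what keeps the @example.com catch-all from swallowing mail for
    real users.
    """
    local, _, domain = address.partition("@")
    if address in FORWARDINGS:                      # forwardings, full key
        return [d.strip() for d in FORWARDINGS[address].split(",")]
    if address in USERS:                            # email2email: itself
        return [address]
    key = "@" + domain                              # forwardings, @domain
    if key in FORWARDINGS:
        result = [d.strip() for d in FORWARDINGS[key].split(",")]
        # A result of the form @otherdomain keeps the original local part.
        return [local + r if r.startswith("@") else r for r in result]
    return None


def expand(address):
    """Expand one recipient the way cleanup(8) does: keep replacing addresses
    by their lookup results until none changes.  An address that was already
    expanded once is kept as it stands (so forwarding loops terminate) and
    duplicate recipients are removed at the end."""
    pending, seen, final = [address], set(), []
    while pending:
        addr = pending.pop(0)
        if addr in seen:
            final.append(addr)
            continue
        seen.add(addr)
        result = lookup(addr)
        if result is None or result == [addr]:
            final.append(addr)          # no alias, or maps to itself
        else:
            pending.extend(result)
    return sorted(set(final))


if __name__ == "__main__":
    for rcpt in ("sales@example.com", "info@example.com",
                 "nobody@example.com", "bob@old.example.org"):
        print(rcpt, "->", expand(rcpt))
```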
The transport table can have entries like these:
domain transport
example.com : Delivers emails for example.com locally. This is as if this record did not exist in this table at all.
example.com smtp:mail.anotherdomain.tld Delivers all emails for example.com via SMTP to the server mail.anotherdomain.tld.
example.com smtp:mail.anotherdomain.tld:2025 Delivers all emails for example.com via SMTP to the server mail.anotherdomain.tld, but on port 2025, not 25, which is the default port for SMTP.
example.com smtp:[1.2.3.4]
example.com smtp:[1.2.3.4]:2025
example.com smtp:[mail.anotherdomain.tld] The square brackets prevent Postfix from doing lookups of the MX DNS record for the address in square brackets. This makes sense for IP addresses.
.example.com smtp:mail.anotherdomain.tld Mail for any subdomain of example.com is delivered to mail.anotherdomain.tld.
* smtp:mail.anotherdomain.tld All emails are delivered to mail.anotherdomain.tld.
smtp:mail.anotherdomain.tld Emails for [email protected] are delivered to mail.anotherdomain.tld.
See
man transport
for more details.
Please keep in mind that the order of entries in the transport table is important! The entries will be followed from the top to the bottom.
Important: Postfix uses a caching mechanism for the transports, therefore it might take a while until your changes in the transport table take effect. If you want them to take effect immediately, run
postfix reload
after you have made your changes in the transport table.
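Which transport row wins for a given recipient, as an added example that is not part of the howto: the key order Postfix tries in transport_maps and how a transport:nexthop value (brackets, port) is read, modelled on transport(5). The TRANSPORT rows are constructed sample data, the helpers are written for this example, and the model ignores address extensions (user+ext@domain).

```python
# Constructed sample rows of the transport table (domain -> transport).
TRANSPORT = {
    "vip@example.com": "smtp:[mail.anotherdomain.tld]",  # one user
    "example.com": "smtp:[1.2.3.4]:2025",                # the whole domain
    ".example.com": "smtp:mail.anotherdomain.tld",       # its subdomains
    "local.example.com": ":",                            # as if no entry
    "*": "smtp:relay.anotherdomain.tld",                 # everything else
}


def transport_keys(address):
    """Keys in the order transport(5) searches them: the full address, the
    domain, each parent domain with a leading dot, and finally "*".  With the
    default parent_domain_matches_subdomains setting a plain "example.com"
    entry does not cover sub.example.com, hence the ".example.com" form."""
    _, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address, domain]
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys


def parse_transport(value):
    """Split 'transport:nexthop' into its parts.  '[host]' means connect to
    that host directly without an MX lookup; an optional ':port' may follow.
    A bare ':' leaves both the transport and the next hop at their defaults."""
    transport, _, nexthop = value.partition(":")
    if nexthop.startswith("["):
        host, _, rest = nexthop[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
        skip_mx = True
    else:
        host, _, port = nexthop.partition(":")
        skip_mx = False
    return {
        "transport": transport or None,
        "host": host or None,
        "port": int(port) if port else None,
        "skip_mx": skip_mx,
    }


def resolve_transport(address):
    """Return (matching key, parsed transport) for a recipient, or
    (None, None) when no entry applies."""
    for key in transport_keys(address):
        if key in TRANSPORT:
            return key, parse_transport(TRANSPORT[key])
    return None, None


if __name__ == "__main__":
    for rcpt in ("vip@example.com", "bob@example.com",
                 "bob@mail.example.com", "bob@other.tld"):
        print(rcpt, "->", resolve_transport(rcpt))
```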
14 Send A Welcome Email For Creating Maildir
When you create a new email account and try to fetch emails from it (with POP3/IMAP) you will probably get error messages saying that the Maildir doesn't exist. The Maildir is created automatically when the first email arrives for the new account. Therefore it's a good idea to send a welcome email to a new account.
First, we install the mailx package:
apt-get install mailx
To send a welcome email to [email protected], we do this:
mailx [email protected]
You will be prompted for the subject. Type in the subject (e.g. Welcome), then press ENTER, and in the next line type your message. When the message is finished, press ENTER again so that you are in a new line, then press CTRL+D; if you don't want to cc the mail, press ENTER again:
root@server1:/usr/local/sbin# mailx [email protected]
Subject: Welcome <-- ENTER
Welcome! Have fun with your new mail account. <-- ENTER
<-- CTRL+D
Cc: <-- ENTER
root@server1:/usr/local/sbin#
15 Installing SquirrelMail
SquirrelMail is a webmail interface that will let your users send and receive emails in a browser. This chapter shows how to install it and adjust it to our setup so that users can even change their email account password from the SquirrelMail interface.
To install SquirrelMail, we run:
apt-get install squirrelmail php-pear
Next we copy the Apache configuration that comes with the SquirrelMail package to the /etc/apache2/conf.d directory and restart Apache:
cp /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
/etc/init.d/apache2 restart
SquirrelMail comes with some pre-installed plugins, unfortunately none of them is capable of letting us change our email password in our MySQL database. But there's the Change SQL Password plugin which we can install manually:
The plugin depends on the Pear-DB package so we install it:
pear install DB
Then we install the Change SQL Password plugin itself:
cd /usr/share/squirrelmail/plugins
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fchange_sqlpass-3.3-1.2.tar.gz
tar xvfz change_sqlpass-3.3-1.2.tar.gz
cd change_sqlpass
cp config.php.sample config.php
Now we must edit config.php and adjust it to our setup. Please adjust the $csp_dsn, $lookup_password_query, $password_update_queries, $password_encryption, $csp_salt_static, and $csp_delimiter variables as follows and comment out $csp_salt_query (please make sure to make no syntax error while you edit the file - if you do, you will get a blank page after the SquirrelMail login!):
vi config.php
[...]
$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';
[...]
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';
[...]
$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');
[...]
$password_encryption = 'MYSQLENCRYPT';
[...]
$csp_salt_static = 'LEFT(password, 2)';
[...]
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
[...]
$csp_delimiter = '@';
[...]
The complete file looks as follows:
<?php

/**
 * SquirrelMail Change SQL Password Plugin
 * Copyright (C) 2001-2002 Tyler Akins
 *               2002 Thijs Kinkhorst <[email protected]>
 *               2002-2005 Paul Lesneiwski <[email protected]>
 * This program is licensed under GPL. See COPYING for details
 *
 * @package plugins
 * @subpackage Change SQL Password
 *
 */

// Global Variables, don't touch these unless you want to break the plugin
//
global $csp_dsn, $password_update_queries, $lookup_password_query,
       $force_change_password_check_query, $password_encryption,
       $csp_salt_query, $csp_salt_static, $csp_secure_port,
       $csp_non_standard_http_port, $csp_delimiter, $csp_debug,
       $min_password_length, $max_password_length, $include_digit_in_password,
       $include_uppercase_letter_in_password, $include_lowercase_letter_in_password,
       $include_nonalphanumeric_in_password;

// csp_dsn
//
// Theoretically, any SQL database supported by Pear should be supported
// here. The DSN (data source name) must contain the information needed
// to connect to your database backend. A MySQL example is included below.
// For more details about DSN syntax and list of supported database types,
// please see:
// http://pear.php.net/manual/en/package.database.db.intro-dsn.php
//
//$csp_dsn = 'mysql://user:password@localhost/email_users';
$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';
// lookup_password_query
//
// This plugin will always verify the user's old password
// against their login password, but an extra check can also
// be done against the database for more security if you
// desire. If you do not need the extra password check,
// make sure this setting is empty.
//
// This is a query that returns a positive value if a user
// and password pair are found in the database.
//
// This query should return one value (one row, one column), the
// value being ideally a one or a zero, simply indicating that
// the user/password pair does in fact exist in the database.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
// %4 in this query will be replaced with the current (old)
// password in whatever encryption format is needed per other
// plugin configuration settings (Note that the syntax of
// the password will be provided depending on your encryption
// choices, so you NEVER need to provide quotes around this
// value in the query here.)
// %5 in this query will be replaced with the current (old)
// password in unencrypted plain text. If you do not use any
// password encryption, %4 and %5 will be the same values,
// except %4 will have double quotes around it and %5 will not.
//
//$lookup_password_query = '';
// TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';
//$lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';
// password_update_queries
//
// An array of SQL queries that will all be executed
// whenever a password change attempt is made.
//
// Any number of queries may be included here.
// The queries will be executed in the order given here.
//
// %1 in all queries will be replaced with the full username
// (including domain), such as "[email protected]"
// %2 in all queries will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in all queries will be replaced with the domain name,
// such as "example.com"
// %4 in all queries will be replaced with the new password
// in whatever encryption format is needed per other
// plugin configuration settings (Note that the syntax of
// the password will be provided depending on your
// encryption choices, so you NEVER need to provide quotes
// around this value in the queries here.)
// %5 in all queries will be replaced with the new password
// in unencrypted plain text - BEWARE! If you do not use
// any password encryption, %4 and %5 will be the same
// values, except %4 will have double quotes around it
// and %5 will not.
//
// $password_update_queries = array(
//    'UPDATE users SET crypt_password = %4 WHERE username = "%1"',
//    'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
//    'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
// );
$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');
// force_change_password_check_query
//
// A query that checks for a flag that indicates if a user
// should be forced to change their password. This query
// should return one value (one row, one column) which is
// zero if the user does NOT need to change their password,
// or one if the user should be forced to change it now.
//
// This setting should be an empty string if you do not wish
// to enable this functionality.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
//
//$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';
//$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';
$force_change_password_check_query = '';
// password_encryption
//
// What encryption method do you use to store passwords
// in your database? Please use one of the following,
// exactly as you see it:
//
//   NONE          Passwords are stored as plain text only
//   MYSQLPWD      Passwords are stored using the MySQL password() function
//   MYSQLENCRYPT  Passwords are stored using the MySQL encrypt() function
//   PHPCRYPT      Passwords are stored using the PHP crypt() function
//   MD5CRYPT      Passwords are stored using encrypted MD5 algorithm
//   MD5           Passwords are stored as MD5 hash
//
//$password_encryption = 'MYSQLPWD';
$password_encryption = 'MYSQLENCRYPT';
// csp_salt_query
// csp_salt_static
//
// Encryption types that need a salt need to know where to get
// that salt. If you have a constant, known salt value, you
// should define it in $csp_salt_static. Otherwise, leave that
// value empty and define a value for the $csp_salt_query.
//
// Leave both values empty if you do not need (or use) salts
// to encrypt your passwords.
//
// The query should return one value (one row, one column) which
// is the salt value for the current user's password. This
// query is ignored if $csp_salt_static is anything but empty.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
//
//$csp_salt_static = 'LEFT(crypt_password, 2)';
//$csp_salt_static = '"a4"'; // use this format with MYSQLENCRYPT
//$csp_salt_static = '$2$blowsomefish$'; // use this format with PHPCRYPT
//$csp_salt_static = '';
$csp_salt_static = 'LEFT(password, 2)';

//$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
//$csp_salt_query = '';
// csp_secure_port
//
// You may ensure that SSL encryption is used during password
// change by setting this to the port that your HTTPS is served
// on (443 is typical). Set to zero if you do not wish to force
// an HTTPS connection when users are changing their passwords.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_secure_port in the vlogin
// configuration.
//
$csp_secure_port = 0;
//$csp_secure_port = 443;
// csp_non_standard_http_port
//
// If you serve standard HTTP web requests on a non-standard
// port (anything other than port 80), you should specify that
// port number here. Set to zero otherwise.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_non_standard_http_port
// in the vlogin configuration.
//
//$csp_non_standard_http_port = 8080;
$csp_non_standard_http_port = 0;
// min_password_length
// max_password_length
// include_digit_in_password
// include_uppercase_letter_in_password
// include_lowercase_letter_in_password
// include_nonalphanumeric_in_password
//
// You can set the minimum and maximum password lengths that
// you accept or leave those settings as zero to indicate that
// no limit should be applied.
//
// Turn on any of the other settings here to check that the
// new password contains at least one digit, upper case letter,
// lower case letter and/or one non-alphanumeric character.
//
$min_password_length = 6;
$max_password_length = 0;
$include_digit_in_password = 0;
$include_uppercase_letter_in_password = 0;
$include_lowercase_letter_in_password = 0;
$include_nonalphanumeric_in_password = 0;
// csp_delimiter
//
// if your system has usernames with something other than
// an "@" sign separating the user and domain portion,
// specify that character here
//
//$csp_delimiter = '|';
$csp_delimiter = '@';

// debug mode
//
$csp_debug = 0;

?>
The Change SQL Password plugin also depends on the Compatibility plugin which we install as follows:
cd /usr/share/squirrelmail/plugins
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fcompatibility-2.0.14-1.0.tar.gz
tar xvfz compatibility-2.0.14-1.0.tar.gz
Now we must go into the SquirrelMail configuration and tell SquirrelMail that we use Courier as our POP3 and IMAP server and enable the Change SQL Password and the Compatibility plugins:
/usr/sbin/squirrelmail-configure
You'll see the following menu. Navigate through it as indicated:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- D
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> <-- courier
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> courier
imap_server_type = courier
default_folder_prefix = INBOX.
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = .
delete_folder = true
Press any key to continue... <-- press a key
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- 8
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
Available Plugins:
1. abook_take
2. administrator
3. bug_report
4. calendar
5. change_sqlpass
6. compatibility
7. delete_move_next
8. demo
9. filters
10. fortune
11. info
12. listcommands
13. mail_fetch
14. message_details
15. newmail
16. sent_subfolders
17. spamcop
18. squirrelspell
19. test
20. translate
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >> <-- 6 (or whatever number the compatibility plugin has - it's needed by the change_sqlpass plugin)
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. compatibility
Available Plugins:
2. abook_take
3. administrator
4. bug_report
5. calendar
6. change_sqlpass
7. delete_move_next
8. demo
9. filters
10. fortune
11. info
12. listcommands
13. mail_fetch
14. message_details
15. newmail
16. sent_subfolders
17. spamcop
18. squirrelspell
19. test
20. translate
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >> <-- 6 (the number of the change_sqlpass plugin)
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. compatibility
2. change_sqlpass
Available Plugins:
3. abook_take
4. administrator
5. bug_report
6. calendar
7. delete_move_next
8. demo
9. filters
10. fortune
11. info
12. listcommands
13. mail_fetch
14. message_details
15. newmail
16. sent_subfolders
17. spamcop
18. squirrelspell
19. test
20. translate
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >> <-- S
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. compatibility
2. change_sqlpass
Available Plugins:
3. abook_take
4. administrator
5. bug_report
6. calendar
7. delete_move_next
8. demo
9. filters
10. fortune
11. info
12. listcommands
13. mail_fetch
14. message_details
15. newmail
16. sent_subfolders
17. spamcop
18. squirrelspell
19. test
20. translate
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >> S
Data saved in config.php
Press enter to continue... <-- ENTER
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Plugins
Installed Plugins
1. compatibility
2. change_sqlpass
Available Plugins:
3. abook_take
4. administrator
5. bug_report
6. calendar
7. delete_move_next
8. demo
9. filters
10. fortune
11. info
12. listcommands
13. mail_fetch
14. message_details
15. newmail
16. sent_subfolders
17. spamcop
18. squirrelspell
19. test
20. translate
R Return to Main Menu
C Turn color on
S Save data
Q Quit
Command >> <-- Q
Now you can type in http://server1.example.com/squirrelmail or http://192.168.0.100/squirrelmail in your browser to access SquirrelMail.
Log in with your email address (e.g. [email protected]) and your password:
You should find the welcome email in your inbox:
To change your password, go to Options and then select Change Password:
Type in your current password and then your new password twice:
SquirrelMail will tell you if the password has been changed successfully:
How To Block Spammers/Hackers With Apache2's mod_spamhaus
(Debian Etch)
mod_spamhaus is an Apache module that uses a DNSBL to block spam relaying via web forms, prevent URL injection, block HTTP DDoS attacks from bots and, more generally, protect your web service by denying access to known bad IP addresses.
1. Installation
In order to compile mod_spamhaus, you must have the apxs2 (APache eXtenSion) tool installed.
The following command installs it:
apt-get install apache2-prefork-dev
Now we need to download the source package from http://sourceforge.net/projects/mod-spamhaus/, or fetch it with wget using this direct link to the repository:
wget http://kent.dl.sourceforge.net/sourceforge/mod-spamhaus/mod_spamhaus05.tar.gz
Next, unpack the archive, then compile and install the module with these commands:
tar zxvf mod_spamhaus05.tar.gz
cd mod-spamhaus
make
make install
You must add a LoadModule directive to the main config file of your web server so that the mod_spamhaus module is loaded.
vi /etc/apache2/httpd.conf
[...]
LoadModule spamhaus_module /usr/lib/apache2/modules/mod_spamhaus.so
2. Configuration
Before we are able to write our configuration, we should know which directives are supported by mod_spamhaus:
MS_Methods - If the HTTP method used by the visitor matches one in this list, the module verifies the visitor's IP address
MS_WhiteList - A simple whitelist file where you can put IP addresses that bypass the check
MS_DNS - DNSBL to use. Useful if you want to run a local rbldnsd instance
MS_CacheSize - Number of cached addresses
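To make the effect of those four directives concrete, here is an added example written for this page (it is not mod_spamhaus's code and not part of the original tutorial): a POSIX shell model of the decision the module makes per request. Only the methods listed in MS_Methods are checked, an address found in the MS_WhiteList file bypasses the lookup, and the DNSBL named by MS_DNS is queried by reversing the client's IPv4 octets and appending the list zone, which is how DNS block lists are queried in general. The zone dnsbl.example, the whitelist path, the addresses and the stand-in resolver fake_resolve are all constructed so the script runs offline; a real deployment would resolve the name with the system resolver and treat any A record as "listed".

```shell
#!/bin/sh
# Added example, not part of mod_spamhaus or this tutorial: a shell model of
# the check the module's directives describe. Everything named below
# (dnsbl.example, the whitelist file, the addresses) is constructed.

# DNSBL query name: reverse the IPv4 octets and append the list zone.
# 192.0.2.10 with zone dnsbl.example -> 10.2.0.192.dnsbl.example
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# Succeeds when the HTTP method is in a comma-separated list such as
# "POST,PUT,OPTIONS,CONNECT" (the MS_Methods value used in this tutorial).
method_checked() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeeds when the address appears, one per line, in the whitelist file.
whitelisted() {
    [ -f "$2" ] && grep -qxF "$1" "$2"
}

# Constructed stand-in for the DNS lookup so the example runs offline:
# it answers for one listed address only and prints nothing otherwise.
fake_resolve() {
    case $1 in
        66.2.0.192.dnsbl.example) echo 127.0.0.2 ;;
    esac
}

# spamhaus_decide METHOD IP METHODS WHITELIST ZONE RESOLVER
# Prints "allow" or "block" for one request.
spamhaus_decide() {
    method=$1 ip=$2 methods=$3 wl=$4 zone=$5 resolver=$6
    if ! method_checked "$method" "$methods"; then echo allow; return 0; fi
    if whitelisted "$ip" "$wl";             then echo allow; return 0; fi
    if [ -n "$("$resolver" "$(dnsbl_name "$ip" "$zone")")" ]; then
        echo block
    else
        echo allow
    fi
}

DEMO_METHODS="POST,PUT,OPTIONS,CONNECT"
DEMO_WL="/tmp/spamhaus_wl.$$"              # constructed whitelist file
trap 'rm -f "$DEMO_WL"' EXIT
printf '198.51.100.7\n' > "$DEMO_WL"

# A GET is never checked, a whitelisted POST passes, a listed POST is blocked.
spamhaus_decide GET  192.0.2.66   "$DEMO_METHODS" "$DEMO_WL" dnsbl.example fake_resolve
spamhaus_decide POST 198.51.100.7 "$DEMO_METHODS" "$DEMO_WL" dnsbl.example fake_resolve
spamhaus_decide POST 192.0.2.66   "$DEMO_METHODS" "$DEMO_WL" dnsbl.example fake_resolve
```

The order of the three tests is the part worth remembering when reading logs from a deployment: a request is only ever looked up when its method is in MS_Methods and its source is not whitelisted, so a missing block on a GET or on a whitelisted address is expected behaviour, not a broken list.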
Now we open the config file of our web server in order to write a basic configuration:
vi /etc/apache2/apache2.conf
[...]
<IfModule mod_spamhaus.c>
MS_METHODS POST,PUT,OPTIONS,CONNECT
MS_WhiteList /etc/spamhaus.wl
MS_CacheSize 256
</IfModule>
[...]
Next we create an empty whitelist file:
touch /etc/spamhaus.wl
Finally we restart Apache2:
/etc/init.d/apache2 restart
That's all!
Installing ISP-fw (Firewall) On Linux
ISP-fw is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/DNAT, TOS and, last but not least, generates HTB rules for bandwidth management. With ISP-fw you can turn a PC into a gateway with shaping capabilities.
Let's begin:
I will assume that you have installed Linux on your box. I use a Debian machine so this tutorial will be for Debian Linux but should not differ much from the rest of the distros.
1. Requirements:
- GNU/Linux distribution;
- GCC 3.4.6 compiler;
- Iproute2 (the latest version is recommended: http://linux-net.osdl.org/index.php/Iproute2);
- Linux Kernel 2.4.32 or 2.6.16 (www.kernel.org);
- dialog (the latest version from http://invisible-island.net/dialog/);
- flex version 2.5.4a (not above);
- iptables v1.2.11 or above;
- DHCP (the latest version from ftp://ftp.isc.org/isc/dhcp/);
- Apache and PHP (required for webISP);
- ZendOptimizer 3.x (required for webISP);
- mySQL 4.x (required for webISP);
- MRTG (required for webISP);
- IPFM (required for webISP).
For shaping you have to enable QoS in your kernel; this is the list of options for 2.4.x and 2.6.x:
Linux Kernel 2.4.32 ( http://www.kernel.org )
----------------------------------------------
If you compile the Kernel from the sources, you will need to select the following options:
#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y
Linux Kernel 2.6.16 ( http://www.kernel.org )
------------------------------------------------
If you compile the kernel from the sources, you will need to select the following options:
#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
#
# Queuing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_INGRESS=m
#
# Classification
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=m
CONFIG_NET_EMATCH_NBYTE=m
CONFIG_NET_EMATCH_U32=m
CONFIG_NET_EMATCH_META=m
CONFIG_NET_EMATCH_TEXT=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=y
CONFIG_GACT_PROB=y
CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_IPT=m
CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_ACT_SIMP=m
CONFIG_NET_CLS_IND=y
CONFIG_NET_ESTIMATOR=y
!!! NOTE !!! To successfully use mark_in_u32 you MUST use at least kernel 2.6.16.
2. Download and install isp-fw from http://isp-fw.sourceforge.net
root@htb:~# wget http://kent.dl.sourceforge.net/sourceforge/isp-fw/ispfw-9.5-rc1.deb
root@htb:~# mysql -u user -p password
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database ispfw;
Query OK, 1 row affected (0.00 sec)
mysql> quit
Bye
root@htb:~# dpkg -i ispfw-9.5-rc1.deb
SQL host [localhost]:
SQL user [root]: ispfw
SQL pass [changeme]: ****
SQL db [ispfw]: ispfw
Admin user for webpage [admin]: admin
Admin password for webpage [changeme]: ****
Installation successful.
Edit /var/www/webisp/include/config.php.
Change in php.ini session.auto_start to 1
Note that you need to install zendOptimizer
http://www.zend.com/free_download/optimizer
You're done installing ISP-fW. Let's go to the configuration.
3. Configure ISP-fW
Edit /etc/isp-fw/firewall.conf to your needs (you can also run isped fireconfig from the console to edit the file). A more detailed example can be found in the docs or at http://isp-fw.wiki.sourceforge.net/Config-Examples.
#generated by setup, see docs/cfg/
network_name = Example
domain = example.com
default_editor = vi
default_ipt_policy = ACCEPT
net_interface = eth0
lan_interface = eth1
net_ip = 45.93.203.4
clone_mac = no
gateway = 45.93.203.1
subnet = 255.255.255.0
fake_mac = 00:0D:A1:D9:D2:DA
download = start
upload = start
bandwith = 2048 kbps
burst = 0
qdisc = sfq
bgp_file = none
htb_mode = none
ssh_all = no
#I set ssh_all to no; if so, you have to enter a list of IPs in /etc/isp-fw/ssh.allow
ssh_port = 22
use_squid = no
squid_port = 3128
load_custom = no
masquerade = yes
update_hosts = yes
optimize = yes
opt_conntrack = auto
mac_filter = no
auto_redirect = no
my_web = 1234
block_traceroute = no
flood = no
no_port_scan = no
ping_protection = yes
max_conn_per_port =
use_dhcp = yes
#DHCP section
class = 10.10.10.0/255.255.255.0
router = 10.10.10.1
range = 10.10.10.1 10.10.10.254
broadcast = 10.10.10.255
dns = 10.10.10.1, 10.10.10.2
wins = 10.10.10.2
/etc/isp-fw/spam.conf - here you enter blacklisted IP(s)
/etc/isp-fw/badports.conf - here you enter blacklisted port(s)
/etc/isp-fw/port.allow - here you enter port(s) that you want to accept
/etc/isp-fw/ssh.allow - here you enter IP(s) that you want to allow to SSH
4. Adding clients to ISP-fW
You can add clients by using the command isped clienti:
root@htb:~# isped clienti
Now, if you have NAT on your network, be sure to have the option masquerade = yes. Here's how the file looks:
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC IP-LAN IP-NET MINE/MAXE/MINM/MAXM NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024 Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024 Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024 Alice
#END
If you have your own class of IPs from ARIN or any other registry, be sure to set masquerade = no.
For this example we will assume that we have the class 9.10.11.0/24 allocated.
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
00:0E:2E:1F:E7:FA 0.0.0.0 9.10.11.2 16/32/128/1024 Tom
00:02:AA:11:B2:AC 0.0.0.0 9.10.11.3 16/32/256/2048 Britney
#00:01:AA:03:04:05 0.0.0.0 9.10.11.4 16/32/256/2048 Alice
#END
Tips
The "16/32/128/1024" means that Tom has 16 kbps minimum guaranteed and 32 kbps maximum for external bandwidth, and 128 kbps minimum and 1024 kbps maximum for metropolitan networks.
The "#" sign means that the client is disabled, therefore it doesn't have Internet access.
The "#>" sign means that the client is redirected to your customized suspended web page.
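The client file is the one place where a typo silently changes who gets Internet access and how much bandwidth, so it is worth being able to validate it before running ispfw start. The parser below is an added example for this page, not ISP-fW's own code: the field layout (MAC, LAN IP, NET IP, MINE/MAXE/MINM/MAXM, NAME) and the meaning of the "#" and "#>" prefixes are taken from the text above; the validation rules, the Client record, the sample file (which adds one constructed "#>" entry to the NAT example) and the tc rendering at the end are assumptions made for this illustration.

```python
"""Parser for the ISP-fW clienti file as described on this page.  Added
example, not ISP-fW's own code: the field layout and the '#' / '#>' prefixes
come from the text; validation rules, the Client record and the tc rendering
are assumptions made for this illustration."""
import ipaddress
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample in the NAT layout shown above, plus one suspended entry.
CLIENTI_SAMPLE = """\
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC IP-LAN IP-NET MINE/MAXE/MINM/MAXM NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024 Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024 Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024 Alice
#>00:01:1A:1A:AA:AB 10.10.10.5 0.0.0.0 16/512/1024/1024 Bob
#END
"""


@dataclass
class Client:
    mac: str
    ip_lan: str
    ip_net: str
    min_ext: int     # kbps guaranteed on the external link (MINE)
    max_ext: int     # kbps ceiling on the external link (MAXE)
    min_metro: int   # kbps guaranteed on the metropolitan network (MINM)
    max_metro: int   # kbps ceiling on the metropolitan network (MAXM)
    name: str
    status: str      # "enabled", "disabled" (#) or "suspended" (#>)


def parse_clienti(text):
    """Parse the file, keeping disabled and suspended clients with their status
    and rejecting records with missing fields (the CAUTION in the file header)."""
    clients = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#END":
            continue
        if line.startswith("#>"):
            status, body = "suspended", line[2:].strip()
        elif line.startswith("#"):
            body = line[1:].strip()
            first = body.split()[0] if body else ""
            if not MAC_RE.match(first):
                continue                      # ordinary comment or the header line
            status = "disabled"
        else:
            status, body = "enabled", line
        fields = body.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, found {len(fields)}")
        mac, ip_lan, ip_net, rates, name = fields
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        ipaddress.IPv4Address(ip_lan)         # raises on a malformed address
        ipaddress.IPv4Address(ip_net)
        parts = rates.split("/")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"line {lineno}: rates must be MINE/MAXE/MINM/MAXM, got {rates!r}")
        min_ext, max_ext, min_metro, max_metro = (int(p) for p in parts)
        if min_ext > max_ext or min_metro > max_metro:
            raise ValueError(f"line {lineno}: guaranteed rate exceeds maximum")
        clients.append(Client(mac, ip_lan, ip_net, min_ext, max_ext,
                              min_metro, max_metro, name, status))
    return clients


def htb_class_command(client, dev, classid, parent="1:1"):
    """Render a client's external limits as an HTB class using the standard tc
    semantics: 'rate' is the guaranteed minimum, 'ceil' the maximum.  How ISP-fW
    itself numbers its classes is not shown on the page, so classid is a parameter."""
    return (f"tc class add dev {dev} parent {parent} classid {classid} "
            f"htb rate {client.min_ext}kbit ceil {client.max_ext}kbit")


if __name__ == "__main__":
    for c in parse_clienti(CLIENTI_SAMPLE):
        print(f"{c.name:8s} {c.status:9s} {c.ip_lan:12s} "
              f"ext {c.min_ext}/{c.max_ext} kbps  metro {c.min_metro}/{c.max_metro} kbps")
        if c.status == "enabled":
            print("   ", htb_class_command(c, "eth1", "1:10"))
```

Running it on a real /etc/isp-fw client file (read the file and pass its contents to parse_clienti) turns the "dont leave blank fields" caution into a hard error with a line number, and the status field gives you a quick audit of which MAC addresses are currently enabled, disabled or suspended.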
Now to start the program just type
ispfw start