Changes between Initial Version and Version 1 of configure_new_server

Timestamp:

Aug 23, 2007, 1:22:38 AM (17 years ago)

Author:

Jamie McClelland

Comment:

--

configure_new_server

@@ +1 @@
+=Purchase an ssl certificate=
+
+Generate a private key and certificate signing request.
+
+{{{
+openssl genrsa -out server.mayfirst.org.key 4096
+openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
+}}}
+
+Change the domain@mayfirst.org email alias to point to your address.
+
+Go to Dotster (which is a thawte reseller) for server.mayfirst.org (from Dotster home page click Other Products -> ssl, get the 123 certificate)
+
+This will take a day or so to be generated.
+
+Once generated, login to Dotster using the mayfirst username. Click on My Services. You should see the new ssl Cert listed.
+
+Click Manage services.
+
+Copy the CRT into a file called:
+
+server.mayfirst.org.pem
+
+(replace server with the name of the server being setup)
+
+then add dh paramaters with:
+
+{{{
+openssl gendh >> server.mayfirst.org.pem
+}}}
+
+This file will be used by courier
+
+Now, put each one in a separate file called:
+
+server.mayfirst.org.key
+
+server.mayfirst.org.crt
+
+These will be used by apache
+
+=Use volatile for SA and clamav=
+
+
+ * Edit /etc/apt/sources.list. Add the following:
+{{{
+# clamav (volatile) and spam assassin (volatile-sloppy)
+deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
+deb http://debian.domainmail.org/debian-volatile etch/volatile main
+}}}
+ * Edit (or add) /etc/apt/preferences. Add the following
+{{{
+Package: spamassassin
+Pin: release a=etch-sloppy
+Pin-Priority: 991
+
+Package: spamc
+Pin: release a=etch-sloppy
+Pin-Priority: 991
+}}}
+
+
+=Install debian packages=
+
+{{{
+$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute  bzip2
+}}}
+
+Now, install php-pear and php-log. You must install these before installing imp4 or else imp4 will try to pull in un-needed php4 packages.
+
+{{{
+sudo apt-get install php-pear php-log
+}}}
+
+And now, imp4:
+
+{{{
+sudo apt-get install imp4 turba2 ingo1
+}}}
+
+Add the pear file package so that Turba (address book) can import address books. First try apt - but don't do it if it still tries to pull in php4 (which it is trying as of April 11, 2007)
+
+{{{
+sudo apt-get install php-file
+}}}
+
+If it is trying to pull in php4, then install it via pear:
+
+{{{
+sudo pear install -o File
+}}}
+
+=Configure HE routes=
+
+In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes
+
+Create a file called add-he-routes with the following contents:
+
+{{{
+#!/bin/bash
+# add routes for alternate blocks in rack
+#ip route add 209.51.172.0/28 dev eth0
+ip route add 209.51.169.80/28 dev eth0
+#ip route add 209.51.163.192/28 dev eth0
+ip route add 209.51.180.16/28 dev eth0
+}}}
+
+Comment out the line representing the network this server is on
+
+Save the file in /etc/network/if-up.d
+chmod it to 755
+
+And add a corresponding file:
+
+{{{
+
+#!/bin/bash
+# remove routes for alternate blocks in rack
+ip route del 209.51.172.0/28
+ip route del 209.51.169.80/28
+ip route del 209.51.163.192/28
+#ip route del 209.51.180.16/28
+}}}
+
+Save the file in /etc/network/if-down.d
+chmod it to 755
+
+=Configure suPHP=
+
+
+ * Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
+{{{
+#!/bin/bash -e
+
+#
+# phpmyadmin
+#
+# use /var/lib/phpmyadmin as home dir because it already exists
+
+if [ -z $(getent passwd|grep phpmyadmin) ]; then
+adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false -gid 65534 phpmyadmin
+fi
+#userdel phpmyadmin
+phpmyadmin_files=`dpkg -L phpmyadmin | grep '\.php'`
+
+for file in $phpmyadmin_files; do
+dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
+# #dpkg-statoverride --remove $file
+done
+
+#
+# horde: share one user between horde and imp and any other horde apps
+#
+# use /var/log/horde as home directory because it already exists
+if [ -z $(getent passwd|grep horde) ]; then
+adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false -gid 65534 horde
+fi
+#userdel horde
+
+# chown the directory recursively to get existing logs
+# it is written to by the web process
+chown -R horde /var/log/horde
+chown horde /etc/horde/horde3/conf.php
+#chmod 600 /etc/horde/horde3/conf.php
+
+# add it to the mix
+dpkg-statoverride --add --update --force --quiet  horde nogroup 644 /var/log/horde
+#dpkg-statoverride --remove /var/log/horde
+
+# ack - this is not mainainable!
+perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
+
+horde_files=`dpkg -L horde3 | grep '\.php'`
+imp_files=`dpkg -L imp4 | grep '\.php'`
+turba_files=`dpkg -L turba2 | grep '\.php'`
+ingo_files=`dpkg -L ingo1 | grep '\.php'`
+all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
+
+for file in $all_horde_files; do
+dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
+#dpkg-statoverride --remove $file
+done
+
+if [ -z $(getent passwd|grep squirrelmail) ]; then
+adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false -gid 65534 squirrelmail
+fi
+#userdel squirrelmail
+sm_files=`dpkg -L squirrelmail | grep '\.php'`
+
+chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
+dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
+
+#dpkg-statoverride --remove /var/lib/squirrelmail/data
+
+for file in $sm_files; do
+dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file
+#dpkg-statoverride --remove $file
+done
+}}}
+ * Edit /etc/suphp/suphp.conf
+{{{
+[global]
+;Path to logfile
+logfile=/var/log/suphp/suphp.log
+
+;Loglevel
+loglevel=info
+
+;User Apache is running as
+webserver_user=www-data
+
+;Path all scripts have to be in
+docroot=/
+
+;Path to chroot() to before executing script
+;chroot=/mychroot
+
+; Security options
+;allow_file_group_writeable=false
+allow_file_group_writeable=true
+;allow_file_others_writeable=false
+allow_file_others_writeable=true
+;allow_directory_group_writeable=false
+allow_directory_group_writeable=true
+;allow_directory_others_writeable=false
+allow_directory_others_writeable=true
+
+;Check wheter script is within DOCUMENT_ROOT
+;check_vhost_docroot=true
+check_vhost_docroot=false
+
+;Send minor error messages to browser
+errors_to_browser=false
+
+;PATH environment variable
+env_path=/bin:/usr/bin
+
+;Umask to set, specify in octal notation
+;umask=0077
+umask=0022
+
+; Minimum UID
+min_uid=100
+
+; Minimum GID
+min_gid=100
+
+
+[handlers]
+;Handler for php-scripts
+x-httpd-php=php:/usr/bin/php-cgi
+
+;Handler for CGI-scripts
+x-suphp-cgi=execute:!self
+}}}
+
+
+=Configure fail2ban=
+
+Create /etc/fail2ban/jail.local. Modify the following lines, by adding them to the jail.local file that you just created:
+{{{
+[DEFAULT]
+bantime  = 200
+
+action = iptables[name=%(__name__)s, port=%(port)s]
+mail-whois[name=%(__name__)s, dest=%(destemail)s]
+
+}}}
+
+=Install Red=
+
+
+ * Edit /etc/apt/sources.list - make sure non-free is there, e.g.:
+deb http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
+{{{
+$ sudo apt-get install ucspi-tcp-src
+$ sudo build-ucspi-tcp
+}}}
+
+ * Create a user in the red database with (change sylvia to name of server):
+
+{{{
+GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
+GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
+GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
+}}}
+
+ * Download the source from cvs
+
+copy and paste the following commands
+
+{{{
+$ cd /usr/local/share
+$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
+$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
+$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
+$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
+$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
+$ sudo mkdir /usr/local/etc
+$ sudo mkdir /usr/local/etc/red
+$ cd /usr/local/share/red/server/etc/red
+$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
+$ cd /usr/local/etc/red
+$ for file in `ls *.sample`; do sudo cp $file /usr/local/etc/red/${file%.sample}; done;
+}}}
+
+this last one, in case you are interested, copies all the files that end in .sample in this directory to files that strip the .sample part out.
+
+ * Edit the file called pinky. Change ip address to machine's real ip address. also edit red_server.conf, to add the database user and password.
+ * Launch pinky with:
+{{{
+$ sudo /usr/local/sbin/pinky &
+}}}
+
+
+=Postfix setup=
+
+
+
+ * Create aliases in /etc/aliases
+
+{{{
+www: www-data
+www-data: apache@mayfirst.org
+root: root@mayfirst.org
+}}}
+
+Don't forget to run newaliases!
+
+ * Create empty access, virtual_alias_maps and virtual_alias_domains files in
+/etc/postfix
+
+{{{
+sudo touch virtual_alias_maps virtual_alias_domains access
+}}}
+
+Create an empty access database (later we can add entries in access to restrict or allow senders):
+
+{{{
+sudo postmap access
+}}}
+
+ * Add the following to the bottom of the /etc/postfix/main.cf file:
+
+{{{
+# May First custom config
+# file based virtual hosting configuration
+
+# List of virtual domain names
+virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
+
+# list of email address -> unix account mappings
+virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
+
+# use maildir
+home_mailbox = Maildir/
+
+# Added for maildrop
+mailbox_command = /usr/bin/maildrop
+maildrop_destination_recipient_limit = 1
+
+# Added by jamie 6/10/04 to try to stem the tide of spam
+smtpd_sender_restrictions =
+hash:/etc/postfix/access,
+reject_non_fqdn_sender,
+reject_unknown_sender_domain,
+permit
+
+# Added for amavisd-new
+content_filter=smtp-amavis:[127.0.0.1]:10024
+}}}
+
+ * Copy the /etc/postfix/master.cf file from chavez to get the amavis settings.
+
+
+ * Postfix as secure mail relay setup
+
+ * Install the sasl packages
+{{{
+sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
+}}}
+
+ * Configure sasl
+{{{
+sudo vim /etc/default/saslauthd
+}}}
+
+Uncomment START=yes
+Change MECHANISMS to read:
+MECHANISMS="shadow"
+
+ * Add postfix to the sasl group
+{{{
+sudo addgroup postfix sasl
+}}}
+
+ * Make the /etc/postfix/ssl directory and copy the pem files there
+{{{
+sudo mkdir /etc/postfix/ssl
+sudo cp /whereever/server.pem /etc/postfix/ssl/
+}}}
+
+ * Edit main.cf
+{{{
+# to enable authentication for sending email
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+broken_sasl_auth_clients = yes
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+
+# TLS Stuff here:
+smtpd_use_tls = yes
+# force people who want to authenticate to use tls - you can't authenticate
+# otherwise. This is important because passwords are sent in the clear
+smtpd_tls_auth_only = yes
+smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
+smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+tls_random_source = dev:/dev/urandom
+}}}
+
+ * Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
+
+ * Create /etc/postfix/sasl/smtpd.conf
+
+{{{
+sudo mkdir /etc/postfix/sasl
+sudo vim /etc/postfix/sasl/smtpd.conf
+# add these lines:
+pwcheck_method: saslauthd
+mech_list: plain login
+}}}
+
+
+=Setup Postgrey=
+
+Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.
+
+ * Install Postgrey
+{{{
+sudo apt-get install postgrey
+}}}
+ * Edit /etc/default/postgrey adding the following line:
+{{{
+POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
+}}}
+ * Restart postgrey
+{{{
+/etc/init.d/postgrey restart
+}}}
+ * Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
+{{{
+check_policy_service inet:127.0.0.1:60000
+}}}
+
+
+check_policy_service inet:127.0.0.1:60000
+
+=Setup Courier=
+
+
+ * Create a shared/index file that is empty (to avoid getting error messages in the log)
+{{{
+mkdir /etc/courier/shared
+touch /etc/courier/index
+}}}
+ * Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:
+{{{
+cp server.mayfirst.org.pem /etc/courier/imapd.pem
+cp server.mayfirst.org.pem /etc/courier/pop3d.pem
+}}}
+
+=Setup amavis=
+
+
+
+ * Edit /etc/amavis/conf.d/50-user
+
+Add the following lines
+@bypass_virus_checks_maps = (
+\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+$final_banned_destiny     = D_PASS;   # D_REJECT when front-end MTA
+$final_spam_destiny       = D_PASS;
+$final_bad_header_destiny = D_PASS;
+
+ * Add clamav to the amavis group with:
+{{{
+sudo addgroup clamav amavis
+}}}
+
+ * Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
+ * Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:
+# Find and delete all emails older than 14 days
+2 4 * * *       amavis  find /var/lib/amavis/virusmails -mtime +14  -exec rm '{}' \;
+
+
+
+=Configure Spamassassin=
+
+
+ * Install helper packages
+{{{
+sudo apt-get install razor dcc-client
+}}}
+
+ * Add a new rule for spamassassin (debian etch or above only!)
+
+<ul>
+ * Create /usr/local/share/spamassassin/plugins
+{{{
+sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins
+}}}
+
+ * Download the ImageInfo plugin to that directory
+{{{
+cd /usr/local/share/spamassassin/plugins
+sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
+}}}
+ * Add rule to /etc/spamassassin
+{{{
+cd /etc/spamassassin
+sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
+}}}
+ * Edit /etc/spamassassin/init.pre. Add the following line:
+{{{
+loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
+}}}
+</ul>
+
+ * Enable dcc - uncomment line in /etc/spamassassin/v310.pre the refers to dcc
+
+ * Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
+ * Add temporary work around to get spamassassin to properly tag messages sent to us via tls by adding this line to /etc/spamassassin/local.cf:
+{{{
+header LOCAL_AUTH_RCVD    Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
+score LOCAL_AUTH_RCVD -20
+}}}
+(edit the host name)
+See: http://wiki.apache.org/spamassassin/DynablockIssues
+ * Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0
+ * Edit /etc/default/spamassassin - enable spamassassin
+ * Setup sa-update
+{{{
+sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
+# test with:
+sudo sa-update -D
+# make sure the above command exited cleanly
+# Create a file in /etc/cron.daily called "mfpl-sa-update" with:
+#!/bin/bash
+sa-update && /etc/init.d/spamassassin restart
+# always exit with 0 - sa-update will exit with 1 if no update is available
+# and we don't want cron to report that to us
+exit 0
+}}}
+
+
+
+=Maildrop=
+
+Edit /etc/maildroprc and add the following lines:
+
+{{{
+DEFAULT="$HOME/Maildir"
+# spamassassin
+xfilter "/usr/bin/spamc -u $LOGNAME"
+}}}
+
+=Webmail setup=
+
+
+
+ * Symlink the squirrelmail apache conf file:
+
+{{{
+$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
+}}}
+
+ * Edit the /etc/apache2/conf.d/horde.conf file. Add:
+{{{
+Redirect /webmail https://servername.mayfirst.org/horde3
+}}}
+ * Copy the various /etc/horde/*/conf.conf files from chavez
+ * Edit /etc/horde/imp4/servers.php (see chavez for details)
+ * Run sudo /etc/squirrelmail/conf.pl
+
+ * Change 1: organizational preferences (org name, provider link, provider name)
+ * Change 2: server settings: A IMAP Settings (port: 993, secure imap: true,
+server software: courier
+ * Plugins: install: delete_move_next,squirrelspell,
+filters,abook_take,listcommands,mail_fetch,gpg (you will need to download
+this one from www.squirrelmail.org into the /usr/share/squirrelmail/plugins
+
+ * Gunzip/usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
+ * Edit - change the password to a good password
+ * Import into mysql
+ * Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
+{{{
+mysql -u root -p horde <  /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
+}}}
+
+
+=Install Drupal=
+
+
+ * Download from drupal.org into: /usr/local/share/
+
+ * Name the drupal directory after the version (i.e. drupal-4.7.3)
+
+ * Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
+
+ * Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7
+and place into the /usr/local/share/drupal-modules-4.7 on the target server.
+
+
+
+=Configure Apache=
+
+
+
+ * In /etc/apache2/site-available/default change NameVirtualHost * to: NameVirtualHost *:80
+
+ * Change:
+<VirtualHost *> to: <VirtualHost *:80>
+ServerAdmin apache@mayfirst.org
+DocumentRoot /srv/apache/web (create this directory and index.html file)
+
+
+=Configure logrotate=
+
+Create a file called apache2-red in the /etc/logrotate.d directory with:
+
+{{{
+/home/members/*/sites/*/logs/*.log {
+weekly
+missingok
+rotate 12
+compress
+delaycompress
+notifempty
+create 644 root root
+sharedscripts
+postrotate
+if [ -f /var/run/apache2.pid ]; then
+/etc/init.d/apache2 restart > /dev/null
+fi
+endscript
+}
+}}}
+
+=Configure logcheck=
+
+Copy from Wiwa to the server:
+/etc/logcheck/logcheck.conf
+/etc/logcheck/ignore.d.server/local-*
+
+=Configure cron-apt=
+
+Edit /etc/cron-apt
+Change line MAILON to MAILON="upgrade"
+
+=Configure Awstats=
+
+
+ * Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
+ * Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from
+chavez to the target server.
+ * Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
+ * Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats
+
+
+=Configure Mutt=
+
+Create /etc/Muttrc.d and put a file named maildir.rc with
+
+{{{
+set mbox_type=Maildir
+set mbox=~/Maildir
+set spoolfile=~/Maildir
+set folder=~/Maildir
+}}}
+
+=Change ssh=
+
+Make sure the following settings are set:
+{{{
+PermitRootLogin no
+AllowGroups sshusers
+# Required for Contribute. Grr.
+PasswordAuthentication yes
+}}}
+
+=Congifure phpmyadmin=
+
+Copy the apache conf file from /etc/phpmyadmin to /etc/apach2/conf.d
+
+{{{
+cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
+}}}
+
+Add the phpmyadmin alias:
+
+{{{
+echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
+}}}
+
+=Setup Backup=
+
+ * Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
+ * Edit /etc/mf-backup.xml as needed
+ * Be sure to grant the mysql backup user the proper permissions with:
+{{{
+GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret'
+}}}
+