=Purchase an SSL certificate=

Generate a private key and certificate signing request. Generate the key on the server itself; it is the secret half of the server's identity and should not be copied anywhere it is not needed.

{{{
openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
}}}

Change the domain@mayfirst.org email alias to point to your address.

Go to Dotster (which is a thawte reseller) for server.mayfirst.org (from the Dotster home page click Other Products -> ssl, get the 123 certificate).

This will take a day or so to be generated.

Once generated, log in to Dotster using the mayfirst username. Click on My Services. You should see the new SSL cert listed.

Click Manage services.

Copy the CRT into a file called:

server.mayfirst.org.crt

(replace server with the name of the server being set up)

Courier wants a single PEM file containing the private key, the certificate and DH parameters, in that order. Build it from the key and the CRT, then append the DH parameters:

{{{
cat server.mayfirst.org.key server.mayfirst.org.crt > server.mayfirst.org.pem
openssl dhparam 2048 >> server.mayfirst.org.pem
chmod 600 server.mayfirst.org.pem
}}}

(openssl dhparam replaces openssl gendh, which defaulted to 512-bit parameters and is gone from current OpenSSL releases; 2048 bits is the smallest size worth generating now.)

This file contains the private key, so keep it mode 600 and root-owned. It will be used by courier.

Apache takes the key and the certificate as two separate files:

server.mayfirst.org.key

server.mayfirst.org.crt

These will be used by apache.

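The steps above leave three files that are combined differently for Courier and Apache. The script below is an added example, not part of the original page: it assembles the Courier PEM in the required order with safe permissions and checks that the certificate the CA issued really belongs to the generated key, which is the one thing worth verifying before anything is copied into /etc. File names follow the page; the function names and the sample PEM blocks used in the test are assumed.

```shell
#!/bin/sh
# Added example: build the TLS files the rest of this page uses and verify
# the certificate really belongs to the generated key. Not part of the
# original page; function names are assumed.

# assemble_pem OUT FILE... : concatenate FILEs into OUT in the given order.
# Courier's imapd.pem/pop3d.pem must be: private key, certificate, DH
# parameters, in that order. OUT holds the private key, so it is created 0600.
assemble_pem() {
    out=$1; shift
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    ( umask 077; cat "$@" > "$out" ) || return 1
    chmod 600 "$out"
}

# pem_order FILE : print the BEGIN labels found in FILE joined by "|", e.g.
# "RSA PRIVATE KEY|CERTIFICATE|DH PARAMETERS", so the order can be checked.
pem_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -s -d '|' -
}

# key_matches_cert KEY CRT : succeed only if the modulus in CRT equals the
# modulus of KEY. A CA occasionally issues against the wrong CSR; catching
# that here beats debugging a failing TLS handshake on the mail server.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical use on the server, after the CRT has been saved as
# server.mayfirst.org.crt ("openssl dhparam" replaces the old "openssl gendh"):
#   openssl dhparam -out server.mayfirst.org.dh 2048
#   key_matches_cert server.mayfirst.org.key server.mayfirst.org.crt || exit 1
#   assemble_pem server.mayfirst.org.pem server.mayfirst.org.key \
#       server.mayfirst.org.crt server.mayfirst.org.dh
#   pem_order server.mayfirst.org.pem
```

Newer OpenSSL writes keys in PKCS#8 form, so the first label reported by pem_order may be "PRIVATE KEY" rather than "RSA PRIVATE KEY"; the order is what matters. key_matches_cert compares RSA moduli, which is what the 4096-bit key generated above produces.
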
=Use volatile for SA and clamav=

The clamav packages track the volatile archive and spamassassin the volatile-sloppy archive, so that scanner and rule updates arrive without waiting for a stable point release.

 * Edit /etc/apt/sources.list. Add the following:
{{{
# clamav (volatile) and spam assassin (volatile-sloppy)
deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
deb http://debian.domainmail.org/debian-volatile etch/volatile main
}}}
 * Edit (or add) /etc/apt/preferences. Add the following, so that spamassassin and spamc are taken from volatile-sloppy even though it is not the default release:
{{{
Package: spamassassin
Pin: release a=etch-sloppy
Pin-Priority: 991

Package: spamc
Pin: release a=etch-sloppy
Pin-Priority: 991
}}}
 * Run sudo apt-get update afterwards.

=Install debian packages=

{{{
$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute bzip2
}}}

Now install php-pear and php-log. You must install these before installing imp4, or else imp4 will try to pull in unneeded php4 packages.

{{{
sudo apt-get install php-pear php-log
}}}

And now imp4:

{{{
sudo apt-get install imp4 turba2 ingo1
}}}

Add the pear File package so that Turba (address book) can import address books. First try apt, but don't let it proceed if it still tries to pull in php4 (which it was doing as of April 11, 2007); read the list of packages apt proposes before confirming:

{{{
sudo apt-get install php-file
}}}

If it is trying to pull in php4, then install it via pear instead:

{{{
sudo pear install -o File
}}}

=Configure HE routes=

The servers in the rack have addresses in several different /28 blocks. In order to route traffic directly from computer to computer (across the different subnetworks) instead of through the upstream router, add a direct route on eth0 to each of the other blocks.

Create a file called add-he-routes with the following contents:

{{{
#!/bin/bash
# add routes for alternate blocks in rack
# scripts in if-up.d run for every interface (including lo), so only act
# when eth0 itself is being brought up
[ "$IFACE" = "eth0" ] || exit 0
ip route add 209.51.172.0/28 dev eth0
ip route add 209.51.169.80/28 dev eth0
ip route add 209.51.163.192/28 dev eth0
ip route add 209.51.180.16/28 dev eth0
}}}

Comment out the line representing the network this server is on (that route already exists from the interface configuration).

Save the file in /etc/network/if-up.d and chmod it to 755. run-parts only executes files in that directory whose names consist of letters, digits, hyphens and underscores, so keep the name as given.

And add a corresponding file, with the same line commented out, that removes the routes again when the interface goes down:

{{{
#!/bin/bash
# remove routes for alternate blocks in rack
[ "$IFACE" = "eth0" ] || exit 0
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
ip route del 209.51.180.16/28
}}}

Save the file in /etc/network/if-down.d and chmod it to 755.

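The two files above have to be kept in step by hand. As an added example (not the page's own script), here is one file that can be installed under both if-up.d and if-down.d: ifupdown exports IFACE and MODE to every hook it runs, so the script acts only for eth0 and derives add versus del from MODE. The list of /28 blocks is the page's; LOCAL_BLOCK, DEV and the function name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the page's own script. Install the same file as
# /etc/network/if-up.d/he-routes and /etc/network/if-down.d/he-routes.
# ifupdown runs every hook for every interface and exports IFACE and
# MODE (start for if-up, stop for if-down), so one file serves both.

# The /28 blocks in the rack, from the page. LOCAL_BLOCK is the block this
# server's own address is in (assumed here; set it per server). Its route
# already exists from the interface configuration and must be skipped.
BLOCKS="209.51.172.0/28 209.51.169.80/28 209.51.163.192/28 209.51.180.16/28"
LOCAL_BLOCK=${LOCAL_BLOCK:-209.51.169.80/28}
DEV=${DEV:-eth0}

# route_cmds MODE LOCAL : print one ip(8) command per foreign block.
# start adds, stop deletes, anything else prints nothing.
route_cmds() {
    mode=$1; skip=$2
    for b in $BLOCKS; do
        [ "$b" = "$skip" ] && continue
        case $mode in
            start) echo "ip route add $b dev $DEV" ;;
            stop)  echo "ip route del $b dev $DEV" ;;
        esac
    done
}

# Only act when ifupdown is handling eth0; sourcing or testing the file
# outside ifupdown (IFACE unset) changes nothing.
if [ "${IFACE:-}" = "$DEV" ]; then
    route_cmds "${MODE:-}" "$LOCAL_BLOCK" | while read -r cmd; do
        $cmd || echo "he-routes: failed: $cmd" >&2
    done
fi
```

A failed add or del is logged rather than aborting, so one stale route cannot stop the interface from coming up.
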
=Configure suPHP=

suPHP runs each PHP script as the owner of the script file instead of as www-data, so every packaged web application needs an owner of its own. The script below creates one system user per application (phpmyadmin, horde, squirrelmail) and uses dpkg-statoverride so that the ownership of the package's .php files survives package upgrades.

 * Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
{{{
#!/bin/bash -e

#
# phpmyadmin
#
# use /var/lib/phpmyadmin as home dir because it already exists

# "getent passwd NAME" looks up the exact account; the old
# "getent passwd | grep NAME" also matched any line merely containing NAME
if ! getent passwd phpmyadmin >/dev/null; then
    adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false --gid 65534 phpmyadmin
fi
#userdel phpmyadmin
phpmyadmin_files=$(dpkg -L phpmyadmin | grep '\.php')

for file in $phpmyadmin_files; do
    dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 "$file"
    #dpkg-statoverride --remove "$file"
done

#
# horde: share one user between horde and imp and any other horde apps
#
# use /var/log/horde as home directory because it already exists
if ! getent passwd horde >/dev/null; then
    adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false --gid 65534 horde
fi
#userdel horde

# chown the directory recursively to get existing logs
# it is written to by the web process
chown -R horde /var/log/horde
# conf.php holds the database password
chown horde /etc/horde/horde3/conf.php
#chmod 600 /etc/horde/horde3/conf.php

# add it to the mix (a directory needs the x bit or horde cannot create
# its log file inside it)
dpkg-statoverride --add --update --force --quiet horde nogroup 755 /var/log/horde
#dpkg-statoverride --remove /var/log/horde

# ack - this is not maintainable!
# the package's logrotate snippet recreates the log as www-data; make it
# use the user the web process now runs as
perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3

horde_files=$(dpkg -L horde3 | grep '\.php')
imp_files=$(dpkg -L imp4 | grep '\.php')
turba_files=$(dpkg -L turba2 | grep '\.php')
ingo_files=$(dpkg -L ingo1 | grep '\.php')
all_horde_files="$horde_files $imp_files $turba_files $ingo_files"

for file in $all_horde_files; do
    dpkg-statoverride --add --update --force --quiet horde nogroup 444 "$file"
    #dpkg-statoverride --remove "$file"
done

#
# squirrelmail
#
if ! getent passwd squirrelmail >/dev/null; then
    adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false --gid 65534 squirrelmail
fi
#userdel squirrelmail
sm_files=$(dpkg -L squirrelmail | grep '\.php')

# the preferences directory is written by the web process
chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
#dpkg-statoverride --remove /var/lib/squirrelmail/data

for file in $sm_files; do
    dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 444 "$file"
    #dpkg-statoverride --remove "$file"
done
}}}
 * Edit /etc/suphp/suphp.conf
{{{
[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
;allow_file_group_writeable=false
allow_file_group_writeable=true
;allow_file_others_writeable=false
allow_file_others_writeable=true
;allow_directory_group_writeable=false
allow_directory_group_writeable=true
;allow_directory_others_writeable=false
allow_directory_others_writeable=true

;Check whether script is within DOCUMENT_ROOT
;check_vhost_docroot=true
check_vhost_docroot=false

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
;umask=0077
umask=0022

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100


[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self
}}}

Be clear about what this configuration gives up. The four allow_*_writeable options are set to true and check_vhost_docroot to false with docroot=/, so suPHP will run a PHP file that is group- or world-writable, or that lives anywhere on the filesystem, as long as the file's owner has a uid and gid of at least 100. suPHP's defaults (false, and true) refuse such scripts because a writable script or directory lets any other local user plant code that then runs as the script's owner. With the checks relaxed here, that protection has to come from the ownership and modes of the files themselves. min_uid and min_gid are what still prevent root-owned or other low-uid scripts from being executed, so do not lower them; the application users created by the script above get uids in Debian's system range (100 and up) and so are allowed.

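Since the suphp.conf above turns off suPHP's own writability and docroot checks, those checks have to be done some other way. The two shell functions below are an added example, not part of the original page: suphp_relaxed_settings reports which options in a suphp.conf are weaker than suPHP's defaults, and writable_php lists PHP files and directories that other users could modify, over any trees you name. The function names and the sample configuration and directory tree in the test are assumed.

```shell
#!/bin/sh
# Added example, not part of the original page. The suphp.conf above tells
# suPHP to execute group- and world-writable scripts and scripts anywhere on
# the filesystem, so those two checks no longer happen at request time. The
# functions below are a substitute to run after the statoverride script.
# Function names and the sample tree in the test are assumed.

# suphp_relaxed_settings CONF : print "option=value" for every security
# option that is weaker than suPHP's own default (allow_*_writeable=false,
# check_vhost_docroot=true, a docroot narrower than "/").
suphp_relaxed_settings() {
    grep -E '^(allow_(file|directory)_(group|others)_writeable|check_vhost_docroot|docroot)=' "$1" |
    while IFS='=' read -r opt val; do
        case "$opt=$val" in
            allow_*=false) ;;                # strict value, nothing to report
            check_vhost_docroot=true) ;;
            docroot=/) echo "$opt=$val" ;;   # "/" means no path restriction at all
            docroot=*) ;;
            *) echo "$opt=$val" ;;
        esac
    done
}

# writable_php DIR... : print PHP files, and any directories, under DIR that
# are group- or world-writable. With the relaxed suphp.conf, a file listed
# here can be edited by other users and then runs as its owner; a directory
# listed here lets them add such a file. Unlike dpkg-statoverride this also
# covers files created after the package was installed.
writable_php() {
    find "$@" \( -type d -o -name '*.php' \) \
        \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null | sort
}

# Typical use, over the same trees the statoverride script touched:
#   suphp_relaxed_settings /etc/suphp/suphp.conf
#   writable_php /usr/share/phpmyadmin /usr/share/horde3 /usr/share/squirrelmail
```

Run writable_php again after every package upgrade; a new file the package adds is not covered by the existing statoverrides until the script above is rerun.
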
=Configure fail2ban=

Create /etc/fail2ban/jail.local and put the following in it. Settings in jail.local override jail.conf, which the package replaces on upgrade, so local changes belong here rather than in jail.conf:
{{{
[DEFAULT]
bantime = 200

action = iptables[name=%(__name__)s, port=%(port)s]
         mail-whois[name=%(__name__)s, dest=%(destemail)s]

}}}

bantime is in seconds, so a banned address is released after a little over three minutes. The action both inserts the iptables rule and mails a whois report for the banned address to destemail.

=Install Red=

 * Edit /etc/apt/sources.list - make sure non-free is there, e.g.:
{{{
deb http://http.us.debian.org/debian stable main contrib non-free
}}}
 If you added anything to this line, run sudo apt-get update afterwards. ucspi-tcp ships only as a non-free source package that is built locally:
{{{
$ sudo apt-get install ucspi-tcp-src
$ sudo build-ucspi-tcp
}}}

 * Create a user in the red database with (change sylvia to the name of the server, and use a real password in place of 'secret'). The grants are deliberately narrow: read everything, update only red_item, insert only into the error log:

{{{
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
}}}

 * Download the source from cvs. Copy and paste the following commands:

{{{
$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir -p /usr/local/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in *.sample; do sudo cp "$file" "/usr/local/etc/red/${file%.sample}"; done
}}}

The last command, in case you are interested, copies every file in this directory that ends in .sample to a file with the .sample part stripped off.

 * Edit the file called pinky. Change the IP address to the machine's real IP address. Also edit red_server.conf to add the database user and password; since that file now holds a credential, make sure it is not world-readable.
 * Launch pinky with:
{{{
$ sudo /usr/local/sbin/pinky &
}}}
 Started this way pinky is not restarted on reboot; this is the one-time start during setup, not a service definition.

=Postfix setup=

 * Create aliases in /etc/aliases

{{{
www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org
}}}

Don't forget to run newaliases!

 * Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix

{{{
cd /etc/postfix
sudo touch virtual_alias_maps virtual_alias_domains access
}}}

Build the hash databases for all three (later we can add entries in access to restrict or allow senders). Postfix reads the .db files, not the text files, so postmap has to be rerun after every edit, and it refuses to start if a hash: table named in main.cf has no .db file yet:

{{{
sudo postmap access virtual_alias_maps virtual_alias_domains
}}}

 * Add the following to the bottom of the /etc/postfix/main.cf file:

{{{
# May First custom config
# file based virtual hosting configuration

# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

# use maildir
home_mailbox = Maildir/

# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1

# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions =
    hash:/etc/postfix/access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

# Added for amavisd-new
content_filter=smtp-amavis:[127.0.0.1]:10024
}}}

 * Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (the smtp-amavis transport named in content_filter above, and the listener that takes mail back from amavis after scanning).


 * Postfix as secure mail relay setup

The goal is that members can relay through this server from anywhere, but only after authenticating, and only over TLS so that the password never crosses the network in the clear.

 * Install the sasl packages
{{{
sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
}}}

 * Configure sasl
{{{
sudo vim /etc/default/saslauthd
}}}

Uncomment START=yes and change MECHANISMS to read:
{{{
MECHANISMS="shadow"
}}}
With the shadow mechanism saslauthd checks SMTP AUTH passwords against the system accounts in /etc/shadow, so every system user can relay with their login password.

 * Add postfix to the sasl group, so that smtpd can reach the saslauthd socket
{{{
sudo addgroup postfix sasl
}}}

 * Make the /etc/postfix/ssl directory and copy the pem file there. The combined file built in the certificate section above serves here, since it contains both the key and the certificate:
{{{
sudo mkdir /etc/postfix/ssl
sudo cp /wherever/server.mayfirst.org.pem /etc/postfix/ssl/
sudo chmod 600 /etc/postfix/ssl/server.mayfirst.org.pem
}}}

 * Edit main.cf
{{{
# to enable authentication for sending email
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# TLS Stuff here:
smtpd_use_tls = yes
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
}}}
Replace your-server-key-here.pem with the file copied above; key and cert point at the same file because it contains both. The order in smtpd_recipient_restrictions matters: the list is evaluated left to right, and reject_unauth_destination must be reached for every client that is neither authenticated nor in mynetworks, or the server is an open relay.

 * Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot column from "-" to "n": a chrooted smtpd cannot reach the saslauthd socket under /var/run/saslauthd, so authentication would silently fail.

 * Create /etc/postfix/sasl/smtpd.conf

{{{
sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login
}}}
plain and login transmit the password itself rather than a challenge response, which is why smtpd_tls_auth_only above is not optional.

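The relay settings above are easy to get subtly wrong (a misplaced comma, a permit in the wrong place, a continuation line that was not indented), and the failure mode is an open relay or a password on the wire. The script below is an added example, not part of the original page: it flattens a main.cf the way Postfix reads it and then checks the three properties the section is trying to establish. Function names and the two sample configurations in the test are assumed.

```shell
#!/bin/sh
# Added example, not part of the original page: check the relay-related
# settings of a main.cf before reloading postfix. Function names and the
# sample configs in the test are assumed.

# postconf_flat FILE : one "name = value" per line, continuation lines (a
# line starting with whitespace continues the previous parameter) joined,
# comments dropped, last assignment wins as in Postfix itself.
postconf_flat() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]+/  { if (name != "") val = val " " $0; next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            if (name != "") seen[name] = val
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val)
            next
        }
        END {
            if (name != "") seen[name] = val
            for (n in seen) {
                v = seen[n]
                gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
                print n " = " v
            }
        }' "$1" | sort
}

# param FLAT NAME : the value of NAME from postconf_flat output, or empty.
param() {
    printf '%s\n' "$1" | sed -n "s/^$2 = //p"
}

# check_relay_config FILE : print one line per problem; succeed only if the
# host will neither relay for strangers nor accept passwords in the clear.
check_relay_config() {
    flat=$(postconf_flat "$1"); rc=0

    # AUTH must only be offered inside TLS: PLAIN and LOGIN carry the
    # password itself.
    [ "$(param "$flat" smtpd_tls_auth_only)" = "yes" ] ||
        { echo "smtpd_tls_auth_only is not yes: AUTH would be offered in clear"; rc=1; }

    opts=" $(param "$flat" smtpd_sasl_security_options | tr ',' ' ') "
    case "$opts" in
        *" noanonymous "*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac

    # Restrictions are evaluated left to right and the first permit/reject
    # wins. permit_sasl_authenticated and permit_mynetworks only match
    # clients we trust; a bare "permit" before reject_unauth_destination, or
    # no reject_unauth_destination at all, makes this an open relay.
    found=0
    for r in $(param "$flat" smtpd_recipient_restrictions | tr ',' ' '); do
        case $r in
            reject_unauth_destination) found=1; break ;;
            permit) echo "unconditional permit precedes reject_unauth_destination"; rc=1 ;;
        esac
    done
    [ "$found" = 1 ] || { echo "reject_unauth_destination missing"; rc=1; }
    return $rc
}

# Typical use before "postfix reload":
#   check_relay_config /etc/postfix/main.cf && echo ok
```

postconf_flat only reads the file it is given, so settings that come from Postfix's compiled-in defaults are reported as empty; on a live system, `postconf -n` shows the same explicit settings and can be checked the same way.
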
=Setup Postgrey=

Postgrey temporarily rejects mail (with a 450 "try again later") for 5 minutes the first time it sees a particular combination of client IP address, sender and recipient. Real mail servers retry; most spam engines do not, so a lot of spam is never delivered.

 * Install Postgrey
{{{
sudo apt-get install postgrey
}}}
 * Edit /etc/default/postgrey adding the following line:
{{{
POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
}}}
 * Restart postgrey
{{{
/etc/init.d/postgrey restart
}}}
 * Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza (after reject_unauth_destination, so that relay decisions are still made first and only mail we would accept anyway gets greylisted):
{{{
check_policy_service inet:127.0.0.1:60000
}}}

=Setup Courier=

 * Create an empty shared/index file (otherwise courier logs an error about the missing shared-folder index):
{{{
mkdir /etc/courier/shared
touch /etc/courier/shared/index
}}}
 * Setup ssl - copy the combined pem file (key, certificate and DH parameters, built in the certificate section above) into /etc/courier under the names the imap and pop3 daemons expect. The files hold the private key, so keep them root-owned and mode 600:
{{{
cp server.mayfirst.org.pem /etc/courier/imapd.pem
cp server.mayfirst.org.pem /etc/courier/pop3d.pem
chmod 600 /etc/courier/imapd.pem /etc/courier/pop3d.pem
}}}

=Setup amavis=

 * Edit /etc/amavis/conf.d/50-user

Add the following lines above the final "1;" line (which has to stay last so that the file still returns true to Perl):
{{{
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
$final_banned_destiny = D_PASS;  # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
}}}

The @bypass_virus_checks_maps assignment is what switches virus scanning on; the Debian package ships with it commented out in 15-content_filter_mode. With D_PASS, amavis tags banned, spam and bad-header mail and hands it on rather than bouncing or dropping it, so the per-user filtering happens later in maildrop and spamassassin.

 * Add clamav to the amavis group so that clamd can read the files amavis unpacks for scanning:
{{{
sudo addgroup clamav amavis
}}}

 * Add AllowSupplementaryGroups to /etc/clamav/clamd.conf (without it clamd drops its supplementary groups when it changes to the clamav user, and the group membership just added has no effect)
 * Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:
{{{
# Find and delete all emails older than 14 days
2 4 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +14 -exec rm '{}' \;
}}}

=Configure Spamassassin=

 * Install helper packages
{{{
sudo apt-get install razor dcc-client
}}}

 * Add a new rule for spamassassin (debian etch or above only!)

   * Create /usr/local/share/spamassassin/plugins
{{{
sudo mkdir -p /usr/local/share/spamassassin/plugins
}}}
   * Download the ImageInfo plugin to that directory
{{{
cd /usr/local/share/spamassassin/plugins
sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
}}}
   * Add the rule to /etc/spamassassin
{{{
cd /etc/spamassassin
sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
}}}
   * Edit /etc/spamassassin/init.pre. Add the following line:
{{{
loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
}}}
   Both downloads come over plain http with no signature, and the .pm file is Perl that runs with spamd's privileges once it is loaded; read what was fetched before adding the loadplugin line.

 * Enable dcc - uncomment the line in /etc/spamassassin/v310.pre that refers to DCC
 * Turn on subject munging (uncomment the rewrite_header Subject line in /etc/spamassassin/local.cf)
 * Add a temporary workaround to get spamassassin to properly tag messages sent to us via TLS by adding these lines to /etc/spamassassin/local.cf:
{{{
header LOCAL_AUTH_RCVD Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
score LOCAL_AUTH_RCVD -20
}}}
(edit the host name)
See: http://wiki.apache.org/spamassassin/DynablockIssues

Treat this as the temporary measure it says it is. The rule is tested against every Received header in the message, not just the one this server added, and -20 outweighs any spam score, so a sender who forges a Received line containing "(using TLS...) by chavez.mayfirst.org " gets an automatic pass. The page linked above describes the proper fix, which is to declare the server's own addresses in trusted_networks and internal_networks so that spamassassin knows which Received headers to believe.

 * Turn off report safe (in /etc/spamassassin/local.cf set report_safe 0, so that spam is tagged with headers instead of being wrapped up as an attachment)
 * Edit /etc/default/spamassassin - enable spamassassin (ENABLED=1)
 * Setup sa-update
{{{
sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
# test with:
sudo sa-update -D
# make sure the above command exited cleanly
}}}
 Then create a file in /etc/cron.daily called "mfpl-sa-update" (mode 755, or run-parts skips it) with:
{{{
#!/bin/bash
# sa-update exits 0 when new rules were installed, 1 when there was nothing
# new, and higher when something went wrong (download or lint failure).
# Restart only on 0, stay quiet on 1 so cron doesn't mail us every day,
# and let a real failure through so that it does get reported.
sa-update
rc=$?
case $rc in
    0) /etc/init.d/spamassassin restart ;;
    1) ;;
    *) echo "sa-update failed with exit code $rc" >&2; exit $rc ;;
esac
exit 0
}}}

=Maildrop=

Edit /etc/maildroprc and add the following lines:

{{{
DEFAULT="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"
}}}

xfilter pipes the message through spamc and continues delivery with whatever comes back. If spamd is not running, spamc passes the message through unchanged (unless it is run with -x), so mail keeps flowing, just untagged.

=Webmail setup=

 * Symlink the squirrelmail apache conf file:

{{{
$ sudo ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
}}}

 * Edit the /etc/apache2/conf.d/horde.conf file. Add:
{{{
Redirect /webmail https://servername.mayfirst.org/horde3
}}}
 * Copy the various /etc/horde/*/conf.php files from chavez
 * Edit /etc/horde/imp4/servers.php (see chavez for details)
 * Run sudo /etc/squirrelmail/conf.pl
   * Change 1: organizational preferences (org name, provider link, provider name)
   * Change 2: server settings: A IMAP Settings (port: 993, secure imap: true, server software: courier)
   * Plugins: install delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)

 * Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
 * Edit it - change the password to a good password (the script creates the horde database and the MySQL user horde uses to reach it)
 * Import it into mysql
 * Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
{{{
mysql -u root -p horde < /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
}}}

=Install Drupal=

 * Download from drupal.org into /usr/local/share/
 * Name the drupal directory after the version (i.e. drupal-4.7.3)
 * Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
 * Tar up all the files from /usr/local/share/drupal-modules-4.7 on wiwa and place them in /usr/local/share/drupal-modules-4.7 on the target server.

=Configure Apache=

 * In /etc/apache2/sites-available/default change NameVirtualHost * to NameVirtualHost *:80
 * Change <VirtualHost *> to <VirtualHost *:80> and, in the same block, set:
{{{
ServerAdmin apache@mayfirst.org
DocumentRoot /srv/apache/web
}}}
 (create the /srv/apache/web directory and an index.html file in it)

Binding the default host to *:80 rather than * keeps it from also claiming port 443, which the https host needs.

=Configure logrotate=

Create a file called apache2-red in the /etc/logrotate.d directory with:

{{{
/home/members/*/sites/*/logs/*.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}
}}}

The per-site logs live under members' home directories but are created root-owned and world-readable (644): members can read their own site's logs, while only apache writes them. sharedscripts means apache is restarted once for the whole set of logs rather than once per file.

=Configure logcheck=

Copy from wiwa to the server:
{{{
/etc/logcheck/logcheck.conf
/etc/logcheck/ignore.d.server/local-*
}}}

The local-* files hold the ignore patterns for routine log lines; logcheck mails everything that no pattern matches, so a new server without them reports every ordinary event.

=Configure cron-apt=

Edit /etc/cron-apt/config and change the MAILON line to MAILON="upgrade", so that mail is sent when there are package upgrades rather than on every run.

=Configure Awstats=

 * Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
 * Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from chavez to the target server.
 * Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
 * Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats

=Configure Mutt=

Create /etc/Muttrc.d and put in it a file named maildir.rc with:

{{{
set mbox_type=Maildir
set mbox=~/Maildir
set spoolfile=~/Maildir
set folder=~/Maildir
}}}

=Change ssh=

Make sure the following settings are set in /etc/ssh/sshd_config:
{{{
PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes
}}}

AllowGroups sshusers means only members of the sshusers group can log in over ssh at all, whatever their shell; create the group and add the admin accounts to it before restarting sshd, or you lock yourself out. Password authentication stays on because Contribute needs it; fail2ban (configured above) limits the brute-force exposure that leaves, and the password logins are confined to the sshusers group.

=Configure phpmyadmin=

Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d:

{{{
cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
}}}

Add the phpmyadmin alias (check first that the copied file does not already define it):

{{{
echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
}}}

=Setup Backup=

 * Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
 * Edit /etc/mf-backup.xml as needed
 * Be sure to grant the mysql backup user the proper permissions with (use a real password in place of 'secret'):
{{{
GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret';
}}}
 SELECT on *.* includes the mysql.user table, so this account can read every MySQL password hash on the server; wherever mf-backup stores its password, keep that file readable by root only.
