Context Navigation

Changes between Version 19 and Version 20 of configure_new_server

Timestamp:: Nov 29, 2007, 5:44:23 PM (16 years ago)
Author:: Jamie McClelland
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

configure_new_server

-              v19
+              v20
 = Setup Debian Server for May First/People Link =
+NOTE: This page is currently deprecated as I work on [ticket:241 writing a script to do these things]. I'm making small modifications to the script and not reflecting them on this page. Stay tuned for the updated (and much shorter) instructions.
+== Purchase an ssl certificate ==
+ * Generate a private key and certificate signing request.
+The process for setting up a new MFPL shared server is now automated via [source:trunk/pumpkin pumpkin]. To setup a new server, cd into the root directory and type:
 {{{
+openssl genrsa -out server.mayfirst.org.key 4096
+openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
+aptitude install svn
+svn co https://svn.mayfirst.org/mfpl/trunk/pumpkin
+cd pumpkin
+./setup-new-server [server-name] /
 }}}
- * Change the domain@mayfirst.org email alias to point to your address.
- * Go to RapidSSL to purchase a certificate for server.mayfirst.org. This will take a day or so to be generated.
- * Concat the CRT and KEY file into a file called: server.mayfirst.org.pem (replace server with the name of the server being setup)
- * Then add dh paramaters with:
-{{{
-openssl gendh >> server.mayfirst.org.pem
-}}}
- * Copy into /etc/ssl/private/
- * Copy the .crt file to /etc/ssl/
-== Use volatile for SA and clamav ==
- * Edit /etc/apt/sources.list. Add the following:
-{{{
-# clamav (volatile) and spam assassin (volatile-sloppy)
-deb http://volatile.debian.org/debian-volatile etch/volatile main
-deb http://volatile.debian.org/debian-volatile etch/volatile-sloppy main
-}}}
-== Install debian packages ==
-{{{
-$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute  bzip2 imagemagick php-pear php-log imp4 turba2 ingol php-file
-}}}
-== Configure HE routes ==
-In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes
- * Create a file called add-he-routes with the following contents. Replace CANONICAL-IP with the IP that you want the server to use as it's src ip. It should be the same as the IP you use when setting up the host DNS record.
-{{{
-#!/bin/bash
-# add routes for alternate blocks in rack src CANONICAL-IP
-#ip route add 209.51.172.0/28 dev eth0 src CANONICAL-IP
-ip route add 209.51.169.80/28 dev eth0 src CANONICAL-IP
-#ip route add 209.51.163.192/28 dev eth0 src CANONICAL-IP
-ip route add 209.51.180.16/28 dev eth0 src CANONICAL-IP
-ip route add 209.51.163.0/27 dev eth0 src CANONICAL-IP
-}}}
- * Comment out the line representing the network this server is on
- * Save the file in /etc/network/if-up.d and chmod it to 755
- * And add a corresponding file:
-{{{
-#!/bin/bash
-# remove routes for alternate blocks in rack
-ip route del 209.51.172.0/28
-ip route del 209.51.169.80/28
-ip route del 209.51.163.192/28
-#ip route del 209.51.180.16/28
-ip route del 209.51.163.0/27
-}}}
- * Save the file in /etc/network/if-down.d and chmod it to 755
-== Configure suPHP ==
- * Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
-{{{
-#!/bin/bash -e
+#
-# phpmyadmin
+#
-# use /var/lib/phpmyadmin as home dir because it already exists
-if ! (getent passwd phpmyadmin) ; then
-adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false -gid 65534 phpmyadmin
-fi
-#userdel phpmyadmin
-phpmyadmin_files =`dpkg -L phpmyadmin | grep '\.php'`
-for file in $phpmyadmin_files; do
-dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
-# #dpkg-statoverride --remove $file
-done
+#
-# horde: share one user between horde and imp and any other horde apps
+#
-# use /var/log/horde as home directory because it already exists
-if ! (getent passwd horde) ; then
-adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false -gid 65534 horde
-fi
-#userdel horde
-# chown the directory recursively to get existing logs
-# it is written to by the web process
-chown -R horde /var/log/horde
-chown horde /etc/horde/horde3/conf.php
-#chmod 600 /etc/horde/horde3/conf.php
-# add it to the mix
-dpkg-statoverride --add --update --force --quiet  horde nogroup 644 /var/log/horde
-#dpkg-statoverride --remove /var/log/horde
-# ack - this is not mainainable!
-perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
-horde_files =`dpkg -L horde3 | grep '\.php'`
-imp_files =`dpkg -L imp4 | grep '\.php'`
-turba_files =`dpkg -L turba2 | grep '\.php'`
-ingo_files =`dpkg -L ingo1 | grep '\.php'`
-all_horde_files ="$horde_files $imp_files $turba_files $ingo_files"
-for file in $all_horde_files; do
-dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
-#dpkg-statoverride --remove $file
-done
-if ! (getent passwd|grep squirrelmail) ; then
-adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false -gid 65534 squirrelmail
-fi
-#userdel squirrelmail
-sm_files =`dpkg -L squirrelmail | grep '\.php'`
-chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
-dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
-#dpkg-statoverride --remove /var/lib/squirrelmail/data
-for file in $sm_files; do
-dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file
-#dpkg-statoverride --remove $file
-done
-}}}
- * Edit /etc/suphp/suphp.conf
-{{{
-[global]
-;Path to logfile
-logfile =/var/log/suphp/suphp.log
-;Loglevel
-loglevel = info
-;User Apache is running as
-webserver_user = www-data
-;Path all scripts have to be in
-docroot =/
-;Path to chroot() to before executing script
-;chroot =/mychroot
-; Security options
-;allow_file_group_writeable = false
-allow_file_group_writeable = true
-;allow_file_others_writeable = false
-allow_file_others_writeable = true
-;allow_directory_group_writeable = false
-allow_directory_group_writeable = true
-;allow_directory_others_writeable = false
-allow_directory_others_writeable = true
-;Check wheter script is within DOCUMENT_ROOT
-;check_vhost_docroot = true
-check_vhost_docroot = false
-;Send minor error messages to browser
-errors_to_browser = false
-;PATH environment variable
-env_path =/bin:/usr/bin
-;Umask to set, specify in octal notation
-;umask =0077
-umask =0022
-; Minimum UID
-min_uid =100
-; Minimum GID
-min_gid =100
-[handlers]
-;Handler for php-scripts
-x-httpd-php = php:/usr/bin/php-cgi
-;Handler for CGI-scripts
-x-suphp-cgi = execute:!self
-}}}
-== Configure fail2ban ==
-Create /etc/fail2ban/jail.local. Modify the following lines, by adding them to the jail.local file that you just created:
-{{{
-[DEFAULT]
-bantime  = 200
-action = iptables[name =%(__name__)s, port =%(port)s]
-mail-whois[name =%(__name__)s, dest =%(destemail)s]
-}}}
-== Install Red ==
- * Edit /etc/apt/sources.list - make sure non-free is there, e.g.: deb !http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
-{{{
-$ sudo apt-get install ucspi-tcp-src
-$ sudo build-ucspi-tcp
-}}}
- * Create a user in the red database with (change sylvia to name of server):
-{{{
-GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
-GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
-GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
-}}}
- * Download the source from cvs
- * Copy and paste the following commands
-{{{
-$ cd /usr/local/share
-$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
-$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
-$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
-$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
-$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
-$ sudo mkdir /usr/local/etc
-$ sudo mkdir /usr/local/etc/red
-$ cd /usr/local/share/red/server/etc/red
-$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
-$ cd /usr/local/etc/red
-$ for file in `ls *.sample`; do sudo cp $file /usr/local/etc/red/${file%.sample}; done;
-}}}
- * Edit the file called pinky. Change ip address to machine's real ip address. also edit red_server.conf, to add the database user and password.
- * Launch pinky with:
-{{{
-$ sudo /usr/local/sbin/pinky &
-}}}
-== Postfix setup ==
- * Create aliases in /etc/aliases
-{{{
-www: www-data
-www-data: apache@mayfirst.org
-root: root@mayfirst.org
-}}}
- * Don't forget to run newaliases!
- * Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix
-{{{
-sudo touch virtual_alias_maps virtual_alias_domains access
-}}}
-Create an empty access database (later we can add entries in access to restrict or allow senders):
-{{{
-sudo postmap access
-}}}
- * Create /var/lib/postfix (used by tls), owned by root
-{{{
-mkdir /var/lib/postfix
-}}}
- * Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name)
-{{{
-# May First custom config
-# file based virtual hosting configuration
-# List of virtual domain names
-virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
-# list of email address -> unix account mappings
-virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
-# use maildir
-home_mailbox = Maildir/
-# Added for maildrop
-mailbox_command = /usr/bin/maildrop
-maildrop_destination_recipient_limit = 1
-# Added by jamie 6/10/04 to try to stem the tide of spam
-smtpd_sender_restrictions =
-  hash:/etc/postfix/access,
-  reject_non_fqdn_sender,
-  reject_unknown_sender_domain,
-  permit
-# Added for amavisd-new
-content_filter=smtp-amavis:[127.0.0.1]:10024
-# to enable authentication for sending email
-# and postgrey (policy port 6000 line)
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous
-smtpd_sasl_local_domain = $myhostname
-broken_sasl_auth_clients = yes
-smtpd_recipient_restrictions =
-  permit_sasl_authenticated,
-  permit_mynetworks,
-  reject_unauth_pipelining,
-  reject_non_fqdn_recipient,
-  reject_invalid_hostname,
-  reject_unknown_recipient_domain,
-  reject_unauth_destination,
-  check_policy_service inet:127.0.0.1:60000
-smtpd_sasl_authenticated_header = yes
-# TLS Stuff here:
-tls_random_source = dev:/dev/urandom
-tls_daemon_random_source = dev:/dev/urandom
-# sever side tls - offer tls encryption when an smtp client
-# (either user email program or sending smtp server) can use it
-smtpd_tls_security_level = may
-smtpd_tls_CApath = /etc/ssl/certs
-smtpd_tls_loglevel = 1
-smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
-# force people who want to authenticate to use tls - you can't authenticate
-# otherwise. This is important because passwords are sent in the clear
-smtpd_tls_auth_only = yes
-smtpd_tls_key_file = /etc/ssl/private/SERVER.mayfirst.org.pem
-smtpd_tls_cert_file = /etc/ssl/SERVER.mayfirst.org.crt
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_timeout = 3600s
-# client side - when we send to a server that offers tls, we should
-# accept
-smtp_tls_security_level = may
-smtp_tls_CApath = /etc/ssl/certs
-smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
-smtp_tls_loglevel = 1
-# http://www.postfix.org/TLS_README.html recommends leaving these
-# lines commented out so we don't present a client certificate.
-# It is rare to be required to have a client certificate and presenting
-# one sometimes causes problems
-#smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
-#smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
-}}}
- * Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off)
- * Postfix as secure mail relay setup
- * Install the sasl packages
-{{{
-sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
-}}}
- * Configure sasl. Edit /etc/default/saslauthd
-{{{
-Uncomment START = yes
-Change MECHANISMS to read:
-MECHANISMS ="shadow"
-}}}
- * Add postfix to the sasl group
-{{{
-sudo addgroup postfix sasl
-}}}
- * Make the /etc/postfix/ssl directory and copy the pem files there
-{{{
-sudo mkdir /etc/postfix/ssl
-sudo cp /whereever/server.pem /etc/postfix/ssl/
-}}}
- * Edit main.cf
-{{{
-# to enable authentication for sending email
-smtpd_sasl_auth_enable = yes
-smtpd_sasl_security_options = noanonymous
-smtpd_sasl_local_domain = $myhostname
-broken_sasl_auth_clients = yes
-smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
-# TLS Stuff here:
-smtpd_use_tls = yes
-# force people who want to authenticate to use tls - you can't authenticate
-# otherwise. This is important because passwords are sent in the clear
-smtpd_tls_auth_only = yes
-smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
-smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_timeout = 3600s
-tls_random_source = dev:/dev/urandom
-}}}
- * Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
- * Create /etc/postfix/sasl/smtpd.conf
-{{{
-sudo mkdir /etc/postfix/sasl
-sudo vim /etc/postfix/sasl/smtpd.conf
-# add these lines:
-pwcheck_method: saslauthd
-mech_list: plain login
-}}}
-== Setup Postgrey ==
-Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.
- * Install Postgrey
-{{{
-sudo apt-get install postgrey
-}}}
- * Edit /etc/default/postgrey adding the following line:
-{{{
-POSTGREY_TEXT ="Greylisted, see http://mayfirst.org/greylist"
-}}}
- * Restart postgrey
-{{{
-/etc/init.d/postgrey restart
-}}}
- * Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
-{{{
-check_policy_service inet:127.0.0.1:60000
-}}}
-== Setup Courier ==
- * Create a shared/index file that is empty (to avoid getting error messages in the log)
-{{{
-mkdir /etc/courier/shared
-touch /etc/courier/index
-}}}
- * Edit both imapd-ssl and pop3d-ssl:
-{{{
-TLS_CERTFILE=/etc/ssl/private/SERVER.mayfirst.org.pem
-}}}
-== Setup amavis ==
- * Edit /etc/amavis/conf.d/50-user
-Add the following lines
-{{{
-@bypass_virus_checks_maps = (
-\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
-$final_banned_destiny     = D_PASS;   # D_REJECT when front-end MTA
-$final_spam_destiny       = D_PASS;
-$final_bad_header_destiny = D_PASS;
-# *Don't* notify me about viruses. Please.
-$virus_admin = '';
-}}}
- * Add clamav to the amavis group with:
-{{{
-sudo addgroup clamav amavis
-}}}
- * Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
- * Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:
-{{{
-# Find and delete all emails older than 14 days
-4 * * *       amavis  find /var/lib/amavis/virusmails -mtime +14  -exec rm '{}' \;
-}}}
-== Configure Spamassassin ==
- * Install helper packages
-{{{
-sudo apt-get install razor dcc-client
-}}}
- * Enable dcc - uncomment line in /etc/spamassassin/v310.pre the refers to dcc
- * Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
- * Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0)
- * Edit /etc/default/spamassassin - enable spamassassin
-== Maildrop ==
-Edit /etc/maildroprc and add the following lines:
-{{{
-DEFAULT ="$HOME/Maildir"
-# spamassassin
-xfilter "/usr/bin/spamc -u $LOGNAME"
-`test -d $HOME/Maildir/`
-if( $RETURNCODE == 1 )
+{
-  `/usr/bin/maildirmake $HOME/Maildir/`
+}
-}}}
-== Webmail setup ==
- * Symlink the squirrelmail apache conf file:
-{{{
-$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
-}}}
- * Edit the /etc/apache2/conf.d/horde.conf file. Add:
-{{{
-Redirect /webmail https://servername.mayfirst.org/horde3
-}}}
- * Copy the various /etc/horde/*/conf.conf files from chavez
- * Edit /etc/horde/imp4/servers.php (see chavez for details)
- * Run sudo /etc/squirrelmail/conf.pl
- * Change 1: organizational preferences (org name, provider link, provider name)
- * Change 2: server settings: A IMAP Settings (port: 993, secure imap: true,
-server software: courier
- * Plugins: install: delete_move_next,squirrelspell, filters,abook_take,listcommands,mail_fetch,gpg (you will need to download
-this one from www.squirrelmail.org into the /usr/share/squirrelmail/plugins
- * Gunzip/usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
- * Edit - change the password to a good password
- * Import into mysql: Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
-{{{
-mysql -u root -p horde <  /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
-}}}
-== Install Drupal ==
- * Download from drupal.org into: /usr/local/share/
- * Name the drupal directory after the version (i.e. drupal-4.7.3)
- * Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
- * Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7 and place into the /usr/local/share/drupal-modules-4.7 on the target server.
-== Configure Apache ==
- * In /etc/apache2/site-available/default change NameVirtualHost * to: NameVirtualHost *:80
- * Change:
-{{{
-<VirtualHost *:80>
-ServerAdmin apache@mayfirst.org
-DocumentRoot /srv/apache/web (create this directory and index.html file)
-}}}
- * Add:
-{{{
-<VirtualHost *:443>
-        ServerName SERVER.mayfirst.org
-        ServerAlias www.SERVER.mayfirst.org
-        DocumentRoot /srv/apache/web
-        CustomLog /var/log/apache2/access.ssl.log combined
-        SSLEngine On
-        SSLCertificateFile /etc/apache2/ssl/SERVER.mayfirst.org.crt
-        SSLCertificateKeyFile /etc/apache2/ssl/SERVER.mayfirst.org.key
-        ErrorLog /var/log/apache2/error.log
-</VirtualHost>
-}}}
-== Configure logrotate ==
-Create a file called apache2-red in the /etc/logrotate.d directory with:
-{{{
-/home/members/*/sites/*/logs/*.log {
-weekly
-missingok
-rotate 12
-compress
-delaycompress
-notifempty
-create 644 root root
-sharedscripts
-postrotate
-if [ -f /var/run/apache2.pid ]; then
-/etc/init.d/apache2 restart > /dev/null
-fi
-endscript
+}
-}}}
-== Configure logcheck ==
-Copy from Wiwa to the server:
-{{{
-/etc/logcheck/logcheck.conf
-/etc/logcheck/ignore.d.server/local-*
-}}}
-== Configure cron-apt ==
-Edit /etc/cron-apt
-{{{
-Change line MAILON to MAILON ="upgrade"
-}}}
-== Configure Awstats ==
- * Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
- * Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from
-chavez to the target server.
- * Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
- * Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats
-== Configure Mutt ==
-Create /etc/Muttrc.d and put a file named maildir.rc with
-{{{
-set mbox_type = Maildir
-set mbox =~/Maildir
-set spoolfile =~/Maildir
-set folder =~/Maildir
-}}}
-== Change ssh ==
-Make sure the following settings are set:
-{{{
-PermitRootLogin no
-AllowGroups sshusers
-# Required for Contribute. Grr.
-PasswordAuthentication yes
-}}}
-== Congifure phpmyadmin ==
-Copy the apache conf file from /etc/phpmyadmin to /etc/apach2/conf.d
-{{{
-cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
-}}}
-Add the phpmyadmin alias:
-{{{
-echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
-}}}
-== Setup Backup ==
- * Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
- * Edit /etc/mf-backup.xml as needed
- * Be sure to grant the mysql backup user the proper permissions with:
-{{{
-GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret'
-}}}