| Version 1 (modified by , 17 years ago) ( diff ) |
|---|
=Purchase an ssl certificate=
Generate a private key and certificate signing request.
openssl genrsa -out server.mayfirst.org.key 4096 openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
Change the domain@… email alias to point to your address.
Go to Dotster (which is a thawte reseller) for server.mayfirst.org (from Dotster home page click Other Products -> ssl, get the 123 certificate)
This will take a day or so to be generated.
Once generated, login to Dotster using the mayfirst username. Click on My Services. You should see the new ssl Cert listed.
Click Manage services.
Copy the CRT into a file called:
server.mayfirst.org.pem
(replace server with the name of the server being setup)
then add dh paramaters with:
openssl gendh >> server.mayfirst.org.pem
This file will be used by courier
Now, put each one in a separate file called:
server.mayfirst.org.key
server.mayfirst.org.crt
These will be used by apache
=Use volatile for SA and clamav=
- Edit /etc/apt/sources.list. Add the following:
# clamav (volatile) and spam assassin (volatile-sloppy) deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main deb http://debian.domainmail.org/debian-volatile etch/volatile main
- Edit (or add) /etc/apt/preferences. Add the following
Package: spamassassin Pin: release a=etch-sloppy Pin-Priority: 991 Package: spamc Pin: release a=etch-sloppy Pin-Priority: 991
=Install debian packages=
$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute bzip2
Now, install php-pear and php-log. You must install these before installing imp4 or else imp4 will try to pull in un-needed php4 packages.
sudo apt-get install php-pear php-log
And now, imp4:
sudo apt-get install imp4 turba2 ingo1
Add the pear file package so that Turba (address book) can import address books. First try apt - but don't do it if it still tries to pull in php4 (which it is trying as of April 11, 2007)
sudo apt-get install php-file
If it is trying to pull in php4, then install it via pear:
sudo pear install -o File
=Configure HE routes=
In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes
Create a file called add-he-routes with the following contents:
#!/bin/bash # add routes for alternate blocks in rack #ip route add 209.51.172.0/28 dev eth0 ip route add 209.51.169.80/28 dev eth0 #ip route add 209.51.163.192/28 dev eth0 ip route add 209.51.180.16/28 dev eth0
Comment out the line representing the network this server is on
Save the file in /etc/network/if-up.d chmod it to 755
And add a corresponding file:
#!/bin/bash # remove routes for alternate blocks in rack ip route del 209.51.172.0/28 ip route del 209.51.169.80/28 ip route del 209.51.163.192/28 #ip route del 209.51.180.16/28
Save the file in /etc/network/if-down.d chmod it to 755
=Configure suPHP=
- Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
#!/bin/bash -e # # phpmyadmin # # use /var/lib/phpmyadmin as home dir because it already exists if [ -z $(getent passwd|grep phpmyadmin) ]; then adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false -gid 65534 phpmyadmin fi #userdel phpmyadmin phpmyadmin_files=`dpkg -L phpmyadmin | grep '\.php'` for file in $phpmyadmin_files; do dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file # #dpkg-statoverride --remove $file done # # horde: share one user between horde and imp and any other horde apps # # use /var/log/horde as home directory because it already exists if [ -z $(getent passwd|grep horde) ]; then adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false -gid 65534 horde fi #userdel horde # chown the directory recursively to get existing logs # it is written to by the web process chown -R horde /var/log/horde chown horde /etc/horde/horde3/conf.php #chmod 600 /etc/horde/horde3/conf.php # add it to the mix dpkg-statoverride --add --update --force --quiet horde nogroup 644 /var/log/horde #dpkg-statoverride --remove /var/log/horde # ack - this is not mainainable! perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3 horde_files=`dpkg -L horde3 | grep '\.php'` imp_files=`dpkg -L imp4 | grep '\.php'` turba_files=`dpkg -L turba2 | grep '\.php'` ingo_files=`dpkg -L ingo1 | grep '\.php'` all_horde_files="$horde_files $imp_files $turba_files $ingo_files" for file in $all_horde_files; do dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file #dpkg-statoverride --remove $file done if [ -z $(getent passwd|grep squirrelmail) ]; then adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false -gid 65534 squirrelmail fi #userdel squirrelmail sm_files=`dpkg -L squirrelmail | grep '\.php'` chown -R squirrelmail:nogroup /var/lib/squirrelmail/data dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data #dpkg-statoverride --remove /var/lib/squirrelmail/data for file in $sm_files; do dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file #dpkg-statoverride --remove $file done
- Edit /etc/suphp/suphp.conf
[global] ;Path to logfile logfile=/var/log/suphp/suphp.log ;Loglevel loglevel=info ;User Apache is running as webserver_user=www-data ;Path all scripts have to be in docroot=/ ;Path to chroot() to before executing script ;chroot=/mychroot ; Security options ;allow_file_group_writeable=false allow_file_group_writeable=true ;allow_file_others_writeable=false allow_file_others_writeable=true ;allow_directory_group_writeable=false allow_directory_group_writeable=true ;allow_directory_others_writeable=false allow_directory_others_writeable=true ;Check wheter script is within DOCUMENT_ROOT ;check_vhost_docroot=true check_vhost_docroot=false ;Send minor error messages to browser errors_to_browser=false ;PATH environment variable env_path=/bin:/usr/bin ;Umask to set, specify in octal notation ;umask=0077 umask=0022 ; Minimum UID min_uid=100 ; Minimum GID min_gid=100 [handlers] ;Handler for php-scripts x-httpd-php=php:/usr/bin/php-cgi ;Handler for CGI-scripts x-suphp-cgi=execute:!self
=Configure fail2ban=
Create /etc/fail2ban/jail.local. Modify the following lines, by adding them to the jail.local file that you just created:
[DEFAULT] bantime = 200 action = iptables[name=%(__name__)s, port=%(port)s] mail-whois[name=%(__name__)s, dest=%(destemail)s]
=Install Red=
- Edit /etc/apt/sources.list - make sure non-free is there, e.g.:
deb http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
$ sudo apt-get install ucspi-tcp-src $ sudo build-ucspi-tcp
- Create a user in the red database with (change sylvia to name of server):
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret'; GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org'; GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
- Download the source from cvs
copy and paste the following commands
$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir /usr/local/etc
$ sudo mkdir /usr/local/etc/red
$ cd /usr/local/share/red/server/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in `ls *.sample`; do sudo cp $file /usr/local/etc/red/${file%.sample}; done;
this last one, in case you are interested, copies all the files that end in .sample in this directory to files that strip the .sample part out.
- Edit the file called pinky. Change ip address to machine's real ip address. also edit red_server.conf, to add the database user and password.
- Launch pinky with:
$ sudo /usr/local/sbin/pinky &
=Postfix setup=
- Create aliases in /etc/aliases
www: www-data www-data: apache@mayfirst.org root: root@mayfirst.org
Don't forget to run newaliases!
- Create empty access, virtual_alias_maps and virtual_alias_domains files in
/etc/postfix
sudo touch virtual_alias_maps virtual_alias_domains access
Create an empty access database (later we can add entries in access to restrict or allow senders):
sudo postmap access
- Add the following to the bottom of the /etc/postfix/main.cf file:
# May First custom config # file based virtual hosting configuration # List of virtual domain names virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains # list of email address -> unix account mappings virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps # use maildir home_mailbox = Maildir/ # Added for maildrop mailbox_command = /usr/bin/maildrop maildrop_destination_recipient_limit = 1 # Added by jamie 6/10/04 to try to stem the tide of spam smtpd_sender_restrictions = hash:/etc/postfix/access, reject_non_fqdn_sender, reject_unknown_sender_domain, permit # Added for amavisd-new content_filter=smtp-amavis:[127.0.0.1]:10024
- Copy the /etc/postfix/master.cf file from chavez to get the amavis settings.
- Postfix as secure mail relay setup
- Install the sasl packages
sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
- Configure sasl
sudo vim /etc/default/saslauthd
Uncomment START=yes Change MECHANISMS to read: MECHANISMS="shadow"
- Add postfix to the sasl group
sudo addgroup postfix sasl
- Make the /etc/postfix/ssl directory and copy the pem files there
sudo mkdir /etc/postfix/ssl sudo cp /whereever/server.pem /etc/postfix/ssl/
- Edit main.cf
# to enable authentication for sending email smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination # TLS Stuff here: smtpd_use_tls = yes # force people who want to authenticate to use tls - you can't authenticate # otherwise. This is important because passwords are sent in the clear smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
- Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
- Create /etc/postfix/sasl/smtpd.conf
sudo mkdir /etc/postfix/sasl sudo vim /etc/postfix/sasl/smtpd.conf # add these lines: pwcheck_method: saslauthd mech_list: plain login
=Setup Postgrey=
Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.
- Install Postgrey
sudo apt-get install postgrey
- Edit /etc/default/postgrey adding the following line:
POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
- Restart postgrey
/etc/init.d/postgrey restart
- Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
check_policy_service inet:127.0.0.1:60000
check_policy_service inet:127.0.0.1:60000
=Setup Courier=
- Create a shared/index file that is empty (to avoid getting error messages in the log)
mkdir /etc/courier/shared touch /etc/courier/index
- Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:
cp server.mayfirst.org.pem /etc/courier/imapd.pem cp server.mayfirst.org.pem /etc/courier/pop3d.pem
=Setup amavis=
- Edit /etc/amavis/conf.d/50-user
Add the following lines @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); $final_banned_destiny = D_PASS; # D_REJECT when front-end MTA $final_spam_destiny = D_PASS; $final_bad_header_destiny = D_PASS;
- Add clamav to the amavis group with:
sudo addgroup clamav amavis
- Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
- Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:
# Find and delete all emails older than 14 days 2 4 * * * amavis find /var/lib/amavis/virusmails -mtime +14 -exec rm '{}' \;
=Configure Spamassassin=
- Install helper packages
sudo apt-get install razor dcc-client
- Add a new rule for spamassassin (debian etch or above only!)
<ul>
- Create /usr/local/share/spamassassin/plugins
sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins
- Download the ImageInfo plugin to that directory
cd /usr/local/share/spamassassin/plugins sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
- Add rule to /etc/spamassassin
cd /etc/spamassassin sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
- Edit /etc/spamassassin/init.pre. Add the following line:
loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
</ul>
- Enable dcc - uncomment line in /etc/spamassassin/v310.pre the refers to dcc
- Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
- Add temporary work around to get spamassassin to properly tag messages sent to us via tls by adding this line to /etc/spamassassin/local.cf:
header LOCAL_AUTH_RCVD Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org / score LOCAL_AUTH_RCVD -20
(edit the host name) See: http://wiki.apache.org/spamassassin/DynablockIssues
- Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0
- Edit /etc/default/spamassassin - enable spamassassin
- Setup sa-update
sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl # test with: sudo sa-update -D # make sure the above command exited cleanly # Create a file in /etc/cron.daily called "mfpl-sa-update" with: #!/bin/bash sa-update && /etc/init.d/spamassassin restart # always exit with 0 - sa-update will exit with 1 if no update is available # and we don't want cron to report that to us exit 0
=Maildrop=
Edit /etc/maildroprc and add the following lines:
DEFAULT="$HOME/Maildir" # spamassassin xfilter "/usr/bin/spamc -u $LOGNAME"
=Webmail setup=
- Symlink the squirrelmail apache conf file:
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
- Edit the /etc/apache2/conf.d/horde.conf file. Add:
Redirect /webmail https://servername.mayfirst.org/horde3
- Copy the various /etc/horde/*/conf.conf files from chavez
- Edit /etc/horde/imp4/servers.php (see chavez for details)
- Run sudo /etc/squirrelmail/conf.pl
- Change 1: organizational preferences (org name, provider link, provider name)
- Change 2: server settings: A IMAP Settings (port: 993, secure imap: true,
server software: courier
- Plugins: install: delete_move_next,squirrelspell,
filters,abook_take,listcommands,mail_fetch,gpg (you will need to download this one from www.squirrelmail.org into the /usr/share/squirrelmail/plugins
- Gunzip/usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
- Edit - change the password to a good password
- Import into mysql
- Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
mysql -u root -p horde < /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
=Install Drupal=
- Download from drupal.org into: /usr/local/share/
- Name the drupal directory after the version (i.e. drupal-4.7.3)
- Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
- Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7
and place into the /usr/local/share/drupal-modules-4.7 on the target server.
=Configure Apache=
- In /etc/apache2/site-available/default change NameVirtualHost * to: NameVirtualHost *:80
- Change:
<VirtualHost *> to: <VirtualHost *:80> ServerAdmin apache@… DocumentRoot /srv/apache/web (create this directory and index.html file)
=Configure logrotate=
Create a file called apache2-red in the /etc/logrotate.d directory with:
/home/members/*/sites/*/logs/*.log {
weekly
missingok
rotate 12
compress
delaycompress
notifempty
create 644 root root
sharedscripts
postrotate
if [ -f /var/run/apache2.pid ]; then
/etc/init.d/apache2 restart > /dev/null
fi
endscript
}
=Configure logcheck=
Copy from Wiwa to the server: /etc/logcheck/logcheck.conf /etc/logcheck/ignore.d.server/local-*
=Configure cron-apt=
Edit /etc/cron-apt Change line MAILON to MAILON="upgrade"
=Configure Awstats=
- Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
- Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from
chavez to the target server.
- Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
- Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats
=Configure Mutt=
Create /etc/Muttrc.d and put a file named maildir.rc with
set mbox_type=Maildir set mbox=~/Maildir set spoolfile=~/Maildir set folder=~/Maildir
=Change ssh=
Make sure the following settings are set:
PermitRootLogin no AllowGroups sshusers # Required for Contribute. Grr. PasswordAuthentication yes
=Congifure phpmyadmin=
Copy the apache conf file from /etc/phpmyadmin to /etc/apach2/conf.d
cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
Add the phpmyadmin alias:
echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
=Setup Backup=
- Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
- Edit /etc/mf-backup.xml as needed
- Be sure to grant the mysql backup user the proper permissions with:
GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret'
