= Setup Debian Server for May First/People Link =

== Purchase an ssl certificate ==

 * Generate a private key and certificate signing request (replace server with the name of the server being set up):
{{{
openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
}}}
 * Change the domain@mayfirst.org email alias to point to your address, so that the certificate authority's approval email reaches you.
 * Submit the CSR at Godaddy (which is a thawte reseller) for server.mayfirst.org. The certificate will take a day or so to be generated.
 * Concatenate the CRT and KEY file into a file called server.mayfirst.org.pem.
 * Then append DH parameters with:
{{{
openssl gendh >> server.mayfirst.org.pem
}}}
 gendh generates small parameters unless you give it a size (openssl gendh 2048 >> server.mayfirst.org.pem; newer OpenSSL releases replace gendh with openssl dhparam). This file will be used by courier: copy it to /etc/courier/imapd.pem and /etc/courier/pop3d.pem. It contains the private key, so keep it owned by root with mode 600.
 * Also keep the key and certificate in separate files called server.mayfirst.org.key and server.mayfirst.org.crt (these will be used by apache).

== Use volatile for SA and clamav ==

 * Edit /etc/apt/sources.list. Add the following:
{{{
# clamav (volatile) and spam assassin (volatile-sloppy)
deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
deb http://debian.domainmail.org/debian-volatile etch/volatile main
}}}
 * Edit (or add) /etc/apt/preferences.
 Add the following:
{{{
Package: spamassassin
Pin: release a=etch-sloppy
Pin-Priority: 991

Package: spamc
Pin: release a=etch-sloppy
Pin-Priority: 991
}}}

== Install debian packages ==
{{{
$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute bzip2 imagemagick php-pear php-log imp4 turba2 ingo1 php-file
}}}

== Configure HE routes ==

In order to route traffic directly from computer to computer (across the different subnetworks in the rack) we need to add routes for the other address blocks.

 * Create a file called add-he-routes with the following contents:
{{{
#!/bin/bash
# add routes for alternate blocks in rack
#ip route add 209.51.172.0/28 dev eth0
ip route add 209.51.169.80/28 dev eth0
#ip route add 209.51.163.192/28 dev eth0
ip route add 209.51.180.16/28 dev eth0
ip route add 209.51.163.0/27 dev eth0
}}}
 * Comment out the line representing the network this server is on (the kernel already has a connected route for it, and adding it again fails with "File exists").
 * Save the file in /etc/network/if-up.d and chmod it to 755
 * And add a corresponding file for taking the routes down:
{{{
#!/bin/bash
# remove routes for alternate blocks in rack
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
#ip route del 209.51.180.16/28
ip route del 209.51.163.0/27
}}}
 * Comment out the same network here as in the add script (the two listings above happen to have different lines commented out; on a real server they must match), save the file in /etc/network/if-down.d and chmod it to 755

== Configure suPHP ==

 * Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). suPHP runs each script as the user who owns it, so these shared applications need a dedicated system user each rather than running as whichever member's account happens to own the files.
 This script will do it all for you:
{{{
#!/bin/bash -e
#
# phpmyadmin
#
# use /var/lib/phpmyadmin as home dir because it already exists
if ! getent passwd phpmyadmin >/dev/null; then
  adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false --gid 65534 phpmyadmin
fi
#userdel phpmyadmin
phpmyadmin_files=`dpkg -L phpmyadmin | grep '\.php'`
for file in $phpmyadmin_files; do
  dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
  #dpkg-statoverride --remove $file
done
#
# horde: share one user between horde and imp and any other horde apps
#
# use /var/log/horde as home directory because it already exists
if ! getent passwd horde >/dev/null; then
  adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false --gid 65534 horde
fi
#userdel horde
# chown the directory recursively to get existing logs
# it is written to by the web process
chown -R horde /var/log/horde
chown horde /etc/horde/horde3/conf.php
#chmod 600 /etc/horde/horde3/conf.php
# add it to the mix (a directory needs the execute bit, so 755 rather than 644)
dpkg-statoverride --add --update --force --quiet horde nogroup 755 /var/log/horde
#dpkg-statoverride --remove /var/log/horde
# ack - this is not maintainable!
perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
horde_files=`dpkg -L horde3 | grep '\.php'`
imp_files=`dpkg -L imp4 | grep '\.php'`
turba_files=`dpkg -L turba2 | grep '\.php'`
ingo_files=`dpkg -L ingo1 | grep '\.php'`
all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
for file in $all_horde_files; do
  dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
  #dpkg-statoverride --remove $file
done
#
# squirrelmail
#
if ! getent passwd squirrelmail >/dev/null; then
  adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false --gid 65534 squirrelmail
fi
#userdel squirrelmail
sm_files=`dpkg -L squirrelmail | grep '\.php'`
chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
#dpkg-statoverride --remove /var/lib/squirrelmail/data
for file in $sm_files; do
  dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 444 $file
  #dpkg-statoverride --remove $file
done
}}}
 * Edit /etc/suphp/suphp.conf. The settings below relax suPHP's defaults: group- and world-writeable scripts and directories are allowed and the DOCUMENT_ROOT check is off, which the shared applications under /usr/share need. The price is that any writeable PHP file on the system, wherever it is, will be executed as its owner, so watch file permissions in member directories.
{{{
[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=www-data
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
;allow_file_group_writeable=false
allow_file_group_writeable=true
;allow_file_others_writeable=false
allow_file_others_writeable=true
;allow_directory_group_writeable=false
allow_directory_group_writeable=true
;allow_directory_others_writeable=false
allow_directory_others_writeable=true
;Check whether script is within DOCUMENT_ROOT
;check_vhost_docroot=true
check_vhost_docroot=false
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
;umask=0077
umask=0022
; Minimum UID (the system users created above have uids >= 100)
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
}}}

== Configure fail2ban ==

Create /etc/fail2ban/jail.local and put the following lines in it (jail.local overrides jail.conf, so the packaged file stays untouched on upgrades; bantime is in seconds):
{{{
[DEFAULT]
bantime = 200
action = iptables[name=%(__name__)s, port=%(port)s]
         mail-whois[name=%(__name__)s, dest=%(destemail)s]
}}}

== Install Red ==

 * Edit /etc/apt/sources.list - make sure non-free is there, e.g.:
{{{
deb http://http.us.debian.org/debian stable main contrib non-free
}}}
 If you changed this line, run sudo apt-get update afterwards. Then build ucspi-tcp (it is non-free, so Debian ships it as a source package):
{{{
$ sudo apt-get install ucspi-tcp-src
$ sudo build-ucspi-tcp
}}}
 * Create a user in the red database with (change sylvia to the name of the server):
{{{
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
}}}
 * Download the source from cvs. Copy and paste the following commands:
{{{
$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir -p /usr/local/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in *.sample; do sudo cp "$file" "${file%.sample}"; done
}}}
 * Edit the file called pinky. Change the ip address to the machine's real ip address. Also edit red_server.conf to add the database user and password (it now holds a password, so keep it readable by root only).
 * Launch pinky with:
{{{
$ sudo /usr/local/sbin/pinky &
}}}

== Postfix setup ==

 * Create aliases in /etc/aliases:
{{{
www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org
}}}
 * Don't forget to run newaliases!
 * Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix:
{{{
sudo touch virtual_alias_maps virtual_alias_domains access
}}}
 Build the lookup tables (main.cf below refers to all three as hash: tables, and Postfix refuses to start if a .db file is missing; later we can add entries in access to restrict or allow senders):
{{{
sudo postmap access virtual_alias_maps virtual_alias_domains
}}}
 * Create /var/lib/postfix (used by the tls session caches), owned by root:
{{{
mkdir /var/lib/postfix
}}}
 * Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name):
{{{
# May First custom config
# file based virtual hosting configuration
# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
# use maildir
home_mailbox = Maildir/
# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1
# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions = hash:/etc/postfix/access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
# Added for amavisd-new
content_filter = smtp-amavis:[127.0.0.1]:10024
# to enable authentication for sending email
# and postgrey (the check_policy_service line on port 60000, see the Postgrey section)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
# order matters: authenticated clients and our own networks may relay,
# everything else is checked and must be for a domain we accept mail for
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
# TLS Stuff here:
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
# server side tls - offer tls encryption when an smtp client (either
# user email program or sending smtp server) can use it
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# client side - when we send to a server that offers tls, we should
# accept
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
smtp_tls_loglevel = 1
# http://www.postfix.org/TLS_README.html recommends leaving these
# lines commented out so we don't present a client certificate.
# It is rare to be required to have a client certificate and presenting
# one sometimes causes problems
#smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
#smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
}}}
 * Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off)
 * Postfix as secure mail relay setup:
   * Install the sasl packages:
{{{
sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
}}}
   * Configure sasl.
 Edit /etc/default/saslauthd: uncomment START=yes and change MECHANISMS to read:
{{{
MECHANISMS="shadow"
}}}
   * Add postfix to the sasl group (saslauthd's socket directory is only accessible to that group):
{{{
sudo addgroup postfix sasl
}}}
   * Make the /etc/postfix/ssl directory and copy the pem files there (the pem contains the private key: root-owned, mode 600):
{{{
sudo mkdir /etc/postfix/ssl
sudo cp /wherever/server.pem /etc/postfix/ssl/
}}}
   * Edit main.cf. These settings overlap the fragment added above; when a parameter is set twice in main.cf the last occurrence silently wins (postconf -n warns about the duplicate). In particular this shorter smtpd_recipient_restrictions would replace the fuller one and drop the postgrey check and the reject_* tests, so merge the two rather than appending both:
{{{
# to enable authentication for sending email
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
# TLS Stuff here:
smtpd_use_tls = yes
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
}}}
   * Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot column from "-" to "n" (a chrooted smtpd cannot reach saslauthd's socket under /var/run).
   * Create /etc/postfix/sasl/smtpd.conf:
{{{
sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login
}}}

== Setup Postgrey ==

Postgrey defers all mail for 5 minutes the first time it sees a given sender/recipient pair. Legitimate mail servers retry; most spam software does not, so a lot of spam is never delivered.
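Before the Postgrey steps, a check for the Postfix configuration assembled in the two main.cf fragments above. This is an added example, not part of the original page or of May First's own tooling: it flattens a main.cf, takes the value Postfix will actually use for each parameter (the last one set), and reports an smtpd_recipient_restrictions without reject_unauth_destination (open relay), a postgrey check_policy_service placed before reject_unauth_destination, SASL enabled without smtpd_tls_auth_only, and parameters set more than once. The three sample fragments it writes are constructed for the demonstration and abbreviated from the page's own settings; the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: lint a Postfix main.cf for
# the properties the two main.cf fragments above depend on.
#   1. the last smtpd_recipient_restrictions contains reject_unauth_destination
#      (without it the host is an open relay);
#   2. check_policy_service (postgrey) comes after reject_unauth_destination;
#   3. smtpd_tls_auth_only = yes whenever smtpd_sasl_auth_enable = yes, so
#      AUTH is never offered on a cleartext session;
#   4. no parameter is set twice (Postfix silently takes the last value, which
#      is exactly how appending the "secure mail relay" fragment can undo the
#      restrictions added earlier).
# Usage: sh mf-lint-maincf.sh /etc/postfix/main.cf ; exit status = findings.

# Print main.cf as one "name = value" line per parameter: comments and blank
# lines dropped, continuation lines (leading whitespace) joined, runs of
# whitespace squeezed to one space.
mf_flatten() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^[ \t]/           { cur = cur " " $0; next }
                           { if (cur != "") print cur; cur = $0 }
        END                { if (cur != "") print cur }
    ' "$1" | sed 's/[[:blank:]][[:blank:]]*/ /g'
}

# mf_value NAME FILE: the value Postfix will use (the last one set), or empty.
mf_value() {
    mf_flatten "$2" | sed -n "s/^$1 *= *//p" | tail -n 1
}

# mf_lint_maincf FILE: print one line per finding, return their count.
mf_lint_maincf() {
    f="$1"; n=0
    rr=$(mf_value smtpd_recipient_restrictions "$f")
    case "$rr" in
        "") echo "open relay risk: smtpd_recipient_restrictions is not set"; n=$((n+1)) ;;
        *reject_unauth_destination*) ;;
        *)  echo "open relay: smtpd_recipient_restrictions lacks reject_unauth_destination"; n=$((n+1)) ;;
    esac
    case "$rr" in
        *check_policy_service*reject_unauth_destination*)
            echo "greylisting: check_policy_service should come after reject_unauth_destination"; n=$((n+1)) ;;
    esac
    if [ "$(mf_value smtpd_sasl_auth_enable "$f")" = yes ] &&
       [ "$(mf_value smtpd_tls_auth_only "$f")" != yes ]; then
        echo "cleartext auth: smtpd_sasl_auth_enable = yes without smtpd_tls_auth_only = yes"; n=$((n+1))
    fi
    for p in $(mf_flatten "$f" | sed 's/ *=.*//' | sort | uniq -d); do
        echo "duplicate: $p set more than once; effective value: $(mf_value "$p" "$f")"; n=$((n+1))
    done
    return $n
}

# mf_write_samples DIR: constructed main.cf fragments (not from a real server).
mf_write_samples() {
    cat > "$1/good.cf" <<'EOF'
# the restrictions from the Postfix setup section, abbreviated
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
EOF
    cat > "$1/bad.cf" <<'EOF'
# the same, with the "secure mail relay" fragment pasted in afterwards and
# the relay check lost along the way
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:60000,
    permit_sasl_authenticated,
    permit_mynetworks
EOF
    cat > "$1/order.cf" <<'EOF'
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:60000,
    reject_unauth_destination
EOF
}

if [ $# -gt 0 ]; then
    mf_lint_maincf "$1"
fi
```

Run it against the real file after every edit to main.cf (sh mf-lint-maincf.sh /etc/postfix/main.cf); it complements rather than replaces postconf -n, which shows the effective values but does not judge them. The duplicate check is the one that catches the failure mode the two fragments on this page invite: a second, shorter smtpd_recipient_restrictions pasted at the bottom quietly wins.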
 * Install Postgrey:
{{{
sudo apt-get install postgrey
}}}
 * Edit /etc/default/postgrey adding the following line:
{{{
POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
}}}
 * Restart postgrey:
{{{
/etc/init.d/postgrey restart
}}}
 * Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza (after reject_unauth_destination, so that only mail we would accept anyway gets greylisted):
{{{
check_policy_service inet:127.0.0.1:60000
}}}

== Setup Courier ==

 * Create an empty shared/index file (to avoid error messages in the log):
{{{
mkdir /etc/courier/shared
touch /etc/courier/shared/index
}}}
 * Setup ssl - copy the server pem file (assembled in the certificate section above) to the /etc/courier directory:
{{{
cp server.mayfirst.org.pem /etc/courier/imapd.pem
cp server.mayfirst.org.pem /etc/courier/pop3d.pem
}}}
 If you are using Godaddy Certificates, copy the godaddy intermediate bundle to /etc/courier/ (you can download it here: http://mayfirst.org/node/452). Then add this line to both imapd-ssl and pop3d-ssl:
{{{
TLS_TRUSTCERTS=/etc/courier/gd_intermediate_bundle.crt
}}}
 Afterwards check from another host that the whole chain is presented and that the certificate name matches what clients connect to, for example with openssl s_client -connect server.mayfirst.org:993 -showcerts; a missing intermediate shows up there as a verify error, not in courier's own log.

== Setup amavis ==

 * Edit /etc/amavis/conf.d/50-user. Add the following lines:
{{{
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
$final_banned_destiny = D_PASS;  # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;
# *Don't* notify me about viruses. Please.
$virus_admin = '';
}}}
 D_PASS means the message is delivered (tagged) rather than rejected or quarantined; the spam decision itself is made per user by spamc in maildrop, below.
 * Add clamav to the amavis group so that clamd can read the files amavis unpacks for it:
{{{
sudo addgroup clamav amavis
}}}
 * Add AllowSupplementaryGroups to /etc/clamav/clamd.conf (without it clamd drops its supplementary groups at startup and the group membership above has no effect)
 * Add a cron job to clean out viruses and spam quarantined by amavis. Create /etc/cron.d/clean-up-virus with the contents:
{{{
# Find and delete all quarantined emails older than 14 days
2 4 * * * amavis find /var/lib/amavis/virusmails -mtime +14 -exec rm '{}' \;
}}}

== Configure Spamassassin ==

 * Install helper packages:
{{{
sudo apt-get install razor dcc-client
}}}
 * Add a new rule for spamassassin (debian etch or above only!):
   * Create /usr/local/share/spamassassin/plugins:
{{{
sudo mkdir -p /usr/local/share/spamassassin/plugins
}}}
   * Download the ImageInfo plugin to that directory:
{{{
cd /usr/local/share/spamassassin/plugins
sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
}}}
   * Add the rule to /etc/spamassassin:
{{{
cd /etc/spamassassin
sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
}}}
   * Edit /etc/spamassassin/init.pre. Add the following line:
{{{
loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
}}}
 A plugin is arbitrary Perl that spamd executes on every message, fetched here over plain http; read through what you downloaded before loading it.
 * Enable dcc - uncomment the line in /etc/spamassassin/v310.pre that refers to dcc
 * Turn on subject munging (uncomment the rewrite_header Subject line in /etc/spamassassin/local.cf)
 * Add a temporary workaround to get spamassassin to properly tag messages sent to us via tls by adding these lines to /etc/spamassassin/local.cf (change the hostname; see http://wiki.apache.org/spamassassin/DynablockIssues):
{{{
header LOCAL_AUTH_RCVD Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
score LOCAL_AUTH_RCVD -20
}}}
 Caveat: the pattern matches every message that arrived over TLS, not only those from authenticated members, so any remote sender that speaks STARTTLS collects the -20 as well. Treat it as the temporary hack it is.
 * Turn off report_safe (in /etc/spamassassin/local.cf set: report_safe 0)
 * Edit /etc/default/spamassassin - enable spamassassin (ENABLED=1)
 * Setup sa-update:
{{{
sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
# test with:
sudo sa-update -D
# make sure the above command exited cleanly
}}}
 Then create a file in /etc/cron.daily called "mfpl-sa-update" with:
{{{
#!/bin/bash
sa-update && /etc/init.d/spamassassin restart
# always exit with 0 - sa-update will exit with 1 if no update is available
# and we don't want cron to report that to us
exit 0
}}}
 Note that sa-update uses exit codes above 1 for real errors (download or signature failures); the unconditional exit 0 hides those too, so check the spamd rule age now and then.

== Maildrop ==

Edit /etc/maildroprc and add the following lines:
{{{
DEFAULT="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"
}}}

== Webmail setup ==

 * Symlink the squirrelmail apache conf file:
{{{
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
}}}
 * Edit the /etc/apache2/conf.d/horde.conf file.
 Add:
{{{
Redirect /webmail https://servername.mayfirst.org/horde3
}}}
 * Copy the various /etc/horde/*/conf.php files from chavez
 * Edit /etc/horde/imp4/servers.php (see chavez for details)
 * Run sudo /etc/squirrelmail/conf.pl
   * Change 1: organizational preferences (org name, provider link, provider name)
   * Change 2: server settings, A. IMAP settings (port: 993, secure imap: true, server software: courier)
   * Plugins: install delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)
 * Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
 * Edit it - change the password to a good password
 * Import it into mysql (it creates the horde database and its user), then directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
{{{
mysql -u root -p horde < /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
}}}

== Install Drupal ==

 * Download from drupal.org into /usr/local/share/
 * Name the drupal directory after the version (i.e. drupal-4.7.3)
 * Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
 * Tar up all the files from /usr/local/share/drupal-modules-4.7 on wiwa and place them into /usr/local/share/drupal-modules-4.7 on the target server.
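To close out the mail configuration before moving on to Apache, here is an added example (not from the original page) for the LOCAL_AUTH_RCVD rule in the Configure Spamassassin section above. It runs the page's pattern and a tighter alternative over three constructed Received headers to show what each one fires on. The tighter pattern assumes Postfix is run with smtpd_sasl_authenticated_header = yes, which this page does not set; chavez.mayfirst.org is the page's own example hostname; the headers, addresses (documentation ranges) and queue ids are made up.

```shell
#!/bin/sh
# Added example, not from the original page: run the LOCAL_AUTH_RCVD pattern
# from the Configure Spamassassin section over constructed Received headers
# to show what it actually matches, next to a tighter pattern.
# SpamAssassin unfolds a header before matching, so each sample below is the
# multi-line Received header written as one line. The patterns are in ERE
# for grep -E; SpamAssassin itself takes Perl regexes, and both patterns
# below are valid as either.

# The page's rule: fires on anything that arrived over TLS.
PAGE_RE='\(using TLS.*\) by chavez\.mayfirst\.org '

# Tighter rule: fires only on SASL-authenticated submissions. Assumes Postfix
# runs with smtpd_sasl_authenticated_header = yes (not set on this page),
# which adds "(Authenticated sender: <name>)" to the Received header; since
# smtpd_tls_auth_only = yes is set above, authenticated implies TLS anyway.
AUTH_RE='\(Authenticated sender: [^)]+\).* by chavez\.mayfirst\.org '

# Constructed headers (not real mail): a member submitting over TLS with
# AUTH, an outside host that happens to use STARTTLS, and a plain delivery.
H_MEMBER='from [192.0.2.10] (pool-192-0-2-10.example.net [192.0.2.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: member) by chavez.mayfirst.org (Postfix) with ESMTP id 1A2B3C; Tue, 5 Jun 2007 10:00:00 -0400'
H_SPAM_TLS='from mail.spammer.example (mail.spammer.example [198.51.100.7]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by chavez.mayfirst.org (Postfix) with ESMTP id 4D5E6F; Tue, 5 Jun 2007 10:01:00 -0400'
H_PLAIN='from mx.example.org (mx.example.org [203.0.113.5]) by chavez.mayfirst.org (Postfix) with ESMTP id 7G8H9I; Tue, 5 Jun 2007 10:02:00 -0400'

# sa_hits REGEX HEADER: exit 0 if the rule would fire on that Received header.
sa_hits() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# sa_verdict HEADER: "page=hit|miss auth=hit|miss" for the two rules.
sa_verdict() {
    p=miss; a=miss
    sa_hits "$PAGE_RE" "$1" && p=hit
    sa_hits "$AUTH_RE" "$1" && a=hit
    printf 'page=%s auth=%s\n' "$p" "$a"
}

# sa_demo: one verdict line per sample, tagged with the sending host.
sa_demo() {
    for h in "$H_MEMBER" "$H_SPAM_TLS" "$H_PLAIN"; do
        printf '%s  <- %s\n' "$(sa_verdict "$h")" "$(printf '%s' "$h" | cut -d' ' -f2)"
    done
}

sa_demo
```

The middle line of the output is the point: the outside TLS sender gets page=hit, i.e. the -20, while the tighter rule ignores it. Both patterns still look at every Received header on the message, so a sender who forges a matching line further down the chain collects the bonus either way; the durable fix the DynablockIssues page points at is declaring trusted_networks and internal_networks, so that SpamAssassin's own trust-path logic, rather than a -20 score, decides which relay IPs are checked against dynamic-IP lists.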
== Configure Apache ==

 * In /etc/apache2/sites-available/default change NameVirtualHost * to NameVirtualHost *:80, and the matching {{{<VirtualHost *>}}} to {{{<VirtualHost *:80>}}}
 * In that default host change:
{{{
ServerAdmin apache@mayfirst.org
DocumentRoot /srv/apache/web
}}}
 (create this directory and an index.html file in it)

== Configure logrotate ==

Create a file called apache2-red in the /etc/logrotate.d directory with:
{{{
/home/members/*/sites/*/logs/*.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}
}}}
Two things to be aware of: create 644 makes every member's logs readable by every other local user, and a full restart drops in-flight requests where a reload would be enough to make apache reopen its log files.

== Configure logcheck ==

Copy from Wiwa to the server:
{{{
/etc/logcheck/logcheck.conf
/etc/logcheck/ignore.d.server/local-*
}}}

== Configure cron-apt ==

Edit /etc/cron-apt/config and change the MAILON line to:
{{{
MAILON="upgrade"
}}}

== Configure Awstats ==

 * Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
 * Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from chavez to the target server.
 * Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
 * Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats

== Configure Mutt ==

Create /etc/Muttrc.d and put a file named maildir.rc in it with:
{{{
set mbox_type=Maildir
set mbox=~/Maildir
set spoolfile=~/Maildir
set folder=~/Maildir
}}}

== Change ssh ==

Make sure the following settings are set in /etc/ssh/sshd_config (and that your own account is in the sshusers group before you restart sshd, or you will lock yourself out):
{{{
PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes
}}}

== Configure phpmyadmin ==

Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d:
{{{
cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
}}}
Add the phpmyadmin alias:
{{{
echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
}}}
The alias is global, so /phpmyadmin answers on every virtual host, over plain http as well; its login form carries MySQL credentials, so at minimum redirect it to https as is done for webmail above.

== Setup Backup ==

 * Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
 * Edit /etc/mf-backup.xml as needed
 * Be sure to grant the mysql backup user the proper permissions with:
{{{
GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret';
}}}
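An added example, not the page's mf-backup script: a small dump runner for the backup user granted above, showing two things the page leaves out. The password never goes on the mysqldump command line (anything in argv is readable by every local user through ps), and a dump only counts as good if it decompresses cleanly and ends with mysqldump's "-- Dump completed" trailer, which a dump cut short by a crash, a full disk or a revoked LOCK TABLES grant will lack. The paths /etc/mysql/backup.cnf and /var/backups/mysql are placeholders, the password is a dummy, and the sample dump files in mf_selfcheck are constructed.

```shell
#!/bin/sh
# Added example, not the page's mf-backup tool. Functions:
#   mf_write_backup_cnf FILE PASSWORD  write a root-only [client] option file
#   mf_backup_cmd CNF                  the mysqldump command line (no secrets)
#   mf_run_backup CNF OUT              dump everything, gzip it, verify it
#   mf_dump_ok FILE                    is FILE a complete gzipped mysqldump?
#   mf_selfcheck DIR                   exercise mf_dump_ok on constructed dumps
# Placeholders: /etc/mysql/backup.cnf, /var/backups/mysql, the password.

# mf_write_backup_cnf FILE PASSWORD: option file for mysqldump, mode 0600.
# The umask is set in a subshell so the caller's umask is left alone.
mf_write_backup_cnf() {
    ( umask 077; printf '[client]\nuser=backup\npassword=%s\n' "$2" > "$1" ) || return 1
    # a pre-existing file keeps its old mode, so check rather than assume
    case "$(ls -l "$1" | cut -c2-10)" in
        rw-------) return 0 ;;
        *) printf 'refusing: %s is not mode 0600\n' "$1" >&2; return 1 ;;
    esac
}

# mf_backup_cmd CNF: the mysqldump invocation. --defaults-extra-file must be
# the first option. The default --lock-tables is why the backup user needs
# LOCK TABLES; SHOW VIEW is needed to dump view definitions.
mf_backup_cmd() {
    printf 'mysqldump --defaults-extra-file=%s --all-databases\n' "$1"
}

# mf_run_backup CNF OUT: dump to a temp file first so a failing mysqldump is
# not hidden behind gzip's exit status, then compress and verify.
mf_run_backup() {
    ( umask 077
      mysqldump --defaults-extra-file="$1" --all-databases > "$2.tmp" ) || { rm -f "$2.tmp"; return 1; }
    gzip -c "$2.tmp" > "$2" && rm -f "$2.tmp" || return 1
    mf_dump_ok "$2"
}

# mf_dump_ok FILE: 0 if FILE is a complete gzipped mysqldump, 1 otherwise.
mf_dump_ok() {
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | tail -n 1 | grep -q '^-- Dump completed'
}

# mf_selfcheck DIR: constructed dumps (not real data); returns 0 when
# mf_dump_ok accepts the complete one and rejects the truncated and the
# non-gzip one.
mf_selfcheck() {
    printf '%s\n' '-- MySQL dump 10.11' 'CREATE TABLE t (id int);' \
        '-- Dump completed on 2007-06-05  4:02:00' | gzip -c > "$1/complete.sql.gz"
    printf '%s\n' '-- MySQL dump 10.11' 'CREATE TABLE t (id int);' \
        | gzip -c > "$1/truncated.sql.gz"
    printf '%s\n' 'not gzip at all' > "$1/bogus.sql.gz"
    mf_dump_ok "$1/complete.sql.gz" || return 1
    mf_dump_ok "$1/truncated.sql.gz" && return 1
    mf_dump_ok "$1/bogus.sql.gz" && return 1
    return 0
}
```

In use: mf_write_backup_cnf /etc/mysql/backup.cnf 'secret' once (with the same password as in the GRANT), then mf_run_backup /etc/mysql/backup.cnf /var/backups/mysql/all.sql.gz from cron, and treat a non-zero exit as a backup failure rather than a warning.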