= Setup Debian Server for May First/People Link =

== Purchase an ssl certificate ==

 * Generate a private key and certificate signing request:
{{{
openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
}}}
 * Change the domain@mayfirst.org email alias to point to your address.
 * Go to Godaddy (which is a thawte reseller) for server.mayfirst.org. This will take a day or so to be generated.
 * Concatenate the CRT and KEY files into a file called server.mayfirst.org.pem (replace server with the name of the server being set up).
 * Then add DH parameters with:
{{{
openssl gendh >> server.mayfirst.org.pem
}}}
 This file will be used by courier. Copy it into /etc/courier/imapd.pem and /etc/courier/pop3d.pem.
 * Now, put each one in a separate file called server.mayfirst.org.key and server.mayfirst.org.crt (these will be used by apache).

== Use volatile for SA and clamav ==

 * Edit /etc/apt/sources.list. Add the following:
{{{
# clamav (volatile) and spam assassin (volatile-sloppy)
deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
deb http://debian.domainmail.org/debian-volatile etch/volatile main
}}}
 * Edit (or add) /etc/apt/preferences.
 Add the following:
{{{
Package: spamassassin
Pin: release a=etch-sloppy
Pin-Priority: 991

Package: spamc
Pin: release a=etch-sloppy
Pin-Priority: 991
}}}

== Install debian packages ==

{{{
$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute bzip2 imagemagick php-pear php-log imp4 turba2 ingo1 php-file
}}}

== Configure HE routes ==

In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes.

 * Create a file called add-he-routes with the following contents. Replace CANONICAL-IP with the IP that you want the server to use as its source IP. It should be the same as the IP you use when setting up the host DNS record.
{{{
#!/bin/bash
# add routes for alternate blocks in rack, src CANONICAL-IP
#ip route add 209.51.172.0/28 dev eth0 src CANONICAL-IP
ip route add 209.51.169.80/28 dev eth0 src CANONICAL-IP
#ip route add 209.51.163.192/28 dev eth0 src CANONICAL-IP
ip route add 209.51.180.16/28 dev eth0 src CANONICAL-IP
ip route add 209.51.163.0/27 dev eth0 src CANONICAL-IP
}}}
 * Comment out the line representing the network this server is on.
 * Save the file in /etc/network/if-up.d and chmod it to 755.
 * And add a corresponding file:
{{{
#!/bin/bash
# remove routes for alternate blocks in rack
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
#ip route del 209.51.180.16/28
ip route del 209.51.163.0/27
}}}
 * Save the file in /etc/network/if-down.d and chmod it to 755.

== Configure suPHP ==

 * Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail).
 This script will do it all for you:
{{{
#!/bin/bash -e
#
# phpmyadmin
#
# use /var/lib/phpmyadmin as home dir because it already exists
if ! (getent passwd phpmyadmin) ; then
    adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false --gid 65534 phpmyadmin
fi
#userdel phpmyadmin
phpmyadmin_files=`dpkg -L phpmyadmin | grep '\.php'`
for file in $phpmyadmin_files; do
    dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
    #dpkg-statoverride --remove $file
done
#
# horde: share one user between horde and imp and any other horde apps
#
# use /var/log/horde as home directory because it already exists
if ! (getent passwd horde) ; then
    adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false --gid 65534 horde
fi
#userdel horde
# chown the directory recursively to get existing logs
# it is written to by the web process
chown -R horde /var/log/horde
chown horde /etc/horde/horde3/conf.php
#chmod 600 /etc/horde/horde3/conf.php
# add it to the mix
dpkg-statoverride --add --update --force --quiet horde nogroup 644 /var/log/horde
#dpkg-statoverride --remove /var/log/horde
# ack - this is not maintainable!
perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
horde_files=`dpkg -L horde3 | grep '\.php'`
imp_files=`dpkg -L imp4 | grep '\.php'`
turba_files=`dpkg -L turba2 | grep '\.php'`
ingo_files=`dpkg -L ingo1 | grep '\.php'`
all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
for file in $all_horde_files; do
    dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
    #dpkg-statoverride --remove $file
done
#
# squirrelmail
#
if ! (getent passwd squirrelmail) ; then
    adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false --gid 65534 squirrelmail
fi
#userdel squirrelmail
sm_files=`dpkg -L squirrelmail | grep '\.php'`
chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
#dpkg-statoverride --remove /var/lib/squirrelmail/data
for file in $sm_files; do
    dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file
    #dpkg-statoverride --remove $file
done
}}}
 * Edit /etc/suphp/suphp.conf:
{{{
[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log

;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

; Security options
;allow_file_group_writeable=false
allow_file_group_writeable=true
;allow_file_others_writeable=false
allow_file_others_writeable=true
;allow_directory_group_writeable=false
allow_directory_group_writeable=true
;allow_directory_others_writeable=false
allow_directory_others_writeable=true

;Check whether script is within DOCUMENT_ROOT
;check_vhost_docroot=true
check_vhost_docroot=false

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
;umask=0077
umask=0022

; Minimum UID
min_uid=100

; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self
}}}

== Configure fail2ban ==

Create /etc/fail2ban/jail.local.
Modify the following lines by adding them to the jail.local file that you just created:
{{{
[DEFAULT]
bantime = 200
action = iptables[name=%(__name__)s, port=%(port)s]
         mail-whois[name=%(__name__)s, dest=%(destemail)s]
}}}

== Install Red ==

 * Edit /etc/apt/sources.list - make sure non-free is there, e.g. {{{deb http://http.us.debian.org/debian stable main contrib non-free}}}. If you are adding anything to this line, run sudo apt-get update afterwards.
{{{
$ sudo apt-get install ucspi-tcp-src
$ sudo build-ucspi-tcp
}}}
 * Create a user in the red database with (change sylvia to the name of the server):
{{{
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
}}}
 * Download the source from cvs.
 * Copy and paste the following commands:
{{{
$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir /usr/local/etc
$ sudo mkdir /usr/local/etc/red
$ cd /usr/local/share/red/server/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in `ls *.sample`; do sudo cp $file /usr/local/etc/red/${file%.sample}; done
}}}
 * Edit the file called pinky. Change the IP address to the machine's real IP address. Also edit red_server.conf to add the database user and password.
 * Launch pinky with:
{{{
$ sudo /usr/local/sbin/pinky &
}}}

== Postfix setup ==

 * Create aliases in /etc/aliases:
{{{
www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org
}}}
 * Don't forget to run newaliases!
 * Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix:
{{{
sudo touch virtual_alias_maps virtual_alias_domains access
}}}
 Create an empty access database (later we can add entries in access to restrict or allow senders):
{{{
sudo postmap access
}}}
 * Create /var/lib/postfix (used by tls), owned by root:
{{{
mkdir /var/lib/postfix
}}}
 * Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name):
{{{
# May First custom config
# file based virtual hosting configuration

# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

# use maildir
home_mailbox = Maildir/

# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1

# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions = hash:/etc/postfix/access, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

# Added for amavisd-new
content_filter=smtp-amavis:[127.0.0.1]:10024

# to enable authentication for sending email
# and postgrey (policy port 60000 line)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000

# TLS Stuff here:
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom

# server side tls - offer tls encryption when an smtp client
# (either user email program or sending smtp server) can use it
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# client side - when we send to a server that offers tls, we should
# accept
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
smtp_tls_loglevel = 1
# http://www.postfix.org/TLS_README.html recommends leaving these
# lines commented out so we don't present a client certificate.
# It is rare to be required to have a client certificate and presenting
# one sometimes causes problems
#smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
#smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
}}}
 * Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off).
 * Postfix as secure mail relay setup
 * Install the sasl packages:
{{{
sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
}}}
 * Configure sasl. Edit /etc/default/saslauthd: uncomment {{{START=yes}}} and change MECHANISMS to read:
{{{
MECHANISMS="shadow"
}}}
 * Add postfix to the sasl group:
{{{
sudo addgroup postfix sasl
}}}
 * Make the /etc/postfix/ssl directory and copy the pem files there:
{{{
sudo mkdir /etc/postfix/ssl
sudo cp /wherever/server.pem /etc/postfix/ssl/
}}}
 * Edit main.cf:
{{{
# to enable authentication for sending email
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# TLS Stuff here:
smtpd_use_tls = yes
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
}}}
 * Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n".
 * Create /etc/postfix/sasl/smtpd.conf:
{{{
sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login
}}}

== Setup Postgrey ==

Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.

 * Install Postgrey:
{{{
sudo apt-get install postgrey
}}}
 * Edit /etc/default/postgrey, adding the following line:
{{{
POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
}}}
 * Restart postgrey:
{{{
/etc/init.d/postgrey restart
}}}
 * Edit /etc/postfix/main.cf and add the following to the end of the smtpd_recipient_restrictions stanza:
{{{
check_policy_service inet:127.0.0.1:60000
}}}

== Setup Courier ==

 * Create an empty shared/index file (to avoid getting error messages in the log):
{{{
mkdir /etc/courier/shared
touch /etc/courier/shared/index
}}}
 * Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:
{{{
cp server.mayfirst.org.pem /etc/courier/imapd.pem
cp server.mayfirst.org.pem /etc/courier/pop3d.pem
}}}
 If you are using Godaddy certificates, copy the godaddy bundle to /etc/courier/ (you can download it here: http://mayfirst.org/node/452).
 Then add this line to both imapd-ssl and pop3d-ssl:
{{{
TLS_TRUSTCERTS=/etc/courier/gd_intermediate_bundle.crt
}}}

== Setup amavis ==

 * Edit /etc/amavis/conf.d/50-user. Add the following lines:
{{{
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
$final_banned_destiny = D_PASS; # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

# *Don't* notify me about viruses. Please.
$virus_admin = '';
}}}
 * Add clamav to the amavis group with:
{{{
sudo addgroup clamav amavis
}}}
 * Add AllowSupplementaryGroups to /etc/clamav/clamd.conf.
 * Add a cron job to clean out viruses and spam collected by amavis: create /etc/cron.d/clean-up-virus with the contents:
{{{
# Find and delete all emails older than 14 days
2 4 * * * amavis find /var/lib/amavis/virusmails -mtime +14 -exec rm '{}' \;
}}}

== Configure Spamassassin ==

 * Install helper packages:
{{{
sudo apt-get install razor dcc-client
}}}
 * Add a new rule for spamassassin (debian etch or above only!)
 * Create /usr/local/share/spamassassin/plugins:
{{{
sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins
}}}
 * Download the ImageInfo plugin to that directory:
{{{
cd /usr/local/share/spamassassin/plugins
sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
}}}
 * Add the rule to /etc/spamassassin:
{{{
cd /etc/spamassassin
sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
}}}
 * Edit /etc/spamassassin/init.pre.
 Add the following line:
{{{
loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
}}}
 * Enable dcc - uncomment the line in /etc/spamassassin/v310.pre that refers to dcc.
 * Turn on subject munging (uncomment the line in /etc/spamassassin/local.cf).
 * Add a temporary workaround to get spamassassin to properly tag messages sent to us via tls by adding these lines to /etc/spamassassin/local.cf (change the hostname; see http://wiki.apache.org/spamassassin/DynablockIssues):
{{{
header LOCAL_AUTH_RCVD Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
score LOCAL_AUTH_RCVD -20
}}}
 * Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0).
 * Edit /etc/default/spamassassin - enable spamassassin.
 * Setup sa-update:
{{{
sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
# test with:
sudo sa-update -D
# make sure the above command exited cleanly
}}}
 Create a file in /etc/cron.daily called "mfpl-sa-update" with:
{{{
#!/bin/bash
sa-update && /etc/init.d/spamassassin restart
# always exit with 0 - sa-update will exit with 1 if no update is available
# and we don't want cron to report that to us
exit 0
}}}

== Maildrop ==

Edit /etc/maildroprc and add the following lines:
{{{
DEFAULT="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"
}}}

== Webmail setup ==

 * Symlink the squirrelmail apache conf file:
{{{
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
}}}
 * Edit the /etc/apache2/conf.d/horde.conf file.
 Add:
{{{
Redirect /webmail https://servername.mayfirst.org/horde3
}}}
 * Copy the various /etc/horde/*/conf.conf files from chavez.
 * Edit /etc/horde/imp4/servers.php (see chavez for details).
 * Run sudo /etc/squirrelmail/conf.pl:
   * Change 1: organizational preferences (org name, provider link, provider name)
   * Change 2: server settings: A IMAP Settings (port: 993, secure imap: true, server software: courier)
   * Plugins: install delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)
 * Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory.
 * Edit it - change the password to a good password.
 * Import into mysql: directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
{{{
mysql -u root -p horde < /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
}}}

== Install Drupal ==

 * Download from drupal.org into /usr/local/share/.
 * Name the drupal directory after the version (i.e. drupal-4.7.3).
 * Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7).
 * Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7 and place them into /usr/local/share/drupal-modules-4.7 on the target server.
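An added check for the suPHP section above (example code, not part of this page or of suPHP): it parses a suphp.conf and lists every [global] setting that is looser than the safer value shown in that file's own commented-out lines. PAGE_SUPHP_CONF is a condensed copy of the page's configuration.

```python
# Added example (not the page's or suPHP's code): audit the suphp.conf from the
# "Configure suPHP" section against the safer values its commented-out lines show.

# Safer defaults, taken from the ';key=value' lines of that suphp.conf.
SAFER_DEFAULTS = {
    "allow_file_group_writeable": "false",
    "allow_file_others_writeable": "false",
    "allow_directory_group_writeable": "false",
    "allow_directory_others_writeable": "false",
    "check_vhost_docroot": "true",
    "umask": "0077",
}

# Condensed copy of the [global]/[handlers] settings the page puts in /etc/suphp/suphp.conf.
PAGE_SUPHP_CONF = """
[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log
webserver_user=www-data
docroot=/
; Security options
;allow_file_group_writeable=false
allow_file_group_writeable=true
;allow_file_others_writeable=false
allow_file_others_writeable=true
;allow_directory_group_writeable=false
allow_directory_group_writeable=true
;allow_directory_others_writeable=false
allow_directory_others_writeable=true
;check_vhost_docroot=true
check_vhost_docroot=false
;umask=0077
umask=0022
min_uid=100
min_gid=100
[handlers]
x-httpd-php=php:/usr/bin/php-cgi
"""


def parse_suphp_conf(text):
    """Return {section: {key: value}}; ';' starts a comment, '=' splits key and value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            conf[section][key.strip()] = value.strip().lower()
    return conf


def audit_suphp(text):
    """List (key, actual, safer) for each [global] setting looser than its safer default.
    An absent key keeps suPHP's compiled-in default, which is the safer value."""
    settings = parse_suphp_conf(text).get("global", {})
    return [(key, settings.get(key, safe), safe)
            for key, safe in SAFER_DEFAULTS.items() if settings.get(key, safe) != safe]
```

On the page's configuration the audit reports all six relaxed settings; the four allow_*_writeable lines and check_vhost_docroot=false are the ones that let group- or world-writable scripts outside the vhost docroot run under the script owner's uid.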
== Configure Apache ==

 * In /etc/apache2/sites-available/default change {{{NameVirtualHost *}}} to {{{NameVirtualHost *:80}}}.
 * Change the ServerAdmin and DocumentRoot lines to:
{{{
ServerAdmin apache@mayfirst.org
DocumentRoot /srv/apache/web
}}}
 (create this directory and an index.html file in it)

== Configure logrotate ==

Create a file called apache2-red in the /etc/logrotate.d directory with:
{{{
/home/members/*/sites/*/logs/*.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}
}}}

== Configure logcheck ==

Copy from Wiwa to the server:
{{{
/etc/logcheck/logcheck.conf
/etc/logcheck/ignore.d.server/local-*
}}}

== Configure cron-apt ==

Edit the cron-apt configuration in /etc/cron-apt and change the MAILON line to:
{{{
MAILON="upgrade"
}}}

== Configure Awstats ==

 * Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory.
 * Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from chavez to the target server.
 * Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/.
 * Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats.

== Configure Mutt ==

Create /etc/Muttrc.d and put a file named maildir.rc in it with:
{{{
set mbox_type=Maildir
set mbox=~/Maildir
set spoolfile=~/Maildir
set folder=~/Maildir
}}}

== Change ssh ==

Make sure the following settings are set:
{{{
PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes
}}}

== Configure phpmyadmin ==

Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d:
{{{
cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
}}}
Add the phpmyadmin alias:
{{{
echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
}}}

== Setup Backup ==

 * Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server.
 * Edit /etc/mf-backup.xml as needed.
 * Be sure to grant the mysql backup user the proper permissions with:
{{{
GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret';
}}}
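The exchange behind the check_policy_service line in the Postgrey section, as an added example that is not postgrey's own code: it parses a Postfix policy-delegation request and applies a deliberately simplified greylist decision (real postgrey also keys on the client's /24 and auto-whitelists clients that retry correctly). SAMPLE_REQUEST is constructed; GREYLIST_TEXT is the POSTGREY_TEXT value from the page.

```python
# Added example, not postgrey's code: models the exchange behind the page's
# "check_policy_service inet:127.0.0.1:60000". Postfix sends "name=value" lines
# ended by a blank line; the policy server answers "action=...\n\n". Simplified:
# real postgrey also keys on the client's /24 and auto-whitelists good retriers.
import time

GREYLIST_DELAY = 300  # postgrey's 5-minute default, as the page describes
GREYLIST_TEXT = "Greylisted, see http://mayfirst.org/greylist"  # POSTGREY_TEXT from the page


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request into a dict of attributes."""
    attrs = {}
    for line in raw.splitlines():
        if not line:  # the empty line terminates the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    """In-memory greylist keyed on the (client, sender, recipient) triplet."""
    def __init__(self, delay=GREYLIST_DELAY, text=GREYLIST_TEXT):
        self.delay = delay
        self.text = text
        self.first_seen = {}  # triplet -> time of the first attempt

    def decide(self, attrs, now=None):
        """Return the response Postfix expects for one request."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # 4xx temporary failure: a real MTA retries later, most spam bots don't
            return f"action=DEFER_IF_PERMIT {self.text}\n\n"
        # No opinion: the restrictions after check_policy_service decide. Because
        # the page lists permit_sasl_authenticated and permit_mynetworks first,
        # authenticated and local senders never reach the greylist at all.
        return "action=DUNNO\n\n"


# Constructed sample request, in the shape Postfix writes to the policy socket.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@mayfirst.org\n"
    "\n"
)

if __name__ == "__main__":
    greylist = Greylist()
    request = parse_policy_request(SAMPLE_REQUEST)
    print(greylist.decide(request, now=0).strip())    # first attempt: deferred
    print(greylist.decide(request, now=301).strip())  # after the delay: DUNNO
```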