wiki:configure_new_server

Version 3 (modified by Jamie McClelland, 13 years ago)


Setup Debian Server for May First/People Link

Purchase an ssl certificate

Generate a private key and certificate signing request.

openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr

Change the domain@… email alias to point to your address.

Go to Dotster (which is a Thawte reseller) for server.mayfirst.org (from the Dotster home page click Other Products -> SSL, and get the 123 certificate).

This will take a day or so to be generated.

Once generated, log in to Dotster using the mayfirst username. Click on My Services. You should see the new SSL cert listed.

Click Manage services.

Copy the CRT into a file called:

server.mayfirst.org.pem

(replace server with the name of the server being setup)

then add DH parameters with:

openssl gendh >> server.mayfirst.org.pem

This file will be used by Courier.

Now, put each one in a separate file called:

server.mayfirst.org.key

server.mayfirst.org.crt

These will be used by Apache.
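Two checks worth running before the key, CRT and pem files are put in place, added here as an example (not from the original page): the first confirms that the certificate Dotster returned belongs to the key generated with openssl genrsa above, the second that the pem handed to Courier carries all three PEM blocks it reads from that one file. The function names are assumptions; the openssl command line tool must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Two checks for the files
# produced in the steps above. Assumes the openssl command line tool.

# key_matches_cert KEYFILE CRTFILE
# Returns 0 when the certificate's public key is the one in KEYFILE, 1 when
# it is not (wrong CRT, or key regenerated after the CSR was sent), 2 when
# either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# pem_bundle_complete PEMFILE
# Courier reads its private key, certificate and DH parameters from one
# file, so the pem given to it must carry all three PEM blocks.
pem_bundle_complete() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Usage: key_matches_cert server.mayfirst.org.key server.mayfirst.org.crt
#        pem_bundle_complete server.mayfirst.org.pem
```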

Use volatile for SpamAssassin and ClamAV

  • Edit /etc/apt/sources.list. Add the following:
    # clamav (volatile) and spam assassin (volatile-sloppy)
    deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
    deb http://debian.domainmail.org/debian-volatile etch/volatile main
    
  • Edit (or add) /etc/apt/preferences. Add the following:
    Package: spamassassin
    Pin: release a=etch-sloppy
    Pin-Priority: 991
    
    Package: spamc
    Pin: release a=etch-sloppy
    Pin-Priority: 991
    

Install debian packages

$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute  bzip2

Now, install php-pear and php-log. You must install these before installing imp4, or else imp4 will try to pull in unneeded php4 packages.

sudo apt-get install php-pear php-log

And now, imp4:

sudo apt-get install imp4 turba2 ingo1

Add the PEAR File package so that Turba (address book) can import address books. First try apt, but don't do it if it still tries to pull in php4 (which it was trying as of April 11, 2007):

sudo apt-get install php-file

If it is trying to pull in php4, then install it via pear:

sudo pear install -o File

Configure HE routes

In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes.

Create a file called add-he-routes with the following contents:

#!/bin/bash
# add routes for alternate blocks in rack
#ip route add 209.51.172.0/28 dev eth0
ip route add 209.51.169.80/28 dev eth0
#ip route add 209.51.163.192/28 dev eth0
ip route add 209.51.180.16/28 dev eth0

Comment out the line representing the network this server is on.

Save the file in /etc/network/if-up.d and chmod it to 755.

And add a corresponding file that removes the routes again:

#!/bin/bash
# remove routes for alternate blocks in rack
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
#ip route del 209.51.180.16/28

Save the file in /etc/network/if-down.d and chmod it to 755.
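Rather than commenting out the right line by hand in both scripts, the two files can be derived from the server's own address. This is an added example, not code from the original page: the BLOCKS list is the one from the scripts above, and the function names (ip_to_int, in_block, routes_for, gen_script) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: derive the add-he-routes /
# del-he-routes scripts from the server's own address instead of commenting a
# line out by hand. BLOCKS are the rack's alternate blocks listed above.
BLOCKS="209.51.172.0/28 209.51.169.80/28 209.51.163.192/28 209.51.180.16/28"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_block ADDR CIDR -> 0 if ADDR falls inside CIDR
in_block() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# routes_for ADDR -> every block except the one this server lives in, one
# per line (the page's "comment out the line for your own network")
routes_for() {
    for b in $BLOCKS; do
        in_block "$1" "$b" || echo "$b"
    done
}

# gen_script up|down ADDR -> body of the if-up.d / if-down.d script
gen_script() {
    echo '#!/bin/bash'
    if [ "$1" = up ]; then
        echo '# add routes for alternate blocks in rack'
        for b in $(routes_for "$2"); do echo "ip route add $b dev eth0"; done
    else
        echo '# remove routes for alternate blocks in rack'
        for b in $(routes_for "$2"); do echo "ip route del $b"; done
    fi
}

# Example: gen_script up 209.51.169.90 > /etc/network/if-up.d/add-he-routes
```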

Configure suPHP

  • Use dpkg-statoverride to change the ownership of our common PHP web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
    #!/bin/bash -e
    
    #
    # phpmyadmin
    #
    # use /var/lib/phpmyadmin as home dir because it already exists
    
    if ! getent passwd phpmyadmin > /dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false --gid 65534 phpmyadmin
    fi
    #userdel phpmyadmin
    phpmyadmin_files=$(dpkg -L phpmyadmin | grep '\.php')
    
    for file in $phpmyadmin_files; do
        dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    #
    # horde: share one user between horde and imp and any other horde apps
    #
    # use /var/log/horde as home directory because it already exists
    if ! getent passwd horde > /dev/null; then
        adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false --gid 65534 horde
    fi
    #userdel horde
    
    # chown the directory recursively to get existing logs
    # it is written to by the web process
    chown -R horde /var/log/horde
    chown horde /etc/horde/horde3/conf.php
    #chmod 600 /etc/horde/horde3/conf.php
    
    # add it to the mix
    dpkg-statoverride --add --update --force --quiet horde nogroup 644 /var/log/horde
    #dpkg-statoverride --remove /var/log/horde
    
    # ack - this is not maintainable!
    perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
    
    horde_files=$(dpkg -L horde3 | grep '\.php')
    imp_files=$(dpkg -L imp4 | grep '\.php')
    turba_files=$(dpkg -L turba2 | grep '\.php')
    ingo_files=$(dpkg -L ingo1 | grep '\.php')
    all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
    
    for file in $all_horde_files; do
        dpkg-statoverride --add --update --force --quiet horde nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    #
    # squirrelmail
    #
    if ! getent passwd squirrelmail > /dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false --gid 65534 squirrelmail
    fi
    #userdel squirrelmail
    sm_files=$(dpkg -L squirrelmail | grep '\.php')
    
    chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
    dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
    
    #dpkg-statoverride --remove /var/lib/squirrelmail/data
    
    for file in $sm_files; do
        dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    
  • Edit /etc/suphp/suphp.conf
    [global]
    ;Path to logfile
    logfile=/var/log/suphp/suphp.log
    
    ;Loglevel
    loglevel=info
    
    ;User Apache is running as
    webserver_user=www-data
    
    ;Path all scripts have to be in
    docroot=/
    
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    
    ; Security options
    ;allow_file_group_writeable=false
    allow_file_group_writeable=true
    ;allow_file_others_writeable=false
    allow_file_others_writeable=true
    ;allow_directory_group_writeable=false
    allow_directory_group_writeable=true
    ;allow_directory_others_writeable=false
    allow_directory_others_writeable=true
    
    ;Check whether script is within DOCUMENT_ROOT
    ;check_vhost_docroot=true
    check_vhost_docroot=false
    
    ;Send minor error messages to browser
    errors_to_browser=false
    
    ;PATH environment variable
    env_path=/bin:/usr/bin
    
    ;Umask to set, specify in octal notation
    ;umask=0077
    umask=0022
    
    ; Minimum UID
    min_uid=100
    
    ; Minimum GID
    min_gid=100
    
    
    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/usr/bin/php-cgi
    
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
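
The suphp.conf above switches off the writeable-file and writeable-directory checks that suPHP applies by default, so nothing will refuse a PHP file that has become group- or world-writable after the statoverride script has run. The audit below, added here as an example (not part of the original page; the function name audit_php_tree is an assumption), reports what those default checks would have caught, using the min_uid/min_gid values from the config. It relies on GNU stat as shipped in Debian coreutils.

```shell
#!/bin/sh
# Added example, not from the original wiki page: list what suPHP's default
# safety checks would refuse in a web tree. The suphp.conf on this page turns
# those checks off (allow_*_writeable=true), so this shows what that
# relaxation lets through. Requires GNU stat (Debian coreutils).

# audit_php_tree DIR MIN_UID MIN_GID
# Prints one "reason path" line per finding; returns 0 when the tree is
# clean and 1 otherwise. MIN_UID/MIN_GID mirror min_uid/min_gid in
# suphp.conf (100 on this page). Paths must not contain whitespace.
audit_php_tree() {
    dir=$1; min_uid=$2; min_gid=$3; findings=0
    for f in $(find "$dir" -type f -name '*.php' | sort); do
        # octal mode, numeric owner uid and gid of the script
        set -- $(stat -c '%a %u %g' "$f")
        fmode=$1; fuid=$2; fgid=$3
        # octal mode of the directory holding it
        set -- $(stat -c '%a' "$(dirname "$f")")
        dmode=$1
        # 022 (octal) = group-write | others-write
        if [ $(( 0$fmode & 022 )) -ne 0 ]; then
            echo "file-writable-by-group-or-others $f"
            findings=$((findings + 1))
        fi
        if [ $(( 0$dmode & 022 )) -ne 0 ]; then
            echo "directory-writable-by-group-or-others $f"
            findings=$((findings + 1))
        fi
        if [ "$fuid" -lt "$min_uid" ] || [ "$fgid" -lt "$min_gid" ]; then
            echo "owner-below-minimum-uid-or-gid $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Example: audit_php_tree /usr/share/phpmyadmin 100 100
```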
    

Configure fail2ban

Create /etc/fail2ban/jail.local and add the following lines to it (settings in jail.local override the same settings in jail.conf):

[DEFAULT]
bantime = 200

action = iptables[name=%(__name__)s, port=%(port)s]
         mail-whois[name=%(__name__)s, dest=%(destemail)s]

Install Red

  • Edit /etc/apt/sources.list - make sure non-free is there, e.g.:

deb http://http.us.debian.org/debian stable main contrib non-free

If you add anything to this line, run sudo apt-get update afterwards.

$ sudo apt-get install ucspi-tcp-src
$ sudo build-ucspi-tcp
  • Create a user in the red database with (change sylvia to name of server):
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
  • Download the source from cvs

copy and paste the following commands

$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir /usr/local/etc
$ sudo mkdir /usr/local/etc/red
$ cd /usr/local/share/red/server/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in *.sample; do sudo cp "$file" "/usr/local/etc/red/${file%.sample}"; done

this last one, in case you are interested, copies all the files that end in .sample in this directory to files that strip the .sample part out.

  • Edit the file called pinky. Change the IP address to the machine's real IP address. Also edit red_server.conf to add the database user and password.
  • Launch pinky with:
    $ sudo /usr/local/sbin/pinky &
    

Postfix setup

  • Create aliases in /etc/aliases
www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org

Don't forget to run newaliases!

  • Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix:

sudo touch virtual_alias_maps virtual_alias_domains access

Create an empty access database (later we can add entries in access to restrict or allow senders):

sudo postmap access
  • Add the following to the bottom of the /etc/postfix/main.cf file:
# May First custom config
# file based virtual hosting configuration

# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

# use maildir
home_mailbox = Maildir/

# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1

# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions =
    hash:/etc/postfix/access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

# Added for amavisd-new
content_filter = smtp-amavis:[127.0.0.1]:10024
  • Copy the /etc/postfix/master.cf file from chavez to get the amavis settings.
  • Postfix as secure mail relay setup
  • Install the sasl packages
    sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
    
  • Configure sasl
    sudo vim /etc/default/saslauthd
    

Uncomment START=yes and change MECHANISMS to read: MECHANISMS="shadow"

  • Add postfix to the sasl group
    sudo addgroup postfix sasl
    
  • Make the /etc/postfix/ssl directory and copy the pem files there
    sudo mkdir /etc/postfix/ssl
    sudo cp /wherever/server.pem /etc/postfix/ssl/
    
  • Edit main.cf
    # to enable authentication for sending email
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    
    # TLS Stuff here:
    smtpd_use_tls = yes
    # force people who want to authenticate to use tls - you can't authenticate
    # otherwise. This is important because passwords are sent in the clear
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
  • Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
  • Create /etc/postfix/sasl/smtpd.conf
sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login

Setup Postgrey

Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.

  • Install Postgrey
    sudo apt-get install postgrey
    
  • Edit /etc/default/postgrey adding the following line:
    POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
    
  • Restart postgrey
    /etc/init.d/postgrey restart
    
  • Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
    check_policy_service inet:127.0.0.1:60000
    

Setup Courier

  • Create an empty shared/index file (to avoid getting error messages in the log):
    mkdir /etc/courier/shared
    touch /etc/courier/shared/index
    
  • Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:
    cp server.mayfirst.org.pem /etc/courier/imapd.pem
    cp server.mayfirst.org.pem /etc/courier/pop3d.pem
    

Setup amavis

  • Edit /etc/amavis/conf.d/50-user

Add the following lines:

@bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
$final_banned_destiny = D_PASS;  # D_REJECT when front-end MTA
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS;

  • Add clamav to the amavis group with:
    sudo addgroup clamav amavis
    
  • Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
  • Add a cron job to clean out viruses and spam collected by amavis: create /etc/cron.d/clean-up-virus with the contents:

# Find and delete all emails older than 14 days
2 4 * * * amavis find /var/lib/amavis/virusmails -mtime +14 -exec rm '{}' \;

Configure Spamassassin

  • Install helper packages
    sudo apt-get install razor dcc-client
    
  • Add a new rule for spamassassin (debian etch or above only!)
    • Create /usr/local/share/spamassassin/plugins
      sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins
      
    • Download the ImageInfo plugin to that directory
      cd /usr/local/share/spamassassin/plugins
      sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
      
    • Add the rule to /etc/spamassassin
      cd /etc/spamassassin
      sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
      
    • Edit /etc/spamassassin/init.pre. Add the following line:
      loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
      

  • Enable DCC - uncomment the line in /etc/spamassassin/v310.pre that refers to dcc
  • Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
  • Add temporary work around to get spamassassin to properly tag messages sent to us via tls by adding this line to /etc/spamassassin/local.cf:
    header LOCAL_AUTH_RCVD    Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
    score LOCAL_AUTH_RCVD -20
    

(edit the host name to match this server; see http://wiki.apache.org/spamassassin/DynablockIssues)

  • Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0)
  • Edit /etc/default/spamassassin - enable spamassassin
  • Setup sa-update
    sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
    # test with (make sure this command exits cleanly):
    sudo sa-update -D
    
  • Create a file in /etc/cron.daily called "mfpl-sa-update" with:
    #!/bin/bash
    sa-update && /etc/init.d/spamassassin restart
    # always exit with 0 - sa-update will exit with 1 if no update is available
    # and we don't want cron to report that to us
    exit 0
    

Maildrop

Edit /etc/maildroprc and add the following lines:

DEFAULT="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"

Webmail setup

  • Symlink the squirrelmail apache conf file:
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
  • Edit the /etc/apache2/conf.d/horde.conf file. Add:
    Redirect /webmail https://servername.mayfirst.org/horde3
    
  • Copy the various /etc/horde/*/conf.conf files from chavez
  • Edit /etc/horde/imp4/servers.php (see chavez for details)
  • Run sudo /etc/squirrelmail/conf.pl
  • Change 1: organizational preferences (org name, provider link, provider name)
  • Change 2: server settings: A IMAP Settings (port: 993, secure imap: true, server software: courier)
  • Plugins: install: delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)

  • Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
  • Edit - change the password to a good password
  • Import into mysql
  • Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
    mysql -u root -p horde <  /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
    

Install Drupal

  • Download from drupal.org into: /usr/local/share/
  • Name the drupal directory after the version (i.e. drupal-4.7.3)
  • Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
  • Tar up and copy all the files from wiwa's /usr/local/share/drupal-modules-4.7 and place them into /usr/local/share/drupal-modules-4.7 on the target server.

Configure Apache

  • In /etc/apache2/sites-available/default change NameVirtualHost * to NameVirtualHost *:80
  • Change <VirtualHost *> to <VirtualHost *:80>, set ServerAdmin apache@… and DocumentRoot /srv/apache/web (create this directory and an index.html file in it)

Configure logrotate

Create a file called apache2-red in the /etc/logrotate.d directory with:

/home/members/*/sites/*/logs/*.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}

Configure logcheck

Copy from Wiwa to the server: /etc/logcheck/logcheck.conf /etc/logcheck/ignore.d.server/local-*

Configure cron-apt

Edit the cron-apt config in /etc/cron-apt and change the MAILON line to MAILON="upgrade"

Configure Awstats

  • Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
  • Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from chavez to the target server.

  • Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
  • Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats

Configure Mutt

Create /etc/Muttrc.d and put a file named maildir.rc with

set mbox_type=Maildir
set mbox=~/Maildir
set spoolfile=~/Maildir
set folder=~/Maildir

Change ssh

Make sure the following settings are set in /etc/ssh/sshd_config:

PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes

Configure phpmyadmin

Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d:

cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin

Add the phpmyadmin alias:

echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin

Setup Backup

  • Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
  • Edit /etc/mf-backup.xml as needed
  • Be sure to grant the mysql backup user the proper permissions with:
    GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' IDENTIFIED BY 'secret';