
Version 5 (modified by Jamie McClelland, 12 years ago)


Setup Debian Server for May First/People Link

Purchase an ssl certificate

  • Generate a private key and certificate signing request.
openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
  • Change the domain@… email alias to point to your address.
  • Go to Dotster (which is a thawte reseller) for server.mayfirst.org (from Dotster home page click Other Products -> ssl, get the 123 certificate). This will take a day or so to be generated.
  • Once generated, login to Dotster using the mayfirst username. Click on My Services. You should see the new ssl Cert listed.

  • Click Manage services.
  • Copy the CRT into a file called: server.mayfirst.org.pem (replace server with the name of the server being setup)
  • Then add DH parameters with:
openssl gendh >> server.mayfirst.org.pem

This file will be used by courier

  • Now put the key and the certificate into separate files called server.mayfirst.org.key and server.mayfirst.org.crt (these will be used by apache)

Use volatile for SA and clamav

  • Edit /etc/apt/sources.list. Add the following:
    # clamav (volatile) and spam assassin (volatile-sloppy)
    deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
    deb http://debian.domainmail.org/debian-volatile etch/volatile main
    
  • Edit (or add) /etc/apt/preferences. Add the following
    Package: spamassassin
    Pin: release a=etch-sloppy
    Pin-Priority: 991
    
    Package: spamc
    Pin: release a=etch-sloppy
    Pin-Priority: 991
    

Install debian packages

$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute bzip2 imagemagick php-pear php-log imp4 turba2 ingo1 php-file

Configure HE routes

In order to route traffic directly from computer to computer (across different subnetworks) we need to add routes for the other blocks in the rack:

  • Create a file called add-he-routes with the following contents:
#!/bin/bash
# add routes for alternate blocks in rack
#ip route add 209.51.172.0/28 dev eth0
ip route add 209.51.169.80/28 dev eth0
#ip route add 209.51.163.192/28 dev eth0
ip route add 209.51.180.16/28 dev eth0
ip route add 209.51.163.0/27 dev eth0
  • Comment out the line representing the network this server is on
  • Save the file in /etc/network/if-up.d and chmod it to 755
  • And add a corresponding file:
#!/bin/bash
# remove routes for alternate blocks in rack
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
#ip route del 209.51.180.16/28
ip route del 209.51.163.0/27
  • Save the file in /etc/network/if-down.d and chmod it to 755
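The step of commenting out the line for the host's own block is easy to get wrong when the add and del files drift apart (compare the two samples above). As an added example, not part of the page or of May First's own scripts, the POSIX sh helper below works out which of the page's five blocks contains the host's address with shell arithmetic alone and prints the add-he-routes lines for the others; the block list is the page's, the function names and the sample addresses are this example's own.

```sh
#!/bin/sh
# Added example (not part of the page): derive the add-he-routes lines for a
# host from its own address instead of editing the list by hand.
# The block list is the page's; function names are this example's own.

# The alternate blocks in the rack, from the page's add-he-routes file.
HE_BLOCKS="209.51.172.0/28 209.51.169.80/28 209.51.163.192/28 209.51.180.16/28 209.51.163.0/27"

# ip_to_int A.B.C.D -> the address as a 32-bit integer (shell arithmetic only).
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/PREFIX -> exit 0 when IP lies inside NET/PREFIX.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    # netmask with the top PREFIX bits set, kept to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# routes_for LOCAL_IP -> the "ip route add" lines a host with that address
# needs, with its own block left out (the step the page does by hand).
routes_for() {
    for block in $HE_BLOCKS; do
        if in_cidr "$1" "$block"; then
            echo "# $block contains $1: this host's own block, no route needed"
        else
            echo "ip route add $block dev eth0"
        fi
    done
}

# route_count LOCAL_IP -> how many routes routes_for would add.
route_count() {
    routes_for "$1" | grep -c '^ip route add'
}
```

On a host whose address is 209.51.180.20 (a constructed sample), `routes_for 209.51.180.20` prints four `ip route add` lines and a comment for 209.51.180.16/28; prefix the output with the `#!/bin/bash` line from the page and save it as /etc/network/if-up.d/add-he-routes. The same function with `del` substituted for `add` gives the matching if-down.d file, so the two can no longer disagree about which block is local.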

Configure suPHP

  • Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
    #!/bin/bash -e
    
    #
    # phpmyadmin
    #
    # use /var/lib/phpmyadmin as home dir because it already exists
    
    # look the account up by name rather than grepping the passwd file,
    # so a user whose name merely contains "phpmyadmin" does not match
    if ! getent passwd phpmyadmin >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false --gid 65534 phpmyadmin
    fi
    #userdel phpmyadmin
    phpmyadmin_files=$(dpkg -L phpmyadmin | grep '\.php')
    
    for file in $phpmyadmin_files; do
        dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    #
    # horde: share one user between horde and imp and any other horde apps
    #
    # use /var/log/horde as home directory because it already exists
    if ! getent passwd horde >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false --gid 65534 horde
    fi
    #userdel horde
    
    # chown the directory recursively to get existing logs
    # it is written to by the web process
    chown -R horde /var/log/horde
    chown horde /etc/horde/horde3/conf.php
    #chmod 600 /etc/horde/horde3/conf.php
    
    # add it to the mix
    dpkg-statoverride --add --update --force --quiet horde nogroup 644 /var/log/horde
    #dpkg-statoverride --remove /var/log/horde
    
    # ack - this is not maintainable!
    perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
    
    horde_files=$(dpkg -L horde3 | grep '\.php')
    imp_files=$(dpkg -L imp4 | grep '\.php')
    turba_files=$(dpkg -L turba2 | grep '\.php')
    ingo_files=$(dpkg -L ingo1 | grep '\.php')
    all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
    
    for file in $all_horde_files; do
        dpkg-statoverride --add --update --force --quiet horde nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    #
    # squirrelmail
    #
    if ! getent passwd squirrelmail >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false --gid 65534 squirrelmail
    fi
    #userdel squirrelmail
    sm_files=$(dpkg -L squirrelmail | grep '\.php')
    
    chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
    dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
    
    #dpkg-statoverride --remove /var/lib/squirrelmail/data
    
    for file in $sm_files; do
        dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 444 "$file"
        #dpkg-statoverride --remove "$file"
    done
    
    
  • Edit /etc/suphp/suphp.conf
    [global]
    ;Path to logfile
    logfile=/var/log/suphp/suphp.log
    
    ;Loglevel
    loglevel=info
    
    ;User Apache is running as
    webserver_user=www-data
    
    ;Path all scripts have to be in
    docroot=/
    
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    
    ; Security options
    ;allow_file_group_writeable=false
    allow_file_group_writeable=true
    ;allow_file_others_writeable=false
    allow_file_others_writeable=true
    ;allow_directory_group_writeable=false
    allow_directory_group_writeable=true
    ;allow_directory_others_writeable=false
    allow_directory_others_writeable=true
    
    ;Check whether script is within DOCUMENT_ROOT
    ;check_vhost_docroot=true
    check_vhost_docroot=false
    
    ;Send minor error messages to browser
    errors_to_browser=false
    
    ;PATH environment variable
    env_path=/bin:/usr/bin
    
    ;Umask to set, specify in octal notation
    ;umask=0077
    umask=0022
    
    ; Minimum UID
    min_uid=100
    
    ; Minimum GID
    min_gid=100
    
    
    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/usr/bin/php-cgi
    
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
    

Configure fail2ban

Create /etc/fail2ban/jail.local. Modify the following lines, by adding them to the jail.local file that you just created:

[DEFAULT]
bantime  = 200

action = iptables[name=%(__name__)s, port=%(port)s]
         mail-whois[name=%(__name__)s, dest=%(destemail)s]

Install Red

  • Edit /etc/apt/sources.list - make sure non-free is there, e.g.: deb http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
    $ sudo apt-get install ucspi-tcp-src
    $ sudo build-ucspi-tcp
    
  • Create a user in the red database with (change sylvia to name of server):
GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';
  • Download the source from cvs
  • Copy and paste the following commands
$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir /usr/local/etc
$ sudo mkdir /usr/local/etc/red
$ cd /usr/local/share/red/server/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in *.sample; do sudo cp "$file" "/usr/local/etc/red/${file%.sample}"; done
  • Edit the file called pinky. Change the IP address to the machine's real IP address. Also edit red_server.conf to add the database user and password.
  • Launch pinky with:
    $ sudo /usr/local/sbin/pinky &
    

Postfix setup

  • Create aliases in /etc/aliases
www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org
  • Don't forget to run newaliases!
  • Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix
sudo touch virtual_alias_maps virtual_alias_domains access

Create an empty access database (later we can add entries in access to restrict or allow senders):

sudo postmap access
  • Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name)
# May First custom config
# file based virtual hosting configuration
# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

# use maildir
home_mailbox = Maildir/

# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1

# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions =
  hash:/etc/postfix/access,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

# Added for amavisd-new
content_filter=smtp-amavis:[127.0.0.1]:10024

# to enable authentication for sending email
# and postgrey (policy port 6000 line)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_invalid_hostname,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:60000

# TLS Stuff here:
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom

# server side tls - offer tls encryption when an smtp client
# (either user email program or sending smtp server) can use it
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# client side - when we send to a server that offers tls, we should
# accept
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
smtp_tls_loglevel = 1
# http://www.postfix.org/TLS_README.html recommends leaving these
# lines commented out so we don't present a client certificate.
# It is rare to be required to have a client certificate and presenting
# one sometimes causes problems
#smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
#smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem

  • Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off)
  • Postfix as secure mail relay setup
  • Install the sasl packages
    sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
    
  • Configure sasl. Edit /etc/default/saslauthd
    Uncomment START = yes
    Change MECHANISMS to read:
    MECHANISMS="shadow"
    
  • Add postfix to the sasl group
    sudo addgroup postfix sasl
    
  • Make the /etc/postfix/ssl directory and copy the pem files there
    sudo mkdir /etc/postfix/ssl
    sudo cp /wherever/server.pem /etc/postfix/ssl/
    
  • Edit main.cf
    # to enable authentication for sending email
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    
    # TLS Stuff here:
    smtpd_use_tls = yes
    # force people who want to authenticate to use tls - you can't authenticate
    # otherwise. This is important because passwords are sent in the clear
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
  • Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
  • Create /etc/postfix/sasl/smtpd.conf
sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login
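The two main.cf fragments above are meant to leave the server in a specific state: SASL logins are accepted only after STARTTLS (so passwords never cross the wire in the clear, as the comment in the file says), anonymous SASL is refused, and smtpd_recipient_restrictions still contains reject_unauth_destination so that authenticated relaying does not turn into an open relay. As an added example, not part of the page or of Postfix, the POSIX sh script below reads those parameters from a main.cf file, honouring Postfix's rule that a line starting with whitespace continues the previous logical line (which is how the page's multi-line restrictions stanza is written), and reports which of the three conditions a file fails. The function names and the two constructed sample files are this example's own; on a live server `postconf -n` prints the effective non-default settings and is the authoritative source.

```sh
#!/bin/sh
# Added example (not part of the page or Postfix): lint the relay-related
# settings of a main.cf file. Function names and sample files are this
# example's own; "postconf -n" is the real tool on a running server.

# pf_get FILE PARAM -> value of PARAM with continuation lines joined,
# blank and comment lines ignored, later definitions overriding earlier ones.
pf_get() {
    awk -v want="$2" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                     # ignored by Postfix
        /^[ \t]/ { if (cur == want) val = val " " $0; next }   # continuation line
        {
            cur = $0; sub(/[ \t]*=.*/, "", cur)              # parameter name
            if (cur == want) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        }
        END {
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }
    ' "$1"
}

# pf_has FILE PARAM WORD -> exit 0 when WORD is one entry of PARAM's list.
pf_has() {
    pf_get "$1" "$2" | tr ',' ' ' | tr ' ' '\n' | grep -qx -- "$3"
}

# relay_check FILE -> prints one line per finding; exit 1 if anything was found.
# The three conditions are the ones the page's main.cf is written to meet.
relay_check() {
    f=$1
    rc=0
    pf_has "$f" smtpd_recipient_restrictions reject_unauth_destination \
        || { echo "open relay risk: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1; }
    [ "$(pf_get "$f" smtpd_tls_auth_only)" = yes ] \
        || { echo "smtpd_tls_auth_only is not yes: SASL passwords may be sent without TLS"; rc=1; }
    pf_has "$f" smtpd_sasl_security_options noanonymous \
        || { echo "smtpd_sasl_security_options lacks noanonymous"; rc=1; }
    return $rc
}

# Constructed sample: the settings the page prescribes.
sample_good() {
cat <<'EOF'
# May First custom config
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:60000
EOF
}

# Constructed sample: the same file with the relay guard dropped and
# TLS-only authentication switched off.
sample_weak() {
cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks
EOF
}
```

`relay_check /etc/postfix/main.cf` is silent and exits 0 on a file written as the page describes; on the weak sample it prints two findings and exits 1, which makes it usable from the cron-apt or logcheck runs the page sets up later.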

Setup Postgrey

Postgrey defers all mail for 5 minutes the first time it sees a message with a never-before-seen combination of sending client, sender and recipient; real mail servers retry, most spam senders do not, so a lot of spam is never delivered.

  • Install Postgrey
    sudo apt-get install postgrey
    
  • Edit /etc/default/postgrey adding the following line:
    POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
    
  • Restart postgrey
    /etc/init.d/postgrey restart
    
  • Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
    check_policy_service inet:127.0.0.1:60000
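To make the greylisting decision concrete, here is an added example, not part of the page or of Postgrey, that models it in POSIX sh: a flat state file records when each client/sender/recipient triplet was first seen, and a triplet is deferred until the 5-minute delay the page mentions has passed. The state-file layout, function names, delay constant and sample triplets are this example's own; Postgrey itself also auto-whitelists well-behaved clients and expires old entries, which this model leaves out.

```sh
#!/bin/sh
# Added example (not part of the page or Postgrey): a minimal model of the
# greylisting decision. State file layout and names are this example's own.

GREY_DELAY=300                         # seconds a new triplet is deferred (5 min)
GREY_DB=${GREY_DB:-/tmp/greylist.$$}   # constructed state file path (assumption)

# greylist_reset -> start with an empty state file.
greylist_reset() {
    : > "$GREY_DB"
}

# greylist CLIENT SENDER RECIPIENT NOW -> prints DEFER or PASS.
# NOW is a unix timestamp passed in so the logic can be exercised offline.
# On first sight the triplet is recorded with NOW as its first-seen time.
greylist() {
    key="$1 $2 $3"
    now=$4
    first=$(awk -v k="$key" '($1 " " $2 " " $3) == k { print $4; exit }' "$GREY_DB" 2>/dev/null)
    if [ -z "$first" ]; then
        echo "$key $now" >> "$GREY_DB"     # never seen: remember it and defer
        echo DEFER
    elif [ $(( now - first )) -lt "$GREY_DELAY" ]; then
        echo DEFER                         # retried too early: still deferred
    else
        echo PASS                          # retried after the delay: accept
    fi
}

# greylist_known -> number of triplets currently recorded.
greylist_known() {
    wc -l < "$GREY_DB" | tr -d ' '
}
```

A legitimate server that retries after its queue's usual few minutes gets PASS on the second attempt once 300 seconds have elapsed; a sender that never retries, or retries from a different address, never gets past DEFER. The same decision is what Postfix asks for over the policy socket at inet:127.0.0.1:60000 configured above.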
    

Setup Courier

  • Create a shared/index file that is empty (to avoid getting error messages in the log)
    mkdir /etc/courier/shared
    touch /etc/courier/shared/index
    
  • Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:
    cp server.mayfirst.org.pem /etc/courier/imapd.pem
    cp server.mayfirst.org.pem /etc/courier/pop3d.pem
    

Setup amavis

  • Edit /etc/amavis/conf.d/50-user. Add the following lines:
    @bypass_virus_checks_maps = (
        \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    $final_banned_destiny = D_PASS;  # D_REJECT when front-end MTA
    $final_spam_destiny = D_PASS;
    $final_bad_header_destiny = D_PASS;
    

  • Add clamav to the amavis group with:
    sudo addgroup clamav amavis
    
  • Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
  • Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:
    # Find and delete all emails older than 14 days
    2 4 * * *       amavis  find /var/lib/amavis/virusmails -mtime +14  -exec rm '{}' \;
    

Configure Spamassassin

  • Install helper packages
    sudo apt-get install razor dcc-client
    
  • Add a new rule for spamassassin (debian etch or above only!)
  • Create /usr/local/share/spamassassin/plugins
    sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins
    
  • Download the ImageInfo plugin to that directory
    cd /usr/local/share/spamassassin/plugins
    sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
    
  • Add rule to /etc/spamassassin
    cd /etc/spamassassin
    sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
    
  • Edit /etc/spamassassin/init.pre. Add the following line:
    loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
    


  • Enable dcc - uncomment the line in /etc/spamassassin/v310.pre that refers to dcc
  • Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
  • Add temporary work around to get spamassassin to properly tag messages sent to us via tls by adding this line to /etc/spamassassin/local.cf (change hostname, see http://wiki.apache.org/spamassassin/DynablockIssues):
    header LOCAL_AUTH_RCVD    Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
    score LOCAL_AUTH_RCVD -20
    
  • Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0)
  • Edit /etc/default/spamassassin - enable spamassassin
  • Setup sa-update
    sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
    # test with:
    sudo sa-update -D
    # make sure the above command exited cleanly
    # Create a file in /etc/cron.daily called "mfpl-sa-update" with:
    #!/bin/bash
    sa-update && /etc/init.d/spamassassin restart
    # always exit with 0 - sa-update will exit with 1 if no update is available
    # and we don't want cron to report that to us
    exit 0
    

Maildrop

Edit /etc/maildroprc and add the following lines:

DEFAULT="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"

Webmail setup

  • Symlink the squirrelmail apache conf file:
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
  • Edit the /etc/apache2/conf.d/horde.conf file. Add:
    Redirect /webmail https://servername.mayfirst.org/horde3
    
  • Copy the various /etc/horde/*/conf.conf files from chavez
  • Edit /etc/horde/imp4/servers.php (see chavez for details)
  • Run sudo /etc/squirrelmail/conf.pl
  • Change 1: organizational preferences (org name, provider link, provider name)
  • Change 2: server settings: A IMAP Settings (port: 993, secure imap: true, server software: courier)
  • Plugins: install: delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)

  • Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
  • Edit - change the password to a good password
  • Import into mysql: Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:
mysql -u root -p horde <  /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql

Install Drupal

  • Download from drupal.org into: /usr/local/share/
  • Name the drupal directory after the version (i.e. drupal-4.7.3)
  • Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
  • Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7 and place into the /usr/local/share/drupal-modules-4.7 on the target server.

Configure Apache

  • In /etc/apache2/sites-available/default change NameVirtualHost * to: NameVirtualHost *:80
  • Change:
    <VirtualHost *> to: <VirtualHost *:80>
    ServerAdmin apache@mayfirst.org
    DocumentRoot /srv/apache/web (create this directory and index.html file)
    

Configure logrotate

Create a file called apache2-red in the /etc/logrotate.d directory with:

/home/members/*/sites/*/logs/*.log {
    weekly
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
    sharedscripts
    postrotate
        if [ -f /var/run/apache2.pid ]; then
            /etc/init.d/apache2 restart > /dev/null
        fi
    endscript
}

Configure logcheck

Copy from Wiwa to the server:

/etc/logcheck/logcheck.conf
/etc/logcheck/ignore.d.server/local-*

Configure cron-apt

Edit /etc/cron-apt

Change the MAILON line to MAILON="upgrade"

Configure Awstats

  • Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
  • Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from chavez to the target server.

  • Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
  • Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats

Configure Mutt

Create /etc/Muttrc.d and put a file named maildir.rc with

set mbox_type=Maildir
set mbox=~/Maildir
set spoolfile=~/Maildir
set folder=~/Maildir

Change ssh

Make sure the following settings are set:

PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes

Configure phpmyadmin

Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d

cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin

Add the phpmyadmin alias:

echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin

Setup Backup

  • Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
  • Edit /etc/mf-backup.xml as needed
  • Be sure to grant the mysql backup user the proper permissions with:
    GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret'