wiki:configure_new_server

Context Navigation

Version 7 (modified by Jamie McClelland, 17 years ago) ( diff )
--

Setup Debian Server for May First/People Link

Purchase an ssl certificate

Generate a private key and certificate signing request.

openssl genrsa -out server.mayfirst.org.key 4096
openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr

Change the domain@… email alias to point to your address.

Go to Godaddy (which is a thawte reseller) for server.mayfirst.org. This will take a day or so to be generated.

Concat the CRT and KEY file into a file called: server.mayfirst.org.pem (replace server with the name of the server being setup)

Then add dh paramaters with:

openssl gendh >> server.mayfirst.org.pem

This file will be used by courier. Copy into /etc/courier/imapd.pem and /etc/courier/pop3d.pem

Now, put each one in a separate file called: server.mayfirst.org.key and server.mayfirst.org.crt (these will be used by apache)

Use volatile for SA and clamav

Edit /etc/apt/sources.list. Add the following:

# clamav (volatile) and spam assassin (volatile-sloppy)
deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
deb http://debian.domainmail.org/debian-volatile etch/volatile main

Edit (or add) /etc/apt/preferences. Add the following

Package: spamassassin
Pin: release a = etch-sloppy
Pin-Priority: 991

Package: spamc
Pin: release a = etch-sloppy
Pin-Priority: 991

Install debian packages

$ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en aspell-es php5-mcrypt php-auth iproute  bzip2 imagemagick php-pear php-log imp4 turba2 ingol php-file

Configure HE routes

In order to route traffic directly from computer to computer (across different subnetworks) we need to add the different routes

Create a file called add-he-routes with the following contents:

#!/bin/bash
# add routes for alternate blocks in rack
#ip route add 209.51.172.0/28 dev eth0
ip route add 209.51.169.80/28 dev eth0
#ip route add 209.51.163.192/28 dev eth0
ip route add 209.51.180.16/28 dev eth0
ip route add 209.51.163.0/27 dev eth0

Comment out the line representing the network this server is on

Save the file in /etc/network/if-up.d and chmod it to 755

And add a corresponding file:

#!/bin/bash
# remove routes for alternate blocks in rack
ip route del 209.51.172.0/28
ip route del 209.51.169.80/28
ip route del 209.51.163.192/28
#ip route del 209.51.180.16/28
ip route del 209.51.163.0/27

Save the file in /etc/network/if-down.d and chmod it to 755

Configure suPHP

Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:

#!/bin/bash -e

#
# phpmyadmin
#
# use /var/lib/phpmyadmin as home dir because it already exists

if [ -z $(getent passwd|grep phpmyadmin) ]; then
adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin --shell /bin/false -gid 65534 phpmyadmin
fi
#userdel phpmyadmin
phpmyadmin_files =`dpkg -L phpmyadmin | grep '\.php'`

for file in $phpmyadmin_files; do
dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
# #dpkg-statoverride --remove $file
done

#
# horde: share one user between horde and imp and any other horde apps
#
# use /var/log/horde as home directory because it already exists
if [ -z $(getent passwd|grep horde) ]; then
adduser --system --disabled-login --quiet --home /var/log/horde --shell /bin/false -gid 65534 horde
fi
#userdel horde

# chown the directory recursively to get existing logs
# it is written to by the web process
chown -R horde /var/log/horde
chown horde /etc/horde/horde3/conf.php
#chmod 600 /etc/horde/horde3/conf.php

# add it to the mix
dpkg-statoverride --add --update --force --quiet  horde nogroup 644 /var/log/horde
#dpkg-statoverride --remove /var/log/horde

# ack - this is not mainainable!
perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3

horde_files =`dpkg -L horde3 | grep '\.php'`
imp_files =`dpkg -L imp4 | grep '\.php'`
turba_files =`dpkg -L turba2 | grep '\.php'`
ingo_files =`dpkg -L ingo1 | grep '\.php'`
all_horde_files ="$horde_files $imp_files $turba_files $ingo_files"

for file in $all_horde_files; do
dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
#dpkg-statoverride --remove $file
done

if [ -z $(getent passwd|grep squirrelmail) ]; then
adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data --shell /bin/false -gid 65534 squirrelmail
fi
#userdel squirrelmail
sm_files =`dpkg -L squirrelmail | grep '\.php'`

chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data

#dpkg-statoverride --remove /var/lib/squirrelmail/data

for file in $sm_files; do
dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file
#dpkg-statoverride --remove $file
done

Edit /etc/suphp/suphp.conf

[global]
;Path to logfile
logfile =/var/log/suphp/suphp.log

;Loglevel
loglevel = info

;User Apache is running as
webserver_user = www-data

;Path all scripts have to be in
docroot =/

;Path to chroot() to before executing script
;chroot =/mychroot

; Security options
;allow_file_group_writeable = false
allow_file_group_writeable = true
;allow_file_others_writeable = false
allow_file_others_writeable = true
;allow_directory_group_writeable = false
allow_directory_group_writeable = true
;allow_directory_others_writeable = false
allow_directory_others_writeable = true

;Check wheter script is within DOCUMENT_ROOT
;check_vhost_docroot = true
check_vhost_docroot = false

;Send minor error messages to browser
errors_to_browser = false

;PATH environment variable
env_path =/bin:/usr/bin

;Umask to set, specify in octal notation
;umask =0077
umask =0022

; Minimum UID
min_uid =100

; Minimum GID
min_gid =100


[handlers]
;Handler for php-scripts
x-httpd-php = php:/usr/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi = execute:!self

Configure fail2ban

Create /etc/fail2ban/jail.local. Modify the following lines, by adding them to the jail.local file that you just created:

[DEFAULT]
bantime  = 200

action = iptables[name =%(__name__)s, port =%(port)s]
mail-whois[name =%(__name__)s, dest =%(destemail)s]

Install Red

Edit /etc/apt/sources.list - make sure non-free is there, e.g.: deb http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
```
$ sudo apt-get install ucspi-tcp-src
$ sudo build-ucspi-tcp
```

Create a user in the red database with (change sylvia to name of server):

GRANT SELECT on seso.* to 'red-sylvia'@'sylvia.mayfirst.org' identified by 'secret';
GRANT UPDATE on seso.red_item to 'red-sylvia'@'sylvia.mayfirst.org';
GRANT INSERT on seso.red_error_log to 'red-sylvia'@'sylvia.mayfirst.org';

Download the source from cvs

Copy and paste the following commands

$ cd /usr/local/share
$ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
$ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
$ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
$ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
$ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
$ sudo mkdir /usr/local/etc
$ sudo mkdir /usr/local/etc/red
$ cd /usr/local/share/red/server/etc/red
$ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
$ cd /usr/local/etc/red
$ for file in `ls *.sample`; do sudo cp $file /usr/local/etc/red/${file%.sample}; done;

Edit the file called pinky. Change ip address to machine's real ip address. also edit red_server.conf, to add the database user and password.

Launch pinky with:
```
$ sudo /usr/local/sbin/pinky &
```

Postfix setup

Create aliases in /etc/aliases

www: www-data
www-data: apache@mayfirst.org
root: root@mayfirst.org

Don't forget to run newaliases!

Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix

sudo touch virtual_alias_maps virtual_alias_domains access

Create an empty access database (later we can add entries in access to restrict or allow senders):

sudo postmap access

Create /var/lib/postfix (used by tls), owned by root

mkdir /var/lib/postfix

Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name)

# May First custom config
# file based virtual hosting configuration
# List of virtual domain names
virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains

# list of email address -> unix account mappings
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps

# use maildir
home_mailbox = Maildir/

# Added for maildrop
mailbox_command = /usr/bin/maildrop
maildrop_destination_recipient_limit = 1

# Added by jamie 6/10/04 to try to stem the tide of spam
smtpd_sender_restrictions =
  hash:/etc/postfix/access,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

# Added for amavisd-new
content_filter=smtp-amavis:[127.0.0.1]:10024

# to enable authentication for sending email
# and postgrey (policy port 6000 line)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_invalid_hostname,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:60000

# TLS Stuff here:
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom

# sever side tls - offer tls encryption when an smtp client
# (either user email program or sending smtp server) can use it
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

# client side - when we send to a server that offers tls, we should
# accept
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
smtp_tls_loglevel = 1
# http://www.postfix.org/TLS_README.html recommends leaving these
# lines commented out so we don't present a client certificate.
# It is rare to be required to have a client certificate and presenting
# one sometimes causes problems
#smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
#smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem

Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off)

Postfix as secure mail relay setup

Install the sasl packages

sudo apt-get install sasl2-bin libsasl2-modules ca-certificates

Configure sasl. Edit /etc/default/saslauthd

Uncomment START = yes
Change MECHANISMS to read:
MECHANISMS ="shadow"

Add postfix to the sasl group
```
sudo addgroup postfix sasl
```

Make the /etc/postfix/ssl directory and copy the pem files there

sudo mkdir /etc/postfix/ssl
sudo cp /whereever/server.pem /etc/postfix/ssl/

Edit main.cf

# to enable authentication for sending email
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# TLS Stuff here:
smtpd_use_tls = yes
# force people who want to authenticate to use tls - you can't authenticate
# otherwise. This is important because passwords are sent in the clear
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"

Create /etc/postfix/sasl/smtpd.conf

sudo mkdir /etc/postfix/sasl
sudo vim /etc/postfix/sasl/smtpd.conf
# add these lines:
pwcheck_method: saslauthd
mech_list: plain login

Setup Postgrey

Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.

Install Postgrey
```
sudo apt-get install postgrey
```

Edit /etc/default/postgrey adding the following line:

POSTGREY_TEXT ="Greylisted, see http://mayfirst.org/greylist"

Restart postgrey
```
/etc/init.d/postgrey restart
```
Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza:
```
check_policy_service inet:127.0.0.1:60000
```

Setup Courier

Create a shared/index file that is empty (to avoid getting error messages in the log)
```
mkdir /etc/courier/shared
touch /etc/courier/index
```

Setup ssl - copy the server pem file (which you got from dotster) to the /etc/courier directories:

cp server.mayfirst.org.pem /etc/courier/imapd.pem
cp server.mayfirst.org.pem /etc/courier/pop3d.pem

Setup amavis

Edit /etc/amavis/conf.d/50-user

Add the following lines @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); $final_banned_destiny = D_PASS; # D_REJECT when front-end MTA $final_spam_destiny = D_PASS; $final_bad_header_destiny = D_PASS;

Add clamav to the amavis group with:
```
sudo addgroup clamav amavis
```

Add AllowSupplementaryGroups to /etc/clamav/clamd.conf

Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents:

# Find and delete all emails older than 14 days
2 4 * * *       amavis  find /var/lib/amavis/virusmails -mtime +14  -exec rm '{}' \;

Configure Spamassassin

Install helper packages
```
sudo apt-get install razor dcc-client
```

Add a new rule for spamassassin (debian etch or above only!)

Create /usr/local/share/spamassassin/plugins

sudo mkdir /usr/local/share/spamassassin; sudo mkdir /usr/local/share/spamassassin/plugins

Download the ImageInfo plugin to that directory

cd /usr/local/share/spamassassin/plugins
sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm

Add rule to /etc/spamassassin

cd /etc/spamassassin
sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf

Edit /etc/spamassassin/init.pre. Add the following line:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm

</ul>

Enable dcc - uncomment line in /etc/spamassassin/v310.pre the refers to dcc

Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)

Add temporary work around to get spamassassin to properly tag messages sent to us via tls by adding this line to /etc/spamassassin/local.cf (change hostname, see http://wiki.apache.org/spamassassin/DynablockIssues):
```
header LOCAL_AUTH_RCVD    Received =~ /$using TLS.*$ by chavez\.mayfirst\.org /
score LOCAL_AUTH_RCVD -20
```

Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0)

Edit /etc/default/spamassassin - enable spamassassin

Setup sa-update

sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
# test with:
sudo sa-update -D
# make sure the above command exited cleanly
# Create a file in /etc/cron.daily called "mfpl-sa-update" with:
#!/bin/bash
sa-update && /etc/init.d/spamassassin restart
# always exit with 0 - sa-update will exit with 1 if no update is available
# and we don't want cron to report that to us
exit 0

Maildrop

Edit /etc/maildroprc and add the following lines:

DEFAULT ="$HOME/Maildir"
# spamassassin
xfilter "/usr/bin/spamc -u $LOGNAME"

Webmail setup

Symlink the squirrelmail apache conf file:

$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf

Edit the /etc/apache2/conf.d/horde.conf file. Add:

Redirect /webmail https://servername.mayfirst.org/horde3

Copy the various /etc/horde/*/conf.conf files from chavez

Edit /etc/horde/imp4/servers.php (see chavez for details)

Run sudo /etc/squirrelmail/conf.pl

Change 1: organizational preferences (org name, provider link, provider name)

Change 2: server settings: A IMAP Settings (port: 993, secure imap: true,

server software: courier

Plugins: install: delete_move_next,squirrelspell, filters,abook_take,listcommands,mail_fetch,gpg (you will need to download

this one from www.squirrelmail.org into the /usr/share/squirrelmail/plugins

Gunzip/usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory

Edit - change the password to a good password

Import into mysql: Directly import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql with:

mysql -u root -p horde <  /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql

Install Drupal

Download from drupal.org into: /usr/local/share/

Name the drupal directory after the version (i.e. drupal-4.7.3)

Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)

Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7 and place into the /usr/local/share/drupal-modules-4.7 on the target server.

Configure Apache

In /etc/apache2/site-available/default change NameVirtualHost * to: NameVirtualHost *:80

Change:

<VirtualHost *> to: <VirtualHost *:80>
ServerAdmin apache@mayfirst.org
DocumentRoot /srv/apache/web (create this directory and index.html file)

Configure logrotate

Create a file called apache2-red in the /etc/logrotate.d directory with:

/home/members/*/sites/*/logs/*.log {
weekly
missingok
rotate 12
compress
delaycompress
notifempty
create 644 root root
sharedscripts
postrotate
if [ -f /var/run/apache2.pid ]; then
/etc/init.d/apache2 restart > /dev/null
fi
endscript
}

Configure logcheck

Copy from Wiwa to the server:

/etc/logcheck/logcheck.conf
/etc/logcheck/ignore.d.server/local-*

Configure cron-apt

Edit /etc/cron-apt

Change line MAILON to MAILON ="upgrade"

Configure Awstats

Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from

chavez to the target server.

Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats

Configure Mutt

Create /etc/Muttrc.d and put a file named maildir.rc with

set mbox_type = Maildir
set mbox =~/Maildir
set spoolfile =~/Maildir
set folder =~/Maildir

Change ssh

Make sure the following settings are set:

PermitRootLogin no
AllowGroups sshusers
# Required for Contribute. Grr.
PasswordAuthentication yes

Congifure phpmyadmin

Copy the apache conf file from /etc/phpmyadmin to /etc/apach2/conf.d

cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin

Add the phpmyadmin alias:

echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin

Setup Backup

Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
Edit /etc/mf-backup.xml as needed

Be sure to grant the mysql backup user the proper permissions with:

GRANT SELECT,SHOW VIEW,LOCK TABLES ON *.* TO 'backup'@'localhost' identified by 'secret'

Note: See TracWiki for help on using the wiki.

Download in other formats:

Plain Text