Version 9
Setup Debian Server for May First/People Link
Purchase an ssl certificate
- Generate a private key and certificate signing request. The key never leaves the server (keep it root-owned, mode 600); only the .csr goes to the certificate vendor:
    openssl genrsa -out server.mayfirst.org.key 4096
    openssl req -new -key server.mayfirst.org.key -out server.mayfirst.org.csr
- Change the domain@… email alias to point to your address.
- Go to Godaddy (which is a thawte reseller) for server.mayfirst.org. This will take a day or so to be generated.
- Concatenate the CRT and KEY files into a file called server.mayfirst.org.pem (replace server with the name of the server being set up). This file contains the private key, so it must be owned by root with mode 600.
- Then append DH parameters with:
    openssl gendh >> server.mayfirst.org.pem
  Give gendh an explicit size (with no argument it generates 512-bit parameters), e.g. openssl gendh 2048, or openssl dhparam 2048 on newer OpenSSL.
  This file will be used by courier. Copy it into /etc/courier/imapd.pem and /etc/courier/pop3d.pem.
- Keep the key and certificate in their separate files as well, server.mayfirst.org.key and server.mayfirst.org.crt (these will be used by apache).
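The key/CSR generation, the PEM assembly and one check the steps above leave out, that the certificate the vendor sends back actually belongs to the key on this server, as an added shell example (not from the original page). It assumes only the openssl command line; the function names, the argument layout and the default key size are mine.

```shell
#!/bin/sh
# Added example (not part of the original page): build the combined PEM that
# Courier reads and verify that the vendor's certificate matches our key.
set -eu

# Generate a private key and CSR. The key is created with mode 0600 (umask 077);
# only the .csr is sent to the certificate vendor.
gen_key_csr() {
    key=$1; csr=$2; subj=$3; bits=${4:-4096}
    umask 077
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    openssl req -new -key "$key" -out "$csr" -subj "$subj"
}

# Return 0 when the RSA modulus of the key and of the certificate match.
# A mismatch usually means the certificate was issued for a different CSR
# (e.g. the key was regenerated); Courier/Apache would fail to start on it.
check_keypair() {
    key=$1; crt=$2
    kmod=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    cmod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    [ "$kmod" = "$cmod" ]
}

# Build the cert+key(+DH) file for Courier, refusing to do so on a mismatch.
# The DH size is optional (4th argument); the page's bare "openssl gendh"
# would default to 512-bit parameters, so pass e.g. 2048 here.
assemble_pem() {
    key=$1; crt=$2; out=$3; dhbits=${4:-}
    check_keypair "$key" "$crt" || { echo "key/cert mismatch: $key $crt" >&2; return 1; }
    umask 077
    cat "$crt" "$key" > "$out"
    if [ -n "$dhbits" ]; then
        openssl dhparam "$dhbits" 2>/dev/null >> "$out"
    fi
    chmod 600 "$out"
}

# Number of PEM objects in a file (certificate, key and optional DH params).
pem_objects() {
    grep -c '^-----BEGIN ' "$1"
}
```

Run check_keypair against the .crt the vendor returns before copying anything into /etc/courier or /etc/postfix/ssl; assemble_pem does the same check and refuses to write the combined file if it fails.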
Use volatile for SA and clamav
- Edit /etc/apt/sources.list. Add the following:
    # clamav (volatile) and spam assassin (volatile-sloppy)
    deb http://debian.domainmail.org/debian-volatile etch/volatile-sloppy main
    deb http://debian.domainmail.org/debian-volatile etch/volatile main
- Edit (or add) /etc/apt/preferences. Add the following:
    Package: spamassassin
    Pin: release a=etch-sloppy
    Pin-Priority: 991

    Package: spamc
    Pin: release a=etch-sloppy
    Pin-Priority: 991
Install debian packages
    $ sudo apt-get install apache2 libapache2-mod-suphp cvs amavisd-new clamav clamav-daemon \
        spamassassin maildrop courier-imap-ssl courier-pop-ssl scponly logcheck logcheck-database \
        cron-apt awstats razor libnet-dns-perl dcc-client phpmyadmin php5-mysql php5-imap php5-gd \
        mysql-server-5.0 mysql-client-5.0 squirrelmail php-mail php-db fail2ban aspell aspell-en \
        aspell-es php5-mcrypt php-auth iproute bzip2 imagemagick php-pear php-log imp4 turba2 ingo1 \
        php-file
Configure HE routes
In order to route traffic directly from computer to computer (across the different subnetworks in the rack) we need to add routes for the other blocks.
- Create a file called add-he-routes with the following contents:
    #!/bin/bash
    # add routes for alternate blocks in rack
    #ip route add 209.51.172.0/28 dev eth0
    ip route add 209.51.169.80/28 dev eth0
    #ip route add 209.51.163.192/28 dev eth0
    ip route add 209.51.180.16/28 dev eth0
    ip route add 209.51.163.0/27 dev eth0
- Comment out the line representing the network this server is on. Do the same in the remove script below: both files must comment out the same block (the two examples here were taken from different servers, which is why they differ). Note that ifupdown runs every script in these directories for every interface it brings up or down, and passes the interface name in the IFACE environment variable if you want to restrict the routes to eth0.
- Save the file in /etc/network/if-up.d and chmod it to 755
- And add a corresponding file:
    #!/bin/bash
    # remove routes for alternate blocks in rack
    ip route del 209.51.172.0/28
    ip route del 209.51.169.80/28
    ip route del 209.51.163.192/28
    #ip route del 209.51.180.16/28
    ip route del 209.51.163.0/27
- Save the file in /etc/network/if-down.d and chmod it to 755
Configure suPHP
- Use dpkg-statoverride to change the ownership of our common php web programs (horde, phpmyadmin, and squirrelmail). This script will do it all for you:
    #!/bin/bash -e
    #
    # phpmyadmin
    #
    # use /var/lib/phpmyadmin as home dir because it already exists
    if ! getent passwd phpmyadmin >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/phpmyadmin \
            --shell /bin/false --gid 65534 phpmyadmin
    fi
    #userdel phpmyadmin
    phpmyadmin_files=`dpkg -L phpmyadmin | grep '\.php'`
    for file in $phpmyadmin_files; do
        dpkg-statoverride --add --update --force --quiet phpmyadmin nogroup 444 $file
        #dpkg-statoverride --remove $file
    done

    #
    # horde: share one user between horde and imp and any other horde apps
    #
    # use /var/log/horde as home directory because it already exists
    if ! getent passwd horde >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/log/horde \
            --shell /bin/false --gid 65534 horde
    fi
    #userdel horde
    # chown the directory recursively to get existing logs
    # it is written to by the web process
    chown -R horde /var/log/horde
    chown horde /etc/horde/horde3/conf.php
    #chmod 600 /etc/horde/horde3/conf.php
    # add it to the mix (a directory needs the x bit, so 755 rather than 644,
    # or the horde user cannot create log files in it)
    dpkg-statoverride --add --update --force --quiet horde nogroup 755 /var/log/horde
    #dpkg-statoverride --remove /var/log/horde
    # ack - this is not maintainable!
    perl -pi -e 's/www-data www-data/horde nogroup/g' /etc/logrotate.d/horde3
    horde_files=`dpkg -L horde3 | grep '\.php'`
    imp_files=`dpkg -L imp4 | grep '\.php'`
    turba_files=`dpkg -L turba2 | grep '\.php'`
    ingo_files=`dpkg -L ingo1 | grep '\.php'`
    all_horde_files="$horde_files $imp_files $turba_files $ingo_files"
    for file in $all_horde_files; do
        dpkg-statoverride --add --update --force --quiet horde nogroup 444 $file
        #dpkg-statoverride --remove $file
    done

    #
    # squirrelmail
    #
    if ! getent passwd squirrelmail >/dev/null; then
        adduser --system --disabled-login --quiet --home /var/lib/squirrelmail/data \
            --shell /bin/false --gid 65534 squirrelmail
    fi
    #userdel squirrelmail
    sm_files=`dpkg -L squirrelmail | grep '\.php'`
    chown -R squirrelmail:nogroup /var/lib/squirrelmail/data
    dpkg-statoverride --add --update --force --quiet squirrelmail nogroup 700 /var/lib/squirrelmail/data
    #dpkg-statoverride --remove /var/lib/squirrelmail/data
    for file in $sm_files; do
        dpkg-statoverride --update --add --force squirrelmail nogroup 444 $file
        #dpkg-statoverride --remove $file
    done
- Edit /etc/suphp/suphp.conf
    [global]
    ;Path to logfile
    logfile=/var/log/suphp/suphp.log
    ;Loglevel
    loglevel=info
    ;User Apache is running as
    webserver_user=www-data
    ;Path all scripts have to be in
    docroot=/
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    ; Security options
    ;allow_file_group_writeable=false
    allow_file_group_writeable=true
    ;allow_file_others_writeable=false
    allow_file_others_writeable=true
    ;allow_directory_group_writeable=false
    allow_directory_group_writeable=true
    ;allow_directory_others_writeable=false
    allow_directory_others_writeable=true
    ;Check whether script is within DOCUMENT_ROOT
    ;check_vhost_docroot=true
    check_vhost_docroot=false
    ;Send minor error messages to browser
    errors_to_browser=false
    ;PATH environment variable
    env_path=/bin:/usr/bin
    ;Umask to set, specify in octal notation
    ;umask=0077
    umask=0022
    ; Minimum UID
    min_uid=100
    ; Minimum GID
    min_gid=100

    [handlers]
    ;Handler for php-scripts
    x-httpd-php=php:/usr/bin/php-cgi
    ;Handler for CGI-scripts
    x-suphp-cgi=execute:!self
  The commented-out values are the suPHP defaults, and every uncommented line above relaxes one of them. With allow_*_writeable=true suPHP will still run a PHP file that is group- or world-writable (by default it refuses, because anyone who can write the file can then run code as its owner), and docroot=/ together with check_vhost_docroot=false drops the check that the script lives under the vhost's DocumentRoot. If member sites need this, keep it in mind when one of them is compromised. min_uid/min_gid=100 make suPHP refuse to run anything owned by root or another low-UID system account, so check (with id) that the phpmyadmin, horde and squirrelmail users created by the script above got UIDs of 100 or more; adduser --system allocates from that range on Debian.
Configure fail2ban
Create /etc/fail2ban/jail.local and put the following in it (jail.local overrides the matching settings in jail.conf, so only the changed lines are needed; bantime is in seconds):
    [DEFAULT]
    bantime = 200
    action = iptables[name=%(__name__)s, port=%(port)s]
             mail-whois[name=%(__name__)s, dest=%(destemail)s]
Install Red
- Edit /etc/apt/sources.list - make sure non-free is there, e.g.: deb http://http.us.debian.org/debian stable main contrib non-free. If you are adding anything to this line, run sudo apt-get update afterwards.
    $ sudo apt-get install ucspi-tcp-src
    $ sudo build-ucspi-tcp
- Create a user in the red database with (change sylvia to the name of the server, and replace 'secret' with a generated password; it ends up in red_server.conf, which should be readable by root only):
    GRANT SELECT ON seso.* TO 'red-sylvia'@'sylvia.mayfirst.org' IDENTIFIED BY 'secret';
    GRANT UPDATE ON seso.red_item TO 'red-sylvia'@'sylvia.mayfirst.org';
    GRANT INSERT ON seso.red_error_log TO 'red-sylvia'@'sylvia.mayfirst.org';
- Download the source from cvs
- Copy and paste the following commands
    $ cd /usr/local/share
    $ sudo cvs -d:ext:mayfirst@mayfirst.org:/srv/cvsroot co red
    $ sudo ln -s /usr/local/share/red/server/sbin/red_server_cli /usr/local/sbin/
    $ sudo ln -s /usr/local/share/red/server/sbin/pinky /usr/local/sbin/
    $ sudo chmod 755 /usr/local/share/red/server/sbin/red_server_cli
    $ sudo chmod 755 /usr/local/share/red/server/sbin/pinky
    $ sudo mkdir /usr/local/etc
    $ sudo mkdir /usr/local/etc/red
    $ cd /usr/local/share/red/server/etc/red
    $ sudo cp /usr/local/share/red/server/etc/red/* /usr/local/etc/red/
    $ cd /usr/local/etc/red
    $ for file in *.sample; do sudo cp "$file" "/usr/local/etc/red/${file%.sample}"; done
- Edit the file called pinky. Change the IP address to the machine's real IP address. Also edit red_server.conf to add the database user and password (keep that file readable by root only, since it holds the password).
- Launch pinky with:
$ sudo /usr/local/sbin/pinky &
Postfix setup
- Create aliases in /etc/aliases
    www: www-data
    www-data: apache@mayfirst.org
    root: root@mayfirst.org
- Don't forget to run newaliases!
- Create empty access, virtual_alias_maps and virtual_alias_domains files in /etc/postfix
    cd /etc/postfix
    sudo touch virtual_alias_maps virtual_alias_domains access
Create an empty access database (later we can add entries in access to restrict or allow senders):
    sudo postmap access
  main.cf below refers to all three files as hash: tables, so virtual_alias_maps and virtual_alias_domains need postmap as well, both now and every time they are edited; without the .db files Postfix rejects mail with a table lookup error.
- Create /var/lib/postfix (used by tls), owned by root
mkdir /var/lib/postfix
- Add the following to the bottom of the /etc/postfix/main.cf file (change SERVER to the server name). The pem file named here contains the private key and is read by smtpd as root before it drops privileges, so it must be root-owned, mode 600:
    # May First custom config
    # file based virtual hosting configuration
    # List of virtual domain names
    virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
    # list of email address -> unix account mappings
    virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
    # use maildir
    home_mailbox = Maildir/
    # Added for maildrop
    mailbox_command = /usr/bin/maildrop
    maildrop_destination_recipient_limit = 1
    # Added by jamie 6/10/04 to try to stem the tide of spam
    smtpd_sender_restrictions = hash:/etc/postfix/access,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit
    # Added for amavisd-new
    content_filter = smtp-amavis:[127.0.0.1]:10024
    # to enable authentication for sending email
    # and postgrey (the check_policy_service line, port 60000)
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:60000
    # TLS Stuff here:
    tls_random_source = dev:/dev/urandom
    tls_daemon_random_source = dev:/dev/urandom
    # server side tls - offer tls encryption when an smtp client
    # (either user email program or sending smtp server) can use it
    smtpd_tls_security_level = may
    smtpd_tls_CApath = /etc/ssl/certs
    smtpd_tls_loglevel = 1
    smtpd_tls_session_cache_database = sdbm:/var/lib/postfix/smtpd_scache
    # force people who want to authenticate to use tls - you can't authenticate
    # otherwise. This is important because passwords are sent in the clear
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    # client side - when we send to a server that offers tls, we should
    # accept
    smtp_tls_security_level = may
    smtp_tls_CApath = /etc/ssl/certs
    smtp_tls_session_cache_database = sdbm:/var/lib/postfix/smtp_scache
    smtp_tls_loglevel = 1
    # http://www.postfix.org/TLS_README.html recommends leaving these
    # lines commented out so we don't present a client certificate.
    # It is rare to be required to have a client certificate and presenting
    # one sometimes causes problems
    #smtp_tls_key_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
    #smtp_tls_cert_file = /etc/postfix/ssl/SERVER.mayfirst.org.pem
  The order of smtpd_recipient_restrictions matters: permit_sasl_authenticated and permit_mynetworks come before reject_unauth_destination so that our users and our own hosts may relay, reject_unauth_destination stops everyone else from relaying, and the postgrey policy check comes last so that only mail we would otherwise accept is greylisted.
- Copy the /etc/postfix/master.cf file from chavez to get the amavis settings (and for chroot to be turned off)
- Postfix as secure mail relay setup
- Install the sasl packages
sudo apt-get install sasl2-bin libsasl2-modules ca-certificates
- Configure sasl. Edit /etc/default/saslauthd:
    Uncomment START=yes
    Change MECHANISMS to read:
    MECHANISMS="shadow"
- Add postfix to the sasl group
sudo addgroup postfix sasl
- Make the /etc/postfix/ssl directory and copy the pem file there (root-owned, mode 600, since it contains the private key)
    sudo mkdir /etc/postfix/ssl
    sudo cp /wherever/server.pem /etc/postfix/ssl/
- Edit main.cf. These settings are the authentication and TLS subset of the block added to main.cf above; make sure each parameter appears only once in the file. Postfix uses the last definition it finds, so a second smtpd_recipient_restrictions like the one below, appended after the first, would silently replace it and drop the reject_* tests and the postgrey check_policy_service. Check the result with postconf -n.
    # to enable authentication for sending email
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
    # TLS Stuff here (smtpd_use_tls = yes is the older spelling of
    # smtpd_tls_security_level = may):
    smtpd_use_tls = yes
    # force people who want to authenticate to use tls - you can't authenticate
    # otherwise. This is important because passwords are sent in the clear
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/your-server-key-here.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
- Edit master.cf - uncomment the smtps and submission lines. In both lines change the chroot variable from "-" to "n"
- Create /etc/postfix/sasl/smtpd.conf
    sudo mkdir /etc/postfix/sasl
    sudo vim /etc/postfix/sasl/smtpd.conf
    # add these lines:
    pwcheck_method: saslauthd
    mech_list: plain login
Setup Postgrey
Postgrey defers all mail for 5 minutes the first time it receives a message with a never before seen sender and recipient. This results in a lot of spam not being delivered.
- Install Postgrey
sudo apt-get install postgrey
- Edit /etc/default/postgrey adding the following line:
    POSTGREY_TEXT="Greylisted, see http://mayfirst.org/greylist"
- Restart postgrey
/etc/init.d/postgrey restart
- Edit /etc/postfix/main.cf, add the following to the end of the smtpd_recipient_restrictions stanza (after reject_unauth_destination, so only mail that would otherwise be accepted is greylisted). The port must match the one postgrey listens on (POSTGREY_OPTS in /etc/default/postgrey; the Debian default is not 60000):
check_policy_service inet:127.0.0.1:60000
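The main.cf fragments in this page get appended in several steps (the big block above, the "secure mail relay" block, and now the postgrey line), and Postfix quietly takes the last definition of any parameter it sees twice. The following is an added shell example, not from the original page or the Postfix project, that finds such duplicates and shows the effective value, the way postconf -n would, on a constructed main.cf fragment with the two smtpd_recipient_restrictions definitions from this page. The function names and the sample file are mine.

```shell
#!/bin/sh
# Added example (not part of the original page): detect Postfix main.cf
# parameters that are defined more than once and report the value Postfix
# will actually use (the last one). Continuation lines (leading whitespace)
# are handled; comments and blank lines are ignored.
set -eu

# Print, one per line and sorted, every parameter name set more than once.
dup_params() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]/ { next }                 # continuation of previous parameter
        /=/ {
            name = $0
            sub(/[[:space:]]*=.*/, "", name); sub(/^[[:space:]]+/, "", name)
            n[name]++
        }
        END { for (k in n) if (n[k] > 1) print k }
    ' "$1" | sort
}

# Print the effective (last) value of one parameter, whitespace collapsed.
effective() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]/ { if (inwant) v = v " " $0; next }
        {
            name = $0
            sub(/[[:space:]]*=.*/, "", name); sub(/^[[:space:]]+/, "", name)
            if (name == want) { inwant = 1; v = $0; sub(/^[^=]*=[[:space:]]*/, "", v) }
            else inwant = 0
        }
        END { gsub(/[[:space:]]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v); print v }
    ' "$1"
}

# Constructed sample: the two restriction blocks this page has you append,
# in the order the page gives them.
sample_main_cf() {
    cat <<'EOF'
# first block: full restriction list plus postgrey
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
smtpd_tls_security_level = may
# second block from "Postfix as secure mail relay setup"
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
EOF
}

# Report duplicates with their effective values; exit 1 if any were found.
report() {
    dups=$(dup_params "$1")
    [ -z "$dups" ] && return 0
    echo "$dups" | while read -r p; do
        echo "$p is set more than once; effective value: $(effective "$1" "$p")"
    done
    return 1
}
```

Run report /etc/postfix/main.cf after each editing step; on the constructed sample it reports that the effective smtpd_recipient_restrictions no longer contains check_policy_service or any of the reject_* tests.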
Setup Courier
- Create an empty shared/index file (to avoid getting error messages in the log)
    mkdir /etc/courier/shared
    touch /etc/courier/shared/index
- Setup ssl - copy the server pem file (assembled above from the certificate the vendor sent back) to the /etc/courier directory:
    cp server.mayfirst.org.pem /etc/courier/imapd.pem
    cp server.mayfirst.org.pem /etc/courier/pop3d.pem
If you are using Godaddy Certificates, copy the godaddy bundle to /etc/courier/ (you can download it here: http://mayfirst.org/node/452).
Then add this line to both imapd-ssl and pop3d-ssl:
TLS_TRUSTCERTS=/etc/courier/gd_intermediate_bundle.crt
Setup amavis
- Edit /etc/amavis/conf.d/50-user
Add the following lines
    @bypass_virus_checks_maps = (
        \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    $final_banned_destiny     = D_PASS;  # D_REJECT when front-end MTA
    $final_spam_destiny       = D_PASS;
    $final_bad_header_destiny = D_PASS;
  (The @bypass_virus_checks_maps line turns virus checking on. D_PASS means spam and banned content are tagged and delivered rather than rejected; the per-user filtering is done later by maildrop and spamc.)
- Add clamav to the amavis group with:
sudo addgroup clamav amavis
- Add AllowSupplementaryGroups to /etc/clamav/clamd.conf
- Add a cron job to clean out viruses and spam collected by amavis in /etc/cron.d called clean-up-virus with the contents (-type f so that find does not try to rm the quarantine directory itself and mail an error every night):
    # Find and delete all emails older than 14 days
    2 4 * * * amavis find /var/lib/amavis/virusmails -type f -mtime +14 -exec rm '{}' \;
Configure Spamassassin
- Install helper packages
sudo apt-get install razor dcc-client
- Add a new rule for spamassassin (debian etch or above only!)
- Create /usr/local/share/spamassassin/plugins
    sudo mkdir /usr/local/share/spamassassin
    sudo mkdir /usr/local/share/spamassassin/plugins
- Download the ImageInfo plugin to that directory
    cd /usr/local/share/spamassassin/plugins
    sudo wget http://www.rulesemporium.com/plugins/ImageInfo.pm
- Add rule to /etc/spamassassin
    cd /etc/spamassassin
    sudo wget http://www.rulesemporium.com/plugins/imageinfo.cf
- Edit /etc/spamassassin/init.pre. Add the following line:
loadplugin Mail::SpamAssassin::Plugin::ImageInfo /usr/local/share/spamassassin/plugins/ImageInfo.pm
- Enable dcc - uncomment line in /etc/spamassassin/v310.pre the refers to dcc
- Turn on subject munging (uncomment line in /etc/spamassassin/local.cf)
- Add a temporary workaround to get spamassassin to properly tag messages sent to us via TLS by adding these lines to /etc/spamassassin/local.cf (change the hostname, see http://wiki.apache.org/spamassassin/DynablockIssues):
    header LOCAL_AUTH_RCVD Received =~ /\(using TLS.*\) by chavez\.mayfirst\.org /
    score  LOCAL_AUTH_RCVD -20
  Be aware that this matches the pattern in any Received header, including ones a sender forges, so anyone who knows our hostname can put that string in a header and take 20 points off their score. Prefer setting trusted_networks (and internal_networks) in local.cf, which is what the DynablockIssues page describes and which SpamAssassin evaluates only on the headers our own servers added.
- Turn off report safe (in /etc/spamassassin/local.cf set: report_safe 0)
- Edit /etc/default/spamassassin - enable spamassassin
- Setup sa-update
    sudo apt-get install gnupg libnet-dns-perl libnet-ssleay-perl libnet-ident-perl
    # test with:
    sudo sa-update -D
    # make sure the above command exited cleanly
  Create a file in /etc/cron.daily called "mfpl-sa-update" (mode 755) with:
    #!/bin/bash
    # sa-update exits 0 when new rules were installed, 1 when nothing new
    # was available, and 2 or higher on error. Restart only when the rules
    # changed, stay quiet on 1 so cron does not mail us every day, but do
    # report real errors rather than hiding them behind a blanket exit 0.
    sa-update
    rc=$?
    if [ $rc -eq 0 ]; then
        /etc/init.d/spamassassin restart
    elif [ $rc -gt 1 ]; then
        echo "sa-update failed with exit code $rc" >&2
        exit $rc
    fi
    exit 0
Maildrop
Edit /etc/maildroprc and add the following lines:
    DEFAULT="$HOME/Maildir"
    # spamassassin
    xfilter "/usr/bin/spamc -u $LOGNAME"
Webmail setup
- Symlink the squirrelmail apache conf file:
$ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
- Edit the /etc/apache2/conf.d/horde.conf file. Add:
Redirect /webmail https://servername.mayfirst.org/horde3
- Copy the various /etc/horde/*/conf.conf files from chavez
- Edit /etc/horde/imp4/servers.php (see chavez for details)
- Run sudo /etc/squirrelmail/conf.pl
- Change 1: organizational preferences (org name, provider link, provider name)
- Change 2: server settings: A. IMAP Settings (port: 993, secure imap: true, server software: courier)
- Plugins: install delete_move_next, squirrelspell, filters, abook_take, listcommands, mail_fetch, gpg (you will need to download this one from www.squirrelmail.org into /usr/share/squirrelmail/plugins)
- Gunzip /usr/share/doc/horde3/examples/scripts/sql/create.mysql.sql.gz into your home directory
- Edit it and change the default password of the horde database user to a good one before importing
- Import it into mysql (it creates the horde database), then import /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql directly with:
    mysql -u root -p horde < /usr/share/doc/turba2/examples/scripts/sql/turba_objects.mysql.sql
Install Drupal
- Download from drupal.org into: /usr/local/share/
- Name the drupal directory after the version (i.e. drupal-4.7.3)
- Create a soft link to the version (i.e. sudo ln -s drupal-4.7.3 drupal-4.7)
- Tar up and copy all the files from wiwa /usr/local/share/drupal-modules-4.7 and place into the /usr/local/share/drupal-modules-4.7 on the target server.
Configure Apache
- In /etc/apache2/sites-available/default change NameVirtualHost * to: NameVirtualHost *:80
- Change <VirtualHost *> to <VirtualHost *:80> and set:
    ServerAdmin apache@mayfirst.org
    DocumentRoot /srv/apache/web
  (create this directory and an index.html file in it)
Configure logrotate
Create a file called apache2-red in the /etc/logrotate.d directory with:
    /home/members/*/sites/*/logs/*.log {
        weekly
        missingok
        rotate 12
        compress
        delaycompress
        notifempty
        create 644 root root
        sharedscripts
        postrotate
            if [ -f /var/run/apache2.pid ]; then
                /etc/init.d/apache2 restart > /dev/null
            fi
        endscript
    }
Configure logcheck
Copy from Wiwa to the server:
/etc/logcheck/logcheck.conf /etc/logcheck/ignore.d.server/local-*
Configure cron-apt
Edit /etc/cron-apt/config and change the MAILON line to:
    MAILON="upgrade"
Configure Awstats
- Copy /etc/awstats/awstats.conf.local from chavez to the target server's /etc/awstats directory
- Copy /usr/local/sbin/mf-awstats-create, /usr/local/sbin/mf-awstats-build-staticpages, and /usr/local/etc/awstats-create from
chavez to the target server.
- Copy /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl to /usr/local/sbin/
- Copy /usr/share/doc/awstats/examples/apache.conf to /etc/apache2/conf.d/awstats
Configure Mutt
Create /etc/Muttrc.d and put a file named maildir.rc in it with:
    set mbox_type=Maildir
    set mbox=~/Maildir
    set spoolfile=~/Maildir
    set folder=~/Maildir
Change ssh
Make sure the following settings are set in /etc/ssh/sshd_config:
    PermitRootLogin no
    AllowGroups sshusers
    # Required for Contribute. Grr.
    PasswordAuthentication yes
Because password logins stay enabled, keep the ssh jail in fail2ban active and the sshusers group limited to the accounts that actually need shell access.
Configure phpmyadmin
Copy the apache conf file from /etc/phpmyadmin to /etc/apache2/conf.d:
    cp /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
Add the phpmyadmin alias:
echo "Alias /phpmyadmin /usr/share/phpmyadmin" >> /etc/apache2/conf.d/phpmyadmin
Setup Backup
- Copy the /usr/local/sbin/mf-backup and /etc/mf-backup.xml files from another server
- Edit /etc/mf-backup.xml as needed
- Be sure to grant the mysql backup user the proper permissions (read-only: SELECT, SHOW VIEW and LOCK TABLES are all mysqldump needs) with, replacing 'secret' with the password configured in /etc/mf-backup.xml:
    GRANT SELECT, SHOW VIEW, LOCK TABLES ON *.* TO 'backup'@'localhost' IDENTIFIED BY 'secret';