From Campworld

LinuxServersF8: HOWTO Fedora 8 Internet Server

History / Status

• NOT Done - testing and cleanup

Introduction

There are times when one physical server will meet your needs. This howto will describe setting up a server to do the following.
- Virtual web hosting
- Virtual mail hosting
- Spam filtering (optional)
- Security Camera Monitoring (optional)

Setting Up The Base Server

In this section I'll cover the initial server setup.

Initial Install

Boot the install DVD.

The graphical install loads and we're ready to go.

• Choose your language and keyboard.
• The first complaint it will have is about your hard drive. When it asks you about partitioning your drive select "Remove all partitions on selected drive and create default layout".
• Click the checkbox to review and modify the layout.
• Make changes if necessary.
• Rename the logical volumes if you like.
• At this point you can modify any other settings you like.
• Grub and networking should already be set.
• Choose your time zone.
• set the root password.
• We don't like their default installation selections. Uncheck the check boxes and select customize now. Place a check next to webserver.
• Under desktop env. uncheck everything.
• Under applications only leave checked text-based internet.
• Under servers uncheck printing support. Put check marks by 'DNS Name Server', 'FTP Server', and 'MySQL Database'.
• Under base system uncheck 'dialup networking', 'administrative tools', 'fonts', 'legacy fonts', and 'x windows'.
• Click next. Sit back and watch the install go.

First boot

Reboot the machine when the install finishes. The OS will boot. Let the config screen time out. Then log in.

Now we need to disable selinux.

1. Edit /boot/grub/grub.conf and add selinux=0 to the kernel line. Here's an example grub file with the change.

 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.23.1-42.fc8)
        root (hd0,0)
        kernel /vmlinuz-2.6.23.1-42.fc8 ro root=/dev/VolGroup00/LogVol00 selinux=0
        initrd /initrd-2.6.23.1-42.fc8.img

2. Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled
3. now reboot the server.

The Second Boot

Login and type:
> yum upgrade
Agree to what it wants to do then set back and wait. when done reboot.

Installing Additional Packages

• I have some rpms that are not in the standard repos or they need to be recompiled. So we need setup a new repo. Here is the repo I created.
  > cd /etc/yum.repos.d/
  > wget http://www.campworld.net/repos/FC8/campworld.repo
• Now we'll load some php modules.
  > yum install php-gd php-ncurses php-snmp php-mbstring
• Lets install postfix and get rid of sendmail.
  > yum install postfix
  > yum remove sendmail
• Some misc packages
  > yum install createrepo ncftp
• We need SSL support in perl. Setup is easier if you get this installed before webmin.
  > yum -y install perl-Net-SSLeay
• Now lets install webmin.
  > yum -y install webmin
• its time to get the webmin service going.
  > service webmin start
• Now run setup and disable the firewall.
  > setup

Removing Software

There are a couple of packages we don't need. So type the following.
> yum remove cups squid

Webmin Configuration

• Connct to the webmin server. Use the ip assigned to your server. An example URL would be https://192.168.2.2:10000
• Now configure your server.

Installing phpMyAdmin

I perfer to phpMyAdmin to manage my MySQL databases. There is no rpm for this package. This package is easy to install.

1. If you haven't already done so, start MySQL.
2. Its time to set the root password.
   > /usr/bin/mysqladmin -u root password 'thepassword'
   > /usr/bin/mysqladmin -p -u root -h localhost.localdomain password 'thepassword'
3. Download the latest version of phpMyAdmin from www.phpmyadmin.net
   > wget http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.2.1-english.tar.gz?download
4. unpack the package
   > tar -xzvf phpMyAdmin.tar.gz
5. Move it to the appropriate place.
   > mv phpMyAdmin /usr/share/
6. Create the apache config file for phpmyadmin and restart apache.
   > echo "alias /webdb /usr/share/phpMyAdmin" > /etc/httpd/conf.d/phpMyAdmin.conf
   > service httpd restart
7. Configure phpMyAdmin
   > cd /usr/share/phpMyAdmin
   > cp libraries/config.default.php config.inc.php
   > nano -w config.inc.php
8. Locate each of the following lines and be sure each has the following settings.
   $cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (con$
   $cfg['Servers'][$i]['user'] = 'root'; // MySQL user
   $cfg['Servers'][$i]['password'] = ''; // MySQL password (only nee$
9. Save the file.
10. now test it out.

Getting root's and other's mail

You need to get some local system user's mail. We'll use postfix's virtual file to get the emails to the right place.

1. Add the following to /etc/postfix/virtual

 
root       admin@yourdomain.com
postmaster admin@yourdomain.com
abuse      admin@yourdomain.com

2. Now add the configuration option to main.cf
> postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"
3. Just a couple commands to wrap everything up.
> postmap /etc/postfix/virtual
> /etc/init.d/postfix restart

Setting Up Virtual Web Hosting With Apache MYSQL and ProFTPD

There are many ways to do virtual websites under linux. The technique I am going to use is multiple domains on one ip address. I also didn't want to use system users for the virtual hosts. So I decided to use a mysql database to store the virtual user information.

Install Softwre

We need to install is proftpd with mysql support. Type:
> yum remove vsftpd
> yum install proftpd proftpd-mysql

Now lets download and install proftpd admin.
> wget http://downloads.sourceforge.net/proftpd-adm/proftpd_admin_v1.2.tar.gz?modtime=1163855596&big_mirror=0
> tar -xzvf proftpd_admin_v1.2.tar.gz
> mv proftpd_admin_v1.2 /usr/share/proftpd_admin

Configuring Apache

1. First thing is to create a linux user to hold all the virtual directories. Log in to webmin and create a user called virtwww.
2. Create the virtual host config file. We will use the name the brouser passes to us to determin the website to load. Type
   > echo "UseCanonicalName Off" > /etc/httpd/conf.d/virtual.conf
   > echo "VirtualDocumentRoot /home/virtwww/%0" >> /etc/httpd/conf.d/virtual.conf
3. restart apache
   > service httpd restart
4. Make a directory with your server's ipaddress as its name. Example
   > mkdir /home/virtwww/192.168.1.100
5. create a test index.html page in your new directory.

Configuring ProFTPD

1. Create the following proftpd config file
   > mv proftpd.conf proftpd.conf.old
   > nano -w /etc/proftpd.conf

 
# This is the ProFTPD configuration file

# Load modules for sql support
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c

ServerName                      "Servername"
ServerType                      standalone
ServerIdent                     on              "Servers identifying string"
DeferWelcome                    off
DefaultServer                   on
DefaultRoot                     ~ !adm
AllowOverwrite                  on
UseReverseDNS                   off
IdentLookups                    off

Port                            21
Umask                           022
MaxInstances                    15
MaxClientsPerHost               3               "Only %m connections per host allowed"
MaxClients                      10              "Only %m total simultanious logins allowed"
MaxHostsPerUser                 1

User                            ftp
Group                           ftp

ScoreboardFile                  /var/run/proftpd.score

# Some logging formats
LogFormat                       default         "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth            "%v [%P] %h %t \"%r\" %s"
LogFormat                       write           "%h %l %u %t \"%r\" %s %b"

# Define log-files to use
TransferLog                     /var/log/proftpd/xferlog
ExtendedLog                     /var/log/proftpd/access_log    WRITE,READ write
ExtendedLog                     /var/log/proftpd/auth_log      AUTH auth
ExtendedLog                     /var/log/proftpd/paranoid_log  ALL default
SQLLogFile                      /var/log/proftpd/mysql

# Set up authentication via SQL
# ===========
AuthOrder                       mod_sql.c
SQLAuthTypes                    Backend
SQLConnectInfo                  proftpd_admin@localhost proftpd password
SQLUserInfo                     usertable userid passwd uid gid homedir shell 
SQLGroupInfo                    grouptable groupname gid members 
SQLUserWhereClause              "disabled=0 and (NOW()<=expiration or expiration=-1 or expiration=0)"
SQLHomedirOnDemand  on

# Log the user logging in
SQLLog PASS counter
SQLNamedQuery counter UPDATE "lastlogin=now(), count=count+1 WHERE userid='%u'" usertable

# logout log
SQLLog EXIT time_logout
SQLNamedQuery time_logout UPDATE "lastlogout=now() WHERE userid='%u'" usertable

# display last login time when PASS command is given
SQLNamedQuery login_time SELECT "lastlogin from usertable where userid='%u'"
SQLShowInfo PASS "230" "Last login was: %{login_time}"

# xfer Log in mysql
SQLLog RETR,STOR transfer1
SQLNamedQuery  transfer1 INSERT "'%u', '%f', '%b', '%h', '%a', '%m', '%T', now(), 'c', NULL" xfer_stat
SQLLOG ERR_RETR,ERR_STOR transfer2
SQLNamedQuery  transfer2 INSERT "'%u', '%f', '%b', '%h', '%a', '%m', '%T', now(), 'i', NULL" xfer_stat

AllowStoreRestart               on
AllowRetrieveRestart            on
RequireValidShell               off
#RootLogin off

# Normally, we want users to do a few things.
<Global>
  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

1. For security reasons we need to limit access to the file.
   > chmod o-rwx proftpd.conf

Configuring ProFTPD Administrator

First lets create the apache config file and restart apache. The file has been set to only allow access from the local host. Change the access to meet your needs.

/etc/httpd/conf.d/proftpd_admin.conf

 
alias /webadmin /usr/share/proftpd_admin

<Location /webadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    # Allow from .example.com
</Location>

> service httpd restart

Edit the file /usr/share/proftpd_admin/misc/database_structure_mysql/db_structure.sql
Skip to the last three lines. Enter the desired password in these three lines.

Lets create the database and tables. Type the following.
> mysql -u root -p < /usr/share/proftpd_admin/misc/database_structure_mysql/db_structure.sql

Now type the following to do a little housekeeping for php5.
> chmod o+w /usr/share/proftpd_admin/configuration.xml

Now go to the web interface configuration screen http://yourserver.tld/webadmin/configure.php
You will need to configure database access and some other settings.

Now start proftpd.
> service proftpd start

The virtwww directory needs to be world writeable.
> chmod a+w /home/virtwww

Notes

Proftpd Admin dose almost everything we need. You will need to create links for multiple host names pointing to the same directory. For example if your directory is '/home/virtwww/yourdomain.com' and you want www.yourdomain.com to work then you'll have to create a link called '/home/virtwww/www.yourdomain.com/' which points to '/home/virtwww/yourdomain.com'.

Setting Up Virtual Mail Hosting Using Postfix MySQL Dovecot And Postfix Admin

This is an advanced email server configuration. This configuration will allow you to serve multiple domains on one server. You will get the following features:

• Postfix: the workhorse behind the mail delivery
• smtp authentication
• secure smtp using TLS
• Dovecot: imap and pop3 mailbox service
• secure imap and pop3
• mysql: handles all the virtual domains and users
• PostfixAdmin: GUI for domain administration
• squirrelmail: web mail access

Lets get started

Installing The Software

We'll start with the yum installs.
> yum install dovecot dovecot-mysql squirrelmail cyrus-sasl-devel cyrus-sasl-sql subversion

Postfix.Admin doesn't have an rpm so we need to download it and put it where we want it. Wouldn't you know it but the 2.1.0 release has problems with mysql 5. So we need to download the verson from svn.
> svn co https://postfixadmin.svn.sourceforge.net/svnroot/postfixadmin/trunk postfixadmin
> mv postfixadmin /usr/share/

Configuring The Server

Configuring Postfix Admin

Create the apache config file for postfixadmin and restart apache.
/etc/httpd/conf.d/postfixadmin.conf

 
alias /mailadmin /usr/share/postfixadmin
<Directory "/usr/share/postfixadmin">
  AllowOverride AuthConfig
</Directory>

> service httpd restart

Now we need to setup the mysql database for postfixadmin. An sql file is provided in the postfixadmin directory. You'll need to edit the file and set the desired passwords for the database users postfix and postfixadmin. Be sure to uncomment the 'INSERT' lines between the 'CREATE' line and the 'FLUSH PRIVILEGES' line. Here's the commands.
> cd /usr/share/postfixadmin
> nano -w DATABASE_MYSQL.TXT
> mysql -u root -p < DATABASE_MYSQL.TXT

Now its time to setup the config file. Don't forget to set your password. Find the following items and change them.
> nano -w config.inc.php

 
// Postfix Admin Path
// Set the location to your Postfix Admin installation here.
$CONF['postfix_admin_url'] = '/mailadmin/';


 
// Database Config
// mysql = MySQL 3.23 and 4.0
// mysqli = MySQL 4.1
// pgsql = PostgreSQL
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'postfixadmin';
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = '';


 
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['encrypt'] = 'cleartext';

Log into the web interface and follow the directions.
http://yourdomain.tld/mailadmin/

NOTE: Don't forget to remove /usr/lib/postfixadmin/setup.php. Postfixadmin will complain until you do.

Configuring Postfix

Here we go with more config files. You'll have to be sure to change some settings to match your host. The config files will have sections commented out. Don't worry about it. These sections are for spam/virus/sympa configuration. Just copy and past to create the config files. Whatever you see here replaces what already exists.

The main postfix config files.
/etc/postfix/main.cf

 
# postfix config file

# uncomment for debugging if needed
#soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = yourdomain.com
myhostname = host.yourdomain.com
mynetworks = 192.168.0.0/16,
        127.0.0.0/24,
        69.239.170.72/29
mydestination = $myhostname, 
        localhost.$mydomain, 
        localhost 
relay_domains = $mydestination

# mail delivery
recipient_delimiter = + 

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#local_recipient_maps = 

# virtual setup
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf,
                regexp:/etc/postfix/virtual_regexp
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = virtual
virtual_uid_maps = static:89

# debugging
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes 
smtp_tls_note_starttls_offer = yes 
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# rules restrictions 
# smtpd_client_restrictions = reject_rbl_client sb1.spamhaus.org
smtpd_helo_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, 
        reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, 
        permit_mynetworks, 
        reject_unauth_destination,
        reject_non_fqdn_recipient, 
        reject_unknown_recipient_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining

/etc/postfix/master.cf

 
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#  -o content_filter=smtp-amavis:127.0.0.1:10024
#  -o receive_override_options=no_address_mappings
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter= 
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
#smtp-amavis  unix  -    -       y       -       2       smtp
#  -o smtp_data_done_timeout=1200
#  -o disable_dns_lookups=yes
#  -o smtp_send_xforward_command=yes
#127.0.0.1:10025 inet n  -       y       -       -       smtpd
#  -o content_filter=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_recipient_restrictions=permit_mynetworks,reject
#  -o mynetworks=127.0.0.0/8
#  -o smtpd_error_sleep_time=0
#  -o smtpd_soft_error_limit=1001
#  -o smtpd_hard_error_limit=1000
#  -o receive_override_options=no_header_body_checks
#  -o smtpd_bind_address=127.0.0.1
#  -o smtpd_helo_required=no
#  -o smtpd_client_restrictions=
#  -o smtpd_restriction_classes=
#  -o disable_vrfy_command=no
#  -o strict_rfc821_envelopes=yes
#

The postfix / mysql config files.
/etc/postfix/mysql-virtual_alias_maps.cf

 
hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = alias
select_field = goto
where_field = address

/etc/postfix/mysql-virtual_domains_maps.cf

 
hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql-virtual_mailbox_maps.cf

 
hosts = localhost
user = postfix
password = postfix
dbname = postfix
table = mailbox
select_field = maildir
where_field = username

Now for the sasl auth configuration.
/usr/lib/sasl2/smtpd.conf

 
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_passwd: postfix
sql_database: postfix
sql_select: select password from mailbox where username = '%u@%r'

Now generate an SSL certificate for postfix to have TLS support.
> mkdir /etc/postfix/ssl
> cd /etc/postfix/ssl
> openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

We need to touch a file. So type the follwoing.
> touch /etc/postfix/virtual_regexp

Finally we'll configure the mail store directory. We put it in the /home directory to make backups and other item easy. So type the following.
> mkdir /home/vmail
> chmod 770 /home/vmail
> chown postfix:postfix /home/vmail

Configuring Dovecot

Lets start off with the main config file. Just replace the default one with whats below.
/etc/dovecot.conf

 
# Dovecot config file
auth default {
  userdb sql {
    args = /etc/dovecot-mysql.conf
  }
  passdb sql {
    args = /etc/dovecot-mysql.conf
  }
}
first_valid_uid = 89
default_mail_env = maildir:/home/vmail/%d/%n
protocols =  imaps imap pop3s pop3
ssl_cert_file = /etc/postfix/ssl/smtpd.pem
ssl_key_file = /etc/postfix/ssl/smtpd.pem

Next we configure Dovecot to access mysql. Create the following file.
/etc/dovecot-mysql.conf

 
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=yourpassword
default_pass_scheme = PLAIN
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 89 AS uid, 89 AS gid FROM mailbox WHERE username = '%u'

Finally set Dovecot to boot at startup.

Configuring SquirrelMail

We should next give our users a web interface to their mail. This is an optional install.

Lets start configurating SquirrelMail. Luckilly squirrelMail has a configuration utility. So type: > /usr/share/squirrelmail/config/conf.pl

Here's the settings to be changed

• Under server settings change sendmail to SMTP
• Under update IMAP settings change the software to dovecot.
• Other config changes are optional.

Now go to your browser and test squirrelmail. the url is http://yourdomein.com/webmail/src/configtest.php

You should now be able to login to your mailserver. The usr would be 'host.domain.com/webmail'. Remember your username is in the format: user@domain.com

Configuring the Little Things That Drive You MAD

Be sure your /etc/hosts looks similar to the following.

 
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost
192.168.11.21   host.domain.com

Preparing and Testing the Postoffice

First things first. Reboot the system. If everything went well we all should be at the same point.

No errors? Lets keep going.

Setup a test domain and account. Setup your favorite mail client and send some test emails.

Notes About Security And Clear Text Passwords

My howto has been written to use clear text passwords. This can and does cause security problems. There are 2 issues at hand: Database security and sending of clear text passwords through the internet.

Lets start with database security. With my configuration passwords are stored in clear text in the database. As long as the database is kept secure passwords in the clear won't cause a problem. If you want the passwords encrypted then all the software must be configured for it.

Now for the problem of clear text passwords over the internet. If you use SSL/TLS then the passwords are encrypted in the SSL connection. POPS, IMAPS and SMTPS all use SSL/TLS connection. So as long as your client supports secure connections to the mail server your clear text passwords will be secure.

Notes

With a bit of work you come out with a robust server.

Setting Up Incoming Mail Filtering Using Postfix Spamassassin Amavisd-new ClamAV SQLgrey:)

This section covers setting up email filtering for out server.

Lets get started

Installing The Software

We will start out installing the needed software. This will install the items needed to filter mail.
> yum install amavisd-new clamav clamav-update spamassassin sqlgrey

Configuring The Server

Configure Postfix

Here we go with config files. You'll have to be sure to change some settings to match your host. The config files will have sections commented out. Don't worry about it. Just copy and past to create the config files. What ever you see here replaces what already exists. Don't forget to backup the original files.

The master.cf file you created earlier is not much different from the one below. The original file had the content filtering commented out.

/etc/postfix/master.cf

 
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter= 
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
smtp-amavis  unix  -    -       y       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o receive_override_options=no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
  -o smtpd_helo_required=no
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o disable_vrfy_command=no
  -o strict_rfc821_envelopes=yes

Configuring ClamAV

Type
> nano -w /etc/freshclam.conf
The line that has the word example on it needs to be commented out or deleted. The config file explaines.

Let's bring the virus definiations up to date.
> freshclam

Configuring Razor

You need to register to use Razor. So type the following.
> razor-admin -register -user=some_user -pass=somepass

Configuring Amavisd-new

You need to edit /etc/amavisd/amavisd.conf
Here is a list of items you should change. just scroll through the file to find each item.

• $mydomain = 'example.com'; # set to your domain name
• $log_level = 1; # set the log leve to one
• $sa_tag_level_deflt = -99; # i want to see the headers so change to -99
• $sa_tag2_level_deflt = 5.0; # start with 5
• $sa_kill_level_deflt = 9; # change to 9
• $sa_dsn_cutoff_level = 9; # change to 9
• $sa_quarantine_cutoff_level = 50; # remove the starting # and change to 50
• $myhostname = 'lightning.campworld.net'; # remove the starting # and enter your host name
• $notify_method = 'smtp:[127.0.0.1]:10025'; # uncomment the line
• $forward_method = 'smtp:[127.0.0.1]:10025'; # uncomment the line
• $final_banned_destiny = D_DISCARD; # change to D_DISCARD

Here are some settings I added in. Use them if you wish.

 
# added in settings RC
@whitelist_sender_maps = read_hash("$MYHOME/white.lst");
@blacklist_sender_maps = read_hash("$MYHOME/black.lst");
$spam_quarantine_to = "spam\@$mydomain";
$virus_quarantine_to = "virus\@$mydomain";
$banned_quarantine_to = "spam\@$mydomain";
$hdrfrom_notify_admin = "Content Filter <postmaster\@$mydomain>";

Since I have white and black list files they need to be created.
> touch /var/spool/amavisd/black.lst
> touch /var/spool/amavisd/white.lst
> chown amavis:amavis /var/spool/amavisd/black.lst
> chown amavis:amavis /var/spool/amavisd/white.lst

Configure AmaVisd start at boot time. You can do this using webmin for example.

Configuring The Little Things That Drive You MAD

Be sure your /etc/hosts looks similar to the following.

 
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost
192.168.11.21   host.domain.com

Preparing And Testing Mail Filtering

First things first. Reboot the system. If everything went well we all should be at the same point. Setup your favorit mail client and send some test emails.

Notes

That takes care of the mail filtering

Setting Up The Zoneminder Security Camera Server

This section describes setting up security camera monitoring. The setup is based on Zoneminder. I don't cover using cameras connected to the server. My setup uses all IP network cameras. I don't cover getting your cameras configured.

Instaall Softwre

One quick yum line will get everything we need.
> yum install zoneminder

Configure Zoneminder

The apache config file for zoneminder doesn't allow connections from anyone. We want to allow connections so delete the line the info in the file says to delete.
> nano -w /etc/httpd/conf.d/zoneminder.conf

Next we need to setup the mysql database.
> mysql -p -u root mysql < /usr/share/zoneminder/db/zm_create.sql
> mysqladmin -p -u root reload

Be sure to start the zoneminder service. You may also want to log into webmin and set the service to start on boot.
> service zoneminder start

Now load up the zoneminder web page.

Notes

That's the complete setup. Be sure to read the documentation at the zoneminder website.

Conclusion

I bet you're happy that you're reading this. Enjoy your server.

Comments

  CREATE DATABASE postfix;
  CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'choose_a_password';
  GRANT ALL PRIVILEGES ON `postfix` . * TO 'postfix'@'localhost';

  CREATE USER postfix WITH PASSWORD 'whatever';
  CREATE DATABASE postfix OWNER postfix ENCODING 'unicode';