Complete Debian Sarge 3.1 server

This How-To, in its first version, sets up Apache2, Postfix, MySQL 5.x, Dovecot, SpamAssassin, ProFTPD and BIND (chrooted), all on a stable Debian server installed from a NetInstall CD, with Backports enabled selectively.

Installing Debian

(The original page shows a numbered screenshot for each step; only the captions are kept here, in order.)

At the boot prompt, be sure to enter linux26 to install the 2.6 version of the kernel.

Select the language you want to use.

Select your country.

Select your keyboard layout.

Choose the name you want for your server.

Here you put your domain name. In my case it is go2linx.org.

Select manual partitioning.

Confirm that you are going to work on that disk.

Select the free space.

Create a new partition.

Choose 512 MB, 1 GB or whatever size you want for swap.

Select primary partition.

Select the beginning or the end of the free space.

Select swap.

Now, in the same way, use the rest of the disk for an ext3 partition mounted on root (/).

On the next screens you will have to adjust your time zone and clock, set the root password and create a new user. (I am not showing them here.)

On this one you can choose to scan another disk; I have none, so I chose no.

On the next one, configure an apt source according to your needs.

Choose http, and the mirror nearest you.

If you are connected to the Internet through a proxy, put the info here.

The server will then connect to the Internet and get some packages (this may take time, depending on your Internet connection speed).

Now select to install nothing, as we are going to do all of it manually later.

Also choose no email configuration.

Now you are done with the installation.

Now let's start with the installation of all the packages needed to have our Complete Debian Server.

Install DNS (BIND chrooted)

First get the software and stop the daemon:

apt-get install bind9
/etc/init.d/bind9 stop

Now edit the file /etc/default/bind9 with your favorite editor:

vi /etc/default/bind9

and make sure it looks like this, so the daemon runs as the bind user, inside the jail /var/lib/named/:

OPTIONS="-u bind -t /var/lib/named/"

This makes BIND run chrooted in /var/lib/named: a compromise of named is then confined to that directory tree, which is the point of the exercise.

Now recreate the directory structure under /var/lib/named/ so the daemon can find the files it needs:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

(We use mkdir -p so the parent directories are created as needed.)

Now move BIND's configuration files from /etc/ into /var/lib/named/etc/:

mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind

The last line makes a symlink from the original configuration directory to the newly created one, so future upgrades of the package (apt-get upgrade) still find the files where they are supposed to be (or at least the symlinks).

Now create the devices named needs inside /var/lib/named/dev/:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

Assign the right ownership to the directories:

chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We also need to modify syslog so the logs of the chrooted daemon are collected: a chrooted named cannot reach /dev/log, so syslogd must listen on an additional socket inside the jail. Look at the SYSLOGD="-a /var/lib/named/dev/log" line in the file below (shown in bold on the original page); that option makes syslogd listen on a second socket and receive the messages from the chrooted BIND.

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
#   -a adds a second listening socket, here inside the BIND chroot
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    if [ ! -d /proc/$pid ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading system log daemon: syslogd"
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart)
    echo -n "Restarting system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        echo -n "Reloading system log daemon: syslogd"
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        echo -n "Restarting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
    ;;
esac

exit 0

Finally, restart syslog and start bind:

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start
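As an added example (my own, not from the original howto), here is the whole jail build above as one idempotent shell script with a verification step at the end. It assumes Debian's bind9 package with the daemon user bind and the jail /var/lib/named; the jail path and the config directory are parameters (JAIL and CONF) so the functions can be exercised against a scratch directory. The runtime check reads the root directory of the running named from /proc, which catches the common mistake of editing OPTIONS without restarting the daemon.

```shell
#!/bin/sh
# Added example, not part of the original howto: build and verify the BIND9
# chroot jail described above. Assumes Debian's bind9 package (daemon user
# "bind") and the jail /var/lib/named; JAIL and CONF are parameters so the
# functions can be exercised against a scratch directory.

JAIL="${JAIL:-/var/lib/named}"
CONF="${CONF:-/etc/bind}"

# Directories named must find inside the jail (config, devices, cache, pid).
jail_dirs() {
    printf '%s\n' etc dev var/cache/bind var/run/bind/run
}

# Create the layout; safe to re-run.
build_jail_dirs() {
    for d in $(jail_dirs); do
        mkdir -p "$1/$d" || return 1
    done
}

# Device nodes named needs (major/minor 1,3 = null; 1,8 = random). Needs root.
build_jail_devs() {
    [ -c "$1/dev/null" ]   || mknod -m 666 "$1/dev/null"   c 1 3 || return 1
    [ -c "$1/dev/random" ] || mknod -m 666 "$1/dev/random" c 1 8 || return 1
}

# Move the config directory into the jail and leave a symlink behind so
# dpkg and apt-get upgrade still find it at the old path. Idempotent: does
# nothing if the symlink is already in place.
move_config() {
    jail="$1" conf="$2"
    if [ -d "$conf" ] && [ ! -L "$conf" ]; then
        mv "$conf" "$jail/etc/bind" || return 1
        ln -s "$jail/etc/bind" "$conf" || return 1
    fi
    [ -L "$conf" ] && [ "$(readlink "$conf")" = "$jail/etc/bind" ]
}

# Only the bind user should own what named writes; the config stays readable.
fix_ownership() {
    chown -R bind:bind "$1/var" "$1/etc/bind"
}

# Static check of the jail: every directory, the symlink and both devices.
check_jail() {
    jail="$1" conf="$2"
    for d in $(jail_dirs); do
        [ -d "$jail/$d" ] || { echo "missing directory $jail/$d" >&2; return 1; }
    done
    [ -L "$conf" ] && [ "$(readlink "$conf")" = "$jail/etc/bind" ] \
        || { echo "$conf is not a symlink into the jail" >&2; return 1; }
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || { echo "missing device $jail/dev/$dev" >&2; return 1; }
    done
}

# Runtime check: the root directory of the running named must be the jail.
# (OPTIONS in /etc/default/bind9 can be edited and still be ignored by a
# daemon that was never restarted; this catches that.)
check_running() {
    pid=$(pidof named) || return 1
    [ "$(readlink "/proc/${pid%% *}/root")" = "${1%/}" ]
}

# Run the whole procedure: "sh bind-jail.sh install" (as root).
case "${1:-}" in
install)
    /etc/init.d/bind9 stop
    build_jail_dirs "$JAIL" && build_jail_devs "$JAIL" \
        && move_config "$JAIL" "$CONF" && fix_ownership "$JAIL" \
        && check_jail "$JAIL" "$CONF" || exit 1
    /etc/init.d/sysklogd restart && /etc/init.d/bind9 start
    sleep 1
    check_running "$JAIL" && echo "named is running chrooted in $JAIL" \
        || { echo "named is NOT chrooted; check OPTIONS in /etc/default/bind9" >&2; exit 1; }
    ;;
esac
```

Run it once as root with the install argument after the syslogd change above; the last line of output tells you whether the daemon really came up inside the jail. The functions are split so that check_jail and check_running can also be run on their own from a cron job or after an upgrade.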


Installing backports

We need backports to be able to get the latest MySQL server available for Debian; we do this because some applications (for example VTiger, http://www.vtiger.com/) do not run with the MySQL 4.x that ships with Debian 3.1 Sarge.

First, change to root:

$ su -

Then edit /etc/apt/sources.list with your favorite text editor (I use vi):

# vi /etc/apt/sources.list

Mine looks this way; yours may look different.

#deb file:///cdrom/ sarge main

#deb cdrom:[Debian GNU/Linux 3.1 r3 _Sarge_ - Official i386 Binary-1 (20060904)]/ unstable contrib main

deb http://mirrors.kernel.org/debian/ stable main
deb-src http://mirrors.kernel.org/debian/ stable main
deb http://security.debian.org/ stable/updates main contrib
# Backports
deb http://www.backports.org/debian/ sarge-backports main

(Each line starting with "deb" indicates where the .deb packages can be found, plus the distribution and components to use.)

That is all, unless you want to use backports only for selected packages rather than for everything. In that case, edit or create the file /etc/apt/preferences:

# vi /etc/apt/preferences

Explanation: see http://www.argon.org/~roderick/apt-pinning.html
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

Package: *
Pin: release o=Debian
Pin-Priority: -1

This file sets the priority of each repository: a package from a higher-priority repository is installed and kept up to date, unless you specifically choose to install it from a lower-priority repository (with apt-get -t sarge-backports, as below). You can check the priorities apt has assigned to a given package with apt-cache policy <package>.

That's all.


 

Install MySQL (from backports)

apt-get -t sarge-backports install mysql-server mysql-client

Once it is installed, make sure the MySQL root account has a password (mysqladmin -u root password 'yourpassword'); a database server reachable with an empty root password is the first thing an attacker on the box will try.

Install Apache2

apt-get install apache2 apache2-doc

apt-get install libapache2-mod-php4 libapache2-mod-perl2

apt-get install php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap

apt-get install php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick

Edit /etc/apache2/apache2.conf and change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

to this:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

We need this so that a page named, say, index.htm in the server's or a virtual host's document root is served when somebody hits the server. Otherwise, if index.htm is our start page and it is not in the list, the user would have to explicitly type http://www.yourserver.xxx/index.htm.

Now we have to enable some Apache modules (SSL, rewrite, suexec and server-side includes):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Restart Apache:

/etc/init.d/apache2 restart

Install Postfix, Dovecot, SpamAssassin and saslauthd

apt-get install sasl2-bin libpam-pgsql postfix postfix-tls postfix-pgsql dovecot-imapd dovecot-pop3d spamassassin libsasl2-modules

saslauthd

saslauthd will be used for Postfix SMTP authentication. Because Postfix's smtpd runs chrooted, the authentication daemon's socket has to live inside the Postfix chroot.

Edit /etc/default/saslauthd and make sure these lines are present and not commented out:

START=yes
MECHANISMS=pam
PARAMS="-r"

Add the postfix user to the sasl group so smtpd can reach the socket:

adduser postfix sasl

(The original used usermod -G sasl postfix; without -a that form replaces the user's existing supplementary groups, so adduser is the safer way to do it on Debian.)

Create the saslauthd run directory inside the Postfix jail:

mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd

Create /etc/init.d/saslauthd-symlinks:

#! /bin/sh
# Replace /var/run/saslauthd with a symlink into the Postfix chroot,
# so saslauthd creates its socket where the chrooted smtpd can see it.

if [ "$1" = "start" ] ; then
    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run
fi

And make the script active:

chmod 755 /etc/init.d/saslauthd-symlinks
ln -s /etc/init.d/saslauthd-symlinks /etc/rcS.d/S80saslauthd-symlinks
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd-symlinks start
/etc/init.d/saslauthd start

Generate your certificates

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

A few caveats a practitioner would want here. The chmod 600 has to be repeated after the mv, because the mv replaces smtpd.key with the freshly written unencrypted copy and its default permissions. 1024-bit RSA keys were acceptable when this was written but are too small today; use 2048 bits or more. And smtpd.crt is self-signed with its own key, so cacert.pem is a separate self-signed CA that is not actually part of smtpd.crt's chain; clients will see an untrusted certificate either way, which is fine for a private server but not for public users.
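As an added example (mine, not part of the original howto), the same certificate step done non-interactively in one openssl call, with a 2048-bit key and no encrypt-then-decrypt detour, plus the checks worth running before pointing Postfix at the files: the certificate's modulus matches the key's, the key is private and the certificate is not about to expire. The output directory and the subject common name are parameters; the defaults are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: generate and verify the
# smtpd key/certificate pair used by Postfix above. Needs only openssl.

# gen_selfsigned <dir> <common-name> [days]: writes smtpd.key (mode 600) and
# smtpd.crt. -nodes leaves the key unencrypted, which Postfix needs anyway,
# so no decrypt-and-rename step is required; the subshell keeps the umask
# change from leaking into the caller.
gen_selfsigned() {
    dir="$1" cn="$2" days="${3:-3650}"
    mkdir -p "$dir" || return 1
    ( umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/smtpd.key" -out "$dir/smtpd.crt" \
        >/dev/null 2>&1 ) || return 1
    chmod 600 "$dir/smtpd.key" && chmod 644 "$dir/smtpd.crt"
}

# cert_matches_key <crt> <key>: true when the certificate's public modulus
# equals the private key's, i.e. Postfix will not refuse the pair at startup.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for <crt> <days>: true if the certificate is still valid in
# <days> days; handy as a cron check so the cert does not silently expire.
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# key_is_private <key>: true when only the owner can read the key file.
key_is_private() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Typical use (as root): generate into /etc/postfix/ssl and verify.
#   gen_selfsigned /etc/postfix/ssl mail.example.org \
#     && cert_matches_key /etc/postfix/ssl/smtpd.crt /etc/postfix/ssl/smtpd.key \
#     && key_is_private /etc/postfix/ssl/smtpd.key && echo OK
```

The modulus comparison is the check that matters: a mismatched pair is the usual reason Postfix logs "cannot load RSA certificate and key data" after someone regenerates one file but not the other.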

 

Postfix

The relevant sections of /etc/postfix/main.cf; replace the hostname with your server's:

myhostname = debby.milkyway.gal
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0

# sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# outlook-sasl is broken
broken_sasl_auth_clients = yes

# report authenticated username in headers?
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then switch delivery to Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Two settings deserve a second look. smtpd_tls_auth_only = no means Postfix advertises AUTH LOGIN PLAIN on the unencrypted connection too, so a client that does not use STARTTLS sends its password in the clear; set it to yes unless you really have clients that cannot do TLS. The order of smtpd_recipient_restrictions is what keeps this server from being an open relay: reject_unauth_destination must stay, after the two permit rules, so only local networks and authenticated users can relay. Finally, smtpd_tls_loglevel = 3 is very verbose and is best turned down to 1 once TLS works.
 

Create the file /etc/postfix/sasl/smtpd.conf and put this inside:

pwcheck_method: saslauthd
mech_list: login plain

Now let's do some testing. Start the Postfix daemon:

/etc/init.d/postfix restart

telnet localhost 25

and, as soon as you get the prompt, type

ehlo localhost

Here you should see something like this:

debian:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 debian.go2linux.org ESMTP Postfix
ehlo localhost
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

The important lines are the two AUTH lines (shown in bold on the original page); they confirm that smtpd found the SASL configuration.
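Seeing AUTH in the EHLO reply only proves that smtpd loaded the SASL config; it does not prove that saslauthd accepts a login, and on this configuration it also means AUTH is being offered over plain TCP. As an added example (mine, not part of the original page), the following shell functions build the base64 token a client sends with AUTH PLAIN, so you can test a real login by hand, and classify an EHLO reply so that the "AUTH before STARTTLS" condition is flagged. The host, port, and the use of nc and openssl s_client for the live probes are assumptions; the functions themselves work on any EHLO transcript.

```shell
#!/bin/sh
# Added example, not part of the original howto: checks for the SMTP AUTH
# setup above. sasl_plain_token builds the base64 blob for "AUTH PLAIN" so
# saslauthd can be tested by hand; ehlo_auth_status classifies an EHLO reply
# and fails when AUTH is offered on the unencrypted connection. The host,
# port and the nc/openssl live probes are assumptions.

SMTP_HOST="${SMTP_HOST:-localhost}"
SMTP_PORT="${SMTP_PORT:-25}"

# AUTH PLAIN initial response (RFC 4616): [authzid] NUL authcid NUL passwd,
# base64-encoded. With an empty authzid that is "\0user\0password".
# Note this is encoding, not encryption: anyone sniffing the session gets
# the password back with "base64 -d".
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Read an EHLO reply on stdin and print one of:
#   auth-in-clear   AUTH advertised before STARTTLS (passwords can leak);
#                   returns 1 so it can be used as a check
#   starttls-first  STARTTLS offered, AUTH withheld until the session is
#                   encrypted (smtpd_tls_auth_only = yes); returns 0
#   no-auth         neither advertised; returns 0
ehlo_auth_status() {
    reply=$(cat)
    if printf '%s\n' "$reply" | grep -q '^250[- ]AUTH[ =]'; then
        echo auth-in-clear
        return 1
    elif printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS'; then
        echo starttls-first
    else
        echo no-auth
    fi
}

# Live probe 1: plaintext EHLO (assumes netcat is installed).
probe_plain() {
    printf 'EHLO probe.example\r\nQUIT\r\n' \
        | nc -w 5 "$SMTP_HOST" "$SMTP_PORT" | ehlo_auth_status
}

# Live probe 2: EHLO after STARTTLS. AUTH must show up here, otherwise
# nobody can authenticate once smtpd_tls_auth_only = yes is set.
probe_tls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' \
        | openssl s_client -quiet -starttls smtp \
            -connect "$SMTP_HOST:$SMTP_PORT" 2>/dev/null \
        | grep '^250[- ]AUTH'
}
```

To test a login by hand, connect with openssl s_client -starttls smtp -connect localhost:25 (or telnet if you are on localhost), send EHLO, then AUTH PLAIN followed by the token from sasl_plain_token; a 235 reply means saslauthd accepted the credentials through PAM, a 535 means it did not. With the main.cf above, probe_plain reports auth-in-clear; after changing smtpd_tls_auth_only to yes it should report starttls-first while probe_tls still prints the AUTH line.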

Dovecot

Here you need to edit the file /etc/dovecot/dovecot.conf:

vi /etc/dovecot/dovecot.conf

and make sure this line appears:

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s

Serving imap and pop3 alongside their SSL variants means clients can also connect unencrypted, so check in the same file that disable_plaintext_auth has not been set to no; with it enabled, Dovecot refuses plaintext logins on the non-SSL ports instead of accepting passwords in the clear.

SpamAssassin

Create a spamassassin user:

adduser --system --shell /bin/sh --group --gecos "Spamassassin User" filter

Create a script /usr/local/bin/spamchk. The script needs a scratch directory; the original uses /var/tempfs, which must exist and be writable by the filter user (for example mkdir -m 700 /var/tempfs && chown filter /var/tempfs). Note the sendmail path: the script was written for Gentoo, where it is /usr/sbin/sendmail.postfix, but on Debian the Postfix sendmail wrapper is /usr/sbin/sendmail.

#!/bin/sh

# -----------------------------------------------------------------
#
# File:        spamchk
#
# Purpose:     SPAMASSASSIN shell-based filter
#
# Location:    /usr/local/bin
#
# Usage:       Call this script from master.cf (Postfix)
#
# Certified:   GENTOO Linux, Spamassassin 3.0, Postfix
#
# -----------------------------------------------------------------

# Variables
#SENDMAIL="/usr/local/postfix/sendmail/sendmail -i"
# Gentoo: /usr/sbin/sendmail.postfix; Debian: /usr/sbin/sendmail
SENDMAIL="/usr/sbin/sendmail -i"
EGREP=/bin/egrep

# Exit codes from <sysexits.h>
EX_UNAVAILABLE=69

# Number of *'s in X-Spam-Level header needed to sideline message:
# (Eg. Score of 5.5 = "*****")
SPAMLIMIT=5

# Scratch file; the directory must exist and be writable by "filter".
TMPFILE=/var/tempfs/out.$$

# Clean up when done or when aborting.
trap "rm -f $TMPFILE" 0 1 2 3 15

# Pipe message to spamc. If spamc fails, exit with a temporary failure so
# Postfix defers the message instead of losing it.
cat | /usr/bin/spamc -u filter > $TMPFILE || exit $EX_UNAVAILABLE

# Are there $SPAMLIMIT or more stars in the X-Spam-Level header? :
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < $TMPFILE
then
  # Option 1: Move high scoring messages to sideline dir so
  # a human can look at them later:
  # mv $TMPFILE $SIDELINE_DIR/`date +%Y-%m-%d_%R`-$$

  # Option 2: Divert to an alternate e-mail address
  # (the original diverts to the author's own mailbox; change this to yours):
  $SENDMAIL ggarron@alketech.com < $TMPFILE

  # Option 3: Delete the message
  # rm -f $TMPFILE
else
  $SENDMAIL "$@" < $TMPFILE
fi

# Postfix returns the exit status of the Postfix sendmail command.
exit $?

Make the script executable:

chmod 755 /usr/local/bin/spamchk

Add this to the end of your /etc/postfix/master.cf:

spamchk   unix  -       n       n       -       10      pipe
  flags=Rq user=filter argv=/usr/local/bin/spamchk -f ${sender} -- ${recipient}

Defining the service is not enough on its own: Postfix only hands mail to it if the receiving smtp service asks for it, so also add -o content_filter=spamchk: as an extra, indented line under the smtp inet line in master.cf, then reload Postfix.

Change the ENABLED=0 line in /etc/default/spamassassin to ENABLED=1 and start spamd with /etc/init.d/spamassassin start; the spamc call in the script talks to it.

 

 

Install ProFTPD

apt-get install proftpd

Now restart proftpd:

/etc/init.d/proftpd restart

Keep in mind that plain FTP sends user names and passwords unencrypted, so restrict it to the accounts that actually need it.

 

Finally, the firewall.

Go to this link and follow the instructions:

http://www.go2linux.org/index.php?option=com_content&task=view&id=37&Itemid=9

Contact

If you find anything wrong with this info, please inform me, as this is my first version of it.

Feel free to contact me at:

ggarron at alketech dot com

Links

http://www.gjdv.at/snippets/linux/virtual_mail_hosting
http://www.howtoforge.com/perfect_setup_centos_4.4
http://www.howtoforge.com/perfect_setup_debian_sarge
http://www.falkotimme.com/howtos/debian_bind_chroot/
http://www.vtiger.com/
http://www.hurring.com/howto/debian_postfix_sasl/
http://www.debianhelp.co.uk/proftp.htm

 
