Complete Debian Sarge 3.1 server
Submitted by ggarron on Tue, 01/30/2007 - 02:50.
This How-To, in its first version, covers Apache2, Postfix, MySQL 5.x, Dovecot, SpamAssassin, ProFTPD and BIND (chrooted), all on a stable Debian server installed from a NetInstall CD, with Backports enabled selectively (pinned so that only the packages you choose come from it).
Installing Debian

Boot from the NetInstall CD and be sure to enter linux26 at the boot prompt, to install the 2.6 version of the kernel.

Select the language you want to use.
Select your country.
Select your keyboard layout.
Choose the name you want for your server.
Here you put your domain name. In my case it is go2linux.org.
Select to manually set the partitions.
Confirm that you are going to work on that disk.
Select Free space.
Create a new partition.
Select 512 MB, 1 GB or whatever size you want for swap.
Select primary partition.
Select the beginning or the end of the free space.
Select swap.
Now, in the same way, choose the rest of the disk for an ext3 partition mounted on root (/).

On the next screens you will have to adjust your time zone, clock and root password, and also create a new user (I am not showing them here).
On this one you can choose to scan another disk; I have none, so I chose no.
On the next one you should choose to configure an apt source according to your needs.
Choose http, and the mirror nearest to you.
If you are connected to the Internet through a proxy, put the info here.
After that the server will connect to the Internet and get some packages (this may take time, depending on your Internet connection speed).
Now select to install nothing, as we are going to do it all manually later.
Also choose no email configuration.
Now you are done with the installation.

Now let's start with the installation of all the packages needed to have our complete Debian server.
Install DNS (BIND chrooted)

First get the software and stop the daemon:

apt-get install bind9
/etc/init.d/bind9 stop

Now edit the file /etc/default/bind9 with your favorite editor:

vi /etc/default/bind9

and make sure it looks like this, so the daemon runs as the bind user and inside the jail /var/lib/named/:

OPTIONS="-u bind -t /var/lib/named/"

This makes BIND run jailed in the directory /var/lib/named: the process is dropped to the unprivileged bind user and, after the chroot, can only reach files below that directory.

Now recreate the directory structure under /var/lib/named/, so the daemon can find the files it needs:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

(We use mkdir -p in order to create the parent directories as needed.)

Now move the BIND configuration files from /etc/ to /var/lib/named/etc/:

mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind

The last line makes a symlink from the original configuration directory to the recently created one, so future upgrades of the software (for example when you run apt-get upgrade) find the files where they are supposed to be (or at least the symlink to them).

Now create some devices in our /var/lib/named/dev/ directory:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

Assign the right ownership to the directories:

chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We also need to modify the syslog init script, so that all the logs from the chrooted BIND reach syslog. Look at the SYSLOGD= line in the file /etc/init.d/sysklogd: it makes syslogd listen on an additional socket inside the jail (/var/lib/named/dev/log), which is the only way the chrooted BIND can hand its messages to syslog.
#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
# The -a option adds the extra listening socket inside the BIND jail:
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole() {
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running() {
    # No pidfile, probably no daemon present
    if [ ! -f $pidfile ]; then
        return 1
    fi
    pid=`cat $pidfile`
    # No pid, probably no daemon present
    if [ -z "$pid" ]; then
        return 1
    fi
    if [ ! -d /proc/$pid ]; then
        return 1
    fi
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n" | head -n 1`
    # No syslogd?
    if [ "$cmd" != "$binpath" ]; then
        return 1
    fi
    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading system log daemon: syslogd"
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart)
    echo -n "Restarting system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running; then
        echo -n "Reloading system log daemon: syslogd"
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        echo -n "Restarting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
    ;;
esac

exit 0
Finally, restart syslog and start BIND:

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start
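A quick way to verify the jail after the steps above is to audit it rather than trust that every command ran. The script below is an added example, not code from the original post: it reads the expected layout (directories, the two character devices and their major/minor numbers, the 0666 mode, the /etc/bind symlink, ownership by the bind user, and the syslog socket that syslogd -a creates) from the steps in the text and reports anything that deviates. It only reads the filesystem, so it can run unprivileged; scaffold_jail() mirrors the mkdir -p commands and is used by demo() to build a throw-away skeleton in a temporary directory.

```python
"""Audit the BIND chroot layout described above.  Added example, not code
from the original post; the expected layout is taken from the steps in
the text.  Read-only, so it can be run by an unprivileged user."""
import os
import stat
import tempfile

JAIL_DIRS = ("etc/bind", "dev", "var/cache/bind", "var/run/bind/run")
# (name, minor) of the character devices created with: mknod ... c 1 N
JAIL_DEVICES = (("null", 3), ("random", 8))


def scaffold_jail(jail):
    """Create the directory skeleton (the devices still need mknod as root)."""
    for d in JAIL_DIRS:
        os.makedirs(os.path.join(jail, d), exist_ok=True)


def audit_bind_jail(jail="/var/lib/named", etc_bind="/etc/bind", owner_uid=None):
    """Return a list of (kind, path) problems; empty means the layout matches
    the how-to.  owner_uid is the numeric uid of the 'bind' user (None skips
    the ownership check)."""
    problems = []
    for d in JAIL_DIRS:
        path = os.path.join(jail, d)
        if not os.path.isdir(path):
            problems.append(("missing-directory", path))
    for name, minor in JAIL_DEVICES:
        path = os.path.join(jail, "dev", name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(("missing-device", path))
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(("not-a-char-device", path))
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (1, minor):
            problems.append(("wrong-device-number", path))
        if stat.S_IMODE(st.st_mode) != 0o666:
            problems.append(("wrong-mode", path))
    # syslogd -a creates this socket; without it named's log lines are lost.
    log_sock = os.path.join(jail, "dev", "log")
    try:
        if not stat.S_ISSOCK(os.lstat(log_sock).st_mode):
            problems.append(("not-a-socket", log_sock))
    except FileNotFoundError:
        problems.append(("missing-socket", log_sock))
    # /etc/bind has to be a symlink into the jail so that package upgrades
    # keep editing the copy named actually reads.
    target = os.path.realpath(os.path.join(jail, "etc", "bind"))
    if not (os.path.islink(etc_bind) and os.path.realpath(etc_bind) == target):
        problems.append(("etc-bind-not-linked-into-jail", etc_bind))
    if owner_uid is not None:
        for sub in ("etc/bind", "var"):
            for root, _dirs, files in os.walk(os.path.join(jail, sub)):
                for entry in [root] + [os.path.join(root, f) for f in files]:
                    if os.lstat(entry).st_uid != owner_uid:
                        problems.append(("wrong-owner", entry))
    return problems


def demo():
    """Build a skeleton jail in a temp dir and audit it.  Devices and the
    syslog socket cannot be created without root, so those three findings
    are exactly what a fresh skeleton reports."""
    tmp = tempfile.mkdtemp()
    jail = os.path.join(tmp, "named")
    scaffold_jail(jail)
    link = os.path.join(tmp, "etc_bind")
    os.symlink(os.path.join(jail, "etc", "bind"), link)
    return audit_bind_jail(jail, etc_bind=link, owner_uid=os.getuid())


if __name__ == "__main__":
    for kind, path in audit_bind_jail():
        print(kind, path)
```

Run it as root on the real server after the chroot steps: an empty result means the layout matches the text; a missing-socket finding means sysklogd was not restarted with the -a option, which is the usual reason why a chrooted named logs nothing.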
Installing backports

We will need to install backports to be able to download the latest available MySQL server for Debian. We are doing this because some applications (like VTiger, http://www.vtiger.com/) do not run with the MySQL 4.x that comes with Debian 3.1 Sarge.

First, change to root:

$ su -

Then edit the apt sources list with your favorite text editor (I use vi):

# vi /etc/apt/sources.list

Mine looks this way; maybe yours looks different.

#deb file:///cdrom/ sarge main
#deb cdrom:[Debian GNU/Linux 3.1 r3 _Sarge_ - Official i386 Binary-1 (20060904)]/ unstable contrib main

deb http://mirrors.kernel.org/debian/ stable main
deb-src http://mirrors.kernel.org/debian/ stable main

deb http://security.debian.org/ stable/updates main contrib

# Backports
deb http://www.backports.org/debian/ sarge-backports main

(Each line starting with "deb" indicates where the .deb packages can be found, and other info as well.)

That is all, but if you want to use backports only for selected packages, and not for all, edit or create the file /etc/apt/preferences:

# vi /etc/apt/preferences

Explanation: see http://www.argon.org/~roderick/apt-pinning.html
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

Package: *
Pin: release o=Debian
Pin-Priority: -1

This file indicates the priority each repository will have: a package from a higher-priority repository will be installed and kept, unless you specifically choose to install it from a lower-priority repository (with apt-get -t sarge-backports, as below). With these priorities, stable (900) always wins over sarge-backports (200), and anything else from the Debian origin (testing or unstable, if you ever add them) gets -1 and is never installed automatically.

That's all.
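To see what these three pin records actually do, here is a small simulation of apt's candidate selection under this preferences file. It is an added example, not part of the original post: the package index (versions and origins) is constructed, and the version ordering is simplified (real apt uses dpkg's version comparison). pin_priority() applies the first matching record, as apt does for general-form records, and models apt-get -t by giving the target release priority 990 before the file is consulted.

```python
"""Simulate how apt chooses a candidate version under the pin file from
this how-to.  Added example, not part of the original post: the package
index is constructed and version ordering is simplified."""

# Records of /etc/apt/preferences above, in file order: (Release fields
# that must match, Pin-Priority).  apt applies the FIRST general-form
# record whose fields all match the version's Release data.
PREFERENCES = [
    ({"o": "Debian", "a": "stable"}, 900),
    ({"a": "sarge-backports"}, 200),
    ({"o": "Debian"}, -1),
]

# Constructed package index: (package, version, Origin, Suite/archive).
INDEX = [
    ("mysql-server", "4.0.24", "Debian", "stable"),
    ("mysql-server", "5.0.32", "Backports.org archive", "sarge-backports"),
    ("mysql-server", "5.0.36", "Debian", "unstable"),
    ("apache2", "2.0.54", "Debian", "stable"),
]


def version_key(ver):
    """Ordering for the constructed dotted versions only."""
    return tuple(int(part) for part in ver.split("."))


def pin_priority(origin, archive, prefs=PREFERENCES, target=None):
    """Priority apt gives a version from (origin, archive).
    apt-get -t <target> installs a 'release a=<target>' pin of 990 that is
    consulted before the preferences file; that is what lets
    'apt-get -t sarge-backports install ...' beat the 200 above."""
    if target is not None and archive == target:
        return 990
    release = {"o": origin, "a": archive}
    for fields, prio in prefs:
        if all(release.get(k) == v for k, v in fields.items()):
            return prio
    return 500  # apt's default for an unpinned, not-installed version


def candidate(package, index=INDEX, prefs=PREFERENCES, target=None):
    """Version apt would install: highest priority wins, ties go to the
    highest version, and a negative priority is never installed.
    Returns (version, archive) or None."""
    best = None
    for pkg, ver, origin, archive in index:
        if pkg != package:
            continue
        prio = pin_priority(origin, archive, prefs, target)
        if prio < 0:
            continue
        key = (prio, version_key(ver))
        if best is None or key > best[0]:
            best = (key, ver, archive)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print("apt-get install mysql-server              ->", candidate("mysql-server"))
    print("apt-get -t sarge-backports install ...    ->",
          candidate("mysql-server", target="sarge-backports"))
    print("same request with no preferences file    ->",
          candidate("mysql-server", prefs=[]))
```

The third line of output is the case the pin file prevents: with no preferences, every version has priority 500 and the newest one wins, so a plain apt-get upgrade would start pulling packages from whatever newer archive is listed.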
Install MySQL (from backports)

apt-get -t sarge-backports install mysql-server mysql-client

Install Apache2

apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2
apt-get install php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap
apt-get install php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick

Edit /etc/apache2/apache2.conf. Change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

to this:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

We need to do this in order to make it possible to have pages named, for example, index.htm in the server or virtual host document root and still get a result when somebody hits our server. In other words, if index.htm is our start page and it is not in the DirectoryIndex list, the user would have to explicitly type http://www.yourserver.xxx/index.htm.

Now we have to enable some Apache modules (SSL, rewrite, suexec and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Restart Apache:

/etc/init.d/apache2 restart
Install Postfix, Dovecot, SpamAssassin and saslauthd

apt-get install sasl2-bin libpam-pgsql postfix postfix-tls postfix-pgsql dovecot-imapd dovecot-pop3d spamassassin libsasl2-modules

Saslauthd

saslauthd will be used for Postfix SMTP authentication; its socket has to live inside the Postfix spool, because Postfix's smtpd daemon runs chrooted there and cannot reach /var/run/saslauthd otherwise.

Edit /etc/default/saslauthd and be sure these lines are present and not commented out:

START=yes
MECHANISMS=pam
PARAMS="-r"

Add the postfix user to the sasl group:

usermod -G sasl postfix

(usermod -G replaces the user's whole list of supplementary groups; adduser postfix sasl adds the group without touching the others.)

Create the saslauthd socket directory inside the Postfix jail:

mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd

Create /etc/init.d/saslauthd-symlinks with this content:

#! /bin/sh
if [ "$1" = "start" ] ; then
    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run
fi

And make the script active:

chmod 755 /etc/init.d/saslauthd-symlinks
ln -s /etc/init.d/saslauthd-symlinks /etc/rcS.d/S80saslauthd-symlinks
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd-symlinks start
/etc/init.d/saslauthd start

Generate your certificates:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

(The openssl rsa step strips the passphrase from smtpd.key so Postfix can start unattended; that is why the key is chmod 600 and must stay readable by root only.)
Postfix

The relevant sections from /etc/postfix/main.cf (replace the myhostname value, debby.milkyway.gal in this example, with your server's hostname):

myhostname = debby.milkyway.gal
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0

# sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# outlook-sasl is broken
broken_sasl_auth_clients = yes
# report authenticated username in headers?
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then switch delivery to Maildir format:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Create the file /etc/postfix/sasl/smtpd.conf and put this inside:

pwcheck_method: saslauthd
mech_list: login plain
Now let's do some testing. Start the Postfix daemon:

/etc/init.d/postfix restart

Then connect to it:

telnet localhost 25

and type ehlo localhost as soon as you get the prompt. Here you should see something like this:

debian:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 debian.go2linux.org ESMTP Postfix
ehlo localhost
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

The important lines are the two AUTH lines: they show that Postfix is offering SMTP authentication with the LOGIN and PLAIN mechanisms from smtpd.conf.
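Reading that EHLO reply by eye works once; checking it repeatedly (after every config change, or from a monitoring job) is easier with a parser. The following is an added example, not code from the original post: SAMPLE_EHLO is constructed to match the session above, parse_ehlo() turns the 250 reply into a keyword map, assess() points out the two things a defender cares about in this particular configuration (AUTH LOGIN/PLAIN being offered before the session is encrypted, which smtpd_tls_auth_only = no allows, and whether STARTTLS is advertised at all), and fetch_ehlo() is a live equivalent of the telnet test.

```python
"""Parse the EHLO reply from the telnet test above and report what the
server offers.  Added example, not from the original post; the sample
reply is constructed to match the session shown in the text."""
import socket

SAMPLE_EHLO = """\
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
"""


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters from a 250 multi-line reply."""
    caps = {}
    first = True
    for line in reply.splitlines():
        if not line.startswith("250") or len(line) < 4:
            continue  # banner, errors, or anything outside the 250 reply
        body = line[4:].strip()  # drop "250-" / "250 "
        if first:  # the first 250 line only carries the server's name
            first = False
            continue
        # "AUTH=LOGIN PLAIN" is the compatibility form Postfix emits for
        # broken_sasl_auth_clients = yes; treat it like the normal line.
        body = body.replace("AUTH=", "AUTH ", 1)
        keyword, _, params = body.partition(" ")
        caps.setdefault(keyword.upper(), []).extend(params.split())
    return caps


def assess(caps, after_starttls=False):
    """Return (sorted AUTH mechanisms, list of findings)."""
    mechs = sorted(set(caps.get("AUTH", [])))
    findings = []
    if mechs and not after_starttls:
        # smtpd_tls_auth_only = no (as in the main.cf above) lets clients
        # send LOGIN/PLAIN credentials before the session is encrypted.
        findings.append("AUTH offered on an unencrypted connection: " + " ".join(mechs))
    if "STARTTLS" not in caps:
        # Postfix advertises STARTTLS when smtpd_use_tls = yes and the key
        # and certificate load; smtpd_tls_loglevel = 3 shows why if not.
        findings.append("STARTTLS not advertised")
    return mechs, findings


def fetch_ehlo(host="localhost", port=25, timeout=5.0):
    """Live variant of the telnet test; returns the raw EHLO reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        f.readline()  # 220 banner
        f.write(b"EHLO localhost\r\n")
        f.flush()
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break  # "250 " (space) is the last line of the reply
        f.write(b"QUIT\r\n")
        f.flush()
    return "\n".join(lines)


if __name__ == "__main__":
    mechs, findings = assess(parse_ehlo(SAMPLE_EHLO))
    print("mechanisms:", mechs)
    for finding in findings:
        print("finding:", finding)
```

If you want credentials to be accepted only inside TLS, set smtpd_tls_auth_only = yes; the plaintext EHLO reply then stops listing AUTH, and assess() on a live fetch_ehlo() result reports only whether STARTTLS is present.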
Dovecot

Here you need to edit the file /etc/dovecot/dovecot.conf:

vi /etc/dovecot/dovecot.conf

and be sure these lines appear:

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s
SpamAssassin

Create a SpamAssassin user:

adduser --system --shell /bin/sh --group --gecos "Spamassassin User" filter

Create a script /usr/local/bin/spamchk:
#!/bin/sh
#
# -----------------------------------------------------------------
# File:      spamchk
# Purpose:   SPAMASSASIN shell-based filter
# Location:  /usr/local/bin
# Usage:     Call this script from master.cf (Postfix)
# Certified: GENTOO Linux, Spamassassin 3.0, Postfix
# -----------------------------------------------------------------

# Variables
#SENDMAIL="/usr/local/postfix/sendmail/sendmail -i"
#SENDMAIL="/usr/sbin/sendmail.postfix -i"   # Gentoo/Red Hat path
SENDMAIL="/usr/sbin/sendmail -i"            # Debian's Postfix sendmail wrapper
EGREP=/bin/egrep

# Exit codes from <sysexits.h>
EX_UNAVAILABLE=69

# Number of *'s in X-Spam-level header needed to sideline message:
# (Eg. Score of 5.5 = "*****")
SPAMLIMIT=5

# Clean up when done or when aborting.
trap "rm -f /var/tempfs/out.$$" 0 1 2 3 15

# Pipe message to spamc
cat | /usr/bin/spamc -u filter > /var/tempfs/out.$$

# Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tempfs/out.$$
then
  # Option 1: Move high scoring messages to sideline dir so
  # a human can look at them later:
  # mv out.$$ $SIDELINE_DIR/`date +%Y-%m-%d_%R`-$$

  # Option 2: Divert to an alternate e-mail address:
  $SENDMAIL ggarron@alketech.com < /var/tempfs/out.$$

  # Option 3: Delete the message
  # rm -f /var/tempfs/out.$$
else
  $SENDMAIL "$@" < /var/tempfs/out.$$
fi

# Postfix returns the exit status of the Postfix sendmail command.
exit $?
The script writes its temporary copy of each message to /var/tempfs, so that directory must exist and be writable by the filter user.

Add this to the end of your /etc/postfix/master.cf:

spamchk   unix  -       n       n       -       10      pipe
  flags=Rq user=filter argv=/usr/local/bin/spamchk -f ${sender} -- ${recipient}

This only defines the service; Postfix routes mail through it when the smtp entry in master.cf names it as the content filter (-o content_filter=spamchk:dummy).

Change the ENABLED=0 line in /etc/default/spamassassin to ENABLED=1, then start spamd with /etc/init.d/spamassassin restart so that spamc has something to talk to.
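The whole filter comes down to one decision: count the stars in X-Spam-Level and compare them with SPAMLIMIT. The following is an added example, not code from the original post, that reproduces that decision so it can be tested without Postfix or spamd; the messages are constructed, and the diversion address is a placeholder standing in for the one in the script. It also covers the two edge cases the shell script handles implicitly: a message with no score header at all (spamc hands the message back unchanged when it cannot reach spamd, so the script delivers it), and, as a deliberate hardening over the script's egrep of the whole temporary file, an X-Spam-Level line that appears in the body rather than the header block.

```python
"""Reproduce the routing decision of /usr/local/bin/spamchk so it can be
checked without Postfix or spamd.  Added example, not from the original
post; the messages are constructed."""
import re

SPAMLIMIT = 5  # same threshold as the script; spamc adds one '*' per point
# Placeholder for the diversion address used in "Option 2" of the script.
DIVERT_TO = "spam-review@example.invalid"

# Constructed messages, as spamc would hand them back to the script.
CLEAN_MSG = "From: a@example.invalid\nX-Spam-Level: **\n\nhello\n"
SPAM_MSG = "From: b@example.invalid\nX-Spam-Level: ******\n\nbuy now\n"
UNSCORED_MSG = "From: c@example.invalid\n\nspamd was down, so no score header\n"
BODY_ONLY_MSG = "From: d@example.invalid\n\nX-Spam-Level: **********\n"


def spam_level(message):
    """Number of '*' in the X-Spam-Level header, 0 if the header is absent.
    Unlike the script's egrep over the whole file, only the header block
    (everything before the first blank line) is searched."""
    headers = message.partition("\n\n")[0]
    match = re.search(r"^X-Spam-Level:\s*(\**)", headers,
                      re.MULTILINE | re.IGNORECASE)
    return len(match.group(1)) if match else 0


def route(message, limit=SPAMLIMIT, divert_to=DIVERT_TO):
    """('divert', address) when the level reaches the limit, which is what
    the script's egrep with {SPAMLIMIT,} tests; otherwise ('deliver', None),
    meaning hand the message to sendmail for its original recipients.
    A message with no score header is delivered unchanged, as the script
    does when spamc could not reach spamd."""
    if spam_level(message) >= limit:
        return ("divert", divert_to)
    return ("deliver", None)


if __name__ == "__main__":
    for name, msg in (("clean", CLEAN_MSG), ("spam", SPAM_MSG),
                      ("unscored", UNSCORED_MSG), ("body-only", BODY_ONLY_MSG)):
        print(name, spam_level(msg), route(msg))
```

The unscored case is worth keeping in mind operationally: if spamd is down, every message is delivered unfiltered and nothing in the mail flow tells you, so watch the spamd process (or spamc's log lines) rather than relying on the absence of diverted mail.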
Install ProFTPD

apt-get install proftpd

Now restart proftpd:

/etc/init.d/proftpd restart

Finally, the firewall. Go to this link and follow the instructions:
http://www.go2linux.org/index.php?option=com_content&task=view&id=37&Itemid=9
Contact

If you find anything wrong with this info, please inform me, as this is my first version of it. Feel free to contact me at: ggarron at alketech dot com
Links

http://www.gjdv.at/snippets/linux/virtual_mail_hosting
http://www.howtoforge.com/perfect_setup_centos_4.4
http://www.howtoforge.com/perfect_setup_debian_sarge
http://www.falkotimme.com/howtos/debian_bind_chroot/
http://www.vtiger.com/
http://www.hurring.com/howto/debian_postfix_sasl/
http://www.debianhelp.co.uk/proftp.htm