Go2Linux | Linux Operating System


Complete Debian Sarge 3.1 server

Date: 2007-01-29 00:00:00 -0400

This How-To, in its first version, covers Apache2, Postfix, MySQL 5.x, Dovecot, SpamAssassin, ProFTPD and BIND (chrooted), all on a stable Debian server installed from a NetInstall CD, with Backports enabled selectively for chosen packages.

Installing Debian

Be sure to enter linux26 to install the 2.6 version of the kernel.

Select the language you want to use.

Select your country.

Select your keyboard layout.

Choose the name you want for your server.

Here you put your domain name. In my case it is go2linx.org.

Select to manually set the partitions.

Confirm that you are going to work on that disk.

Select the free space.

Create a new partition.

Select 512 MB, or 1 GB, or whatever size you want for swap.

Select primary partition.

Select the beginning or the end of the free space.

Select swap.

Now, in the same way, use the rest of the disk for an ext3 partition mounted on root, as follows.

On the next screens you will have to adjust your time zone, clock and root password, and also create a new user. (I am not showing them here.)

On this one you can choose to scan another disk; I have none, so I chose no.

On the next one you should choose to configure an apt source according to your needs.

Choose http, and the mirror nearest to you.

If you are connected to the Internet through a proxy, put the info here.

After that the server will connect to the Internet and get some packages (this may take time, depending on the speed of your Internet connection).

Now select to install nothing, as we are going to do it all manually later.

Also choose no email configuration.

Now you are done with the installation.

Now let's start with the installation of all the packages needed to have our Complete Debian Server.


Install DNS (BIND Chrooted)

First get the software:

apt-get install bind9
/etc/init.d/bind9 stop

Now edit the file /etc/default/bind9 with your favorite editor:

vi /etc/default/bind9

And make sure it looks like this, so the daemon will run as the bind user, in the jail /var/lib/named/:

 OPTIONS="-u bind -t /var/lib/named/"

This makes BIND run jailed in the directory /var/lib/named.

Now recreate the directory structure under /var/lib/named/, so the daemon can find the files it needs:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

(We use mkdir -p in order to create the parent directories as needed.)

Now move the BIND configuration files from /etc/ to /var/lib/named/etc/:

mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind

The last line makes a symlink from the original configuration directory to the recently created one, so future upgrades of the software (like when you run apt-get upgrade) can find the files where they are supposed to be (or at least the symlinks).

Now create the device nodes BIND needs in our /var/lib/named/dev/ directory:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

Assign the right ownership to the directories.

chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We also need to modify syslog, so that the logs written inside the jailed directory still reach it. Look at the SYSLOGD= line in the file below: it makes syslog listen on an additional socket, so it can receive the messages from the chrooted BIND.


#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
# "-a /var/lib/named/dev/log" makes syslogd listen on an additional socket
# inside the BIND chroot, so the jailed named can still log through syslog.
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    if [ ! -d /proc/$pid ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading system log daemon: syslogd"
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart)
    echo -n "Restarting system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        echo -n "Reloading system log daemon: syslogd"
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        echo -n "Restarting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
    ;;
esac

exit 0


Finally, restart syslog and start BIND:

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start
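As an added example (not part of the original article), here is a shell function that verifies the chroot layout built in this section: the OPTIONS line, the directory tree, the /etc/bind symlink, the device nodes and the extra syslogd socket. The function name and its root-prefix argument are my own choices, so the same check can be run against a test tree.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the BIND chroot
# built above. The root prefix is a parameter so the check can run against a
# test tree; on the live server call it as:  check_bind_chroot /
# Prints one line per problem and returns the number of problems found.
check_bind_chroot() {
    root=${1:-/}
    jail="$root/var/lib/named"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # named must drop to the bind user and chroot (OPTIONS in /etc/default/bind9)
    grep -q -- '-t /var/lib/named' "$root/etc/default/bind9" 2>/dev/null ||
        fail "/etc/default/bind9 does not chroot named (-t /var/lib/named)"
    grep -q -- '-u bind' "$root/etc/default/bind9" 2>/dev/null ||
        fail "/etc/default/bind9 does not run named as the bind user (-u bind)"

    # Directory tree the daemon expects inside the jail
    for d in etc dev var/cache/bind var/run/bind/run; do
        [ -d "$jail/$d" ] || fail "missing directory $jail/$d"
    done

    # The real config lives in the jail; /etc/bind must be a symlink to it
    if [ ! -L "$root/etc/bind" ]; then
        fail "/etc/bind is not a symlink into the jail"
    elif [ "$(readlink "$root/etc/bind")" != /var/lib/named/etc/bind ]; then
        fail "/etc/bind points at $(readlink "$root/etc/bind"), not /var/lib/named/etc/bind"
    fi

    # Device nodes named needs inside the jail (mknod ... c 1 3 / c 1 8 above)
    for n in null random; do
        [ -c "$jail/dev/$n" ] || fail "$jail/dev/$n is not a character device"
    done

    # syslogd must open an extra socket inside the jail or named's logs vanish
    grep -q -- '-a /var/lib/named/dev/log' "$root/etc/init.d/sysklogd" 2>/dev/null ||
        fail "sysklogd is not listening on /var/lib/named/dev/log"

    return $problems
}
```

Run it after the steps above; a clean chroot prints nothing and returns 0.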


Installing backports

We need to install backports to be able to download the latest MySQL server available for Debian. We are doing this because some applications, like VTiger (http://www.vtiger.com/), do not run with MySQL 4.x, which comes with Debian 3.1 Sarge.

First, change to root:

$ su -

Then edit the apt sources file with your favorite text editor (I use vi):

# vi /etc/apt/sources.list

Mine looks this way; maybe yours looks different.

#deb file:///cdrom/ sarge main
#deb cdrom:[Debian GNU/Linux 3.1 r3 Sarge - Official i386 Binary-1 (20060904)]/ unstable contrib main
deb http://mirrors.kernel.org/debian/ stable main
deb-src http://mirrors.kernel.org/debian/ stable main
deb http://security.debian.org/ stable/updates main contrib

# Backports
deb http://www.backports.org/debian/ sarge-backports main

(Each line starting with "deb" indicates where the .deb packages can be found, plus some other info.)

That is all, but if you want to use backports only for selected packages, and not for all, edit or create the file /etc/apt/preferences:

# vi /etc/apt/preferences

Explanation: see http://www.argon.org/~roderick/apt-pinning.html
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

Package: *
Pin: release o=Debian
Pin-Priority: -1

This file sets the priority each repository will have, so a package from a higher-weighted repository will be installed and kept up to date unless you specifically choose to install it from a lower-weighted one.

That's all.


 

Install MySQL (from backports)

apt-get -t sarge-backports install mysql-server mysql-client

Install Apache2

apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2
apt-get install php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap
apt-get install php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick

Edit /etc/apache2/apache2.conf. Change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

to this:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

We need to do this in order to make it possible to have pages named, for example, index.htm in the server or virtual server home directory and still get a result when somebody hits our server. In other words, if index.htm is our start page and it is not in that list, the user would have to explicitly write http://www.yourserver.xxx/index.htm.

Now we have to enable some Apache modules (SSL, rewrite, suexec and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Restart Apache:

/etc/init.d/apache2 restart


Install Postfix, Dovecot, SpamAssassin and saslauthd

apt-get install sasl2-bin libpam-pgsql postfix postfix-tls postfix-pgsql dovecot-imapd dovecot-pop3d spamassassin libsasl2-modules

Saslauthd

Saslauthd will be used for Postfix SMTP authentication (because Postfix's smtp daemon runs chrooted).

Edit /etc/default/saslauthd and make sure these lines are present (not commented out):

START=yes
MECHANISMS=pam
PARAMS="-r"

Add the postfix user to the sasl group:

usermod -G sasl postfix

Create the saslauthd directory inside the postfix jail:

mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd

Create /etc/init.d/saslauthd-symlinks:

#! /bin/sh
# Replace /var/run/saslauthd with a link into the Postfix chroot, so the
# chrooted smtpd and saslauthd share the same socket directory.
if [ "$1" = "start" ] ; then
    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run
fi

And make the script active:

chmod 755 /etc/init.d/saslauthd-symlinks
ln -s /etc/init.d/saslauthd-symlinks /etc/rcS.d/S80saslauthd-symlinks
/etc/init.d/saslauthd stop
/etc/init.d/saslauthd-symlinks start
/etc/init.d/saslauthd start

Generate your certificates:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

 

Postfix

The relevant sections from /etc/postfix/main.cf; replace the hostname (debby.milkyway.gal below) with your server's hostname:

myhostname = debby.milkyway.gal
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0

# sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# outlook-sasl is broken
broken_sasl_auth_clients = yes

# report authenticated username in headers?
smtpd_sasl_authenticated_header = yes

smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then set the mailbox format with postconf:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
 

Create the file /etc/postfix/sasl/smtpd.conf and put this inside:

pwcheck_method: saslauthd
mech_list: login plain

Now let's do some testing.

Start the postfix daemon:

/etc/init.d/postfix restart

Then run:

telnet localhost 25

and type ehlo localhost as soon as you get the prompt.

** Here you should see something like this **

debian:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 debian.go2linux.org ESMTP Postfix
ehlo localhost
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

The important lines are the two AUTH lines, which show that SASL authentication is being offered.
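As an added example, not from the original article: a small audit of the EHLO reply shown above, checking that SASL AUTH is offered and whether STARTTLS is advertised as well (with smtpd_tls_auth_only = no in the main.cf above, AUTH without STARTTLS means LOGIN/PLAIN credentials can be sent in clear text). The function name is mine, and the sample reply is constructed to match the session shown.

```shell
#!/bin/sh
# Added example, not from the original article: audit the EHLO reply from
# the telnet test above. Feed the server's reply lines on stdin.
# Return codes: 0 = AUTH and STARTTLS both advertised,
#               1 = AUTH offered without STARTTLS (with smtpd_tls_auth_only = no,
#                   LOGIN/PLAIN credentials can cross the wire in clear text),
#               2 = no AUTH advertised at all.
audit_ehlo() {
    has_auth=0; has_tls=0; mechs=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # telnet shows CRLF line ends
        case "$line" in
            250-*|"250 "*) ext=${line#250?} ;;       # keep only 250 reply lines
            *) continue ;;
        esac
        case "$ext" in
            "AUTH "*) has_auth=1; mechs=${ext#AUTH } ;;
            AUTH=*)   has_auth=1 ;;                   # legacy form for broken clients
            STARTTLS) has_tls=1 ;;
        esac
    done
    if [ "$has_auth" -eq 0 ]; then
        echo "no SASL AUTH advertised: check smtpd_sasl_auth_enable and saslauthd"
        return 2
    fi
    echo "AUTH mechanisms advertised: $mechs"
    if [ "$has_tls" -eq 0 ]; then
        echo "WARNING: AUTH without STARTTLS, credentials would be sent in clear text"
        return 1
    fi
    echo "STARTTLS advertised: clients can authenticate inside TLS"
    return 0
}

# Constructed sample reply, modelled on the article's session (it has no
# STARTTLS line, so the audit returns 1).
SAMPLE_EHLO='250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

printf '%s\n' "$SAMPLE_EHLO" | audit_ehlo || echo "audit exit status: $?"
# Against a live server (assumes netcat is installed):
#   printf 'EHLO localhost\r\nQUIT\r\n' | nc localhost 25 | audit_ehlo
```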

Dovecot

Here you need to edit the file /etc/dovecot/dovecot.conf:

vi /etc/dovecot/dovecot.conf

And be sure these lines appear:

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s

SpamAssassin

Create a spamassassin user:

adduser --system --shell /bin/sh --group --gecos "Spamassassin User" filter

Create a script /usr/local/bin/spamchk:

#!/bin/sh
# -----------------------------------------------------------------
# File:        spamchk
#
# Purpose:     SPAMASSASSIN shell-based filter
#
# Location:    /usr/local/bin
#
# Usage:       Call this script from master.cf (Postfix)
#
# Certified:   GENTOO Linux, Spamassassin 3.0, Postfix
# -----------------------------------------------------------------

# Variables
#SENDMAIL="/usr/local/postfix/sendmail/sendmail -i"
# (Debian's postfix package installs its sendmail wrapper as /usr/sbin/sendmail)
SENDMAIL="/usr/sbin/sendmail.postfix -i"
EGREP=/bin/egrep

# Exit codes from <sysexits.h>
EX_UNAVAILABLE=69

# Number of *'s in X-Spam-Level header needed to sideline message:
# (Eg. Score of 5.5 = "*****" )
SPAMLIMIT=5

# Clean up when done or when aborting.
trap "rm -f /var/tempfs/out.$$" 0 1 2 3 15

# Pipe message to spamc (the /var/tempfs directory must exist and be
# writable by the filter user)
cat | /usr/bin/spamc -u filter > /var/tempfs/out.$$

# Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tempfs/out.$$
then
  # Option 1: Move high scoring messages to sideline dir so
  # a human can look at them later:
  # mv out.$$ $SIDELINE_DIR/`date +%Y-%m-%d_%R`-$$

  # Option 2: Divert to an alternate e-mail address:
  $SENDMAIL ggarron@alketech.com < /var/tempfs/out.$$

  # Option 3: Delete the message
  # rm -f /var/tempfs/out.$$
else
  $SENDMAIL "$@" < /var/tempfs/out.$$
fi

# Postfix returns the exit status of the Postfix sendmail command.
exit $?

Add this to the end of your /etc/postfix/master.cf:

spamchk   unix  -       n       n       -       10      pipe
  flags=Rq user=filter argv=/usr/local/bin/spamchk -f ${sender} -- ${recipient}

Change the ENABLED=0 line in /etc/default/spamassassin to ENABLED=1.

 

 

Install ProFTPD

apt-get install proftpd

Now restart proftpd:

/etc/init.d/proftpd restart


 

Finally, the firewall.

Go to this link and follow the instructions:

http://www.go2linux.org/index.php?option=com_content&task=view&id=37&Itemid=9


Contact

If you find anything wrong with this info, please inform me, as this is my first version of it.

Feel free to contact me at:

ggarron at alketech dot com


Links

http://www.gjdv.at/snippets/linux/virtual_mail_hosting

http://www.howtoforge.com/perfect_setup_centos_4.4

http://www.howtoforge.com/perfect_setup_debian_sarge

http://www.falkotimme.com/howtos/debian_bind_chroot/

http://www.vtiger.com/

http://www.hurring.com/howto/debian_postfix_sasl/

http://www.debianhelp.co.uk/proftp.htm

 
