This How-To, in its first version, covers

Apache2, Postfix, MySQL 5.x, Dovecot, SpamAssassin, ProFTPD and BIND (chrooted), all on a stable Debian server installed from a NetInstall CD, with backports enabled (selectively).

Installing Debian

Be sure to enter linux26 at the boot prompt to install the 2.6 version of the kernel.

Select the language you want to use.

Select your country.

Select your keyboard layout.

Choose the name you want for your server.

Here you put your domain name. In my case it is go2linx.org.

Select to partition the disk manually.

Confirm that you are going to work on that disk.

Select the free space.


Create a new partition.

Select 512 MB, or 1 GB, or whatever size you want for swap.

Select primary partition.

Select the beginning or the end of the free space.

Select swap.

Now in the same way assign the rest of the disk to an ext3 partition mounted on root (/), as follows.

On the next screens you will have to adjust your time zone, clock and your root password, and also create a new user. (I am not showing them here.)

On this one you can choose to scan another disk; I have none so I chose no.

On the next one you should choose to configure an apt source according to your needs.

Choose http, and the mirror nearest you.

If you are connected to the Internet through a proxy, put the info here.

After that the server will connect to the Internet and get some packages (this may take time, depending on your Internet connection speed).

Now select to install nothing, as we are going to do all of it manually, later.

Also choose no email configuration.

Now you are done with the installation.

Now let's start with the installation of all the packages needed to have our complete Debian server.

Install DNS (BIND chrooted)

First get the software:

apt-get install bind9
/etc/init.d/bind9 stop

Now edit with your favorite editor the file /etc/default/bind9:

vi /etc/default/bind9

And make sure it looks like this, so the daemon will run as the bind user, and in the jail of /var/lib/named/:

OPTIONS="-u bind -t /var/lib/named/"
This will make BIND run jailed in the directory /var/lib/named.

Now recreate the directory structure under /var/lib/named/, so the daemon can find the files it needs:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

(We use mkdir -p in order to create the parent directories as needed.)

Now move the configuration files of BIND from /etc/ to /var/lib/named/etc/:

mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind

The last line makes a symlink from the original configuration directory to the recently created one, so that future upgrades of the software (for example when you run apt-get upgrade) can find the files where they are supposed to be (or at least the symlinks).

Now create some device nodes in our /var/lib/named/dev/ directory:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

Assign the right ownership to the directories:

chown -R bind:bind /var/lib/named/var/
chown -R bind:bind /var/lib/named/etc/bind
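The following script is an added example, not part of the original how-to: it checks that a BIND jail built with the steps above is complete (OPTIONS drops privileges and chroots, the directory tree exists with the right owner, and the device nodes really are character devices). The jail path and the expected owner uid are parameters so the checks can also be run against a scratch tree; the --live defaults match the text.

```shell
#!/bin/sh
# Added example, not part of the original how-to: sanity-check a BIND chroot jail laid
# out as described above. The jail path and the expected owner (a numeric uid) are
# parameters, so the same checks can be run against a scratch tree; the defaults in
# the --live branch match the text (/etc/default/bind9, user bind).

# Read OPTIONS= from a /etc/default/bind9-style file and confirm that named both drops
# privileges (-u bind) and chroots (-t <dir>). Prints the jail directory on success.
bind_options_jail() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1")
    case " $opts " in
        *" -u bind "*) ;;
        *) echo "OPTIONS does not run named as user bind: $opts" >&2; return 1 ;;
    esac
    jail=$(printf '%s\n' "$opts" | sed -n 's/.*-t[[:space:]]*\([^[:space:]]*\).*/\1/p')
    [ -n "$jail" ] || { echo "OPTIONS has no -t <jail> argument" >&2; return 1; }
    printf '%s\n' "${jail%/}"
}

# Check the directory tree named expects inside the jail ($1) and that everything
# except dev/ is owned by uid $2, as the chown -R commands above arrange.
check_jail_dirs() {
    jail=${1%/}; owner=$2; rc=0
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing directory: $jail/$d" >&2; rc=1
        elif [ "$d" != dev ] && [ "$(stat -c %u "$jail/$d")" != "$owner" ]; then
            echo "$jail/$d is not owned by uid $owner" >&2; rc=1
        fi
    done
    return $rc
}

# The nodes created with mknod must be character devices: a plain file called "random"
# would give named an empty file instead of the kernel RNG.
check_jail_devices() {
    jail=${1%/}; rc=0
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || { echo "missing char device: $jail/dev/$dev" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone use: ./check-bind-jail.sh --live checks the system as the how-to sets it up.
if [ "$1" = "--live" ]; then
    jail=$(bind_options_jail /etc/default/bind9) || exit 1
    check_jail_dirs "$jail" "$(id -u bind)" && check_jail_devices "$jail" &&
        echo "chroot jail $jail looks complete"
fi
```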

We also need to modify the syslog init script so that log messages from inside the jail reach it. Look at the SYSLOGD= line in the file below: it makes syslogd listen on an additional socket, /var/lib/named/dev/log, so it can receive the messages from the chrooted BIND.

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root:adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    if [ ! -d /proc/$pid ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n" | head -n 1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading system log daemon: syslogd"
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  restart)
    echo -n "Restarting system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    sleep 1
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        echo -n "Reloading system log daemon: syslogd"
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        echo -n "Restarting system log daemon: syslogd"
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

Finally, restart syslog and start BIND:

/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

Installing backports

We will need to install backports to be able to download the latest available MySQL server for Debian. We are doing this because some applications, like VTiger (http://www.vtiger.com/), do not run with MySQL 4.x, which comes with Debian 3.1 Sarge.

First, change to root:

$ su -

Then edit with your favorite text editor (I use vi):

# vi /etc/apt/sources.list

Mine looks this way; maybe yours looks different.

#deb file:///cdrom/ sarge main
#deb cdrom:[Debian GNU/Linux 3.1 r3 _Sarge_ - Official i386 Binary-1 (20060904)]/ unstable contrib main

deb http://mirrors.kernel.org/debian/ stable main
deb-src http://mirrors.kernel.org/debian/ stable main
deb http://security.debian.org/ stable/updates main contrib

# Backports
deb http://www.backports.org/debian/ sarge-backports main

(Each line starting with "deb" indicates where the .deb packages can be found, along with other information.)

That is all, but if you want to use backports only for selected packages, and not for all, edit or create the file /etc/apt/preferences:

# vi /etc/apt/preferences

Explanation: see http://www.argon.org/~roderick/apt-pinning.html
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 900

Package: *
Pin: release a=sarge-backports
Pin-Priority: 200

Package: *
Pin: release o=Debian
Pin-Priority: -1

This file indicates the priority the repositories will have, so a package from a more heavily weighted repository will be installed and maintained unless you specifically choose to install from a less weighted repository (which is what the -t sarge-backports option below does for a single install).

That's all.

Install MySQL (from backports)

apt-get -t sarge-backports install mysql-server mysql-client

Install Apache2

apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2
apt-get install php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap
apt-get install php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick

Edit /etc/apache2/apache2.conf. Change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

to this:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

We need to do this in order to make it possible to have pages named, for example, index.htm in the server or virtual server home directory and still get a result when somebody hits our server. In other words, if index.htm is not in that list and it is our start page, the user would have to explicitly type http://www.yourserver.xxx/index.htm.

Now we have to enable some Apache modules (SSL, rewrite, suexec and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Restart Apache:

/etc/init.d/apache2 restart

Install Postfix, Dovecot, SpamAssassin, saslauthd

apt-get install sasl2-bin libpam-pgsql postfix postfix-tls postfix-pgsql dovecot-imapd dovecot-pop3d spamassassin libsasl2-modules

Saslauthd

Saslauthd will be used for Postfix authentication (because Postfix's smtp daemon runs chrooted).

Edit /etc/default/saslauthd and be sure these lines appear and are not commented out:

START=yes
MECHANISMS=pam
PARAMS="-r"

Add the postfix user to the sasl group:

usermod -G sasl postfix

(Note that usermod -G replaces the user's whole list of supplementary groups; on Debian, adduser postfix sasl appends the group instead.)

Copy the saslauthd directory into the Postfix jail:

mkdir -p /var/spool/postfix/var/run/saslauthd
chgrp sasl /var/spool/postfix/var/run/saslauthd

Create /etc/init.d/saslauthd-symlinks:

#! /bin/sh

if [ "$1" = "start" ] ; then
    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run
fi

And make the script active:

chmod 755 /etc/init.d/saslauthd-symlinks
ln -s /etc/init.d/saslauthd-symlinks /etc/rcS.d/S80saslauthd-symlinks

/etc/init.d/saslauthd stop
/etc/init.d/saslauthd-symlinks start
/etc/init.d/saslauthd start

Generate your certificates

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

(This produces a self-signed certificate. 1024-bit RSA keys were common when this was written; 2048 bits is the minimum you should generate today.)

Postfix

The relevant sections from /etc/postfix/main.cf; replace the hostname with your server's hostname:

myhostname = debby.milkyway.gal
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0

# sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# outlook-sasl is broken
broken_sasl_auth_clients = yes

# report authenticated username in headers?
smtpd_sasl_authenticated_header = yes

smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

(With smtpd_tls_auth_only = no, clients may authenticate before STARTTLS, so LOGIN and PLAIN credentials can cross the wire unencrypted; once TLS is working, set it to yes.)

Then switch delivery to Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

Create the file /etc/postfix/sasl/smtpd.conf and put this inside:

pwcheck_method: saslauthd
mech_list: login plain

Now let's do some testing. Start the Postfix daemon:

/etc/init.d/postfix restart

telnet localhost 25

and type "ehlo localhost" as soon as you get the prompt. Here you should see something like this:

debian:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 debian.go2linux.org ESMTP Postfix
ehlo localhost
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

The important lines are the two AUTH lines: they show that Postfix is offering SASL authentication.

Dovecot

Here you need to edit the file /etc/dovecot/dovecot.conf:

vi /etc/dovecot/dovecot.conf

And be sure these lines appear:

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s

SpamAssassin

Create a spamassassin user:

adduser --system --shell /bin/sh --group --gecos "Spamassassin User" filter

Create a script /usr/local/bin/spamchk:

#!/bin/sh

# ---------------------------------------------------------------
# File:        spamchk
#
# Purpose:     SPAMASSASSIN shell-based filter
#
# Location:    /usr/local/bin
#
# Usage:       Call this script from master.cf (Postfix)
#
# Certified:   GENTOO Linux, Spamassassin 3.0, Postfix
# ---------------------------------------------------------------

# Variables
#SENDMAIL="/usr/local/postfix/sendmail/sendmail -i"
# Debian's Postfix installs the sendmail wrapper as /usr/sbin/sendmail
SENDMAIL="/usr/sbin/sendmail -i"
EGREP=/bin/egrep

# Exit codes from <sysexits.h> (EX_UNAVAILABLE makes Postfix defer the message)
EX_UNAVAILABLE=69

# Number of *'s in X-Spam-level header needed to sideline message:
# (Eg. Score of 5.5 = "*****")
SPAMLIMIT=5

# Working directory; it must exist and be writable by the filter user.
TMPDIR=/var/tempfs

# Clean up when done or when aborting.
trap "rm -f $TMPDIR/out.$$" 0 1 2 3 15

# Pipe the message through spamc, which adds the X-Spam-* headers.
cat | /usr/bin/spamc -u filter > $TMPDIR/out.$$ || exit $EX_UNAVAILABLE

# Are there more than $SPAMLIMIT stars in X-Spam-Level header? :
if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < $TMPDIR/out.$$
then
  # Option 1: Move high scoring messages to sideline dir so a human can look at them:
  # mv $TMPDIR/out.$$ $SIDELINE_DIR/`date +%Y-%m-%d_%R`-$$
  # Option 2: Divert to an alternate e-mail address:
  # $SENDMAIL xyz@yourdomain.com < $TMPDIR/out.$$
  # Option 3: Delete the message
  # rm -f $TMPDIR/out.$$
fi

# Postfix returns the exit status of the Postfix sendmail command.
$SENDMAIL "$@" < $TMPDIR/out.$$

exit $?

Make the script executable (chmod 755 /usr/local/bin/spamchk) and create /var/tempfs, owned by the filter user, since the script keeps its working copy of each message there. With all three options commented out, as above, every message is passed on tagged and the decision is left to the mail client.

Add this to the end of your /etc/postfix/master.cf:

spamchk   unix  -       n       n       -       10      pipe
  flags=Rq user=filter argv=/usr/local/bin/spamchk -f ${sender} -- ${recipient}

Postfix only hands mail to this service if the smtpd entry at the top of master.cf is told to use it, by appending -o content_filter=spamchk:dummy to the smtp line.

Change the ENABLED=0 line in /etc/default/spamassassin to ENABLED=1.

Install ProFTPD

apt-get install proftpd

Now restart proftpd:

/etc/init.d/proftpd restart

Finally, the firewall.

Go to this link and follow the instructions:

http://www.go2linux.org/index.php?option=com_content&task=view&id=37&Itemid=9

Contact

If you find anything wrong with this info, please inform me, as this is my first version of it.

Feel free to contact me at: ggarron at alketech dot com

Links

http://www.gjdv.at/snippets/linux/virtual_mail_hosting
http://www.howtoforge.com/perfect_setup_centos_4.4
http://www.howtoforge.com/perfect_setup_debian_sarge
http://www.falkotimme.com/howtos/debian_bind_chroot/
http://www.vtiger.com/
http://www.hurring.com/howto/debian_postfix_sasl/
http://www.debianhelp.co.uk/proftp.htm
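As an added example that is not part of the original how-to, this script reads an EHLO reply like the one captured in the Postfix test above and reports what the server offers on the unencrypted connection. The sample transcript is constructed from the page's own telnet session; with smtpd_tls_auth_only = no, the AUTH mechanisms it lists are usable before STARTTLS.

```shell
#!/bin/sh
# Added example, not part of the original how-to: read the EHLO reply captured with
# telnet (as in the Postfix test above) and report what the server offers on the
# unencrypted connection. With smtpd_tls_auth_only = no, AUTH LOGIN/PLAIN is advertised
# before STARTTLS, so a client may send its password in the clear.

# Server side of the how-to's own telnet session, as a constructed sample.
SAMPLE_EHLO='220 debian.go2linux.org ESMTP Postfix
250-debian.go2linux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

# Print the keywords advertised in an EHLO reply ($1), one word each, skipping the
# greeting and the first 250- line (the server's own hostname). "AUTH=..." is the
# legacy spelling for broken clients and counts as AUTH.
ehlo_keywords() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^250[- ]/ { n++; if (n == 1) next; sub(/^250[- ]/, ""); sub(/=.*/, ""); printf "%s ", $1 }
    ' | sed 's/ $//'
}

# Return 0 and print the mechanisms if AUTH is offered on the cleartext connection,
# 1 otherwise. An advertised STARTTLS does not change the verdict: until the client
# actually upgrades, the mechanisms listed here are usable without encryption.
ehlo_cleartext_auth() {
    mechs=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH \(.*\)$/\1/p' | head -n 1)
    [ -n "$mechs" ] || return 1
    case " $(ehlo_keywords "$1") " in
        *" STARTTLS "*) tls=yes ;;
        *)              tls=no ;;
    esac
    echo "cleartext AUTH offered: $mechs (STARTTLS advertised: $tls)"
}

# Stand-alone use against the captured session; substitute your own transcript.
ehlo_cleartext_auth "$SAMPLE_EHLO" || echo "no cleartext AUTH offered"
```

To check a live server, capture the server lines of a telnet session into a file and pass its contents as the argument.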