The Perfect Setup - Debian Woody (3.0) - Page 5

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Wed, 2005-03-30 18:12. ::

MySQL

apt-get install mysql-server mysql-client libmysqlclient10-dev
<- No
<- Yes

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

In /etc/mysql/my.cnf comment out the following line:

skip-networking

It should now look similar to this:

# You can copy this to one of:
# /etc/mysql/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /var/lib/mysql) or
# ~/.my.cnf to set user-specific options.
#
# One can use all long options that the program supports.
# Run the program with --help to get a list of available options

# This will be passed to all mysql clients
[client]
#password = my_password
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

[safe_mysqld]
err-log = /var/log/mysql/mysql.err

[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
#
# You can also put it into /var/log/mysql/mysql.log but I leave it in /var/log
# for backward compatibility. Both location gets rotated by the cronjob.
#log = /var/log/mysql/mysql.log
log = /var/log/mysql.log
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/english
skip-locking
#
# The skip-networkin option will no longer be set via debconf menu.
# You have to manually change it if you want networking i.e. the server
# listening on port 3306. The default is "disable" - for security reasons.
#skip-networking
set-variable = key_buffer=16M
set-variable = max_allowed_packet=1M
set-variable = thread_stack=128K
#
# Here you can see queries with especially long duration
#log-slow-queries = /var/log/mysql/mysql-slow.log
#
# The following can be used as easy to replay backup logs or for replication
#server-id = 1
#log-bin = /var/log/mysql/mysql-bin.log
#binlog-do-db = include_database_name
#binlog-ignore-db = include_database_name
#
# Read the manual if you want to enable InnoDB!
skip-innodb

[mysqldump]
quick
set-variable = max_allowed_packet=1M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
set-variable = key_buffer=16M

Restart MySQL:

/etc/init.d/mysql restart

so that MySQL is accessible on port 3306 (you can check that with netstat -tap).

Postfix/Qpopper

addgroup sasl
apt-get install postfix-tls qpopper sasl-bin libsasl-modules-plain libsasl2 libsasl-gssapi-mit libsasl-digestmd5-des sasl2-bin libsasl2-modules (1 line!)

<- Kerberos: accept default value (I don't want to use Kerberos so I don't really care about it)
<- Internetsite
<- Domainname
<- No
<- accept default values
<- Kerberos: accept default value
<- NONE

cd /etc/init.d/
wget http://hanselan.de/postfix/pwcheck

In case you cannot access http://hanselan.de/postfix/pwcheck here's the pwcheck script:

#! /bin/sh
#
# pwcheck Startet pwcheck für SMTP-Auth mit Postfix
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/pwcheck
NAME=pwcheck
DESC="pwcheck daemon"

test -x $DAEMON || exit 0

set -e

case "$1" in
start)
echo -n "Starting $DESC: $NAME"
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck
$DAEMON
echo "."
;;
stop)
echo -n "Stopping $DESC: $NAME "
rm /var/run/pwcheck
/usr/bin/killall -KILL $NAME
echo "."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop}" >&2
exit 1
;;
esac

exit 0


chmod 755 /etc/init.d/pwcheck
update-rc.d pwcheck defaults
mkdir -p /var/spool/postfix/var/run/pwcheck
chown postfix.root /var/spool/postfix/var/run/pwcheck/
chmod 700 /var/spool/postfix/var/run/pwcheck/
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck

postconf -e 'smtpd_sasl_local_domain = $myhostname'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: pwcheck' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

# see /usr/share/postfix/main.cf.dist for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/pwcheck start
/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.

Courier-IMAP/Courier-POP3

If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP and Courier-POP3. Otherwise you can proceed with the Apache configuration.

apt-get install courier-imap courier-pop

qpopper and UW-IMAP will then be replaced.

Then configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Thu, 2006-03-23 00:29.

My version of /etc/mysql/my.cnf seems to read like this:


# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1


The article should probably be updated accordingly. I am ignoring the entry and continuing with the article.