The Perfect Setup - Debian Woody (3.0) - Page 5


apt-get install mysql-server mysql-client libmysqlclient10-dev
<- No
<- Yes

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h -u root password yourrootsqlpassword

In /etc/mysql/my.cnf comment out the following line:


It should now look similar to this:

# You can copy this to one of:
# /etc/mysql/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /var/lib/mysql) or
# ~/.my.cnf to set user-specific options.
# One can use all long options that the program supports.
# Run the program with --help to get a list of available options

# This will be passed to all mysql clients
#password = my_password
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

err-log = /var/log/mysql/mysql.err

user = mysql
pid-file = /var/run/mysqld/
socket = /var/run/mysqld/mysqld.sock
port = 3306
# You can also put it into /var/log/mysql/mysql.log but I leave it in /var/log
# for backward compatibility. Both location gets rotated by the cronjob.
#log = /var/log/mysql/mysql.log
log = /var/log/mysql.log
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/english
# The skip-networkin option will no longer be set via debconf menu.
# You have to manually change it if you want networking i.e. the server
# listening on port 3306. The default is "disable" - for security reasons.
set-variable = key_buffer=16M
set-variable = max_allowed_packet=1M
set-variable = thread_stack=128K
# Here you can see queries with especially long duration
#log-slow-queries = /var/log/mysql/mysql-slow.log
# The following can be used as easy to replay backup logs or for replication
#server-id = 1
#log-bin = /var/log/mysql/mysql-bin.log
#binlog-do-db = include_database_name
#binlog-ignore-db = include_database_name
# Read the manual if you want to enable InnoDB!

set-variable = max_allowed_packet=1M

#no-auto-rehash # faster start of mysql but no tab completition

set-variable = key_buffer=16M

Restart MySQL:

/etc/init.d/mysql restart

so that MySQL is accessible on port 3306 (you can check that with netstat -tap).


addgroup sasl
apt-get install postfix-tls qpopper sasl-bin libsasl-modules-plain libsasl2 libsasl-gssapi-mit libsasl-digestmd5-des sasl2-bin libsasl2-modules (1 line!)

<- Kerberos: accept default value (I don't want to use Kerberos so I don't really care about it)
<- Internetsite
<- Domainname
<- No
<- accept default values
<- Kerberos: accept default value

cd /etc/init.d/

In case you cannot access here's the pwcheck script:

#! /bin/sh
# pwcheck Startet pwcheck für SMTP-Auth mit Postfix

DESC="pwcheck daemon"

test -x $DAEMON || exit 0

set -e

case "$1" in
echo -n "Starting $DESC: $NAME"
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck
echo "."
echo -n "Stopping $DESC: $NAME "
rm /var/run/pwcheck
/usr/bin/killall -KILL $NAME
echo "."
echo "Usage: $N {start|stop}" >&2
exit 1

exit 0

chmod 755 /etc/init.d/pwcheck
update-rc.d pwcheck defaults
mkdir -p /var/spool/postfix/var/run/pwcheck
chown postfix.root /var/spool/postfix/var/run/pwcheck/
chmod 700 /var/spool/postfix/var/run/pwcheck/
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck

postconf -e 'smtpd_sasl_local_domain = $myhostname'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: pwcheck' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/ should now look like this:

# see /usr/share/postfix/ for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =,, localhost
relayhost =
mynetworks =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/pwcheck start
/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines




everything is fine.



to return to the system's shell.


If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP and Courier-POP3. Otherwise you can proceed with the Apache configuration.

apt-get install courier-imap courier-pop

qpopper and UW-IMAP will then be replaced.

Then configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.

Share this page:

6 Comment(s)

Add comment


From: tado at: 2005-04-07 10:33:50


are there any advantages using maildir and not mailbox format?

Thanks, Tado

From: at: 2005-04-08 09:22:21

Yes, Maildir stores each email in a separate file whereas mbox uses on big file to store all messages. That means if an email is corrupted you lose all your mails if you use mbox.

And if you use mbox each time a user fetches his mails over POP3, the whole mbox is copied to another file from which the mails are retrieved. This means that if a user has a quota limit, this limit has to be at least twive the size of his mbox file. This does not happen if you use Maildir because then no files are copied.


From: Anonymous at: 2006-01-24 04:28:24

apt-cache search mb2md

From: Anonymous at: 2006-03-22 23:22:50

If you get:

couldn't open pid file '/var/run/bind/run/': No such file or directory

then you might try something like:

chown -R nobody:nogroup /var/run/bind

From: Anonymous at: 2006-03-22 23:29:43

My version of /etc/mysql/my.cnf seems to read like this:

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address =

The article should probably be updated accordingly. I am ignoring the entry and continuing with the article.

From: dan at: 2009-05-30 17:30:53

That would almost certainly be the more practical approach, though at 7 CDs I wouldn't be keen to do it, and I'm a notorious Debian pusher. Of course I'm also pretty lazy... There's rather a gap between fetching packages over the wire (works great if you have the bandwidth for it!) and getting the whole distro on CDs (or DVD - wasn't there an unoffical jigdo setup for Woody DVDs?).