The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2] - Page 4

11 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient15-dev

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      6612/mysqld
server1:~#

 

12 Postfix With SMTP-AUTH And TLS

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e 'myhostname = server1.example.com'

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
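An added check, not part of the original tutorial: the Python below parses a main.cf in the form shown above (name = value, continuation lines indented) and audits the settings that decide whether this server relays for strangers or accepts passwords in the clear. The embedded main.cf excerpt is a constructed sample of this section's configuration; because smtpd_tls_auth_only = no is set above, the audit reports that LOGIN/PLAIN credentials are accepted on unencrypted sessions.

```python
import re

# Constructed sample modelled on the main.cf this section produces; the
# indented continuation line is valid Postfix syntax.
SAMPLE_MAIN_CF = """\
# excerpt of /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = no
"""

def parse_main_cf(text):
    """Return {parameter: value} from main.cf text. Lines are 'name = value';
    a line starting with whitespace continues the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                      # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def audit_postfix(params):
    """Return human-readable findings about relay control and SMTP-AUTH."""
    findings = []
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rules:
        findings.append("open relay risk: reject_unauth_destination missing")
    else:
        # Only permit_mynetworks / permit_sasl_authenticated may come first;
        # any other permit_* ahead of reject_unauth_destination relays mail.
        cut = rules.index("reject_unauth_destination")
        for rule in rules[:cut]:
            if rule.startswith("permit") and rule not in (
                    "permit_mynetworks", "permit_sasl_authenticated"):
                findings.append("open relay risk: %s precedes "
                                "reject_unauth_destination" % rule)
    if params.get("smtpd_use_tls") != "yes":
        findings.append("STARTTLS not offered: smtpd_use_tls is not yes")
    if (params.get("smtpd_sasl_auth_enable") == "yes"
            and params.get("smtpd_tls_auth_only") != "yes"):
        findings.append("LOGIN/PLAIN credentials accepted on unencrypted "
                        "sessions: set smtpd_tls_auth_only = yes")
    return findings
```

Run it against the real file with `audit_postfix(parse_main_cf(open("/etc/postfix/main.cf").read()))`; an empty list means none of the three checks fired.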

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl

Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

The output on my system looks like this:

server1:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
server1:/etc/postfix/ssl#

Type

quit

to return to the system's shell.
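As an added example (not from the original tutorial), the following Python does by script what the telnet session above does by hand: it parses the multi-line 250 EHLO reply, reports whether STARTTLS and AUTH are advertised, and flags that AUTH offered on the cleartext session means LOGIN/PLAIN passwords would cross the wire unencrypted. The sample reply is constructed from the session shown above; probe_server() is a live helper that assumes a reachable Postfix on localhost port 25.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply printed by the telnet session above.
SAMPLE_EHLO_REPLY = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

def parse_ehlo(reply):
    """Turn a raw 250 EHLO reply into {KEYWORD: [params]}; line 1 is the host."""
    features = {}
    lines = [line for line in reply.splitlines() if line.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].strip()                  # strip "250-" / "250 "
        # Postfix also prints "AUTH=LOGIN PLAIN" when
        # broken_sasl_auth_clients = yes; treat it like "AUTH LOGIN PLAIN".
        keyword, _, params = body.replace("=", " ", 1).partition(" ")
        if keyword:
            features.setdefault(keyword.upper(), []).extend(params.split())
    return features

def check_smtp_features(features, tls_active=False):
    """Report what the server offers on a cleartext (or TLS) session."""
    auth = sorted(set(features.get("AUTH", [])))
    return {
        "starttls": "STARTTLS" in features,
        "auth_mechanisms": auth,
        # LOGIN/PLAIN on a cleartext session sends the password unencrypted;
        # smtpd_tls_auth_only = yes makes Postfix withhold AUTH until STARTTLS.
        "plaintext_auth_exposed": bool(auth) and not tls_active,
    }

def probe_server(host="localhost", port=25):
    """Live check of a server you administer: features before and after STARTTLS.
    Certificate checks are off because the tutorial's certificate is self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        smtp.starttls(context=ctx)
        smtp.ehlo()
        after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return check_smtp_features(before), check_smtp_features(after, tls_active=True)
```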

 

13 Courier-IMAP/Courier-POP3

Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates...

mkimapdcert
mkpop3dcert

... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.


Comments

From: Tony at: 2009-03-14 06:40:55

As usual, fantastic guide by Falko!
However, I chose the extra partitions - /var, /tmp, /usr & /home.
I got all the way to the end of this guide, went to install ISPConfig & got this error from the installer package:

ERROR: Sie benötigen mind. 512MB Platz im /root-Verzeichnis, um ISPConfig zu installieren! / You need at least 512MB of disk space in the /root directory to install ISPConfig!

Therefore it seems you must be careful when partitioning if using ISPConfig 2. ISPConfig 3 had no problem with same partitioning.

From: Anonymous at: 2009-02-20 22:24:52

From Etch onward, it is recommended that users use aptitude instead of apt-get.  Aptitude has advanced dependency handling that can avoid some serious problems in unusual situations. 

From the official debian documentation http://www.debian.org/releases/stable/i386/release-notes/ch-whats-new.en.html#s-pkgmgmt:

" The preferred program for package management from the command line is aptitude, which can perform the same package management functions as apt-get and has proven to be better at dependency resolution."

From: ree at: 2009-12-31 12:38:38

hi,

Please edit the /etc/init.d/bind9 startup script!!

To do it, follow:

nano /etc/init.d/bind9

then find the PIDFILE definition and edit it to look like this:

PIDFILE=/var/lib/named/var/run/bind/run/named.pid

and restart bind9: 

/etc/init.d/bind9 restart

regards

From: Yves at: 2010-01-29 22:26:31

This is not necessary. The correct path inside the jail is /var/run/bind/run/named.pid

From: Yves at: 2010-01-31 13:11:58

To use IPv6, i.e. listen-on-v6, you need to mount proc inside your chroot:

 mkdir /var/lib/named/proc

 mount -t proc proc /var/lib/named/proc

 Don't forget to create a mount that persists after next reboot, i.e. by adding it to /etc/fstab

From: ROk at: 2010-03-18 09:50:34

In the file /etc/network/interfaces DO NOT WRITE DNS addresses. ONLY in /etc/resolv.conf.

You will need to specify your DNS servers manually in /etc/resolv.conf, which should look something like this:

search mydomain.example

nameserver 192.168.0.1

nameserver 4.2.2.2

Otherwise there will be mistakes.

From: Nokao at: 2010-05-20 21:37:10

Do you think that the DNS step is important even for those who don't need a DNS server?

I mean ... is it true that a DNS server only for local software is "a must have"?

From: Dima at: 2011-06-14 22:49:32

There is no need to manually create the aquota.user and aquota.group files. They are created automatically by using the command quotacheck with the appropriate keys ( -c -u -g ).

From: at: 2009-05-07 18:19:57

I would suggest setting up additional parameters:

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client dnsbl.njabl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client pbl.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client duinv.aupads.org,reject_rbl_client ix.dnsbl.manitu.net,reject_rhsbl_sender rhsbl.sorbs.net,reject_unauth_destination'

postconf -e 'smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated, reject_rhsbl_sender dsn.rfc-ignorant.org'

From: Yves at: 2010-02-04 16:21:54

reject_unauth_destination is way too far toward the end; it should be before the rbl calls...

reject_unauth_pipelining should be placed under smtpd_data_restrictions for Postfix 2.x!

From: Jerry at: 2010-08-18 19:44:38

I discovered in my /var/log/mail.log file that the aliases db hadn't yet been created.

I recommend that the reader be instructed to execute the # newaliases command before trying to # telnet localhost 25

 The aliases db wasn't there, in my case, because the system had just been installed and no other mail related foo had been done.

 cheers.

From: Jerry at: 2010-08-20 06:48:35

My experiments with the SMTPD showed that with the setup you recommend the relay wasn't "open", i.e. it at least required a valid user name and password. But what's the point of a password if it's sent in the clear?? You should strongly recommend that the smtpd_tls_auth_only keyword be set to "Yes" to require that the client use the TLS feature when sending the password.

Also, I found that setting MECHANISMS to shadow (for my tiny server) got me away from depending on /etc/courier/userdb.dat; I now use the system's shadow password file. That minimizes my management overhead. I'm supposed to be productive at the job I trained for, not spending all my time being a sysadmin. :-)

j

From: Edgar at: 2010-10-31 21:45:59

correct this error:

postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
instead of

postconf -e 'smtpd_tls CAfile = /etc/postfix/ssl/cacert.pem'

 

Awesome article

From: Edgar at: 2010-10-31 21:48:46

Never mind my last comment. It was the stupid HIGHLIGHT that was hiding the '_'.

From: at: 2009-05-07 18:22:13

To secure PHP you should edit

/etc/php5/apache2/php.ini

Edit this line:

disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore

From: Emil at: 2009-05-07 10:13:57

I have successfully installed ISPConfig 2, but how do I change the home directory for a user, for example /home/username/public_html/, in ISPConfig?

And I have recompiled Apache with suexec in /home.

Please advise.

Thanks

From: Sanjay K at: 2009-04-18 00:30:49

The tutorial is great.

I did have a few glitches along the way, much of which was due to php5-idn not being installed properly. Eventually I decided not to install it. (Don't know if that would cause other problems down the line). 

I also found aptitude to be marginally better than apt-get especially aptitude purge as a great help to uninstall the failing packages.

And I am absolutely delighted to see the ISPConfig screen. Thanks a lot Falko!

Regards

Sanjay

 

From: light-blue at: 2009-04-01 04:42:57

So that you don't spend 14 hours confused and frustrated like me, be sure that you are NOT submitting forms with lots of data (e.g. 100 form items--yes, I know they're huge by design) when using this setup. Suhosin won't allow that, and submits may FAIL SILENTLY.

After playing with the standard php.ini POST settings for WAY too long, /var/log/apache2/error.log was the clue that solved this problem...

ALERT - configured POST variable limit exceeded - dropped variable 'field_agreement[0][value]' (attacker '192.168.10.13', file '/var/www/drupal/index.php'), referer: https://server.mycompany.com/node/add/agreement

The solution is simple ...

#vi /etc/php5/conf.d/suhosin.ini

set these values:

suhosin.post.max_vars = 1000

suhosin.request.max_vars = 1000

From: Anonymous at: 2009-02-20 23:29:32

Is there some reason why you've chosen Courier and not Dovecot for the IMAP server?

From: Pat Foley at: 2009-03-04 22:01:00

Falko. Thanks for all the tutorials! When creating the server (www) behind a router, is it still necessary to use a real tld when ispconfig is going to be added?

From: Leslie at: 2009-06-11 20:11:29

Hi all!

I am a starter in perfect server configuration... even in server configuration... but with this wonderful manual I did the impossible... :-)

Thanks Falko !

But this is not the end:

ISP is running. I logged in, changed the login name from admin to another one and the password, started to study ISP, and then logged out...

Now I can't log in with my new user name and password, I get the error code: 1002 or 1004

 Please help

From: Anonymous at: 2009-10-03 05:00:43

How do I change the domain.tld from .com to .net!?!?!?! LoL... The setup was PERFECT. Just had to change the ISPConfig to reflect 5.0.3 but other than that, this server is running and working! I just need to change the domain TLD from .com to .net for obvious reasons... Thanks in advance for your assistance... I tried to change it in hosts and Apache wouldn't restart... I need to change ALL instances BTW, from start to finish... I'm pretty savvy, but this is above me ATM and I'm not finding everything I need via Google searches. Again, thank you in advance for your help. Mike

From: at: 2010-02-17 21:05:09

Falko,

 This How-To is on point; however, I do have a question.  How secure is this setup as it is described here?  By following all of these steps, we are opening a lot of ports on the server and I believe it opens us up to a lot of liability.  Anyone have any pointers or suggestions?  Am I being overly paranoid?  Any input would be appreciated. 

 KaBarsEdge

From: Bernard at: 2010-02-27 13:47:40

To enable usage of the FTP username of an admin user for a particular ISPConfig domain you have to disable the ProFTPD check for a valid shell (as /dev/null isn't one, and this one gets added to ISPConfig users with disabled shell access). You have to uncomment this in /etc/proftpd/proftpd.conf:

[...]
 RequireValidShell           off
[...]

From: metoo at: 2010-07-21 20:50:59

Thanks for the great howto.

I have chosen (server1) as my host name as described in the tuto.

But when I install ISPConfig 2 it tells me:

Please enter the host name: E.g. www

What should I write in this case? www or server1?

thanks