The Perfect Server - Fedora 10 - Page 4

10 MySQL (5.0)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show something like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      2407/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]
#skip-networking
[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

If the last command throws an error at you...

[root@server1 named]# mysqladmin -h server1.example.com -u root password yourrootsqlpassword
mysqladmin: connect to server at 'server1.example.com' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
[root@server1 named]#

... we can set the password as follows. Connect to MySQL:

mysql -u root -p

Type in the password for the MySQL root user. Then, on the MySQL shell, do this:

mysql> USE mysql;

mysql> UPDATE user SET Password = password('yourrootsqlpassword') WHERE Host = 'server1.example.com' AND User = 'root';

mysql> UPDATE user SET Password = password('yourrootsqlpassword') WHERE Host = '127.0.0.1' AND User = 'root';

Run

mysql> SELECT * FROM user;

to make sure that all rows where the user is root have a password.

If everything is looking ok, run

mysql> FLUSH PRIVILEGES;

... and leave the MySQL shell:

mysql> quit;
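
A narrower form of the SELECT check above, as an added example that is not part of the original tutorial: it lists only the accounts whose password is still empty, and goes beyond the root rows to cover every account, including anonymous ones (empty User). It assumes the MySQL 5.0 Password column used on this page; the function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: list MySQL accounts that still have an empty password.
# Input: tab-separated rows "User<TAB>Host<TAB>Password", as produced by
#   mysql -u root -p -N -B -e 'SELECT User, Host, Password FROM mysql.user'
# (MySQL 5.0 schema, where the hash is stored in the Password column).

# Print "user@host" for every row whose Password field is empty.
# An empty User field is an anonymous account and is printed as ''@host.
empty_password_accounts() {
    awk -F '\t' '
        NF >= 2 && $3 == "" {
            user = ($1 == "") ? "\047\047" : $1
            print user "@" $2
        }'
}

# Constructed sample rows (not from a real server): one root row that has
# a hash (placeholder value), two root rows without one, one anonymous row.
sample_rows() {
    printf 'root\tlocalhost\t*0000000000000000000000000000000000000000\n'
    printf 'root\tserver1.example.com\t\n'
    printf 'root\t127.0.0.1\t\n'
    printf '\tlocalhost\t\n'
}

# Demo on the constructed rows; an empty result is the goal on a real server.
sample_rows | empty_password_accounts
```

Every account the function prints still needs a password set (or needs to be dropped) before FLUSH PRIVILEGES.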

 

11 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Now we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 64-bit systems, this file is /usr/lib64/sasl2/smtpd.conf). It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples

readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system's shell.
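
The same EHLO check done by a script instead of by eye, as an added example that is not part of the original tutorial: it also reports whether PLAIN/LOGIN are offered before STARTTLS, which is what the reply above shows with smtpd_tls_auth_only = no. The function names are constructed for illustration, and the second reply is a constructed comparison.

```sh
#!/bin/sh
# Added example: classify an EHLO reply captured before STARTTLS was issued.

# SASL mechanisms advertised in the reply on stdin, one per line, de-duplicated
# (covers both "250-AUTH ..." and the legacy "250-AUTH=..." line).
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Result for a cleartext session:
#   no-starttls     TLS is not offered at all
#   plaintext-auth  STARTTLS is offered, but PLAIN/LOGIN are offered without it
#   auth-after-tls  STARTTLS is offered and no password mechanism precedes it
classify_ehlo() {
    reply=$(tr -d '\r')
    if ! printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS$'; then
        echo no-starttls
    elif printf '%s\n' "$reply" | ehlo_auth_mechs | grep -Eq '^(PLAIN|LOGIN)$'; then
        echo plaintext-auth
    else
        echo auth-after-tls
    fi
}

# EHLO reply from the telnet session on this page (smtpd_tls_auth_only = no).
page_reply() {
    cat <<'EOF'
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

# Constructed comparison: the reply expected with smtpd_tls_auth_only = yes,
# where Postfix announces AUTH only after the session is encrypted.
tls_only_reply() { page_reply | grep -v '^250[- ]AUTH'; }

page_reply | classify_ehlo
tls_only_reply | classify_ehlo
```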

 

11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart


Comments

From: at: 2009-06-05 05:42:04

I admire your work, but I would not use a HOWTO that recommends making the operating system far less secure by disabling SELinux.

From: at: 2009-07-24 16:26:27

I do not agree, just because you do not know how to use it does not make it crap. SELinux is quite useful and has been known to secure servers that would otherwise have been compromised due to software vulnerabilities.



From: at: 2009-07-24 01:45:49

SELinux is a terrible feature that has absolutely no place in a dedicated server. In my opinion it was meant for the increased number of home users using Linux nowadays, but I spent 4 days trying to figure out why a forum on my new Fedora 9 server couldn't upload images, even though I had properly chown'd the upload directory and everything. After I found out it was SELinux, I promptly disabled it.

Servers running UNIX were fine for decades with an absence of SELinux. As long as you know how to do crap right, you don't need it.

From: Anonymous at: 2009-05-08 22:44:16

I think you forgot flex

From: Anonymous at: 2009-05-06 11:30:25

After following the procedure... After quitting the configuration with firewall, network, and others (blue screen with lists of configuration) and then rebooting, it came up with a black screen with a logon, where I hadn't input any of my username yet??

From: Anonymous at: 2009-03-23 18:11:03

Hi,


I just finished all the steps from the 'fedora the perfect server' guide (except ispconfig), and I got the message '[warn] NameVirtualHost *:80 has no VirtualHosts'.

I cannot start Apache through the service HTTP restart or stop/start, and I don't really know what I should do.

Any advice? Thanks

From: Terry Jennings at: 2008-12-03 15:47:28

Warning: Most servers would likely be using SCSI disks or RAID arrays.  Fedora 10 currently has bugs that make these configurations either difficult or impossible to use.  See these two threads:


From: Anonymous at: 2008-12-04 03:21:04

Wrong path to mysql daemon start stop script! Should be /etc/rc.d/init.d/mysqld instead of /etc/init.d/mysqld/ which is where you will find this on Debian based systems.

From: Anonymous at: 2008-12-06 23:54:00

Disabling iptables and SELinux is downright stupid and negligent. The rest of the guide is mostly nonsense.

From: admin at: 2008-12-07 00:43:44

/etc/init.d is a symlink to /etc/rc.d/init.d so both are working.

From: admin at: 2008-12-07 00:44:50

Can you give me some reasons, or are you just having a bad day?

From: at: 2009-01-06 11:36:26

Hi,

How can I run or use the run command? I am in the Fedora desktop?

From: at: 2009-01-12 18:50:07

########## MAIL SERVER ##########


Checking for MTA...
./setup2: line 439: which: ??????? ?? ???????
./setup2: line 439: which: ??????? ?? ???????
ERROR: Your system configuration is not compatible with ISPConfig! The installation routine stops here!


 


=(

From: at: 2009-01-13 12:48:21

Hello! I've successfully installed Fedora 10 server, ISPConfig2 and some extensions: php-ffmpeg, memcached, locale. It's working in the terminal but not on the Web. The CMS cannot find the ffmpeg dir, memcached cannot be configured (not available). The same problem occurs in Ubuntu 8.10 too. What should I do?

From: at: 2009-02-10 14:24:06

I have done the perfect setup for Core 10 a couple of times lately over a basic install of Fedora Core 8 upgraded to 9 and then to 10 with yum. 


In both cases, mod_ssl was not installed along the way.  Simple fix: 


yum install mod_ssl


Anyway, was wondering at first why no https...  and that was the problem.


 

From: papalozarou at: 2009-03-07 21:01:01

You need to install which - yum install which. After that everything should run okay, but you need to delete the install_ispconfig folder (rm -Rf install_ispconfig) first and untar it again.
From: DTR at: 2009-06-21 12:47:17

If you want ssl to work you must have mod_ssl


yum install mod_ssl

From: Léonce at: 2009-11-01 06:59:59

Hi!


I have the same problem. I've finished the install steps and decided to reboot my computer.

And I was really surprised that I can't log in. Nothing. I've tried to enter command mode (Ctrl+Alt+F2) successfully.

But I'd rather know how to log in with the GUI, because I want to configure ISPConfig.

So I hope that you finally found a solution.

I'll be pleased if you can help.