The Perfect Server - OpenSUSE 11.3 x86_64 [ISPConfig 2] - Page 4


In order to install MySQL, we run

yast2 -i mysql mysql-community-server mysql-client perl-DBD-mysql perl-DBI perl-Data-ShowTable libmysqlclient-devel libmysqlclient16 libmysqlclient16-32bit libmysqlclient_r16-32bit

Then we add the system startup links for MySQL and start it:

chkconfig --add mysql
/etc/init.d/mysql start

Now check that networking is enabled. Run

netstat -tap | grep mysql

In the output you should see something like this:

server1:~ # netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      5336/mysqld
server1:~ #

If you don't see a line like this, edit /etc/my.cnf, comment out the option skip-networking:

vi /etc/my.cnf


and restart your MySQL server:

/etc/init.d/mysql restart

To secure the MySQL installation, run:


Now you will be asked several questions:

server1:~ # mysql_secure_installation


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
 <-- ENTER
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n]
 <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 <-- ENTER
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 <-- ENTER
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

server1:~ #

Now your MySQL setup should be secured.

Now we need to do this...

mkdir -p /usr/local/lib/mysql
ln -s /usr/include/mysql /usr/local/lib/mysql/include
ln -s /usr/lib64/mysql /usr/local/lib/mysql/lib
cd /usr/local/lib/mysql/lib
ln -s /usr/lib64/
ln -s /usr/lib64/
ln -s /usr/lib64/
ln -s /usr/lib64/
ln -s /usr/lib64/
ln -s /usr/lib64/

... because otherwise we'd get the following error during the ISPConfig installation:

configure: error: Cannot find libmysqlclient under /usr/local/lib/mysql.


9 Postfix With SMTP-AUTH And TLS

Now let's install Postfix and Cyrus-SASL:

yast2 -i postfix cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd procmail

Then we add the system startup links for Postfix and saslauthd and start them:

chkconfig --add postfix
/etc/init.d/postfix start

chkconfig --add saslauthd
/etc/init.d/saslauthd start

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for SMTP-AUTH and TLS:

postconf -e 'mydomain ='
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mynetworks ='
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

(Make sure you use the right hostname/domain in mydomain and myhostname!)

To enable TLS connections in Postfix, edit /etc/postfix/ and uncomment the tlsmgr line so that it looks like this one:

vi /etc/postfix/

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Now restart Postfix:

/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




then everything is fine.

On my system the output looks like this:

server1:/etc/postfix/ssl # telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 ESMTP Postfix
ehlo localhost
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.
server1:/etc/postfix/ssl #



to return to the system's shell.


10 Courier-IMAP/Courier-POP3

I want to use a POP3/IMAP daemon that has Maildir support. That's why I use Courier-IMAP and Courier-POP3.

yast2 -i courier-imap fam-server courier-authlib expect tcl

Afterwards we add the system startup links and start POP3, IMAP, POP3s and IMAPs:

chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this (but it does not hurt ;-)) if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

Share this page:

1 Comment(s)

Add comment


From: Darren Fletcher at: 2011-02-21 17:16:17

great guide btw,


problem is the libmysqlclient16-32bit and libmysqlclient_16-32bit are no longer valid packages to fix this is just removed the 32bit section to make libmysqlclient16 and libmysqlclient_16