The Perfect Setup - CentOS 4.4 (32-bit) - Page 5

10 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On 64-bit CentOS 4.4 you must edit /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

vi /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

mail_owner = postfix

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost

unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.1.5/samples
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

By default, CentOS' dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure dovecot to do so. We edit /etc/dovecot.conf and put the line protocols = imap imaps pop3 pop3s into it:

vi /etc/dovecot.conf

[...]
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving:
#  imap imaps pop3 pop3s
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
[...]

Now start Postfix, saslauthd, and dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type:

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
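Reading the EHLO reply by eye works for one server; the following shell script is an added example (not part of the original HowtoForge page and not Postfix's own tooling) that does the same check from a captured transcript and additionally audits postconf -n output for the settings made in this chapter. Both the EHLO transcript and the postconf excerpt below are constructed samples; the function names ehlo_offers, postconf_value and audit_auth_tls are my own. The audit also warns when smtpd_tls_auth_only is not "yes": the value "no" used above lets a client send its PLAIN or LOGIN password before STARTTLS has been negotiated.

```shell
#!/bin/sh
# Added example: verify SMTP-AUTH and TLS from captured output instead of an
# interactive telnet session. On a real server you would feed the functions
# the output of  printf 'ehlo localhost\r\nquit\r\n' | nc localhost 25
# and of  postconf -n ; the two samples below are constructed.

# Constructed EHLO reply showing what the tutorial expects to see.
SAMPLE_EHLO='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
221 Bye'

# Constructed postconf -n excerpt matching the main.cf shown in this chapter.
SAMPLE_POSTCONF='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = no
mynetworks = 127.0.0.0/8'

# ehlo_offers KEYWORD: succeed if the EHLO reply on stdin advertises KEYWORD,
# either as a "250-KEYWORD" continuation line or as the final "250 KEYWORD".
ehlo_offers() {
    grep -q -E "^250[- ]$1( |$)"
}

# postconf_value NAME: print the value of parameter NAME from postconf -n
# output on stdin (prints nothing if the parameter is not set explicitly).
postconf_value() {
    sed -n "s/^$1 *= *//p"
}

# audit_auth_tls: read postconf -n output from stdin and print one line per
# finding. Returns 0 only when SASL auth is on, TLS is on, the relay
# restriction is present and AUTH is confined to TLS sessions; 1 otherwise.
audit_auth_tls() {
    conf=$(cat)
    rc=0
    [ "$(printf '%s\n' "$conf" | postconf_value smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "FAIL smtpd_sasl_auth_enable is not yes"; rc=1; }
    [ "$(printf '%s\n' "$conf" | postconf_value smtpd_use_tls)" = "yes" ] \
        || { echo "FAIL smtpd_use_tls is not yes"; rc=1; }
    printf '%s\n' "$conf" | postconf_value smtpd_recipient_restrictions \
        | grep -q reject_unauth_destination \
        || { echo "FAIL reject_unauth_destination missing: open relay risk"; rc=1; }
    # The tutorial sets this to "no", which lets clients send PLAIN/LOGIN
    # passwords over an unencrypted session; "yes" confines AUTH to TLS.
    [ "$(printf '%s\n' "$conf" | postconf_value smtpd_tls_auth_only)" = "yes" ] \
        || { echo "WARN smtpd_tls_auth_only is not yes: cleartext passwords possible"; rc=1; }
    return $rc
}

# Run the checks against the constructed samples.
printf '%s\n' "$SAMPLE_EHLO" | ehlo_offers STARTTLS && echo "STARTTLS offered"
printf '%s\n' "$SAMPLE_EHLO" | ehlo_offers AUTH && echo "AUTH offered"
printf '%s\n' "$SAMPLE_POSTCONF" | audit_auth_tls || echo "audit found issues"
```

With the sample configuration the two capability checks pass and the audit reports the smtpd_tls_auth_only warning; changing that parameter to "yes" makes the audit return 0.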


10.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart


11 Apache2 With PHP

Now we install Apache with PHP (this is PHP 4.3.9; CentOS does not provide PHP5 packages):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

Now configure your system to start Apache at boot time:

chkconfig --levels 235 httpd on

Start Apache:

/etc/init.d/httpd start


11.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddType line:

vi /etc/httpd/conf.d/php.conf

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule php4_module modules/libphp4.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

Afterwards we restart Apache:

/etc/init.d/httpd restart
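Because ISPConfig's per-site PHP control depends on no global handler being active, it is worth checking the result rather than trusting the edit. The following shell script is an added example, not part of the original page or of the ISPConfig project: it scans Apache configuration text for an uncommented AddType directive mapping a PHP handler and reports whether PHP is still enabled globally. The two configuration texts are constructed samples (the php.conf before and after the edit above); the function names active_directives and php_global_state are my own.

```shell
#!/bin/sh
# Added example: report whether PHP is still enabled globally in Apache.
# On a real server feed it the live configuration, for example:
#   cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | php_global_state
# The two samples below are constructed.

# Constructed: php.conf as shipped (PHP handled for every website).
PHPCONF_BEFORE='LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php'

# Constructed: php.conf after commenting out the AddType lines as above.
PHPCONF_AFTER='LoadModule php4_module modules/libphp4.so
#AddType application/x-httpd-php .php
# AddType application/x-httpd-php-source .phps
DirectoryIndex index.php'

# active_directives NAME: print the uncommented NAME directives from the
# configuration text on stdin. Leading whitespace is allowed; a line whose
# first non-blank character is "#" is a comment and never matches.
active_directives() {
    grep -i -E "^[[:space:]]*$1[[:space:]]"
}

# php_global_state: print "enabled" (and return 1) if any active AddType
# maps a PHP handler, including the .phps source handler; otherwise print
# "disabled" and return 0 so the function can be used as a check.
php_global_state() {
    if active_directives AddType | grep -q -i 'application/x-httpd-php'; then
        echo enabled
        return 1
    fi
    echo disabled
    return 0
}

printf '%s\n' "$PHPCONF_BEFORE" | php_global_state   # enabled
printf '%s\n' "$PHPCONF_AFTER"  | php_global_state   # disabled
```

Restart Apache only after the check prints "disabled"; if a site later needs PHP, ISPConfig adds the handler inside that site's own virtual host rather than globally.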


Comments

From: hoihtah at: 2006-10-11 23:53:44

Thank you guys for putting up this well written guide.

Just one question, how do I do this setup with mysql version 5 instead of 4?

From: orentocy at: 2006-10-12 16:09:59

Enable CentOS plus yum repository in your /etc/yum.repos.d/CentOS-Base.repo, then you will be able to upgrade both your mysql and php to version 5.

From: at: 2006-11-04 07:57:58

Hi, I enabled the centosplus section using enabled=1. Now my system is updated with php 5 and mysql 5 with the command

yum update -y 

Enabling the centosplus section: 

vi /etc/yum.repos.d/CentOS-Base.repo
[centosplus]
gpgcheck=1
enabled=1

From: at: 2006-11-07 20:14:43

There is one more thing you need to do: update the php.conf file

cp /etc/httpd/conf.d/php.conf.rpmnew /etc/httpd/conf.d/php.conf

Otherwise, httpd will error out when trying to start.  Or at least it does on mine.  :) 

From: at: 2007-02-13 23:14:51

Hi all,

I found some bugs if the yum CentOS Plus is enabled before starting the ISPconfig OS preparation.

If it happens to you, go back to mysql4 and php4, make your ISPconfig prep THEN enable the CentOS plus repo to install Mysql5 and php5.

Now you are ready for ISPconfig install.

Thanks for this perfect howto. Saves a lot of hours. 

From: jperrin at: 2006-10-13 00:28:30

Very good tutorial, and very detailed, however one part concerns me. Your rebuild of zlib at the end does not address removing the currently installed zlib, or address the problem of future rpms which may rely on zlib failing because of the one built from source (rpms are rather ignorant about source built software). I would also posit that you cannot rely on the version of zlib to identify that it's vulnerable. Security fixes are backported in centos (and its parent distro, RHEL), so version numbers may be inaccurate. The changelog for the zlib rpm lists several CAN- advisory fixes, so I wonder if the bug you claim is one of these. If it is not, has this been reported to the centos folks, or to the upstream RedHat bugzilla?

If this bug is not fixed in the RPM as one of the listed CAN changes in the changelog and the rpm does indeed contain vulnerable code, I'd like to see it fixed in the distro, rather than being bolted onto a(n excellent) tutorial.

From: till at: 2006-10-13 14:29:25

I don't think that there is really a bug in the zlib that ships with CentOS, the problem is that the version number doesn't get updated when the fixes were applied.

For example if you want to compile ClamAV, which is necessary for ISPConfig, ClamAV complains about a bug in zlib and stops compiling. So either the ClamAV team has to add a better zlib detection routine or the CentOS team has to set a higher version number in the zlib library when they apply fixes.

From: jperrin at: 2006-10-13 15:02:42

This is addressed a bit more thoroughly in the post by Johnny Hughes, who is one of the CentOS Project leads, http://www.howtoforge.com/perfect_setup_centos_4.4_p6#comment-3055 What it comes down to is an upstream versioning decision by redhat, which centos inherits as a clone/rebuild product. I would consider this to be a flaw in ClamAV/ISPConfig packaging, and that it should not be advertised as a CentOS vulnerability unless such a problem actually exists.

From: at: 2007-04-18 02:25:10

First, thanks for an excellent tutorial!

I had serious problems with ntp running the Perfect setup on a Windows host using VMWare GSX server. My clock was constantly running behind and I would use rdate to set the clock but very soon the clock was running behind again.

Googling, I found a workaround that worked out well (if running SMP on a single-core processor):

1. Edit /etc/grub.conf
Add 'noapic nosmp nolapic clock=pit acpi=no' so your grub.conf looks like this:

title CentOS (2.6.9-42.0.10.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=/dev/VolGroup00/LogVol00 noapic nosmp nolapic clock=pit acpi=no
        initrd /initrd-2.6.9-42.0.10.ELsmp.img


2. Edit /etc/ntp.conf
Add 'burst iburst' after your server:

# --- OUR TIMESERVERS -----
server 0.pool.ntp.org burst iburst
server 1.pool.ntp.org burst iburst
server 2.pool.ntp.org burst iburst

This solved all my problems with a slow clock and my time is now on the spot 24/7.

My Windows system:
P4 3 GHz
3.5 GB RAM
VMWare GSX server

From: hughesjr at: 2006-10-13 12:16:39

This is an excellent article ... the only thing I am not sure about is the zlib comment.

The upstream provider uses a process called Backporting

Backporting takes security issues and rolls them into older packages to prevent breaking ABIs that people have based custom programming on.

I have looked at the zlib that you mention at the end of the article and it fixes these security issues:

CAN-2004-0797

CAN-2005-2096

(see the zlib website for more details)

Both of these security issues are fixed in the zlib that is included in CentOS via backporting and I do not recommend that people compile their own zlib unless someone can point out a different issue that is fixed in zlib-1.2.3.

I would even say that installing your own zlib is BAD, as it will put different libraries than the ones used to build the other CentOS executables ... which can cause issues with how these applications function.  We are talking about very system critical applications like openssh, openssl, etc.

Thanks,

Johnny Hughes, CentOS-4 Lead Developer. 

From: at: 2006-11-02 11:07:15

The ISPConfig setup routine includes compiling ClamAV which is the culprit. It checks for a specific zlib version. This check can be skipped by modifying

install_ispconfig/compile_aps/compile

and adding

--disable-zlib-vcheck

to the ClamAV configure script. 

From: Anonymous at: 2009-02-16 07:44:14

yum -y remove ftp vsftpd webmin usermin xinetd php* httpd* proftpd mysql* bind* post*;yum update -y;cd /etc/yum.repos.d/;wget http://centos.karan.org/kbsingh-CentOS-Extras.repo;rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt;yum -y install proftpd;chkconfig --levels 235 proftpd on;/etc/init.d/proftpd start;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/device-mapper-1.02.21-1.el4.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hotplug-2004_04_01-7.8.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/lvm2-2.02.27-2.el4.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hwdata-0.146.33.EL-1.noarch.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/usbutils-0.11-7.RHEL4.1.i386.rpm;rpm -Uvh *.rpm;rm -r -f *.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/udev-039-10.19.el4.i386.rpm;rpm -ivh udev*rpm --justdb;yum -y install up2date nano;wget http://download.lxlabs.com/download/lxadmin/production/lxadmin-install-master.sh;yum update -y;nano /etc/pam.d/ftp;

From: Matthew at: 2011-09-25 16:22:06

yum install webalizer

Once you run that... then what? How do you configure it?