The Perfect Setup - Fedora Core 5 (64-bit) - Page 5

9 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Now we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'

We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. It should look like this:

vi /usr/lib64/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the key and certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

vi /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Now start Postfix, saslauthd, and dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
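
The same EHLO reply also shows which login mechanisms the server offers before TLS is negotiated: with smtpd_tls_auth_only = no and mech_list: plain login, PLAIN and LOGIN are advertised on the unencrypted connection, so a client that skips STARTTLS sends its password in the clear. The shell functions below are an added example, not part of the original tutorial; the function names, the sample replies and the hostname in them are constructed for illustration.

```sh
# Added example: inspect an EHLO reply captured BEFORE STARTTLS.
# Both sample replies and the hostname are constructed for illustration.

# Reply of the setup above (smtpd_tls_auth_only = no, mech_list: plain login).
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

# Same server with smtpd_tls_auth_only = yes: AUTH is withheld until TLS is up.
SAMPLE_EHLO_TLS_ONLY='250-server1.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'

# SASL mechanisms in the reply on stdin: one per line, upper-cased, de-duplicated.
# Reads "250-AUTH ..." and the "250-AUTH=..." line broken_sasl_auth_clients adds.
ehlo_auth_mechs() {
    tr -d '\r' | tr '[:lower:]' '[:upper:]' \
        | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' \
        | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Succeeds if the reply on stdin advertises STARTTLS.
ehlo_has_starttls() {
    tr -d '\r' | tr '[:lower:]' '[:upper:]' | grep -q '^250[- ]STARTTLS$'
}

# Prints one verdict for the reply on stdin:
#   no-auth                AUTH not offered on this unencrypted connection
#   auth-without-starttls  AUTH offered, but the session cannot be encrypted
#   plaintext-before-tls   PLAIN or LOGIN offered before TLS is negotiated
#   no-plaintext-mechs     only non-plaintext mechanisms offered before TLS
audit_ehlo() {
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | ehlo_auth_mechs)
    [ -n "$mechs" ] || { echo no-auth; return 0; }
    printf '%s\n' "$reply" | ehlo_has_starttls || { echo auth-without-starttls; return 0; }
    if printf '%s\n' "$mechs" | grep -qx -e PLAIN -e LOGIN; then
        echo plaintext-before-tls
    else
        echo no-plaintext-mechs
    fi
}

printf '%s\n' "$SAMPLE_EHLO" | audit_ehlo           # setup as configured above
printf '%s\n' "$SAMPLE_EHLO_TLS_ONLY" | audit_ehlo  # smtpd_tls_auth_only = yes
```

To check a real server, pipe the lines printed after ehlo localhost in the telnet session into audit_ehlo.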


9.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart


10 Apache2 With PHP5

Now we install Apache with PHP5:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

Now configure your system to start Apache at boot time:

chkconfig --levels 235 httpd on

Start Apache:

/etc/init.d/httpd start


10.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:

vi /etc/httpd/conf.d/php.conf

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

LoadModule php5_module modules/libphp5.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

Afterwards we restart Apache:

/etc/init.d/httpd restart

Comments

From: Anonymous at: 2006-04-12 04:22:51

Good and easy to understand. But I have one question: how do you take screen shots of the install process?

From: Anonymous at: 2006-04-14 14:43:18

I normally use VMware to capture that process

From: Anonymous at: 2006-04-24 17:17:23

During any install, just hit the print screen key. The screen capture will be saved in /root. You can access it later from there.

From: Anonymous at: 2006-04-26 08:36:48

I've been following most of your perfect guides. Thanks for your effort of putting these up for newbies like me to follow.

I'd like to know when you'll put up Fedora Core 5 (not 64bit ver) for us as my box doesn't support the already guide on this site.

Thanks

From: Anonymous at: 2006-05-03 11:15:49

The only difference is on page 5 of the guide where it says this..

vi /usr/lib64/sasl2/smtpd.conf

just substitute it with

vi /usr/lib/sasl2/smtpd.conf

and that's it :)

From: Anonymous at: 2006-07-26 20:44:50

It is perfect.  There are no typos and the grammar is perfect.

A real joy after struggling with trying to get proftpd and vhcs set up.

Now I actually have a completely working server with postfix, ftp, etc.

The only thing that would have made this perfect is if you had continued with the installation of ISPConfig.  I am a little nervous now because I have to follow ISPConfig's documentation, which I know won't be as good as yours.  Good job!!

From: admin at: 2006-07-27 06:37:21

The ISPConfig documentation was also written by Falko and Till, so there's nothing to worry about.

Just follow the instructions here: http://www.ispconfig.org/manual_installation.htm 

From: Anonymous at: 2006-04-18 15:56:10

The given reboot command is incorrect on Fedora core 5. Just use the command "reboot" and it works correctly.

From: Anonymous at: 2006-04-18 19:45:12

Actually "shutdown -r now" works just fine on FC5. it's worked on every redhat version I have used since 2.2 as well as Solaris and SysVR4 -nic

From: Anonymous at: 2006-05-04 17:27:58

try /sbin/shutdown -r 0

From: tommytomato at: 2006-10-03 02:55:42

try

shutdown -h now

Has worked on every Linux OS I have installed, I suppose there are a few different ways of doing it.

From: at: 2007-08-12 14:15:11

shutdown -h now halts the system after the shutdown, shutdown -r now reboots the system, and those two commands always work for me on every Fedora OS I have installed.

Regards ProServ-UK

From: Anonymous at: 2006-04-18 21:18:04

It's not wrong, it's just a different way of running the same command. On some systems (not sure about Fedora) the 'reboot' command is just an alias to 'shutdown -r now'.

From: Anonymous at: 2006-06-17 13:07:16

Thank you very much for this post!!! I was trying for days to install Fedora 5 without results. The standard installed firewall and SELinux were the two things I hung on. Thanks again !!!

b.t.w. I always use: /sbin/reboot

From: Anonymous at: 2006-05-26 07:18:49

mysqladmin -h server1.example.com -u root -p password yourrootsqlpassword

Newbie (me) struggled with that one for a short while.

From: Anonymous at: 2006-08-07 10:25:21

Thanks for the heads up bro!

From: KJ at: 2008-12-02 01:36:43

Thanks to everyone who participated in writing up all these tutorials. Truly a lifesaver.

From: Anonymous at: 2006-05-28 01:32:18

If (64-bit) use

vi /usr/lib64/sasl2/smtpd.conf

If (32-bit) use

vi /usr/lib/sasl2/smtpd.conf

From: Anonymous at: 2006-08-16 16:33:20

I noticed that too.... but overall for beginner's use this is a great setup walkthrough... it goes step by step... with commands and all... and if you don't plan to install ISPConfig... it helps you to choose the correct options for you.

From: Sanjay at: 2009-06-08 12:16:29

10 Apache2 With PHP5

Now we install Apache with PHP5:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Thank you thank you Sooooooooooooooooo much for this awesome piece of information !!!

:)

From: shafi at: 2009-11-20 12:00:49

Great man.. I didn't know that kinda module exists. I was searching blank. Thank youuuuuuuuuuuuuuuuuuuuuuuuuuu!

From: Anonymous at: 2006-04-16 23:27:50

Thankfully I read your fedora core 4 walkthrough and actually attempted it but wanted to use fc 5 instead. You didn't mention here though that this os needs the /etc/pam.d/ftp file created just like in fc 4 so for those users that would like their clients to have ftp access do the following. Excellent walkthrough by the way, this software is very impressive!!!

Some users reported that they were not able to login with system users so you might have to do the following steps:

Create the file /etc/pam.d/ftp with the following content:

#%PAM-1.0
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so

Restart proftpd afterwards:

/etc/init.d/proftpd restart

From: Anonymous at: 2006-04-18 19:48:23

(this is my third try.. If it doesn't work, then someone needs to post a how-to on posting comments here since this interface is buggy.)

The proftpd RPM should include /etc/pam.d/proftpd which, following the fedora/redhat methodology, would use system-auth. If you don't have it, hunt around for it (I would post it here, but it seems to not like the posting of the pam.d/proftpd code).

In regards to the how-to, there are a couple of things that don't seem to click correctly:

1. Installing bind-chroot (step 7) will automatically set up the chroot'ed environment. There is no need to make the symbolic links by hand.

2. Why install additional software, as in Step 5, when you can just do it during the install process (that's what I did)?

3. Why the preference towards webalizer? It hasn't been updated in *ages* (2001, I believe) and there are other (better) applications out there now (ie: awstats).

4. In step 9.1, it is stated that "dovecot uses Maildir format (not mbox)", but that is incorrect. The beauty of dovecot is that it supports both Maildir and mbox formats equally. (we use dovecot here with mbox)

I have to agree with you completely regarding SELinux. :) And, with all of that aside, this how-to is an excellent article! Nice work!

From: tommytomato at: 2006-10-03 02:58:59

Is this for 64-bit FC5 only? Or can it be installed on a 32-bit system?

TT

From: Anonymous at: 2006-06-25 16:01:42

Dude!

Thanks so much for the "disabling SELinux" tip. I was killing myself trying to get viewvc or trac set up as CGIs behind httpd. I disabled SELinux, and suddenly, everything worked as advertised!

Howtos like this help clarify the process for everyone. Choice is good, and a proven baseline is even better.

-Ted Husted.

From: Anonymous at: 2006-06-26 14:40:56

Hello, After frustrating with other "all-in-one" guides, I had just about given up but my drive to get it done directed me to this little gem and now I have my complete FC5 system just the way I wanted on a VMWare machine. This basically allowed me to have a carbon copy of my production server. If I could have found this a few days ago I would have been done so much sooner, but I am still very pleased with the end result. Sincerely, Very happy reader/developer Matt