The Perfect Setup - SuSE 10.1 (32-bit) - Page 5

6 MySQL

In order to install MySQL, we run

yast -i mysql mysql-client mysql-shared perl-DBD-mysql perl-DBI perl-Data-ShowTable mysql-devel

Then we add the system startup links for MySQL and start it:

chkconfig --add mysql
/etc/init.d/mysql start

Now check that networking is enabled. Run

netstat -tap

In the output you should see a line like this one:

tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld

If you don't see a line like this, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

#skip-networking

and restart your MySQL server:

/etc/init.d/mysql restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).
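
With networking enabled as above, mysqld listens on every interface (*:mysql), which is why the root password matters. The following is an added example, not part of the original howto: it classifies the listener scope from netstat -tap output. The function names and the sshd sample line are constructed; the mysqld line is the one quoted above.

```sh
#!/bin/sh
# Added example: classify where mysqld is listening, from `netstat -tap` text.
# Function names are assumptions of this example.

mysql_listen_scope() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/mysqld$/ {
            addr = $4
            sub(/:[^:]*$/, "", addr)            # drop ":3306" or ":mysql"
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                scope = "all-interfaces"
            else if (addr == "localhost" || addr == "::1" || addr == "[::1]" || addr ~ /^127\./) {
                if (scope == "") scope = "loopback-only"
            } else if (scope != "all-interfaces")
                scope = "specific-address:" addr
        }
        END { print (scope == "" ? "no-tcp-listener" : scope) }'
}

# Constructed sample: the mysqld line from the text plus an unrelated listener.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 *:ssh                   *:*                     LISTEN      2210/sshd
tcp        0      0 *:mysql                 *:*                     LISTEN      6621/mysqld
EOF
}

sample_netstat | mysql_listen_scope      # prints: all-interfaces
# On a live system (as root, so the PID/program column is filled in):
#   netstat -tap | mysql_listen_scope
```

If remote access is not needed, setting bind-address = 127.0.0.1 in /etc/my.cnf keeps networking on while limiting it to loopback.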


7 Postfix With SMTP-AUTH And TLS

Postfix is already installed, but we must install Cyrus-SASL now:

yast -i cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd

Then we add the system startup links for saslauthd and start it:

chkconfig --add saslauthd
/etc/init.d/saslauthd start

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
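
The commands above use a 1024-bit modulus and leave smtpd.key unencrypted on disk, written by openssl rsa after the earlier chmod 600, so key size, file mode and certificate/key agreement are worth checking. The following is an added example, not part of the original howto; the function names and the 2048-bit minimum are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the certificate/key pair produced by the steps above.
# Function names and the 2048-bit minimum are assumptions of this example.

rsa_key_bits() {        # print the modulus size of an unencrypted RSA key
    # -passin pass: keeps openssl from prompting if the key is still encrypted
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

cert_matches_key() {    # succeed if certificate $1 and key $2 share a modulus
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) &&
    k=$(openssl rsa -in "$2" -passin pass: -noout -modulus 2>/dev/null) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

audit_tls_pair() {      # $1 = certificate, $2 = key, $3 = minimum key bits
    bits=$(rsa_key_bits "$2")
    [ -n "$bits" ] || { echo "unreadable-key"; return 1; }
    [ "$bits" -ge "$3" ] || { echo "weak-key:$bits"; return 1; }
    cert_matches_key "$1" "$2" || { echo "cert-key-mismatch"; return 1; }
    # The key is stored unencrypted, so the file mode is its only protection.
    if [ -n "$(find "$2" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "key-readable-by-others"; return 1
    fi
    echo "ok:$bits"
}

# Usage: sh audit_tls_pair.sh /etc/postfix/ssl/smtpd.crt /etc/postfix/ssl/smtpd.key
if [ $# -eq 2 ]; then
    audit_tls_pair "$1" "$2" 2048
fi
```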

Next we configure Postfix for SMTP-AUTH and TLS:

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

To enable TLS connections in Postfix, edit /etc/postfix/master.cf and uncomment the tlsmgr line so that it looks like this one:

vi /etc/postfix/master.cf

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Now restart Postfix:

/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

then everything is fine.

Type

quit

to return to the system's shell.
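
Because the configuration above sets smtpd_tls_auth_only = no, AUTH is advertised on the unencrypted session as well, so a client can send PLAIN or LOGIN credentials without TLS. The following is an added example, not part of the original howto, that scripts the EHLO check and reports this; the function names and the sample EHLO reply are constructed.

```sh
#!/bin/sh
# Added example: summarise an EHLO reply captured on an unencrypted session.
# Function names are assumptions of this example.

audit_ehlo() {
    awk '
        { sub(/\r$/, "") }                      # captured replies end in CRLF
        /^250[- ]STARTTLS$/ { starttls = "yes" }
        /^250[- ]AUTH[ =]/ {                    # "AUTH=" comes from broken_sasl_auth_clients
            auth = "yes"
            mechs = $0
            sub(/^250[- ]AUTH[ =]/, "", mechs)
            n = split(mechs, m, " ")
            for (i = 1; i <= n; i++)
                if ((m[i] == "PLAIN" || m[i] == "LOGIN") && !(m[i] in seen)) {
                    seen[m[i]] = 1
                    clear = clear (clear == "" ? "" : ",") m[i]
                }
        }
        END {
            printf "starttls=%s auth=%s cleartext_mechs=%s\n",
                (starttls == "" ? "no" : starttls),
                (auth == "" ? "no" : auth),
                (clear == "" ? "none" : clear)
        }'
}

# Constructed sample of what the server configured above would answer.
sample_ehlo() {
    cat <<'EOF'
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
EOF
}

sample_ehlo | audit_ehlo
# prints: starttls=yes auth=yes cleartext_mechs=LOGIN,PLAIN
```

With smtpd_tls_auth_only = yes, Postfix stops announcing AUTH until STARTTLS has completed, so auth=no on a plain telnet session is then the expected result.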


8 Courier-IMAP/Courier-POP3

I want to use a POP3/IMAP daemon that has Maildir support. That's why I use Courier-IMAP and Courier-POP3.

yast -i courier-imap fam-server courier-authlib expect tcl

Afterwards we add the system startup links and start POP3, IMAP, POP3s and IMAPs:

chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system, as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

Comments

From: Anonymous at: 2006-05-24 17:53:41

is the same installation for the version ppc??

From: grommley at: 2006-10-18 23:58:34

This step by step instruction is so easy that even I could make it work.  I have tried other how-tos in the past relating to Linux and have found that many of them assume that I know what I am doing at a command line interface.  While I have a lot of computer background, all of my experience is with Microsoft software.  This How-to is very well written, and I was able to set up and even use my server with no problems at all.  This is the first time I have ever had that happen in Linux. Once again, thank you for these well written instructions.

From: powderskier at: 2006-10-20 02:33:51

Hi Falko,

First off, you've done an awesome job on the tutorial. You should really consider doing this professionally for Novell/Red Hat since their documentation is fairly atrocious when it comes to missing steps.

I want to ask how secure this setup is? Are people using this exact setup for production web servers? Is this meant only for testing environments? Could this be used for a company as an internal corporate web/intranet server provided it's secure?

What else would you consider to be necessary for this server?

Thanks for your time in helping others,

powderskier
     

From: at: 2007-02-07 01:37:54

A tip: the compile of the embedded PHP fails because it doesn't find the openssl libraries. In Opensuse x86_64, they reside in /usr/lib64, so the easy way to solve the problem is to create symlinks for the openssl libraries in /usr/lib. For example:

ln -s /usr/lib64/libssl.so /usr/lib
ln -s /usr/lib64/libssl.a /usr/lib
ln -s /usr/lib64/libcrypto.so /usr/lib

From: Anonymous at: 2006-06-28 16:16:37

SuSE has provided an update to solve all the problems with the slow and buggy updater. When you go updating, update ONLY the libzypp package FIRST. After that you can do a regular update without problems.

From: Anonymous at: 2006-06-13 21:30:50

Hi Falko,

Great howto once again.

But it seems that Yast on SuSE 10.1 version does indeed check every package before installation and therefore it takes longer (MD5 SUMS and all).

It is something good for Yast installations. (I have seen this in the opensuse pages ... somewhere ... )

About the partition, why don't you propose some other type of partition of the disk. Like a separate /var (for database and the like.)

Regards,

Pedro

From: Anonymous at: 2006-07-03 14:31:12

Hi...I'm a slack user...and a slack fan...I've been testing a few distributions...and I did not like anyone...except Suse...and I think that u made a really great job here!!!! I'll try today!

Congratulations!!!! 

From: Anonymous at: 2006-06-25 23:56:57

I was very excited to try out Suse.  The live CD I played around with detected more hardware and was a joy to work with.  I've tried installing suse twice now, once by just installing everything and once with this howto.  Both times Yast died when trying to add mirrors.  The first time I just thought yast was locking up.  On top of that, adding a mirror is unintuitive to someone who isn't familiar with the system.  This time, I read the author's comments on the 10 minute wait.  Okay, I said, I'll wait this time.  I waited for 8 hours.  I left the setup running in the morning and when I came home from work it was still at the same screen.  So that's it, no three strikes and you are out.  I'm done after two attempts.  I'm going back to Redhat and yum.  Thanks to the author for this howto.

From: Anonymous at: 2006-05-31 13:36:16

proftpd_cfg="/usr/local/etc/proftpd.conf"

not like this:

proftpd_cfg="/etc/proftpd.conf"

Thanks

From: Anonymous at: 2006-06-15 16:38:07

On the 64-Bit System, the wrong version of the glibc-devel is installed. (i686 instead of x86_64)

Correct this in yast2 and it will work.

From: Anonymous at: 2006-06-11 20:03:18

BTW: you don't need to run `yast2 -i xntp` because yast2-ntp-client always checks whether the needed package xntp is installed and offers to install it when it is not.

You can also run the YaST ntp-client directly by entering `yast2 ntp-client` command.

From: Anonymous at: 2006-06-09 18:44:54

In your howto, you recommend to disable AppArmor because it has caused more harm than good to you. I can't agree with that - AppArmor is the main reason why I consider SUSE 10.1 the best Linux for servers!

Maybe you should simply read the AppArmor manual (comes as PDF, about 100 pages) and update the profiles as needed. You can also do this using YaST.

Checking /var/log/audit/audit.log is also a good idea if something fails with "permission denied" ;-)

Yes, AppArmor configuration can cause some work - as always: security has its price!