Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 4
Dovecot Setup
Introduction
This will set up Dovecot as our IMAP/POP3 server.
Basic Configuration
We will set up Dovecot for IMAP and POP3 and disable SSL.

protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
Maildir
We will use the maildir format as opposed to the default mbox format.
mail_location = maildir:~/Maildir
Authentication & SASL
Configure Dovecot to use LOGIN and PLAIN as the authentication mechanisms, as many MS clients are unable to use encrypted authentication mechanisms. We also set up the SASL socket so that Postfix can authenticate SMTP connections through Dovecot.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Client Issues
Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3 implementations, so we need to accommodate them by setting up these workarounds:

protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
Run IMAP Behind Proxy
The IMAP server is configured to listen on port 10143 so that port 143 can be handled by the IMAP proxy server, which improves webmail performance by caching connections to the IMAP server. The listen option under protocol imap sets this up.

protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
  listen = 127.0.0.1:10143
}
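As an added example (not part of the original howto), a small Python script that parses the Dovecot 1.x block syntax used above and flags the settings a reviewer would question: PLAIN/LOGIN mechanisms together with ssl_disable = yes mean no TLS is offered at all, so remote logins either fail or carry the password in cleartext, and a Postfix SASL socket mode wider than 0660 exposes the auth socket to every local user. The configuration text is constructed from this page's snippets; the parser and audit function are mine and are not Dovecot tooling.

```python
# Constructed sample assembled from this page's Dovecot 1.x snippets (not a real host).
SAMPLE_CONF = """
protocols = imap pop3
ssl_disable = yes
auth default {
  mechanisms = plain login
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
    }
  }
}
protocol imap {
  listen = 127.0.0.1:10143
}
"""

def parse_dovecot(text):
    """Parse 'key = value' lines and nested 'name { ... }' blocks into dicts;
    block headers such as 'auth default' or 'socket listen' become keys."""
    root, stack = {}, []
    cur = root
    # strip comments and skip blank lines
    for line in filter(None, (l.split('#', 1)[0].strip() for l in text.splitlines())):
        if line.endswith('{'):                # open a nested block
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == '}':                     # close the current block
            cur = stack.pop()
        elif '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key] = val
    return root

def audit_auth(conf):
    """Return findings on credential exposure; an empty list means nothing flagged."""
    findings, auth = [], conf.get('auth default', {})
    if {'plain', 'login'} & set(auth.get('mechanisms', '').split()):
        if conf.get('ssl_disable', 'no') == 'yes':
            findings.append('ssl_disable = yes with plain/login: no TLS is offered, so '
                            'remote logins are refused or send the password in cleartext')
        if conf.get('disable_plaintext_auth', 'yes') == 'no':
            findings.append('disable_plaintext_auth = no: cleartext logins accepted without TLS')
    mode = auth.get('socket listen', {}).get('client', {}).get('mode', '')
    if mode and int(mode, 8) & 0o007:         # any "other" permission bit set
        findings.append('SASL socket mode %s is world-accessible; use 0660 owned by postfix' % mode)
    return findings
```

Run it against a copy of /etc/dovecot.conf to see which of the page's choices it flags; the loopback-only listener on 10143 keeps the Dovecot side local, but the cleartext leg between clients and the proxy on port 143 remains.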
Setup Imap Proxy
Introduction
imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.
Configuration
Make the following changes in the file /etc/imapproxy.conf:

server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
Bind Setup
Introduction
BIND will be set up chrooted to improve security; we will also use views to prevent abuse of the DNS server.
Basic Configuration
The basic configuration disables recursive queries (except from localhost) and zone transfers by default. We also hide the version of BIND we are running, so that script kiddies cannot simply match it against published zero-day vulnerabilities.

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    listen-on { 127.0.0.1; 192.168.1.5; };
    version "just guess";
    allow-recursion { "localhost"; };
    allow-transfer { "none"; };
};
Logging
The logging is customized to remove the annoying "lame-server" and update errors that appear in the logs:

logging {
    category update { null; };
    category update-security { null; };
    category lame-servers { null; };
};
Chroot
Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot package):
ROOTDIR=/var/named/chroot
Point Server
To make the machine use this server for DNS resolution, edit /etc/resolv.conf and prepend:
nameserver 127.0.0.1
Vsftpd Setup
Introduction
We will use vsftpd as our FTP server. It has a better security track record than the proftpd and wu-ftpd servers.
Basic Setting
Our basic setup disables anonymous users and enables local system users to connect to the FTP server.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to example.com server
pam_service_name=vsftpd
tcp_wrappers=YES
Chroot
All users will be chrooted to their home directories (except usernames listed in the /etc/vsftpd/chroot_list file), meaning they cannot break out and see other users' files.

chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
Banned Users
Users added to the file /etc/vsftpd/user_list will not be allowed to log in:
userlist_enable=YES