Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 5
Clamav Milter Setup
- Edit /etc/sysconfig/clamav-milter:
CLAMAV_FLAGS=" --config-file=/etc/clamd.conf --force-scan --local --max-children=5 --sendmail-cf= --outgoing --quiet "
SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"
- Patch the init file to fix socket permissions:
wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch
MySQL Setup
Basic Config
- Listen only on localhost. Edit /etc/my.cnf and add under the [mysqld] section:
bind-address = 127.0.0.1
Set Root Password
- Set the root password:
service mysqld start
mysqladmin -u root password NEWPASSWORD
SpamAssassin Setup
Basic Config
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Create MySQL Database
- Create the database:
mysqladmin -p create bayes
- Populate the database:
mysql -p bayes < /usr/share/doc/spamassassin-$(rpm --qf %{VERSION} -q spamassassin)/sql/bayes_mysql.sql
- Create the user:
mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';
Configure To Use DB
- Edit the file /etc/mail/spamassassin/local.cf and add:
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
Configure FuzzyOCR
We will store the image hashes in a MySQL database to improve performance, so that images we have already scanned are not scanned again, since OCR is a resource-intensive activity.
Create MySQL Database
- The SQL script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:
mysql -p < /usr/local/src/devel/FuzzyOcr.mysql
- Change the password (enter the current password fuzzyocr at the prompt; NEWPASSWORD is the new one):
mysqladmin -u fuzzyocr -p password NEWPASSWORD
Basic Settings
- Edit /etc/mail/spamassassin/FuzzyOcr.cf and set the basic options:
focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log
Make FuzzyOCR Use The Database
- Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock
SARE Rule Updates
- Import the GPG key used to sign the rules:
mkdir /etc/mail/spamassassin/sa-update-keys/
chmod 700 /etc/mail/spamassassin/sa-update-keys/
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY
- Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
- Create an update script /usr/local/bin/update-sa:
#!/bin/bash
#
# Fetch the SARE rule channels listed above, verifying signatures with the imported key
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log
- Make it executable and add it to cron:
chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly/
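The update-sa script above overwrites its log on every run (the &> redirection truncates the file) and ignores sa-update's exit status, so a failed download or a rejected signature leaves no trace. The wrapper below is an added example, not the howto's own script: it appends to the log, records what sa-update returned, and restarts spamd only when new rules were actually installed. The channel file, key id and log path are the ones used on this page; SA_UPDATE and RELOAD are assumed hook variables that let the wrapper be exercised without a real sa-update, and the fixed-length exit-code mapping (0 updated, 1 no update available, anything else an error) is sa-update's documented behaviour.

```shell
#!/bin/sh
# Added example (not the howto's update-sa): a cron-friendly sa-update wrapper.
CHANNELS=/etc/mail/spamassassin/sare-sa-update-channels.txt
GPGKEY=856AA88A
LOG=${LOG:-/var/log/sa-updates.log}
# Assumed hooks: override these to test the wrapper without a real sa-update.
SA_UPDATE=${SA_UPDATE:-sa-update}
RELOAD=${RELOAD:-"service spamassassin restart"}

# sa-update exit codes: 0 = update installed, 1 = no update available,
# anything else = an error (download, signature or lint problem).
describe_status() {
    case "$1" in
        0) echo updated ;;
        1) echo no-update ;;
        *) echo error ;;
    esac
}

# Run one update cycle. Appends sa-update's output and a one-line summary to
# $LOG, restarts spamd only on a real update, and returns 0 when the run was
# healthy (rules updated or already current) and 1 on any error.
run_update() {
    $SA_UPDATE --channelfile "$CHANNELS" --gpgkey "$GPGKEY" >>"$LOG" 2>&1
    status=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') sa-update exit=$status ($(describe_status "$status"))" >>"$LOG"
    if [ "$status" -eq 0 ]; then
        $RELOAD >>"$LOG" 2>&1
    fi
    [ "$status" -le 1 ]
}
```

To use it as the cron job, append a single line calling run_update to the end of the file and link it into cron as the howto does; the exit status then tells run-parts (and any monitoring) whether the run succeeded, and the summary lines in /var/log/sa-updates.log show at a glance when rules last changed.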
Spamass-milter Setup
Basic Configuration
- Edit /etc/sysconfig/spamass-milter:
SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"
Patch
We need to patch the init file to fix the permissions of the socket it creates, so that Postfix is able to use the socket.
wget http://www.topdog-software.com/files/spamass-milter.patch
patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch
Apache Setup
Disable Modules
We will disable some modules that we are not using, freeing up memory and also improving security by reducing the exposed code.
- Edit /etc/httpd/conf/httpd.conf and comment out the modules as below.
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
- Edit /etc/httpd/conf.d/proxy_ajp.conf and comment out as below:
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
Listen To One IP For HTTPS
Apache has to be configured to listen on one address for port 443, as Webmin will be using the same port. Edit /etc/httpd/conf.d/ssl:
Listen 192.168.1.6:443
Enable Gzip Compression
We set up gzip compression via the mod_deflate module to improve web server performance and cut down on bandwidth usage by compressing responses to the client.
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
Set up logging for the deflate module:
DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate_access_log vhost_with_deflate_info
Increase PHP Max Memory
Edit the file /etc/php.ini and set the following:
memory_limit = 64M
Enable Virtual Hosting
NameVirtualHost *:80
Create Default Virtual Host
This needs to be the first virtual host; it will be the default on the server, the equivalent of the server without virtual hosting.
<VirtualHost *:80>
    ServerName localhost.localdomain
    ServerAdmin [email protected]
</VirtualHost>
Roundcube Webmail Setup
Create Database
- Create the database and add the roundcube user.
mysqladmin -p create roundcube
mysql -p
mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';
- Initialize the database:
mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql
Basic Config
- Configure database DSN in /var/www/roundcube/config/db.inc.php:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
- Configure roundcube in /var/www/roundcube/config/main.inc.php:
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';
Set Up Catch All Virtualhost
As we will be providing webmail for all domains that are created on the system, we need to set up a catch-all virtual host that displays Roundcube whenever a user accesses http://webmail.domainname. Edit /etc/httpd/conf/httpd.conf and append:
<VirtualHost *:80>
    ServerName webmail.example.com
    ServerAlias webmail.*
    DocumentRoot /var/www/roundcube
    <Directory /var/www/roundcube>
        Options -Indexes IncludesNOEXEC FollowSymLinks
        allow from all
    </Directory>
</VirtualHost>
Firewall Setup
Introduction
This is a basic firewall; it may not suit your needs. Firewalling is an art, so I recommend reading into it to improve on this basic one.
Basic Config
Add these rules in your configuration file /etc/sysconfig/iptables:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,110,143,53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
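Before activating a ruleset it is worth checking what it actually exposes, since a stray port in a multiport list is easy to miss. The script below is an added example (not part of the howto): it parses the iptables-save format used in /etc/sysconfig/iptables, reports each chain's default policy and the inbound TCP ports the INPUT chain accepts, and compares that list against the ports you intended to open. RULESET is a constructed copy of the filter table above; the function names are mine, and the parser assumes the "-A INPUT ... -j ACCEPT" rule shapes used on this page (single --dport and multiport --dports).

```shell
#!/bin/sh
# Added example (not part of the howto): audit an iptables-save style ruleset.
# RULESET is a constructed copy of the filter table from this page.
RULESET='*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,110,143,53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT'

# Default policy of the named chain, e.g. "INPUT" -> "DROP".
chain_policy() {
    printf '%s\n' "$RULESET" | awk -v c=":$1" '$1 == c { print $2 }'
}

# Space-separated, numerically sorted list of TCP ports accepted on INPUT.
# Handles both "--dport N" and multiport "--dports a,b,c".
inbound_tcp_ports() {
    printf '%s\n' "$RULESET" | awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (k = 1; k <= n; k++) print p[k]
                }
        }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if every accepted TCP port appears in the expected list ($1);
# any port outside that list is reported on stderr.
check_ports() {
    expected=" $1 "
    for port in $(inbound_tcp_ports); do
        case "$expected" in
            *" $port "*) ;;
            *) echo "unexpected inbound tcp port: $port" >&2; return 1 ;;
        esac
    done
    return 0
}

echo "INPUT policy:  $(chain_policy INPUT)"
echo "OUTPUT policy: $(chain_policy OUTPUT)"
echo "inbound tcp:   $(inbound_tcp_ports)"
check_ports "21 22 25 53 80 110 143 443" && echo "only the expected ports are open"
```

To audit the live file rather than the embedded copy, replace the RULESET assignment with RULESET=$(cat /etc/sysconfig/iptables). The expected list passed to check_ports should match the services this howto installs (SSH, FTP, SMTP, DNS, HTTP/HTTPS, POP3 and IMAP); anything else the check flags is a port to explain or close before running service iptables restart.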
Activate Config
service iptables restart