42go ISP-Manager | 42go SPAM-Filter | SQLiteWebAdmin
The Perfect Setup - Debian Sarge (3.1)
Version 1.3
Author: Falko Timme
<falko [dot] timme [at] projektfarm [dot] de>
Last edited 07/14/2005
This is a detailed description about the steps to be taken to setup a Debian based server (Debian Sarge alias Debian 3.1) that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/POP3s/IMAP/IMAPs, Quota, Firewall, etc.).
I will use the following software:
In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
Requirements
To install such a system you will need the following:
1 The Base System
Insert your Sarge Netinstall CD into your system and boot from it (enter linux26 at the boot prompt to install a 2.6 kernel). The installation starts, and first you have to choose your language:
Select your country:
Choose a keyboard layout:
The hardware detection starts:
Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:
Enter your domain name. In this example, this is example.com:
Now you have to partition your hard disk. I will create one big partition (with the mount point /) and a little swap partition:
Now the base system is being installed:
I install the GRUB boot loader to the master boot record:
Afterwards remove the Sarge Netinstall CD from your system and reboot it:
Configure your time zone:
Enter a password for root:
Create a second user admin:
Choose your installation method. Since I want to do an installtion over the network I select http or ftp.
Select a mirror for your installation:
Enter a proxy for the installtion (if necessary). Normally you can leave this field empty.
Under Debian software selection I only choose Mail server. I will install all other services manually later on.
The network installation starts:
Continue installing libc-client without Maildir support. If you want to use Maildir you can install Courier-POP3/Courier-IMAP (explained later on):
Do not configure Exim as we will replace it with Postfix later on:
Congratulations! Your base system is finished now:
2 Installing And Configuring The Rest Of The System
Configure The Network
Because the Debian Sarge installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
|
If you want to add the IP address 192.168.0.101 to the interface eth0 you should change the file to look like this:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
auto eth0:0
iface eth0:0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
|
Then restart your network:
/etc/init.d/networking restart
Edit /etc/resolv.conf and add some nameservers:
search server nameserver 145.253.2.75 nameserver 193.174.32.18 nameserver 194.25.0.60 |
Edit /etc/hosts and add your new IP addresses:
127.0.0.1 localhost.localdomain localhost server1 192.168.0.100 server1.example.com server1 192.168.0.101 virtual-ip1.example.com virtual-ip1 # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts |
Setting The Hostname
echo server1.example.com
> /etc/hostname
/bin/hostname -F /etc/hostname
Install/Remove Some Software
Now let's install some software we need later on and remove some packages that we do not need:
apt-get install wget bzip2
rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev
libpopt-dev nmap openssl lynx fileutils
apt-get remove lpr nfs-common
portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig
update-rc.d -f exim remove
update-inetd --remove
daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard
<- Yes
/etc/init.d/inetd reload
Quota
apt-get install quota quotatool
<- No
Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 /dev/sda1 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1 /dev/sda5 none swap sw 0 0 /dev/hdc /media/cdrom0 iso9660 ro,user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0 |
Then run:
touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
DNS-Server
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: OPTS="-u bind" so that it reads OPTS="-u bind -t /var/lib/named":
OPTIONS="-u bind -t /var/lib/named" |
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink
to the new config directory from the old location (to avoid problems when bind
is upgraded in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random
devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null
c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd
test -x $binpath || exit 0
# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
create_xconsole()
{
if [ ! -e /dev/xconsole ]; then
mknod -m 640 /dev/xconsole p
else
chmod 0640 /dev/xconsole
fi
chown root:adm /dev/xconsole
}
running()
{
# No pidfile, probably no daemon present
#
if [ ! -f $pidfile ]
then
return 1
fi
pid=`cat $pidfile`
# No pid, probably no daemon present
#
if [ -z "$pid" ]
then
return 1
fi
if [ ! -d /proc/$pid ]
then
return 1
fi
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`
# No syslogd?
#
if [ "$cmd" != "$binpath" ]
then
return 1
fi
return 0
}
case "$1" in
start)
echo -n "Starting system log daemon: syslogd"
create_xconsole
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
stop)
echo -n "Stopping system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
;;
reload|force-reload)
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
echo "."
;;
restart)
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
sleep 1
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
reload-or-restart)
if running
then
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
else
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
fi
echo "."
;;
*)
echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
exit 1
esac
exit 0
|
Restart the logging
daemon:
/etc/init.d/sysklogd restart
Start up BIND,
and check /var/log/syslog
for any errors:
/etc/init.d/bind9 start
MySQL
apt-get install mysql-server mysql-client libmysqlclient12-dev
mysqladmin -u root password yourrootsqlpassword
When you run netstat -tap you should now see a line like this:
tcp 0 0 localhost.localdo:mysql *:* LISTEN 2449/mysqld |
which means that MySQL is accessible on port 3306. You can go to the next section (Postfix). If you do not see this line, edit /etc/mysql/my.cnf and comment out skip-networking:
# skip-networking |
If you had to edit /etc/mysql/my.cnf you have to restart MySQL:
/etc/init.d/mysql restart
Postfix/POP3/IMAP
In order to install Postfix with SMTP-AUTH and TLS as well as a POP3 server that also does POP3s (port 995) and an IMAP server that is also capable of IMAPs (port 993) do the following steps:
apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl (1 line!)
<- pop3 and pop3s
<- No
<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
postconf -e 'smtpd_sasl_local_domain
='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days
3650
postconf -e 'smtpd_tls_auth_only
= no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = server1.example.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = server1.example.com, localhost.example.com, localhost relayhost = mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all smtpd_sasl_local_domain = $myhostname smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom |
/etc/init.d/postfix restart
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
rm -fr /var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd":
# This needs to be uncommented before saslauthd will be run automatically START=yes PARAMS="-m /var/spool/postfix/var/run/saslauthd" # You must specify the authentication mechanisms you wish to use. # This defaults to "pam" for PAM support, but may also include # "shadow" or "sasldb", like this: # MECHANISMS="pam shadow" MECHANISMS="pam" |
Finally we have to edit /etc/init.d/saslauthd. Change the line
dir=`dpkg-statoverride --list $PWDIR` |
to
#dir=`dpkg-statoverride --list $PWDIR` |
Then change the variables PWDIR and PIDFILE and add the variable dir at the beginning of the file:
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
|
/etc/init.d/saslauthd should now look like this:
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
createdir() {
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
[ -d "$4" ] || mkdir -p "$4"
chown -c -h "$1:$2" "$4"
chmod -c "$3" "$4"
}
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
. "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
echo "You need to configure ${DEFAULTS} with mechanisms to be used"
exit 0
fi
# Add our mechanimsms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"
START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"
# Consider our options
case "${1}" in
start)
echo -n "Starting ${DESC}: "
#dir=`dpkg-statoverride --list $PWDIR`
test -z "$dir" || createdir $dir
if start-stop-daemon ${START} >/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(failed)."
exit 1
else
echo "${DAEMON} already running."
exit 0
fi
fi
;;
stop)
echo -n "Stopping ${DESC}: "
if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
--startas ${DAEMON} --retry 10 --name ${NAME} \
>/dev/null 2>&1 ; then
echo "${NAME}."
else
if start-stop-daemon --test ${START} >/dev/null 2>&1; then
echo "(not running)."
exit 0
else
echo "(failed)."
exit 1
fi
fi
;;
restart|force-reload)
$0 stop
exec $0 start
;;
*)
echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
|
Now start saslauthd:
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
everything is fine.
Type
quit
to return to the system's shell.
Courier-IMAP/Courier-POP3
If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995). Otherwise you can proceed with the Apache configuration.
apt-get install courier-imap courier-imap-ssl courier-pop courier-pop-ssl
<- No
ipopd and UW-IMAP will then be replaced.
Then configure Postfix to deliver emails to a user's Maildir*:
postconf -e 'home_mailbox
= Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart
*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.
Apache
Run
apt-get install apache2
apache2-doc
apt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common
php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash
php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick
(1 line!)
Edit /etc/apache2/apache2.conf. Change
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml |
to
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml |
Edit /etc/mime.types and comment out the following lines:
#application/x-httpd-php phtml pht php #application/x-httpd-php-source phps #application/x-httpd-php3 php3 #application/x-httpd-php3-preprocessed php3p #application/x-httpd-php4 php4 |
Edit /etc/apache2/mods-enabled/php4.conf and comment out the following lines:
<IfModule mod_php4.c> # AddType application/x-httpd-php .php .phtml .php3 # AddType application/x-httpd-php-source .phps </IfModule> |
Edit /etc/apache2/ports.conf and add Listen 443:
Listen 80 Listen 443 |
Now we have to enable some Apache modules (SSL, rewrite and suexec):
cd /etc/apache2/mods-enabled
ln -s /etc/apache2/mods-available/ssl.conf ssl.conf
ln -s /etc/apache2/mods-available/ssl.load ssl.load
ln -s /etc/apache2/mods-available/rewrite.load rewrite.load
ln -s /etc/apache2/mods-available/suexec.load suexec.load
Restart Apache:
/etc/init.d/apache2 restart
Proftpd
apt-get install proftpd
<- standalone
For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):
DefaultRoot ~ IdentLookups off ServerIdent on "FTP Server ready."
and restart Proftpd:
/etc/init.d/proftpd restart
Webalizer
apt-get
install webalizer
<- /var/www/webalizer
<- Usage Statistics for
<- /var/log/apache/access.log.1
Synchronize the System Clock
If you want to have the system clock synchronized with an NTP server you can add the following lines to /var/spool/cron/crontabs/root (if the file does not exist, create it by running
touch
/var/spool/cron/crontabs/root):
#
update time with ntp server
0 3,9,15,21 * * * /usr/sbin/rdate 128.2.136.71 | logger -t NTP
Then run
chmod
600 /var/spool/cron/crontabs/root
/etc/init.d/cron
restart
Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)
Installation using the Perl Shell
Login to your command line as root and run the following command to start the Perl shell:
perl -MCPAN -e shell
If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.
Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.
The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".
Run the following commands to install the modules needed by SpamAssassin:
install HTML::Parser
install DB_File
install Net::DNS
(when prompted to enable tests, choose no)
q (to leave the Perl shell)
If a module is already installed on your system you will get a message similar to this one:
HTML::Parser is up to date.
Successful installation of a module looks like this:
/usr/bin/make install -- OK
Compile a Custom Kernel
If you need to
compile a new kernel for some reason (e.g. because you want to use the latest
bleeding-edge kernel or need a feature that the standard Debian kernel does
not offer), you can find more information here: Debian-Kernel-Compile-Howto.
The End
The configuration
of the server is now finished, and if you wish you can now install ISPConfig
on it.
A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root. Run /usr/lib/apache2/suexec2 -V, and the output should look like this:
To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.
Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.
Links
If you know of other configurations (for Debian, RedHat, SuSE or Mandrake) that work with the 42go ISP-Manager, and you like to have that configuration published here, feel free to submit your installation instructions to: <falko [dot] timme [at] projektfarm [dot] de>.