Version 1.0.1 Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net> Last edited 14/04/2008
Introduction
This tutorial shows how to set up a CentOS 5.x server to offer all services needed by virtual web hosters. These include web hosting, an SMTP server (with SMTP-AUTH and TLS, SPF, DKIM and DomainKeys), DNS, FTP, MySQL, POP3/IMAP, a firewall and Webalizer for statistics. I will use the following software:
Database Server: MySQL 5.0.22
Mail Server: Postfix 2.3.3
NS Server: BIND9 9.3.3
Web Server: Apache 2.2.3 / PHP 5.1.6
FTP Server: Vsftpd 2.0.5
POP3/IMAP server: Dovecot 1.0
Webalizer: for site statistics 2.01_10
Virtualmin: Control panel
OS Installation
Requirements
To install the system you will need
Boot from the DVD or CD media and at the boot prompt type linux text. Skip the media test. Select your language:
Configure your network. I will be using DHCP; if you do not have DHCP you can use static entries.
Create partitions:
Configure networking:
Editors
o vim-enhanced
FTP server
Mail server
o dovecot
o spamassassin
o postfix
Services To Disable
To enhance security and free system resources we need to disable any services that are not required. You can run this script to do this for you.
acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd
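The howto refers to a script for switching these services off but does not show one. The following is an added example, not the author's script: it takes the service list above and removes each service from every runlevel with chkconfig and stops it. The DRY_RUN knob, the function names and the --run argument are assumptions made for this example; the service names are the ones listed in the howto.

```shell
#!/bin/sh
# Added example (not the howto's script): disable the services listed in the
# howto on a CentOS 5 box. Service names are the howto's; DRY_RUN, --run and
# the function names are assumptions for this demo.
SERVICES="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon
messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd
portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd"

# disable_service <name>: remove the service from every runlevel and stop it.
# With DRY_RUN=1 the commands are printed instead of executed, so the plan can
# be reviewed before anything is changed.
disable_service() {
  svc=$1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "chkconfig $svc off; service $svc stop"
    return 0
  fi
  # a service whose package is not installed has no init script: skip it
  # instead of aborting the whole run
  if [ -x "/etc/init.d/$svc" ]; then
    chkconfig "$svc" off
    service "$svc" stop
  else
    echo "skipping $svc: no init script" >&2
  fi
}

# disable_all: apply disable_service to the whole list
disable_all() {
  for svc in $SERVICES; do
    disable_service "$svc"
  done
}

# count_services: number of services in the list (sanity check that a
# copy/paste of the list did not lose an entry)
count_services() {
  set -- $SERVICES
  echo $#
}

# Only change the system when invoked with --run; otherwise show the plan.
if [ "${1:-}" = "--run" ]; then
  disable_all
else
  (DRY_RUN=1; disable_all)
fi
```

Run it once without arguments to see the 24 commands it would execute, then with --run as root to apply them. Services that were listed but are not installed are reported on stderr and skipped.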
Basics
We need to fix a few issues to prepare the system for configuration.
Install updates
yum upgrade
alternatives --config mta

There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
   1           /usr/sbin/sendmail.postfix
*+ 2           /usr/sbin/sendmail.sendmail

Enter to keep the current selection[+], or type selection number: 1
yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17 openssl-devel subversion ncurses-devel -y
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm
Change the port to 443 and bind to the second nic only:
port=443
bind=192.168.1.6
#listen=10000
blockhost_failures=3
blockhost_time=120
blockuser_failures=3
blockuser_time=120
realm=cpanel
utmp=1
Log in to Webmin via https://192.168.1.5:10000 using root and your password. Go to Webmin -> Webmin Configuration -> Webmin Themes. Select "From ftp or http URL", enter http://www.stress-free.co.nz/files/theme-stressfree.tar.gz and click "Install theme". Click "Return to list themes". Select StressFree as the current theme, then click "Change".
Go to Webmin -> Webmin Configuration -> Webmin Modules. Select "Third party module from", enter http://www.webmin.com/download/modules/phppear.wbm.gz and click "Install module".
Install virtualmin:
Go to Webmin -> Webmin Configuration -> Webmin Modules. Select "Install from ftp or http URL", enter http://download.webmin.com/download/virtualmin/virtualserver-3.51.gpl.wbm.gz and click "Install module".
Remove unwanted modules: go to Webmin -> Webmin Configuration -> Delete and select the following:
ADSL client
Bacula backup system
CD Burner
CVS Server
Cluster change passwords
Cluster copy files
Cluster cron jobs
Cluster shell commands
Cluster software packages
Cluster usermin servers
Cluster users and groups
Cluster webmin servers
Command shell
Configuration engine
Custom commands
DHCP server
Fetchmail mail retrieval
File manager
Frox ftp proxy
HTTP Tunnel
Heartbeat monitor
IPsec VPN
Jabber IM server
LDAP server
Logical volume management
Majordomo list manager
NFS exports
NIS client and server
OpenSLP server
PPP dialin server
PPP dialup client
PPTP vpn server
PPTP vpn client
Postgresql database server
Printer admin
ProFTPD server
QMAIL mail server
SMART drive status
SSH / Telnet login
SSL tunnels
SAMBA windows file sharing
Scheduled commands
Sendmail mail server
Shoreline firewall
Squid analysis report generator
Squid proxy server
Voicemail server
WU-FTP server
Idmapd server
Disable the repo (so that base packages are not overwritten): edit /etc/yum.d/rpmforge.repo and set the following option:
enabled = 0
Install clamav:
yum --enablerepo=rpmforge install clamav clamav-db clamav-milter clamd -y
wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch
chkconfig --del clamd
freshclam
Install spamass-milter:
perl -MCPAN -e 'install Mail::SPF'
perl -MCPAN -e 'install Mail::SPF::Query'
perl -MCPAN -e 'install Net::Ident'
perl -MCPAN -e 'install IP::Country::Fast'
perl -MCPAN -e 'install Mail::DomainKeys'
perl -MCPAN -e 'install Mail::DKIM'
Install fuzzyOCR:
yum --enablerepo=rpmforge install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
svn co https://svn.own-hero.net/fuzzyocr/trunk/devel/
cd devel/
perl -MCPAN -e 'install String::Approx'
perl -MCPAN -e 'install Time::HiRes'
perl -MCPAN -e 'install Log::Agent'
cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words
Install Razor:
Install roundcube:
Install imapproxy:
Activate services:
chkconfig --level 345 httpd on
chkconfig --level 345 postfix on
chkconfig --level 345 spamassassin on
chkconfig --level 345 spamass-milter on
chkconfig --level 345 clamav-milter on
chkconfig --level 345 mysqld on
chkconfig --level 345 named on
chkconfig --level 345 vsftpd on
chkconfig --level 345 dovecot on
chkconfig --level 345 imapproxy on
Introduction
We will be setting up postfix with the following features:
Virtual hosting
UCE prevention
Anti virus
SMTP authentication
TLS
RBLs
SPF
Attack mitigation
Adding accounts and domains will be done through Virtualmin, although it can be done manually as well. The setup is designed to be resource friendly, so it should be able to run on machines that are not over-spec'ed, leaving the resources free for better use. To keep it resource friendly we do not use external databases to store virtual user information, as most other how-tos do, and we use milters for spam and virus checking instead of running amavisd-new.
The Basics
To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps and spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated otherwise. Sample configuration files are available for download at the end of this page.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail
Maildir
We will use the much improved maildir format as opposed to the default mbox format:
home_mailbox = Maildir/
SASL
To perform SMTP authentication we will be using SASL. However, we will not use Cyrus SASL, as that requires us to run the saslauthd daemon; we will instead use Dovecot SASL, since we will be running Dovecot for IMAP and POP3 anyway, thus killing two birds with one stone.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
TLS
We need TLS to ensure that plain text passwords are not transmitted over the wire during SMTP authentication; servers that support TLS are also able to communicate with this server over a secured connection. Instructions on creating your server certificate signed by cacert.org can be found here.
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
Spam Prevention
smtpd_helo_required = yes
disable_vrfy_command = yes
Change reject codes to permanent (by default Postfix issues 4xx error codes, which imply a temporary failure; we need 5xx for permanent errors):
# sample /etc/postfix/sender_access contains frequently spoofed domains
aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
smtpd_data_restrictions = reject_unauth_pipelining
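Before reloading Postfix it is worth confirming that the main.cf actually carries the settings this section relies on (SASL via Dovecot, HELO required, VRFY disabled, unauthorised pipelining rejected, a TLS certificate configured). The following is an added example, not part of the howto: a small POSIX sh audit that reads a main.cf the way Postfix does (last assignment wins, comments ignored, only the first "=" separates name from value) and reports every deviation. The parameter names and values are the ones from the sections above; the pf_* function names and the two sample main.cf files are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the howto): audit a main.cf for the hardening
# settings described in this section. Parameter/value pairs are the howto's;
# pf_* names and the two sample files are constructed for the demo.

# pf_get <param> <main.cf>: effective value of a parameter. Postfix takes the
# last assignment in the file, ignores comment lines, and only the first "="
# splits name from value (values may themselves contain "=").
pf_get() {
  awk -v k="$1" '
    /^[ \t]*#/ { next }
    {
      i = index($0, "=")
      if (i == 0) next
      name = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (name == k) last = val
    }
    END { print last }' "$2"
}

# pf_audit <main.cf>: print one FAIL line per deviation from the expected
# settings and return the number of deviations (0 means everything is set).
pf_audit() {
  bad=0
  for pair in smtpd_helo_required=yes \
              disable_vrfy_command=yes \
              smtpd_sasl_auth_enable=yes \
              smtpd_sasl_type=dovecot \
              smtpd_data_restrictions=reject_unauth_pipelining; do
    p=${pair%%=*}; want=${pair#*=}
    got=$(pf_get "$p" "$1")
    if [ "$got" != "$want" ]; then
      echo "FAIL $p: want '$want', got '${got:-<unset>}'"
      bad=$((bad + 1))
    fi
  done
  # SMTP AUTH over TLS needs a server certificate to be configured at all
  if [ -z "$(pf_get smtpd_tls_cert_file "$1")" ]; then
    echo "FAIL smtpd_tls_cert_file: not set, SMTP AUTH would run in cleartext"
    bad=$((bad + 1))
  fi
  return $bad
}

# Two constructed sample files: one as configured in this howto, and one where
# VRFY is only disabled in a comment and no certificate is configured.
PF_GOOD=$(mktemp); PF_BAD=$(mktemp)
cat > "$PF_GOOD" <<'EOF'
mydomain = example.com
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
EOF
cat > "$PF_BAD" <<'EOF'
mydomain = example.com
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
#disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
EOF

pf_audit "$PF_GOOD" && echo "hardened main.cf: OK"
pf_audit "$PF_BAD" || echo "weak main.cf: $? problem(s) found"
```

Point pf_audit at /etc/postfix/main.cf on the real server; a non-zero exit status lists exactly which of the settings from this section are missing. Continuation lines (a value wrapped onto an indented next line) are not joined by pf_get, so wrap-free values are assumed.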
Dovecot Setup
Introduction
This will setup dovecot as our IMAP/POP3 server.
Basic Configuration
We will setup dovecot for IMAP and POP3 and disable SSL.
protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
Maildir
We will use the maildir format as opposed to the default mbox format.
mail_location = maildir:~/Maildir
Client Issues
Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3 implementations, so we need to accommodate them by setting up these workarounds:
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
Sample files
dovecot.conf
Introduction
imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.
Configuration
Make the following changes in the file /etc/imapproxy.conf:
server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
Sample Files
imapproxy.conf
Bind Setup
Introduction
BIND will be set up chrooted to improve security; we will also use views to prevent abuse of the DNS server.
Basic Configuration
The basic configuration disables recursive queries and zone transfers by default. We also obscure the version of BIND we are running so that we are not hit by zero-day vulnerabilities from script kiddies.
options {
  directory "/var/named";
  pid-file "/var/run/named/named.pid";
  listen-on { 127.0.0.1; 192.168.1.5; };
  version "just guess";
  allow-recursion { "localhost"; };
  allow-transfer { "none"; };
};
Logging
The logging is customized to remove the annoying "lame-server" and update errors that appear in the logs:
logging {
  category update { null; };
  category update-security { null; };
  category lame-servers { null; };
};
Chroot
Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot package):
ROOTDIR=/var/named/chroot
Point Server
Let the machine use this server for DNS resolution: edit /etc/resolv.conf and prepend:
nameserver 127.0.0.1
Sample files
named.conf /etc/sysconfig/named
Vsftpd Setup
Introduction
We will use vsftpd as our FTP server. It has a better track record compared to the proftpd and wuftpd servers.
Basic Setting
Our basic setup disables anonymous users, and enables local system users to connect to the ftp server.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to example.com server
pam_service_name=vsftpd
tcp_wrappers=YES
Chroot
All users will be chrooted to their home directories (except usernames in the /etc/vsftpd/chroot_list file), meaning they cannot break out and see other users' files.
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
Banned Users
Users added to the file /etc/vsftpd/user_list will not be allowed to login:
userlist_enable=YES
Sample Files
Edit /etc/sysconfig/clamav-milter:
CLAMAV_FLAGS="--config-file=/etc/clamd.conf --force-scan --local --max-children=5 --sendmail-cf= --outgoing --quiet"
SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"
MySQL Setup
Basic Config
Listen only to the localhost, edit /etc/my.cnf under the mysqld section:
bind-address = 127.0.0.1
SpamAssassin Setup
Basic Config
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Configure To Use DB
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
Configure FuzzyOCR
We will be storing the image hashes in a MySQL database to improve performance, so that images we have already scanned do not get scanned again, as OCR is a resource-intensive activity.
The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:
Basic Settings
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock
mkdir /etc/mail/spamassassin/sa-update-keys/
chmod 700 /etc/mail/spamassassin/sa-update-keys/
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
Spamass-milter Setup
Basic Configuration
Edit /etc/sysconfig/spamass-milter:
Patch
We need to patch the init file to fix the permissions of the socket it creates, so that Postfix is able to use the socket.
wget http://www.topdog-software.com/files/spamass-milter.patch
patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch
Apache Setup
Disable Modules
We will disable some modules that we are not using, freeing up memory and also improving security.
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
Create Database
mysqladmin -p create roundcube
mysql -p
mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';
Basic Config
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';
<VirtualHost *:80>
  ServerName webmail.example.com
  ServerAlias webmail.*
  DocumentRoot /var/www/roundcube
  <Directory /var/www/roundcube>
    Options -Indexes IncludesNOEXEC FollowSymLinks
    allow from all
  </Directory>
</VirtualHost>
Firewall Setup
Introduction
This is a basic firewall; it may not suit your needs. Firewalling is an art, so I recommend reading into it to improve on this basic one.
Basic Config
Add these rules in your configuration file /etc/sysconfig/iptables:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
Activate Config
service iptables restart
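Since the ruleset above is the only thing standing between the hosting services and the network, it is useful to summarise what it exposes before activating it. The following is an added example, not part of the howto: a POSIX sh script that reads an iptables-save style file, reports the default policy of each filter chain and lists the TCP and UDP ports the INPUT chain accepts (handling both --dport and multiport --dports, wherever they appear on the rule line, as in the howto's multiport rule). The filter table embedded below is copied from the howto's rules; the fw_* function names and the temporary file are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the howto): summarise what an iptables-save style
# ruleset exposes so it can be reviewed before "service iptables restart".
# The filter table below is the howto's; fw_* names are assumptions.
FW_RULES=$(mktemp)
cat > "$FW_RULES" <<'EOF'
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
EOF

# fw_policy <file> <chain>: default policy of a chain in the filter table
fw_policy() {
  awk -v c=":$2" '/^\*/ { t = $1 } t == "*filter" && $1 == c { print $2 }' "$1"
}

# fw_open_ports <file> <proto>: ports the INPUT chain ACCEPTs for tcp or udp,
# sorted and space separated. Both "--dport N" and multiport "--dports a,b,c"
# are understood, no matter where they sit on the rule line.
fw_open_ports() {
  awk -v p="$2" '
    /^\*/ { t = $1 }
    t == "*filter" && $1 == "-A" && $2 == "INPUT" \
      && index($0, "-p " p " ") && index($0, "-j ACCEPT") {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" || $i == "--dports") print $(i + 1)
    }' "$1" | tr ',' '\n' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# fw_default_deny <file>: succeed only if INPUT, FORWARD and OUTPUT all
# default to DROP, i.e. anything not explicitly allowed is blocked
fw_default_deny() {
  for c in INPUT FORWARD OUTPUT; do
    [ "$(fw_policy "$1" "$c")" = "DROP" ] || return 1
  done
  return 0
}

echo "INPUT policy : $(fw_policy "$FW_RULES" INPUT)"
echo "open tcp     : $(fw_open_ports "$FW_RULES" tcp)"
echo "open udp     : $(fw_open_ports "$FW_RULES" udp)"
fw_default_deny "$FW_RULES" && echo "default deny : yes"
```

Run against /etc/sysconfig/iptables on the server itself, the expected report for this howto's rules is INPUT policy DROP, TCP ports 21 22 25 53 80 110 143 443 and UDP port 53; anything else appearing in the list is a rule that was not planned for.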
Configure Virtualmin
Introduction
Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will be using it to provide the virtual hosting functions such as creation of domains, accounts and maintaining configurations on the system.
Start Services
You need to start up services that are required to be able to configure virtualmin. Start the following services:
service named start
service spamassassin start
service spamass-milter start
service clamav-milter start
service postfix start
service dovecot start
service imapproxy start
service httpd start
Configure Features
You need to enable the features and plugins that we want to use. On login this is the screen that you will see.
Enable the following features and save:
o Home directory
o Administration user
o Mail for domain
o BIND DNS domain
o Apache website
o Webalizer reporting
o Log file rotation
o Mysql database
o Webmin user
Apache Template
You can make changes to the way Apache virtual hosts are created by editing this template. The defaults, however, will do for the purposes of this howto.
Administration User
This template lets you set the quota for the virtual server and the admin user. For this howto we will use the default quota of 1GB.
In the directives text box add the following with the IP address of your slave server such that the slave is allowed to do zone transfers.
allow-transfer { 192.168.1.2; };
Add a mail user to the domain: click on the domain name, then click "Edit mail and FTP users", then "Add user" and fill in the information.
Testing Postfix
Test SMTP
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From:address@yahoo.com
To:andrew@example.com
Subject:This is a test
Hi This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6

telnet 192.168.1.5 25
Trying 192.168.1.5...
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Test dkim
Send a mail to autorespond+dkim@dk.elandsys.com.
Test domainkeys
Send a mail to autorespond+dk@dk.elandsys.com.
Dovecot
Test POP3
telnet 192.168.1.5 110
+OK Dovecot ready.
user andrew.example
+OK
pass password
+OK Logged in.
quit
+OK Logging out.
Test IMAP
telnet 192.168.1.5 143
* OK Dovecot ready.
01 login andrew.example password
01 OK User logged in
01 list "" "*"
* LIST (\HasNoChildren) "." "Trash"
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Junk"
* LIST (\HasNoChildren) "." "Sent"
* LIST (\HasNoChildren) "." "INBOX"
01 OK List completed.
01 logout
* BYE LOGOUT received
01 OK Completed
BIND
dig example.com @127.0.0.1
Clamav-milter
We are using the test virus from www.eicar.org.
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye
Take a look at your /var/log/maillog; you should see something like this:
73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net; from=<address@yahoo.com> to=<andrew@example.com> proto=SMTP helo=<me>
Spamass-milter
We are using the test message from http://spamassassin.apache.org/gtube/.
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye