1

Virtual Hosting Howto With Virtualmin On CentOS 5.1

Version 1.0.1

Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net>

Last edited 14/04/2008

Introduction

This tutorial shows how to set up a CentOS 5.x server to offer all services needed by virtual web

hosters. These include web hosting, smtp server with (SMTP-AUTH and TLS, SPF, DKIM,

Domainkeys), DNS, FTP, MySQL, POP3/IMAP, Firewall, Webalizer for stats.

I will use the following software:

Database Server: MySQL 5.0.22

Mail Server: Postfix 2.3.3

NS Server: BIND9 9.3.3

Web Server: Apache 2.2.3 /PHP 5.1.6

FTP Server: Vsftpd 2.0.5

POP3/IMAP server: Dovecot 1.0

Webalizer: for site statistics 2.01_10

Virtualmin: Control panel

OS Installation

Requirements

To install the system you will need

CentOS 5.1 Install media

A good internet connection

Install The Base System

NOTE Some stages of the installation are not described here in interest of keeping the howto

short, The grub configuration stages are left out for instance.

Boot from the DVD or CD media and at the boot prompt type linux text.

Skip the media test.

Select your language:

2

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Select keyboard layout:

3

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Configure your network, I will be using dhcp if you do not have dhcp you can use static

entries.

4

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Select Yes to initialize drive:

5

Select custom layout for partitioning type:

6

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Create partitions:

7

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

8

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

9

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

10

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

11

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Configure networking:

12

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

13

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set IP address and netmask:

14

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set gateway and dns servers:

15

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set the hostname:

16

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set the timezone:

17

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Set the root password:

18

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Select server group and select customize software selection:

19

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Package groups select as follows:

o DNS name server

bind-chroot

20

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Editors

o vim-enhanced

FTP server

Mail server

o dovecot

o spamassassin

o postfix

21

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Mysql Database

o mysql-server

22

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Web server

o mod_ssl

o webalizer

o php

o php-pear

o http-suexec

o php-mysql

23

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

24

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Start the installation:

25

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

File system is formatted:

26

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

The installation will run:

27

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Reboot the system:

28

Services To Disable

To enhance security and free system resources on the system we need to disable any services that

are not required. You can run this script to do this for you.

acpid

anacron

apmd

autofs

bluetooth

cups

firstboot

gpm

haldaemon

messagebus

mdmonitor

hidd

ip6tables

kudzu

lvm2-monitor

netfs

nfslock

pcscd

29

portmap

rpcgssd

rpcidmapd

sendmail

smartd

yum-updatesd

Basics

We need to fix a few issues to prepare the system for configuration.

Install updates

yum upgrade

Switch the mta to postfix

alternatives --config mta

There are 2 programs which provide 'mta'.

Selection Command

-----------------------------------------------

1 /usr/sbin/sendmail.postfix

*+ 2 /usr/sbin/sendmail.sendmail

Enter to keep the current selection[+], or type selection number: 1

Install caching-nameserver config:

yum install caching-nameserver

Install Build tools:

yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17

openssl-devel subversion ncurses-devel -y

Configure Network Alias

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1

Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0:1 to look like this: DEVICE=eth0:1

BOOTPROTO=static

BROADCAST=192.168.1.255

30

IPADDR=192.168.1.6

NETMASK=255.255.255.0

NETWORK=192.168.1.0

ONBOOT=yes

Install Webmin / Virtualmin

Import webmin pgp key:

wget http://www.webmin.com/jcameron-key.asc

rpm --import jcameron-key.asc

Download the rpm:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm

Verify the rpm (should say OK or else download again):

rpm --checksig webmin-1.390-1.noarch.rpm

Install the rpm:

rpm -Uvh webmin-1.390-1.noarch.rpm

Initial Webmin Config

We need to secure webmin by editing /etc/webmin/miniserv.conf and make the following

changes:

Using SSL only:

ssl=1

Change the port to 443 and bind to the second nic only:

port=443

bind=192.168.1.6

Disable UDP broadcasts:

#listen=10000

Change host lockout on login failures to 3 :

31

blockhost_failures=3

Increase host lockout timeout to 120:

blockhost_time=120

Change user lockout on login failures to 3:

blockuser_failures=3

Change user lockout timeout to 120:

blockuser_time=120

Change the realm to something else:

realm=cpanel

Log logins to utmp:

utmp=1

Install the webmin Tiger theme:

Login to webmin via https://192.168.1.5:10000 using root and your password.

Go to webmin ? Configuration ? webmin themes.

Select From ftp or http URL and enter http://www.stress-free.co.nz/files/theme-

stressfree.tar.gz

Click install theme.

Click "return to list themes".

Select StressFree as the Current theme then click change.

Install php-pear module:

Go to webmin ? webmin configuration ? webmin modules.

Select Third party module from and enter

http://www.webmin.com/download/modules/php-pear.wbm.gz.

Click install module.

Install virtualmin:

Go to webmin ? webmin configuration ? webmin modules.

Select install from ftp or http URL and enter

http://download.webmin.com/download/virtualmin/virtual-server-3.51.gpl.wbm.gz

Click install module.

32

Remove unwanted modules Go to webmin ? webmin configuration ? delete and select the

following:

ADSL client

Bacula backup system

CD Burner

CVS Server

Cluster change passwords

Cluster copy files

Cluster cron jobs

Cluster shell commands

Cluster software packages

Cluster usermin servers

Cluster users and groups

Cluster webmin servers

Command shell

Configuration engine

Custom commands

DHCP server

Fetchmail mail retrieval

File manager

Frox ftp proxy

HTTP Tunnel

Heartbeat monitor

IPsec VPN

Jabber IM server

LDAP server

Logical volume management

Majordomo list manager

NFS exports

NIS client and server

OpenSLP server

PPP dialin server

PPP dialup client

PPTP vpn server

PPTP vpn client

Postgresql database server

Printer admin

ProFTPD server

QMAIL mail server

SMART drive status

SSH / Telnet login

SSL tunnels

SAMBA windows file sharing

Scheduled commands

Sendmail mail server

33

Shoreline firewall

Squid analysis report generator

Squid proxy server

Voicemail server

WU-FTP server

Idmapd server

Restart webmin:

service webmin restart

Configure Rpmforge Repo

rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

NOTE: If you are using a different architecture check on

https://rpmrepo.org/RPMforge/Using for the correct rpm

Disable the repo (such that base packages not overwritten) edit /etc/yum.d/rpmforge.repo

and set the following option:

enabled = 0

Install Extra Required Packages

Install clamav:

yum --enablerepo=rpmforge install clamav clamav-db clamav-milter clamd -y

wget http://www.topdog-software.com/files/clamav-milter.patch

patch /etc/init.d/clamav-milter < clamav-milter.patch

chkconfig --del clamd

freshclam

Install sanesecurity signatures:

wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O

/usr/local/bin/update_sanesecurity.sh

chmod +x /usr/local/bin/update_sanesecurity.sh

ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/

/usr/local/bin/update_sanesecurity.sh

Install PHP eaccelerator:

34

yum --enablerepo=rpmforge install php-eaccelerator

Install newer spamassassin package from rpmforge:

yum --enablerepo=rpmforge upgrade spamassassin

Install spamass-milter:

yum --enablerepo=rpmforge install spamass-milter

Install perl modules required by spamassassin:

perl -MCPAN -e 'install Mail::SPF'

perl -MCPAN -e 'install Mail::SPF::Query'

perl -MCPAN -e 'install Net::Ident'

perl -MCPAN -e 'install IP::Country::Fast'

perl -MCPAN -e 'install Mail::DomainKeys'

perl -MCPAN -e 'install Mail::DKIM'

Install fuzzyOCR:

yum --enablerepo=rpmforge install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y

svn co https://svn.own-hero.net/fuzzyocr/trunk/devel/

cd devel/

perl -MCPAN -e 'install String::Approx'

perl -MCPAN -e 'install Time::HiRes'

perl -MCPAN -e 'install Log::Agent'

cp -rv

{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}

/etc/mail/spamassassin

chcon -R system_u:object_r:etc_mail_t

/etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOc

r.words,FuzzyOcr/}

wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O

/etc/mail/spamassassin/FuzzyOcr.words

Install Razor:

yum --enablerepo=rpmforge install razor-agents -y

Install roundcube:

yum install php-imap

rpm -Uvh http://www.topdog-software.com/oss/roundcube/roundcube-0.1-rc2.noarch.rpm

35

Install imapproxy:

wget http://imapproxy.org/downloads/up-imapproxy-1.2.6.tar.gz

rpmbuild -tb up-imapproxy-1.2.6.tar.gz

rpm -Uvh /usr/src/redhat/RPMS/i386/up-imapproxy-1.2.6-1.i386.rpm

Activate services:

chkconfig --level 345 httpd on

chkconfig --level 345 postfix on

chkconfig --level 345 spamassassin on

chkconfig --level 345 spamass-milter on

chkconfig --level 345 clamav-milter on

chkconfig --level 345 mysqld on

chkconfig --level 345 named on

chkconfig --level 345 vsftpd on

chkconfig --level 345 dovecot on

chkconfig --level 345 imapproxy on

Configuration

Postfix Setup

Introduction

We will be setting up postfix with the following features:

Virtual hosting

UCE prevention

Anti virus

SMTP authentication

TLS

RBLs

SPF

Attack mitigation

The adding of accounts and domains with be configured through virtualmin although it can be

done manually as well. The setup is designed to be resource friendly so should be able to run on

machines that are not over spec'ed so enabling the resources to be put to better use. To make it

resource friendly we are not using external databases to store virtual user information like most

other how-to's do as well as using milters for spam and virus checking as opposed to running

amavisd-new.

The Basics

36

To begin with we will configure the basics such as the hostname, mail origin, networks, hash

maps spool directory. All these configuration options should be added to /etc/postfix/main.cf

unless stated. Sample configuration files are available for download at the end of this page.

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mydomain = example.com

myorigin = $mydomain

mynetworks = 127.0.0.0/8

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

canonical_maps = hash:/etc/postfix/canonical

sender_canonical_maps = hash:/etc/postfix/canonical

recipient_canonical_maps = hash:/etc/postfix/canonical

virtual_alias_maps = hash:/etc/postfix/virtual

mail_spool_directory = /var/spool/mail

Maildir

We will use the much improved maildir format as opposed to the default mbox format:

home_mailbox = Maildir/

SASL

To perform SMTP authentication we will be using SASL, however we will not use the Cyrus

SASL as that requires us to run the saslauthd daemon, we will instead use dovecot sasl since we

will be running dovecot for IMAP and POP3 thus killing 2 birds with one stone.

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

TLS

We need TLS to ensure that the plain text passwords are not transmitted over the wire during

SMTP authentication, servers that support TLS are also able to communicate with this server

over a secured connection.

Instructions on creating your server certificate signed by cacert.org are can be found here.

Set TLS random source:

tls_random_source = dev:/dev/urandom

37

Enable server TLS:

smtpd_use_tls = yes

smtpd_tls_key_file = /etc/pki/postfix/key.pem

smtpd_tls_cert_file = /etc/pki/postfix/server.pem

smtpd_tls_CAfile = /etc/pki/postfix/root.crt

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

Enable client TLS:

smtp_use_tls = yes

smtp_tls_key_file = /etc/pki/postfix/key.pem

smtp_tls_cert_file = /etc/pki/postfix/server.pem

smtp_tls_CAfile = /etc/pki/postfix/root.crt

smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache

smtp_tls_note_starttls_offer = yes

Spam Prevention

Require a valid EHLO / HELO:

smtpd_helo_required = yes

Prevent email address harvesting attacks:

disable_vrfy_command = yes

Change reject codes to permanent (by default postfix issues 4xx error codes which

implies temporary failure we need 5xx for permanent errors):

unverified_recipient_reject_code = 550

unverified_sender_reject_code = 550

unknown_local_recipient_reject_code = 550

Setup sender address verification:

address_verify_map = btree:/var/spool/postfix/verify

smtpd_sender_restrictions = hash:/etc/postfix/sender_access

Create /etc/postfix/sender_access and add:

#sample /etc/postfix/sender_access contains frequently spoofed domains

aol.com reject_unverified_sender

hotmail.com reject_unverified_sender

yahoo.com reject_unverified_sender

gmail.com reject_unverified_sender

bigfoot.com reject_unverified_sender

38

Mitigate attacks from zombies and broken clients:

smtpd_error_sleep_time = 5s

smtpd_soft_error_limit = 10

smtpd_hard_error_limit = 20

Only allow pipelining from authenticated clients:

smtpd_data_restrictions = reject_unauth_pipelining

Install postfix-policyd-spf-perl and enable SPF support:

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz

tar xzvf postfix-policyd-spf-perl-2.005.tar.gz

cd postfix-policyd-spf-perl-2.005

cp postfix-policyd-spf-perl /etc/postfix/

Add this to /etc/postfix/master.cf:

spfpolicy unix - n n - - spawn user=nobody

argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl

Add DKIM support:

Instructions on adding DKIM support can be found here.

Add domainkeys support:

Instructions on adding domainkeys support can be found here.

Getting it all to work depends on the smtpd_recipient_restrictions option so we set it

below:

smtpd_recipient_restrictions =

permit_mynetworks

permit_sasl_authenticated

reject_unauth_destination

check_recipient_access hash:/etc/postfix/access

reject_unknown_recipient_domain

reject_unknown_sender_domain

reject_unverified_recipient

reject_non_fqdn_recipient

reject_non_fqdn_sender

reject_invalid_hostname

reject_rbl_client list.dsbl.org

reject_rbl_client zen.spamhaus.org

reject_rbl_client l1.spews.dnsbl.sorbs.net

reject_rbl_client combined.njabl.org

reject_rbl_client bl.spamcop.net

reject_rhsbl_sender dsn.rfc-ignorant.org

reject_rhsbl_sender bogusmx.rfc-ignorant.org

39

reject_rhsbl_sender rhsbl.sorbs.net

reject_rhsbl_client dsn.rfc-ignorant.org

reject_rhsbl_client bogusmx.rfc-ignorant.org

reject_rhsbl_client rhsbl.sorbs.net

check_policy_service unix:private/spfpolicy

Milters [SpamAssassin & ClamAV]

For your spam classification using spamassassin and virus scanning using clamav we will be

using postfix's milter interface instead of using the resource intensive amavisd-new daemon. This

is a very efficient way of doing it as we don't even have to run clamd the clamav milter does the

scanning itself.

smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock

non_smtpd_milters = unix:/var/clamav/clmilter.soc

Create DB Files

postmap /etc/postfix/canonical

postmap /etc/postfix/access

postmap /etc/postfix/virtual

postmap /etc/postfix/sender_access

Sample Configuration Files

main.cf

master.cf

canonical

virtual

Dovecot Setup Introduction

This will setup dovecot as our IMAP/POP3 server.

Basic Configuration

We will setup dovecot for IMAP and POP3 and disable SSL. protocols = imap pop3

listen = *

ssl_listen = *

ssl_disable = yes

Maildir

We will use the maildir format as opposed to the default mbox format. mail_location = maildir:~/Maildir

Authentication & SASL

40

Configure dovecot to use LOGIN and PLAIN as the authentication mechanisims as many

MS clients are unable to use encrypted authentication mechanisms. We also setup the

SASL socket to enable postfix to authenticate SMTP connections using dovecot.

auth default {

mechanisms = plain login

passdb pam {

}

userdb passwd {

}

socket listen {

client {

path = /var/spool/postfix/private/auth

mode = 0660

user = postfix

group = postfix

}

}

}

Client Issues

Some MS imap clients in the outlook family have issues with both thier IMAP and POP3

implementations so we need to accommodate them by setting up these work arounds:

protocol imap {

imap_client_workarounds = outlook-idle delay-newmail

}

protocol pop3 {

pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

}

Run IMAP Behind Proxy

The imap server is configured to run on port 10143 such that port 143 is handled by the imap

proxy server that will improve performance for your webmail by caching connections to the

imap server. The listen option under protocol sets this up.

protocol imap {

imap_client_workarounds = outlook-idle delay-newmail

listen = 127.0.0.1:10143

}

Sample files

dovecot.conf

41

Setup Imap Proxy

Introduction

imapproxy was written to compensate for webmail clients that are unable to maintain persistent

connections to an IMAP server. Most webmail clients need to log in to an IMAP server for

nearly every single transaction. This behaviour can cause tragic performance problems on the

IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a

short time after a webmail client logs out. When the webmail client connects again, imapproxy

will determine if there's a cached connection available and reuse it if possible. - according to the

imapproxy website.

Configuration

Make the following changes in the file /etc/imapproxy.conf:

server_hostname 127.0.0.1

cache_size 3072

listen_port 143

server_port 10143

cache_expiration_time 900

proc_username nobody

proc_groupname nobody

stat_filename /var/run/pimpstats

protocol_log_filename /var/log/imapproxy_protocol.log

syslog_facility LOG_MAIL

send_tcp_keepalives no

enable_select_cache yes

foreground_mode no

force_tls no

enable_admin_commands no

Sample Files

imapproxy.conf

Bind Setup

Introduction

Bind will be set up chrooted to improve security we will also use views to prevent abuse of the

dns server.

42

Basic Configuration

The basic configuration disables by default, recursive queries and zone transfers. We also

obscure the version of BIND we are running such that we are not hit by zero day vulnerabilities

from script kiddies.

options {

directory "/var/named";

pid-file "/var/run/named/named.pid";

listen-on {

127.0.0.1;

192.168.1.5;

};

version "just guess";

allow-recursion { "localhost"; };

allow-transfer { "none"; };

};

Logging

The logging is customized to remove the annoying "lame-server" and update errors that appear in

the logs:

logging {

category update { null; };

category update-security { null; };

category lame-servers{ null; };

};

Chroot

Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot

package):

ROOTDIR=/var/named/chroot

Point Server

Let the machine use this server for dns resolution edit /etc/resolv.conf and prepend:

nameserver 127.0.0.1

43

Sample files

named.conf

/etc/sysconfig/named

Vsftpd Setup

Introduction

We will use vsftpd as our ftp server. This has a better track record as opposed to the proftpd &

wuftpd servers.

Basic Setting

Our basic setup disables anonymous users, and enables local system users to connect to the ftp

server.

anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

anon_upload_enable=NO

anon_mkdir_write_enable=NO

dirmessage_enable=YES

xferlog_enable=YES

connect_from_port_20=YES

xferlog_file=/var/log/vsftpd.log

xferlog_std_format=YES

ftpd_banner=Welcome to example.com server

pam_service_name=vsftpd

tcp_wrappers=YES

Chroot

All users will be chrooted to their home directories (except usernames in the

/etc/vsftpd/chroot_list file) meaning the cannot break out and see other users files.

chroot_list_enable=YES

chroot_local_user=YES

chroot_list_file=/etc/vsftpd/chroot_list

Banned Users

44

Users added to the file /etc/vsftpd/user_list will not be allowed to login:

userlist_enable=YES

Sample Files

vsftpd.conf

user_list

chroot_list

Clamav Milter Setup

Edit /etc/sysconfig/clamav-milter:

CLAMAV_FLAGS="

--config-file=/etc/clamd.conf

--force-scan

--local

--max-children=5

--sendmail-cf=

--outgoing

--quiet

"

SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"

Patch the init file to fix socket permissions:

wget http://www.topdog-software.com/files/clamav-milter.patch

patch /etc/init.d/clamav-milter < clamav-milter.patch

MySQL Setup

Basic Config

Listen only to the localhost, edit /etc/my.cnf under the mysqld section:

bind-address = 127.0.0.1

Set Root Password

Set the root password:

service mysqld start

mysqladmin -u root password NEWPASSWORD

45

SpamAssassin Setup

Basic Config

required_hits 5

report_safe 0

rewrite_header Subject [SPAM]

Create MySQL Database

Create the database:

mysqladmin -p create bayes

Populate the database:

mysql -p bayes < /usr/share/doc/spamassassin-$(rpm --qf %{VERSION} -q

spamassassin)/sql/bayes_mysql.sql

Create the user:

mysql -p

mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';

Configure To Use DB

Edit the file /etc/mail/spamassassin/local.cf and add:

bayes_store_module Mail::SpamAssassin::BayesStore::MySQL

bayes_sql_dsn DBI:mysql:bayes:localhost

bayes_sql_override_username bayes

bayes_sql_username bayes

bayes_sql_password password

Configure FuzzyOCR

We will be storing the image hashes in a mysql database to improve on performance such that

images that we have already scanned do not get scanned again as OCR is a resource intense

activity.

46

Create MySQL Database

The sql script creates the database and tables and adds a user fuzzyocr with the password

fuzzyocr:

mysql -p < /usr/local/src/devel/FuzzyOcr.mysql

Change the password:

mysqladmin -u fuzzyocr -p fuzzyocr password

Basic Settings

Edit /etc/mail/spamassassin/FuzzyOCR.cf and set the basic options:

focr_path_bin /usr/bin:/usr/local/bin

focr_minimal_scanset 1

focr_autosort_scanset 1

focr_enable_image_hashing 3

focr_logfile /tmp/FuzzyOcr.log

Make FuzzyOCR Use The Database

Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:

focr_mysql_db FuzzyOcr

focr_mysql_hash Hash

focr_mysql_safe Safe

focr_mysql_user fuzzyocr

focr_mysql_pass password

focr_mysql_host localhost

focr_mysql_port 3306

focr_mysql_socket /var/lib/mysql/mysql.sock

SARE Rule Updates

Import the GPG key used to sign the rules:

mkdir /etc/mail/spamassassin/sa-update-keys/

chmod 700 /etc/mail/spamassassin/sa-update-keys/

47

wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY

sa-update --import GPG.KEY

Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:

updates.spamassassin.org

72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net

70_sare_evilnum0.cf.sare.sa-update.dostech.net

70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net

70_sare_html0.cf.sare.sa-update.dostech.net

70_sare_html_eng.cf.sare.sa-update.dostech.net

70_sare_header0.cf.sare.sa-update.dostech.net

70_sare_header_eng.cf.sare.sa-update.dostech.net

70_sare_specific.cf.sare.sa-update.dostech.net

70_sare_adult.cf.sare.sa-update.dostech.net

72_sare_bml_post25x.cf.sare.sa-update.dostech.net

99_sare_fraud_post25x.cf.sare.sa-update.dostech.net

70_sare_spoof.cf.sare.sa-update.dostech.net

70_sare_random.cf.sare.sa-update.dostech.net

70_sare_oem.cf.sare.sa-update.dostech.net

70_sare_genlsubj0.cf.sare.sa-update.dostech.net

70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net

70_sare_unsub.cf.sare.sa-update.dostech.net

70_sare_uri0.cf.sare.sa-update.dostech.net

70_sare_obfu0.cf.sare.sa-update.dostech.net

70_sare_stocks.cf.sare.sa-update.dostech.net

Create an update script /usr/local/bin/update-sa:

#!/bin/bash

#

#

sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt

--gpgkey 856AA88A &>/var/log/sa-updates.log

Make it executable and add to cron:

chmod +x /usr/local/bin/update-sa

ln -s /usr/local/bin/update-sa /etc/cron.daily/

ln -s /usr/local/bin/update-sa /etc/cron.hourly/

Spamass-milter Setup

Basic Configuration

Edit /etc/sysconfig/spamass-milter:

SOCKET=/var/run/spamass.sock

EXTRA_FLAGS="-m -r 8"

48

Patch

We need to patch the init file to fix the permissions of the socket created such that postfix is able

to use the socket.

wget http://www.topdog-software.com/files/spamass-milter.patch

patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch

Apache Setup

Disable Modules

We will disable some modules that we are not using thus freeing up memory and also improving

security.

Edit /etc/httpd/conf/httpd.conf and comment out the modules as below.

#LoadModule ldap_module modules/mod_ldap.so

#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

#LoadModule dav_module modules/mod_dav.so

#LoadModule status_module modules/mod_status.so

#LoadModule dav_fs_module modules/mod_dav_fs.so

#LoadModule proxy_module modules/mod_proxy.so

#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

#LoadModule proxy_http_module modules/mod_proxy_http.so

#LoadModule proxy_connect_module modules/mod_proxy_connect.so

#LoadModule cache_module modules/mod_cache.so

#LoadModule disk_cache_module modules/mod_disk_cache.so

#LoadModule file_cache_module modules/mod_file_cache.so

#LoadModule mem_cache_module modules/mod_mem_cache.so

Edit /etc/httpd/conf.d/proxy_ajp.conf and comment out as below:

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen To One IP For HTTPS

Apache has to be configured to listed to one address for port 443 as webmin will be using the

same port. Edit /etc/httpd/conf.d/ssl:

Listen 192,168.1.6:443

49

Enable Gzip Compression

We setup gzip compression via the mod_deflate module to improve web server performance and

to cut down on bandwidth usage by compressing responses to the client.

SetOutputFilter DEFLATE

BrowserMatch ^Mozilla/4 gzip-only-text/html

BrowserMatch ^Mozilla/4\.0[678] no-gzip

BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

SetEnvIfNoCase Request_URI \

\.(?:gif|jpe?g|png)$ no-gzip dont-vary

Header append Vary User-Agent env=!dont-vary

Set up logging for the deflate module:

DeflateFilterNote deflate_ratio

LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct."

vhost_with_deflate_info

CustomLog logs/deflate_access_log vhost_with_deflate_info

Increase PHP Max Memory

Edit the file /etc/php.ini and set the following:

memory_limit = 64M

Enable Virtual Hosting

NameVirtualHost *:80

Create Default Virtual Host

This needs to be the first virtual host, it will be the default on the server the equivalent of the

server with out virtual hosting.

<VirtualHost *:80>

Servername localhost.localdomain

Serveradmin root@localhost.localdomain

</Virtualhost>

Roundcube Webmail Setup

50

Create Database

Create the database and add the roundcube user.

mysqladmin -p create roundcube

mysql -p

mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';

Initialize the database:

mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql

Basic Config

Configure database DSN in /var/www/roundcube/config/db.inc.php:

$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';

Configure roundcube in /var/www/roundcube/config/main.inc.php:

$rcmail_config['default_host'] = 'localhost';

$rcmail_config['default_port'] = 143;

$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';

$rcmail_config['smtp_server'] = 'localhost';

$rcmail_config['smtp_port'] = 25;

$rcmail_config['smtp_helo_host'] = 'localhost';

Set Up Catch All Virtualhost

As we will be providing webmail for all domains that are created on the system we need to setup

a catch all virtualhost that can display roundcube when ever a user accesses

http://webmail.domainname. Edit /etc/httpd/conf/httpd.conf and append:

<VirtualHost *:80>

ServerName webmail.example.com

ServerAlias webmail.*

DocumentRoot /var/www/roundcube

<Directory /var/www/roundcube>

Options -Indexes IncludesNOEXEC FollowSymLinks

allow from all

</Directory>

</VirtualHost>

51

Firewall Setup

Introduction

This is a basic firewall it may not suit your needs, firewalling is an art so i recommend to read

into it to improve on this basic one.

Basic Config

Add these rules in your configuration file /etc/sysconfig/iptables:

*raw

:PREROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

COMMIT

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

COMMIT

*mangle

:PREROUTING ACCEPT [0:0]

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

COMMIT

*filter

:FORWARD DROP [0:0]

:INPUT DROP [0:0]

:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -s 127.0.0.1 -j ACCEPT

-A OUTPUT -s 192.168.1.5 -j ACCEPT

-A OUTPUT -s 192.168.1.6 -j ACCEPT

COMMIT

Activate Config

service iptables restart

Configure Virtualmin

Introduction

52

Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will

be using it to provide the virtual hosting functions such as creation of domains, accounts and

maintaining configurations on the system.

Start Services

You need to start up services that are required to be able to configure virtualmin. Start the

following services:

service named start

service spamassassin start

service spamass-milter start

service clamav-milter start

service postfix start

service dovecot start

service imapproxy start

service httpd start

Initial Settings

MySQL

Webmin needs to be able to communicate with mysql since we have set a password for mysql we

need to set that up in webmin, go to servers ? mysql and enter this information:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Configure Features

You need to enable the features and plugins that we want to use. On login this is the screen that

you will see.

53

Enable the following features and save

o Home directory

o Administration user

o Mail for domain

o BIND DNS domain

o Apache website

o Webalizer reporting

o Log file rotation

o Mysql database

o Webmin user

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Configure Server Templates

Server template are used to customize the services and to create packages for different hosting

account types.

Apache Template

You can make changes to the way apache virtual hosts are created by editing this template, The

defaults however will do for purposes of this howto.

54

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Domain Owner Template

This template is used to configure various server limits such as number of

mailboxes,aliases,databases,virtual servers and other options like bandwidth limits, admin

abilities. For this howto we will use the default values.

55

Home Directory Template

This template allows you to set a skel directory to hold setting for new users for this howto we

will use the defaults.

Administration User

This template lets you set the quota for the virtual server and the admin user for this howto we

will use the default quota 1GB.

56

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Mail For Domain Template

This template sets various mail related options, we will modify the email message sent on server

creation to have the content below:

The following virtual server has been set up successfully :

Domain name: ${DOM}

Hosting server: ${HOSTNAME}

${IF-VIRT}

Virtual IP address: ${IP}

${ENDIF-VIRT}

Administration login: ${USER}

Administration password: ${PASS}

${IF-WEBMIN}

Administration URL: ${WEBMIN_PROTO}://www.${DOM}:${WEBMIN_PORT}/

${ENDIF-WEBMIN}

${IF-WEB}

Website: http://www.${DOM}/

${IF-WEBALIZER}

Webalizer log reporting: Enabled

${ELSE-WEBALIZER}

Webalizer log reporting: Disabled

${ENDIF-WEBALIZER}

${ENDIF-WEB}

${IF-MAIL}

Email domain: ${DOM}

SMTP server: mail.${DOM}

POP3 server: mail.${DOM}

Webmail: webmail.${DOM}

${ENDIF-MAIL}

${IF-DNS}

DNS domain: ${DOM}

Nameserver: ${HOSTNAME}

${ENDIF-DNS}

${IF-MYSQL}

MySQL database: ${DB}

MySQL login: ${MYSQL_USER}

MySQL password: ${PASS}

${ENDIF-MYSQL}

${IF-POSTGRES}

PostgreSQL database: ${DB}

PostgreSQL login: ${USER}

PostgreSQL password: ${PASS}

${ENDIF-POSTGRES}

We will leave the other options as the defaults.

57

BIND DNS Domain Template

This template is used to customize the zones that will be created by virtualmin. The changes to

be made are adding a spf record, add the following records to auto generated text box (replace

ns1.home.topdog-software.com. with your slave server):

@ IN NS ns1.home.topdog-software.com. ;slave

admin IN A 192.168.1.6 ;virtualmin

webmail IN A 192.168.1.5 ;webmail

In the directives text box add the following with the IP address of your slave server such that the

slave is allowed to do zone transfers.

allow-transfer { 192.168.1.2; };

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

MySQL Database Template

Contains options on creation of databases by virtualmin, for the howto we will use the defaults.

58

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Webmin Login Template

Contains option on creation of new users by virtualmin, for the howto we will use the defaults.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Create Virtual Server

Finally we have a working virtual server system, lets create our first virtual server. Go to servers

? virtualmin virtual servers and click add new virtual server, owned by new user.

Fill in the require fields and click create.

59

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Add a mail user to the domain. click on the domain name, then click edit mail and FTP users,

then add user and fill in the information.

60

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Testing

Postfix

Test SMTP

telnet 192.168.1.5 25

Connected to localhost.

Escape character is '̂ ]'.

220 tds mail cluster

helo me

250 hosting1

mail from:address@yahoo.com

250 2.1.0 Ok

rcpt: andrew@example.com

250 2.1.0 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

From:address@yahoo.com

To:andrew@example.com

Subject:This is a test

Hi

This is a test

.

250 2.0.0 Ok: queued as 4ACCC7C5A6

telnet 192.168.1.5 25

Trying 192.168.1.5...

Connected to localhost.

Escape character is '̂ ]'.

220 tds mail cluster

ehlo me

250-hosting1

250-PIPELINING

250-SIZE 10240000

250-ETRN

250-STARTTLS

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

61

Test dkim

Send a mail to autorespond+dkim@dk.elandsys.com.

Test domainkeys

Send a mail to autorespond+dk@dk.elandsys.com.

Dovecot

Test POP3

telnet 192.168.1.5 110

+OK Dovecot ready.

user andrew.example

+OK

pass password

+OK Logged in.

quit

+OK Logging out.

Test IMAP

telnet 192.168.1.5 143

* OK Dovecot ready.

01 login andrew.example password

01 OK User logged in

01 list "" "*"

* LIST (\HasNoChildren) "." "Trash"

* LIST (\HasNoChildren) "." "Drafts"

* LIST (\HasNoChildren) "." "Junk"

* LIST (\HasNoChildren) "." "Sent"

* LIST (\HasNoChildren) "." "INBOX"

01 OK List completed.

01 logout

62

* BYE LOGOUT received

01 OK Completed

BIND

dig example.com @127.0.0.1

Clamav-milter

We are using the test virus from www.eicar.org.

telnet 192.168.1.5 25

Connected to localhost.

Escape character is '̂ ]'.

220 tds mail cluster

helo me

250 hosting1

mail from:address@yahoo.com

250 2.1.0 Ok

rcpt: andrew@example.com

250 2.1.0 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

.

550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net

quit

221 2.0.0 Bye

Take a lot at your /var/log/maillog you should see something like this:

73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]:

5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net;

from=<address@yahoo.com> to=<andrew@example.com> proto=SMTP helo=<me>

Spamass-milter

We are using the test message from http://spamassassin.apache.org/gtube/.

63

telnet 192.168.1.5 25

Connected to localhost.

Escape character is '̂ ]'.

220 tds mail cluster

helo me

250 hosting1

mail from:address@yahoo.com

250 2.1.0 Ok

rcpt: andrew@example.com

250 2.1.0 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-

EMAIL*C.34X

.

550 5.7.1 Blocked by SpamAssassin

quit

221 2.0.0 Bye

You will see this in your log files:

spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT