Virtual Hosting Howto With Virtualmin On CentOS 5.1
Version 1.0.1
Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net>
Last edited 14/04/2008
Introduction
This tutorial shows how to set up a CentOS 5.x server to offer all the services needed by virtual web hosters. These include web hosting, an SMTP server (with SMTP-AUTH, TLS, SPF, DKIM and DomainKeys), DNS, FTP, MySQL, POP3/IMAP, a firewall, and Webalizer for statistics.
I will use the following software:
Database Server: MySQL 5.0.22
Mail Server: Postfix 2.3.3
DNS Server: BIND9 9.3.3
Web Server: Apache 2.2.3 / PHP 5.1.6
FTP Server: Vsftpd 2.0.5
POP3/IMAP Server: Dovecot 1.0
Webalizer 2.01_10: site statistics
Virtualmin: control panel
OS Installation
Requirements
To install the system you will need:
CentOS 5.1 install media
A good internet connection
Install The Base System
NOTE: Some stages of the installation are not described here in the interest of keeping the howto short; the grub configuration stages, for instance, are left out.
Boot from the DVD or CD media and at the boot prompt type linux text.
Skip the media test.
Select your language:
Select keyboard layout:
Virtual Hosting Howto With Virtualmin On CentOS 5.1 http://www.howtoforge.com/book/print/3208/1/all
1 of 29 1/31/2009 2:54 AM
Configure your network. I will be using DHCP; if you do not have DHCP you can use static entries.
Select Yes to initialize drive:
Select custom layout for partitioning type:
Create partitions:
Configure networking:
Set IP address and netmask:
Set gateway and dns servers:
Set the hostname:
Set the timezone:
Set the root password:
Select server group and select customize software selection:
Package groups: select as follows.
DNS name server: bind-chroot
Editors: vim-enhanced
FTP server
Mail server: dovecot, spamassassin, postfix
MySQL Database: mysql-server
Web server: mod_ssl, webalizer, php, php-pear, http-suexec, php-mysql
Virtual Hosting Howto With Virtualmin On CentOS 5.1 http://www.howtoforge.com/book/print/3208/1/all
8 of 29 1/31/2009 2:54 AM
Start the installation:
File system is formatted:
The installation will run:
Reboot the system:
Copyright © 2008 Andrew Colin KissaAll Rights Reserved.
Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 2
Services To Disable
To enhance security and free system resources we need to disable any services that are not required. You can run this script to do this for you.
acpid
anacron
apmd
autofs
bluetooth
cups
firstboot
gpm
haldaemon
messagebus
mdmonitor
hidd
ip6tables
kudzu
lvm2-monitor
netfs
nfslock
pcscd
portmap
rpcgssd
rpcidmapd
sendmail
smartd
yum-updatesd
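The page refers to a script for this step but does not reproduce it. The following is an added example (my own, not the author's script) of how such a script can be written in POSIX sh so that it can be reviewed before it is run: by default it only prints the chkconfig and service commands it would execute, and it runs them only when APPLY=1 is set. It assumes the SysV chkconfig and service tools of a CentOS 5 host when APPLY=1; the service list is the one given above.

```shell
#!/bin/sh
# Added example, not the howto's own script: switch off the services the page
# lists. Preview by default; APPLY=1 executes the commands (run as root on the
# CentOS 5 host, where chkconfig and service exist).

# Service names exactly as listed on the page.
UNNEEDED_SERVICES="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon
messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd portmap
rpcgssd rpcidmapd sendmail smartd yum-updatesd"

# Print each command; execute it only when APPLY=1. A service that is not
# installed is reported on stderr but does not abort the run.
disable_services() {
    for svc in $UNNEEDED_SERVICES; do
        for cmd in "chkconfig $svc off" "service $svc stop"; do
            echo "$cmd"
            if [ "${APPLY:-0}" = "1" ]; then
                $cmd >/dev/null 2>&1 || echo "warning: '$cmd' failed (service absent?)" >&2
            fi
        done
    done
}

# Number of services that would be disabled; a quick sanity check before APPLY=1.
count_services() {
    set -- $UNNEEDED_SERVICES
    echo $#
}

# Stand-alone: preview only. Apply with: APPLY=1 sh disable-services.sh
disable_services
```

Review the preview once, then re-run with APPLY=1; because chkconfig and service are idempotent, running it a second time is harmless.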
Basics
We need to fix a few issues to prepare the system for configuration.
Install updates
yum upgrade
Switch the mta to postfix
alternatives --config mta
There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
   1           /usr/sbin/sendmail.postfix
*+ 2           /usr/sbin/sendmail.sendmail

Enter to keep the current selection[+], or type selection number: 1
Install caching-nameserver config:
yum install caching-nameserver
Install Build tools:
yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17 openssl-devel subversion ncurses-devel -y
Configure Network Alias
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1
Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0:1 to look like this:
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.6
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
Install Webmin / Virtualmin
Import webmin pgp key:
wget http://www.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
Download the rpm:
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm
Verify the rpm (should say OK or else download again):
rpm --checksig webmin-1.390-1.noarch.rpm
Install the rpm:
rpm -Uvh webmin-1.390-1.noarch.rpm
Initial Webmin Config
We need to secure webmin by editing /etc/webmin/miniserv.conf and making the following changes:
Use SSL only:
ssl=1
Change the port to 443 and bind to the second NIC only:
port=443
bind=192.168.1.6
Disable UDP broadcasts:
#listen=10000
Change host lockout on login failures to 3:
blockhost_failures=3
Increase host lockout timeout to 120:
blockhost_time=120
Change user lockout on login failures to 3:
blockuser_failures=3
Change user lockout timeout to 120:
blockuser_time=120
Change the realm to something else:
realm=cpanel
Log logins to utmp:
utmp=1
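The settings above are applied by hand in the howto. As an added example (not part of the page), the following POSIX sh script applies them to a miniserv.conf idempotently, so it can be re-run without producing duplicate keys, and then verifies that every hardening value is in place. The file path and the bind address are parameters; the values are the page's. The demo at the end works on a constructed copy so nothing on the host is changed; on the real server you would call harden_miniserv /etc/webmin/miniserv.conf 192.168.1.6 and restart webmin afterwards.

```shell
#!/bin/sh
# Added example, not part of the howto: idempotent miniserv.conf hardening plus
# a check. Keys and values are those given on the page.

# Last value of key= in a key=value file (empty if absent). $1=file $2=key
get_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set key=value: replace an existing line, otherwise append. Rewrites via a
# temp file so it does not depend on GNU sed -i. $1=file $2=key $3=value
set_opt() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')   # escape / and & for sed
    if grep -q "^$key=" "$file"; then
        tmp=$(mktemp) && sed "s/^$key=.*/$key=$esc/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Comment a key out (the page disables the UDP broadcast listener this way).
comment_opt() {
    tmp=$(mktemp) && sed "s/^$2=/#$2=/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Apply the page's settings. $1=miniserv.conf $2=address to bind to
harden_miniserv() {
    f=$1
    set_opt "$f" ssl 1
    set_opt "$f" port 443
    set_opt "$f" bind "$2"
    comment_opt "$f" listen
    set_opt "$f" blockhost_failures 3
    set_opt "$f" blockhost_time 120
    set_opt "$f" blockuser_failures 3
    set_opt "$f" blockuser_time 120
    set_opt "$f" realm cpanel
    set_opt "$f" utmp 1
}

# Return 0 only if every hardening value is present; report what is missing.
miniserv_check() {
    f=$1 rc=0
    for kv in ssl=1 port=443 blockhost_failures=3 blockhost_time=120 \
              blockuser_failures=3 blockuser_time=120 utmp=1; do
        key=${kv%%=*} want=${kv#*=}
        [ "$(get_opt "$f" "$key")" = "$want" ] || { echo "missing: $kv" >&2; rc=1; }
    done
    [ -n "$(get_opt "$f" bind)" ] || { echo "missing: bind=<address>" >&2; rc=1; }
    grep -q '^listen=' "$f" && { echo "listen= is still active" >&2; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed copy of a default-looking miniserv.conf.
demo=$(mktemp)
printf 'port=10000\nlisten=10000\nssl=0\nrealm=Webmin Server\n' > "$demo"
harden_miniserv "$demo" 192.168.1.6
miniserv_check "$demo" && echo "hardened OK:" && cat "$demo"
rm -f "$demo"
```

The check is worth keeping around on its own: run miniserv_check /etc/webmin/miniserv.conf after any webmin upgrade, since package updates can rewrite the file.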
Install the webmin Tiger theme:
Login to webmin via https://192.168.1.5:10000 using root and your password.
Go to webmin -> Configuration -> webmin themes.
Select "From ftp or http URL" and enter http://www.stress-free.co.nz/files/theme-stressfree.tar.gz
Click "install theme".
Click "return to list themes".
Select StressFree as the Current theme, then click change.
Install php-pear module:
Go to webmin -> webmin configuration -> webmin modules.
Select "Third party module from" and enter http://www.webmin.com/download/modules/php-pear.wbm.gz.
Click "install module".
Install virtualmin:
Go to webmin -> webmin configuration -> webmin modules.
Select "install from ftp or http URL" and enter http://download.webmin.com/download/virtualmin/virtual-server-3.51.gpl.wbm.gz
Click "install module".
Remove unwanted modules: go to webmin -> webmin configuration -> delete and select the following:
ADSL client
Bacula backup system
CD Burner
CVS Server
Cluster change passwords
Cluster copy files
Cluster cron jobs
Cluster shell commands
Cluster software packages
Cluster usermin servers
Cluster users and groups
Cluster webmin servers
Command shell
Configuration engine
Custom commands
DHCP server
Fetchmail mail retrieval
File manager
Frox ftp proxy
HTTP Tunnel
Heartbeat monitor
IPsec VPN
Jabber IM server
LDAP server
Logical volume management
Majordomo list manager
NFS exports
NIS client and server
OpenSLP server
PPP dialin server
PPP dialup client
PPTP vpn server
PPTP vpn client
Postgresql database server
Printer admin
ProFTPD server
QMAIL mail server
SMART drive status
SSH / Telnet login
SSL tunnels
SAMBA windows file sharing
Scheduled commands
Sendmail mail server
Shoreline firewall
Squid analysis report generator
Squid proxy server
Voicemail server
WU-FTP server
Idmapd server
Restart webmin:
service webmin restart
Configure Rpmforge Repo
rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
NOTE: If you are using a different architecture, check https://rpmrepo.org/RPMforge/Using for the correct rpm.
Disable the repo (so that base packages are not overwritten): edit /etc/yum.repos.d/rpmforge.repo and set the following option:
enabled = 0
Install Extra Required Packages
Install clamav:
yum --enablerepo=rpmforge install clamav clamav-db clamav-milter clamd -y
wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch
chkconfig --del clamd
freshclam
Install sanesecurity signatures:
wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh
Install PHP eaccelerator:
yum --enablerepo=rpmforge install php-eaccelerator
Install newer spamassassin package from rpmforge:
yum --enablerepo=rpmforge upgrade spamassassin
Install spamass-milter:
yum --enablerepo=rpmforge install spamass-milter
Install perl modules required by spamassassin:
perl -MCPAN -e 'install Mail::SPF'
perl -MCPAN -e 'install Mail::SPF::Query'
perl -MCPAN -e 'install Net::Ident'
perl -MCPAN -e 'install IP::Country::Fast'
perl -MCPAN -e 'install Mail::DomainKeys'
perl -MCPAN -e 'install Mail::DKIM'
Install fuzzyOCR:
yum --enablerepo=rpmforge install netpbm-progs ocrad gocr gifsicle giflib-utils giflib -y
svn co https://svn.own-hero.net/fuzzyocr/trunk/devel/
cd devel/
perl -MCPAN -e 'install String::Approx'
perl -MCPAN -e 'install Time::HiRes'
perl -MCPAN -e 'install Log::Agent'
cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words
Install Razor:
yum --enablerepo=rpmforge install razor-agents -y
Install roundcube:
yum install php-imap
rpm -Uvh http://www.topdog-software.com/oss/roundcube/roundcube-0.1-rc2.noarch.rpm
Install imapproxy:
wget http://imapproxy.org/downloads/up-imapproxy-1.2.6.tar.gz
rpmbuild -tb up-imapproxy-1.2.6.tar.gz
rpm -Uvh /usr/src/redhat/RPMS/i386/up-imapproxy-1.2.6-1.i386.rpm
Activate services:
chkconfig --level 345 httpd on
chkconfig --level 345 postfix on
chkconfig --level 345 spamassassin on
chkconfig --level 345 spamass-milter on
chkconfig --level 345 clamav-milter on
chkconfig --level 345 mysqld on
chkconfig --level 345 named on
chkconfig --level 345 vsftpd on
chkconfig --level 345 dovecot on
chkconfig --level 345 imapproxy on
Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 3
Configuration
Postfix Setup
Introduction
We will be setting up postfix with the following features:
Virtual hosting
UCE prevention
Anti virus
SMTP authentication
TLS
RBLs
SPF
Attack mitigation
The adding of accounts and domains will be configured through virtualmin, although it can be done manually as well. The setup is designed to be resource friendly, so it should be able to run on machines that are not over-specced, allowing the resources to be put to better use. To make it resource friendly we are not using external databases to store virtual user information, as most other how-tos do, and we use milters for spam and virus checking as opposed to running amavisd-new.
The Basics
To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps and the spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated otherwise. Sample configuration files are available for download at the end of this page.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail
Maildir
We will use the much improved maildir format as opposed to the default mbox format:
home_mailbox = Maildir/
SASL
To perform SMTP authentication we will be using SASL. However, we will not use Cyrus SASL, as that requires us to run the saslauthd daemon; we will instead use dovecot SASL, since we will be running dovecot for IMAP and POP3 anyway, thus killing 2 birds with one stone.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
TLS
We need TLS to ensure that plain text passwords are not transmitted over the wire during SMTP authentication; servers that support TLS are also able to communicate with this server over a secured connection.
Instructions on creating your server certificate signed by cacert.org can be found here.
Set TLS random source:
tls_random_source = dev:/dev/urandom
Enable server TLS:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
Enable client TLS:
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
Spam Prevention
Require a valid EHLO / HELO:
smtpd_helo_required = yes
Prevent email address harvesting attacks:
disable_vrfy_command = yes
Change reject codes to permanent (by default postfix issues 4xx codes, which imply a temporary failure; we need 5xx for permanent errors):
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
Setup sender address verification:
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
Create /etc/postfix/sender_access and add:
# sample /etc/postfix/sender_access: contains frequently spoofed domains
aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
Mitigate attacks from zombies and broken clients:
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Only allow pipelining from authenticated clients:
smtpd_data_restrictions = reject_unauth_pipelining
Install postfix-policyd-spf-perl and enable SPF support:
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/
Add this to /etc/postfix/master.cf:
spfpolicy unix - n n - - spawn user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl
Add DKIM support:
Instructions on adding DKIM support can be found here.
Add domainkeys support:
Instructions on adding domainkeys support can be found here.
Getting it all to work depends on the smtpd_recipient_restrictions option so we set it below:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unverified_recipient
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_invalid_hostname
    reject_rbl_client list.dsbl.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client l1.spews.dnsbl.sorbs.net
    reject_rbl_client combined.njabl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    reject_rhsbl_sender bogusmx.rfc-ignorant.org
    reject_rhsbl_sender rhsbl.sorbs.net
    reject_rhsbl_client dsn.rfc-ignorant.org
    reject_rhsbl_client bogusmx.rfc-ignorant.org
    reject_rhsbl_client rhsbl.sorbs.net
    check_policy_service unix:private/spfpolicy
Milters [SpamAssassin & ClamAV]
For spam classification using spamassassin and virus scanning using clamav we will be using postfix's milter interface instead of the resource intensive amavisd-new daemon. This is a very efficient way of doing it, as we don't even have to run clamd: the clamav milter does the scanning itself.
smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
Create DB Files
postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access
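As the page says, everything hinges on the ordering of smtpd_recipient_restrictions: reject_unauth_destination must come before any check_*_access or check_policy_service entry (those can return OK for a client that is not one of ours) or the server becomes an open relay. The following is an added example (my own, not the author's sample file) of a POSIX sh check for that ordering. It reads a main.cf on stdin, joins Postfix's whitespace-led continuation lines, and verifies that only permit_mynetworks and permit_sasl_authenticated precede reject_unauth_destination. The embedded main.cf fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the howto's sample main.cf: check that
# smtpd_recipient_restrictions cannot be made to relay for untrusted clients.

# Constructed main.cf fragment laid out the way the page does it.
SAMPLE_MAIN_CF='myhostname = mail.example.com
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access
    reject_rbl_client zen.spamhaus.org
    check_policy_service unix:private/spfpolicy
smtpd_helo_required = yes'

# Read main.cf on stdin; print the restriction tokens one per line. Lines that
# start with whitespace continue the previous setting (Postfix syntax); commas
# and whitespace both separate entries.
recipient_restrictions() {
    awk '
        /^[[:space:]]/ { if (inblock) val = val " " $0; next }
        { inblock = 0 }
        /^smtpd_recipient_restrictions[[:space:]]*=/ {
            sub(/^smtpd_recipient_restrictions[[:space:]]*=/, "")
            val = $0; inblock = 1
        }
        END {
            gsub(/,/, " ", val)
            n = split(val, tok, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
        }'
}

# Read main.cf on stdin; return 0 if reject_unauth_destination is present and
# nothing that could permit an untrusted client precedes it, 1 otherwise.
check_relay_order() {
    recipient_restrictions | awk '
        $0 == "reject_unauth_destination" { found = 1; exit }
        $0 == "permit_mynetworks" || $0 == "permit_sasl_authenticated" { next }
        /^(permit|permit_.*|check_.*)$/ {
            print "unsafe: " $0 " precedes reject_unauth_destination" > "/dev/stderr"
            bad = 1; exit
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Stand-alone demo on the constructed fragment; on the server run
#   check_relay_order < /etc/postfix/main.cf
if printf '%s\n' "$SAMPLE_MAIN_CF" | check_relay_order; then
    echo "relay ordering OK"
else
    echo "relay ordering UNSAFE"
fi
```

Run it after every edit to main.cf; a single access map moved above reject_unauth_destination is enough to fail the check, which is exactly the mistake the ordering rule exists to catch.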
Sample Configuration Files
main.cf
master.cf
canonical
virtual
Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 4
Dovecot Setup
Introduction
This will setup dovecot as our IMAP/POP3 server.
Basic Configuration
We will setup dovecot for IMAP and POP3 and disable SSL.
protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
Maildir
We will use the maildir format as opposed to the default mbox format.
mail_location = maildir:~/Maildir
Authentication & SASL
Configure dovecot to use LOGIN and PLAIN as the authentication mechanisms, as many MS clients are unable to use encrypted authentication mechanisms. We also set up the SASL socket to enable postfix to authenticate SMTP connections using dovecot.
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Client Issues
Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3 implementations, so we need to accommodate them by setting up these workarounds:
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
Run IMAP Behind Proxy
The IMAP server is configured to run on port 10143 so that port 143 is handled by the IMAP proxy server, which will improve performance for your webmail by caching connections to the IMAP server. The listen option under protocol sets this up.
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
  listen = 127.0.0.1:10143
}
Sample files
dovecot.conf
Setup Imap Proxy
Introduction
imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.
Configuration
Make the following changes in the file /etc/imapproxy.conf:
server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
Sample Files
imapproxy.conf
Bind Setup
Introduction
Bind will be set up chrooted to improve security; we will also use views to prevent abuse of the DNS server.
Basic Configuration
The basic configuration disables recursive queries and zone transfers by default. We also obscure the version of BIND we are running so that we are not hit by zero-day vulnerabilities from script kiddies.
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    listen-on { 127.0.0.1; 192.168.1.5; };
    version "just guess";
    allow-recursion { "localhost"; };
    allow-transfer { "none"; };
};
Logging
The logging is customized to remove the annoying "lame-server" and update errors that appear in the logs:
logging {
    category update { null; };
    category update-security { null; };
    category lame-servers { null; };
};
Chroot
Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot package):
ROOTDIR=/var/named/chroot
Point Server
Let the machine use this server for DNS resolution: edit /etc/resolv.conf and prepend:
nameserver 127.0.0.1
Sample files
named.conf
/etc/sysconfig/named
Vsftpd Setup
Introduction
We will use vsftpd as our FTP server. It has a better track record than the proftpd and wuftpd servers.
Basic Setting
Our basic setup disables anonymous users, and enables local system users to connect to the ftp server.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to example.com server
pam_service_name=vsftpd
tcp_wrappers=YES
Chroot
All users will be chrooted to their home directories (except usernames in the /etc/vsftpd/chroot_list file), meaning they cannot break out and see other users' files.
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
Banned Users
Users added to the file /etc/vsftpd/user_list will not be allowed to login:
userlist_enable=YES
Sample Files
vsftpd.conf
user_list
chroot_list
Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 5
Clamav Milter Setup
Edit /etc/sysconfig/clamav-milter:
CLAMAV_FLAGS=" --config-file=/etc/clamd.conf --force-scan --local --max-children=5 --sendmail-cf= --outgoing --quiet"
SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"
Patch the init file to fix socket permissions:
wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch
MySQL Setup
Basic Config
Listen on localhost only: edit /etc/my.cnf and add under the mysqld section:
bind-address = 127.0.0.1
Set Root Password
Set the root password:
service mysqld start
mysqladmin -u root password NEWPASSWORD
SpamAssassin Setup
Basic Config
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
Create MySQL Database
Create the database:
mysqladmin -p create bayes
Populate the database:
mysql -p bayes < /usr/share/doc/spamassassin-$(rpm --qf %{VERSION} -q spamassassin)/sql/bayes_mysql.sql
Create the user:
mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';
Configure To Use DB
Edit the file /etc/mail/spamassassin/local.cf and add:
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
Configure FuzzyOCR
We will be storing the image hashes in a MySQL database to improve performance, so that images we have already scanned do not get scanned again, as OCR is a resource intensive activity.
Create MySQL Database
The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:
mysql -p < /usr/local/src/devel/FuzzyOcr.mysql
Change the password:
mysqladmin -u fuzzyocr -p fuzzyocr password
Basic Settings
Edit /etc/mail/spamassassin/FuzzyOcr.cf and set the basic options:
focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log
Make FuzzyOCR Use The Database
Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock
SARE Rule Updates
Import the GPG key used to sign the rules:
mkdir /etc/mail/spamassassin/sa-update-keys/
chmod 700 /etc/mail/spamassassin/sa-update-keys/
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY
Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
Create an update script /usr/local/bin/update-sa:
#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log
Make it executable and add to cron:
chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly/
Spamass-milter Setup
Basic Configuration
Edit /etc/sysconfig/spamass-milter:
SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"
Patch
We need to patch the init file to fix the permissions of the socket it creates, so that postfix is able to use the socket.
wget http://www.topdog-software.com/files/spamass-milter.patch
patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch
Apache Setup
Disable Modules
We will disable some modules that we are not using, thus freeing up memory and also improving security.
Edit /etc/httpd/conf/httpd.conf and comment out the modules as below.
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
Edit /etc/httpd/conf.d/proxy_ajp.conf and comment out as below:
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
Listen To One IP For HTTPS
Apache has to be configured to listen on one address only for port 443, as webmin will be using the same port on the other address. Edit /etc/httpd/conf.d/ssl:
Listen 192.168.1.6:443
Enable Gzip Compression
We set up gzip compression via the mod_deflate module to improve web server performance and to cut down on bandwidth usage by compressing responses to the client.
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
Set up logging for the deflate module:
DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate_access_log vhost_with_deflate_info
Increase PHP Max Memory
Edit the file /etc/php.ini and set the following:
memory_limit = 64M
Enable Virtual Hosting
NameVirtualHost *:80
Create Default Virtual Host
This needs to be the first virtual host; it will be the default on the server, the equivalent of the server without virtual hosting.
<VirtualHost *:80>
    ServerName localhost.localdomain
    ServerAdmin [email protected]
</VirtualHost>
Roundcube Webmail Setup
Create Database
Create the database and add the roundcube user.
mysqladmin -p create roundcube
mysql -p
mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY 'password';
Initialize the database:
mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql
Basic Config
Configure database DSN in /var/www/roundcube/config/db.inc.php:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
Configure roundcube in /var/www/roundcube/config/main.inc.php:
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';
Set Up Catch All Virtualhost
As we will be providing webmail for all domains that are created on the system, we need to set up a catch-all virtualhost that displays roundcube whenever a user accesses http://webmail.domainname. Edit /etc/httpd/conf/httpd.conf and append:
<VirtualHost *:80>
    ServerName webmail.example.com
    ServerAlias webmail.*
    DocumentRoot /var/www/roundcube
    <Directory /var/www/roundcube>
        Options -Indexes IncludesNOEXEC FollowSymLinks
        allow from all
    </Directory>
</VirtualHost>
Firewall Setup
Introduction
This is a basic firewall; it may not suit your needs. Firewalling is an art, so I recommend reading into it to improve on this basic one.
Basic Config
Add these rules in your configuration file /etc/sysconfig/iptables:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
Activate Config
service iptables restart
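Once the ruleset is loaded it is worth confirming that the host exposes exactly the ports you meant to open and nothing else. The following is an added example (my own, not part of the howto) of a POSIX sh audit that reads rules in iptables-save format, which is also the format of /etc/sysconfig/iptables, lists the TCP ports the INPUT chain accepts (handling both --dport and multiport --dports), and compares them against an allowed list. The embedded ruleset is a constructed copy of the page's filter table; on the server feed it /etc/sysconfig/iptables or the output of iptables-save.

```shell
#!/bin/sh
# Added example, not part of the howto: audit which TCP ports an iptables-save
# style ruleset accepts on INPUT, and check them against an expected list.

# Constructed sample mirroring the page's filter table.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Read rules on stdin; print accepted INPUT TCP ports one per line, sorted and
# unique. Both "--dport N" and multiport "--dports A,B,C" are understood.
open_tcp_ports() {
    awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") ports = ports "," $(i + 1)
        }
        END {
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
        }' | sort -n | uniq
}

# Read rules on stdin; return 0 if the INPUT chain policy is DROP (default deny).
input_policy_is_drop() {
    grep -q '^:INPUT DROP'
}

# Read rules on stdin; return 0 if every open TCP port is in the allowed list
# given as $1 (space separated); otherwise report the offenders and return 1.
check_exposed_ports() {
    allowed=" $1 " rc=0
    for port in $(open_tcp_ports); do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected open TCP port: $port" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | input_policy_is_drop && echo "INPUT policy: DROP"
printf '%s\n' "$SAMPLE_RULES" | check_exposed_ports "21 22 25 53 80 110 143 443" \
    && echo "only the expected TCP ports are open"
```

A port that appears in the report but not in your allowed list is either a rule you forgot about or one somebody else added; either way it deserves a look before the next reboot reloads it.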
Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 6
Configure Virtualmin
Introduction
Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will be using it to provide the virtual hosting functions, such as the creation of domains and accounts and maintaining configurations on the system.
Start Services
You need to start up services that are required to be able to configure virtualmin. Start the following services:
service named start
service spamassassin start
service spamass-milter start
service clamav-milter start
service postfix start
service dovecot start
service imapproxy start
service httpd start
Initial Settings
MySQL
Webmin needs to be able to communicate with MySQL. Since we have set a password for MySQL, we need to configure it in Webmin: go to Servers -> MySQL and enter this information:
Configure Features
You need to enable the features and plugins that we want to use. On login this is the screen that you will see.
Enable the following features and save:
Home directory
Administration user
Mail for domain
BIND DNS domain
Apache website
Webalizer reporting
Log file rotation
Mysql database
Webmin user
Configure Server Templates
Server templates are used to customize the services and to create packages for different hosting account types.
Apache Template
You can change the way Apache virtual hosts are created by editing this template; the defaults, however, will do for the purposes of this howto.
Domain Owner Template
This template is used to configure various server limits such as the number of mailboxes, aliases, databases and virtual servers, and other options like bandwidth limits and admin abilities. For this howto we will use the default values.
Home Directory Template
This template allows you to set a skel directory holding the settings for new users; for this howto we will use the defaults.
Administration User
This template lets you set the quota for the virtual server and the admin user; for this howto we will use the default quota of 1GB.
Mail For Domain Template
This template sets various mail-related options. We will modify the email message sent on server creation to have the content below:
The following virtual server has been set up successfully :
Domain name: ${DOM}
Hosting server: ${HOSTNAME}
${IF-VIRT}
Virtual IP address: ${IP}
${ENDIF-VIRT}
Administration login: ${USER}
Administration password: ${PASS}
${IF-WEBMIN}
Administration URL: ${WEBMIN_PROTO}://www.${DOM}:${WEBMIN_PORT}/
${ENDIF-WEBMIN}
${IF-WEB}
Website: http://www.${DOM}/
${IF-WEBALIZER}
Webalizer log reporting: Enabled
${ELSE-WEBALIZER}
Webalizer log reporting: Disabled
${ENDIF-WEBALIZER}
${ENDIF-WEB}
${IF-MAIL}
Email domain: ${DOM}
SMTP server: mail.${DOM}
POP3 server: mail.${DOM}
Webmail: webmail.${DOM}
${ENDIF-MAIL}
${IF-DNS}
DNS domain: ${DOM}
Nameserver: ${HOSTNAME}
${ENDIF-DNS}
${IF-MYSQL}
MySQL database: ${DB}
MySQL login: ${MYSQL_USER}
MySQL password: ${PASS}
${ENDIF-MYSQL}
${IF-POSTGRES}
PostgreSQL database: ${DB}
PostgreSQL login: ${USER}
PostgreSQL password: ${PASS}
${ENDIF-POSTGRES}
We will leave the other options as the defaults.
BIND DNS Domain Template
This template is used to customize the zones that will be created by Virtualmin. The change to be made is adding an SPF record; add the following records to the auto-generated records text box (replace ns1.home.topdog-software.com. with your slave server):
@ IN NS ns1.home.topdog-software.com. ;slave
admin IN A 192.168.1.6 ;virtualmin
webmail IN A 192.168.1.5 ;webmail
In the directives text box add the following, with the IP address of your slave server, so that the slave is allowed to do zone transfers:
allow-transfer { 192.168.1.2; };
MySQL Database Template
Contains options on creation of databases by virtualmin, for the howto we will use the defaults.
Webmin Login Template
Contains options on the creation of new users by Virtualmin; for the howto we will use the defaults.
Create Virtual Server
Finally we have a working virtual server system, so let's create our first virtual server. Go to Servers -> Virtualmin Virtual Servers and click Add New Virtual Server, owned by a new user.
Fill in the required fields and click Create.
Add a mail user to the domain: click on the domain name, then click Edit Mail and FTP Users, then Add User, and fill in the information.
Testing
Postfix
Test SMTP
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From:[email protected]
To:[email protected]
Subject:This is a test

Hi
This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6

telnet 192.168.1.5 25
Trying 192.168.1.5...
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Test DKIM
Send a mail to [email protected].
Test DomainKeys
Send a mail to [email protected].
Dovecot
Test POP3
telnet 192.168.1.5 110
+OK Dovecot ready.
user andrew.example
+OK
pass password
+OK Logged in.
quit
+OK Logging out.
Test IMAP
telnet 192.168.1.5 143
* OK Dovecot ready.
01 login andrew.example password
01 OK User logged in
01 list "" "*"
* LIST (\HasNoChildren) "." "Trash"
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Junk"
* LIST (\HasNoChildren) "." "Sent"
* LIST (\HasNoChildren) "." "INBOX"
01 OK List completed.
01 logout
* BYE LOGOUT received
01 OK Completed
BIND
dig example.com @127.0.0.1
Clamav-milter
We are using the test virus from www.eicar.org.
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye
Take a look at your /var/log/maillog; you should see something like this:
73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<me>
Spamass-milter
We are using the test message from http://spamassassin.apache.org/gtube/.
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye
You will see this in your log files:
spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO,UNPARSEABLE_RELAY scantime=0.5,size=723,user=root,uid=99,required_score=5.0,
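Once both milters are in place, the two log formats shown above (the Postfix milter-reject line from clamav-milter and the spamd result line) are what you will want to watch in /var/log/maillog. The following Python script is an added example, not part of the howto: it extracts virus rejections and SpamAssassin verdicts from maillog text. The sample log lines are constructed from those two formats, with a made-up syslog prefix and placeholder addresses.

```python
"""Parse /var/log/maillog for milter rejections and SpamAssassin verdicts
(added example, not from the howto). The sample below is constructed from
the two log formats shown above; timestamps and addresses are made up."""
import re

SAMPLE_MAILLOG = """\
Apr 14 10:01:02 hosting1 postfix/cleanup[2201]: 73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net; from=<sender@example.com> to=<andrew@example.com> proto=SMTP helo=<me>
Apr 14 10:02:15 hosting1 spamd[1880]: spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO,UNPARSEABLE_RELAY scantime=0.5,size=723,user=root,uid=99,required_score=5.0,
Apr 14 10:03:40 hosting1 spamd[1880]: spamd: result: . 1 - AWL,MISSING_SUBJECT scantime=0.3,size=512,user=root,uid=99,required_score=5.0,
Apr 14 10:04:00 hosting1 postfix/smtpd[2210]: connect from localhost[127.0.0.1]
"""

MILTER_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): milter-reject: (?P<stage>\S+) from (?P<client>\S+): "
    r"(?P<status>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
SPAMD_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) "
    r".*required_score=(?P<req>[\d.]+)")

def parse_maillog(text):
    """Return (rejections, spam_results) found in maillog text."""
    rejections, results = [], []
    for line in text.splitlines():
        m = MILTER_RE.search(line)
        if m:                     # milter rejection reported by Postfix
            rejections.append(m.groupdict())
            continue
        m = SPAMD_RE.search(line)
        if m:                     # spamd scan result ('Y' = spam, '.' = ham)
            results.append({"spam": m["verdict"] == "Y",
                            "score": int(m["score"]),
                            "tests": m["tests"].split(","),
                            "required": float(m["req"])})
    return rejections, results

def virus_rejections(rejections):
    """Keep only rejections whose reason names a virus (ClamAV)."""
    return [r for r in rejections if r["reason"].startswith("virus ")]

if __name__ == "__main__":
    rej, res = parse_maillog(SAMPLE_MAILLOG)
    for r in virus_rejections(rej):
        print(f"{r['qid']}: {r['reason']} from {r['sender']} to {r['rcpt']}")
    for r in res:
        print("spam" if r["spam"] else "ham", r["score"], ",".join(r["tests"]))
```

Feed it the real file with `parse_maillog(open("/var/log/maillog").read())` to confirm the EICAR and GTUBE tests above were rejected rather than delivered.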