Installing a Debian-Linux System
Content
1) Foreword  
2) Prerequisites
3) First steps (last change: 2005)
4) Basic Installation using CD (last change: 2005)
5) Secondary Installations (last change: Summer 2008)
6) Enable pop3-mail with SSL-Certificate (last change: 2005)
9) Spamassassin, Procmail, uw-imap, RBL (last change: April 2008)
10) Enabling HTTPS (last change: Summer 2006)
11) Installation of Horde (last change: Summer 2006)
12) Additional Configurations (last change: January 2007)
13) Useful debian-commands (last change: Summer 2006)
 
1) Foreword

   This documentation is dedicated to all those who would like to set up their own web- and mailserver on Linux.

   OK, you will find all this information and much more if you search the web.
   But when I was setting up my own system (e.g. the webserver you are visiting at the moment)
   I noticed the lack of a full installation guide that goes from the beginning to the end.
   One of the reasons is probably that once you have installed your own system, you don't bother to document the steps,
   because when it is running you are just happy that it IS running. Another might be that there are so many ways of setting up the system,
   with so much different software and so many configurations, that everyone ends up with their own preferences.

   Anyway. - The following chapters describe how I set up my system. 
             Needless to say, you will have to replace 'chew.ch' with your own server name, etc...

   Because technologies are constantly on the move, it is possible that some steps might be different by now.

   Important: Because this will be a server, no fancy stuff like GUI's will be installed :-).
              Administration is done using an SSH-Shell. I use PUTTY.



2) Prerequisites

   The most important prerequisites are time, patience and motivation.
   If you have got all of this, nothing will stop you, but even if you have a full installation-guide like this here,
   you will certainly stumble over some problems which you will have to resolve yourself.

   Here are the secondary prerequisites:
   - basic UNIX knowledge (you should be familiar with shell commands like 'cd/pwd/ls/cp/mv' and so on)
   - a spare PC. (mine is a Pentium-III/800MHz/20GB Disk)
   - An (Ethernet-)Internet-Connection for the server. If the server is behind a firewall or a router, they need proper configuration
     (port forwarding for the services set up in the following chapters: SSH, SMTP, HTTP/HTTPS, IMAPS, POP3S).
     Easiest, if it is NOT behind a router or firewall; but then the host itself is the only line of defence,
     so everything that is not needed should stay uninstalled or switched off.
   - A domain name of your own.
     You can register a '.ch' domain name at www.switch.ch



3) First steps

   - download boot-image at debian.org.
     -> http://www.debian.org/devel/debian-installer/
     -> netinst CD image i386 (filename is sarge-i386-netinst.iso)

   - Burn image to CD:
     Possible CD-burning software: 'NERO'
     (I had problems using WinOnCD)

   - You will need a DNS (Domain Name) server to map the domain name you have registered to the IP address of your server:
     Open an account at www.zoneedit.com (it's free).



4) Basic Installation using CD

   Be sure that you have no valuable data on the PC (server).
   Enter the CD into the server and configure the BIOS so that it boots from CD.

   Here are my personal configurations for the basic installation:

   - Language: en
   - Keyboard: Swiss German
   - install GRUB-loader : Yes


4.1 Harddisks:
  ->> All Partitions (except hda2) need to be of Type Linux Ext3

  - hda (primary disk, 20 GB)
    - hda1  Boot Partition (350 MB)    mount on /     (boot=yes / physical)
    - hda2  Swap Partition (250 MB) -> end of disk for better performance
    - hda3  Software Partition (2 GB)  mount on /usr  (physical)
    - hda5  Data Partition (15 GB)     mount on /var  (logical)
    - hda6  Home Partition (2.8 GB)    mount on /home (logical)

  - hdb (secondary disk, 10 GB)
    - hdb1  backup disk (10 GB)   mount on /backup


  -> REBOOT without CD



4.2    Timezone
   - Hardware set to GMT: NO
   - timezone: Zurich

4.3    Users and Passwords
   create normal user-account: Yes
   - full Name: Leonard Chew
   - username:  leonard
   - Hostname:  rahl

4.4 Configure apt
   -> edit sources list by hand
      Yes, this is annoying and circuitous, but if you don't enter this manually,
      the installation might be completely different, because:
      -> the releases named after Toy Story characters (e.g. Woody/Sarge/Etch)
         are static, and always refer to the same release.
      -> the releases named 'stable/testing/unstable' are NOT static.
         Currently (beginning of 2005) the testing release is 'Sarge', but Sarge will soon
         become 'stable' and Etch will become 'testing'. ('Sid' is the permanent name of 'unstable'.)

    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ sarge main
    deb-src http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ sarge main
    deb http://security.debian.org/ sarge/updates main

   - for the time being, no other sites are needed.
   - However you might want to add some more later (just in case sunsite.cnlab-switch.ch is down):

    deb ftp://ftp.de.debian.org/debian sarge main
    deb-src ftp://ftp.de.debian.org/debian sarge main


4.5 Select and Install Packages
   - web-server
   - mail-server


4.5.1 Configuration Questions
   - Console-data  -> select keymap from arch list -> qwertz (for SwissGerman keyboard)
   - allow insecure passwords: no
   - continue without maildir: yes
   - Interface for selecting packages: Editor
   - Question-Priority: Medium

4.5.2 Mail-Configuration
   - general type of mail configuration: Internet
   - System mail-name: chew.ch (in whole document: substitute chew.ch with your own domain)
   - IP-Address to listen on for incoming SMTP-Connections: 
   - Other destination: 
   - Domains to relay:         
   - Machines to relay:        
   - Keep DNS-queries minimal: no

   - Note: This has installed the configuration in '/var/lib/exim4/config.autogenerated'
           It can be redone by using the command
           $ dpkg-reconfigure exim4-config


4.5.3 others

   - refresh the package lists (and then install the newest versions with 'apt-get upgrade';
     this is the first thing to do on a server that will be reachable from the Internet):
     $ apt-get update

   - set your default-editor
     (I prefer 'vi', but if you don't know how to use vi, choose another one)
     $ update-alternatives --config editor




5) Secondary Installations

  - apt-get install ddclient     # keeps the DNS record at zoneedit pointing at the server's current IP address
    prerequisites: - domain (e.g. 'chew.ch') registered at zoneedit.com with a valid user account.
    (config file is /etc/ddclient.conf; it contains the zoneedit password, so keep it readable by root only)
    -> run as daemon, 20s interval

  - Install ssh (secure shell login)
    $ apt-get install ssh
    -> SSH2 connections only (Protocol 2 in sshd_config; the SSH1 protocol has known weaknesses)
    -> edit the file /etc/ssh/sshd_config:
    PasswordAuthentication yes # needs to be 'yes' if you want to log in using CuteFTP
    Note: with password logins enabled the server will see password-guessing attempts as soon as it is reachable,
          so use strong passwords, and set PermitRootLogin to 'no' (log in as the normal user and use 'su').

    ->> From now on you may connect to the server from a PC using PUTTY/CuteFTP with SSH2 connections
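A quick way to check that the sshd_config edits above ended up as intended, as an added example (not part of the original guide): the functions below read the file the way sshd does (comments skipped, keyword matched case-insensitively, first occurrence wins) and report on Protocol, PermitRootLogin and PasswordAuthentication. The function names are made up here; the file path is a parameter, so it can be run on /etc/ssh/sshd_config or on a copy.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an sshd_config file for
# the settings this section touches. Usage: sshd_audit /etc/ssh/sshd_config

# sshd_value FILE KEYWORD
# Print the value of KEYWORD as sshd will see it: comment lines are skipped,
# the keyword is matched case-insensitively, and the FIRST match wins, because
# sshd uses the first occurrence of a keyword and ignores later ones.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per finding. Returns 0 when the hard requirements hold
# (protocol 2 only, no direct root login), 1 otherwise. Password logins are
# reported as a warning, not a failure, because this guide keeps them enabled
# for CuteFTP.
sshd_audit() {
    f=$1
    rc=0

    proto=$(sshd_value "$f" Protocol)
    if [ "$proto" = "2" ]; then
        echo "ok   Protocol 2 (SSH1 disabled)"
    else
        echo "FAIL Protocol is '$proto', want an explicit 'Protocol 2'"
        rc=1
    fi

    root=$(sshd_value "$f" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '$root', want 'no' (log in as a user, then su)"
        rc=1
    fi

    pw=$(sshd_value "$f" PasswordAuthentication)
    if [ "$pw" = "no" ]; then
        echo "ok   PasswordAuthentication no (key logins only)"
    else
        echo "WARN PasswordAuthentication is '$pw': the server accepts password guessing, use strong passwords"
    fi

    return $rc
}
```

Because sshd takes the first occurrence of a keyword, a hardening line appended at the end of the file is silently ignored if the same keyword already appears further up; sshd_value shows which value is actually in force.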


  - apt-get install mysql-server                  # installs MySQL

  - Installation of the webmin system-administration webapplication (cgi-perl with its own webserver):
    -> since etch, there is no official webmin debian package anymore.
       However webmin can still be downloaded as .deb package.
       Here is how it is done:
       $ wget http://prdownloads.sourceforge.net/webadmin/webmin_1.420_all.deb   # webmin application
       $ wget http://prdownloads.sourceforge.net/webadmin/usermin_1.350_all.deb  # usermin application
       -> note: now make sure nothing is running on port 10000, else stop the service temporarily
       $ dpkg --install webmin_1.420_all.deb  # installs webmin on port 10000 (install the missing packages if dependency fails)
       $ dpkg --install usermin_1.350_all.deb # installs usermin on port 20000
      
    -> Check Webmin on this URL:
       https://chew.ch:10000
       -> if you should get an access-denied error, do this:
    -> vi /etc/webmin/miniserv.conf
       -> the row 'allow=127.0.0.1' restricts access to the local host. Do not simply delete it, which would
          expose the webmin login to the whole Internet; instead change it to the address(es) you administer from, e.g.
          allow=127.0.0.1 <your-client-ip>
       -> here you can also change your port and reactivate the service you previously had running

    -> /etc/init.d/webmin restart # restarts webmin-service

  - apt-get install perl-doc         # PERL-Documentation reading program
  - apt-get install ftpd-ssl         # SSL-FTP Server (needed for mail-forwarding in Horde)



6) Enable pop3-mail with SSL-Certificate (using qpopper)

  - Create Self-Signed SSL-certificates using openssl
  ***********************************************************************************
    - install openssl:
      apt-get install openssl (just in case, but it should already be installed)
    - create private key and certificate request:
      $ /usr/bin/openssl req -new -nodes -out /tmp/req.pem -keyout /etc/ssl/certs/chew.pem
        -> Common Name (eg, YOUR name) []:chew.ch     (the host name your mail clients will connect to)
      -> '-nodes' leaves the private key unencrypted, so the daemons can read it without a passphrase;
         that makes the file permissions the only protection of the key. /etc/ssl/certs is a world-readable
         directory, so make the file readable by root only (mode 600) right away.
    - create the self-signed certificate (valid for 2000 days):
      $ /usr/bin/openssl req -x509 -days 2000 -key /etc/ssl/certs/chew.pem -in /tmp/req.pem -out /tmp/signed_req.pem
    - concatenate private key and certificate into one file:
      $ cat /tmp/signed_req.pem >> /etc/ssl/certs/chew.pem
      (the two files in /tmp can be deleted afterwards)
  - Check the certificate:
    $ cat /etc/ssl/certs/chew.pem
      -> it should look like this:

         -----BEGIN RSA PRIVATE KEY-----
         ... bla bla ...
         -----END RSA PRIVATE KEY-----
         -----BEGIN CERTIFICATE-----
         ... bla bla ...
         -----END CERTIFICATE-----
   **********************************************************************************
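Before handing the combined file to qpopper (and, in chapter 10, to Apache), it is worth checking it mechanically rather than by eye. The following is an added example, not part of the original guide: pem_check is a made-up function name, the file path and expected owner are parameters, and the only assumption is the layout shown above (one private key block, then the certificate).

```shell
#!/bin/sh
# Added example (not part of the original guide): check the combined
# key + certificate file. Usage: pem_check /etc/ssl/certs/chew.pem

# pem_check FILE [OWNER]
# Returns 0 only if FILE
#   - is a regular file owned by OWNER (default root),
#   - is not readable by group or others (the private key is unencrypted,
#     so the mode is its only protection; chmod 600 if this fails),
#   - contains exactly one PRIVATE KEY block and at least one CERTIFICATE
#     block, with the key first as in the layout the guide produces.
# Otherwise it prints what is wrong and returns 1.
pem_check() {
    f=$1
    owner=${2:-root}

    if [ ! -f "$f" ]; then
        echo "FAIL $f: not a regular file"; return 1
    fi

    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "FAIL $f: mode is $mode, the private key is readable by others (chmod 600)"; return 1 ;;
    esac

    actual_owner=$(ls -ld "$f" | awk '{ print $3 }')
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $f: owned by $actual_owner, expected $owner"; return 1
    fi

    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    if [ "$keys" -ne 1 ]; then
        echo "FAIL $f: expected exactly 1 private key block, found $keys"; return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "FAIL $f: no certificate block, did the 'cat >>' step run?"; return 1
    fi

    key_line=$(grep -n '^-----BEGIN .*PRIVATE KEY-----$' "$f" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n '^-----BEGIN CERTIFICATE-----$' "$f" | head -n 1 | cut -d: -f1)
    if [ "$key_line" -gt "$cert_line" ]; then
        echo "FAIL $f: certificate precedes the key, not the layout this guide produces"; return 1
    fi

    echo "ok   $f: key + $certs certificate(s), mode $mode, owner $owner"
    return 0
}
```

The mode check is the one that matters most on this setup: 'openssl req -keyout' writes the key with the current umask, which on a default Debian install leaves it world-readable, and nothing in the later steps would complain about that.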

  - edit /etc/inetd.conf:
    (Change the service names 'ftp' to 'ftps' and 'pop-3' to 'pop3s', so that inetd offers the daemons on the SSL ports
     990 and 995 from /etc/services; the plain-text ports 21 and 110 are then no longer listened on)
    pop3s           stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.qpopper -f /etc/qpopper.conf
    ftps            stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd


  - Configure qpopper for tls/ssl
    -> edit /etc/qpopper.conf with the following two entries:
       - set tls-support              = alternate-port
       - set tls-server-cert-file     = /etc/ssl/certs/chew.pem   (qpopper's default is /etc/mail/certs/cert.pem)
       'alternate-port' means TLS is negotiated immediately on the connection (the pop3s port 995), as opposed to STLS on port 110.
  - restart inetd so that it re-reads inetd.conf:
    $ kill -HUP $(ps -ef | grep '[i]netd' | awk '{print $2}')
    (the '[i]netd' pattern keeps grep from matching its own command line; '/etc/init.d/inetd restart' does the same job)

  - Check SSL on port 995 (should now be configured with the pop3s-protocol)
    $ openssl s_client -connect localhost:995
    -> the last line must look like this:
       +OK Qpopper (version 4.0.5) at localhost.localdomain starting.  <3975.1099078420@localhost.localdomain>

  - Configure your mail tool (Outlook Express, etc.) with the secure pop3 protocol (pop3s, port 995).
    You should be able to download your mail now, without anyone on the network being able to snoop your password.
    Because the certificate is self-signed, the client will warn on first contact. Compare the fingerprint it shows with
    the one on the server ('openssl x509 -noout -fingerprint -in /etc/ssl/certs/chew.pem') before accepting it;
    otherwise a man in the middle could present his own certificate just as convincingly.



9)   Post-Configuration of mail-components
###########################################


9.1) Enable Anti-Spam measures on the MTA (exim4)
9.1.1)
  Add these lines at the top of the config-file /etc/exim4/exim4.conf.template:
    CHECK_RCPT_VERIFY_SENDER = yes
    CHECK_RCPT_REVERSE_DNS = yes
    CHECK_RCPT_SPF = yes
    CHECK_DATA_VERIFY_HEADER_SENDER = yes
  This will enable various checks in the ACL section that verify the origin of the sender
  (sender address verification, reverse DNS of the sending host, SPF, and verification of the header sender).

9.1.2)
  Enable RBLs (Real-time Blackhole Lists, i.e. DNS-based blacklists of spamming hosts) to block spam.
     -> Before you enable and configure SpamAssassin, you should enable the RBLs in exim.
        This is an extremely useful feature, because it is very easy to configure and it will block
        a good deal of your spam at SMTP time, before SpamAssassin does anything (and before the message is even received).

  - edit /etc/exim4/exim4.conf.template again:
    search for string 'acl_check_rcpt:' in the ACL block. Directly below it you will find the statement

  accept
    hosts = :

    which accepts everything that did not arrive over TCP/IP (i.e. locally submitted mail). Add the deny after it,
    so that local mail is never checked against the lists:

  #########################################
  # spam-killer in acl_check_rcpt-block
  #########################################
    deny message  = $sender_host_address is blacklisted at $dnslist_domain.\n\
                    See $dnslist_domain for more information.
    dnslists      = bl.spamcop.net : sbl-xbl.spamhaus.org :
  # the dnslists line can be extended with other DNS blacklists (colon separated).
  # Check a list's usage policy and that it is still maintained before adding it: a list that
  # has been shut down may answer "listed" for every address, and this deny would then reject all mail.
  #########################################

  
9.1.3)
  - activate the changes using:
    $ dpkg-reconfigure exim4-config  # writes changes into /var/lib/exim4/config.autogenerated
    $ /etc/init.d/exim4 restart      # restart exim, just to be sure the changes are active

  - check the logfile for blocked mails and you will see the vast amount it blocks (provided you get much spam):
    /var/log/exim4/rejectlog



9.2) Configure SpamAssassin
     Configuring the MTA is far from enough to prevent spam. One of the most powerful anti-spam tools is probably SpamAssassin.
     SpamAssassin is a perl program which analyses an email with a large set of tests. Each test that hits adds (or subtracts) points,
     and the sum decides whether the mail is flagged as spam or not.
     By default a message is spam as soon as it reaches 5 points ('required_score 5.0').

     This part shows you two ways of integrating SpamAssassin to your system.
     Part one (9.2.1) shows you how to conventionally integrate SpamAssassin, after the mail has been accepted by the MTA.
     Part two (9.2.2) shows you how to integrate SpamAssassin to Exim, which is more powerful, because you are able to reject the incoming
     email according to the SpamAssassin analysis.


  - edit /etc/default/spamassassin
    -> ENABLED=1                     # starts spamd at boot-time

  - edit /etc/exim4/exim4.conf.template:

    procmail:
     driver = localuser
     transport = procmail_pipe
     #require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
     # to activate procmail system-wide (with the default file /etc/procmailrc)
     require_files = ${local_part}:+${home}:+/usr/bin/procmail
     no_verify

  - reconfigure your exim4 with your changes from above:
    $ dpkg-reconfigure exim4-config
    (the changes are written into the file '/var/lib/exim4/config.autogenerated')


9.2.1) The conventional integration of SpamAssassin 
       -> Exim delivers the mail to procmail (all mails are accepted, except those rejected by the RBLs)
       -> procmail calls SA
       -> procmail evaluates where to put the mail (inbox or Spam folder)

  - create file /etc/procmailrc

    MAILDIR=/var/mail
    LOGFILE=/var/log/procmail/procmail.log
    :0fw
    | /usr/bin/spamc
    :0
    * ^X-Spam-Status: Yes
    $HOME/mail/Spam

  --> this is the procmail configuration, and it will do the following:
      1) pipe the mail through spamc, the client of the SpamAssassin daemon spamd ('f' = filter, 'w' = wait for the exit code)
         (if SpamAssassin considers a mail as Spam, then the header "X-Spam-Status: Yes" will be written into the mail)
      2) If the header contains the string '^X-Spam-Status: Yes', procmail will move it to the Spam folder
         (the recipe has no 'H'/'B' flag, so the regular expression is matched against the header only, not the body)


9.2.2) Alternatively to 9.2.1, you can integrate SA into Exim4, using sa-exim:
       This is more powerful than using SA after Exim has accepted the mail.
       -> Exim directly calls SpamAssassin when the mail is received (in the local_scan hook, i.e. still within the SMTP transaction)
       -> SA scans the mail and according to the spam score, exim can reject or greylist the mail
       -> Exim delivers the (accepted) mail to procmail
       -> procmail evaluates where to put the mail (inbox or Spam folder)

  $ apt-get install sa-exim  # installs the integration package of SpamAssassin to Exim

  - edit /etc/exim4/exim4.conf.template
    # add this line at the top of the file:
    local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

  - edit /etc/exim4/sa-exim.conf 
    # change values to fit your needs
    # example: reject all mails with a spam-score > 14
    SApermreject: 14.0

    # if you want to greylist (tempreject) a mail you can configure sa-exim as follows:
    ###################################################################################
    # description: greylist a mail which has a spam-score of 9.0 or higher (between 9.0 and 14.0 if you have the permreject of above)
    # the mail will be temp-rejected for 1800 seconds (most spammers only send the mail once)
    - edit /etc/exim4/sa-exim.conf
    SAtempreject: 9.0
    SAgreylistiswhitestr: GREYLIST_ISWHITE
    SAgreylistraisetempreject: 4.0

    - edit /etc/spamassassin/local.cf
    # add the following 4 lines:
    loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
    header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")
    describe GREYLIST_ISWHITE The incoming server has been exempted from greylisting for this recipient and sender
    score GREYLIST_ISWHITE  -1
    ###################################################################################

  - create file /etc/procmailrc

    MAILDIR=/var/mail
    LOGFILE=/var/log/procmail/procmail.log
    :0
    * ^X-Spam-Status: Yes
    $HOME/mail/Spam

  --> this is the procmail configuration, and it will do the following:
      1) If the header contains the string '^X-Spam-Status: Yes', procmail will move it to the Spam folder
         (messages above the SApermreject score never reach this point, they were rejected during SMTP)


9.2.3) Configure SpamAssassin (applies to 9.2.1 and 9.2.2)

  - create directory for the global bayes database:
    mkdir -p /var/spamassassin
    (the directory must be writable by the user spamd runs as; if you run spamd with '-u' in the OPTIONS of
     /etc/default/spamassassin, chown the directory to that user)

  - edit /etc/spamassassin/local.cf (see 'perldoc Mail::SpamAssassin::Conf' for further info)

    bayes_path /var/spamassassin/bayes
    report_safe 0
    rewrite_subject 0

  - The bayes component of SpamAssassin is only effective, if it has learned from Spam and Ham (Non-Spam) mails.
    see
    $ perldoc sa-learn
    -> important to know: sa-learn --spam/ham --mbox /home/user/mail/NewSpam

  - Redefine a score for one of the tests:
    -> check /usr/share/spamassassin/50_scores.cf -> here you see the default scores (this file is overwritten on every package update, so do not edit it)
    -> edit /etc/spamassassin/local.cf            -> override the score in this file (this file persists across updates)
       example: disable the check for a dynamic IP address (this test is fairly useless here, because it gives loads of spam points
                                                             to a mail sent via webmail from a PC with a dynamic IP address ..and most PCs have dynamic IP addresses)
       score HELO_DYNAMIC_IPADDR2 0

       example2: add a new SpamAssassin rule on a header (my example gives 4 spam points when the reverse DNS lookup of the sending host failed;
                 exim adds the 'X-Host-Lookup-Failed' header when CHECK_RCPT_REVERSE_DNS from 9.1.1 is enabled):
       header RULE_REVERSE_DNS_FAIL X-Host-Lookup-Failed =~ /failed/
       score  RULE_REVERSE_DNS_FAIL 4

    -> restart spamassassin: /etc/init.d/spamassassin restart 

  - A special SpamAssassin configuration:
    Configure SpamAssassin so that it automatically whitelists the email addresses in the personal horde address book.
    SpamAssassin should read the address book directly from the MySQL horde database.
    -> Of course sender addresses can be faked (whitelist_from only looks at the From header), but if you omit your own domain, this works very well.
   
    -> substitute <horde-db> with your horde-database
    -> substitute <password> with your password
    -> substitute chew.ch with your own domain
    a) Create the MySQL database-user "spamassassin"
    b) Grant select to spamassassin on table <horde-db>:turba_objects
    c) edit /etc/default/spamassassin. Add the option '--sql-config' to the OPTIONS string.
    d) edit /etc/spamassassin/local.cf. Add the following lines:
       user_scores_dsn                 DBI:mysql:<horde-db>:localhost
       user_scores_sql_username        spamassassin
       user_scores_sql_password        <password>
       user_scores_sql_custom_query    select distinct 'whitelist_from' as preference, object_email as value from turba_objects where object_email not like '%chew.ch'
       (local.cf is readable by every local user, which is why step b) grants this database user nothing but SELECT on the one table)
    e) restart spamassassin: /etc/init.d/spamassassin restart



9.3) If need be: Update SpamAssassin from the testing (or unstable) distribution
  - Spammers are fast in changing tactics and SpamAssassin needs to adapt.
    It might help to get the latest SpamAssassin version.

    Here is how you can get a specific package from 'testing' or even 'unstable':

  - vi /etc/apt/apt.conf
    APT::Default-Release "stable";
    -> this ensures that your main distribution tree stays stable (the value needs the quotes and the trailing semicolon,
       otherwise apt rejects the file with a syntax error).

  - vi /etc/apt/sources.list
    # add a row containing the testing and unstable distribution :
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ testing main
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ unstable main

  - update SpamAssassin from the testing (or unstable) branch:
    $ apt-get -t testing install spamassassin   # installs spamassassin from testing branch
    $ apt-get -t unstable install spamassassin  # installs spamassassin from unstable branch
    -> apt will pull in whatever newer dependencies (perl modules etc.) that version needs from the same branch,
       so read the list of packages it proposes to upgrade before you confirm; a mixed system no longer gets
       all its security updates from security.debian.org.



9.4) Protect your own domain with SPF-settings (Sender Policy Framework):
  Go to your domain-name services at your DNS-provider.
  Add the following TXT record to your domain-name (chew.ch): 
  "v=spf1 +a +mx -all"

  This is the mail policy for your domain and it says:
  -> v=spf1: this marks the start of the SPF rule
  -> +a:     If the IP address of the sending MTA is the one of your domain (DNS A record), the result is 'pass'.
  -> +mx:    If the IP address of the sending MTA is one of your defined MX servers (DNS MX record), the result is 'pass'.
  -> -all:   If the IP address of the sending MTA is any other than listed above, the result is 'fail'.
             With this "-all" you tell receiving MTAs to reject mail that unauthorized MTAs send in your domain's name.
             Of course this only works if the receiving MTA checks your SPF rule. My mailserver does (CHECK_RCPT_SPF in 9.1.1).

  It only costs a few minutes to make an SPF policy for your domain. 
  Doing this does not mean you have to enable the SPF-check on your MTA, but it helps other receiving MTA's (with enabled SPF-check)
  to verify if the sender is authorized to send mail from your domain or not.
  It is in your interest that no spam is sent from your email-addresses.
  For more details see http://www.openspf.org
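To see how a receiving MTA arrives at 'pass' or 'fail' from this record, here is a small SPF evaluator as an added example (not part of the original guide and not what exim's SPF check uses internally). DNS is answered from a constructed table so that it runs offline; the domain example.org and the addresses are documentation values standing in for chew.ch. It handles the a, mx, ip4 (with /prefix) and all mechanisms with the four qualifiers, and leaves out include, redirect, exists, ip6, macros and the lookup limit of RFC 4408. All function names are made up here.

```shell
#!/bin/sh
# Added example (not part of the original guide): minimal SPF evaluation for a
# record like "v=spf1 +a +mx -all" against constructed DNS data.
# Usage: spf_evaluate 203.0.113.5 example.org   -> fail

# Constructed DNS data, one "TYPE NAME VALUE..." record per line. To evaluate
# against real DNS, replace dns_lookup with a parser around `host -t TYPE NAME`.
DNS_TABLE='
A   example.org       192.0.2.10
A   mail.example.org  192.0.2.25
MX  example.org       mail.example.org
TXT example.org       v=spf1 +a +mx -all
'

# dns_lookup TYPE NAME -> prints the VALUE of every matching record
dns_lookup() {
    echo "$DNS_TABLE" | awk -v t="$1" -v n="$2" \
        '$1 == t && $2 == n { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# ip4_in_cidr IP NETWORK[/BITS] -> returns 0 when IP lies inside the network
ip4_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function num(s,  p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        BEGIN {
            n = split(cidr, c, "/"); bits = (n == 2) ? c[2] : 32
            shift = 2 ^ (32 - bits)          # drop the host part on both sides
            exit !(int(num(ip) / shift) == int(num(c[1]) / shift))
        }'
}

# spf_evaluate IP DOMAIN -> pass | fail | softfail | neutral | none
# Walks the mechanisms left to right; the first one that matches decides,
# and its qualifier (+ - ~ ?) gives the result.
spf_evaluate() {
    ip=$1
    domain=$2
    record=$(dns_lookup TXT "$domain" | grep '^v=spf1 ' | head -n 1)
    if [ -z "$record" ]; then echo none; return; fi

    for term in ${record#"v=spf1 "}; do
        q=${term%%[a-z]*}            # qualifier prefix, "+" when absent
        m=${term#"$q"}
        [ -n "$q" ] || q=+
        match=0
        case "$m" in
            all)
                match=1 ;;
            a)                       # any A record of the domain itself
                for a in $(dns_lookup A "$domain"); do
                    if [ "$a" = "$ip" ]; then match=1; fi
                done ;;
            mx)                      # any A record of any MX host of the domain
                for mx in $(dns_lookup MX "$domain"); do
                    for a in $(dns_lookup A "$mx"); do
                        if [ "$a" = "$ip" ]; then match=1; fi
                    done
                done ;;
            ip4:*)
                if ip4_in_cidr "$ip" "${m#ip4:}"; then match=1; fi ;;
            *)                       # unsupported mechanism: treated as no match
                ;;
        esac
        if [ "$match" = 1 ]; then
            case "$q" in
                +) echo pass ;;
                -) echo fail ;;
                '~') echo softfail ;;
                '?') echo neutral ;;
            esac
            return
        fi
    done
    echo neutral                     # nothing matched and no "all" term
}
```

The order of the terms matters: '-all' must come last, because evaluation stops at the first match. Publishing '~all' (softfail) instead of '-all' is the usual choice while you are still unsure whether every legitimate sending host is covered by the a and mx mechanisms.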



9.5) Install uw-imapd

    $ apt-get install uw-imapd       # it should already be installed by default
      -> check /etc/inetd.conf for imap2,imaps
         -----------------------------
         imap2   stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/imapd
         imaps   stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/imapd
         -----------------------------

9.5.1) configure uw-imapd with a default mail-directory outside of the normal $HOME directory:

     -> You would not believe this, but it really is true:
        uw-imapd does NOT have a configuration file. If you want to configure uw-imapd, you need to edit the source code
        and recompile the whole thing.
        An alternative would be to install another imapd, like cyrus-imapd, but cyrus-imapd is quite complicated to configure
        and is overkill for what I needed (and it didn't work after installation).

     -> I wanted the imap-server to get mail-folders from $HOME/mail instead of $HOME 
        (if you leave it on $HOME, the imap-clients will (per default) download all other stuff you have in your $HOME directory)

  - get the source-code:
    $ wget http://security.debian.org/debian-security/pool/updates/main/u/uw-imap/uw-imap_2002edebian1.orig.tar.gz
    $ gunzip uw-imap_2002edebian1.orig.tar.gz
    $ tar xfv uw-imap_2002edebian1.orig.tar

  - edit the source-code:
    $ cd imap-2002e
    $ vi ./src/osdep/unix/env_unix.c

    -> change this line (line 29):
    static char *myMailboxDir = "mail";         /* mailbox directory name */

    -> horde users might want to change the following line (line 123)
    static NAMESPACE nsftp = {"",'/',NIL,&nsnews};
    /* this removes the #ftp namespace that is otherwise displayed among your mail folders */

  - recompile source:
    $ apt-get install libpam0g-dev gcc libssl-dev  # installs libraries necessary for compilation
    $ make ldb                                     # ldb = Debian-Linux build tag

  - replace the imapd binary:
    $ cp /usr/sbin/imapd /usr/sbin/imapd.orig      # make a backup of the original binary
    $ /etc/init.d/inetd stop                       # stop imapd
    $ cp ./imapd/imapd /usr/sbin/imapd             #
    $ chmod 2755 /usr/sbin/imapd                   # set the setgid bit, as on the packaged binary
    $ chown root:mail /usr/sbin/imapd              # important: make sure that the group is 'mail' and not 'root'
                                                   # (setgid mail is what lets imapd create lock files in /var/mail)
    $ /etc/init.d/inetd start                      # start imapd

    Note: the hand-built binary is now outside apt's control. The next security update of the uw-imapd package
          will overwrite /usr/sbin/imapd with the packaged binary (undoing the change), and until you rebuild from
          the patched source your running imapd has the old vulnerabilities. Keep an eye on uw-imapd security advisories.



9.6) Integrate ClamAv antivirus to exim4
  - There are different ways of integrating the virus-check using ClamAv.
    I have decided to integrate ClamAv directly to the MTA exim4.
    Another possibility would have been to use the procmail pipe.
    If you decide to use it with exim4, then you must have exim4-daemon-heavy installed,
    i.e. you need to replace exim4-daemon-light (the content scanning ACL conditions are only compiled into the heavy daemon).

    $ apt-get remove exim4-daemon-light
    $ apt-get install exim4-daemon-heavy
    $ apt-get install clamav-daemon

  - configure exim4 to call clamav and reject infected mails.
    Edit /etc/exim4/exim4.conf.template:
    -> search for section: 01_exim4-config_listmacrosdefs, then add the line:
    ######################################################
    # call clamav-antivirus
    av_scanner = clamd:/var/run/clamav/clamd.ctl
    ######################################################

    -> search for section: 40_exim4-config_check_data, then add the lines:
    acl_check_data:

    ######################################################
    # deny-message for clamav antivirus
    deny message = Message contains malware or a virus ($malware_name).
    log_message = $sender_host_address tried sending $malware_name
    demime = *
    malware = *
    ######################################################

  - add the clamav user to the exim group and the exim user to the clamav group
    (clamd must be able to read exim's spool files, and exim must be able to reach clamd's socket):
    $ adduser clamav Debian-exim
    $ adduser Debian-exim clamav

  - restart exim4 and clamav:
    $ dpkg-reconfigure exim4-config
    $ /etc/init.d/clamav-daemon restart
    $ /etc/init.d/clamav-freshclam restart
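Once the DNSBL rule (9.1.2), sender verification (9.1.1) and the ClamAV rule above are all active, /var/log/exim4/rejectlog mixes their entries. The following is an added example, not part of the original guide, that summarises that file by rejection reason and by peer address. The function names are made up; the sample lines in the test are constructed to approximate exim's rejectlog format (timestamp, H=host [ip], F=sender, then the ACL's message or log_message), so compare the patterns against a few lines of your own log before relying on the counts.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise exim's rejectlog.
# Usage: rejectlog_count /var/log/exim4/rejectlog dnsbl ; rejectlog_hosts /var/log/exim4/rejectlog

# rejectlog_reason LINE
# Classifies one rejection line by the text the ACLs in this guide produce.
rejectlog_reason() {
    case "$1" in
        *" is blacklisted at "*)   echo dnsbl ;;          # 9.1.2 deny message
        *" tried sending "*)       echo malware ;;        # 9.6 log_message
        *"Sender verify failed"*)  echo sender-verify ;;  # CHECK_RCPT_VERIFY_SENDER
        *)                         echo other ;;
    esac
}

# rejectlog_count FILE REASON
# Prints how many rejections in FILE have REASON. Only lines that start with
# exim's timestamp are rejections: after a "rejected after DATA" entry exim
# copies the envelope and the headers of the message into the same file, and
# those lines must not be counted (or matched for addresses).
rejectlog_count() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ *) ;;
            *) continue ;;
        esac
        if [ "$(rejectlog_reason "$line")" = "$2" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# rejectlog_hosts FILE
# Prints "ip count" for every rejected peer, most frequent first: the
# candidates for a firewall rule or for a complaint to the owner of the netblock.
rejectlog_hosts() {
    sed -n 's/^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9:]* .*\[\([0-9.][0-9.]*\)\].*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}
```

A sudden jump in the 'other' count after a configuration change is worth a look: it usually means a new deny fired with a message these patterns do not know, and the first few such lines show whether that was intended.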


10) Enabling HTTPS on port 443:
  - enable the SSL module (either by creating the symbolic links by hand, or with 'a2enmod ssl', which does the same):
    $ ln -s /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled
  - Check if the links have been created:
    $ ls -l /etc/apache2/mods-enabled | grep ssl

    The output should look as follows:
    lrwxrwxrwx  1 root root 36 Nov  2 19:18 ssl.conf -> /etc/apache2/mods-available/ssl.conf
    lrwxrwxrwx  1 root root 36 Nov  2 19:18 ssl.load -> /etc/apache2/mods-available/ssl.load

  - configure your apache-daemon to listen on ports 443 and 80 (default HTTPS, HTTP)
    $ vi /etc/apache2/ports.conf
      Listen 80
      Listen 443


  - create the basic setup for your https-server:
    $ vi /etc/apache2/conf.d/apache2-https
    **************************************************
    <VirtualHost *:443>
       ServerName www.chew.ch
       DocumentRoot /var/www-ssl

       # SSL-Configuration:
       SSLEngine               on
       # chew.pem from chapter 6 contains the private key and the certificate in one file.
       # It must stay readable by root only (Apache reads it at startup, before dropping privileges);
       # alternatively split the key off into its own file and name it with SSLCertificateKeyFile.
       SSLCertificateFile      /etc/ssl/certs/chew.pem
    </VirtualHost>
    **************************************************


  - configure the default (non-ssl) port, edit the first few lines, so that it looks like this:
    $ vi /etc/apache2/sites-available/default
    **************************************************
    <VirtualHost *:80>
        ServerAdmin administrator@chew.ch
        ServerName www.chew.ch

        SSLEngine               off

        DocumentRoot /var/www/
       
        ... bla
        ... bla
        ... bla

    **************************************************

  - create the https-directory
    $ mkdir /var/www-ssl

  - put any html-file into the HTTPS-directory, rename it to 'index.html'

  - restart the webserver
    $ apache2ctl -k restart        # or: /etc/init.d/apache2 restart (both source /etc/apache2/envvars, which the bare 'apache2' binary does not)

  - check your website using the URL:
    https://www.chew.ch/
    http://www.chew.ch/




11) Installation of the powerful webtool 'Horde' (webmail/sharing-calendar/task-lists/online-bookmarks):

    ********************************************************
    Note:  I had problems with the Debian distribution (woody) of the Horde project (Debian apt packages),
           so I downloaded the CVS head of the Horde project and installed it directly.
           When I previously installed Horde with the Debian packages I had three problems:
           1) It didn't work correctly.
           2) It was a very old version of Horde.
           3) The configuration was extremely complicated with tons of config files spread all over the system.
           The manual installation worked well, and I didn't regret not installing the Debian packages.
    ********************************************************

11.1 Pre-Installation of required features and packages:

  - install php-modules:
    # either php4 (debian-woody,sarge):
    $ apt-get install php4-mysql php4-mcal php4-mcrypt php4-imap php4-gd php4-domxml
    apt-get install php4 php4-pear php4-pear-log (php4-dev: for the PEAR/PECL module fileinfo)
    apt-get install phpdoc (only on woody, not on sarge)

    # or php5 (debian-etch)
    apt-get install php5 php5-cli php5-common php-pear php5-imap php5-mysql php5-gd

  - install rsync and cvs:
    $ apt-get install rsync
    $ apt-get install cvs

  - install the Horde-Application from the fresh CVS-Directory.
    Note that your CVS-Repository of the Horde-Project will be much newer than the one in this installation guide.
    It may therefore contain new features and might react differently.

    $ export CVSROOT=:pserver:cvsread@anoncvs.horde.org:/repository
    $ cvs login                           # password = horde
    $ cd /var/www-ssl/
    $ cvs co -r FRAMEWORK_3 horde
    $ cd horde
    $ cvs co -r FRAMEWORK_3 imp           # add mail-program with the same Framework-Tag as the horde-framework above
    $ cvs co -r FRAMEWORK_3 mimp          # mobile imp (imp-addon for mobiles)
    $ cvs co -r FRAMEWORK_3 turba         # add address-book
    $ cvs co -r FRAMEWORK_3 kronolith     # add calendar
    $ cvs co -r FRAMEWORK_3 nag           # add task-manager
    $ cvs co -r FRAMEWORK_3 passwd        # add password-change-tool
    $ cvs co -r FRAMEWORK_3 ingo          # email-filters (forwards/vacations, etc)
    $ cvs co -r FRAMEWORK_3 framework     # framework to generate classes
    $ cvs co trean                        # trean (bookmarks) is still in development at the moment, but it works

    $ chown -R www-data:www-data *        # change the ownership to the web user
      (this is convenient for the web-based setup below, which writes the config files; once configured, a checkout owned by root
       with only the config directories writable by www-data is safer, because a compromised PHP script can then not rewrite the application code)

  - upgrade and install the php-modules of PEAR:
    -> note: some packages might require a beta-version download, just add '-beta' behind the packagename
             ie. pear install XML_Util-beta (instead of XML_Util)
    $ pear upgrade-all
    $ pear install MDB2              # used for trean
    $ pear install pear/MDB2#mysql   # used for trean
    $ pear install Mail_Mime
    $ pear install Date
    $ pear install Auth_SASL
    $ pear install Net_URL
    $ pear install Net_SMTP
    $ pear install Cache
    $ pear install File
    $ pear install Services_Weather
      -> needed for weather forecast. Additionally you need to have an account at https://registration.weather.com/ursa/profile
    $ pear install Net_IMAP
    $ pear install Log
    $ pear install Net_Socket
    $ pear install XML_Util
    $ pear install XML_Parser
    $ pear install XML_Serializer
    $ pear install HTTP_Request
      -> this might fail due to old version of Net_Socket (upgrade Net_Socket first)

  - install your preferred languages:
    $ dpkg-reconfigure locales
    $ locale -a                  # check your languages
    -> set your messages to your preferred language:
    $ export LC_MESSAGES=en_US   # add this to .bashrc if it differs from the default locale

  - generate the classes:
    $ cd /var/www-ssl/horde/framework
    $ php5 ./install-packages.php
    $ cd ..; rm -r framework      # once the classes are generated, the framework can be deleted

11.2 Configure Horde

  - make the configuration files out of the dist files:
  $ cd /var/www-ssl/horde/config
  $ for f in *dist; do echo cp -p $f $(basename $f .dist); done
    -> check the output and paste it into the shell (the loop only prints the commands, so you can review them before running them)

  - install the basic mysql-horde database:
  $ mysql [--user=root --password=yourpwd] < /var/www-ssl/horde/scripts/sql/create.mysql.sql
    NOTE: the password of the new database user 'horde' has now been set to 'horde' and must be changed
          (in MySQL and in the SQL settings of horde's conf.php) before the site goes online, since the script is public.

  - check the horde-configuration:
    https://chew.ch/horde/test.php
    -> most of it should be green. These configurations can be left 'red':
       # LDAP Support: No
       # Mcrypt Support: No
       # MIME Magic Support: No
       # PostgreSQL Support: No
       # memory_limit disabled: No

  - configure the horde framework using the Web-GUI.
    https://chew.ch/horde/


  - configure imp (mail-program)
    ----------------------------
    $ cd /var/www-ssl/horde/imp/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

  edit /var/www-ssl/horde/imp/config/servers.php:
  -> delete all servers except for the 'imap'-server:
   $servers['imap'] = array(
       'name' => 'IMAP Server',
       'server' => 'localhost',
       'hordeauth' => true,
       'protocol' => 'imap/ssl/novalidate-cert',
       'port' => 993,
       'namespace' => '',
       'maildomain' => 'chew.ch',
       'smtphost' => 'localhost',
       'realm' => '',
       'preferred' => '',
       'dotfiles' => false,
       'hierarchies' => array()
   );

  -> finish the configuration of imp using the Web-GUI.


  - configure turba (addressbook)
    -----------------------------
    $ cd /var/www-ssl/horde/turba/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

    - edit /var/www-ssl/horde/turba/config/sources.php
      -> delete all entries except for 'sql':

    - create the mysql-table for turba:
      $ mysql [--user=root --password=yourpwd] horde < /var/www-ssl/horde/turba/scripts/sql/turba_objects.mysql.sql

  -> finish the configuration of turba using the Web-GUI.


  - configure kronolith (calendar)
    ------------------------------
    $ cd /var/www-ssl/horde/kronolith/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

    - create the mysql-tables for kronolith:
      $ mysql [--user=root --password=yourpwd] horde < /var/www-ssl/horde/kronolith/scripts/sql/kronolith.mysql.sql

  -> finish the configuration of kronolith using the Web-GUI.


  - configure passwd
    ----------------
    $ apt-get install poppassd   # installs server-side mechanism for changing the password
    $ cd /var/www-ssl/horde/passwd/config
    $ cp -p backends.php.dist backends.php
    $ vi backends.php:
      - delete all but 'poppassd'

  -> finish the configuration of passwd using the Web-GUI.



11.3 Update Horde
  $ mv /var/www-ssl/horde /backup/horde
  - check out the new horde projects (as in 11.1)
  $ ./generate_horde_distfiles.bash  # proprietary script of mine
  $ ./copy_hordefiles.bash           # proprietary script of mine


12) Additional Configurations

  12.1 Create a restricted ftp-user without shell-login
    - Add user 'restricteduser' into /etc/passwd (using useradd) and edit the shell to '/bin/false'
      restricteduser:x:uid:gid:'Description':/home/restrictedfolder:/bin/false
    - Add username 'restricteduser' to the file /etc/ftpchroot. This will restrict the ftp-rootdirectory to the users home-directory.
    - Add '/bin/false' to the file /etc/shells. FTP checks for a valid login shell; listing /bin/false there makes it count as one.

    -> The ftp-user 'restricteduser' now has access to the folder /home/restrictedfolder (and its subfolders) through FTP only.
       The user has no shell-login and therefore cannot browse your system.
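    The three steps above as an added shell example (my own illustration, not a script from the
    guide). The file edits are idempotent, and the paths of /etc/shells and /etc/ftpchroot are
    parameters so the function can be tried on copies first; only create_ftp_only_user needs root.
    It assumes Debian's useradd and an ftpd that honours /etc/ftpchroot, as described above.

```sh
#!/bin/sh
# Added example, not from the guide: set up an FTP-only account as in 12.1.

# Append LINE to FILE only if that exact line is not already present.
# Returns 1 (and changes nothing) when it was already there.
append_once() {
    line=$1; file=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Make ftpd accept the account: chroot it to its home directory and let
# /bin/false pass the "valid shell" check. Defaults to the real system files;
# pass copies as $2 and $3 to rehearse.
register_ftp_only_user() {
    user=$1
    shells_file=${2:-/etc/shells}
    ftpchroot_file=${3:-/etc/ftpchroot}
    append_once /bin/false "$shells_file" || true
    append_once "$user" "$ftpchroot_file" || true
}

# Create the system account itself (needs root) with /bin/false as shell,
# then register it. Skips useradd when the account already exists.
create_ftp_only_user() {
    user=$1; home=$2
    if ! getent passwd "$user" >/dev/null; then
        useradd -m -d "$home" -s /bin/false -c "FTP only" "$user"
    fi
    register_ftp_only_user "$user"
}
```

    Keep in mind that /etc/shells is consulted by more than ftpd (chsh and PAM's pam_shells, for
    instance), so every account whose shell is /bin/false is treated as having a valid shell by those
    programs once the line is added.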

  12.2 Create a ssh-connection without using a password
    -> we want to use a public-key authentication, so there is no need for the password anymore.
    - on server: Edit your sshd-config file '/etc/ssh/sshd_config' and make sure these lines are set:
      --------------------------
      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile      %h/.ssh/authorized_keys
      --------------------------

    - on client: generate a public key
      $ ssh-keygen -t rsa     # this will generate the files $HOME/.ssh/id_rsa.pub, $HOME/.ssh/id_rsa

    - on server: 
      paste the generated public key (id_rsa.pub) from the client into the file $HOME/.ssh/authorized_keys (on server)
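    The "paste the key into authorized_keys" step tends to fail silently when the permissions are
    wrong: sshd's StrictModes (on by default) ignores authorized_keys if ~/.ssh or the file itself is
    writable by group or others. As an added example (not from the guide), this function does the
    paste with the right modes and without adding the same key twice; the key file path and home
    directory are parameters, and the test key used below is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not the guide's own code: install a client's public key on the
# server with the permissions sshd expects. Re-running with the same key is a no-op.
# Usage: install_authorized_key /tmp/id_rsa.pub [/home/user]

install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    sshdir=$home_dir/.ssh
    authkeys=$sshdir/authorized_keys

    # The key is the first two fields (type and base64 blob); the trailing
    # comment may differ between copies and must not cause duplicates.
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    [ -n "$key" ] || { echo "no key found in $pubkey_file" >&2; return 2; }

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"                   # StrictModes: no group/other access
    touch "$authkeys"
    chmod 600 "$authkeys"

    if awk -v k="$key" 'NF >= 2 && ($1 " " $2) == k { found = 1 } END { exit !found }' "$authkeys"; then
        echo "key already present" >&2
        return 0
    fi
    awk 'NF >= 2 { print; exit }' "$pubkey_file" >> "$authkeys"   # one key line, newline-terminated
    echo "key added" >&2
}

# Diagnostic helper: print "<mode of ~/.ssh> <mode of authorized_keys>", e.g. "700 600".
# Anything looser than that is the usual reason a key login falls back to a password.
authorized_keys_modes() {
    home_dir=${1:-$HOME}
    stat -c '%a' "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys" | tr '\n' ' ' | sed 's/ $//'
}
```

    The home directory itself must also not be group/world-writable for StrictModes; the helper
    only reports the two paths the guide mentions.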

  12.3 Restrict the ssh-sessions
    -> to restrict ssh-sessions to certain trusted users just add the following line to '/etc/ssh/sshd_config':
       AllowUsers user1 user2 user3   # only these users may open an ssh-shell; all others are automatically denied.
       DenyUsers  root user4          # this prohibits root and user4 from opening an ssh-shell
                                        (only relevant if AllowUsers is not set)

    -> edit these files to block ip-addresses/ranges:
       /etc/hosts.allow
       /etc/hosts.deny

       example: only allow subnet 192.168.0.x:
       /etc/hosts.allow
       sshd: 192.168.0.0/255.255.255.0

       /etc/hosts.deny
       sshd: ALL

       note: unlike AllowUsers/DenyUsers in sshd_config, the blocked IP-Addresses need to be set in /etc/hosts.deny, even if /etc/hosts.allow is set.
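    A quick way to verify what sshd will actually enforce is to read the settings the way sshd
    does. Added example (not from the guide): the first function returns the effective value of a
    keyword (sshd takes the first occurrence and matches keyword names case-insensitively, '#' starts
    a comment), and the second applies the AllowUsers/DenyUsers rules to a user name. sshd
    evaluates DenyUsers before AllowUsers, so a name in both lists is denied. Assumptions and
    simplifications: exact user names only (no wildcards or user@host patterns), the 'keyword value'
    form only (not 'keyword=value'), and no Match blocks; the config used in the test is constructed.

```sh
#!/bin/sh
# Added example, not the guide's own code: inspect sshd_config access control.

# Print the value of KEYWORD from CONFIG using sshd's first-match rule,
# or nothing if the keyword is not set.
sshd_effective_value() {
    config=$1; keyword=$2
    awk -v kw="$keyword" '
        /^[[:space:]]*#/ || NF == 0 { next }                    # comments and blank lines
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$config"
}

# Return 0 if USER passes the AllowUsers/DenyUsers checks in CONFIG, 1 otherwise.
sshd_user_allowed() {
    config=$1; user=$2
    deny=$(sshd_effective_value "$config" DenyUsers)
    allow=$(sshd_effective_value "$config" AllowUsers)
    for u in $deny; do                     # DenyUsers is checked first
        [ "$u" = "$user" ] && return 1
    done
    [ -z "$allow" ] && return 0            # no AllowUsers: anyone not denied gets in
    for u in $allow; do                    # AllowUsers set: must be listed
        [ "$u" = "$user" ] && return 0
    done
    return 1
}
```

    Example use after editing the file: 'sshd_user_allowed /etc/ssh/sshd_config root && echo
    "root can still log in"'. The hosts.allow/hosts.deny rules are a separate layer (tcp_wrappers)
    and are not covered by this check.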

  12.4 Change hostname
    -> edit /etc/hostname
    $ /etc/init.d/hostname.sh

  12.5 Useful packages:
    apt-get install acl        # extended file-permissions (getfacl/setfacl)
    apt-get install rdate      # synchronize date with a remote server, e.g. ntp1.ptb.de
    apt-get install host       # dns-lookup tool for hostnames



13) Useful debian-commands and files
  - set default editor:
    $ update-alternatives --config editor
  - inetd services:         /etc/inetd.conf
  - service-name to port:   /etc/services
  - system wide variables:  /etc/environment
  - access-control-lists:   apt-get install acl
  - nmap localhost              # lists the open (listening) TCP-ports
  - nmap -sU localhost          # lists the open UDP-ports
  - netstat -ap                 # lists bound and in-use ports with the owning programs and PIDs
  - traceroute                  # shows the network route to a host
  - ipcalc 192.168.0.1/16       # ip subnet calculator
  - dpkg -l                     # lists installed packages (downloaded .deb files are cached in /var/cache/apt/archives)
  - dpkg-reconfigure <pkg-name> # Reconfigure a package
  - dpkg -S <file-pattern>      # searches for a file and lists the package from which it was installed
  - dpkg -L <pkg-name>          # lists the files of a package
  - apt-get install/remove      # installs/removes packages
  - apt-cache search <pkg>      # searches for <pkg> in available packages