http://www.howtoforge.com/perfect-server-mandriva-2010.0-free-x86_64ispconfig-2

The Perfect Server - Mandriva 2010.0 Free (x86_64) [ISPConfig 2]
Version 1.0
Author: Falko Timme
Last edited 11/05/2009

This tutorial shows how to set up a Mandriva 2010.0 Free (x86_64) server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig 2 (i.e., ISPConfig runs on it out of the box).

This tutorial is written for the 64-bit version of Mandriva 2010.0. I will use the following software:

• Web Server: Apache 2 (with PHP5, Ruby, Python, and WebDAV)
• Mail Server: Postfix
• DNS Server: BIND9
• FTP Server: proftpd
• POP3/IMAP server: Dovecot
• Webalizer for web site statistics

Please note that this setup does not work for ISPConfig 3! It is valid for ISPConfig 2 only!

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note

In this example I will use the following settings for my system:

• IP address: 192.168.0.100, gateway: 192.168.0.1
• Host name: server1.example.com

Your settings will most likely differ, so you might have to adjust the instructions from this tutorial.
2 Requirements

To install such a system you will need the following:

• Download the Mandriva 2010.0 DVD iso image or the Mandriva 2010.0 CD iso images from a mirror near you (you can find the download here: http://www.mandriva.com/en/download); I have used the Mandriva 2010.0 DVD for this tutorial.
• a fast Internet connection...
3 The Base System

Boot from your Mandriva 2010.0 DVD or CD (the first one). Select Install Mandriva Linux 2010 and press Enter:
Choose your language next:
Accept the license and click on Next:
Select your keyboard layout:
Now we have to partition our hard disk. You can choose to let the Mandriva installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (about 150 MB) with the file system ext4, a swap partition and a huge / partition (again with ext4):
Afterwards, the new partitions are being formatted:
We don't have any other installation media, so we select None and click on Next:
We don't want a desktop on a server system, therefore we select Custom on this screen:
Now we select the package groups we want to install. Select Internet station, Network Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database, Firewall/Router and Network Computer server, unselect all other package groups, and click on Next:
The package installation starts:
Afterwards, provide a root password and create another user (e.g. administrator) and click on Next:
Now the installer presents us a summary of the installation and gives us the possibility to change settings by clicking on the appropriate Configure button. First of all we configure the time zone we're in:
Select your time zone:
On the next screen select hardware clock set to UTC, Automatic time synchronization (using NTP), and for NTP Server choose All servers:
Next we make sure that the Security Level is set to Standard (all other security levels are too restrictive):
Next we modify the firewall settings:
ISPConfig comes with its own firewall, so if you like to install ISPConfig, select Everything (no firewall) to disable the firewall. Keep in mind that the host then has no packet filter at all until ISPConfig's firewall is installed and enabled, so do not expose it to an untrusted network in the meantime. Otherwise, configure the firewall to your needs:
Select Wired (Ethernet) unless you're using something different:
Select the network interface that you want to configure:
We want to assign a static IP address to our network interface (remember, we're installing a server...), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose Manual configuration:
Now enter the IP address, Netmask, and Gateway. Also enter the Host name (e.g. server1.example.com) and up to two DNS servers (e.g. 145.253.2.75 and 213.191.92.86):
Do not allow users to start the connection. It's a server, and servers are always online (at least, they should be...). But select Start the connection at boot:
Choose to start the network connection now:
In my setup I got the message that the Internet connectivity test failed - I'm not sure if this is a bug in the Mandriva installer, or if there was a temporary problem with my Internet connection at that time; anyway, the Internet connection was working without any problems after the initial installation, so if you see this message, don't let it fool you:
We've now made all necessary configurations, so we can leave the summary screen by clicking on Next:
Now you can download the latest updates. Please note: this is optional. We are going to create a cron job which will update our system automatically, so you can select No here:
The base installation is now finished, you can now remove the CD or DVD and reboot the system:
Now on to the system configuration... Please note that root logins via SSH are disabled by default on Mandriva 2010.0. If you want to log in over SSH, log in as a normal user first (because I created the normal user account administrator during the installation, I use administrator to log in) and then run su to become root.
4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1
5 Setting The Hostname

You can check the current hostname with the commands

hostname
hostname -f

Both commands should show server1.example.com. If the output shows a wrong hostname, you can set the correct one like this:

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

To have the system set the correct hostname whenever you boot the system, we add the last command to /etc/rc.local:

vi /etc/rc.local

[...]
/bin/hostname -F /etc/hostname
6 Configure urpmi

By default, Mandriva 2010.0 uses the installation DVD as its only software repository, which is inconvenient if the server is in a remote location. Therefore we disable the DVD and enable the Mandriva online repositories:

urpmi.removemedia -a && urpmi.addmedia --distrib --mirrorlist
6.1 Creating An Auto-Update Script

Now we create a script /etc/cron.daily/software_update that will automatically be run by cron daily and looks for and installs the latest software updates on your Mandriva 2010.0 system. The script looks like this:

vi /etc/cron.daily/software_update

#!/bin/bash
urpmi --auto-update --update --auto
Make the script executable:
chmod 755 /etc/cron.daily/software_update
7 Install Some Packages

Now we install a few packages that are needed later on:

urpmi fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex lib64xorg-x11-devel gcc gcc-c++
8 Journaled Quota

To install the quota package, run

urpmi quota

Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# Entry for /dev/sda6 :
UUID=5655e2e6-9865-41be-aafb-ef9111b7b6f9 / ext4 relatime,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 1 1
# Entry for /dev/sda1 :
UUID=93aca769-d885-4694-a1c6-1df246caa426 /boot ext4 relatime 1 2
/dev/cdrom /media/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/fd0 /media/floppy auto umask=0,users,iocharset=utf8,noauto,exec,flush 0 0
none /proc proc defaults 0 0
# Entry for /dev/sda5 :
UUID=5751d7b7-9d7a-48bf-aedb-48a9bda0a308 swap swap defaults 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
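As an added example (not part of the original tutorial), the following POSIX shell functions make the fstab edit above repeatable instead of a hand edit in vi: they append the three journaled-quota options to the entry for a given mount point only when they are missing, write the result atomically, and let you confirm the edit afterwards. The fstab path and mount point are parameters; the option string is the one the tutorial adds.

```shell
#!/bin/sh
# Added example, not from the tutorial: add the journaled-quota mount options
# to one fstab entry idempotently, so re-running the step never doubles them.
# Usage: add_jquota_opts FSTAB_FILE MOUNTPOINT   (MOUNTPOINT defaults to /)
JQUOTA_OPTS='usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0'

add_jquota_opts() {
    fstab=$1
    mnt=${2:-/}
    # Already carries the options: nothing to do.
    if fstab_has_jquota "$fstab" "$mnt"; then
        return 0
    fi
    # Write to a temporary file and rename, so a crash mid-write cannot leave
    # a truncated fstab behind (an unbootable box is the failure mode here).
    tmp="$fstab.tmp.$$"
    awk -v mnt="$mnt" -v opts="$JQUOTA_OPTS" '
        # Skip comments; touch only the line whose mount point (field 2)
        # matches and whose option field (field 4) has no jqfmt= yet.
        $1 !~ /^#/ && $2 == mnt && $4 !~ /jqfmt=/ { $4 = $4 "," opts }
        { print }
    ' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Exit 0 when the entry for MOUNTPOINT carries all three quota options.
fstab_has_jquota() {
    awk -v mnt="$2" '
        $1 !~ /^#/ && $2 == mnt &&
        $4 ~ /usrjquota=/ && $4 ~ /grpjquota=/ && $4 ~ /jqfmt=vfsv0/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the option field of the MOUNTPOINT entry, for inspection.
fstab_opts() {
    awk -v mnt="$2" '$1 !~ /^#/ && $2 == mnt { print $4 }' "$1"
}
```

Run add_jquota_opts /etc/fstab / before the touch/remount/quotacheck steps; fstab_has_jquota /etc/fstab / then confirms the edit, and a second run is a no-op rather than producing a duplicated option string that mount would reject.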
9 DNS Server

To install the BIND DNS server, run:

urpmi bind

Mandriva 2010.0's BIND is running chrooted by default, therefore we need to create a few symlinks so that ISPConfig (if you want to install it) can deal with it:

cd /var/lib/named/var
mkdir -p lib/named/var
cd lib/named/var
ln -s ../../../named/ named
ln -s ../../../run/ run
cp /var/lib/named/var/named/reverse/named.local /var/lib/named/var/named/

Next we create the system startup links for BIND...

chkconfig named on

... and start it:

/etc/init.d/named start
10 MySQL 5

To install MySQL 5, we simply run:

urpmi MySQL MySQL-client lib64mysql-devel

By default, networking is not enabled in Mandriva 2010.0's MySQL package, but networking is required by ISPConfig. We can change this by commenting out the line skip-networking in /etc/my.cnf:

vi /etc/my.cnf

[...]
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
[...]

Note that without a bind-address setting mysqld now listens on every interface (that is what the *:mysql in the netstat output below means). If nothing outside this host needs to reach MySQL, restrict it with bind-address = 127.0.0.1 in the [mysqld] section once the setup is complete, or block port 3306 in the firewall.

Afterwards, we create the system startup links for MySQL...

chkconfig mysqld on

... and start it:

/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[root@server1 var]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      2538/mysqld
tcp        0      0 *:mysql-im                  *:*                         LISTEN      2529/mysqlmanager
[root@server1 var]#

Next, run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).
11 Postfix With SMTP-AUTH And TLS; Dovecot

Install the required packages (Postfix, cyrus-sasl, Dovecot, etc.) like this:

urpmi cyrus-sasl lib64sasl2 lib64sasl2-devel lib64sasl2-plug-plain lib64sasl2-plug-anonymous lib64sasl2-plug-crammd5 lib64sasl2-plug-digestmd5 lib64sasl2-plug-gssapi lib64sasl2-plug-login postfix dovecot

Then run:

postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
touch /etc/postfix/local-host-names

Then we set the hostname in our Postfix installation (make sure you replace server1 and example.com with your own settings):

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
Edit /etc/sasl2/smtpd.conf. It should look like this:

vi /etc/sasl2/smtpd.conf

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl/options.html

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list: plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#sasldb_path: /var/lib/sasl2/sasl.db

Create the SSL certificate needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

(Two caveats: a 1024-bit RSA key is below the 2048-bit minimum that is standard today, so pass a larger size to genrsa; and -rand /etc/hosts adds no real entropy, since that file is predictable, although it is harmless because OpenSSL seeds its generator from the kernel anyway.)

... and configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

(With smtpd_tls_auth_only = no, clients may authenticate on an unencrypted connection and send their password in the clear; set it to yes if all your mail clients support STARTTLS.)
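The following shell functions are an added example, not part of the original tutorial, showing the certificate step with the parameters a practitioner would choose today: a 2048-bit key, one openssl invocation in place of the genrsa/req/x509/decrypt sequence, no -rand /etc/hosts, and a check that key and certificate belong together before Postfix is pointed at them. The directory, the FQDN and the key size are parameters and assumptions; the file names smtpd.key and smtpd.crt follow the tutorial.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate the Postfix server key and
# self-signed certificate in one step and verify the pair.
# Usage: gen_smtpd_cert DIR FQDN [DAYS]; check_smtpd_cert DIR
gen_smtpd_cert() {
    dir=$1
    fqdn=$2
    days=${3:-3650}
    mkdir -p "$dir"
    # -nodes leaves the key unencrypted so Postfix can load it unattended
    # (the tutorial reaches the same state by decrypting and renaming the
    # key afterwards); umask 077 makes the file root-only from the start.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -days "$days" -subj "/CN=$fqdn" \
        -keyout "$dir/smtpd.key" -out "$dir/smtpd.crt" 2>/dev/null)
    chmod 600 "$dir/smtpd.key"
}

# Size of the RSA key in bits, e.g. 2048.
smtpd_key_bits() {
    openssl pkey -in "$1/smtpd.key" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Exit 0 if the certificate's public key matches the private key and the
# certificate has not expired; 1 otherwise. A mismatched pair is the usual
# cause of Postfix refusing to load its TLS key and cert at startup.
check_smtpd_cert() {
    dir=$1
    k=$(openssl pkey -in "$dir/smtpd.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/smtpd.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] &&
        openssl x509 -in "$dir/smtpd.crt" -noout -checkend 0 >/dev/null 2>&1
}

# Subject CN of the certificate, to compare against Postfix's $myhostname.
smtpd_cert_cn() {
    openssl x509 -in "$1/smtpd.crt" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

gen_smtpd_cert /etc/postfix/ssl server1.example.com produces the two files the smtpd_tls_key_file and smtpd_tls_cert_file lines above refer to. The cacert.pem the tutorial also creates is a separate self-signed CA certificate that does not sign smtpd.crt, so it is not generated here; smtpd_tls_CAfile can simply be left unset when the server certificate is self-signed.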
Next we must configure Dovecot to serve the protocols imap, imaps, pop3, and pop3s. Open /etc/dovecot.conf and adjust the following values:

vi /etc/dovecot.conf

[...]
protocols = imap imaps pop3 pop3s
[...]
disable_plaintext_auth = no
[...]
pop3_uidl_format = %08Xu%08Xv
[...]

(disable_plaintext_auth = no lets clients send their password over the unencrypted imap and pop3 ports; if all your users' mail clients can use imaps/pop3s or STARTTLS, the default of yes is the safer choice.)

Now we must tell the system to start Dovecot only after ntpd has started because Dovecot isn't very forgiving if your system's time moves backwards while Dovecot is running (see http://wiki.dovecot.org/TimeMovedBackwards). This might cause errors like the following in your syslog:

Apr 9 19:29:18 server1 dovecot: Time just moved backwards by 17 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards

Unfortunately, on Mandriva Dovecot is started before ntpd, so we change it like this:

cd /etc/rc3.d
mv S99ntpd S98ntpd
cd /etc/rc4.d
mv S99ntpd S98ntpd
cd /etc/rc5.d
mv S99ntpd S98ntpd
Then we create the system startup links for Postfix...

chkconfig postfix on

... and (re)start Postfix, saslauthd, and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/dovecot restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines 250-STARTTLS and 250-AUTH LOGIN PLAIN everything is fine:

[root@server1 ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (2.6.5) (Mandriva Linux)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ~]#

Type quit to return to the system's shell.
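The capability check above can be scripted. The POSIX shell functions below are an added example, not part of the original tutorial: they read an EHLO reply such as the transcript shown (on stdin), confirm that STARTTLS and AUTH LOGIN/PLAIN are advertised, list the AUTH mechanisms, and point out the consequence of smtpd_tls_auth_only = no, namely that AUTH is offered before the session is encrypted. The transcript used in the test is the one from this section, embedded as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the tutorial: evaluate a Postfix EHLO reply.
# check_ehlo reads the reply on stdin, prints one line per finding and exits
# 0 only when both STARTTLS and AUTH LOGIN/PLAIN are advertised.
check_ehlo() {
    reply=$(cat)
    status=0
    if printf '%s\n' "$reply" | grep -q '^250[- ]STARTTLS'; then
        echo "ok: STARTTLS offered"
    else
        echo "FAIL: no STARTTLS capability"
        status=1
    fi
    if printf '%s\n' "$reply" | grep -Eq '^250[- ]AUTH .*(LOGIN|PLAIN)'; then
        echo "ok: AUTH LOGIN/PLAIN offered"
        # The tutorial sets smtpd_tls_auth_only = no, so the AUTH line appears
        # on the unencrypted connection as well. LOGIN and PLAIN both transmit
        # the password in the clear unless the client issued STARTTLS first.
        echo "warn: AUTH advertised before STARTTLS (smtpd_tls_auth_only = no)"
    else
        echo "FAIL: no AUTH LOGIN/PLAIN capability"
        status=1
    fi
    return $status
}

# Print the mechanisms on the AUTH line, e.g. "LOGIN PLAIN" (stdin = reply).
# The "250-AUTH=..." line is the compatibility form for broken clients and
# is deliberately not matched, so the list is not reported twice.
ehlo_auth_mechs() {
    sed -n 's/^250[- ]AUTH \([A-Z0-9 -]*\).*/\1/p' | head -n 1
}
```

To feed a live server through the check without an interactive telnet session you can pipe the commands in, e.g. printf 'ehlo localhost\r\nquit\r\n' | nc localhost 25 | check_ehlo (nc is assumed to be installed). To see which capabilities the server offers inside TLS, run openssl s_client -connect localhost:25 -starttls smtp and type ehlo localhost once the handshake has completed.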
11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart
12 Apache2 With PHP5, Ruby, And Python

To install Apache2, PHP5, and Ruby, run the following command (in one line):

urpmi apache-mod_suexec apache-mod_ssl apache-mod_php apache-mod_ruby apache-mod_python lib64php5_common5 php-bz2 php-calendar php-ctype php-curl php-devel php-dio php-dom php-eaccelerator php-enchant php-esmtp php-event php-exif php-fam php-ffmpeg php-fileinfo php-filepro php-ftp php-gd php-gettext php-gmp php-iconv php-id3 php-idn php-imap php-imlib2 php-mailparse php-mbstring php-mcache php-mcrypt php-ming php-mysql php-mysqli php-newt php-odbc php-oggvorbis php-pcntl php-pcre php-pear-Net_IDNA php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-ssh2 php-suhosin php-sysvmsg php-sysvsem php-sysvshm php-tclink php-tcpwrap php-tidy php-xml php-xmlrpc php-zip php-ini curl lib64curl4-devel perl-libwww-perl ImageMagick

Create the system startup links for Apache...

chkconfig httpd on

... and start it:

/etc/init.d/httpd restart
12.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

Edit /etc/httpd/modules.d/70_mod_php.conf and comment out the AddType lines:

vi /etc/httpd/modules.d/70_mod_php.conf

LoadModule php5_module extramodules/mod_php5.so
# AddType application/x-httpd-php .php
# AddType application/x-httpd-php .phtml
# AddType application/x-httpd-php-source .phps
DirectoryIndex index.php index.phtml

Edit /etc/httpd/conf/httpd.conf and add the following line to the LoadModule section:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule php5_module extramodules/mod_php5.so
[...]

(Although this line is already in /etc/httpd/modules.d/70_mod_php.conf this is very important because otherwise the command httpd -t will report errors instead of Syntax OK when the virtual hosts created by ISPConfig contain lines like php_admin_flag safe_mode On or the like!)

Restart Apache:

/etc/init.d/httpd restart
12.2 Disable Ruby Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure Ruby on a per-website basis, i.e. you can specify which website can run Ruby scripts and which one cannot. This can only work if Ruby is disabled globally because otherwise all websites would be able to run Ruby scripts, no matter what you specify in ISPConfig.

vi /etc/httpd/modules.d/20_mod_ruby.conf

Comment out or delete everything in that file except the following lines:

LoadModule ruby_module extramodules/mod_ruby.so

Then restart Apache:
/etc/init.d/httpd restart
12.3 Enabling WebDAV Support

Since version 2.2.30 of ISPConfig, you can manage WebDAV through ISPConfig. Of course, this works only if WebDAV is installed and enabled in Apache. To install WebDAV, we run

urpmi apache-mod_dav

Next we open /etc/httpd/conf/httpd.conf and uncomment the following three lines in the LoadModule section (make sure you delete the following string at the end of these lines because otherwise Apache might complain about a syntax error: -> available in the apache-mod_dav package):

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
[...]

Then restart Apache:

/etc/init.d/httpd restart
13 Proftpd

Install Proftpd like this:

urpmi proftpd

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://www.proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

(DefaultRoot ~ confines each FTP user to their own home directory, IdentLookups off stops the server from sending ident queries back to connecting clients, and ServerIdent with a fixed string keeps the ProFTPD version out of the login banner.)

Be sure to comment out the following lines at the end of /etc/proftpd.conf in order to allow ftp users to CHMOD:

[...]
# Bar use of SITE CHMOD by default
# <Limit SITE_CHMOD>
#   DenyAll
# </Limit>

Then restart Proftpd:

/etc/init.d/proftpd restart
14 Webalizer

Webalizer can be installed as follows:

urpmi webalizer
ln -s /usr/bin/awffull /usr/bin/webalizer
15 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

To install all needed Perl Modules, we can use the appropriate Mandriva packages and install them using urpmi:

urpmi perl-HTML-Parser perl-Digest-SHA1 perl-DB_File perl-Net-DNS
16 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. You can find the installation instructions here: http://www.ispconfig.org/manual_installation.htm. A First-Steps tutorial can be found here: http://www.howtoforge.com/ispconfig-2.x-first-steps

Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

vi /usr/include/stdio.h

[...]
   This function is not part of POSIX and therefore no official
   cancellation point.  But due to similarity with an POSIX interface
   or due to the implementation it is a cancellation point and
   therefore not marked with __THROW.  */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
                              size_t *__restrict __n,
                              FILE *__restrict __stream) __wur;
#endif
[...]

If you don't do this, the installation will fail because of the following error:

htpasswd.c:101: error: conflicting types for 'getline'
/usr/include/stdio.h:651: note: previous declaration of 'getline' was here
make[2]: *** [htpasswd.o] Error 1
make[2]: Leaving directory `/home/administrator/install_ispconfig/compile_aps/apache_1.3.41/src/support'
make[1]: *** [build-support] Error 1
make[1]: Leaving directory `/home/administrator/install_ispconfig/compile_aps/apache_1.3.41'
make: *** [build] Error 2
ERROR: Could not make Apache

The cause is that the bundled Apache 1.3.41 declares its own getline() in htpasswd.c, which collides with the getline() prototype that glibc exports from stdio.h. Renaming the prototype in the system header hides it from every program compiled while the change is in place, so keep that window short: you can undo the change to /usr/include/stdio.h after the successful ISPConfig installation (but don't forget to change it back whenever you want to update ISPConfig!).
17 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Mandriva's suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_SUEXEC_UMASK=077
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
[root@server1 ~]#

So if you want to use suExec with ISPConfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).