amber_build

amber_build [2011/05/31 12:07]
SLUUG Administration [Courier]
amber_build [2018/07/12 15:14]
SLUUG Administration [Base OS Config]
Line 11: Line 11:
  
 selinux is disabled by 'echo 0 > /​selinux/​enforce'​ selinux is disabled by 'echo 0 > /​selinux/​enforce'​
 +
 +Admin control is not publically available; contact the BatCave crew for questions (Lee, Chuck, Steve, Don).
  
 ===== Apache ===== ===== Apache =====
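Review bot: the `echo 0 > /selinux/enforce` line in this hunk only puts SELinux into permissive mode until the next reboot; it is not persistent, so the page should either document the persistent setting (SELINUX=permissive or SELINUX=disabled in /etc/selinux/config) or say that the runtime toggle is deliberate and must be repeated after a restart. The rest of the build (Postfix, Courier, Mailman, a web-facing Postfixadmin) is exactly the kind of stack SELinux policy covers, so a one-line reason for turning enforcement off would help the next admin decide whether it can go back on. Minor: "publically" should read "publicly".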
Line 19: Line 21:
  
 To set up SSL, we did: To set up SSL, we did:
 +<​code>​
 +# cd /​etc/​pki/​tls/​certs
  
-''​cd /​etc/​pki/​tls/​certs''​+make apache.pem
  
-''#​ make apache.pem''​+Country Name (2 letter code) [GB]:US
  
-''​Country ​Name (2 letter code) [GB]:US''​+State or Province ​Name (full name) [Berkshire]:Missouri
  
-''State or Province ​Name (full name) [Berkshire]:Missouri'​'+Locality Name (eg, city) [Newbury]:​St. Louis 
 + 
 +Organization Name (eg, company) [My Company Ltd]:St. Louis Unix User's Group 
 + 
 +Organizational Unit Name (eg, section) []:Admin Team 
 + 
 +Common Name (eg, your name or your server's hostname) []:​amber.sluug.org 
 + 
 +Email Address []:​sysadmin@sluug.org 
 +</​code>​
  
 Then we did: Then we did:
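Review bot: `make apache.pem` in /etc/pki/tls/certs produces a self-signed certificate, and the stock Makefile concatenates the private key and the certificate into that single file, so the hunk should say two things it currently leaves implicit: browsers will warn on amber.sluug.org until a CA-signed certificate replaces it, and apache.pem contains the private key, so it must keep the root-only mode the Makefile gives it (it runs under umask 77) if it is later copied or renamed. The certificate is also short-lived by default (the Makefile's openssl req call passes -days 365), which is worth recording so renewal is not forgotten. The prompt answers themselves look right; the Common Name amber.sluug.org matches the host.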
Line 34: Line 47:
 In /​etc/​httpd/​conf.d/​ssl.conf,​ we set the following two values: In /​etc/​httpd/​conf.d/​ssl.conf,​ we set the following two values:
  
-''​SSLCertificateFile /​etc/​pki/​tls/​certs/​apache.pem''​+''​SSLCertificateFile /​etc/​pki/​tls/​certs/​sluug.pem''​
  
-''​SSLCertificateKeyFile /​etc/​pki/​tls/​certs/​apache.pem''​+''​SSLCertificateKeyFile /​etc/​pki/​tls/​certs/​sluug.pem''​
  
 And then changed: And then changed:
Line 48: Line 61:
 Then we restarted apache. ​ Then we restarted apache. ​
  
-''​Locality Name (eg, city) [Newbury]:​St. Louis''​ 
  
-''​Organization Name (eg, company) [My Company Ltd]:St. Louis Unix User's Group''​+===== PHP ===== 
 +PHP didn't require much configuration. We just did:
  
-''​Organizational Unit Name (eg, section) []:Admin Team''​+''​yum install php php-mysql php-mbstring php-imap''​
  
-''​Common Name (eg, your name or your server'​s hostname) []:​amber.sluug.org''​+===== Mysql =====
  
-''​Email Address ​[]:sysadmin@sluug.org''​+Install mysql: 
 + 
 +''​# yum install mysql mysql-server''​ 
 + 
 +''#​ mysql_secure_installation''​ 
 + 
 +Edit /​etc/​my.cnf. Notice that we are bound to 127.0.0.1, and don't accept queries over the network. Also, the query log is set to /​var/​log/​mysql_query.log. This is good for troubleshooting,​ but should be turned off for normal use. 
 + 
 +<​code>​ 
 +[mysqld] 
 +datadir=/​var/​lib/​mysql 
 +socket=/​var/​lib/​mysql/​mysql.sock 
 +log=/​var/​log/​mysql_query.log 
 +user=mysql 
 +# Default to using old password format for compatibility with mysql 3.x 
 +# clients (those using the mysqlclient10 compatibility package). 
 +old_passwords=0 
 +bind-address=127.0.0.1 
 + 
 +# Disabling symbolic-links is recommended to prevent assorted security risks; 
 +# to do so, uncomment this line: 
 +# symbolic-links=0 
 + 
 +[mysqld_safe] 
 +log-error=/​var/​log/​mysqld.log 
 +pid-file=/​var/​run/​mysqld/​mysqld.pid 
 +</​code>​ 
 +===== Postfixadmin ===== 
 + 
 +Postfixadmin is a web tool for managing virtual mailboxes across multiple domains. In our case, the mailboxes and domains are both defined in mysql, while the actual mail spools live under /​home/​vmail/​user@domain.tld. When receiving mail, postfix looks in mysql to see what to do with the mail. It knows exactly where to look based on the contents of the /​etc/​postfix/​mysql* files. Similarly, when courier gets an IMAP or POP3 request, it looks in mysql to authenticate users and to learn where their mail spools are. Postfixadmin lets us easily populate the database with the needed records and avoid manually running SQL. 
 + 
 +Download postfixadmin from [[http://​sourceforge.net/​projects/​postfixadmin/​]]. Untar it into /​srv/​www/​amber.sluug.org ​and create a symlink postfixadmin->​postfixadmin.x.y.z. 
 + 
 +Log into mysql as the root user. Run: 
 + 
 +<​code>​ 
 +mysql> CREATE DATABASE postfix; 
 +mysql> CREATE USER postfix@localhost IDENTIFIED BY 'xxxxxxx'
 +mysql> GRANT ALL PRIVILEGES ON postfix.* TO postfix; 
 +mysql> flush privileges;​ 
 +</​code>​ 
 + 
 +Navigate to https://​amber.sluug.org/​postfixadmin/​setup.php. Generate the setup password as prompted and copy it into /​srv/​www/​amber.sluug.org/​postfixadmin/​config.inc.php as $CONF['​setup_password'​].  
 + 
 +Also in that file, set: 
 + 
 +<​code>​ 
 +$CONF['​database_type'​] = '​mysqli';​ 
 +$CONF['​database_host'​] = '​localhost';​ 
 +$CONF['​database_user'​] = '​postfix';​ 
 +$CONF['​database_password'​] = '​xxxxxxx';​ 
 +$CONF['​database_name'​] = '​postfix';​ 
 +$CONF['​database_prefix'​] = '';​ 
 +$CONF['​encrypt'​] = '​md5crypt';​ 
 +</​code>​ 
 + 
 +Then go back to https://​amber.sluug.org/​postfixadmin/​setup.php. It will create an admin user and build the database structure. 
 + 
 +After postfixadmin is set up, mailboxes can be manually created, or we can do a bulk populate. The bulk populate script is ~jmuse/​bulk_add_md5.pl. It expects to find a file called ~jmuse/​.md5,​ of the format: 
 + 
 +''​accountname:​md5_hash:​Real Name''​ 
 + 
 +Each account name needs to be on a separate line. The script should really be smart enough to check for duplicates, or accounts already present, but it isn't at the moment. Running the script without arguments will populate the mailbox table and create the appropriate maildir under /​home/​vmail. Because we only have one domain at the moment, it assumes that the domain part is '​sluug.org'​. If we ever expected to need this tool after the migration, these would be good changes to make. The script works on the principle that we can copy md5 hashes from /etc/shadow on bud into the postfix DB.  
 + 
 +<​code>​ 
 +#​!/​usr/​bin/​perl 
 + 
 +# Script to take data in the form 
 +# accountname:​md5_hash:​real_name 
 +# and put it into the postfix database 
 + 
 +# Warning: no error checking or duplicate checking! 
 + 
 +use warnings; 
 +use strict; 
 +use DBI; 
 + 
 +open (FILE,"/​home/​jmuse/​.md5"​) or die $!; 
 + 
 +my $dbuser='​postfix';​ 
 +my $dbpass='​xxxxxx';​ 
 +my $db='​postfix';​ 
 +my $dbh=DBI->​connect('​DBI:​mysql:​postfix',​$dbuser,​$dbpass) || die $!; 
 +while (<​FILE>​) { 
 +        my $line=$_; 
 +        my ($user,​$pass,​$realname)=split(":",​$line);​ 
 +        my $mailuser=$user . '​@sluug.org';​ 
 +        my $mailboxname=$user. '​@sluug.org/';​ 
 +        my $query="​INSERT INTO mailbox (username,​password,​name,​maildir,​quota,​local_part,​domain,​created,​modified,​active) VALUES (?,?,?,?,​0,?,'​sluug.org','​2011-05-21 12:​44:​58','​2011-05-21 12:​44:​58',​1)";​ 
 +        my $query_handle=$dbh->​prepare($query);​ 
 +        $query_handle->​execute($mailuser,​$pass,​$realname,​$mailboxname,​$user);​ 
 +        system("/​usr/​lib/​courier-imap/​bin/​maildirmake /​home/​vmail/​$mailboxname"​);​ 
 +        system ("/​bin/​chown -R vmail:vmail /​home/​vmail/​$mailboxname"​);​ 
 +
 +</​code>​
  
-===== PHP ===== 
-PHP didn't require much configuration. We just did: 
  
-''​yum install php php-mysql php-mbstring php-imap''​ 
 ===== Postfix/​Amavisd-new/​Spamassassin/​ClamAV/​Postgrey ====== ===== Postfix/​Amavisd-new/​Spamassassin/​ClamAV/​Postgrey ======
  
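Review bot: in the Postfixadmin database block, `CREATE USER postfix@localhost IDENTIFIED BY '...'` is followed by `GRANT ALL PRIVILEGES ON postfix.* TO postfix;`, which grants to postfix@'%', not to postfix@localhost; on MySQL of this era the GRANT silently creates a second, passwordless postfix account reachable from any host (only bind-address=127.0.0.1 in my.cnf stands in the way), while the localhost account that config.inc.php actually uses receives no privileges. Change it to `GRANT ALL PRIVILEGES ON postfix.* TO postfix@localhost;` and add the missing semicolon after the CREATE USER line. Related: with `log=/var/log/mysql_query.log` enabled in my.cnf, the general query log records that CREATE USER statement, password included, in plaintext; the prose already says to turn the log off for normal use, but it should also say to scrub or delete the log once setup is done. Further up, ssl.conf now points both SSLCertificateFile and SSLCertificateKeyFile at sluug.pem while the step above generates apache.pem; say where sluug.pem came from (renamed, or a CA-signed replacement) so the two steps agree. In bulk_add_md5.pl: the `while (<FILE>)` loop never chomps, so `$realname` is inserted with a trailing newline; `$user`, read straight from the input file, is interpolated unquoted into two `system("... /home/vmail/$mailboxname")` calls, so the script must only ever be run on a trusted, hand-checked .md5 file (or switch to the list form of system and validate the account name first); `die $!` after DBI->connect should be `die $DBI::errstr`, since `$!` will usually be empty there; and the block as rendered is missing the closing `}` of the while loop. The comment "Warning: no error checking or duplicate checking!" is honest, but given the script runs as root under /home/vmail the input-validation point deserves a line of its own.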
Line 166: Line 270:
 virtual_transport = virtual virtual_transport = virtual
 </​code>​ </​code>​
 +
 +Also in /​etc/​postfix/​main.cf,​ add or uncomment line "​recipient_delimiter = +". This specifies the separator between user names and address extensions (user+foo).
 +
 +Also in /​etc/​postfix/​main.cf,​ add "​disable_vrfy_command=yes"​. Disable VRFY....From Jeff's presentation.
  
 Now, edit the mapping files. **IMPORTANT:​ These files contain database passwords! They need to be root:​postfix 640!** Now, edit the mapping files. **IMPORTANT:​ These files contain database passwords! They need to be root:​postfix 640!**
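Review bot: the `disable_vrfy_command=yes` line is justified only by "Disable VRFY....From Jeff's presentation"; the page should state the reason in its own words (VRFY lets a remote client ask whether an address exists, which is an enumeration aid) and the caveat that it does not stop enumeration through RCPT TO, since with virtual_mailbox_maps Postfix still rejects unknown recipients inside the SMTP session; if enumeration is the concern, pair it with the anvil rate limits (smtpd_client_recipient_rate_limit and friends). Also worth one sentence on the `recipient_delimiter = +` line: with the MySQL virtual maps, user+foo@sluug.org is looked up first and falls back to user@sluug.org, which is why the delimiter is safe to enable without adding rows. Style: the two consecutive "Also in /etc/postfix/main.cf" paragraphs read better as a single two-item list.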
Line 237: Line 345:
   * Set $mydomain, $myhostname in /​etc/​amavisd.conf   * Set $mydomain, $myhostname in /​etc/​amavisd.conf
   * Uncomment $MYHOME,​$helpers_home,​$lock_file,​$pid_file   * Uncomment $MYHOME,​$helpers_home,​$lock_file,​$pid_file
-  * Uncomment the clamav block in amavisd.conf. Make sure the patch to the socket +  * Uncomment the clamav block in amavisd.conf. Make sure the path to the socket is /​var/​run/​clamav/​clamd.sock (must match the LocalSocket setting in clamd.conf) 
-is /​var/​run/​clamav/​clamd.sock (must match the LocalSocket setting in clamd.conf) +  * Change setting $sa_tag_level_deflt to -9999 instead of 2.0.  This means the SpamAssassin score headers are added to all mail. 
 +  * Uncomment the sample $final_spam_destiny line and change the value from D_PASS to D_DISCARD. Due to the default changing from bounce to pass. 
 +  * Try to be a little more lenient on mail relayed by our users. ​ Add "​spam_kill_level_maps => [10.0],"​ to the "​$policy_bank{'​ORIGINATING'​}"​ section.
  
 Append the following to /​etc/​postfix/​master.cf:​ Append the following to /​etc/​postfix/​master.cf:​
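Review bot: the $final_spam_destiny item explains the switch to D_DISCARD with "Due to the default changing from bounce to pass", which does not say why D_DISCARD was chosen; the reason is that D_BOUNCE from a post-queue filter generates backscatter to forged sender addresses, D_PASS would deliver the tagged spam, and D_DISCARD drops it silently, so senders of false positives get no notification and the quarantine (if any) is the only place to recover them. State that trade-off in the bullet. The `spam_kill_level_maps => [10.0]` entry in the ORIGINATING policy bank only takes effect if mail from our own users actually reaches amavisd on a port mapped to that bank (via $interface_policy in amavisd.conf), so the master.cf text that follows should show which port submission traffic is handed to. The `$sa_tag_level_deflt` change to -9999 is fine and the explanation (score headers on all mail) is accurate.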
Line 294: Line 403:
   * courier-authlib-mysql   * courier-authlib-mysql
   * courier-imap   * courier-imap
-  * courrier-authlib-devel+  * courier-authlib-devel
  
-As an unprivilged ​user, do:+As an unprivileged ​user, do:
 <​code>​ <​code>​
 mkdir $HOME/rpm mkdir $HOME/rpm
Line 344: Line 453:
 Be sure that TCP 110, 143, 993, and 995 are enabled in iptables. ​ Be sure that TCP 110, 143, 993, and 995 are enabled in iptables. ​
  
-===== Postfixadmin ===== 
  
 ===== Mailman ===== ===== Mailman =====
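Review bot: the iptables line opens plaintext POP3 (110) and IMAP (143) alongside 993 and 995; since Courier authenticates against MySQL with password hashes copied from /etc/shadow, opening the plaintext ports means user passwords cross the network in the clear unless plaintext logins are refused before STARTTLS. The page should either say that 110/143 are for STARTTLS only, with Courier's IMAP_TLS_REQUIRED=1 and POP3_TLS_REQUIRED=1 set in its imapd and pop3d config files, or open only 993 and 995. Either way, record the choice next to the iptables rule.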
Line 369: Line 477:
 Mailman wouldn'​t start because the mailman list was missing. Mailman wouldn'​t start because the mailman list was missing.
  
-FIXME Did someone rsync over lists from bud? What happened in this step? +FIXME Did someone rsync over lists from bud? What happened in this step? It should have been lists/, data/, archives/, followed by /​usr/​local/​mailman/​bin/​genaliases.
- +
  
 +See [[build:​lists|MailMan]] for configuration files and options,
 +including Apache.
 +===== Webmail=====
  
 +We have installed roundcube as our [[build:​webmail|Webmail]] tool.
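Review bot: the FIXME paragraph now names what should have been copied (lists/, data/, archives/, then bin/genaliases) but is still marked FIXME; if that is what was done, drop the marker and add the two follow-ups a copy from bud needs: run `bin/check_perms -f` afterwards, because rsync from another host rarely preserves the mailman group ownership and setgid directory bits Mailman insists on, and note that data/ carries adm.pw and creator.pw (the site and list-creator password hashes) plus the generated aliases, so those files need the same restrictive ownership and mode they had on bud. The missing "mailman" site list is expected if lists/ was copied without it; `bin/newlist mailman` creates it and clears the startup error.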
amber_build.txt · Last modified: 2018/07/12 15:16 by SLUUG Administration