Base OS Config

The base OS is supplied by Contegix. It is running CentOS, which we have brought up to 5.5 via 'yum update'.

We needed to comment out the IPv6 hosts file entry in order to make mysql access control work properly.

SSH has been moved to port 2206 (Port 2206 in /etc/ssh/sshd_config). The iptables rules must allow the new port before the old one is closed, or a remote admin gets locked out. Moving the port only cuts down scanner noise in the logs; it is not a security control in itself.

We have created accounts for those people who could reasonably be expected to do admin-type functions. We just used useradd, and didn't worry about user IDs staying in sync with our other machines. There will be no shell accounts for non-sysadmin users on amber.

iptables is configured with 'system-config-securitylevel-tui' or by editing /etc/sysconfig/iptables directly. If editing the config file, run 'service iptables restart' afterwards.

selinux is disabled by 'echo 0 > /selinux/enforce'. Note that this only switches the running kernel to permissive mode (the policy stays loaded and denials are still logged, just not enforced) and it does not survive a reboot. To make the change stick, set SELINUX=permissive or SELINUX=disabled in /etc/selinux/config; 'getenforce' shows the current state.


We copied over almost all of the debian configs from bud into /etc/httpd. This means that we still have the sites-available/ and sites-enabled/ directories, and that we don't have to rework our configs into a way that fits the 'CentOS way' of setting up Apache. The original CentOS config file is in /etc/httpd/conf/httpd.conf.dist if we need it for anything. One change we did make was putting all our sites under /srv/www/html.

We used chkconfig ('chkconfig httpd on') to make sure Apache starts at boot, and opened ports 80 and 443 in iptables.

To set up SSL, we did:

# cd /etc/pki/tls/certs

# make apache.pem

and answered the prompts. This produces a self-signed certificate with the private key and the certificate in the same file, so browsers will warn until it is replaced with a CA-issued one, and apache.pem must be owned by root and mode 0600:

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:Missouri

Locality Name (eg, city) [Newbury]:St. Louis

Organization Name (eg, company) [My Company Ltd]:St. Louis Unix User's Group

Organizational Unit Name (eg, section) []:Admin Team

Common Name (eg, your name or your server's hostname) []

Email Address []

The Common Name must be the hostname clients use in the URL, otherwise browsers report a name mismatch on top of the self-signed warning. The expiry date can be checked with 'openssl x509 -in apache.pem -noout -enddate'.

Then we did:

# yum install mod_ssl

In /etc/httpd/conf.d/ssl.conf, we set the following two values:

SSLCertificateFile /etc/pki/tls/certs/apache.pem

SSLCertificateKeyFile /etc/pki/tls/certs/apache.pem

And then changed:

<VirtualHost _default_:443>

Then we restarted apache.
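The following is an added example, not part of the original amber notes: it does by hand what 'make apache.pem' does (key and certificate in one file), with the subject fields listed above and an explicit Common Name, and then verifies the file the way a sysadmin should before pointing mod_ssl at it. It assumes openssl is on PATH; the output directory and hostname are illustrative arguments, not the values used on amber.

```sh
#!/bin/sh
# Added example (not from the original page). Assumptions: openssl on PATH;
# output directory and hostname are chosen by the caller for illustration.

# Generate a self-signed certificate plus key into one PEM file, the way
# 'make apache.pem' does, with the Common Name given explicitly.
make_apache_pem() {
    outdir="$1"          # on amber this would be /etc/pki/tls/certs
    cn="$2"              # must be the name clients connect to
    days="${3:-365}"
    mkdir -p "$outdir" || return 1
    # Subshell so the umask change does not leak: the private key shares the
    # file with the certificate, so apache.pem must be readable by root only.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/C=US/ST=Missouri/L=St. Louis/O=St. Louis Unix User's Group/OU=Admin Team/CN=$cn" \
            -keyout "$outdir/apache.key.$$" -out "$outdir/apache.crt.$$" 2>/dev/null || exit 1
        cat "$outdir/apache.key.$$" "$outdir/apache.crt.$$" > "$outdir/apache.pem"
        rm -f "$outdir/apache.key.$$" "$outdir/apache.crt.$$"
    )
}

# Returns 0 only if the PEM holds a key and a certificate that belong
# together, is mode 0600, carries the expected CN and has not expired.
check_apache_pem() {
    pem="$1"
    cn="$2"
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "no private key in $pem"; return 1; }
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = "600" ] || { echo "$pem is mode $mode, expected 600"; return 1; }
    # Subject line format differs between OpenSSL versions ("CN=x" vs "CN = x").
    openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "CN is not $cn"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate in $pem has expired"; return 1; }
    # The public key in the certificate must match the private key beside it;
    # a mismatch is what Apache would refuse at startup.
    [ "$(openssl x509 -in "$pem" -noout -pubkey)" = "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" ] \
        || { echo "key and certificate in $pem do not match"; return 1; }
    echo "$pem OK"
}

# Usage (hypothetical paths):
#   make_apache_pem /tmp/ssl-demo www.example.org 30
#   check_apache_pem /tmp/ssl-demo/apache.pem www.example.org
```

Run check_apache_pem against the real /etc/pki/tls/certs/apache.pem after 'make apache.pem' as well; the mode check is the one that matters most, since the same file holds the private key.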


PHP didn't require much configuration. We just did:

yum install php php-mysql php-mbstring php-imap


Mysql support is required in postfix for our virtual domain setup to work. The postfix in the standard CentOS repos is built without it, so we removed it and installed the build from CentOS-Plus:

# yum remove postfix

Then edit /etc/yum.repos.d/CentOS-Base.repo so that yum never pulls postfix back in from the base or updates repos. First, in the [base] stanza:

name=CentOS-$releasever - Base
exclude=postfix spamassass* 

and then in the [updates] stanza:

name=CentOS-$releasever - Updates
exclude=postfix spamass*

Then run:

# yum install postfix

Afterwards 'postconf -m' should list mysql among the supported lookup table types; if it does not, the package did not come from CentOS-Plus.
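As an added example (not from the original notes), here is a check that the repo edits above actually leave CentOS-Plus as the only enabled source of postfix: every other enabled stanza must exclude it, or yum may prefer a newer postfix from there. The sample .repo files are constructed for the example; the [centosplus] stanza being enabled with includepkgs=postfix* is an assumption about how the plus repo was switched on, not something the notes record.

```sh
#!/bin/sh
# Added example (not from the original page). Reads a yum .repo file on stdin
# and reports every enabled stanza that could still supply postfix.

check_postfix_repo() {
    awk '
        /^\[[^]]+\]$/ { sec = substr($0, 2, length($0) - 2); order[++nsec] = sec; next }
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        index($0, "=") {                               # key=value inside a stanza
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val[sec, k] = v
        }
        END {
            n = 0
            for (i = 1; i <= nsec; i++) {
                s = order[i]
                # yum treats a stanza without enabled= as enabled
                en = ((s, "enabled") in val) ? val[s, "enabled"] : "1"
                if (s == "centosplus") {
                    if (en != "1") { print "FINDING: [centosplus] is not enabled; yum install postfix will not see the MySQL-enabled build"; n++ }
                    continue
                }
                if (en != "1") continue
                # exclude= is a space/comma separated list; postfix or postfix* must be in it
                if (val[s, "exclude"] !~ /(^|[ ,])postfix(\*|[ ,]|$)/) {
                    print "FINDING: [" s "] is enabled and does not exclude postfix; it can shadow the centosplus package"; n++
                }
            }
            exit (n > 0)
        }'
}

# Constructed sample repo files (not copied from any real machine).
sample_repo() {
    case "$1" in
    weak) cat <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
exclude=postfix spamassass*

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
exclude=postfix spamass*

[extras]
name=CentOS-$releasever - Extras
gpgcheck=1

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=0
EOF
    ;;
    fixed) cat <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
exclude=postfix spamassass*

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
exclude=postfix spamass*

[extras]
name=CentOS-$releasever - Extras
gpgcheck=1
exclude=postfix

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=1
includepkgs=postfix*
EOF
    ;;
    esac
}

# Demo on the constructed samples; on a real box: check_postfix_repo < /etc/yum.repos.d/CentOS-Base.repo
for s in weak fixed; do
    echo "== $s =="
    sample_repo "$s" | check_postfix_repo || echo "postfix would not come from centosplus"
done
```

The 'extras' finding is conservative: the stanza may never ship postfix, but excluding it there costs nothing and removes the guess.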

From the docs at, we enabled rpmforge for more current spamassassin and clamav builds.


# rpm -K rpmforge-release-0.5.2-2.el5.rf.*.rpm

# rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm

# yum --enablerepo=rpmforge,rpmforge-extras install amavisd-new clamav clamav-devel clamd spamassassin

# yum install postgrey

'rpm -K' only verifies the package signature if the RPMforge GPG key has already been imported with 'rpm --import'; without the key it reports NOT OK / MISSING KEYS instead of verifying anything.

We created a user 'vmail' for virtual mail delivery, UID/GID 5000/500.

inet_interfaces in /etc/postfix/ is set to 'all'

myhostname in /etc/postfix/ is set to ''

Also in, add a line saying:


And an entry for smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
   check_policy_service unix:postgrey/socket,

The unix: path is relative to postfix's queue_directory (/var/spool/postfix by default). In the full restriction list, reject_unauth_destination must appear before anything that could permit relaying, and the postgrey check normally goes after it so that only mail for our own recipients is greylisted.

amavisd and clamd require some changes:

  • Comment out the TCPSocket line in clamd.conf, so clamd listens only on its Unix socket.
  • Set $mydomain and $myhostname in /etc/amavisd.conf.
  • Uncomment $MYHOME, $helpers_home, $lock_file and $pid_file.
  • Uncomment the clamav block in amavisd.conf. Make sure the path to the socket is /var/run/clamav/clamd.sock (it must match the LocalSocket setting in clamd.conf).

Append the following to /etc/postfix/ . The first entry hands mail to amavisd over LMTP; the second is the smtpd listener on which amavisd hands the scanned mail back (its address and port must match $forward_method in amavisd.conf), and its restrictions are overridden so the returned copy is not filtered, rewritten or rate-limited a second time. The mynetworks override on that listener has to cover the address amavisd connects from (normally loopback): with 'permit_mynetworks,reject' and an empty mynetworks, every reinjected message is refused.

amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
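The reinjection listener above is the part of this setup that is easiest to get subtly wrong (mail loops back into the filter, or is refused outright). As an added example, not from the original notes, here is a small awk-based lint for that master.cf entry. The sample fragments are constructed for the example and the listener name 127.0.0.1:10025 is an assumption; it is not recorded on this page.

```sh
#!/bin/sh
# Added example (not from the original page). Reads a master.cf fragment on
# stdin and lints the named service as an amavisd reinjection listener.

check_reinject_listener() {
    awk -v svc="$1" '
        # A service line starts in column 1:
        #   name type private unpriv chroot wakeup maxproc command
        /^[^ \t#]/ { cur = $1; if (cur == svc) { found = 1; cmd = $8 }; next }
        # Indented "-o key=value" lines belong to the service above them
        cur == svc && $1 == "-o" {
            eq = index($2, "=")
            opt[substr($2, 1, eq - 1)] = substr($2, eq + 1)
        }
        END {
            n = 0
            if (!found) { print "FINDING: service " svc " not defined"; exit 1 }
            if (cmd != "smtpd") { print "FINDING: " svc " runs " cmd ", expected smtpd"; n++ }
            # Without an empty content_filter override the listener inherits
            # main.cf content_filter and sends the mail back to amavisd: a loop.
            if (!("content_filter" in opt) || opt["content_filter"] != "") {
                print "FINDING: content_filter not cleared on " svc ": reinjected mail would go back through the filter (loop)"; n++
            }
            uses_mynet = (opt["smtpd_client_restrictions"] ~ /permit_mynetworks/ || \
                          opt["smtpd_recipient_restrictions"] ~ /permit_mynetworks/)
            if (uses_mynet && ("mynetworks" in opt) && opt["mynetworks"] == "") {
                print "FINDING: mynetworks= is empty on " svc ": permit_mynetworks matches nothing, so every reinjection is rejected"; n++
            }
            if (uses_mynet && !("mynetworks" in opt)) {
                print "FINDING: mynetworks not overridden on " svc ": inherits the main.cf value, which is usually wider than loopback"; n++
            }
            # Aliases/virtual maps were already applied before the filter.
            if (opt["receive_override_options"] !~ /no_address_mappings/) {
                print "FINDING: receive_override_options lacks no_address_mappings on " svc ": address rewriting would run twice"; n++
            }
            exit (n > 0)
        }'
}

# Constructed sample fragments (listener name 127.0.0.1:10025 is assumed).
sample_master_cf() {
    case "$1" in
    weak) cat <<'EOF'
amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
EOF
    ;;
    fixed) cat <<'EOF'
amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
EOF
    ;;
    esac
}

# Demo on the constructed samples; on a real box:
#   check_reinject_listener 127.0.0.1:10025 < /etc/postfix/master.cf
for s in weak fixed; do
    echo "== $s =="
    sample_master_cf "$s" | check_reinject_listener 127.0.0.1:10025 || echo "listener needs fixing"
done
```

The weak sample reproduces the two conditions the prose warns about (an empty mynetworks and a receive_override_options list without no_address_mappings); the fixed one passes cleanly.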
