Configurations required for Arch compared to Ubuntu [[server:arch|App Compile Settings]]
----
Never very good at recording the steps I took to set up my server. A bit silly, given that every so often I might need to do it again (for whatever reason). This new setup is because I am moving my server from my home system to a VPS out there on the net.
The main bits that I am concerned with at the moment are:
* Webserver
* Email servers
Each of those things has a bunch of sub steps that need to be taken care of.
====== Base System ======
The base system I selected was Ubuntu Gutsy 7.10, partly because of familiarity and partly because its software is easy to keep updated.
===== Scratch Notes To Be Written Up =====
* Initially disabled root login over ssh. Have re-enabled it for use with an ssh key, for remote editing of files in TextMate. If root login is to stay enabled, limiting it to key authentication with ''PermitRootLogin without-password'' in ''sshd_config'' keeps password guessing against root off the table.
====== Web Server ======
====== Email Server ======
Mail server is actually made up of two different parts:
* Imap / Pop mail server
* SMTP server
In my original setup, the Imap server was Courier-Imap (Courier-Auth & Courier-Pop) and the SMTP server was Exim which was connected to Vexim to provide virtual users & multiple domains.
Going into my new setup I am changing over from Courier-Imap to Dovecot for a couple of reasons: partly for a change, partly because it is claimed to be faster with large folders (which I have), and partly because it's a little easier to work with. The downside is that for moving the mails over I have two options:
* Retain the existing folder structure, where everything (bar Junk, Trash and Sent) is a child of INBOX
* Move all the mails across (either manually or with a program of some kind)
Other changes happening are moving from Spamassassin to DSPAM for Spam filtering, adding greylisting, SPF, possibly Domain Keys, and looking at what Antivirus solution I am using (clamav is wasting a TON of memory).
==== Problems with SQL login for Dovecot with Vexim database ====
The transfer of the database to the new server went fine. However, there was a problem with the original SQL used to connect to the Vexim database to authenticate the users.
<code>
driver = mysql
connect = host=localhost dbname=vexim user=vexim password=!vexim*
default_pass_scheme = PLAIN
password_query = SELECT clear as password FROM users WHERE username = '%u' AND type = 'local' AND enabled = '1'
user_query = SELECT smtp AS maildir, uid, gid FROM users WHERE username = '%u' AND type = 'local' AND enabled = '1'
</code>
The problem is that two of my users (oddly enough, my own accounts) have the type "piped" rather than "local", to run procmail for mail filtering, so the ''type = 'local''' condition in both queries excludes them and their logins fail. Note also that ''password_query'' reads the ''clear'' column with ''default_pass_scheme = PLAIN'', so this setup depends on Vexim keeping the passwords in clear text in the database.
==== Tweaking login for Tarasis.net users ====
In an effort to make it a bit easier for Tarasis users to log into their accounts, they only need to specify their username without the domain, i.e. ''user'' rather than
''user @ domain''
This is done by setting ''auth_default_realm'' in ''dovecot.conf'' to the domain you require.
Also I have used [[http://wiki.dovecot.org/UserDatabase/Prefetch|SQL Database Prefetch]] with Dovecot to hit the DB only once rather than twice. I suspect this is premature optimization though, given there are few users and at present limited DB hits.
===== Configure DSPAM =====
First install dspam and its dependencies
<code>
sudo apt-get install dspam dspam-doc dspam-webui libdspam7-drv-mysql
</code>
On completion of the install it will ask to configure libdspam7-drv-mysql with dbconfig-common. Answer Yes.
Then specify a password for the dspam "user".
Then supply the password of the DB admin so that it can log in and create the relevant data. (I got this wrong the first couple of times.)
Create the dspamdb database.
Create the dspam user and grant it all permissions on dspamdb.
Import the tables
<code>
mysql -u dspam -p -D dspamdb < /usr/share/doc/libdspam7-drv-mysql/mysql_objects-speed.sql
mysql -u dspam -p -D dspamdb < /usr/share/doc/libdspam7-drv-mysql/virtual_users.sql
</code>
Set the following 5 tables to InnoDB (not MyISAM, which is the default; if not, it can cause corruption). I did this by hand using phpMyAdmin: select the DB, select the table, select Operations, change the Storage Engine type and then press Go.
* dspam_preferences
* dspam_signature_data
* dspam_stats
* dspam_token_data
* dspam_virtual_uids
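The same engine change done from the mysql command line rather than by hand in phpMyAdmin, as an added example that is not from the original notes. It assumes the ''dspamdb'' database and ''dspam'' user created above and reads each table's engine from ''information_schema''; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): check which of the five DSPAM
# tables still use MyISAM and emit the ALTER TABLE statements to move them to InnoDB.
# Assumes the dspamdb database and dspam user created above.
DSPAM_TABLES="dspam_preferences dspam_signature_data dspam_stats dspam_token_data dspam_virtual_uids"

# Read "table<TAB>engine" lines on stdin (the output format of query_engines
# below) and print the names of the DSPAM tables whose engine is not InnoDB.
tables_not_innodb() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name engine; do
        for t in $DSPAM_TABLES; do
            if [ "$t" = "$name" ] && [ "$engine" != "InnoDB" ]; then
                echo "$name"
            fi
        done
    done
}

# Turn table names on stdin into one ALTER TABLE statement each.
alter_statements() {
    while read -r name; do
        if [ -n "$name" ]; then
            echo "ALTER TABLE \`$name\` ENGINE=InnoDB;"
        fi
    done
}

# Ask the server which engine each table in dspamdb uses.
# -N drops the header row, -B gives tab-separated output.
query_engines() {
    mysql -N -B -u dspam -p -D dspamdb -e \
        "SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'dspamdb'"
}

# Against a live server (not run here) the whole conversion is one pipeline;
# run query_engines again afterwards to confirm nothing is left on MyISAM:
#   query_engines | tables_not_innodb | alter_statements | mysql -u dspam -p -D dspamdb
```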
Configure BLAH
Set it to auto start by editing ''/etc/default/dspam'' and changing ''START=no'' to ''START=yes''.
Oh God, skipped writing a ton. Had to do tweaking of the dspam configs:
* Move mysql.conf into dspam.d (possibly also purge.sql)
* Change permissions
* Change the trusted deliverer to exim rather than procmail
* Enable SpamAssassin for the user (thought I had done it when creating the user, but the entry in the database said off)
===== DSpam on NGINX =====
Need to set up FCGI for Perl; I used the recipe here with minor tweaks: [[http://wiki.codemongers.com/NginxSimpleCGI|NGINX English Wiki - NginxSimpleCGI]]
Hmm, while that works to get DSPAM loaded, I need to get auth working, and by the looks of it that isn't possible with an SQL database. Looks like I will need to proxy the site to an instance of apache2. Grr, was hoping to avoid that.
===== Exim Configuration =====
<code>
sudo dpkg-reconfigure exim4-config
</code>
Answers given to the prompts:
* select internet site; mail is sent and received directly using SMTP
* set mail name to tarasis.net
* set listen IP to 127.0.0.1
* leave other destinations for which mail is accepted
* leave Domains to relay mail for blank
* leave Machines to relay mail for blank
* set Keep number of DNS-queries minimal (Dial-on-Demand) to NO
* set Delivery method for local mail to Maildir format in home directory
* set Maildir format in home directory to NO
* set Root and postmaster mail recipient to robertm
That's it.
Okay, let's eschew both of the configs that Ubuntu comes with by default: either their split-files setup, or their littered single file with macro definitions. Copy the example config from the Vexim docs
<code>
sudo cp ~/sources/vexim2/docs/*.conf configure /etc/exim4/
sudo mv /etc/exim4/configure /etc/exim4/exim4.conf
</code>
I am commenting out all references to Mailman because I have no need for them at this moment in time.
First set the IP address
<code>
MY_IP = IP-ADDRESS
</code>
Then remove ''pear.silverwraith.com'' from
<code>
domainlist local_domains = @ : pear.silverwraith.com : ${lookup mysql{VIRTUAL_DOMAINS}} : ${lookup mysql{ALIAS_DOMAINS}}
</code>
Change ''trusted_users''
<code>
trusted_users = avleen:www
</code>
to
<code>
trusted_users = vmail:www-data
</code>
Uncomment the ''hide mysql_servers'' line, fix the location of the mysql socket and add the required password for the vexim DB. Keep the ''hide'' prefix: it stops non-admin users from reading the password back out of ''exim -bP'' output.
<code>
#hide mysql_servers = localhost::(/tmp/mysql.sock)/vexim/vexim/CHANGE
</code>
to
<code>
hide mysql_servers = localhost::(/var/run/mysqld/mysqld.sock)/vexim/vexim/PASSWORD
</code>
Change the ''av_scanner'' line to reflect clamav's real socket file
<code>
av_scanner = clamd:/var/run/clamav/clamd
</code>
to
<code>
av_scanner = clamd:/var/run/clamav/clamd.ctl
</code>
Next change the exim user & group
<code>
exim_user = mailnull
exim_group = mail
</code>
to
<code>
exim_user = Debian-exim
exim_group = Debian-exim
</code>
Change all of the Vexim configuration include lines to reflect their location in ''/etc/exim4'' rather than ''/usr/local/etc/exim/''
<code>
.include /etc/exim4/vexim-acl-check-spf.conf
.include /etc/exim4/vexim-acl-check-helo.conf
.include /etc/exim4/vexim-acl-check-rcpt.conf
.include /etc/exim4/vexim-acl-check-content.conf
.include /etc/exim4/vexim-group-router.conf
</code>
In the ''system_aliases'' section change
<code>
user = mailnull
group = mail
</code>
to
<code>
user = Debian-exim
group = Debian-exim
</code>
Locate the ''mailman_transport'' transport and comment it out
<code>
#mailman_transport:
# driver = pipe
# command = MAILMAN_WRAP \
# '${if def:local_part_suffix \
# {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
# {post}}' \
# $local_part
# current_directory = MAILMAN_HOME
# home_directory = MAILMAN_HOME
# user = MAILMAN_USER
# group = MAILMAN_GROUP
</code>
Locate the ''mailman_router'' and comment it out
<code>
# mailman_router:
# driver = accept
# require_files = MAILMAN_HOME/lists/$local_part/config.pck
# local_part_suffix_optional
# local_part_suffix = -bounces : -bounces+* : \
# -confirm+* : -join : -leave : \
# -owner : -request : -admin
# headers_remove = X-Spam-Score:X-Spam-Report
# transport = mailman_transport
</code>
Finally, let's check our changes so far. The following command checks the new configuration file for syntactic correctness.
<code>
exim -C /etc/exim4/exim4.conf -bV
</code>
Next, in ''/etc/exim4/vexim-acl-check-content.conf'', change the following line (which appears twice):
<code>
spam = maildeliver:true
</code>
to
<code>
spam = vmail:true
</code>
You can now restart exim
<code>
/etc/init.d/exim4 restart
</code>
NOTE: you may get an alert on startup: ''ALERT: exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken''. If you get this, check the paniclog. It is likely warnings from when you tested the exim4.conf (assuming you made any typos). If that is all they are, you can safely delete them and restart exim.
Now let's remove the references to ''SpamAssassin'' & ''spamd'' in favour of DSPAM. Note that the following is based on this thread, [[http://www.exim-users.org/forums/showthread.php?t=52056|Vexim+DSPAM]], from the archives of the Vexim mailing list.
Remove / comment out the ''ditch_spam'' router and replace it with
<code>
.include /etc/exim4/vexim-router-dspam.conf
</code>
Next, before the ''virtual_delivery'' transport, add
<code>
.include /etc/exim4/vexim-transport-dspam.conf
</code>
Comment out
<code>
spamd_address = 127.0.0.1 783
</code>
In the ''virtual_domains'' router, remove the section that adds / removes headers based on the value of $spam_score_int.
**rmcg TODO**
In ''vexim-transport-dspam.conf'' change all references of
<code>
user = maildeliver
group = mail
</code>
to
<code>
user = Debian-exim
group = Debian-exim
</code>
Note: I had to disable the following lines in vexim-acl-check-rcpt.conf because my home IP is currently listed in zen.spamhaus.org. Need to look into options around this; dropping the DNSBL check for every sender is a broad fix for one listed address, and exempting only that address would be the narrower one.
<code>
# deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
# dnslists = zen.spamhaus.org:list.dsbl.org
</code>
If you get the following error you need to add ''clamav'' to the ''Debian-exim'' group in ''/etc/group'' and then restart the clamav-daemon process.
<code>
malware acl condition: clamd: ClamAV returned /var/spool/exim4/scan/1JM6uk-0000ye-Bt: lstat() failed. ERROR
</code>
In vexim-acl-check-content.conf, change the following from ''warn'' to ''deny'' to reject any messages that contain a virus.
NOTE: some sites (namely Yahoo Groups) will block your email address from receiving any more messages if you reject a message.
<code>
# Reject virus infested messages.
deny message = This message contains malware ($malware_name)
malware = *
log_message = This message contains malware ($malware_name)
</code>
Add a requirement for an SSL connection for SMTP.
First generate a certificate. NOTE that the certificate only takes ONE Common Name (a domain name), so in a virtual host setup other domains will have to accept a certificate for a site that is likely not their mail domain. Not really an issue in the grand scheme of things. Two caveats on the command itself: a 1024-bit RSA key and a 9999-day lifetime are weak by current standards (2048 bits and a lifetime of a year or two is the usual minimum), and ''-nodes'' writes the private key unencrypted, so the key file must be readable only by the exim user.
<code>
$ openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes
</code>
Now, add the following lines somewhere near the top of your exim.conf. The first line advertises AUTH only on connections that have already negotiated a TLS cipher (''$tls_cipher'' is empty otherwise), so SMTP authentication can only take place over TLS; connections that are relayed without authenticating are not affected by it. QUESTION: does the top line mean that anything sent locally (like via webmail) will be required to use SSL?
<code>
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
tls_advertise_hosts = *
tls_certificate = /usr/share/ssl/certs/exim.crt
tls_privatekey = /usr/share/ssl/private/exim.key
</code>
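An added example, not from the original notes, that generates the Exim certificate non-interactively with a 2048-bit key, restricts the key file to its owner and reads the Common Name back so it can be checked against the host name mail clients will connect to. The ''make_exim_cert'' function, the output directory and the ''mail.example.invalid'' name are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): generate the self-signed Exim
# certificate without prompts and lock down the private key. Unlike the command
# above it uses a 2048-bit key (1024-bit RSA is no longer considered safe) and
# takes the Common Name and lifetime as parameters.
# Usage: make_exim_cert <output dir> <common name> [days]
make_exim_cert() {
    dir=$1; cn=$2; days=${3:-730}
    mkdir -p "$dir" || return 1
    # -subj makes openssl non-interactive; -nodes leaves the key unencrypted so
    # exim can read it at start-up without a passphrase.
    openssl req -x509 -newkey rsa:2048 -subj "/CN=$cn" -days "$days" -nodes \
        -keyout "$dir/exim.key" -out "$dir/exim.crt" >/dev/null 2>&1 || return 1
    # An unencrypted key must not be world-readable: owner only. On the real
    # server also chown it to the exim user (Debian-exim on Ubuntu).
    chmod 600 "$dir/exim.key"
    chmod 644 "$dir/exim.crt"
    return 0
}

# Print the CN the certificate actually carries. Works with both the
# "subject= /CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1 and later) layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Report the key file's permission bits (expected: 600).
key_mode() {
    stat -c %a "$1"
}
```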
===== Webmail =====
I use [[http://roundcube.net|Roundcube]] for its looks and general speed.
First download the latest released version
<code>
http://mesh.dl.sourceforge.net/sourceforge/roundcubemail/roundcubemail-0.1-rc2.tar.gz
</code>
Unpack it
<code>
tar zxf roundcubemail-0.1-rc2.tar.gz
</code>
Make a folder for it on the server
<code>
mkdir -p /home/sites/rc.tarasis.net/{public,private,logs,backup}
</code>
Copy the files across (from inside the unpacked directory)
<code>
cp -a * /home/sites/rc.tarasis.net/public/
</code>
Change the ownership of the writable directories to the webserver user
<code>
sudo chown -R www-data logs temp
</code>
Create a new database, database user and tables
<code>
mysql -u root -p
mysql> CREATE DATABASE roundcubemail DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'A PASSWORD -- CHANGE THIS';
mysql> quit
mysql -u root -p roundcubemail < SQL/mysql5.initial.sql
</code>
Next edit ''db.inc.php'' in the config directory. Set the ''db_dsnw'' entry of ''$rcmail_config'' to the database name, user & password specified above.
<code>
$rcmail_config['db_dsnw'] = 'mysql://roundcube:A PASSWORD -- CHANGE THIS@localhost/roundcubemail';
</code>
Let's set the config for Nginx up next
<code>
tarasis /usr/local/nginx/conf/sites-available: sudo vim rc.tarasis.net
</code>
With the content ...
<code>
tarasis /usr/local/nginx/conf/sites-available: sudo ln -s /usr/local/nginx/conf/sites-available/rc.tarasis.net /usr/local/nginx/conf/sites-enabled/
</code>
Christ, missed a few changes to the config main.inc.php and had to import the DB from the old setup because of an error. Need to log that.
Next, given that Apache's .htaccess files are not used, we need to protect certain locations against direct access. So in your rc.tarasis.net add the following BEFORE (note: BEFORE) the location directive for php files. Note that ''192.168.0.0/32'' matches exactly one address, 192.168.0.0, so in practice this block denies everyone, which is what these directories need.
<code>
location ~ ^/(bin|config|logs|SQL|temp)/ {
allow 192.168.0.0/32;
deny all;
}
</code>
Also add the following to disable access to the .htaccess files
<code>
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
</code>
===== Stuff =====
[[http://hublog.hubmed.org/archives/001075.html|Info]] on creating SSL certificates
If you want SSL for logins you need to listen on both port 80 & port 443
===== Chyrp Blog =====
Create the DB.
Run install.php via the web; it gives some errors for things that aren't mentioned in the getting_started.html file:
<code>
STOP! Before you go any further, you must complete the following steps:
CHMOD chyrp.htaccess to 777 and rename it to .htaccess
Rename /includes/database.yml.stock to /includes/database.yml.php and CHMOD it to 777
Rename /includes/config.yml.stock to /includes/config.yml.php and CHMOD it to 777
</code>
So, from the site's public directory:
<code>
tarasis /home/sites/blog.tarasis.net/public: chmod 777 chyrp.htaccess
tarasis /home/sites/blog.tarasis.net/public: mv chyrp.htaccess .htaccess
tarasis /home/sites/blog.tarasis.net/public: cp includes/database.yml.stock includes/database.yml.php
tarasis /home/sites/blog.tarasis.net/public: cp includes/config.yml.stock includes/config.yml.php
tarasis /home/sites/blog.tarasis.net/public: chmod 777 includes/config.yml.php includes/database.yml.php
</code>
Fill in DB details
On next page give it a name, check the URL and specify a time difference (HOW?)
Then tighten things up and disable the installer. The two ''.yml.php'' files were left world-writable (777) above and now hold the database credentials, so once the install is done they want the same treatment: owned by the webserver user and not readable or writable by anyone else.
<code>
chmod 755 .htaccess
mv install.php install.php-old
</code>
Done, NOW WHAT THE FUCK IS A SLUG? (in advanced post or page options)
===== Clam Bug? =====
Finding Clamav making randomish increases in memory. Looks like there might be a bug of sorts. More [[http://lurker.clamav.net/message/20070815.214726.8001ec5e.en.html|info]]
====== Picking UP again ======
Having been good and written everything up while doing the Arch install, it highlights how poor the doc is for the Ubuntu setup. Here are some things that need to be done:
* Add a shared folder for dropping Spam & Ham messages to train DSPAM (Ahh no, this can't be shared; training is generally done per user)
* Tweak the DSPAM configs & set the default webui settings properly
* Add a script to clear the DB of DSPAM tags no longer needed
* Consider using Quarantine (will it redeliver as it should? test on Duemoko)
===== NGINX + PHP (FASTCGI) + SSL =====
If using ''fastcgi_param HTTPS on;'' you need to explicitly supply the following in your nginx vhost config file. The ones from a ''fastcgi_params'' file included in the http section of ''nginx.conf'' are ignored, because nginx only inherits ''fastcgi_param'' directives from the enclosing level when the current level defines none of its own; as soon as you set one in the vhost, the inherited set is gone and the file has to be included again. (SPENT A LOT OF TIME BANGING MY HEAD ON THIS)
<code>
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
include conf/fastcgi_params;
</code>
===== Upgrade to 8.10 Ubuntu (Intrepid) =====
The upgrade went mostly fine. A couple of problems:
  - Permissions on the dspam mysql config file
  - Had to install mod_auth_mysql; for whatever reason the default installed version was crashing when talking to the database. It connected, then died.
At first I tried the official mod_auth_mysql version 3.0.0 but it wouldn't compile. Then I tried the version with phpass support patched in, available from Wordpress at http://barry.wordpress.com/2008/05/19/mod_auth_mysql-and-phpass/, and that is now working.