/etc/init.d/masa-lalu stop

zabbix server monitoring

2009-04-16T01:31:00.001-07:00

The first step to install the zabbix host is to ensure that we have installed the webserver (apache2-PHP5) and the database server (mysql server5).

If you have installed the next step to install SNMP:
Tsubasa root @: / # apt-get install SNMP

Then the following tambahkanlah repository in / etc / apt / source.list

# Zabbix
deb http://mirror.opf.slu.cz/zabbix unstable contrib

then updatelah source list and install zabbix
Tsubasa root @: / # apt-get update
Tsubasa root @: / # aptitude install zabbix-frontend-php zabbix-server zabbix-agent

After that there will be a display screen that asks for admin password for our database server (user root)
will have on demand from the user zabbix password and confirmation.

After the finish has been installed zabbix.

How to run zabbix:
Tsubasa root @: / # / etc / init.d / zabbix-server start
Tsubasa root @: / # / etc / init.d / zabbix-agent start

To begin configuring zabbix:
open a browser and type http://localhost/zabbix
Then you will be taken to install the zabbix and configure underweb.

Here are some error messages as well as the solution that I experienced when installing zabbix:

1. Timezone for PHP is not set set.Please ... ... ... ..
solution: change the variable value of the date.timezone php.ini in the directory / etc/php5/apache2 into date.timezone = Asia / Jakarta. Then restartlah apache service.

2. PHP Max execution time: 30 sec fail
solution: change the value max_execution_time = 30 in which there is a php.ini max_execution_time = 300, then apache restartlah service.

3. Mysql_pconnect, access denied for user @ localhost user zabbix
solutions: Adjust the configuration (username, password and database), which is located at / usr / share / conf / zabbix.conf.php with username, password and database in mysql.

4. Incorrect configuration file [/ usr / share / conf / zabbix.conf.php]
solution: Click save configuration files on the 6.install then change the content of the file / usr / share / conf / zabbix.conf.php with the contents of the file before clicked.

Enough here until I can explain that, depending on how you use and develop.
> swap

Router Debian

2009-03-18T02:56:00.000-07:00

First prepare your computer with 2 lan card is eth0 and eth1.

1. Make sure the program is installed iptables

2. And open the console

3. Remove the rules that already exist with the command as follows:

* Iptables-flush
* Iptables-table nat-flush
* Iptables-delete-chain
* Iptables-table nat-delete-chain

4. Then do the settings for the Masquerade and forwarding with the command as follows:

* Iptables-table nat-append POSTROUTING-out-interface eth0-j Masquerade
Iptables-append * Forward-in-interface eth1-j ACCEPT
* Echo 1> / proc/sys/net/ipv4/ip_forward

5. Save firewall rules have been made with the command as follows:

* Iptables-save> / etc / firewall.conf

6. Then, create a file with a name in the directory iptables / etc / network / if-up.d /
iptables:
* Vi / etc / network / if-up.d / iptables
* Inside type the command:

#! / bin / sh

iptables-restore
echo 1> / proc/sys/net/ipv4/ip_forward

* Then save the file

7. Provide access to execution so that firewall rules have been created that can be used since
the process of booting with the command:

chmod + x / etc / network / if-up.d / iptables

8. Restart your Computer to do the testing iptables rules.

9. Done.
Indonesian

Install Squid

2009-03-13T05:22:00.000-07:00

Install squid and squid-common

sudo aptitude install squid squid-common

Edit the squid config file.

sudo vi /etc/squid/squid.conf

Set the allowed hosts.

acl internal_network src 192.168.0.0/24 (Where 192.168.0.0/24 is your IP range.)
http_access allow internal_network

Set the correct permissions.

sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf

You will need to restart squid for the changes to take affect.

sudo /etc/init.d/squid restart

Now open up your browser and set your proxy to point to your new squid server on port 3128

Authentication

If you wish to use authentication with your proxy you will need to install apache2 utilities

sudo aptitude install squid squid-common apache2-utils

To add your first user you will need to specify -c

sudo htpasswd -c /etc/squid.passwd first_user

Thereafter you add new users with

sudo htpasswd /etc/squid.passwd another_user

Edit the squid config file

sudo vi /etc/squid/squid.conf

Set the the authentication parameters and the acl

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off

acl users proxy_auth REQUIRED

acl sectionx proxy_auth REQUIRED

http_access allow users

So this is what your squid.conf should look like.

acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

Redirect the all HTTP traffic.

If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j REDIRECT --to-ports 3128

Where eth1,eth0 are the LAN, WAN devices and 192.168.0.1 is the IP address of your LAN device.

If you wish to monitor the performance of your proxy you can look as some log parser’s (sarg, calamaris, ect.)

Install samba and kerberos in Ubuntu

2009-03-13T05:17:00.002-07:00

sudo aptitude install krb5-user

sudo aptitude install samba smbfs smbclient winbind

Configure samba

Now likewise-open and samba packages use separate secrets.tdb (samba password file) files,We need to create a symlink to be /var/lib/samba

Take a backupof existing file

sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig

Create a link to /var/lib/samba

sudo ln -s /etc/samba/secrets.tdb /var/lib/samba

Configuring samba and kerberos

Edit /etc/samba/smb.conf file

sudo vi /etc/samba/smb.conf

Note:- replace ug01 netbios name with your own

Change the following parameters

[global]
security = ads
netbios name = ug01
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

Save and exit the file

Test the configuration with the testparm command

Kerberos Configuration

Edit the /etc/krb5.conf File

sudo vi /etc/krb5.conf

Change the following lines

[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL

}

[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL

Save and exit the file

Configuring nsswitch file

Edit /etc/nsswitch.conf to look like the example below

sudo vi /etc/nsswitch.conf

passwd: compat
winbindgroup: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Save and exit the file

Modify the PAM settings

* /etc/pam.d/common-account should contain only the following lines

account sufficient pam_winbind.so
account required pam_unix.so

* /etc/pam.d/common-auth should contain only the following lines

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

* Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

password required pam_unix.so nullok obscure min=4 max=50 md5

* Make sure the /etc/pam.d/common-session file contains the following line

session required pam_mkhomedir.so umask=0022 skel=/etc

Make a directory to hold domain user home directories

Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

mkdir -p /home/DOMAIN

Initialize Kerberos

sudo kinit domain_admin_account@DOMAIN.INTERNAL

Note:- write $FQDN_OF_YOUR_DOMAIN in capitals as you did in your krb5.conf file.You can check you’ve obtained your ticket with klist

Next check to be sure you got a ticket from the domain controller

sudo klist

If you didn’t add your ubuntu server to windows AD use the following command

net ads join -U Adminstrator@$FQDN_OF_YOUR_DOMAIN

Restart Samba-related Services (Or reboot the server)

Note: If you are stopping and starting services the order is important

sudo /etc/init.d/samba stop

sudo /etc/init.d/winbind stop

sudo /etc/init.d/samba start

sudo /etc/init.d/winbind start

Restart SSH and Test Connectivity

Note: If you rebooted the server in the previous step, just try and login.

sudo /etc/init.d/ssh restart

ssh useraccount@server

If you can login using your active directory username and password then everything is working fine.

Configure SUDO

First you need to create a group in Active Directory called UbuntuAdmins and add the names of people whom you want to be able to use sudo to admin the server.

Next, add the UbuntuAdmins group to the /etc/sudoers so these users can use sudo

%UbuntuAdmins ALL=(ALL) ALL

Useful Commands

List the derived UNIX GID values for Active Directory groups

for gid in $(wbinfo -r ); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done

See the Active Directory SID for a particular named user

wbinfo –n

Nagios

2009-03-13T05:17:00.001-07:00

Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external “plugins” which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.

WARNING: “this tutorial is meant for users that have a good knowledge of development tools and manual installation process and will be hardly supported by the Ubuntu community. Standard supported procedure are to install packages from the official repositories, not to compile them by hand”.

Install Nagios in Ubuntu

This Tutorial is intended to provide you with simple instructions on how to install Nagios from source (code) on Ubuntu and have it monitoring your local machine inside of 20 minutes.

If you follow these instructions, here’s what you’ll end up with:

Nagios and the plugins will be installed underneath /usr/local/nagios

Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)

The Nagios web interface will be accessible at http://localhost/nagios/

Required Packages

Make sure you’ve installed the following packages on your Ubuntu installation before continuing.

Apache 2
GCC compiler and development libraries
GD development libraries

Preparing Your System

First you need to install the following packages

sudo apt-get install apache2

sudo apt-get install build-essential

sudo apt-get install libgd2-xpm-dev

1) Create Account Information

Become the root user.

sudo -s

Create a new nagios user account and give it a password.

#/usr/sbin/useradd nagios

#passwd nagios

On Ubuntu server edition , you will need to also add a nagios group (it’s not created by default). You should be able to skip this step on desktop editions of Ubuntu.

#/usr/sbin/groupadd nagios

#/usr/sbin/usermod -G nagios nagios

Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

#/usr/sbin/groupadd nagcmd

#/usr/sbin/usermod -G nagcmd nagios

#/usr/sbin/usermod -G nagcmd www-data

2) Download Nagios and the Plugins

Create a directory for storing the downloads.

#mkdir ~/downloads

#cd ~/downloads

Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). At the time of writing, the latest versions of Nagios and the Nagios plugins were 2.10 and 1.4.10, respectively.

#wget http://switch.dl.sourceforge.net/sourceforge/nagios/nagios-2.10.tar.gz

#wget http://kent.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz

3) Compile and Install Nagios

Extract the Nagios source code tarball.

#cd ~/downloads

#tar xzf nagios-2.10.tar.gz

#cd nagios-2.10

Run the Nagios configure script, passing the name of the group you created earlier like so:

#./configure --with-command-group=nagcmd

Compile the Nagios source code.

#make all

Install binaries, init script, sample config files and set permissions on the external command directory.

#make install

#make install-init

#make install-config

#make install-commandmode

Don’t start Nagios yet - there’s still more that needs to be done…

4) Customize Configuration

Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You’ll need to make just one change before you proceed…

Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you’d like to use for receiving alerts.

#vi /usr/local/nagios/etc/objects/contacts.cfg

5) Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

#make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you’ll need it later.

#htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Restart Apache to make the new settings take effect.

#/etc/init.d/apache2 reload

6) Compile and Install the Nagios Plugins

Extract the Nagios plugins source code tarball.

#cd ~/downloads

#tar xzf nagios-plugins-1.4.10.tar.gz

#cd nagios-plugins-1.4.10

Compile and install the plugins.

#./configure --with-nagios-user=nagios --with-nagios-group=nagios

#make

#make install

7) Start Nagios

Configure Nagios to automatically start when the system boots.

#ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios

Verify the sample Nagios configuration files.

#/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

#/etc/init.d/nagios start
8) Login to the Web Interface

You should now be able to access the Nagios web interface at the URL below. You’ll be prompted for the username (nagiosadmin) and password you specified earlier.

http://localhost/nagios/

Click on the “Service Detail” navbar link to see details of what’s being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time.

9) Other Modifications

If you want to receive email notifications for Nagios alerts, you need to install the mailx (Postfix) package.

#apt-get install mailx

You’ll have to edit the Nagios email notification commands found in /usr/local/nagios/etc/commands.cfg and change any ‘/bin/mail’ references to ‘/usr/bin/mail’. Once you do that you’ll need to restart Nagios to make the configuration changes live.

#/etc/init.d/nagios restart

Fall Heart

2009-03-13T05:10:00.000-07:00

Expect that a munkin not happened, and happened takan

Trying to change all the existing circumstances and continue to try to become what we want

Install PureFTPd With MySQL Support

2009-03-11T01:35:00.000-07:00

For Debian there is a pre-configured pure-ftpd-mysql package available. Install it like this:

apt-get install pure-ftpd-mysql

Then we create an ftp group (ftpgroup) and user (ftpuser) that all our virtual users will be mapped to. Replace the group- and userid 2001 with a number that is free on your system:

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser

Installing The DHCP Server

2009-03-11T01:20:00.000-07:00

Now let's install our DHCP server on our Debian Sarge system:

apt-get install dhcp3-server

You will be asked a few questions:

On what network interfaces should the DHCP server listen? <-- eth0

Please configure the DHCP server as soon as the installation finishes. <-- Ok

The version 3 DHCP server is now non-authoritative by default <-- Ok

At the end of the installation you will see errors like these:

Generating /etc/default/dhcp3-server...
Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
invoke-rc.d: initscript dhcp3-server, action "start" failed.

That's ok because we did not have the chance yet to configure our DHCP server.

Configuring The DHCP Server

Now we must configure our DHCP server. We must tell it from which IP range it should assign IP addresses to requesting clients, which gateway it should assign, which DNS servers, etc.

The configuration file for our DHCP server is /etc/dhcp3/dhcpd.conf. Currently it contains a sample configuration which we copy to /etc/dhcp3/dhcpd.conf_orig for future reference:

cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf_orig
cat /dev/null > /etc/dhcp3/dhcpd.conf

With the last command we have emptied /etc/dhcp3/dhcpd.conf so that we can place our own configuration in it which we do now:

vi /etc/dhcp3/dhcpd.conf

The file should look like this:

ddns-update-style none;

option domain-name-servers 145.253.2.75, 193.174.32.18;

default-lease-time 86400;
max-lease-time 604800;

authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
       range 192.168.0.200 192.168.0.229;
       option subnet-mask 255.255.255.0;
       option broadcast-address 192.168.0.255;
       option routers 192.168.0.1;
}

I explain the configuration options here:

dns-update-style: You can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP). As we do not run servers in our LAN or always give them static IP addresses (which is a good idea for servers...) we don't want to update DNS records so we set this to none.
option domain-name-servers: This tells the DHCP server which DNS servers it should assign to a client. You can specify more than one DNS server here, seperated by commas.
default-lease-time, max-lease-time: A client can tell the DHCP server for how long it would like to get an IP address. If it doesn't do this, the server assigns an IP address for default-lease-time seconds; if it does, the server grants the requested time, but only up to max-lease-time seconds.
authoritative: If this is not set this means that if a client requests an address that the server knows nothing about and the address is incorrect for that network segment, the server will _not_ send a DHCPNAK (which tells the client it should stop using the address.) We don't want this so we set authoritative.
subnet: The subnet to use.
netmask: The netmask to use.
range: Tells the DHCP server from which range it can assign IP addresses to clients. In our example it's from 192.168.0.200 to 192.168.0.229 (30 IP addresses).
option broadcast-address: The broadcast address to use.
option routers: Tells the DHCP server the gateway address it should assign to requesting clients. In our case the gateway is 192.168.0.1.

If you are not sure about your personal network settings (network, netmask, broadcast address, etc.), visit www.subnetmask.info where you can calculate your settings.

You see, this is a very simple and basic configuration, but it's enough to make our DHCP server functionable. Now let's start it:

/etc/init.d/dhcp3-server restart

Afterwards you can check the output of

ps aux

to see if DHCP is running. You should also see it in the output of

netstat -uap

which should resemble this one:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 *:bootps                *:*                                2185/dhcpd3
udp        0      0 *:868                   *:*                                1964/rpc.statd
udp        0      0 *:871                   *:*                                1964/rpc.statd
udp        0      0 *:sunrpc                *:*                                1553/portmap

You can see that DHCP is running on the bootps UDP port which translates to port 67 UDP (run

grep bootps /etc/services

and you will see that bootps means port 67).

Finally you can check /var/log/syslog if any errors occurred during the DHCP server start. To see the last 100 lines of /var/log/syslog, for example, run

tail -n 100 /var/log/syslog

4 How Can I See That My DHCP Server Is Working OK?

To see if your DHCP server is working as expected, boot another PC (Windows, Linux, MAC, ...) in your LAN that doesn't have a static IP address. Wait a few seconds, and in /var/log/syslog on the DHCP server you should see that the DHCP server assigns an IP address to your PC. For example, in this excerpt of /var/log/syslog, a client PC named matze has been assigned the IP address 192.168.0.229:

Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0
Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.
Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0

The DHCP server writes all current IP address "leases" to the file /var/lib/dhcp3/dhcpd.leases so you should also find the lease there:

vi /var/lib/dhcp3/dhcpd.leases

# All times in this file are in UTC (GMT), not your local timezone.   This is
# not a bug, so please don't ask about it.   There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature.   If this is inconvenient or confusing to you, we sincerely
# apologize.   Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.0.1

lease 192.168.0.229 {
 starts 2 2006/09/19 14:01:31;
 ends 3 2006/09/20 14:01:31;
 binding state active;
 next binding state free;
 hardware ethernet 00:0c:76:8b:c4:16;
 uid "\001\000\014v\213\304\026";
 client-hostname "matze";
}

Have Fun!

Postfix With SMTP-AUTH And TLS Debian

2009-03-08T01:27:00.000-08:00

In order to install Postfix with SMTP-AUTH and TLS do the following steps:

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Then run

dpkg-reconfigure postfix

Again, you'll be asked some questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8
Use procmail for local delivery? <-- Yes
Mailbox size limit: <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

/etc/init.d/postfix restart

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Now start saslauthd:

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

Mysql Server

2009-03-08T00:23:00.000-08:00

apt-get install mysql-server mysql-client libmysqlclient15-dev

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap

In the output you should see a line like this one:

tcp 0 0 *:mysql *:* LISTEN 3281/mysqld

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

DNS Server

2009-03-08T00:22:00.000-08:00

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

#
# Top configuration file for syslogd
#

#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#

#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

Tutorial Dovecot and Postfix

2009-03-07T20:15:00.000-08:00

I user postfix and dovecot , but i can't configure auth..

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = jony.atlantica.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = jony.atlantica.us
mydestination = jony.atlantica.us
mynetworks = 192.168.0.0/28, 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
delay_notice_recipient = d3v1ous
queue_directory = /var/mail
bounce_notice_recipient = d3v1ous
2bounce_notice_recipient = d3v1ous
error_notice_recipient = d3v1ous

# User

# helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
permit

# sender restrictions
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

# recipient restriction
smtpd_recipient_restrictions =
reject_unauth_pipelining,
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination

#enable SMTP auth for relaying
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /private/auth-client
# deliver with dovecot
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
local_recipient_maps =

##########################################################################################################################

/etc/dovecot/dovecot.conf

shutdown_clients = yes
ssl_disable = no
base_dir = /var/run/dovecot/
protocols = imap pop3 imaps pop3s
listen = [::]
protocol imap {
listen = *:143
ssl_listen = *:993
login_executable = /usr/lib/dovecot/imap-login
mail_executable = /usr/lib/dovecot/imap
}
protocol pop3 {
listen = *:110
ssl_listen = *:995
login_executable = /usr/lib/dovecot/pop3-login
mail_executable = /usr/lib/dovecot/pop3
pop3_no_flag_updates = yes
pop3_reuse_xuidl = no
pop3_lock_session = no
pop3_uidl_format = %08Xu%08Xv
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
postmaster_address = main@main.com
}
disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> rip=%r %c
login_log_format = %$: %s
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_full_filesystem_access = no
mail_debug = no
mail_log_prefix = "%Us(%u): "
mail_read_mmaped = no
lock_method = fcntl
mail_drop_priv_before_exec = no
verbose_proctitle = no
#first_valid_uid = 10000
#last_valid_uid = 10000
#first_valid_gid = 10000
#last_valid_gid = 10000
max_mail_processes = 1024
mail_process_size = 256
mail_max_keyword_length = 50
umask = 0077
valid_chroot_dirs = /
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dotlock_change_timeout = 120
mbox_dirty_syncs = yes
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_process_size = 256
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
count = 1
ssl_require_client_cert = no
ssl_username_from_cert = no
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = dovecot
group = dovecot
}
client {
path = /var/spool/postfix/private/auth-client
mode = 0666
user = postfix
group = mail
}
}
}

##########################################################################################################################

ls /var/spool/postfix/private/auth-client -l
srw-rw-rw- 1 postfix mail 0 2008-03-18 11:19 /var/spool/postfix/private/auth-client

ls /var/run/dovecot/auth-master -l
srw-rw---- 1 dovecot dovecot 0 2008-03-18 11:19 /var/run/dovecot/auth-master

/var/log/mail.log

Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:21:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139

##########################################################################################################################

/var/log/mail.log

Mar 18 11:40:32 jony postfix/master[30724]: daemon started -- version 2.3.8, configuration /etc/postfix
Mar 18 11:40:34 jony postfix/smtpd[30731]: warning: SASL: Connect to private/auth-client failed: No such file or directory
Mar 18 11:40:34 jony postfix/smtpd[30731]: fatal: no SASL authentication mechanisms
Mar 18 11:40:35 jony postfix/master[30724]: warning: process /usr/lib/postfix/smtpd pid 30731 exit status 1
Mar 18 11:40:35 jony postfix/master[30724]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling