The first step to installing the Zabbix host is to make sure the web server (apache2 with PHP5) and the database server (MySQL server 5) are installed.
Once those are in place, the next step is to install SNMP:
root@Tsubasa:/# apt-get install snmp
Then add the following repository to /etc/apt/sources.list:
# Zabbix
deb http://mirror.opf.slu.cz/zabbix unstable contrib
then update the source list and install Zabbix:
root@Tsubasa:/# apt-get update
root@Tsubasa:/# aptitude install zabbix-frontend-php zabbix-server zabbix-agent
After that a screen will appear asking for the admin password of our database server (user root),
followed by a prompt for the zabbix database user's password and its confirmation.
Once that finishes, Zabbix is installed.
How to run Zabbix:
root@Tsubasa:/# /etc/init.d/zabbix-server start
root@Tsubasa:/# /etc/init.d/zabbix-agent start
To begin configuring Zabbix:
open a browser and go to http://localhost/zabbix
You will then be taken through the web-based Zabbix installation and configuration.
Here are some error messages I ran into when installing Zabbix, along with their solutions:
1. Timezone for PHP is not set. Please ...
solution: change the value of date.timezone in the php.ini under /etc/php5/apache2 to date.timezone = Asia/Jakarta, then restart the apache service.
2. PHP Max execution time: 30 sec fail
solution: in php.ini change max_execution_time = 30 to max_execution_time = 300, then restart the apache service.
3. Mysql_pconnect: access denied for user zabbix@localhost
solution: adjust the configuration (username, password and database) in /usr/share/conf/zabbix.conf.php so that it matches the username, password and database in MySQL.
4. Incorrect configuration file [/usr/share/conf/zabbix.conf.php]
solution: click "save configuration file" at step 6 of the installer, then replace the contents of /usr/share/conf/zabbix.conf.php with the contents of the file shown before you clicked.
That is as far as I can explain here; the rest depends on how you use and develop it.
Thursday, April 16, 2009
zabbix server monitoring
Posted by Harry Wisnu at Thursday, April 16, 2009
Wednesday, March 18, 2009
Router Debian
First prepare your computer with 2 LAN cards, eth0 and eth1.
1. Make sure the iptables program is installed
2. And open the console
3. Remove the rules that already exist with the following commands:
* iptables --flush
* iptables --table nat --flush
* iptables --delete-chain
* iptables --table nat --delete-chain
4. Then set up masquerading and forwarding with the following commands:
* iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
* iptables --append FORWARD --in-interface eth1 -j ACCEPT
* echo 1 > /proc/sys/net/ipv4/ip_forward
5. Save the firewall rules you have made with the following command:
* iptables-save > /etc/firewall.conf
6. Then create a file named iptables in the directory /etc/network/if-up.d/:
* vi /etc/network/if-up.d/iptables
* Inside, type the commands:
#!/bin/sh
iptables-restore < /etc/firewall.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
* Then save the file
7. Make the file executable so that the firewall rules you created are loaded from boot time onward, with the command:
chmod +x /etc/network/if-up.d/iptables
8. Restart your computer to test the iptables rules.
9. Done.
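A hardened variant of the if-up.d hook from step 6, added here as my own example (not the script from the post). It loads the rules only when the LAN interface comes up, refuses a rules file that is missing, not root-owned or group/world-writable (whoever can edit that file controls the firewall at every boot), and syntax-checks the file before committing it. It assumes the rules were saved to /etc/firewall.conf as in step 5, that eth1 is the LAN interface as in step 4, and an iptables-restore that understands --test.

```shell
#!/bin/sh
# Added example: hardened /etc/network/if-up.d/iptables hook (not the
# original post's script). ifupdown runs if-up.d scripts once per interface
# with IFACE set; the original hook therefore reloaded the rules for lo,
# eth0 and eth1 alike. This version acts only for the LAN interface and
# validates the saved rules file first.
# Assumptions: rules saved to /etc/firewall.conf (step 5), LAN is eth1 (step 4).

RULES_FILE=${RULES_FILE:-/etc/firewall.conf}
LAN_IFACE=${LAN_IFACE:-eth1}

# Return 0 if $1 is a regular file owned by $2 (default: root) and writable
# only by its owner; otherwise print the reason and return 1.
rules_file_ok() {
    f=$1
    owner=${2:-root}
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    if [ -n "$(find "$f" -maxdepth 0 ! -user "$owner" -print)" ]; then
        echo "$f: not owned by $owner"
        return 1
    fi
    if [ -n "$(find "$f" -maxdepth 0 \( -perm -g=w -o -perm -o=w \) -print)" ]; then
        echo "$f: writable by group or others"
        return 1
    fi
    return 0
}

# Validate and load the saved ruleset, then enable forwarding as the original
# hook did. Returns non-zero without touching the running firewall if any
# check fails.
load_rules() {
    rules_file_ok "$RULES_FILE" || return 1
    if ! iptables-restore --test < "$RULES_FILE"; then
        echo "$RULES_FILE: rejected by iptables-restore --test"
        return 1
    fi
    iptables-restore < "$RULES_FILE" || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only act when ifupdown is bringing up the LAN interface.
if [ "${IFACE:-}" = "$LAN_IFACE" ]; then
    load_rules
fi
```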
Posted by Harry Wisnu at Wednesday, March 18, 2009
Friday, March 13, 2009
Install Squid
Install squid and squid-common
sudo aptitude install squid squid-common
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the allowed hosts.
acl internal_network src 192.168.0.0/24
(Where 192.168.0.0/24 is your IP range.)
http_access allow internal_network
Set the correct permissions.
sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf
You will need to restart squid for the changes to take effect.
sudo /etc/init.d/squid restart
Now open up your browser and set your proxy to point to your new squid server on port 3128
Authentication
If you wish to use authentication with your proxy you will need to install apache2 utilities
sudo aptitude install squid squid-common apache2-utils
To add your first user you will need to specify -c
sudo htpasswd -c /etc/squid.passwd first_user
Thereafter you add new users with
sudo htpasswd /etc/squid.passwd another_user
Edit the squid config file
sudo vi /etc/squid/squid.conf
Set the authentication parameters and the acl
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off
acl users proxy_auth REQUIRED
acl sectionx proxy_auth REQUIRED
http_access allow users
So this is what your squid.conf should look like.
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
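Squid evaluates http_access lines top to bottom and stops at the first match, so in the squid.conf above "allow users" and "allow internal_network" sit before "deny !Safe_ports" and "deny CONNECT !SSL_ports", which means authenticated and LAN clients are never subject to the port restrictions (moving the two deny lines above the allows fixes that). The following check, my own example rather than anything from the post, reports every allow rule that is evaluated before the port-deny rules; the function name and message format are mine.

```shell
#!/bin/sh
# Added example: audit the ORDER of http_access rules in a squid.conf.
# First match wins, so an "allow" placed above "deny !Safe_ports" or
# "deny CONNECT !SSL_ports" exempts the matching clients from those checks.

# Print one line per "http_access allow ..." rule that is evaluated before the
# first port-restriction deny rule; print nothing if the order is safe.
squid_allow_before_port_deny() {   # reads squid.conf on stdin
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $1 == "http_access" {
            rule = $2
            for (i = 3; i <= NF; i++) rule = rule " " $i
            if (rule == "deny !Safe_ports" || rule == "deny CONNECT !SSL_ports") {
                if (!deny_line) { deny_line = NR; deny_rule = rule }
                next
            }
            if ($2 == "allow" && !deny_line)
                finding[++n] = "line " NR ": http_access " rule
        }
        END {
            if (!deny_line) { print "no Safe_ports/SSL_ports deny rule found"; exit 1 }
            for (i = 1; i <= n; i++)
                print finding[i] " is evaluated before line " deny_line " (" deny_rule ")"
        }
    '
}

# Constructed sample: the http_access section of the configuration above
# (acl lines that the check does not need are omitted).
SAMPLE_SQUID_CONF='acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563   # https, snews
acl Safe_ports port 80       # http
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all'

printf '%s\n' "$SAMPLE_SQUID_CONF" | squid_allow_before_port_deny
```

Run it against the real file with `squid_allow_before_port_deny < /etc/squid/squid.conf`; the two localhost-only findings it also reports match Squid's stock ordering and are harmless, the users and internal_network ones are not.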
Redirect all HTTP traffic.
If you would like to redirect all HTTP traffic through the proxy without having to set up a proxy manually in all your applications, you will need to add some rules:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Where eth1 and eth0 are the LAN and WAN devices and 192.168.0.1 is the IP address of your LAN device.
If you wish to monitor the performance of your proxy you can look at some log parsers (sarg, calamaris, etc.).
Posted by Harry Wisnu at Friday, March 13, 2009
Install samba and kerberos in Ubuntu
sudo aptitude install krb5-user
sudo aptitude install samba smbfs smbclient winbind
Configure samba
The likewise-open and samba packages use separate secrets.tdb (samba password file) files, so we need to create a symlink in /var/lib/samba.
Take a backup of the existing file
sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
Create a link to /var/lib/samba
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba
Configuring samba and kerberos
Edit /etc/samba/smb.conf file
sudo vi /etc/samba/smb.conf
Note: replace the netbios name ug01 with your own
Change the following parameters
[global]
security = ads
netbios name = ug01
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Save and exit the file
Test the configuration with the testparm command
Kerberos Configuration
Edit the /etc/krb5.conf File
sudo vi /etc/krb5.conf
Change the following lines
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Save and exit the file
Configuring nsswitch file
Edit /etc/nsswitch.conf to look like the example below
sudo vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Save and exit the file
Modify the PAM settings
* /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
* /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
* Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
* Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc
Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir -p /home/DOMAIN
Initialize Kerberos
sudo kinit domain_admin_account@DOMAIN.INTERNAL
Note: write $FQDN_OF_YOUR_DOMAIN in capitals, as you did in your krb5.conf file. You can check that you've obtained your ticket with klist
Next check to be sure you got a ticket from the domain controller
sudo klist
If you didn’t add your ubuntu server to windows AD use the following command
net ads join -U Administrator@$FQDN_OF_YOUR_DOMAIN
Restart Samba-related Services (Or reboot the server)
Note: If you are stopping and starting services the order is important
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
sudo /etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working fine.
Configure SUDO
First you need to create a group in Active Directory called UbuntuAdmins and add the names of people whom you want to be able to use sudo to admin the server.
Next, add the UbuntuAdmins group to the /etc/sudoers so these users can use sudo
%UbuntuAdmins ALL=(ALL) ALL
Useful Commands
List the derived UNIX GID values for the Active Directory groups of a user (replace <username> with the account to inspect)
for gid in $(wbinfo -r <username>); do SID=$(wbinfo -G $gid); GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
See the Active Directory SID for a particular named user
wbinfo -n <username>
Posted by Harry Wisnu at Friday, March 13, 2009
Nagios
Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external “plugins” which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.
WARNING: "this tutorial is meant for users that have a good knowledge of development tools and manual installation process and will be hardly supported by the Ubuntu community. Standard supported procedures are to install packages from the official repositories, not to compile them by hand".
Install Nagios in Ubuntu
This Tutorial is intended to provide you with simple instructions on how to install Nagios from source (code) on Ubuntu and have it monitoring your local machine inside of 20 minutes.
If you follow these instructions, here’s what you’ll end up with:
Nagios and the plugins will be installed underneath /usr/local/nagios
Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
The Nagios web interface will be accessible at http://localhost/nagios/
Required Packages
Make sure you’ve installed the following packages on your Ubuntu installation before continuing.
Apache 2
GCC compiler and development libraries
GD development libraries
Preparing Your System
First you need to install the following packages
sudo apt-get install apache2
sudo apt-get install build-essential
sudo apt-get install libgd2-xpm-dev
1) Create Account Information
Become the root user.
sudo -s
Create a new nagios user account and give it a password.
#/usr/sbin/useradd nagios
#passwd nagios
On Ubuntu Server edition you will also need to add a nagios group (it's not created by default). You should be able to skip this step on desktop editions of Ubuntu.
#/usr/sbin/groupadd nagios
#/usr/sbin/usermod -G nagios nagios
Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.
#/usr/sbin/groupadd nagcmd
#/usr/sbin/usermod -G nagcmd nagios
#/usr/sbin/usermod -G nagcmd www-data
2) Download Nagios and the Plugins
Create a directory for storing the downloads.
#mkdir ~/downloads
#cd ~/downloads
Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). At the time of writing, the latest versions of Nagios and the Nagios plugins were 2.10 and 1.4.10, respectively.
#wget http://switch.dl.sourceforge.net/sourceforge/nagios/nagios-2.10.tar.gz
#wget http://kent.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.10.tar.gz
3) Compile and Install Nagios
Extract the Nagios source code tarball.
#cd ~/downloads
#tar xzf nagios-2.10.tar.gz
#cd nagios-2.10
Run the Nagios configure script, passing the name of the group you created earlier like so:
#./configure --with-command-group=nagcmd
Compile the Nagios source code.
#make all
Install binaries, init script, sample config files and set permissions on the external command directory.
#make install
#make install-init
#make install-config
#make install-commandmode
Don’t start Nagios yet - there’s still more that needs to be done…
4) Customize Configuration
Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You’ll need to make just one change before you proceed…
Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you’d like to use for receiving alerts.
#vi /usr/local/nagios/etc/objects/contacts.cfg
5) Configure the Web Interface
Install the Nagios web config file in the Apache conf.d directory.
#make install-webconf
Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you’ll need it later.
#htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Restart Apache to make the new settings take effect.
#/etc/init.d/apache2 reload
6) Compile and Install the Nagios Plugins
Extract the Nagios plugins source code tarball.
#cd ~/downloads
#tar xzf nagios-plugins-1.4.10.tar.gz
#cd nagios-plugins-1.4.10
Compile and install the plugins.
#./configure --with-nagios-user=nagios --with-nagios-group=nagios
#make
#make install
7) Start Nagios
Configure Nagios to automatically start when the system boots.
#ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios
Verify the sample Nagios configuration files.
#/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
If there are no errors, start Nagios.
#/etc/init.d/nagios start
8) Login to the Web Interface
You should now be able to access the Nagios web interface at the URL below. You’ll be prompted for the username (nagiosadmin) and password you specified earlier.
http://localhost/nagios/
Click on the “Service Detail” navbar link to see details of what’s being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time.
9) Other Modifications
If you want to receive email notifications for Nagios alerts, you need to install the mailx (Postfix) package.
#apt-get install mailx
You’ll have to edit the Nagios email notification commands found in /usr/local/nagios/etc/commands.cfg and change any ‘/bin/mail’ references to ‘/usr/bin/mail’. Once you do that you’ll need to restart Nagios to make the configuration changes live.
#/etc/init.d/nagios restart
Posted by Harry Wisnu at Friday, March 13, 2009
Fall Heart
Expecting what perhaps will not happen, and what has happened will not
Trying to change all the existing circumstances and continue to try to become what we want
Posted by Harry Wisnu at Friday, March 13, 2009
Wednesday, March 11, 2009
Install PureFTPd With MySQL Support
For Debian there is a pre-configured pure-ftpd-mysql package available. Install it like this:
apt-get install pure-ftpd-mysql
Then we create an ftp group (ftpgroup) and user (ftpuser) that all our virtual users will be mapped to. Replace the group- and userid 2001 with a number that is free on your system:
groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser
Posted by Harry Wisnu at Wednesday, March 11, 2009
Installing The DHCP Server
Now let's install our DHCP server on our Debian Sarge system:
apt-get install dhcp3-server
You will be asked a few questions:
On what network interfaces should the DHCP server listen? <-- eth0
Please configure the DHCP server as soon as the installation finishes. <-- Ok
The version 3 DHCP server is now non-authoritative by default <-- Ok
At the end of the installation you will see errors like these:
Generating /etc/default/dhcp3-server...
Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
invoke-rc.d: initscript dhcp3-server, action "start" failed.
That's ok because we did not have the chance yet to configure our DHCP server.
Configuring The DHCP Server
Now we must configure our DHCP server. We must tell it from which IP range it should assign IP addresses to requesting clients, which gateway it should assign, which DNS servers, etc.
The configuration file for our DHCP server is /etc/dhcp3/dhcpd.conf. Currently it contains a sample configuration which we copy to /etc/dhcp3/dhcpd.conf_orig for future reference:
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf_orig
cat /dev/null > /etc/dhcp3/dhcpd.conf
With the last command we have emptied /etc/dhcp3/dhcpd.conf so that we can place our own configuration in it which we do now:
vi /etc/dhcp3/dhcpd.conf
The file should look like this:
ddns-update-style none;
I explain the configuration options here:
- ddns-update-style: You can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP). As we do not run servers in our LAN or always give them static IP addresses (which is a good idea for servers...) we don't want to update DNS records, so we set this to none.
- option domain-name-servers: This tells the DHCP server which DNS servers it should assign to a client. You can specify more than one DNS server here, separated by commas.
- default-lease-time, max-lease-time: A client can tell the DHCP server for how long it would like to get an IP address. If it doesn't do this, the server assigns an IP address for default-lease-time seconds; if it does, the server grants the requested time, but only up to max-lease-time seconds.
- authoritative: If this is not set this means that if a client requests an address that the server knows nothing about and the address is incorrect for that network segment, the server will _not_ send a DHCPNAK (which tells the client it should stop using the address.) We don't want this so we set authoritative.
- subnet: The subnet to use.
- netmask: The netmask to use.
- range: Tells the DHCP server from which range it can assign IP addresses to clients. In our example it's from 192.168.0.200 to 192.168.0.229 (30 IP addresses).
- option broadcast-address: The broadcast address to use.
- option routers: Tells the DHCP server the gateway address it should assign to requesting clients. In our case the gateway is 192.168.0.1.
If you are not sure about your personal network settings (network, netmask, broadcast address, etc.), visit www.subnetmask.info where you can calculate your settings.
You see, this is a very simple and basic configuration, but it's enough to make our DHCP server functional. Now let's start it:
/etc/init.d/dhcp3-server restart
Afterwards you can check the output of
ps aux
to see if DHCP is running. You should also see it in the output of
netstat -uap
which should resemble this one:
Active Internet connections (servers and established)
You can see that DHCP is running on the bootps UDP port which translates to port 67 UDP (run
grep bootps /etc/services
and you will see that bootps means port 67).
Finally you can check /var/log/syslog if any errors occurred during the DHCP server start. To see the last 100 lines of /var/log/syslog, for example, run
tail -n 100 /var/log/syslog
How Can I See That My DHCP Server Is Working OK?
To see if your DHCP server is working as expected, boot another PC (Windows, Linux, MAC, ...) in your LAN that doesn't have a static IP address. Wait a few seconds, and in /var/log/syslog on the DHCP server you should see that the DHCP server assigns an IP address to your PC. For example, in this excerpt of /var/log/syslog, a client PC named matze has been assigned the IP address 192.168.0.229:
Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0
Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.
Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
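Only the DHCPACK line proves that a lease was granted; the DHCPOFFER lines are proposals the client is free to ignore, and the excerpt shows three DISCOVER/OFFER rounds before the client finally sends its DHCPREQUEST. The script below is my own added example (not from the tutorial) that pulls confirmed leases out of such syslog lines and also lists clients that were offered an address but never acknowledged, which may mean they accepted another DHCP server's offer on your LAN. Function names and output format are mine; the field positions assume the standard syslog prefix shown above.

```shell
#!/bin/sh
# Added example: extract lease facts from dhcpd syslog lines (not part of the
# original tutorial). Field layout of a syslog line as shown above:
#   $1..$3 date/time, $4 host, $5 "dhcpd:", $6 message type, then the
#   type-specific fields ("on IP to MAC (hostname) via IFACE").

# Print "MAC IP HOSTNAME" for every DHCPACK on stdin ("-" when the client
# sent no hostname).
dhcp_acks() {
    awk '
        $6 == "DHCPACK" && $7 == "on" {
            ip = $8; mac = $10; host = "-"
            if ($11 ~ /^\(.*\)$/) { host = $11; gsub(/[()]/, "", host) }
            print mac, ip, host
        }
    '
}

# Print "MAC IP" for every client that was offered an address but never
# received a DHCPACK within the same log window.
dhcp_unacked_offers() {
    awk '
        $6 == "DHCPOFFER" && $7 == "on" { offered[$10] = $8 }
        $6 == "DHCPACK"   && $7 == "on" { acked[$10] = 1 }
        END { for (m in offered) if (!(m in acked)) print m, offered[m] }
    '
}

# Constructed sample: the excerpt above plus one extra (invented) client
# that only ever receives offers.
SAMPLE_DHCP_LOG='Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0
Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.
Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:02:05 server1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Sep 19 16:02:05 server1 dhcpd: DHCPOFFER on 192.168.0.201 to 00:11:22:33:44:55 via eth0'

echo "granted leases (MAC IP HOSTNAME):"
printf '%s\n' "$SAMPLE_DHCP_LOG" | dhcp_acks
echo "offered but never acknowledged (MAC IP):"
printf '%s\n' "$SAMPLE_DHCP_LOG" | dhcp_unacked_offers
```

On the server itself, `grep dhcpd /var/log/syslog | dhcp_acks` gives the same view for the real log.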
The DHCP server writes all current IP address "leases" to the file /var/lib/dhcp3/dhcpd.leases so you should also find the lease there:
vi /var/lib/dhcp3/dhcpd.leases
# All times in this file are in UTC (GMT), not your local timezone. This is
Have Fun!
Posted by Harry Wisnu at Wednesday, March 11, 2009
Sunday, March 8, 2009
Postfix With SMTP-AUTH And TLS Debian
In order to install Postfix with SMTP-AUTH and TLS do the following steps:
apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules libdb3-util procmail
You will be asked two questions. Answer as follows:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Then run
dpkg-reconfigure postfix
Again, you'll be asked some questions:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8
Use procmail for local delivery? <-- Yes
Mailbox size limit: <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all
Next, do this:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
Restart Postfix:
/etc/init.d/postfix restart
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd
Now start saslauthd:
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type
ehlo localhost
If you see the lines
Posted by Harry Wisnu at Sunday, March 08, 2009
Mysql Server
apt-get install mysql-server mysql-client libmysqlclient15-dev
We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
Then we restart MySQL:
/etc/init.d/mysql restart
Now check that networking is enabled. Run
netstat -tap
In the output you should see a line like this one:
tcp 0 0 *:mysql *:* LISTEN 3281/mysqld
Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
Posted by Harry Wisnu at Sunday, March 08, 2009
DNS Server
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
vi /etc/default/syslogd
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
Posted by Harry Wisnu at Sunday, March 08, 2009
Saturday, March 7, 2009
Tutorial Dovecot and Postfix
I use postfix and dovecot, but I can't configure auth..
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = jony.atlantica.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = jony.atlantica.us
mydestination = jony.atlantica.us
mynetworks = 192.168.0.0/28, 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
delay_notice_recipient = d3v1ous
queue_directory = /var/mail
bounce_notice_recipient = d3v1ous
2bounce_notice_recipient = d3v1ous
error_notice_recipient = d3v1ous
# User
# helo restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_hostname,
permit
# sender restrictions
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit
# recipient restriction
smtpd_recipient_restrictions =
reject_unauth_pipelining,
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unauth_destination
#enable SMTP auth for relaying
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /private/auth-client
# deliver with dovecot
dovecot_destination_recipient_limit = 1
mailbox_transport = dovecot
local_recipient_maps =
##########################################################################################################################
/etc/dovecot/dovecot.conf
shutdown_clients = yes
ssl_disable = no
base_dir = /var/run/dovecot/
protocols = imap pop3 imaps pop3s
listen = [::]
protocol imap {
listen = *:143
ssl_listen = *:993
login_executable = /usr/lib/dovecot/imap-login
mail_executable = /usr/lib/dovecot/imap
}
protocol pop3 {
listen = *:110
ssl_listen = *:995
login_executable = /usr/lib/dovecot/pop3-login
mail_executable = /usr/lib/dovecot/pop3
pop3_no_flag_updates = yes
pop3_reuse_xuidl = no
pop3_lock_session = no
pop3_uidl_format = %08Xu%08Xv
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
postmaster_address = main@main.com
}
disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> rip=%r %c
login_log_format = %$: %s
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_full_filesystem_access = no
mail_debug = no
mail_log_prefix = "%Us(%u): "
mail_read_mmaped = no
lock_method = fcntl
mail_drop_priv_before_exec = no
verbose_proctitle = no
#first_valid_uid = 10000
#last_valid_uid = 10000
#first_valid_gid = 10000
#last_valid_gid = 10000
max_mail_processes = 1024
mail_process_size = 256
mail_max_keyword_length = 50
umask = 0077
valid_chroot_dirs = /
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dotlock_change_timeout = 120
mbox_dirty_syncs = yes
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_process_size = 256
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
count = 1
ssl_require_client_cert = no
ssl_username_from_cert = no
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = dovecot
group = dovecot
}
client {
path = /var/spool/postfix/private/auth-client
mode = 0666
user = postfix
group = mail
}
}
}
##########################################################################################################################
ls /var/spool/postfix/private/auth-client -l
srw-rw-rw- 1 postfix mail 0 2008-03-18 11:19 /var/spool/postfix/private/auth-client
ls /var/run/dovecot/auth-master -l
srw-rw---- 1 dovecot dovecot 0 2008-03-18 11:19 /var/run/dovecot/auth-master
/var/log/mail.log
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:20:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
Mar 18 11:20:56 main dovecot: IMAP(d3v1ous): Disconnected in IDLE
Mar 18 11:21:56 main dovecot: imap-login: Login: user=, rip=217.18.252.139
##########################################################################################################################
/var/log/mail.log
Mar 18 11:40:32 jony postfix/master[30724]: daemon started -- version 2.3.8, configuration /etc/postfix
Mar 18 11:40:34 jony postfix/smtpd[30731]: warning: SASL: Connect to private/auth-client failed: No such file or directory
Mar 18 11:40:34 jony postfix/smtpd[30731]: fatal: no SASL authentication mechanisms
Mar 18 11:40:35 jony postfix/master[30724]: warning: process /usr/lib/postfix/smtpd pid 30731 exit status 1
Mar 18 11:40:35 jony postfix/master[30724]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
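The log above says smtpd could not find private/auth-client, and the main.cf shows why: queue_directory is set to /var/mail, while Dovecot creates the socket under /var/spool/postfix/private. The script below is my own added example (not from this post or the earlier SMTP-AUTH post): it reads a main.cf the way Postfix does (indented lines continue the previous parameter), computes where a chrooted smtpd will look for the Dovecot socket, and flags the other weakness both posts share, AUTH offered on unencrypted sessions (the SMTP-AUTH post sets smtpd_tls_auth_only = no; this one leaves it unset). It assumes, as in Debian's default master.cf, that smtpd runs chrooted to queue_directory, so a relative or leading-slash smtpd_sasl_path is resolved underneath it; the sample main.cf is constructed from the one above and the function names are mine.

```shell
#!/bin/sh
# Added example: parse a Postfix main.cf and check the SASL/TLS settings
# (mine, not from the post). Assumption: smtpd runs chrooted to
# queue_directory (Debian default), so smtpd_sasl_path is resolved there.

# Flatten main.cf from stdin into one "key=value" line per parameter,
# joining indented continuation lines with a space.
postconf_flatten() {
    awk '
        /^[ \t]*#/ { next }                     # comment line
        /^[A-Za-z0-9_]+[ \t]*=/ {                # new parameter
            if (key != "") print key "=" val
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
            next
        }
        /^[ \t]+[^ \t]/ && key != "" {          # continuation line
            line = $0; sub(/^[ \t]+/, "", line)
            val = (val == "") ? line : val " " line
            next
        }
        END { if (key != "") print key "=" val }
    '
}

# Value of parameter $2 in flattened config $1 (empty if unset).
postconf_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# Path at which a chrooted smtpd will try to open the Dovecot auth socket.
effective_sasl_socket() {
    qdir=$(postconf_get "$1" queue_directory)
    spath=$(postconf_get "$1" smtpd_sasl_path)
    printf '%s/%s\n' "${qdir%/}" "${spath#/}"
}

# Print a finding if SASL AUTH is enabled and PLAIN/LOGIN credentials may be
# sent without TLS; print nothing when the configuration is safe.
audit_sasl_auth() {
    flat=$1
    [ "$(postconf_get "$flat" smtpd_sasl_auth_enable)" = yes ] || return 0
    [ "$(postconf_get "$flat" smtpd_tls_auth_only)" = yes ] && return 0
    opts=$(postconf_get "$flat" smtpd_sasl_security_options | tr ',' ' ')
    [ -n "$opts" ] || opts=noanonymous          # Postfix default
    case " $opts " in
        *" noplaintext "*) ;;
        *) echo "AUTH offered without TLS and plaintext mechanisms allowed:" \
                "set smtpd_tls_auth_only = yes (or add noplaintext)" ;;
    esac
}

# Constructed sample based on the main.cf above.
SAMPLE_MAIN_CF='# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_use_tls = yes
myhostname = jony.atlantica.us
queue_directory = /var/mail
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /private/auth-client
local_recipient_maps ='

flat=$(printf '%s\n' "$SAMPLE_MAIN_CF" | postconf_flatten)
echo "smtpd will open:    $(effective_sasl_socket "$flat")"
echo "Dovecot listens on: /var/spool/postfix/private/auth-client"
audit_sasl_auth "$flat"
```

With the real file, `flat=$(postconf_flatten < /etc/postfix/main.cf)` feeds the same checks; a queue_directory of /var/spool/postfix makes the two paths agree.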
Posted by Harry Wisnu at Saturday, March 07, 2009