Linux Servers



Copyright 2006 Pakistan Software Export Board (G) Limited, Ministry of Information Technology, Government of Pakistan. Printing: Artland Communications, Lahore. September 2006. Published by Pakistan Software Export Board.

The Funding Agency: This open source toolkit is funded by the Open Source Resource Center (OSRC) project of the Pakistan Software Export Board (PSEB). PSEB is the entity within Government charged with the task of enhancing exports of software and IT enabled services (ITES) from Pakistan. PSEB is a guarantee limited company totally owned and funded by the Government of Pakistan. Any questions or comments about this toolkit may be directed to PSEB Islamabad at 92-51-111-333-666 or through e-mail at [email protected].

Disclaimer: This toolkit is published by the PSEB for members of the IT industry and the public-at-large. The toolkit's compilers, or the editor, are not responsible, in any way possible, for the errors/omissions of this toolkit. The OSRC does not accept any liability for any direct and consequential use of this toolkit or its contents. The contents of this toolkit may be distributed only subject to the terms and conditions set forth in the Open Publication License v 1.0 or later. The latest version is presently available at http://opencontent.org/openpub/

TABLE OF CONTENTS

INTRODUCTION

DOMAIN NAME SYSTEM (DNS)
  1. named.conf
  2. Step-by-step Configuration Guide

APACHE WEB SERVER
  1. Introduction to Apache
  2. Installation
    2.1. Installing from the rpm
    2.2. Installing from the source
  3. Apache Configuration
    3.1. Running Apache
  4. Basics of Apache Configuration
    4.1. Server-wide configuration
    4.2. Site-specific configuration
    4.3. Virtual Hosts
      4.3.1. IP-Based
      4.3.2. Name-Based
    4.4. Authentication, Authorization and Access Control
    4.5. Logging
  5. An Example Set-up
  6. Reference

MAIL SERVER
  1. How Electronic Mail Works
    1.1. Mail between full-time Internet machines
  2. Notifiers
  3. Mailbox Formats
  4. Choosing a Mail Transport Agent (MTA)
    4.1. Sendmail
    4.2. smail v3.2
    4.3. qmail
  5. Local Delivery Agents (LDAs)
  6. User Agent Administration
    6.1. Mutt
    6.2. Elm
    6.3. Mailx
  7. Sendmail - Step-by-step Configuration
    7.1. MTA (sendmail)
    7.2. POP3
    7.3. Starting and Testing the Mail Server
  8. qmail - Step-by-step Configuration
    8.1. Pre-requisites/Pre-installation steps
      8.1.1. Required software/packages
      8.1.2. Software/packages that should not be installed
    8.2. qmail Installation and Configuration
      8.2.1. Download qmail
      8.2.2. Installing qmail
    8.3. qmail additional tools and utilities
      8.3.1. ezmlm
      8.3.2. Autoresponder
      8.3.3. Vpopmail
      8.3.4. Vqadmin
      8.3.5. Maildrop
      8.3.6. Qmailadmin
    8.4. qmail Configuration
    8.5. Testing qmail Installation and Configuration
    8.6. Courier-imap/imaps and Courierpassd
    8.7. SquirrelMail
    8.8. ClamAntivirus and SpamAssassin
  9. References

DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)
  1. Introduction
  2. Installation
    2.1. Server Configuration
    2.2. Client Configuration
  3. References

LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)
  1. Overview
  2. How does LDAP work?
  3. LDAP back-ends, objects and attributes
  4. Step-by-step Configuration Guide
    4.1. Scenario
    4.2. Downloading and Installing the LDAP Packages
      4.2.1. Required LDAP Server RPMs
      4.2.2. Required LDAP Client RPMs
    4.3. Configuring the LDAP Server
      4.3.1. Create a database directory
      4.3.2. Create an LDAP "root" password
      4.3.3. Edit the slapd.conf file
      4.3.4. Start the LDAP daemon
      4.3.5. Convert the /etc/passwd file into LDIF format
      4.3.6. Create the ldapuser test account
      4.3.7. Extract the required records from /etc/passwd
      4.3.8. Find the conversion script
      4.3.9. Convert the ".ldapuser" file
      4.3.10. Modify the LDIF files
      4.3.11. Edit the user LDIF file
      4.3.12. Create an LDIF file for the "tdomain.com" domain
      4.3.13. Import the LDIF files into the database
      4.3.14. Test the LDAP database
    4.4. Configuring the LDAP Client
      4.4.1. Edit the ldap.conf configuration file
      4.4.2. Edit the /etc/nsswitch file
      4.4.3. Create Home Directories on the LDAP Client
      4.4.4. Check if ldapuser is missing from the /etc/passwd file
      4.4.5. Create the Home Directory for ldapuser on the LDAP Client
    4.5. Testing

SAMBA
  1. Overview
  2. Configuring Samba
    2.1. Setting the NetBIOS parameters
    2.2. Global printing settings
    2.3. Global security settings
    2.4. Global name resolution settings
    2.5. Creating shares
    2.6. Share permissions
    2.7. Creating shares for home directories
    2.8. Creating a printer share
  3. Starting and Stopping the Samba Server
  4. Step-by-step Configuration Guide
    4.1. Samba as Primary Domain Controller
    4.2. Join Domain

SQUID CACHE SERVER
  1. An Overview
  2. Why Cache?
    2.1. Origin Server Load
    2.2. Quick Abort
    2.3. Peer Congestion
    2.4. Traffic spikes
    2.5. Unreachable sites
    2.6. Costs
  3. Supported Protocols
    3.1. Supported Client Protocols
    3.2. Inter-cache and Management Protocols
    3.3. Inter-cache Communication Protocols
  4. Squid Configuration
    4.1. The Configuration File
    4.2. Setting Squid's HTTP Port
    4.3. Storing Cached Data
    4.4. E-mail for the Cache Administrator
  5. Access Control Lists and Access Control Operators
    5.1. Simple Access Control
  6. Step-by-step Configuration Guide

FIREWALLS
  1. Introduction
  2. Concepts
  3. IPFIREWALL (IPFW)
    3.1. Enabling IPFW
      3.1.1. Kernel Options
      3.1.2. /etc/rc.conf Options
    3.3. IPFW Rule Sets
      3.3.1. Rule Syntax
    3.4. Building a Rule Script
      3.4.1. A Sample Inclusive Rule set
      3.4.2. A Sample NAT and Stateful Rule set

ASTERISK
  1. Overview
  2. Introduction
    2.1. The Components
      2.1.1. The IP PBX
      2.1.2. Phones
      2.1.3. Network
  3. Installation and Configurations
    Change the Linux Password
    Change the IP Address
    Set Time Zone
  4. Connect to AMP from a Web Browser
    4.1. Logging into an Asterisk Management Portal (AMP)
    4.2. General Settings
    4.3. Extensions
  5. Setting the Soft Phone
    5.1. Profile Tab
    5.2. Audio and Video Tab
    5.3. Network Tab
    5.4. Call-forwarding
    5.5. Flash Operator Panel (FOP)

Introduction

This open source toolkit has been developed by the Open Source Resource Center (OSRC), a project of the Ministry of Information Technology (MoIT). This toolkit contains step-by-step manuals related to open source applications for databases, application servers, desktop applications, office productivity suites, Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) software, and open source desktop applications for the Microsoft Windows platform. A set of CDs, including some Linux distributions and other applications, forms an integral part of this open source toolkit. I would like to thank the OSRC team, including Mr. Abubakar Shoaib, Mr. Iftikhar Ahmad, Mr. Muhammad Hammmad, Mr. Muazzam Ali, Mr. Sher Shah Farooq, and Mr. Qandeel Aslam, who have compiled this toolkit; and Miss Seema Javed Amin, who has edited it. The OSRC would especially wish to thank PSEB's Director (Projects) Mr. Nasir Khan Afridi, Former Project Manager (OSRC) Mr. Osman Haq and Ministry of Information Technology's Member (IT) Mr. M. Tariq Badsha for their generous moral support, without which this toolkit would never have been completed. This is the first edition of this toolkit, and the OSRC hopes to continue to improve it with the help of your feedback and comments.

Sufyan Kakakhel Open Source Resource Center, Pakistan Software Export Board, 2nd Floor, ETC, Agha Khan Road, F-5, Islamabad, Pakistan. Ph: +92-51-9208748 Fax: +92-51-9204075 Email: [email protected] http://www.osrc.org.pk

Open Source Software Training Toolkit


Domain Name System (DNS)

Linux Servers Configuration


A domain name server is configured using a configuration file, several zone files, and a cache file. The part of a network that the name server is responsible for is known as a zone. A zone is not the same as a domain: in a very large domain you can have several zones, each with its own name server. You can also have one name server serve several zones; in this case, each zone has its own zone file. The zone files hold resource records that provide hostname and IP address associations for the computers on the network that the domain name server is responsible for. There are zone files for the server's network and for the local machine. In addition, there is a cache file that lists the root servers your domain name server connects to.

1. named.conf

The configuration file for the named daemon is named.conf, located in the /etc directory. It uses a flexible syntax similar to C programs. The format enables easy configuration of selected zones, enabling features such as access control lists and categorized logging.

The named.conf file consists of BIND configuration commands with attached blocks, within which specific options are listed. A configuration command is followed by arguments and a block that is delimited with braces. Within the block are lines of option and feature entries. Each entry is terminated with a semicolon. Comments can use the C, C++ or shell/Perl syntax: enclosing /* */, preceding //, or preceding #.

The following example shows a zone command followed by the zone name and a block of options that begins with an opening brace, {. Each option entry ends with a semicolon. The entire block ends with a closing brace, also followed by a semicolon.

        // a caching only nameserver config
        //
        zone "." {
                type hint;
                file "named.ca";
        };

The zone command is used to specify the domains that the name server will service for you. Enter the keyword zone followed by the name of the domain placed within double quotes. Do not place a period at the end of the domain name. There are several types of zones to choose from: master, slave, stub, forward, and hint. The type master specifies that the zone holds the master copy of the zone data and is authoritative for it. The type slave indicates that the zone needs to update its data periodically from a specified master name server. A slave is also known as a secondary server. You can use this entry if your name server is operating as a secondary server for another primary (master) domain name server. A stub zone only copies the other name server's NS entries, instead of the entire zone. A forward zone will direct all queries to a specified name server. A hint zone specifies the set of root name servers used by all Internet domain name servers.

Within a zone block you can also specify several options that will override any global options set with the options command. A simple zone command for the mytrek.com domain, for example, would give the zone name "mytrek.com", the class Internet (IN), and the type master.
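As an added example that is not part of the PSEB toolkit or of BIND, the following Python script parses the zone statements of a named.conf written in the form described above and reports the slips that named loads without complaint: a zone block with no type or file, a zone name with a trailing dot or without quotes, a reverse zone whose name is not under in-addr.arpa or ip6.arpa, and a zone file that is absent from the options directory. The constructed sample configuration, the set of file names handed to lint(), and all function names are the example's own.

```python
"""Lint the zone statements of a BIND named.conf.

Added example, not code from the PSEB toolkit or from BIND. It understands
only the subset of named.conf syntax this chapter uses (the three comment
styles, an options block with 'directory', zone blocks with 'type' and
'file') and flags the slips that named itself loads without complaint.
"""
import re

# Constructed sample: the chapter's named.conf with two deliberate slips,
# an empty reverse-zone block and a misspelt loopback zone name.
SAMPLE_CONF = r'''
// generated by named-bootconf.pl
options {
        directory "/var/named";
        // query-source address * port 53;
};
/* a caching only nameserver config */
zone "." IN {
        type hint;
        file "db.cache";
};
zone "test.edu.pk" IN {
        type master;
        file "db.test";
};
zone "44.135.203.in-addr.arpa" IN {
};
zone "0.0.127.in.addr.arpa" IN {
        type master;
        file "named.local";
};
'''

ZONE_TYPES = {"master", "slave", "stub", "forward", "hint"}


def strip_comments(text):
    """Drop /* */, // and # comments, the three styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(text):
    """Yield (header, body) for each `header { body };`, matching braces so
    that nested blocks inside options {} do not confuse the split."""
    i = 0
    while (start := text.find("{", i)) >= 0:
        depth, k = 1, start + 1
        while depth and k < len(text):
            depth += {"{": 1, "}": -1}.get(text[k], 0)
            k += 1
        yield text[i:start].strip(), text[start + 1:k - 1]
        semi = text.find(";", k)
        i = semi + 1 if semi >= 0 else len(text)


def parse_named_conf(text):
    """Return (directory, zones); each zone is a dict of what its block says."""
    directory, zones = None, []
    for header, body in top_level_statements(strip_comments(text)):
        words = header.split()
        if words[0] == "options":
            m = re.search(r'\bdirectory\s+"([^"]*)"\s*;', body)
            directory = m.group(1) if m else None
        elif words[0] == "zone":
            raw = words[1]                     # the name as written, quotes and all
            t = re.search(r"\btype\s+(\w+)\s*;", body)
            f = re.search(r'\bfile\s+"([^"]*)"\s*;', body)
            zones.append({"name": raw.strip('"'),
                          "quoted": len(raw) >= 2 and raw[0] == raw[-1] == '"',
                          "type": t.group(1) if t else None,
                          "file": f.group(1) if f else None})
    return directory, zones


def lint(text, present_files=None):
    """Return a list of problem strings. present_files, when given, is the
    set of file names that really exist in the options directory."""
    directory, zones = parse_named_conf(text)
    problems = []
    for z in zones:
        name, ztype, where = z["name"], z["type"], f'zone "{z["name"]}"'
        if not z["quoted"]:
            problems.append(f"{where}: the zone name must be a quoted string")
        if name != "." and name.endswith("."):
            problems.append(f"{where}: no trailing dot on the zone name")
        if ztype not in ZONE_TYPES:
            problems.append(f"{where}: missing or unknown type {ztype!r}")
        elif ztype in ("master", "hint") and not z["file"]:
            problems.append(f"{where}: type {ztype} needs a file statement")
        if (ztype == "hint") != (name == "."):
            problems.append(f"{where}: only the root zone '.' is type hint")
        if name.endswith(".arpa") and not name.endswith((".in-addr.arpa", ".ip6.arpa")):
            problems.append(f"{where}: a reverse zone ends in in-addr.arpa or ip6.arpa")
        if present_files is not None and z["file"] and z["file"] not in present_files:
            problems.append(f"{where}: file {z['file']!r} is not in {directory}")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONF, {"db.cache", "db.test", "named.local"}):
        print(problem)
```

Run as a file it prints one line per problem; lint() called without a file set skips the existence check, so it can be run against a named.conf copied from another host. BIND 9's named-checkconf and named-checkzone do the syntax checking for real; the point of this lint is the semantic slips a syntax check passes, such as the misspelt in.addr.arpa zone that named loads happily and that no resolver ever asks for.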

2. Step-by-step Configuration Guide

The machine used in this example has been configured and assigned addresses as follows:

Hostname   Domain name   FQDN                  Routable/Static IP   Non-Routable IP
ops-isb    test.edu.pk   ops-isb.test.edu.pk   203.135.44.5         192.168.1.14


Open the file /etc/named.conf. It must be configured in the manner given below:

        // generated by named-bootconf.pl
        options {
                directory "/var/named";
                /*
                 * If there is a firewall between you and nameservers you want
                 * to talk to, you might need to uncomment the query-source
                 * directive below. Previous versions of BIND always asked
                 * questions using port 53, but BIND 8.1 uses an unprivileged
                 * port by default.
                 */
                // query-source address * port 53;
        };

        //
        // a caching only nameserver config
        //
        zone "." IN {
                type hint;
                file "db.cache";
        };

        zone "test.edu.pk" IN {
                type master;
                file "db.test";
        };

        zone "44.135.203.in-addr.arpa" IN {
                type master;
                file "db.203.135.44";
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "named.local";
        };

Explaining the /etc/named.conf file:

        options {
                directory "/var/named";
        };

This portion of the file is left in its original state. The directory option sets the path against which every relative file name in the zone blocks is resolved.

        zone "." IN {
                type hint;
                file "db.cache";
        };

This block is also left in its original configuration. After this block you can start the real theme of named.conf, i.e. defining your zones.

        zone "test.edu.pk" IN {
                type master;
                file "db.test";
        };

The keyword zone is written as it is. Write the name of your zone in quotes. This zone name must be the same as your domain name. The first line of the block defines the type of this zone, i.e. master. The type master means that it is an independent name server (NS), i.e. it does not need to be updated from any other NS; if it were to be updated from another NS, it would be of type slave. The file statement gives the name of your zone file, i.e. db.test, in which you will be configuring your zone.

        zone "44.135.203.in-addr.arpa" IN {
                type master;
                file "db.203.135.44";
        };

This zone configures the backward (reverse) mapping, i.e. it resolves IP addresses to names. Its name is the network part of the address (203.135.44) written with the octets in reverse order, followed by in-addr.arpa.

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "named.local";
        };

This is the reverse zone for the loopback network 127.0.0.0. Watch the spelling of in-addr.arpa: named loads a zone with a misspelt name such as 0.0.127.in.addr.arpa without complaint, but nothing ever queries it.

NOTE

Don't forget to put a semicolon (;) after the closing brace of every zone block. Don't forget to put a semicolon after each statement of the zone block. The db. prefix in the file names is just a naming convention and you can use your own naming convention for this purpose. All the files mentioned in named.conf must exist in the path specified in the options {} block and must be correctly configured. As written, this named.conf places no restriction on who may query the server or ask it to recurse; on a host with a routable address such as 203.135.44.5 that makes it a resolver open to the whole Internet, so once the zones work, restrict recursion to your own networks with BIND's allow-recursion option in the options {} block.

After configuring the named.conf file, the next step is the zone files' configuration. Go to the path mentioned in the options {} block of the named.conf file, i.e. /var/named. Begin with the zone file db.test (as mentioned in the third block of named.conf).

         1.  @          IN  SOA  ops-isb.test.edu.pk. root.ops-isb.test.edu.pk. (
         2.                      1        ; Serial
         3.                      10800    ; Refresh after 3 hours
         4.                      3600     ; Retry after 1 hour
         5.                      604800   ; Expire after 1 week
         6.                      86400    ; Minimum TTL of 1 day
         7.                      )
         8.
         9.             IN  NS   ops-isb.test.edu.pk.
        10.             IN  A    203.135.44.5
        11.
        12.  $ORIGIN test.edu.pk.
        13.  xyz        IN  A    203.135.44.5
        14.  ops-isb    IN  A    203.135.44.5
        15.  www        IN  A    203.135.44.5
        16.  abc        IN  A    203.135.44.5
        17.  bakar      IN  A    203.135.44.5
        18.  www.bakar  IN  A    203.135.44.5

Open Source Software Training Toolkit


NOTE

Here ops-isb is the hostname, i.e. the name of the machine on which the named daemon is running. 203.135.44.5 is the IP address that the machine ops-isb (hostname) has been assigned. xyz, abc, bakar and www.bakar are the names of my virtual hosts. For example, the full address of the virtual host bakar would be bakar.test.edu.pk. You can add as many virtual hosts as you want. When writing the SOA, write hostname.zonename (the zone name is the name that you have declared in the file named.conf). In this example, as in line 1, it is ops-isb.test.edu.pk, where ops-isb is the hostname of my machine and test.edu.pk is the zone name. Write the name of the administrator of the zone in the format root.hostname.zonename. In this example, it is root.ops-isb.test.edu.pk. Don't forget to put a dot (.) after ops-isb.test.edu.pk., root.ops-isb.test.edu.pk. and test.edu.pk. in lines 1, 9 and 12.

The next configuration is the reverse lookup zone, i.e. it resolves IP to domain name. The file name used in this example is db.203.135.44:

    1.  @          IN  SOA  ops-isb.test.edu.pk. root.ops-isb.test.edu.pk. (
    2.                      1        ; Serial
    3.                      10800    ; Refresh after 3 hours
    4.                      3600     ; Retry after 1 hour
    5.                      604800   ; Expire after 1 week
    6.                      86400    ; Minimum TTL of 1 day
    7.                      )
    8.
    9.             IN  NS   ops-isb.test.edu.pk.
    10. 5.44.135.203.IN-ADDR.ARPA.  IN  PTR  ops-isb.test.edu.pk.   ; 203.135.44.5 -> ops-isb

named.local:

    1.  @          IN  SOA  ops-isb.test.edu.pk. root.ops-isb.test.edu.pk. (
    2.                      1        ; Serial
    3.                      10800    ; Refresh after 3 hours
    4.                      3600     ; Retry after 1 hour
    5.                      604800   ; Expire after 1 week
    6.                      86400    ; Minimum TTL of 1 day
    7.                      )
    8.
    9.             IN  NS   ops-isb.test.edu.pk.
    10. 1.0.0.127.IN-ADDR.ARPA.  IN  PTR  localhost.   ; 127.0.0.1 -> localhost
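As an added example that is not part of the toolkit, the following Python script checks a forward zone and its reverse zone of the kind shown above against each other. The zone texts are constructed for the example, and the forward zone's NS line and bakar record deliberately contain the mistakes the NOTE warns against (a missing trailing dot, and an address with no reverse entry).

```python
"""Added example, not part of the toolkit: a consistency check between a
forward zone (like db.test) and its reverse zone (like db.203.135.44).
It parses the SOA, NS, A and PTR records, skips the SOA timer block in
parentheses, and reports names that should be absolute but lack the
trailing dot, and A records whose address has no PTR pointing back."""

FORWARD_NAME = "test.edu.pk."
REVERSE_NAME = "44.135.203.in-addr.arpa."

# Constructed forward zone with two deliberate mistakes for the check to find.
FORWARD_ZONE = """\
@        IN  SOA  ops-isb.test.edu.pk. root.ops-isb.test.edu.pk. (
                  1 10800 3600    ; Serial, Refresh, Retry
                  604800 86400 )  ; Expire, Minimum TTL
         IN  NS   ops-isb.test.edu.pk
         IN  A    203.135.44.5
$ORIGIN test.edu.pk.
ops-isb  IN  A    203.135.44.5
www      IN  A    203.135.44.5
bakar    IN  A    203.135.44.7
"""

# Constructed reverse zone, like db.203.135.44 above.
REVERSE_ZONE = """\
@   IN  SOA  ops-isb.test.edu.pk. root.ops-isb.test.edu.pk. (
             1 10800 3600 604800 86400 )
    IN  NS   ops-isb.test.edu.pk.
5   IN  PTR  ops-isb.test.edu.pk.
"""

def qualify(name, origin):
    """'@' is the origin, a name ending in '.' is absolute, else append origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, zone_name):
    """Return (owner, type, rdata tokens, origin) for each record in text."""
    origin, owner, records, in_parens = zone_name, zone_name, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if in_parens:                               # inside SOA ( ... )
            in_parens = ")" not in line
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if not line[0].isspace():                   # the line names its owner
            owner, tokens = qualify(tokens[0], origin), tokens[1:]
        in_parens = "(" in line and ")" not in line
        if tokens and tokens[0] == "IN":
            tokens = tokens[1:]
        if tokens:
            rdata = [t for t in tokens[1:] if t not in ("(", ")")]
            records.append((owner, tokens[0], rdata, origin))
    return records

def ptr_owner_to_ip(owner):
    """'5.44.135.203.in-addr.arpa.' -> '203.135.44.5' (None if not in-addr.arpa)."""
    suffix = ".in-addr.arpa."
    if not owner.lower().endswith(suffix):
        return None
    return ".".join(reversed(owner[:-len(suffix)].split(".")))

def check_zones(forward_text, forward_name, reverse_text, reverse_name):
    """Return a sorted list of findings; an empty list means the zones agree."""
    findings = []
    fwd = parse_zone(forward_text, forward_name)
    rev = parse_zone(reverse_text, reverse_name)
    # 1. SOA and NS targets need the trailing dot, or BIND appends the origin.
    for _, rtype, rdata, origin in fwd + rev:
        if rtype in ("SOA", "NS"):
            for name in (rdata[:2] if rtype == "SOA" else rdata[:1]):
                if not name.endswith("."):
                    findings.append(f"{rtype} target '{name}' has no trailing dot; "
                                    f"BIND would read it as '{name}.{origin}'")
    # 2. Every A record needs a PTR that points back at one of its names.
    a_by_ip, ptr_by_ip = {}, {}
    for owner, rtype, rdata, _ in fwd:
        if rtype == "A":
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    for owner, rtype, rdata, _ in rev:
        if rtype == "PTR":
            ptr_by_ip[ptr_owner_to_ip(owner)] = rdata[0]
    for ip, owners in a_by_ip.items():
        if ip not in ptr_by_ip:
            findings.append(f"no PTR record for {ip} (A records: {', '.join(sorted(owners))})")
        elif ptr_by_ip[ip] not in owners:
            findings.append(f"PTR for {ip} names '{ptr_by_ip[ip]}', which has no A record there")
    for ip in ptr_by_ip:
        if ip not in a_by_ip:
            findings.append(f"PTR record for {ip} but no A record uses that address")
    return sorted(findings)
```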

NOTE
The numbers have been added to the configuration files above in order to explain each line clearly; they (1, 2, 3 and so on) must not be written in the zone files or in any other configuration file.

The next step is the zone file db.cache. Leave the zone db.cache at its default configuration. Open the file /etc/resolv.conf and write the following lines:

    search test.edu.pk
    nameserver 203.135.44.5
    nameserver 127.0.0.1

Linux Servers Configuration


NOTE

In search, give the domain name of your system. Each nameserver line gives the IP of a name server to query: in the example, the IP of the machine itself and the loopback address.

Starting the Daemon: Start the DNS server by running its init script:

    /etc/rc.d/init.d/named start

You can start, stop or restart the daemon by giving start, stop or restart as the argument to the /etc/rc.d/init.d/named script.

Testing the DNS: There are two major ways to ensure that your DNS has been configured correctly:

Ping your domain name or any of your virtual hosts:

    ping test.edu.pk
    ping bakar.test.edu.pk

If you get a ping reply, your DNS is functioning correctly.

Use the nslookup command:

    nslookup test.edu.pk

If it is functioning correctly, it will give the following message:

    Server:   localhost
    Address:  127.0.0.1

    Name:     test.edu.pk
    Address:  203.135.44.5


Apache Web Server


1. Introduction to Apache

The World Wide Web (WWW) is the Internet's most successful application, and its most prominent component is the web server. The web server serves a user's request by returning the requested web page to the user. Two applications are required in order to process such requests: a web server and a web client. A protocol known as the Hyper Text Transfer Protocol (HTTP) is used for communication between the web client and the web server. According to Netcraft's monthly secure server surveys, available at http://news.netcraft.com/, the Apache web server currently has 68.01% of the market share, compared to its competitors, Microsoft at 20.56% and Sun Microsystems at 2.47%. The Apache HTTP web server is a project of the Apache Software Foundation, which supports other open source projects as well, including Ant, SpamAssassin, Struts and Tomcat. The version of the Apache web server used for the purposes of this tutorial is 2.2.0. It can be downloaded from its official website at http://httpd.apache.org/download.cgi.

2. Installation

Apache is usually pre-installed in most Linux distributions. Use the command rpm -qa | grep httpd to confirm whether it is installed or not. If Apache has been installed from the source code, the command mentioned above will not produce any result. In this case, try locating the httpd/apache/apache2 directories. If these directories exist on your system, Apache has already been installed on it. Apache can also be installed manually, by downloading either the rpm or the source code. This tutorial will demonstrate both methods.

2.1. Installing from the rpm

1. Download Apache's latest version from http://httpd.apache.org/download.cgi:

    # wget http://apache.mirrors.pair.com/httpd/binaries/rpm/i386/httpd-2.2.0-1.i386.rpm

2. If you have already installed a previous version of Apache:

From the rpm: Uninstall it, using the command:

    # rpm -e httpd

From the source installation: Install the new rpm on a path that is different from the path of the source installation. Apache's rpm can be installed by the following command:

    # rpm -ivh httpd-2.2.0-1.i386.rpm

If you get any dependency errors regarding the Apache Portable Runtime (APR or apr) packages, upgrade it to the version compatible with the current version, httpd-2.2.0-1. This is apr-1.2.2-1, which can be downloaded from http://apr.apache.org/.

3. Verify the installation by running:


    # rpm -q httpd

Browse to the "/etc/httpd" path.

2.2. Installing from the source

A number of options can be used to configure Apache. Customized installation will be discussed in the References section. Download Apache from http://httpd.apache.org/download.cgi:

    # wget http://apache.mirror99.com/httpd/httpd-2.2.0.tar.gz

Create an Apache directory in "/usr/local". This path is optional, and is being used for the purposes of this tutorial only. Unpack the distribution and change into the unpacked directory:

    # tar zxvf httpd-2.2.0.tar.gz -C /usr/local
    # cd /usr/local/httpd-2.2.0/

Run configure with the following options:

    # ./configure --with-layout=Apache --prefix=/usr/local/apache2 \
        --enable-modules=most --enable-mods-shared=most

Run make to compile the distribution: # make

Install Apache by running the following command: # make install

3. Apache Configuration

If you are using the pre-installed Apache that comes with the distribution, then it is probably installed in /etc/httpd. If you have built it from the source and followed the procedure in the previous section, then the path is /usr/local/apache2. For the purposes of this tutorial, $APACHE_HOME will be used to refer to this installation path ("/etc/httpd" or "/usr/local/apache2"). Apache runs as a daemon in the background, handling requests continuously. Port 80 is specified by default in the Apache configuration file, httpd.conf. Running Apache on port 80 requires root privileges, and it can be started with the following command:

    # $APACHE_HOME/bin/apachectl start

[If a pre-installed version of Apache is being used, then bin might not be under the $APACHE_HOME directory.] Other useful commands include:

    # $APACHE_HOME/bin/apachectl stop


    # $APACHE_HOME/bin/apachectl restart
    # $APACHE_HOME/bin/apachectl status

A start-up script, httpd, can also be used to start, stop or restart the Apache web server:

    # /etc/init.d/httpd start

Apache reads a special file at start-up, httpd.conf, which contains the configuration. This is the main configuration file; its location can be set at the time of compilation, or it can be specified by passing the -f option: apachectl -f /path/to/config/file. This configuration file is divided into three sections:

Global Environment: This section defines configuration parameters for the Apache server process, e.g. the path to the Apache configuration directory, the Apache pid file and the path to other configuration files.

Main Server Configuration: Apache can be configured to host multiple websites on a single host, and each website can be handled by defining a virtual host entry. The main server configuration specifies the default settings for the Apache server which are not handled by virtual hosts.

Virtual Host: This section defines settings for virtual hosts that are either IP-based or name-based.

The configuration file is configured by placing directives. Most directives have a global scope that applies to the entire server, but this can be changed by placing the directives inside special container directives, such as <Directory>, <Files>, <Location> and <VirtualHost>.

3.1. Running Apache

In order to test whether the web server configuration file is syntactically correct, run the command:

    # apachectl configtest

The output will display "Syntax OK" if everything is correct. The Apache configuration file, httpd.conf, specifies the web server's listening port; it is 80 by default. If it is not, change the port to 80, restart the Apache web server and browse to "http://localhost". If the configuration is correct, the browser will display the "Test Page". Note: In Fedora Core 3, a special package, "SE Linux", can create problems in Apache's configuration. Ensure that it is disabled before testing the configuration, and then restart Apache.

4. Basics of Apache Configuration

Some common configuration tasks include server-wide configuration, site-specific configuration, virtual hosting, logging, access control and authentication.

4.1. Server-wide configuration

Basic server configuration specifies the following:

Server Name: This specifies the server name and the port which the server uses to identify itself. This is useful for the purposes of redirection, e.g. when the machine's name is xyz.osrc.org.pk but it has the DNS entry www.osrc.org.pk, and you want to identify the machine as the latter, then ServerName can be used as given below:

    ServerName www.osrc.org.pk:80

Specify the server name in order to prevent any problem at start-up. This directive can also be used in the virtual host section.

Listening Port: This specifies the port number, or the IP address and the port number, on which the web server will listen for incoming requests. If only the port is specified, then the server will listen on the given port number on all IP interfaces; otherwise it will listen on the specified IP and port number only:

    Listen 80              [Listens on port 80 on all available interfaces]
    Listen 12.34.56.78:80  [Listens on port 80 on the IP 12.34.56.78 only]

4.2. Site-specific configuration

Document Root: The default web folder for Apache is /var/www/html, where you can publish HTML documents. This can be changed by using the DocumentRoot directive. This directive can also be used in the virtual host section:

    DocumentRoot /var/www/html

Directory Index: If the requested URL specifies a directory, this option specifies the resources to look for, e.g. http://www.xyz.com/downloads/, where the trailing / specifies that "downloads" is a directory. The resources can be, for instance, index.html, index.php, etc. It is important to note that the order matters, and that the first available resource will always be returned:

    DirectoryIndex index.html index.php index.txt

The above configuration tells Apache to look for the index.html file in the "downloads" directory. If there is no index.html, it looks for index.php, and then index.txt. If none of these resources can be found, then the behavior depends upon whether the Options directive is set with the Indexes option. This directive can also be used in the virtual host section.

Options Indexes: If this option is set for a directory, and the requested URL maps to a directory, e.g. http://www.xyz.com/downloads/, and no DirectoryIndex is set, or the resource specified in the DirectoryIndex cannot be found, then this option will generate a formatted listing of the requested directory:

    Options Indexes

This configuration enables automatic index generation for the directory "html" and its subdirectories. This directive can also be used in the virtual host section.

4.3. Virtual Hosts

Virtual hosting allows running more than one website on a single machine. By default, Apache serves only one website on a single machine. In order to run multiple websites, you can either use multiple Apache daemons, with each daemon handling a specific website, or configure Apache for virtual hosting. Running multiple daemons is an inefficient practice and should, therefore, be avoided. Virtual hosts can be:


4.3.1. IP-Based

This allows running multiple websites, each with a different IP, on a single machine. This can be achieved by hosts that have multiple network connections, or by virtual interfaces. A multihomed machine, for example, can have two network cards with IPs 192.168.2.58 and 10.10.10.100. You can configure a website http://www.xyz.com/accounts on 192.168.2.58 and http://www.xyz.com/hr on 10.10.10.100. The following is a sample configuration of IP-based virtual hosts. The hostnames will be resolved to their respective IP addresses:

    <VirtualHost www.example1.com>
        DocumentRoot /var/www/html/example1
    </VirtualHost>

    <VirtualHost www.example2.com>
        DocumentRoot /var/www/html/example2
    </VirtualHost>

Ensure that the NameVirtualHost entry in the main section is commented out. The above configuration specifies that when a client requests http://www.example1.com, Apache first resolves the hostname, which returns 192.168.2.58, and then serves the contents of the directory specified by that DocumentRoot. A similar operation is performed for http://www.example2.com, where the IP address is 10.10.10.100. These hostnames and their corresponding IP addresses should be specified in the "/etc/hosts" file on the web server machine, in addition to creating entries in the DNS server. Otherwise, the client will need to specify http://www.example1.com/example1 instead of just www.example1.com. The above configuration requires DNS name resolution, which will slow down the entire process. Please refer to http://httpd.apache.org/docs/2.2/dns-caveats.html for more information. The recommended practice is to specify the IP address instead of the hostname in the virtual host section:

    <VirtualHost 192.168.2.58>
        DocumentRoot /var/www/html/example1
        ServerName www.example1.com
    </VirtualHost>

    <VirtualHost 10.10.10.100>
        DocumentRoot /var/www/html/example2
        ServerName www.example2.com
    </VirtualHost>

You need an additional directive, ServerName, so that requests for example1 or example2 can be mapped. If no ServerName is specified, then Apache will try a reverse DNS lookup to find the hostname.

4.3.2. Name-Based

Name-based virtual hosts allow multiple websites on a single IP address. This is in contrast to IP-based virtual hosts, where you need an IP address for each website. IP-based virtual hosts rely explicitly on IP addresses to determine the correct virtual host for the request. Name-based virtual hosts rely on the client to specify the hostname in the HTTP headers. Name-based virtual hosts are easy to configure, do not require multiple IP addresses and can, therefore, work in situations in which you are short of IPs. Prefer name-based virtual hosting over IP-based virtual hosting unless you have very specific reasons for doing otherwise. The following is a sample configuration for name-based virtual hosts:

    NameVirtualHost 192.168.2.58:80

    <VirtualHost 192.168.2.58:80>
        DocumentRoot /var/www/html/example1
        ServerName www.example1.com
    </VirtualHost>

    <VirtualHost 192.168.2.58:80>
        DocumentRoot /var/www/html/example2
        ServerName www.example2.com
    </VirtualHost>

The NameVirtualHost directive specifies that name-based virtual hosts are served for incoming requests arriving on the IP 192.168.2.58, port 80. Normally, you can use * here, but in cases which require mixed settings, i.e. a host that supports both IP-based and name-based virtual hosts, you need to specify which IP address you want to configure for name-based virtual hosting. If you are planning to use multiple ports, for SSL for example, then specify the port here. The argument given to NameVirtualHost must match the <VirtualHost> argument of the name-based virtual hosts:

    NameVirtualHost *

    <VirtualHost *>
        DocumentRoot /var/www/html/example1
        ServerName www.example1.com
    </VirtualHost>

    <VirtualHost *>
        DocumentRoot /var/www/html/example2
        ServerName www.example2.com
    </VirtualHost>

4.4. Authentication, Authorization and Access Control

Authentication refers to the verification of the identity of the requesting host and/or user, i.e. that the user/host is actually who/what they claim to be. Authorization is the process of granting someone access to the areas to which the user is allowed to go. Access control is also authorization, but it provides authorization at another layer, i.e. based on an IP address, hostname or a characteristic of the request. Make sure that the requisite modules are installed and loaded in Apache beforehand. Please refer to http://httpd.apache.org/docs/2.2/howto/auth.html and http://httpd.apache.org/docs/2.2/howto/access.html for the list. In order to implement such security mechanisms, you first need to understand Apache's directory structure and its configuration. Apache is normally configured using the main httpd.conf file, where the configuration parameters are applicable to all the published web folders. Sometimes you need to customize configuration based on specific directories, URLs, files, hosts or locations. You might, for example, want to restrict a particular section of the website to a few users, in which case Apache provides two options: either use a <Directory> section in the main configuration file httpd.conf, or use the special .htaccess file by placing it in that directory. Conceptually, there is no difference between the two methods, as both have the same syntax and applicability. The difference between a directory, a file and a location is as follows:

    <Directory /var/www/html/test>
        Order allow,deny
        Deny from all
    </Directory>

This denies access to the directory test and all its sub-directories. So, access to the URL http://www.test.com pointing to the directory /var/www/html/test is denied. Access to the URL http://www.test.com/public pointing to the directory /var/www/html/all is allowed.

    <Files private.html>
        Order allow,deny
        Deny from all
    </Files>

This means that access to the file private.html, located anywhere, is denied.

    <Location /private>
        Order allow,deny
        Deny from all
    </Location>

This means that access to any URL whose path starts with /private is denied. Access to http://www.test.com/private/public is not allowed, whereas access to http://www.test.com/public is allowed.

The .htaccess method is easy to configure. The contents of a .htaccess file could equally be placed in a <Directory> section in the main configuration file. The name of the .htaccess file can be changed by using the AccessFileName directive in the main configuration file. Configure Apache to allow such configuration files for directories. This can be done by using AllowOverride AuthConfig in <Directory>. If you want a special directory, /var/www/html/public/restricted, to be restricted, for example, you must allow the use of the .htaccess file. Place the following configuration in Apache's main configuration file:

    <Directory /var/www/html/public/restricted>
        AllowOverride AuthConfig
    </Directory>

Define the users who are granted access to the restricted area. These users and their passwords will be defined in a special file, which should be placed somewhere inaccessible from the web.
The file can be created with a special utility, htpasswd, that comes with Apache:

    # htpasswd -c /etc/httpd/conf/passwd user1
    New password:
    Re-type new password:
    Adding password for user user1


Create the .htaccess file in /var/www/html/public/restricted, from where the Apache server will read the configuration about the password file and users in order to allow them access to the restricted area:

    .htaccess
    ---------------------------------------------
    AuthType Basic
    AuthName "Restricted Files"
    # Optional line:
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/passwd
    Require user user1
    ---------------------------------------------

AuthType specifies the type of authentication; Basic sends the credentials unencrypted. AuthName specifies the realm, which is used as a temporary session identifier. AuthUserFile specifies the path of the password file, and Require user specifies the user to whom access must be granted. Sometimes access needs to be granted to more than one user. This can be achieved by using Require valid-user, which will allow access to the restricted area to anyone listed in the password file. Please see the References section for more advanced techniques regarding configuring authentication/authorization, using groups, and databases.

Now consider restricting access based on hostnames, IP addresses or a characteristic of the request. Please refer to http://httpd.apache.org/docs/2.2/howto/access.html for a list of modules that require installing and loading in this regard. In order to customize access based on hosts/IPs, use the Allow and Deny directives. The Order directive can also be used to specify the order in which the filters are applied. The syntax is:

    Allow from HOST
    Deny from HOST
    Order Allow,Deny
    Order Deny,Allow

Consider the examples given below:

    1. Allow from 192.168.2.100                  [Allow from this host only]
    2. Allow from 192.168.2.0/24                 [Allow from the network 192.168.2 only]
    3. Allow from 192.168.2.100 192.168.2.200    [Allow from these hosts only]
    4. Allow from my.host.com                    [Allow from this hostname only]

Order specifies the order of the filters, which can be:

Deny,Allow: First the Deny and then the Allow directive is evaluated. Access is allowed by default, meaning that any client that matches neither the Deny nor the Allow directive will be allowed to access the server.

Allow,Deny: First the Allow and then the Deny directive is evaluated. Access is denied by default, meaning that any client that matches neither the Allow nor the Deny directive will be denied access to the server.

Consider a real example, a directory /var/www/html/localusers. You want only local users on the 192.168.2 network to have access to /var/www/html/localusers. Use the following configuration:


    <Directory /var/www/html/localusers>
        Order Allow,Deny
        Allow from 192.168.2.0/24
    </Directory>

Consider the following configuration:

    <Directory /var/www/html/localusers>
        Order Allow,Deny
        Allow from 192.168.2.0/24
        Deny from 192.168.2.178
    </Directory>

This will allow access to all hosts in the network 192.168.2.0/24 except 192.168.2.178. All other requests will be denied by default. Changing the order from Allow,Deny to Deny,Allow will also allow the host 192.168.2.178 to access the directory, since the Allow directive is evaluated last and overrides the Deny; and because access is then allowed by default, hosts outside the network are admitted as well.
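As an added example that is not Apache's own code, the following Python re-implementation of the Order/Allow/Deny decision rule lets you try the two localusers configurations above against sample client addresses and see how swapping the Order changes the outcome. It handles the host forms the tutorial uses (single IP addresses, CIDR networks and all); a hostname such as my.host.com would need a DNS lookup and is not supported here.

```python
"""Added example, not part of the toolkit: the decision rule behind the
Order, Allow and Deny directives of Apache 2.2's mod_access, applied to
the /var/www/html/localusers examples.  Illustrative re-implementation,
not Apache's code; hostnames in Allow/Deny are not supported."""
import ipaddress


def parse_access_directives(config_text):
    """Pull Order, Allow from and Deny from out of a <Directory> body.

    Other lines, including the <Directory> and </Directory> tags, are
    ignored.  Returns (order, allow_specs, deny_specs)."""
    order, allow, deny = "Deny,Allow", [], []     # Apache's defaults
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive == "order":
            order = "".join(tokens[1:])            # tolerates "Deny, Allow"
        elif (directive in ("allow", "deny") and len(tokens) > 2
              and tokens[1].lower() == "from"):
            (allow if directive == "allow" else deny).extend(tokens[2:])
    return order, allow, deny


def host_matches(client_ip, host_specs):
    """True if client_ip matches any spec: 'all', an address or a CIDR network."""
    client = ipaddress.ip_address(client_ip)
    for spec in host_specs:
        if spec.lower() == "all":
            return True
        if "/" in spec:
            if client in ipaddress.ip_network(spec, strict=False):
                return True
        elif client == ipaddress.ip_address(spec):
            return True
    return False


def access_decision(config_text, client_ip):
    """Return 'allowed' or 'denied' for client_ip under the given directives."""
    order, allow, deny = parse_access_directives(config_text)
    allowed = host_matches(client_ip, allow)
    denied = host_matches(client_ip, deny)
    first, _, last = order.lower().partition(",")
    if (first, last) == ("allow", "deny"):
        # Allow first, then Deny: a matching Deny wins, and a client that
        # matches neither directive is denied by default.
        return "allowed" if allowed and not denied else "denied"
    if (first, last) == ("deny", "allow"):
        # Deny first, then Allow: a matching Allow wins, and a client that
        # matches neither directive is allowed by default.
        return "allowed" if allowed or not denied else "denied"
    raise ValueError(f"unsupported Order value: {order!r}")


# Constructed configurations matching the two localusers examples above.
LOCALUSERS_ONLY = """\
<Directory /var/www/html/localusers>
    Order Allow,Deny
    Allow from 192.168.2.0/24
</Directory>
"""
LOCALUSERS_EXCEPT_178 = LOCALUSERS_ONLY.replace(
    "Allow from 192.168.2.0/24",
    "Allow from 192.168.2.0/24\n    Deny from 192.168.2.178")
DENY_ALLOW_VARIANT = LOCALUSERS_EXCEPT_178.replace("Order Allow,Deny",
                                                   "Order Deny,Allow")

if __name__ == "__main__":
    for label, cfg in (("Allow,Deny", LOCALUSERS_EXCEPT_178),
                       ("Deny,Allow", DENY_ALLOW_VARIANT)):
        for ip in ("192.168.2.50", "192.168.2.178", "10.0.0.1"):
            print(f"{label:<11} {ip:<14} {access_decision(cfg, ip)}")
```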

4.5 Logging

Apache logs provide comprehensive information and customization for the purposes of security analysis and troubleshooting. Apache logs are located, by default, under the /var/log/httpd directory. There are two basic types of logs:

Error Log: This log provides error information while processing requests, for diagnostic purposes. The location of this log can be controlled by the ErrorLog directive in the main configuration file. Error logs cannot be customized.

Access Log: This log records useful information, such as client IP, date/time, location accessed, client platform information, and so on. An access log can be customized, and its location and content can be controlled by the CustomLog directive.

5. An Example Set-up

Consider a real-world example of configuring a static website. The configuration is given below:

    Routable Server IP    203.215.183.11
    Non-routable IP       192.168.2.178
    Domain name           www.testmachine.org
    Host name             osrc-test
    FQDN                  osrc-test.testmachine.org

The machine's name is osrc-test, but the DNS alias for this configuration is www.testmachine.org.

Steps

Open the Apache configuration file httpd.conf.
Locate DocumentRoot and ensure that it is set to /var/www/html.
Set ServerName to testmachine.org:80.
Put your web-publishing directory directly under /var/www/html. If you have all the data that is to be published under /home/user1/website, type:


    $ mv /home/user1/website/* /var/www/html

Save the Apache configuration file with the new changes, exit, and restart the Apache service.

Ensure that valid DNS entries exist for www.testmachine.org, pointing to the IP of your machine. Test the website by browsing to www.testmachine.org.

6. Reference

    http://httpd.apache.org/docs/2.2/mod/directives.html
    http://httpd.apache.org/docs/2.2/configuring.html
    http://httpd.apache.org/docs/2.2/sections.html
    http://httpd.apache.org/docs/2.2/logs.html
    http://httpd.apache.org/docs/2.2/howto/auth.html
    http://httpd.apache.org/docs/2.2/vhosts/


Mail Server


1. How Electronic Mail Works

Let us begin by explaining the flow of information that typically takes place when two people want to communicate through Electronic Mail (e-mail). Let us suppose that Fraz, on his machine wonderland.com, wants to send mail to Omer, on his machine dobbs.com. Both machines are connected to the Internet. An Internet mail message consists of two parts: mail headers and a mail body, separated by a blank line. The mail headers contain the source and destination of the mail, a user-supplied subject line, the date it was sent, and various other kinds of useful information. The body is the actual content of the message. The following is an example:

    From: "Fraz"
    Message-Id:
    Subject: Have you seen my white rabbit?
    To: [email protected] (Omer)
    Date: Thu, 13 Nov 2002 12:04:05 -0500 (EST)
    Content-Type: text

    I'm most concerned. I fear he may have fallen down a hole.
    ->>fraz>>

The arrangement and meaning of Internet mail headers are defined by an Internet standard, RFC822.

1.1 Mail between full-time Internet machines

To send mail, Fraz will invoke a program called a Mail User Agent (MUA). The MUA is what users think of as 'the mailer'; it helps them compose the message, usually by calling out to a text editor of their choice. When Fraz hits the MUA's 'Send' button, his part in the process is complete. The MUA he uses immediately hands his message over to a program known as a Mail Transport Agent (MTA). Usually this program will be sendmail, although some alternative MTAs are gaining popularity, and may appear in future Linux distributions. The MTA's job is to pass the mail to an MTA on Omer's machine. It determines Omer's machine by analyzing the To header and seeing the dobbs.com on the right-hand side of Omer's address. It uses that address to open an Internet connection to Omer's machine. The mechanics of making that connection are a separate topic. For the purposes of this tutorial, it is enough to know that the connection is a way for Fraz's MTA to send text commands to Omer's machine, and receive replies to those commands. The MTA's commands do not go to a shell. Instead, they go to a service port on Omer's machine. A service port is a sort of rendezvous point, a known place where Internet service programs listen for incoming requests. Service ports are numbered, and Fraz's MTA knows that it needs to talk to port 25 on Omer's machine in order to pass on the mail.


[Diagram: Fraz types a message into the sending MUA, which calls the sending MTA on the sending machine; the sending MTA then talks SMTP across the network to the receiving MTA.]

The end of the SMTP session, after the message text has been sent, looks like this:

    S: .
    R: 250 OK

Usually, an SMTP command is a single text line, and so is its response. The DATA command is an exception; after seeing that, the SMTP listener accepts message lines until it sees a period on a line by itself. (SMTP is defined by the Internet standard RFC821.) Now Omer's MTA has Fraz's message. It will add a header to the message that looks something like this:

    Received: (from [email protected])
        by mail.dobbs.com (8.8.5/8.8.5) id MAA18447
        for [email protected]; Thu, 13 Nov 2002 12:04:05 -0500

This is for tracking purposes in case of mail errors (sometimes a message has to be relayed through more than one machine, and it will have several of these). dobbs.com's MTA will pass the modified message to a Local Delivery Agent (LDA). On Linux systems, the LDA is usually a program called procmail, although others exist. The LDA's job is to append the message to Omer's mailbox. It is separate from the MTA so that both programs can be simpler, and then


the MTA can concentrate on performing Internet-related activities without worrying about local details, such as where the users' mailboxes live. Omer's mailbox will normally be a file called /usr/spool/mail/omer or /var/mail/omer. When he reads his mail, he runs his own MUA to look at, and edit, that file.

2. Notifiers

There is yet another kind of program that is important in the mail chain, although it does not itself read or transmit mail. It is a mail notifier, a program that watches your e-mail Inbox for activity and alerts you to new mail when it arrives. The original notifiers were a pair of UNIX programs called biff(1) and comsat(8). The biff program is a front-end that enables you to turn on the comsat service. When this service is on, the header of new mail will be dumped onto your terminal as it arrives. This facility was designed for people using line-oriented programs on CRTs; it is not really a good idea in today's environment. Most UNIX shells have built-in mail check facilities that allow them to function as notifiers in a rather less intrusive way (by emitting a message just before the prompt when new mail is detected). Enable this facility by setting the environment variables documented on the shell's manual page. Systems supporting X come with one of several little desktop gadgets that check for new mail periodically, and give you both visible and audible indications of new mail. The oldest and most widely used of these is called xbiff; if your Linux has a pre-configured X desktop setup, xbiff is probably on it. See the xbiff(1) manual page for details.

3. Mailbox formats

When incoming mail gets appended to a mailbox, it is up to the MTA to provide some kind of delimiter that indicates where one message stops and the next one begins. Under UNIX, the convention almost all mailers use is that each line beginning with 'From ' (the space is significant) begins a new message. If 'From ' occurs at the beginning of a line in the text, a UNIX MTA will generally prefix it with a greater-than sign, so it looks like '>From '. RFC822 headers follow this 'From ' line (which usually continues with the sender name and receipt date). This convention originated with UNIX Version 7, so this kind of mailbox is referred to as a V7 mailbox; it is also sometimes called the mbox format. It is not, however, quite universal, and tools expecting and generating different formats can confuse each other badly. The four other formats are BABYL, MMDF, MH and qmail maildir. Of these, MMDF is the simplest; it uses a delimiter line consisting of four control-A (ASCII 001) characters followed by CR-LF. MMDF was an early and rather crude Internet mail transport; a descendant is still in use on SCO systems. BABYL is another survivor from an early mail system at MIT. It is still used by Emacs's mail-reader mode. MH and qmail maildir are 'mailbox' formats that actually burst each mailbox into a directory of files, one per message. Running grep on such a 'mailbox' is useless, since all grep will see are the directory bits. Microsoft Outlook Express .mbx mailboxes can be converted to RFC822 format with the mbx2mbox application.
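As an added example that is not part of the toolkit, the following Python reader handles the V7 mailbox format described here and the header/body split described in section 1: it splits on the 'From ' delimiter lines, separates RFC822 headers from the body at the first blank line, folds continuation header lines, and undoes the '>From ' quoting. The mailbox text is constructed for the example, and the addresses in it are placeholders.

```python
"""Added example, not part of the toolkit: a minimal reader for V7 (mbox)
mailboxes.  Each message starts at a line beginning with 'From '; its
RFC822 headers end at the first blank line; body lines that the MTA
quoted as '>From ' get their '>' removed again."""

# Constructed two-message mailbox (placeholder addresses).
MAILBOX = """\
From fraz@wonderland.example Thu Nov 13 12:04:05 2002
From: "Fraz" <fraz@wonderland.example>
Subject: Have you seen my white rabbit?
To: omer@dobbs.example (Omer)
Date: Thu, 13 Nov 2002 12:04:05 -0500 (EST)
Received: (from fraz@localhost) by mail.dobbs.example (8.8.5/8.8.5)
\tid MAA18447 for omer@dobbs.example; Thu, 13 Nov 2002 12:04:05 -0500
Content-Type: text

I'm most concerned. I fear he may have fallen down a hole.
>From what I can tell he went down the rabbit hole after it.
->>fraz>>
From omer@dobbs.example Thu Nov 13 13:10:00 2002
From: omer@dobbs.example (Omer)
Subject: Re: Have you seen my white rabbit?
To: fraz@wonderland.example

Not here. Check the tea party.
"""


def split_mailbox(text):
    """Return a list of {'from_line', 'lines'} dicts, one per message.

    A message starts at every line beginning with 'From ' (the space is
    significant); everything up to the next such line belongs to it."""
    messages, current = [], None
    for line in text.splitlines():
        if line.startswith("From "):
            current = {"from_line": line, "lines": []}
            messages.append(current)
        elif current is not None:
            current["lines"].append(line)
    return messages


def parse_message(msg):
    """Split one raw message into envelope sender, headers and body.

    Headers run up to the first blank line; a line starting with
    whitespace continues the previous header (RFC822 folding).  In the
    body, one '>' is stripped from lines the MTA quoted as '>From '."""
    headers, last, lines, i = {}, None, msg["lines"], 0
    while i < len(lines) and lines[i]:
        if lines[i][0].isspace() and last is not None:
            headers[last] += " " + lines[i].strip()
        else:
            name, _, value = lines[i].partition(":")
            last = name.strip()
            headers[last] = value.strip()
        i += 1
    body = [l[1:] if l.startswith(">From ") else l for l in lines[i + 1:]]
    parts = msg["from_line"].split()
    return {
        "envelope_sender": parts[1] if len(parts) > 1 else "",
        "headers": headers,
        "body": "\n".join(body),
    }


def read_mailbox(text):
    """Parse a whole V7 mailbox into a list of message dicts."""
    return [parse_message(m) for m in split_mailbox(text)]


if __name__ == "__main__":
    for m in read_mailbox(MAILBOX):
        print(m["envelope_sender"], "|", m["headers"].get("Subject"))
```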

4. Choosing a Mail Transport Agent (MTA)

Mail Transport Agents (MTAs) are the software that transfers mail from your local system to remote systems. It is very seldom necessary to replace your MTA on modern Linux. Nevertheless, the following comparison survey will help you to understand what the benefits are if you decide you need more security or performance than your system's default can offer. (There are other UNIX MTAs besides these, but you are quite unlikely to encounter them on a Linux box.) Each has its own unique features, but the best compromise is qmail. It features high security (even if vmail is more secure), high speed (even if smail is faster for local use) and ease of configuration. Feel free to choose any mail software. The information provided here is intended to help you make an informed decision. Sendmail is suitable for many sites with complicated options, but its configuration is too hard for beginners. It is not very secure or very fast, so the following section regarding sendmail is really outdated. If you know what you are doing, choose sendmail; otherwise qmail is generally recommended.

4.1 Sendmail

BSD sendmail is the oldest of the Internet MTAs. It has outlasted a few would-be successors. Most Linux distributions now use it and have it pre-installed. Sendmail has a long-standing reputation for being an administrator's nightmare: hard to understand, tricky to configure, rife with security holes. As Internet technology and standards have stabilized, however, many of sendmail's options and configurable rules that gave rise to this reputation have ceased to require per-site tweaking (the demise of non-TCP/IP network layers like UUCP has helped a lot). Also, recent sendmail versions have an improved configuration system. Most importantly, sendmail now normally comes pre-configured, and you should never need to touch it unless you have unusual requirements (such as needing to route mail over a non-TCP/IP network). Visit sendmail's official website at http://www.sendmail.org/. It includes references to extensive documentation regarding sendmail, should you actually need to custom-configure it.

4.2 smail v3.2

smail was the first serious attempt to replace sendmail. It has a simpler and much more comprehensible configuration system than sendmail's, and is fairly secure. Some Linux distributions pre-install smail rather than sendmail. At one time, smail's excellent support for mixed TCP/IP and UUCP sites was its major selling-point, but as UUCP has declined, so has smail. It is also less efficient than sendmail on high-volume connections. As with sendmail, it is unlikely that you will need to tweak a pre-installed smail configuration.

4.3 qmail

qmail is a secure, reliable and robust MTA. It is a popular choice as a replacement for sendmail. While sendmail is older than qmail, security was not considered a major issue during its design and development. Although its code has been repeatedly modified to make it more secure, the whole design architecture of sendmail would have to be replaced with a new one. qmail, on the other hand, was designed with high security as a goal. qmail is much more robust in terms of performance, and delivers mail reliably because of its internal architecture. This is possible because of its clean and simple modular approach.

5. Local Delivery Agents (LDAs)

Unlike most operating systems, Linux did not have "built-in mail": one needed a program to deliver the local mail, like "lmail", "procmail" or "deliver". Every recent distribution, however, now includes a local mailer (sendmail).

6. User Agent Administration

6.1 Mutt

You should have no problem compiling, installing or running Mutt. Users of qmail can either get the patch, or run it with the -f flag to read their local mail folder. If mutt reports an "unknown terminal" error after a distribution upgrade, recompile it.

6.2 Elm

Elm compiles, installs and runs flawlessly under Linux. For more information, see its sources and installation instructions. Elm and its filter need to be in mode 2755 (group mail) with /var/spool/mail mode 775 and group mail. qmail users can get a patch to use interesting qmail features, or run Elm with the -f flag to point to their local mail folder. If you have Elm compiled to be MIME-able, you need Metamail installed and in the standard path, or Elm will not be able to read the MIME mail that you have received. Metamail is available at thumper.bellcore.com and via "archie". If you use a binary distribution, you'll need to create a "/usr/local/lib/elm/elm.rc" file to override the compiled-in hostname and domain information; replace "subdomain.domain" with your domain name and "myhostname" with your un-domainized hostname:

#---------- /usr/local/lib/elm/elm.rc -----------------
#
# this is the unqualified hostname
hostname = myhostname
#
# this is the local domain
hostdomain = subdomain.domain
#
# this is the fully qualified hostname
hostfullname = myhostname.subdomain.domain
#
#-------------------------------------------------------

A distribution of Elm-2.4.24 is available that is "PGP-aware". In order to try it, obtain the file ftp://ftp.viewlogic.com/pub/elm-2.4pl24pgp3.tar.gz, which is elm2.4.24 with PGP hooks added. Configure and build it in the same way as normal Elm, adding the patches mentioned above. More recent versions include elm-ME+.

While this item is not Linux-specific, it is nevertheless wrongly perceived to be a nagging Elm bug. Elm sometimes fails with a message that it is unable to malloc() massive numbers of bytes. The identified workaround is to remove the post-processed global mail aliases (aliases.dir and aliases.pag). This is not a bug in Elm; it is a configuration error. Elm has an enhanced and non-compatible format for aliases; ensure that the path Elm uses for aliases is different from the path that sendmail/smail uses. From the volume of reports regarding this problem, it is apparent that at least one major distribution has been misconfigured in the past. {From Scot at catzen.gun.de (Scot W. Stevenson)}

The current metamail package requires csh for some of its scripts. Failure to install csh (or tcsh) will cause errors.

6.3 Mailx

If you do not have a local mailx program, obtain a mailx kit from Slackware 2.1.0 or later, which contains an implementation of mailx 5.5. If you build from sources, mailx v5.5 compiles without patching under Linux if you have "pmake" installed. Remove the old "edmail" from SLS 1.00 and replace it with mailx.

7. Sendmail - Step-by-step Configuration

As we are configuring a mail server that can send and receive mail for any domain, we shall be using SMTP and POP3. We are using sendmail as the MTA and qpopper as the POP3 server.

7.1. MTA (sendmail)

Begin by editing sendmail's configuration file, sendmail.cf, which can be found in the directory /etc. Move to that directory and open the file:

cd /etc
vi sendmail.cf

The file will contain lines similar to the following:

# override file safeties - setting this option compromises system security
# need to set this now for the sake of class files
#O DontBlameSendmail=safe

##################
# local info
##################

Cwlocalhost
# file containing names of hosts for which we receive email
Fw/etc/sendmail.cw

Look for the line Cwlocalhost. At the end of this line, append the domain name for which you want to receive mail. Before any changes, the line will look like the following:

Cwlocalhost

In order to receive mail for the domain test.edu.pk, append the domain name to this line, so that it looks like this:

Cwlocalhost test.edu.pk

In order to receive mail for other domains as well, like testing.com and flipflop.org, append these domain names after the previous one, separating each domain name with a space. The line will look like:

Cwlocalhost test.edu.pk testing.com flipflop.org

Add as many domain names as necessary. Save the file and exit.

Go to the directory /etc/mail/. Create a file named relay-domains and configure the already existing file access.

relay-domains: This file lists the hosts and domains for which relaying is allowed. Open it with the command:

pico relay-domains

Write the following lines in the file (one ALLOW entry per line), then save and exit:

ALLOW 210.56.18.203
ALLOW 192.168.1
ALLOW test.edu.pk
ALLOW .test.edu.pk

Note: 210.56.18.203 is the real IP that has been assigned to the author's machine for the domain name test.edu.pk. This will be different in each machine's case. 192.168.1 is the local network of the author's machine. test.edu.pk is the domain name.

access: Open the file named access in the same directory, i.e. /etc/mail, and write the following lines in it (one entry per line, with the key and RELAY separated by whitespace):

ops-isb.test.edu.pk RELAY
210.56.18           RELAY
192.168.1           RELAY

Note: ops-isb is the machine or hostname on which the domain exists.

Open Source Software Training Toolkit

25

7.2. POP3

To configure the POP3 server, download qpopper from:

ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.1.tar.gz

Download it into the directory /usr/. Untar the qpopper3.1.tar.gz file with the command:

tar zvxf qpopper3.1.tar.gz

This will create the directory /usr/qpopper3.1. Move into the directory:

cd /usr/qpopper3.1

Type the following commands in sequence:

./configure
make
./configure --enable-specialauth
make

Go to the directory /etc/xinetd/. Create a file called pop3:

pico pop3

Type the following in it:

service pop3
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/qpopper3.1/popper/popper
    server_args = -s
    port        = 110
}

Save the file and exit.

7.3. Starting and Testing the Mail Server

Run the following commands to start the services:

/etc/rc.d/init.d/sendmail start
/etc/rc.d/init.d/xinetd restart

Telnet to localhost to check whether the pop3 service is working properly or not:

telnet localhost 110

You will see a response which confirms that qpopper is functioning. You can now create users on Linux and assign them their e-mail addresses. If you have a user called bakar, for example, then his e-mail address will be [email protected] (test.edu.pk is the domain name).

8. Qmail - Step-by-step Configuration

qmail can be installed in a variety of ways. There are different How-Tos on the Internet that briefly explain how to install and configure qmail. This guide is based on one of them, qmailrocks, which describes qmail's setup step-by-step, in addition to installing qmail add-ons. These additional packages include ezmlm, Autoresponder, Vpopmail, Vqadmin, maildrop, QmailAdmin, Courier-imap/imaps, SquirrelMail, Clam AV and SpamAssassin. A brief introduction to all these packages is given below:

ezmlm: ezmlm is a mailing list manager for qmail. It allows users to set up their own mailing lists easily. Visit http://cr.yp.to/ezmlm.html

Autoresponder: A useful utility which automatically responds to e-mails.

Vpopmail: Vpopmail is a useful program that facilitates the creation and management of multiple virtual domains on a qmail server.

Vqadmin: Vqadmin is a web-based interface to manage Vpopmail at the root level.

Maildrop: Maildrop provides a mail-filtering service that can be used to filter incoming messages on the server.

qmailAdmin: qmailAdmin is a useful tool that allows users to administer their own domains, but cannot create new domains (Vqadmin can be used for this purpose).

Courier-imap, Courier-authlib, Courierpassd: Courier-imap is an IMAP server that allows IMAP connections to the server, and is required to install SquirrelMail. Courier-authlib provides authentication for courier-imap. Courierpassd allows users to change their password using SquirrelMail.

SquirrelMail: SquirrelMail is a web client for qmail with IMAP, which provides a web-based client interface on the server.

Clam AV and SpamAssassin: An antivirus scanner and a spam control program, respectively, that can be integrated with qmail.

8.1. Pre-requisites/Pre-installation steps

8.1.1. Required software/packages

1. Apache, either 1.x or 2.x, should be installed.
2. PHP, version 4.0.6 or higher, with IMAP and MySQL support. MySQL support may or may not be required, depending on the number of domains being hosted.
3. Perl, version 5.x. The following Perl modules should be installed:
   1. Digest::SHA1
   2. Digest::HMAC
   3. Net::DNS
   4. Time::HiRes
   5. HTML::Tagset
   6. HTML::Parser
4. GCC
5. MySQL, version 3.x or higher, is only required if it is integrated with vpopmail.
6. OpenSSL, version 0.9.5a or higher
7. OpenSSL-devel
8. patch and patchutils

To check whether Apache is installed on your machine, run:

# rpm -qa | grep httpd

Note: For Fedora Core 3 users, disable SELinux before proceeding any further.

8.1.2. Software/packages that should not be installed

1. Postfix
2. Any POP service
3. Any SMTP service. Leave Sendmail installed for the moment; it will be uninstalled later on in the tutorial.

Make sure that the following ports are not blocked in the firewall:

Outbound Ports (TCP)
25 - SMTP
110 - POP services
143 - IMAP
783 - SpamAssassin
993 - IMAPS

Inbound Ports (TCP)
25 - SMTP
80 - HTTP
110 - POP services
143 - IMAP
443 - HTTPS
783 - SpamAssassin
993 - IMAPS

8.2 qmail Installation and Configuration

8.2.1. Download qmail

qmailrocks comes with a complete package to install and set up qmail. It also includes automated scripts to perform some tasks, e.g. creating users and directories. Follow the exact steps, e.g. directory names and paths, because the scripts bundled with qmailrocks have all the paths hard-coded. All the installation must be done as the root user, unless otherwise stated.

# mkdir /downloads
# cd /downloads

Download the qmailrocks package into this directory:

# wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz

The above-mentioned package contains everything required for this tutorial. In order to download individual packages, visit http://downloads.qmailrocks.org/. An alternative mirror can be selected at http://www.qmailrocks.org/mirror_list.htm. Unpack the package in the /downloads directory:

# tar zxvf qmailrocks.tar.gz

8.2.2. Installing qmail

This step will demonstrate qmail installation along with ucspi-tcp and daemontools, which form the core components of a qmail server. You will also need to create some directories and users and set permissions. qmailrocks has combined all these steps in a single script, available at /downloads/qmailrocks/scripts/install/qmr_install_linux-s1.script. Run this script in /downloads:

# /downloads/qmailrocks/scripts/install/qmr_install_linux-s1.script

You should see "All steps completed!" at the end.

Apply patches to qmail in order to enhance its functionality. qmailrocks comes with another script to apply them. Details regarding these patches can be found on the qmailrocks website. Run the following script in /downloads:

# /downloads/qmailrocks/scripts/util/qmail_big_patches.script

You should see "All done!" at the end.

Install qmail, ucspi-tcp and daemontools. Run the following steps in /downloads:

# cd /usr/src/qmail/qmail-1.03
# make man
# make setup check
# ./config

The config script will try to perform a reverse DNS lookup for all local IP addresses. If the DNS server on your network is working correctly, this should run smoothly. If the DNS server is not configured or set up, use config-fast instead:

# ./config-fast your_fqdn_hostname

[your_fqdn_hostname is your full host name, e.g. ./config-fast mail.osrc.org.pk, where mail is the hostname and osrc.org.pk is the domain name]

qmail is now installed. Generate a certificate to communicate over TLS with the server. Run the following command:

# make cert

This will ask some questions; you can fill in any value. The following is a sample:

Country Name (2 letter code) [GB]:PK
State or Province Name (full name) [Berkshire]:Capital
Locality Name (eg, city) [Newbury]:Islamabad
Organization Name (eg, company) [My Company Ltd]:osrc.org.pk
Organizational Unit Name (eg, section) []:mail
Common Name (eg, your name or your server's hostname) []:mail.osrc.org.pk
Email Address []:[email protected]

This will install the certificate at /var/qmail/control/servercert.pem along with a symbolic link to that certificate at /var/qmail/control/clientcert.pem.

Set the right ownership for the certificate:

# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem \
    /var/qmail/control/servercert.pem

Compile and set up ucspi-tcp:

# cd /usr/src/qmail/ucspi-tcp-0.88/
# patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
# make
# make setup check

Install the daemontools:

# cd /package/admin/daemontools-0.76/src
# patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
# cd /package/admin/daemontools-0.76
# package/install

You should be able to see svscanboot running at this moment. Run the following command to confirm it:

# ps -aux | grep svscanboot

qmail is now installed. Now install some useful qmail add-ons.

8.3. qmail additional tools and utilities

8.3.1. ezmlm

# cd /downloads/qmailrocks/
# tar zxvf ezmlm-0.53-idx-0.41.tar.gz
# cd ezmlm-0.53-idx-0.41
# make
# make setup

8.3.2. Autoresponder

# cd /downloads/qmailrocks
# tar zxvf autorespond-2.0.5.tar.gz
# cd autorespond-2.0.5
# make
# make install

8.3.3. Vpopmail

Vpopmail can be installed with or without MySQL support. This guide will demonstrate setting up Vpopmail without MySQL support, since MySQL integration complicates matters and is required only when hosting a large number of domains.

# cd /downloads/qmailrocks
# tar zxvf vpopmail-5.4.9.tar.gz
# cd vpopmail-5.4.9
# ./configure --enable-logging=p
# make
# make install-strip

Vpopmail is now installed.

8.3.4. Vqadmin

# cd /downloads/qmailrocks
# tar zxvf vqadmin-2.3.6.tar.gz
# cd vqadmin-2.3.6

We need to know the location of the cgi-bin and web server publishing directory. On most systems, it is /var/www/cgi-bin and /var/www/html.

# ./configure --enable-cgibindir=/var/www/cgi-bin \
    --enable-htmldir=/var/www/html/
# make
# make install-strip

This should install Vqadmin in /var/www/cgi-bin. In order to configure Apache, i.e. httpd.conf, add the following configuration lines for the vqadmin directory:

<Directory "/var/www/cgi-bin/vqadmin">
    deny from all
    Options ExecCGI
    AllowOverride AuthConfig
    Order deny,allow
</Directory>

# cd /var/www/cgi-bin/vqadmin
# chown apache .htaccess
# chmod 644 .htaccess

Configure the vqadmin directory to restrict access to the Vqadmin interface to authorized users only. Edit the .htaccess file:

AuthType Basic
AuthUserFile /path/to/where/you/want/to/store/the/password/file/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any

The recommended path to store vqadmin.passwd is /etc/httpd/conf/passwds; storing it at any other location does not make any difference. Create the /etc/httpd/conf/passwds directory. The AuthUserFile line should now read:

AuthUserFile /etc/httpd/conf/passwds/vqadmin.passwd

Create the vqadmin.passwd file. [Make sure that the password file name is the same as has been specified in the .htaccess file.]

# htpasswd -bc /etc/httpd/conf/passwds/vqadmin.passwd admin \
    YOUR_PASSWORD_HERE
# chmod 644 /etc/httpd/conf/passwds/vqadmin.passwd

Browse to http://www.yourdomain.com/cgi-bin/vqadmin/vqadmin.cgi to check the configuration. If all goes well, you should be prompted for a login and password; enter the credentials created earlier. You will see the Vqadmin configuration page. Create a test domain. This will prompt you for a new domain name and a postmaster password. The postmaster user will be used later in Qmailadmin.

8.3.5. Maildrop

# cd /downloads/qmailrocks
# tar zxvf maildrop-1.6.3.tar.gz
# cd maildrop-1.6.3
# ./configure --prefix=/usr/local --exec-prefix=/usr/local \
    --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw \
    --enable-maildirquota
# make
# make install-strip
# make install-man

Maildrop should be installed now.

8.3.6. Qmailadmin

# cd /downloads/qmailrocks
# tar zxvf qmailadmin-1.2.3.tar.gz
# cd qmailadmin-1.2.3

# ./configure --enable-cgibindir=/path/to/your/cgi-bin \
    --enable-htmldir=/path/to/your/html/directory

The path to your cgi-bin is /var/www/cgi-bin, and the path to your HTML directory is /var/www/html.

# make
# make install-strip

Browse to http://www.yourdomain.com/cgi-bin/qmailadmin and enter the domain and the password created earlier using Vqadmin.

8.4. qmail Configuration

Create system scripts for qmail. qmailrocks has already automated the process of creating the scripts and setting up the permissions in a script. Run it:

# /downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script

If the instructions have been followed until now, the script should not return any error. Edit /var/qmail/supervise/qmail-pop3d/run and /var/qmail/supervise/qmail-smtpd/run. Find mail.example.com and replace it with your server's hostname, e.g. mail.osrc.org.pk.

Stop any qmail processes, allow relaying from the local host only (the 127. rule), and rebuild the tcp.smtp database:

# qmailctl stop
# echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
# qmailctl cdb

Create common system aliases to redirect bounced mail to a specific address:

# echo [email protected] > /var/qmail/alias/.qmail-root
# echo [email protected] > /var/qmail/alias/.qmail-postmaster
# echo [email protected] > /var/qmail/alias/.qmail-mailer-daemon

Any address can be used instead of [email protected].

# ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
# chmod 644 /var/qmail/alias/.qmail*

Before using qmail, uninstall sendmail. On Red Hat systems, sendmail is usually installed as an rpm:

# rpm -qa | grep sendmail

This will indicate whether any sendmail packages have been installed. Uninstall them using the following commands, but first stop any sendmail processes that might be running:

# /etc/rc.d/init.d/sendmail stop
# rpm -e --nodeps SENDMAIL_PACKAGE

Create a dummy sendmail symbolic link:

# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

qmail is configured and is now ready for use. qmailrocks provides a script that can be used to test the installation and configuration performed until now:

# /downloads/qmailrocks/scripts/util/qmr_inst_check

"Congratulations" indicates that the procedure has been successful so far.

8.5. Testing qmail Installation and Configuration

The following methods are used to test qmail's installation and configuration:

# qmailctl stop
# qmailctl start

The qmail status can be checked by running:

# qmailctl stat

You should see the following:

/service/qmail-send: up (pid 19868) 3 seconds
/service/qmail-send/log: up (pid 19873) 3 seconds
/service/qmail-smtpd: up (pid 19876) 3 seconds
/service/qmail-smtpd/log: up (pid 19878) 3 seconds
/service/qmail-pop3d: up (pid 19881) 3 seconds
/service/qmail-pop3d/log: up (pid 19882) 3 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

Test the POP service:

# telnet localhost 110

You should see the following (the "user", "pass" and "quit" lines are the input you type; the "+OK" lines are the server's responses):

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK
user [email protected]
+OK
pass 123
+OK
quit
+OK
Connection closed by foreign host.

The above output shows that the POP service is running successfully. Send a mail to [email protected]. Ensure that DNS is properly configured; otherwise you will receive a delivery failure message. Connect again to port 110 using the same credentials entered above:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK
user [email protected]
+OK
pass 123
+OK
list
+OK
1 859
.
quit
+OK
Connection closed by foreign host.

The "user", "pass", "list" and "quit" lines are the input to be entered. The number displayed after entering the list command indicates the number of messages in the user's mailbox. Test the SMTP service:

# telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.osrc.org.pk ESMTP
ehlo localhost
250-mai
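The qmailctl stat output shown at the start of section 8.5 is what an operator compares against by eye; the following added example (not part of the original toolkit or of qmailrocks) turns that comparison into a check that can run from cron or a monitoring hook. The service names come from section 8.5; the "down ..., normally up" line form is daemontools' svstat wording, and both sample outputs are constructed.

```python
"""Health check for `qmailctl stat` output (added example, not from the page).

Parses the svstat-style lines qmailctl prints and reports anything that
differs from the healthy state shown in section 8.5: a service that is
down or missing, a process stuck near zero uptime (supervise restarts a
failing run script every second) or a queue that keeps growing.
"""
import re
from typing import Dict, List

# "/service/qmail-send: up (pid 19868) 3 seconds"
# "/service/qmail-smtpd: down 42 seconds, normally up"   (svstat wording)
STAT_RE = re.compile(
    r"^(?P<name>/service/\S+): (?P<state>up|down)"
    r"(?: \(pid (?P<pid>\d+)\))? (?P<secs>\d+) seconds"
)
QUEUE_RE = re.compile(
    r"^messages in queue(?P<unpre> but not yet preprocessed)?: (?P<n>\d+)$"
)

# Services listed in section 8.5 that a working qmailrocks install runs.
EXPECTED_SERVICES = (
    "/service/qmail-send", "/service/qmail-send/log",
    "/service/qmail-smtpd", "/service/qmail-smtpd/log",
    "/service/qmail-pop3d", "/service/qmail-pop3d/log",
)


def parse_stat(output: str) -> Dict:
    """Turn qmailctl stat output into a dict of services and queue counters."""
    result: Dict = {"services": {}, "queue": None, "unpreprocessed": None}
    for line in output.splitlines():
        m = STAT_RE.match(line)
        if m:
            result["services"][m["name"]] = {
                "up": m["state"] == "up",
                "pid": int(m["pid"]) if m["pid"] else None,
                "seconds": int(m["secs"]),
            }
            continue
        m = QUEUE_RE.match(line)
        if m:
            result["unpreprocessed" if m["unpre"] else "queue"] = int(m["n"])
    return result


def health_problems(parsed: Dict, min_uptime: int = 0,
                    max_queue: int = 100) -> List[str]:
    """Return human-readable problems; an empty list means healthy."""
    problems: List[str] = []
    for name in EXPECTED_SERVICES:
        svc = parsed["services"].get(name)
        if svc is None:
            problems.append(f"{name}: not listed (supervise not running?)")
        elif not svc["up"]:
            problems.append(f"{name}: down for {svc['seconds']} seconds")
        elif svc["seconds"] < min_uptime:
            problems.append(f"{name}: up only {svc['seconds']} seconds (restart loop?)")
    for key in ("queue", "unpreprocessed"):
        if parsed[key] is None:
            problems.append(f"{key} counter missing from output")
        elif parsed[key] > max_queue:
            problems.append(f"{key}: {parsed[key]} messages (delivery stalled?)")
    return problems


# Constructed sample 1: the healthy output from section 8.5.
HEALTHY_STAT = """\
/service/qmail-send: up (pid 19868) 3 seconds
/service/qmail-send/log: up (pid 19873) 3 seconds
/service/qmail-smtpd: up (pid 19876) 3 seconds
/service/qmail-smtpd/log: up (pid 19878) 3 seconds
/service/qmail-pop3d: up (pid 19881) 3 seconds
/service/qmail-pop3d/log: up (pid 19882) 3 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
"""

# Constructed sample 2: smtpd down, pop3d log restarting, queue backing up.
BROKEN_STAT = """\
/service/qmail-send: up (pid 19868) 86400 seconds
/service/qmail-send/log: up (pid 19873) 86400 seconds
/service/qmail-smtpd: down 42 seconds, normally up
/service/qmail-smtpd/log: up (pid 19878) 86400 seconds
/service/qmail-pop3d: up (pid 19881) 86400 seconds
/service/qmail-pop3d/log: up (pid 31337) 0 seconds
messages in queue: 250
messages in queue but not yet preprocessed: 0
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_STAT), ("broken", BROKEN_STAT)):
        print(label, health_problems(parse_stat(text), min_uptime=1) or "OK")
```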