Debian Linode Setup

From Pademelon

Ok, so you've just got that shiny new Linode and you've installed Debian Etch. So where do we go from here?


General Setup

Well, let's start by setting up a few basics:

Use the Linode console to access your server via ssh.

Stop and disable sshd

I'm going to stop and disable the ssh service and only use the console for access. If you don't want to, you can skip the following steps:

 /etc/init.d/ssh stop
 touch /etc/ssh/sshd_not_to_be_run

Upgrade the base system

Now let's upgrade the existing system to the latest packages:

 apt-get update
 apt-get dist-upgrade

Setup Static IP address to network interface

I've got two IP addresses and I want to make them both static. If you've only got one you can skip this bit, as the default install uses DHCP to set up your IP address automatically.

For this example I'm going to use the IP addresses 10.10.10.10 and 10.10.10.11; if you have two addresses assigned to you, use those in place of these.

Edit /etc/network/interfaces

 auto eth0
 iface eth0 inet static
 address 10.10.10.10
 netmask 255.255.255.0
 broadcast 10.10.10.255
 gateway 10.10.10.1
 
 auto eth0:1
 iface eth0:1 inet static
 address 10.10.10.11
 netmask 255.255.255.0
 broadcast 10.10.10.255

Then restart networking

 /etc/init.d/networking restart

Set the timezone

Let's set the time zone to our home location:

 ln -sf /usr/share/zoneinfo/Australia/NSW /etc/localtime

Set the hostname

Now set the hostname of the machine. We'll be calling it "server":

 echo server > /etc/hostname
 hostname -F /etc/hostname

Then log out and log back in for the new hostname to take effect.

Setup the server's host name resolution

Edit /etc/hosts

 127.0.0.1       localhost.localdomain   localhost
 10.10.10.10     server.example.com      server

Setup the Server Locale

 aptitude install locales

User Accounts

Users no longer have system accounts on my server; however, if you need to set them up, this is how.

Setup the skeleton directory structure

First let's set up the skeleton directory, so that when we create new users the directories and files in the skeleton directory are copied into the new user's home directory.

 cd /etc/skel
 mkdir public_html
 mkdir public_html/fcgi-bin
 mkdir Maildir
 touch public_html/index.html
 touch public_html/robots.txt

Add User Accounts

Let's create accounts for a couple of the cows, to allow them to host their websites and collect mail.

 adduser girlie
 adduser littleone

Setup the DNS

Install Bind 9

Let's install Bind 9, so we can run our own DNS server.

 aptitude install bind9 dnsutils

Add the main domain to the zone

The domain example.com will be owned by the server, girlie will own example.net and littleone will own example.org.

 zone "example.com" {
       type master;
       file "/etc/bind/db.example.com";
       allow-query { any; };
 };
 zone "example.net" {
       type master;
       file "/etc/bind/db.example.net";
       allow-query { any; };
 };
 zone "example.org" {
       type master;
       file "/etc/bind/db.example.org";
       allow-query { any; };
 };

Setup the zone file for the server

In this example we will use 10.10.10.10 and 10.10.10.11 for our IP addresses; that way, if someone copies this example into a real DNS server, we won't break things. Use the ones assigned to your Linode.

Edit /etc/bind/db.example.com

 $TTL    86400
 $ORIGIN example.com.
 @           IN SOA       ns1.example.com. dns.example.com. (
                                       2007123101
                                       2H
                                       15M
                                       1W
                                       1D )
                          IN NS        ns1.example.com.
                          IN NS        ns2.example.com.
                          IN A         10.10.10.10
                          IN MX 10     server.example.com.
 server.example.com.      IN TXT       "v=spf1 a -all"
 ns1                      IN A         10.10.10.10
 ns2                      IN A         10.10.10.11
 server                   IN A         10.10.10.10
 www                      IN A         10.10.10.10
 mail                     IN CNAME     example.com.
 ftp                      IN CNAME     example.com.
 example.com.             IN TXT       "v=spf1 a mx ~all"

Setup the zone file for any hosted domains

The zone files for hosted domains will all be similar in this case, with only the domain names changing. Girlie's zone file is below. Littleone's will be the same with example.org substituted for example.net.

 $TTL    86400
 $ORIGIN example.net.
 @           IN SOA       ns1.example.com. dns.example.com. (
                                       2007123101
                                       2H
                                       15M
                                       1W
                                       1D )
                          IN NS        ns1.example.com.
                          IN NS        ns2.example.com.
                          IN A         10.10.10.10
                          IN MX 10     server.example.com.
 www                      IN A         10.10.10.10
 mail                     IN CNAME     example.net.
 ftp                      IN CNAME     example.net.

Setup the options to Bind 9

First go to the DNS Manager in the Linode Control Panel and add the domains from our DNS server as slaves (not masters), placing our Linode IP address (10.10.10.10 for this example) in the Masters textbox and setting Domain Transfers to active.

Now we need to allow transfers to the IP addresses of ns1.linode.com and ns2.linode.com (see below) from our server, so the Linode slave DNS servers can be updated with the changes we make to the zone files on our server.

Edit /etc/bind/named.conf.options

 auth-nxdomain no;    # conform to RFC1035
 listen-on-v6 { any; };
 
 // Disable any queries for domains we don't own
 allow-query { localhost; };
 
 // Disable recursive queries except from internal/local sources
 allow-recursion { localhost; };
 
 // Allow zone transfers with Linode Slave DNS Servers (ns1 - ns5.linode.com)
 allow-transfer {
   69.93.127.10;
   65.19.178.10;
   75.127.96.10;
   207.192.70.10;
   109.74.194.10;
 };
 notify yes;

Start bind

 /etc/init.d/bind9 start

Add bind to the nameserver list

To replace the Linode DNS settings with our own DNS server, edit /etc/resolv.conf and replace everything with:

 nameserver 127.0.0.1

Lastly we set up our domains at our domain registrar to query the Linode name servers, instead of our server's DNS server. This gives us all the benefits of running our own DNS server, while providing redundancy through the Linode DNS servers.

Setup Postfix Mail Server

Now what self-respecting cow doesn't have an email address? So we are going to need an email server, and we are going to use Postfix.

 aptitude install postfix postfix-tls

Note: This will automatically remove Exim.

As part of the post-install script, Postfix will probably ask some questions:

  • Type of site? Internet Site
  • Where should mail for root go? girlie
  • Mail name? server.example.com
  • Other destinations to accept mail for? server.example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue? No

You can see where some of your answers ended up in /etc/postfix/main.cf:

 myhostname = server.example.com
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = server.example.com, localhost.example.com, localhost
 relayhost =
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all

Setup Postfix to use Virtual Mailboxes

External References: http://adminspotting.net/articles/messaging/building-a-messaging-server-part-two.html

Create Virtual Mailbox Owner

We are going to create an account which will be used by all virtual users to access email on the server. We will call this account vmail. First we create the group and then the user.

We will assign the user and group IDs of 5000 to keep them away from normal system accounts. Set the shell to /bin/false to prevent logins, and set the home directory to /var/mail/vmail. The home directory will be created for us with the -m option.

 groupadd -g 5000 vmail
 useradd -m -u 5000 -g 5000 -s /bin/false -d /var/mail/vmail vmail

Setup Postfix to use Maildir

We want to use Maildir style mail, so we set that here.

Edit /etc/postfix/main.cf

 # DELIVERY TO MAILBOX
 #
 # The home_mailbox parameter specifies the optional pathname of a
 # mailbox file relative to a user's home directory. The default
 # mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
 # "Maildir/" for qmail-style delivery (the / is required).
 #
 home_mailbox = Maildir/

 # Forward local transport to virtual, otherwise Postfix rejects all mail as
 # "Recipient address rejected: User unknown in local recipient table;"
 local_transport = virtual
 local_recipient_maps = $virtual_mailbox_maps
 
 # Virtual mail users
 virtual_mailbox_base = /var/mail/vmail
 virtual_mailbox_domains = /etc/postfix/virtual/vdomains.txt
 virtual_mailbox_maps = hash:/etc/postfix/virtual/vmailboxes.txt
 virtual_minimum_uid = 1000
 virtual_uid_maps = hash:/etc/postfix/virtual/vuid.txt
 virtual_gid_maps = hash:/etc/postfix/virtual/vgid.txt
 virtual_alias_maps = hash:/etc/postfix/virtual/valiases.txt

List the Virtual Mail Domains

Each file in /etc/postfix/virtual/domains names a virtual domain that the system sends and receives mail for.

To create these files we use the touch command, in the /etc/postfix/virtual/domains directory:

 touch example.net
 touch example.org

Add Users to the Virtual Mail Domains

Once we have created a file for a virtual mail domain, we edit this file to add a list of users that have mail accounts at this domain.

When user names are created, the domain name is included as part of the user name. This allows us to have a user called user1 at both example.net and example.org.

Edit /etc/postfix/virtual/domains/example.net to add users to girlie's domain

 # Maildir mail addresses for example.net
 user1@example.net   example.net/user1/Maildir/
 user2@example.net   example.net/user2/Maildir/
 
 # Uncomment the entry below to implement a catch-all.
 # @example.net      girlie

The user name of the first user is user1@example.net. This user's mail will be located on the system in the directory example.net/user1/Maildir/ relative to virtual_mailbox_base, defined in the virtual mail users setup. So the mail for this user is located in /var/mail/vmail/example.net/user1/Maildir/.

Note: Don't neglect the trailing "/" or the file system layout for virtual accounts will not match the file system layout for local accounts. They must match if you intend to have mail for both virtual users and local system users.

Associate the Virtual Mail Domains with a Local User

Each file located in /etc/postfix/virtual/uids is used to indicate which virtual domains are owned by this local user. Most local users will own only one domain, but this may not always be the case.

Edit /etc/postfix/virtual/uids/girlie

 # Domains owned by local user girlie (uid/gid) 1000:1000
 @example.net 5000

Where:

@example.net = all mail for example.net

5000 = the UserID/GroupID of the local user (vmail) who manages the virtual mail for the virtual mail domains

Add Aliases for the Virtual Mail Domains

Currently we don't have any aliases, but we will create the file anyway.

Edit /etc/postfix/virtual/aliases/example.net

 # Aliases for example.net

Setup Virtual Mail Building Shell Script

Now we put together a mail building script to tie all these virtual files together.

Create /etc/postfix/build-mail.sh

 #!/bin/sh
 
 # Create the list of domains
 ls /etc/postfix/virtual/domains > /etc/postfix/virtual/vdomains.txt
 
 # Create the virtual mailboxes
 cat /etc/postfix/virtual/domains/* > /etc/postfix/virtual/vmailboxes.txt
 postmap /etc/postfix/virtual/vmailboxes.txt
 
 # Create the virtual aliases
 cat /etc/postfix/virtual/aliases/* > /etc/postfix/virtual/valiases.txt
 postmap /etc/postfix/virtual/valiases.txt
 
 # Create the list of domain uids
 cat /etc/postfix/virtual/uids/* > /etc/postfix/virtual/vuid.txt
 postmap /etc/postfix/virtual/vuid.txt
 
 # Create the list of domain gids
 cat /etc/postfix/virtual/uids/* > /etc/postfix/virtual/vgid.txt
 postmap /etc/postfix/virtual/vgid.txt

Make sure only user root can read and run the new script:

 chmod 700 /etc/postfix/build-mail.sh

Then run the script to build our virtual mail system:

 /etc/postfix/build-mail.sh


Setup Dovecot IMAP / POP Server

Now that we have a mail server to accept mail for the cows, we need a way for the cows to get their mail from the mail server, and Dovecot is the answer.

I'm only going to install the POP3 server; if you want IMAP, just use dovecot-imapd instead.

 aptitude install dovecot-pop3d

Initial Configuration

To configure Dovecot edit the file /etc/dovecot/dovecot.conf:

 # Protocols we want to be serving:
 protocols = pop3
 
 # Disable SSL/TLS support.
 ssl_disable = yes
 
 # Disable LOGIN command and all other plaintext authentications unless
 # SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
 # IPv6 ::1 addresses are considered secure, this setting has no effect if
 # you connect from those addresses.
 disable_plaintext_auth = no
   
 ##
 ## Logging
 ##
 
 # Use this logfile instead of syslog(). /dev/stderr can be used if you want to
 # use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
 log_path = /var/log/mail.log
 
 # For informational messages, use this logfile instead of the default
 #info_log_path =
 
 # Prefix for each line written to log file. % codes are in strftime(3)
 # format.
 log_timestamp = "%b %d %H:%M:%S "
 #log_timestamp = "%Y-%m-%d %H:%M:%S "
 
 # Syslog facility to use if you're logging to syslog. Usually if you don't
 # want to use "mail", you'll use local0..local7. Also other standard
 # facilities are supported.
 #syslog_facility = mail
 
 mail_location = maildir:~/Maildir
 
 protocol pop3 {
   pop3_uidl_format = %08Xu%08Xv
 }
 
 auth default {
   mechanisms = plain login
 
   passdb passwd-file {
     args = /etc/postfix/virtual/passwd
   }
 
   userdb static {
     args = uid=5000 gid=5000 home=/var/mail/vmail/%d/%n/
   }
 }

Create the Dovecot Password File

To create passwords for the users of the virtual domains use the command:

 dovecotpw -p MyPassword

Where: MyPassword is the password you want to use.

The returned value is the HMAC-MD5 hash of the word "MyPassword":

 {HMAC-MD5}274629e1d5632d0154a3bbe40c993766e9db0e4111b73d125d16b5b50d61e869

To add virtual mail users to girlie's domain (example.net), edit /etc/postfix/virtual/passwd

 user1@example.net:{HMAC-MD5}274629e1d5632d0154a3bbe40c993766e9db0e4111b73d125d16b5b50d61e869
 user2@example.net:{HMAC-MD5}274629e1d5632d0154a3bbe40c993766e9db0e4111b73d125d16b5b50d61e869

Note: Both user1 and user2 have the same password "MyPassword" in the file above. Don't do this in a real system.
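The Postfix map, the vdomains list and the Dovecot passwd file above all have to agree for delivery and login to land in the same Maildir. The following is an added example, not part of the original page: a small checker for those three files in the formats described above (trailing "/", the domain/user/Maildir/ layout that Dovecot's home=/var/mail/vmail/%d/%n/ expects, users missing on either side, and reused password hashes). The sample file contents are constructed.

```python
# Added example, not from the original page: check that the Postfix virtual
# mailbox map, the vdomains list and the Dovecot passwd-file agree.


def parse_map(text):
    """Parse Postfix 'key  value' map lines, skipping blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed map line: %r" % line)
        entries[parts[0]] = parts[1].strip()
    return entries


def parse_passwd(text):
    """Parse Dovecot passwd-file lines 'user:{SCHEME}hash[:extra fields]'."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, rest = line.partition(":")
            users[user] = rest.split(":", 1)[0]  # keep only the password field
    return users


def check_virtual_mail(vdomains_text, vmailboxes_text, passwd_text):
    """Return a list of problems found; an empty list means the files agree."""
    problems = []
    domains = {d.strip() for d in vdomains_text.splitlines() if d.strip()}
    mailboxes = parse_map(vmailboxes_text)
    passwd = parse_passwd(passwd_text)

    for addr, path in mailboxes.items():
        local, _, domain = addr.rpartition("@")
        if not local or not domain:
            problems.append("%s: not a user@domain address" % addr)
            continue
        if domain not in domains:
            problems.append("%s: domain %s is not in vdomains.txt" % (addr, domain))
        # Without the trailing "/" Postfix delivers to an mbox file, which does
        # not match Dovecot's mail_location = maildir:~/Maildir.
        if not path.endswith("/"):
            problems.append("%s: mailbox path %r lacks a trailing '/'" % (addr, path))
        # Dovecot's userdb static uses home=/var/mail/vmail/%d/%n/, so the Postfix
        # path (relative to virtual_mailbox_base) must be domain/user/Maildir/.
        expected = "%s/%s/Maildir/" % (domain, local)
        if path.rstrip("/") + "/" != expected:
            problems.append("%s: path %r differs from %r" % (addr, path, expected))
        if addr not in passwd:
            problems.append("%s: has a mailbox but no Dovecot passwd entry" % addr)

    for user in passwd:
        if user not in mailboxes:
            problems.append("%s: in the passwd file but has no mailbox" % user)

    # Identical hashes mean identical passwords (the "don't do this in a real
    # system" situation from the note above).
    first_seen = {}
    for user, pw in passwd.items():
        if pw in first_seen:
            problems.append("%s: same password hash as %s" % (user, first_seen[pw]))
        else:
            first_seen[pw] = user
    return problems


# Constructed sample files, each containing one mistake of a different kind.
SAMPLE_VDOMAINS = "example.net\nexample.org\n"
SAMPLE_VMAILBOXES = """\
# Maildir mail addresses for example.net
user1@example.net   example.net/user1/Maildir/
user2@example.net   example.net/user2/Maildir
user3@example.org   example.net/user3/Maildir/
"""
SAMPLE_PASSWD = """\
user1@example.net:{HMAC-MD5}placeholderhash1
user2@example.net:{HMAC-MD5}placeholderhash1
ghost@example.org:{HMAC-MD5}placeholderhash2
"""
```

Calling check_virtual_mail(SAMPLE_VDOMAINS, SAMPLE_VMAILBOXES, SAMPLE_PASSWD) reports five problems for the sample data; feed it the real files with open(...).read() after running build-mail.sh.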

Setup SMTP Auth

Currently the mail server will only send mail from localhost, and as our virtual mail users will never have system accounts on the server, they can't send their mail. To allow the server to send mail for virtual users, and to prevent the server becoming an open relay, we are going to set up SMTP Auth.

SMTP Auth requires a SASL library to operate. Now, we have already installed dovecot, which contains a SASL library, and as Postfix supports Dovecot's SASL library, that's what we are going to use.

Modify the Postfix Configuration

First we need to go back to postfix and do the following:

  • Configure it for SMTP Auth
  • Add some basic SASL security
  • Tell Postfix to use Dovecot's SASL library.

Edit /etc/postfix/main.cf

 # Standard SMTP Auth Options
 smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_unauth_destination
 broken_sasl_auth_clients = yes
 
 # Security Stuff
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 
 # Dovecot's SASL library
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 #smtpd_tls_auth_only = yes

Modify the Dovecot Configuration

Next we need to go back to Dovecot and do the following:

  • Enable the SMTP Auth library.
  • Set the password access method and file to use for virtual users
  • Set the password access method for system users (they want their mail too)
  • Set the vmail user and location of Dovecot's mail queue
  • Set the user to root
  • Create a socket between Dovecot and Postfix

Edit /etc/dovecot/dovecot.conf

 auth default {
   mechanisms = plain login
 
   passdb pam {
     args = dovecot
   }
 
   # passwd-like file with specified location
   passdb passwd-file {
     args = /etc/postfix/virtual/passwd
   }
 
   # /etc/passwd or similar, using getpwnam()
   userdb passwd {
   }
 
   # static settings generated from template
   # http://wiki.dovecot.org/UserDatabase/Static
   userdb static {
     args = uid=5000 gid=5000 home=/var/mail/vmail/%d/%n/
   }
 
   user = root
 
   # It's possible to export the authentication interface to other programs:
   socket listen {
     client listen {
       path = /var/spool/postfix/private/auth
       mode = 0660
       user = postfix
       group = postfix
     }
   }
 }

Setup SPAM Blocking

Setup some optional spam blocking for Postfix. Note that smtpd_recipient_restrictions is defined again here, so replace the version added in the SMTP Auth section rather than leaving two copies in main.cf.

Edit /etc/postfix/main.cf

 ## ------------------------------------------------------------- ##
 # UCE measures
 # See: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
 # http://www.freesoftwaremagazine.com/articles/focus_spam_postfiX
 # and Postfix docs for explanation of configuration options.
 ## ------------------------------------------------------------- ##
 #
 # Uncomment when testing!
 #soft_bounce = yes
 
 # Prevents addr harvesting
 disable_vrfy_command = yes
 
 #
 # Prefix a new rule with 'warn_if_reject' to prevent real rejects.
 #
 
 smtpd_helo_required = yes
 smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access
       hash:/etc/postfix/helo_access,
   # reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit
 
 smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit
 
 smtpd_recipient_restrictions =
   reject_non_fqdn_recipient,
   # reject_unknown_recipient_domain,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   # check_sender_access
     # hash:/etc/postfix/sender_access,
   # check_recipient_access
     # hash:/etc/postfix/recipient_access,
   # check_helo_access
     # hash:/etc/postfix/secondary_mx_access,
   reject_rbl_client zen.spamhaus.org,
   # check_policy_service unix:private/policy
   # check_policy_service inet:127.0.0.1:10023
   permit
 
 smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit

Restart Postfix and Dovecot

Now we are all set; restart Postfix and Dovecot to test out your mail system.

 /etc/init.d/postfix restart
 /etc/init.d/dovecot restart

Setup Web Server

The cows want to run a website, so we're going to need a web server. We'll be installing Apache 2 on our server to do this job.

Install Apache 2

 aptitude install apache2

Now as we want to run websites for two different users and for the server itself, we are going to need virtual hosting.

Set the virtual host directory settings

We are going to set up the server's website as a virtual hosted site, responding to only one of the server's IP addresses.

To do this we need to add the IP address to the ports configuration file.

Edit /etc/apache2/ports.conf

 # Use name-based virtual hosting.
 NameVirtualHost 10.10.10.10:80

We also need to add the IP address to the server's default website configuration file.

Edit /etc/apache2/sites-available/default

 # Default virtual host - replaces main server
 <VirtualHost 10.10.10.10:80>


Note: If you only have one IP address, or you want the web server to respond to all your server's IP addresses, you won't need to make the changes above.

Setup other virtual hosts pointing to the users home directory

Let's setup girlie's site first.

Edit /etc/apache2/sites-available/example.net

 <VirtualHost 10.10.10.10:80>
 ServerName example.net
 ServerAlias www.example.net
 DocumentRoot "/home/girlie/public_html"
 ScriptAlias /cgi-bin/ /home/girlie/cgi-bin/
 </VirtualHost>

Now let's setup littleone's site.

Edit /etc/apache2/sites-available/example.org

 <VirtualHost 10.10.10.10:80>
 ServerName example.org
 ServerAlias www.example.org
 DocumentRoot "/home/littleone/public_html"
 ScriptAlias /cgi-bin/ /home/littleone/cgi-bin/
 </VirtualHost>

Only the default site is enabled by default.

Let's enable girlie's site:

 a2ensite example.net

Now let's enable littleone's site:

 a2ensite example.org

Now let's set up some logging for the server itself and the virtual hosts.

By default the server is set up for logging using the common log format, and logging is enabled on only the default virtual host. If you are only running one website and are not hosting any other users, you're done. Because we are hosting several users and the server itself, we need to enable logging on all virtual hosts. Rather than modify every virtual host, we are going to specify the logging settings in the global server configuration, so we only have to do it once.

Edit /etc/apache2/apache2.conf and find the following section

 #
 # The following directives define some format nicknames for use with
 # a CustomLog directive (see below).
 #
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent

Now copy and paste the following LogFormat line:

 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

and change it to

 LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost

Where:

  • %v - adds the virtual host name to the access log message
  • combinedvhost - creates a new name for this format

Now, to activate this new log format for all hosts (we still need to change the default host), add the following line below the new LogFormat line:

 CustomLog /var/log/apache2/access.log combinedvhost

This tells Apache to log all access to the file /var/log/apache2/access.log using the log format described by the LogFormat string called combinedvhost.

Change the default vhost to use the combinedvhost format

Edit /etc/apache2/sites-available/default and comment out the following lines:

 # ErrorLog /var/log/apache2/error.log
 # LogLevel warn
 # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 # ServerSignature On

This will cause the default vhost to use the server-wide logging configuration in apache2.conf.

When all this is done, reload Apache with:

 /etc/init.d/apache2 force-reload
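With every vhost now writing to the one access.log in the combinedvhost format, the leading %v field is what lets you tell the cows' sites apart when reading the log. The following is an added example, not part of the original page: a parser for that exact field order, with a per-vhost summary that also flags clients piling up 404s on one site and reports lines that are not in the combinedvhost format (for instance from a vhost whose own LogFormat was never commented out). The log lines are constructed.

```python
# Added example, not from the original page: parse Apache access log lines
# written with the combinedvhost LogFormat defined above and summarise them
# per virtual host. The sample lines are constructed.
import re
from collections import defaultdict

# Field order follows: %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combinedvhost line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(lines, not_found_threshold=3):
    """Summarise access lines per virtual host.

    Returns (summary, unparsed). summary[vhost] holds 'requests', 'errors'
    (status >= 400), 'bytes' and 'scanners' (clients whose 404 count on that
    vhost reached the threshold). unparsed collects lines that are not in the
    combinedvhost format, e.g. from a vhost still logging as plain 'combined'.
    """
    summary = {}
    not_found = defaultdict(int)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        s = summary.setdefault(rec["vhost"],
                               {"requests": 0, "errors": 0, "bytes": 0, "scanners": set()})
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] >= 400:
            s["errors"] += 1
        if rec["status"] == 404:
            not_found[(rec["vhost"], rec["client"])] += 1
    for (vhost, client), count in not_found.items():
        if count >= not_found_threshold:
            summary[vhost]["scanners"].add(client)
    return summary, unparsed


# Constructed sample: two hosted sites, one client repeatedly requesting
# missing paths on example.net, and one line still in the plain 'combined' format.
SAMPLE_LOG = """\
example.net 203.0.113.5 - - [31/Dec/2007:10:15:32 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
example.org 203.0.113.6 - - [31/Dec/2007:10:15:40 +1100] "GET / HTTP/1.1" 200 812 "-" "Mozilla/5.0"
example.net 198.51.100.9 - - [31/Dec/2007:10:16:01 +1100] "GET /admin/ HTTP/1.0" 404 291 "-" "curl/7.16"
example.net 198.51.100.9 - - [31/Dec/2007:10:16:02 +1100] "GET /backup/ HTTP/1.0" 404 291 "-" "curl/7.16"
example.net 198.51.100.9 - - [31/Dec/2007:10:16:03 +1100] "GET /old/ HTTP/1.0" 404 291 "-" "curl/7.16"
203.0.113.7 - - [31/Dec/2007:10:17:00 +1100] "GET / HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    per_vhost, unparsed = summarize(SAMPLE_LOG.splitlines())
    for vhost, stats in sorted(per_vhost.items()):
        print(vhost, stats)
    print("unparsed lines:", len(unparsed))
```

Point summarize() at open("/var/log/apache2/access.log") to run it over the real file; any unparsed lines mean some vhost is still using its own log format.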

Setup PHP

Girlie wants to run a CMS that requires PHP. So let's install PHP5 for her. If you want PHP4 just change the 5 to a 4 in the following examples.

There are two ways to install PHP:

  • Installing PHP as an Apache module. This is quick and easy; the downside is that all PHP scripts will run as the web server user, in this case www-data.
  • Installing PHP as a CGI. This is more complicated, especially for virtual domains; the upside is that all PHP scripts will run as the user who owns them.

Side-Note: You need to think carefully here. I originally went the Apache module route, and ran PHP that way for years. Then one day I installed Dokuwiki, which saves its pages to a data directory in the user's home directory, which Apache didn't have access to. PHP as a CGI was the answer, but the change-over process was a real pain (and I'm not going to document it here), so think about what it is you might want to run, and choose wisely.

Installing PHP5 as an Apache Module

I'm also going to install the php5-mysql libraries at the same time to avoid doing it later.

 aptitude install php5 php5-pear php5-mysql

Once PHP 5 is installed you probably won't need to make any changes; I didn't. But if you want to have a look at the configuration file, it's located here: /etc/php5/apache2/php.ini

Installing PHP5 as a CGI

External References: http://jp-larocque.livejournal.com/49475.html

 aptitude install php5-cgi php5-mysql

Install and setup MySQL

Lucky we installed those php5-mysql libraries earlier.

Install MySQL

 aptitude install mysql-server

Now change the MySQL root password (note: this is not the system root, just the MySQL root user):

 /etc/init.d/mysql reset-password

Again, no changes to the configuration file were required, but it's located here: /etc/mysql/my.cnf

Setup user MySQL databases

What we want to do now is allocate one MySQL database for Girlie and one for Littleone. To do this we need to log in to MySQL:

 mysql -u root -p

and create a database for girlie and grant girlie privileges to access her database:

 create database girlie;
 grant all on girlie.* to girlie identified by 'girlies_mysql_password';

Now create a database for littleone and grant littleone privileges to access his database:

 create database littleone;
 grant all on littleone.* to littleone identified by 'littleones_mysql_password';

Now that's done, we can exit MySQL:

 quit

Restart Apache

Now we need to restart Apache to get everything working.

 /etc/init.d/apache2 restart

Setup FTP Server

The cows are going to need an FTP server so they can copy stuff to their accounts. I'll be installing vsftpd for this purpose.

Install vsftpd

 aptitude install vsftpd

General configuration

Edit /etc/vsftpd.conf

 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
 local_umask=022

There will be no anonymous FTP logins; users with local accounts can log in and upload files; all files created by local users will have permissions 755 (7-0, 7-2, 7-2).

Start the FTP Server

 /etc/init.d/vsftpd start

Install WebMail

Now when the cows are at work, their firewall blocks access to their mail from their normal mail client, so we are going to need webmail to allow them to send and receive mail at work. To do this we are going to use SquirrelMail.

SquirrelMail needs an IMAP server, and since we have already installed Dovecot's POP3 server, and Dovecot also provides an IMAP server, this is what we will use.

 aptitude install dovecot-imapd squirrelmail

Add the IMAP Protocol to Dovecot's Configuration

Edit the file: /etc/dovecot/dovecot.conf

 # Protocols we want to be serving:
 protocols = pop3 imap

Now restart Dovecot for the changes to take effect:

 /etc/init.d/dovecot restart

Configure SquirrelMail

 squirrelmail-configure

Just select Q to quit the configure program and Y to save the initial configuration file. Modifications will come later if required.

Setup a Virtual Host for WebMail Access

Now we want to access our webmail system from our main domain, not one of the virtual domains.

This is because we are running PHP as a CGI, which means it will execute the SquirrelMail code as the user that owns the domain that calls the code: www-data for example.com, girlie for example.net and littleone for example.org.

Because the data directory, where the user preferences are stored, is owned by the user root and the group www-data, only example.com (running as www-data) will be able to access and save preferences in this directory.

Enable SquirrelMail in Apache

We need to move the apache.conf file from the SquirrelMail config directory to the Apache conf.d directory. Don't symlink it or it will be readable from the web.

 mv /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf

Configure the Apache Virtual Host

Edit /etc/apache2/conf.d/squirrelmail.conf, disable the alias to prevent access from the cows' domains, and enable access from a virtual host on the server's domain:

 # Alias /squirrelmail /usr/share/squirrelmail
 
 # users will prefer a simple URL like http://webmail.example.com
 <VirtualHost 10.10.10.10:80>
   DocumentRoot /usr/share/squirrelmail
   ServerName webmail.example.com
 </VirtualHost>

Then reload Apache:

 /etc/init.d/apache2 reload

Update the DNS

We now need to add our new virtual host to the DNS so we can access our webmail, now that the alias has been disabled.

Edit /etc/bind/db.example.com

 webmail                   IN A         10.10.10.10

Then reload Bind:

 /etc/init.d/bind9 reload

Once you have done this, you will probably need to wait a few hours for the DNS to propagate before you can access your webmail virtual host.