Debian Mail Server with Exim as MTA

Install LAMP Base System:
                                      # installed: (L)inux
  - apt-get install apache2           # installs   (A)pache
  - apt-get install mysql-server      # installs   (M)ySQL
  - apt-get install php5 phpmyadmin   # installs   (P)HP and mySQL Webtool


  - Installation of the webmin system-administration web application (CGI/Perl with its own web server):
    -> since Etch there is no official webmin Debian package anymore.
       However, webmin can still be downloaded as a .deb package.
       Here is how it is done:
       $ wget http://prdownloads.sourceforge.net/webadmin/webmin_1.420_all.deb   # webmin application
       $ wget http://prdownloads.sourceforge.net/webadmin/usermin_1.350_all.deb  # usermin application
       -> note: make sure nothing is running on port 10000, otherwise stop that service temporarily
       $ dpkg --install webmin_1.420_all.deb  # installs webmin on port 10000 (install the missing packages if a dependency check fails)
       $ dpkg --install usermin_1.350_all.deb # installs usermin on port 20000

    -> Check webmin at this URL:
       https://yourdomain.com:10000
       -> if you get an access-denied error, do this:
    -> vi /etc/webmin/miniserv.conf
       -> delete the row containing: allow=127.0.0.1
       -> here you can also change the port and reactivate the service you previously had running

    -> /etc/init.d/webmin restart # restarts the webmin service

4. Debian as fully functional Mail System

 # install the exim4 MTA:
 $ apt-get install exim4-daemon-heavy

4.1. Enable pop3/pop3s, imap/imaps with dovecot

  You probably want your users to be able to fetch their mail using POP3 or IMAP.
  This is easily done with the dovecot package (new in the Lenny distribution!).
  - Install the packages:
  $ apt-get install dovecot-imapd dovecot-pop3d
  -> this installs all you need for IMAP(S) and POP3(S).
     In previous Debian distributions I installed qpopper for POP3(S) and the crappy uw-imapd for IMAP(S).
     Furthermore, you can use dovecot for exim authentication; more on that later.

  All I had to change from the default configuration was:
  /etc/dovecot/dovecot.conf:
  mail_access_groups = mail
  this enables dovecot to read and write in /var/mail

4.2. Customize the exim4-daemon-heavy Debian package to use DomainKeys

  If you don't know what DomainKeys or DKIM is, skip this chapter.
  Unfortunately the exim4-daemon-heavy package does not yet support DomainKeys or DKIM.
  Here are the steps to set up your system with DomainKeys:
  http://patchlog.com/linux/debian-building-custom-exim-packages/
  http://patchlog.com/linux/exim-domainkeys-on-debian/

  -> the build emits some warnings, but the package seems to be OK.

  Once the package is built, remove the old exim package and install the customized version:
  $ apt-get remove exim4-daemon-heavy
  $ dpkg --install exim4-daemon-custom_4.69-9_amd64.deb

4.3. Enable Anti-Spam measures on the MTA (exim4)

  Add SPF-library:
  $ apt-get install libmail-spf-query-perl

  Add these lines at the top of the config-file /etc/exim4/exim4.conf.template:
    CHECK_RCPT_VERIFY_SENDER = yes
    CHECK_RCPT_REVERSE_DNS = yes          # checks the reverse DNS of incoming mail
    CHECK_RCPT_SPF = yes                  # checks the SPF record of incoming mail
    CHECK_DATA_VERIFY_HEADER_SENDER = yes
    CHECK_RCPT_IP_DNSBLS = bl.spamcop.net : sbl-xbl.spamhaus.org : dnsbl.njabl.org :
    local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
    MAIN_TLS_ENABLE = yes

  This enables various checks in the ACL section of the configuration that verify the origin of the sender.

4.3.1. Deny IP-blacklisted servers:

  I suggest denying blacklisted MTAs outright.
  This blocks a good deal of your spam before SpamAssassin does anything.

  search for the string 'CHECK_RCPT_IP_DNSBLS' in the ACL block, then replace "warn" with "deny":
  ##################
   deny
   message = your ip-address $sender_host_address is blacklisted at $dnslist_domain ($dnslist_value: $dnslist_text)
  ##################
  

4.3.2. Activate the changes using:

    $ dpkg-reconfigure exim4-config  # writes the changes into /var/lib/exim4/config.autogenerated and restarts exim4

  - check the log file for blocked mails and you will see the vast amount it blocks (provided you receive a lot of spam):
    /var/log/exim4/rejectlog
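  To see which blacklist is doing the work, the rejectlog can be tallied per DNSBL. This is an added example, not part of the original guide; the log lines are constructed to match the "message =" template from the deny rule above, with documentation addresses, and the functions read stdin so the real /var/log/exim4/rejectlog can be fed to them instead.

```shell
#!/bin/sh
# Added example (not from the original guide): tally RCPT rejections caused
# by the DNSBL "deny" ACL, per blacklist, from exim4's rejectlog.
# SAMPLE_REJECTLOG is constructed: hostnames and addresses are documentation
# values, the text after the colon follows the ACL "message =" template.

SAMPLE_REJECTLOG='2009-03-01 10:01:12 H=(mx.example.net) [192.0.2.10] F=<a@example.org> rejected RCPT <user@yourdomain.com>: your ip-address 192.0.2.10 is blacklisted at bl.spamcop.net (127.0.0.2: Blocked - see http://www.spamcop.net/bl.shtml?192.0.2.10)
2009-03-01 10:02:40 H=(dsl-7.example.com) [198.51.100.7] F=<b@example.org> rejected RCPT <user@yourdomain.com>: your ip-address 198.51.100.7 is blacklisted at sbl-xbl.spamhaus.org (127.0.0.4: http://www.spamhaus.org/query/bl?ip=198.51.100.7)
2009-03-01 10:03:05 H=(mx2.example.net) [203.0.113.5] F=<c@example.org> rejected RCPT <user@yourdomain.com>: Sender verify failed
2009-03-01 10:05:59 H=(zombie.example.com) [192.0.2.77] F=<d@example.org> rejected RCPT <other@yourdomain.com>: your ip-address 192.0.2.77 is blacklisted at bl.spamcop.net (127.0.0.2: Blocked - see http://www.spamcop.net/bl.shtml?192.0.2.77)'

# Print "<count> <dnsbl-zone>" for every blacklist that caused a rejection,
# busiest zone first. Reads the log from stdin, e.g.:
#   count_dnsbl_rejects < /var/log/exim4/rejectlog
count_dnsbl_rejects() {
    awk '
        / rejected RCPT .* is blacklisted at / {
            # the DNSBL zone is the word that follows "blacklisted at"
            for (i = 2; i <= NF; i++)
                if ($i == "at" && $(i-1) == "blacklisted") { hits[$(i+1)]++; break }
        }
        END { for (zone in hits) print hits[zone], zone }
    ' | sort -rn
}

# Count RCPT rejections that were NOT caused by a DNSBL hit (e.g. sender
# verification failures), to compare against the DNSBL numbers.
count_other_rejects() {
    awk '/ rejected RCPT / && !/ is blacklisted at / { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_REJECTLOG" | count_dnsbl_rejects
printf 'other rejections: %s\n' "$(printf '%s\n' "$SAMPLE_REJECTLOG" | count_other_rejects)"
```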

4.4. Relay mail with SMTP-Authentication

  Authentication should be used if you want to relay mail,
  e.g. so that users can send mail from their PCs through your mail server.
  There are several ways to enable SMTP authentication.
  I have chosen to use the dovecot authentication interface, since I already use dovecot as IMAP and POP3 server.

  $ vi /etc/dovecot/dovecot.conf    # search for "socket listen"
socket listen {
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      path = /var/run/dovecot/auth-client
      group = Debian-exim
      mode = 0660
    }
  }

  Now edit the exim config:
  $ vi /etc/exim4/exim4.conf.template   # go to the auth/30_exim4-config_examples section
dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
# setting server_set_id might break several headers in mails sent by authenticated smtp. So be careful.
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1


  The next step is not necessary, but it helps keep your mail from being marked as spam:
  $ vi /etc/exim4/exim4.conf.template   # search for dnslookup: in the router section
dnslookup:
  ## some other lines
  # remove the "Received"-header when relaying (we use authenticated logins)
  headers_remove = Received

-> so why is this a good idea?
   Answer: You have set up authentication so that your users can use your mail server to send mail from their PCs (or other devices).
           The problem is that PCs mostly have dynamic IP addresses (which actually should be no problem at all).
           But it IS a problem, because most dynamic IP addresses are listed in databases used by SpamAssassin (or other spam filters),
           and many dynamic IP addresses are even blacklisted (for instance at bl.spamcop.net).
           If you have such an IP address in your header, the chances are high that the remote spam software will falsely add spam points to your
           mail, just because it was originally sent from a PC with a dynamic IP address.


4.5. SpamAssassin as Mailbox Safeguard

  Configuring the MTA is not nearly enough to prevent spam. One of the most powerful anti-spam tools is probably SpamAssassin.
  SpamAssassin (SA) is a Perl program which runs a number of checks on each email. Based on these checks, SA rates the mail with spam points.
  Many spam points = bad (i.e. most likely spam)
  Few spam points (or better: negative spam points) = good (i.e. most likely ham).
  By default a message is flagged as spam as soon as it has more than 5 SA spam points.

  Install SpamAssassin:
  $ apt-get install spamassassin

  Install ProcMail:
  $ apt-get install procmail
  -> procmail will deliver the mail to the correct mail- or spamfolder by reading the Spam/Ham-Flag in the mail-header.

  - edit /etc/default/spamassassin
    -> ENABLED=1                     # starts spamd at boot-time

  - edit /etc/exim4/exim4.conf.template:
  procmail:
     driver = localuser
     transport = procmail_pipe
     #require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
     # to activate procmail system-wide (with the default file /etc/procmailrc)
     require_files = ${local_part}:+${home}:+/usr/bin/procmail
     no_verify

  - reconfigure your exim4 with your changes from above:
    $ dpkg-reconfigure exim4-config
    (the changes are written into the file '/var/lib/exim4/config.autogenerated')

  - edit /etc/procmailrc:
#### start procmailrc ###
MAILDIR=/var/mail
LOGFILE=/var/log/procmail/procmail.log
# our only condition:
:0
* ^X-Spam-Status: Yes
$HOME/mail/Spam
#### end procmailrc ###
    
   -> if the mail is marked as spam (by SA-Exim), procmail delivers it to the spamfolder $HOME/mail/Spam


4.5.1. The conventional integration of SpamAssassin

   -> Deprecated, see my previous installation guide for Debian "Etch/Sarge/Woody"

4.5.2. SAExim

   Using SA-Exim is more powerful than running SA after Exim has accepted the mail:
       -> Exim calls SpamAssassin directly while the mail is being received
       -> SA scans the mail and, according to the spam score, Exim can reject or greylist the mail
       -> Exim delivers the (accepted) mail to procmail
       -> procmail decides where to put the mail (inbox or spam folder)

  $ apt-get install sa-exim  # installs the integration package of SpamAssassin to Exim

  - edit /etc/exim4/exim4.conf.template
    # add this line at the top of the file:
    local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

  - edit /etc/exim4/sa-exim.conf 
    # change values to fit your needs
    # example: reject all mails with a spam-score > 14
    SApermreject: 14.0

    # If you want to greylist (tempreject) a mail you can configure sa-exim as follows:
    # note: this is why I prefer SA-Exim to directly executing SA in Exim
    ###################################################################################
    # description: greylist a mail which has a spam-score of 9.0 or higher (between 9.0 and 14.0 if you have the permreject of above)
    # the mail will be temp-rejected for 1800 seconds (most spammers only send the mail once)
    - edit /etc/exim4/sa-exim.conf
    SAtempreject: 9.0
    SAgreylistiswhitestr: GREYLIST_ISWHITE
    SAgreylistraisetempreject: 4.0

    - edit /etc/spamassassin/local.cf
    # add the following 4 lines:
    loadplugin Greylisting /usr/share/perl5/Mail/SpamAssassin/Plugin/Greylisting.pm
    header GREYLIST_ISWHITE eval:greylisting("( 'dir' => '/var/spool/sa-exim/tuplets'; 'method' => 'dir'; 'greylistsecs' => '1800'; 'dontgreylistthreshold' => 11; 'connectiphdr' => 'X-SA-Exim-Connect-IP'; 'envfromhdr' => 'X-SA-Exim-Mail-From'; 'rcpttohdr' => 'X-SA-Exim-Rcpt-To'; 'greylistnullfrom' => 1; 'greylistfourthbyte' => 0 )")
    describe GREYLIST_ISWHITE The incoming server has been freed of graylisting for this recipient and sender
    score GREYLIST_ISWHITE  -1
    ###################################################################################

  - create file /etc/procmailrc

    MAILDIR=/var/mail
    LOGFILE=/var/log/procmail/procmail.log
    :0
    * ^X-Spam-Status: Yes
    $HOME/mail/Spam

  --> this is the procmail configuration, and it does the following:
      1) If the header matches '^X-Spam-Status: Yes', procmail moves the mail to the Spam folder


4.5.3. Configure SpamAssassin

 (applies to both conventional and SA-Exim)

  - create directory for global bayes-database:
    mkdir -p /var/spamassassin

  - edit /etc/spamassassin/local.cf (see perldoc for further info)

    bayes_path /var/spamassassin/bayes
    report_safe 0
    rewrite_subject 0

  - The Bayes component of SpamAssassin is only effective once it has learned from spam and ham (non-spam) mails.
    see
    $ perldoc sa-learn
    -> important to know: sa-learn --spam/ham --mbox /home/user/mail/NewSpam

  - Redefine the score of one of the tests:
    -> check /usr/share/spamassassin/50_scores.cf -> here you see the default scores (this file is regenerated after an update, so it is not wise to edit it)
    -> edit /etc/spamassassin/local.cf            -> override the score in this file (this file persists across updates)
       example: disable the check for dynamic IP addresses (this test is real rubbish, because it gives loads of spam points to a mail sent by
                                                            webmail on a PC with a dynamic IP address, and most PCs have dynamic IP addresses)
       score HELO_DYNAMIC_IPADDR2 0

       example 2: add a new SpamAssassin rule that checks a header (this example gives a failed reverse-DNS lookup 4 spam points):
       header RULE_REVERSE_DNS_FAIL X-Host-Lookup-Failed =~ /failed/
       score  RULE_REVERSE_DNS_FAIL 4

    -> restart spamassassin: /etc/init.d/spamassassin restart 

  - A special SpamAssassin configuration for Horde users:
    Configure SpamAssassin so that it automatically whitelists the email addresses in the personal Horde address book.
    Here SpamAssassin reads the address book directly from the Horde MySQL database.
    -> Of course email addresses can be faked, but spammers normally don't know the email addresses in your address books.
       If you don't protect your domain with an SPF record, you may want to omit your own domain,
       as spammers often try to fake your own email address as the sender.

    for the following configuration you should:
    -> substitute <horde-db> with your Horde database
    -> substitute <password> with your password
    -> substitute yourdomain.com with your own domain

    a) Create the MySQL database-user "spamassassin"
    b) Grant select to spamassassin on table <horde-db>:turba_objects
    c) edit /etc/default/spamassassin. Add the option '--username Debian-exim --nouser-config --sql-config' to the OPTIONS-string.
    d) edit /etc/spamassassin/local.cf. Add the following lines:
       user_scores_dsn                 DBI:mysql:<horde-db>:localhost
       user_scores_sql_username        spamassassin
       user_scores_sql_password        <password>
       user_scores_sql_custom_query    select distinct 'whitelist_from' as preference, object_email as value from turba_objects where object_email not like '%yourdomain.com'
    e) $ /etc/init.d/spamassassin restart


4.5.4. Update SpamAssassin

If need be: update SpamAssassin from the testing (or unstable) distribution
  - Spammers are fast in changing tactics and SpamAssassin needs to adapt.
    It might help to get the latest SpamAssassin version.

    Here is how you can get a specific package from 'testing' or even 'unstable':

  - vi /etc/apt/apt.conf
    APT::Default-Release stable;
    -> this ensures that your main distribution tree stays stable.

  - vi /etc/apt/sources.list
    # add a row containing the testing and unstable distribution :
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ testing main
    deb http://sunsite.cnlab-switch.ch/ftp/mirror/debian/ unstable main

  - update Spamassassin from the testing (or unstable) branch:
    $ apt-get -t testing install spamassassin   # installs spamassassin from testing branch
    $ apt-get -t unstable install spamassassin  # installs spamassassin from unstable branch


4.6. SPF-Settings

  Protect your own domain with SPF-settings (Sender Policy Framework):
  Go to your domain-name services at your DNS-provider.
  Add the following TXT record to your domain-name (yourdomain.com): 
  "v=spf1 +a +mx -all"

  This is the e-mail rule for your domain and it says:
  -> v=spf1: this marks the start of the SPF rule
  -> +a:     If the IP address of the sending MTA is the one of your domain (DNS A record), the mail should be accepted.
  -> +mx:    If the IP address of the sending MTA is one of your defined MX servers (DNS MX record), the mail should be accepted.
  -> -all:   If the IP address of the sending MTA is any other than those listed above, the mail should be rejected.
             With this "-all" you can block unauthorized MTAs sending emails from your domain.
             Of course this only works if the receiving MTA checks your SPF rule. My mailserver does.

  It only costs a few minutes to make an SPF policy for your domain. 
  Doing this does not mean you have to enable the SPF-check on your MTA, but it helps other receiving MTA's (with enabled SPF-check)
  to verify if the sender is authorized to send mail from your domain or not.
  It is in your interest that no spam is sent from your email-addresses.
  For more details see http://www.openspf.org
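  The way a receiving MTA walks this record left to right can be shown with a small evaluator. This is an added example, not part of the original guide or of any SPF library: the A and MX addresses for yourdomain.com are constructed documentation values, no DNS lookups are made, and only the a, mx and all mechanisms with their qualifiers are handled, which is enough to cover the record above and softer variants such as "~all".

```shell
#!/bin/sh
# Added example (not from the original guide): evaluate the SPF record from
# section 4.6 against the address of a connecting MTA.
# Zone data is constructed for the example (documentation addresses):
A_RECORD="192.0.2.10"                 # A record of yourdomain.com
MX_ADDRESSES="192.0.2.10 192.0.2.20"  # A records of the MX hosts
SPF_RECORD="v=spf1 +a +mx -all"       # the record recommended above

# Evaluate one mechanism against one IP. Prints "<verdict> <mechanism>" when
# the mechanism matches, prints nothing otherwise.
spf_mechanism() {
    mech=$1 ip=$2
    qualifier=${mech%%[a-z]*}         # leading +, -, ~ or ? (none means +)
    name=${mech#"$qualifier"}
    case $qualifier in
        -)   verdict=fail ;;
        '~') verdict=softfail ;;
        '?') verdict=neutral ;;
        *)   verdict=pass ;;
    esac
    matched=0
    case $name in
        a)   if [ "$ip" = "$A_RECORD" ]; then matched=1; fi ;;
        mx)  for mx in $MX_ADDRESSES; do
                 if [ "$ip" = "$mx" ]; then matched=1; fi
             done ;;
        all) matched=1 ;;
    esac
    if [ $matched -eq 1 ]; then echo "$verdict $name"; fi
    return 0
}

# Walk the record from left to right; the first matching mechanism decides.
# Usage: spf_check <ip> [record]   (record defaults to SPF_RECORD)
spf_check() {
    ip=$1 record=${2:-$SPF_RECORD}
    for mech in ${record#"v=spf1 "}; do
        result=$(spf_mechanism "$mech" "$ip")
        if [ -n "$result" ]; then echo "$result"; return 0; fi
    done
    echo "neutral (no mechanism matched)"
}

# Stand-alone run: the domain's own host, its second MX, and a stranger.
spf_check 192.0.2.10                        # pass a
spf_check 192.0.2.20                        # pass mx
spf_check 198.51.100.7                      # fail all
spf_check 198.51.100.7 "v=spf1 a mx ~all"   # softfail all
```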

5. Debian as Webserver

5.1. Enabling HTTPS on port 443

  - enable SSL-Modules (you need to create symbolic links):
    $ ln -s /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled
  - Check if the links have been created:
    $ ls -l /etc/apache2/mods-enabled | grep ssl

    The output should look as follows:
    lrwxrwxrwx  1 root root 36 Nov  2 19:18 ssl.conf -> /etc/apache2/mods-available/ssl.conf
    lrwxrwxrwx  1 root root 36 Nov  2 19:18 ssl.load -> /etc/apache2/mods-available/ssl.load

  - configure your apache-daemon to listen on ports 443 and 80 (default HTTPS, HTTP)
    $ vi /etc/apache2/ports.conf
      Listen 80
      Listen 443


  - create the basic setup for your https-server:
    $ vi /etc/apache2/conf.d/apache2-https
    **************************************************
    <VirtualHost *:443>
       ServerName www.yourdomain.com
       DocumentRoot /var/www-ssl

       # SSL-Configuration:
       SSLEngine               on
       SSLCertificateFile      /etc/ssl/certs/yourcert.pem
    </VirtualHost>
    **************************************************


  - configure the default (non-ssl) port, edit the first few lines, so that it looks like this:
    $ vi /etc/apache2/sites-available/default
    **************************************************
    <VirtualHost *:80>
        ServerAdmin administrator@yourdomain.com
        ServerName www.yourdomain.com

        SSLEngine               off

        DocumentRoot /var/www/
       
        ... bla
        ... bla
        ... bla

    **************************************************

  - create the https-directory
    $ mkdir /var/www-ssl

  - put any html-file into the HTTPS-directory, rename it to 'index.html'

  - restart the webserver
    $ apache2 -k restart

  - check your website using the URL:
    https://www.yourdomain.com/
    http://www.yourdomain.com/



6. Installation of the powerful webtool 'Horde'

 
(webmail/sharing-calendar/task-lists/online-bookmarks)

    ********************************************************
    Note:  I had problems with the debian-distribution (woody distribution) of the Horde-Project (Debian-apt-Packages), 
           so I downloaded the CVS-Head of the Horde-Project and installed it directly.
           When I previously installed Horde with the Debian-Packages I had three problems:
           1) It didn't work correctly.
           2) It was a very old distribution of Horde
           3) The configuration was extremely complicated with tons of config-files spread all over the system.
	   The manual installation worked well, and I didn't regret not installing the debian packages.
    ********************************************************

6.1. Prerequisites: Features and Packages

  - install php5-modules:
    apt-get install php5 php5-cli php5-common php-pear php5-imap php5-mysql php5-gd

  - install rsync and cvs:
    $ apt-get install rsync
    $ apt-get install cvs

  - install the Horde-Application from the fresh CVS-Directory.
    Note that your CVS-Repository of the Horde-Project will be much newer than the one in this installation guide.
    It may therefore contain new features and might react differently.

    $ export CVSROOT=:pserver:cvsread@anoncvs.horde.org:/repository
    $ cvs login                           # password = horde
    $ cd /var/www-ssl/
    $ cvs co -r FRAMEWORK_3 horde
    $ cd horde
    $ cvs co -r FRAMEWORK_3 imp           # add mail-program with the same Framework-Tag as the horde-framework above
    $ cvs co -r FRAMEWORK_3 mimp          # mobile imp (imp-addon for mobiles)
    $ cvs co -r FRAMEWORK_3 turba         # add address-book
    $ cvs co -r FRAMEWORK_3 kronolith     # add calendar
    $ cvs co -r FRAMEWORK_3 nag           # add task-manager
    $ cvs co -r FRAMEWORK_3 passwd        # add password-change-tool
    $ cvs co -r FRAMEWORK_3 ingo          # email-filters (forwards/vacations, etc)
    $ cvs co -r FRAMEWORK_3 framework     # framework to generate classes
    $ cvs co trean                        # trean (bookmarks) is still in development at the moment, but it works

    $ chown -R www-data:www-data *        # change the ownership to the web-user

  - upgrade and install the php-modules of PEAR:
    -> note: some packages might require a beta-version download, just append '-beta' to the package name,
             i.e. pear install XML_Util-beta (instead of XML_Util)
    $ pear upgrade-all
    $ pear install DB
    $ pear install MDB2              # used for trean
    $ pear install pear/MDB2#mysql   # used for trean
    $ pear install Mail
    $ pear install Mail_Mime
    $ pear install Date
    $ pear install Auth_SASL
    $ pear install Net_URL
    $ pear install Net_SMTP
    $ pear install Cache
    $ pear install File
    $ pear install Services_Weather
      -> needed for weather forecast. Additionally you need to have an account at https://registration.weather.com/ursa/profile
    $ pear install Net_IMAP
    $ pear install Log
    $ pear install Net_Socket
    $ pear install XML_Util
    $ pear install XML_Parser
    $ pear install XML_Serializer
    $ pear install HTTP_WebDAV_Server
    $ pear install HTTP_Request
      -> this might fail due to old version of Net_Socket (upgrade Net_Socket first)


  - install your preferred languages:
    $ dpkg-reconfigure locales
    $ locale -a                  # check your languages
    -> set your messages to your preferred language:
    $ export LC_MESSAGES=en_US   # add this to .bashrc if it differs from the default locale

  - generate the classes:
    $ cd /var/www-ssl/horde/framework
    $ php5 ./install-packages.php
    $ cd ..; rm -r framework      # once the classes are generated, the framework can be deleted


6.2. Configure Horde

  - make the configuration files out of the dist files:
  $ cd /var/www-ssl/horde
  $ for f in $(find . -name "*.php.dist"); do echo cp -p $f $(basename $f .dist); done
    -> check output and paste it into the shell (for security reasons it is not executed directly)

  - install the basic mysql-horde database:
  $ mysql [--user=root --password=yourpwd] < /var/www-ssl/horde/scripts/sql/create.mysql.sql
    NOTE: the password of the new database-user 'horde' has now been set to 'horde' and should be changed.

  - check the horde-configuration:
    https://yourdomain.com/horde/test.php
    -> most of it should be green. These configurations can be left 'red':
       # LDAP Support: No
       # Mcrypt Support: No
       # MIME Magic Support: No
       # PostgreSQL Support: No
       # memory_limit disabled: No

  - configure the horde framework using the Web-GUI.
    https://yourdomain.com/horde/


  - configure imp (mail-program)
    ----------------------------
    $ cd /var/www-ssl/horde/imp/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

  edit /var/www-ssl/horde/imp/config/servers.php:
  -> delete all servers except for the 'imap'-server:
   $servers['imap'] = array(
       'name' => 'IMAP Server',
       'server' => 'localhost',
       'hordeauth' => true,
       'protocol' => 'imap/ssl/novalidate-cert',
       'port' => 993,
       'namespace' => '',
       'maildomain' => 'yourdomain.com',
       'smtphost' => 'localhost',
       'realm' => '',
       'preferred' => '',
       'dotfiles' => false,
       'hierarchies' => array()
   );

  -> finish the configuration of imp using the Web-GUI.


  - configure turba (addressbook)
    -----------------------------
    $ cd /var/www-ssl/horde/turba/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

    - edit /var/www-ssl/horde/turba/config/sources.php
      -> delete all entries except for 'sql':

    - create the mysql-table for turba:
      $ mysql [--user=root --password=yourpwd] horde < /var/www-ssl/horde/turba/scripts/sql/turba_objects.mysql.sql

  -> finish the configuration of turba using the Web-GUI.


  - configure kronolith (calendar)
    ------------------------------
    $ cd /var/www-ssl/horde/kronolith/config
    $ for f in *dist; do echo cp -p $f $(basename $f .dist); done

    - create the mysql-tables for kronolith:
      $ mysql [--user=root --password=yourpwd] horde < /var/www-ssl/horde/kronolith/scripts/sql/kronolith.mysql.sql

  -> finish the configuration of kronolith using the Web-GUI.


  - configure passwd
    ----------------
    $ apt-get install poppassd   # installs server-side mechanism for changing the password
    $ cd /var/www-ssl/horde/passwd/config
    $ cp -p backends.php.dist backends.php
    $ vi backends.php:
      - delete all but 'poppassd'

   ###########################################
   # note:
   # My poppassd service didn't start, because the deb-package put the startup command in
   # the /etc/inetd.conf superserver file, which my system does not use.
   # If you want to run poppassd on the xinetd superserver, create a poppassd startup file:

   $ vi /etc/xinetd.d/poppassd
   ###########################################
   service poppassd
   {
     disable = no
     socket_type = stream
     wait = no
     user = root
     server = /usr/sbin/poppassd
     only_from = localhost
     log_on_success += USERID
     log_on_failure += USERID
   }
   ###########################################

   check the poppassd service:
   $ /etc/init.d/xinetd restart
   $ nmap localhost | grep pop3pw
   $ telnet localhost 106

  -> finish the horde-configuration of passwd using the Web-GUI.

   -*****************************************************


6.3. Update Horde

  $ mv /var/www-ssl/horde /backup/horde
  $ checkout the new horde projects (as in 11.1)
  $ ./generate_horde_distfiles.bash  # proprietary script of mine
  $ ./copy_hordefiles.bash           # proprietary script of mine


7. Useful Server Configurations

  

7.1. Create a restricted ftp-user without shell-login

    - Add user 'restricteduser' to /etc/passwd (using useradd) and set the shell to '/bin/false':
      restricteduser:x:uid:gid:'Description':/home/restrictedfolder:/bin/false
    - Add the username 'restricteduser' to the file /etc/ftpchroot. This restricts the FTP root directory to the user's home directory.
    - Add '/bin/false' to the file /etc/shells. FTP checks for a valid shell, so we declare /bin/false a valid shell.

    -> The FTP user 'restricteduser' now has access to the folder /home/restrictedfolder (and its subfolders) only, and only through FTP.
       The user does not have a shell login and therefore cannot browse your system.

  

7.2. Create a ssh-connection without using a password

    -> we want to use a public-key authentication, so there is no need for the password anymore.
    - on server: Edit your sshd-config file '/etc/ssh/sshd_config' and make sure these lines are set:
      --------------------------
      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile      %h/.ssh/authorized_keys
      --------------------------

    - on client: generate a public key
      $ ssh-keygen -t rsa     # this will generate the files $HOME/.ssh/id_rsa.pub, $HOME/.ssh/id_rsa

    - on server: 
      paste the generated public key (id_rsa.pub) from the client into the file $HOME/.ssh/authorized_keys (on server)

  

7.3. Restrict the ssh-sessions

    -> to restrict ssh sessions to certain trusted users, just add the following line to '/etc/ssh/sshd_config':
       AllowUsers user1 user2 user3   # only these users are permitted to open an ssh shell, all others are automatically refused.
       DenyUsers  root user4          # This prohibits root and user4 from opening an ssh shell
                                        (only valid if AllowUsers is not set)

    -> edit these files to block ip-addresses/ranges:
       /etc/hosts.allow
       /etc/hosts.deny

       example: only allow subnet 192.168.0.x:
       /etc/hosts.allow
       sshd: 192.168.0.0/255.255.255.0

       /etc/hosts.deny
       sshd: ALL

       note: unlike AllowUsers/DenyUsers in sshd_config, the blocked IP-Addresses need to be set in /etc/hosts.deny, even if /etc/hosts.allow is set.
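  The order in which tcp_wrappers consults the two files explains that note: hosts.allow is checked first, then hosts.deny, and a client matching neither is let in. The following is an added example, not part of the original guide or of tcp_wrappers itself; it reproduces that decision for the sshd rules above with the rule tables embedded as shell strings instead of being read from /etc/hosts.allow and /etc/hosts.deny, and it supports only the ALL, exact-address and net/mask patterns used here.

```shell
#!/bin/sh
# Added example (not from the original guide): reproduce the hosts.allow /
# hosts.deny decision of tcp_wrappers for the sshd rules in section 7.3.
# The tables are embedded here instead of being read from /etc.
HOSTS_ALLOW="sshd: 192.168.0.0/255.255.255.0"
HOSTS_DENY="sshd: ALL"

# Convert a dotted quad to an integer (POSIX sh arithmetic only).
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Does one tcp_wrappers client pattern match the client address?
# Supported patterns: ALL, an exact address, and net/mask in dotted form.
pattern_matches() {
    pattern=$1 client=$2
    case $pattern in
        ALL) return 0 ;;
        */*)
            net=${pattern%/*} mask=${pattern#*/}
            n=$(ip_to_int "$net") m=$(ip_to_int "$mask") c=$(ip_to_int "$client")
            [ $(( c & m )) -eq $(( n & m )) ] ;;
        *)  [ "$pattern" = "$client" ] ;;
    esac
}

# Does any "daemon: pattern ..." line of a table match this daemon and client?
table_matches() {
    table=$1 daemon=$2 client=$3
    while IFS= read -r line; do
        rule_daemon=${line%%:*}
        [ "$rule_daemon" = "$daemon" ] || [ "$rule_daemon" = "ALL" ] || continue
        for pattern in ${line#*:}; do
            if pattern_matches "$pattern" "$client"; then return 0; fi
        done
    done <<EOF
$table
EOF
    return 1
}

# tcp_wrappers order: a match in hosts.allow grants access; otherwise a match
# in hosts.deny refuses it; otherwise access is granted (the built-in default,
# which is why "sshd: ALL" must be in hosts.deny for the allow list to bite).
# Usage: wrappers_decide <daemon> <client-ip> <allow-table> <deny-table>
wrappers_decide() {
    daemon=$1 client=$2 allow_table=$3 deny_table=$4
    if table_matches "$allow_table" "$daemon" "$client"; then echo allow; return 0; fi
    if table_matches "$deny_table" "$daemon" "$client"; then echo deny; return 0; fi
    echo "allow (no rule matched)"
}

# Stand-alone run: a LAN client, an outside client, and the same outside
# client when hosts.deny is left empty.
wrappers_decide sshd 192.168.0.42 "$HOSTS_ALLOW" "$HOSTS_DENY"   # allow
wrappers_decide sshd 10.0.0.5     "$HOSTS_ALLOW" "$HOSTS_DENY"   # deny
wrappers_decide sshd 10.0.0.5     "$HOSTS_ALLOW" ""              # allow (no rule matched)
```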

  

7.4. Change hostname

    -> edit /etc/hostname
    $ /etc/init.d/hostname.sh

  

7.5. Useful packages

    apt-get install acl        # extended file permissions (getfacl/setfacl)
    apt-get install rdate      # synchronize the date with a remote server, i.e. ntp1.ptb.de
    apt-get install host       # DNS lookup tool for hostnames

8. Distribution Upgrade

    The distribution upgrade is the part where you can do the most damage to the system.
    To avoid this risk, I do the distribution upgrade as follows:
    - Wait until there is a virtual root-server available with the new stable Debian-distribution.
      Personal note:
        My current hoster is: www.hosteurope.de.
        I'm quite content with this hoster. What I really like is that you can quit the contract online, 
        which is (for reasons I can't understand) not common in this business.
        That is the main reason why Hosteurope has become my favorite hoster after having tested 3 others.
    - Rent the new server with the new distribution and install all the new software.
    - Once the new server works as it should, synchronize the content from the old server using the rsync command.
    - Update the DNS-entries to point to the new server.

9. Useful debian-commands and files

  - set default editor:
    $ update-alternatives --config editor
  - Network Info:           /etc/inetd.conf
  - services on ports:      /etc/services
  - system wide variables:  /etc/environment
  - nmap localhost              # lists all bound TCP ports
  - nmap -sU localhost          # lists all bound UDP ports
  - netstat -ap                 # lists bound and used ports with their programs and PIDs
  - traceroute                  # traces the network route to a host
  - strace -p <pid>             # monitor what the process is doing
  - ipcalc 192.168.0.1/16       # IP subnet calculator
  - dpkg -l                     # package list (stored in /var/cache/apt/archives)
  - dpkg-reconfigure <pkg-name> # reconfigure a package
  - dpkg -S <file-pattern>      # searches for a file and lists the package from which it was installed
  - dpkg -L <pkg-name>          # lists the files of a package
  - apt-get install/remove      # installs/removes packages
  - apt-cache search <pkg>      # searches for <pkg> in the available packages

Src: http://www.chew.ch/leoluc/software/debian/
