Version 1.0.1
Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net>
Last edited 14/04/2008
Introduction
This tutorial shows how to set up a CentOS 5.x server to offer all the services a virtual web
hoster needs: web hosting, an SMTP server (with SMTP-AUTH and TLS, SPF, DKIM and
DomainKeys), DNS, FTP, MySQL, POP3/IMAP, a firewall and Webalizer for statistics.
OS Installation
Requirements
NOTE: Some stages of the installation are not described here, in the interest of keeping the howto
short; the GRUB configuration stages are left out, for instance.
Boot from the DVD or CD media and at the boot prompt type linux text.
Skip the media test.
Select your language:
Configure your network. I will be using DHCP; if you do not have DHCP you can use static
entries.
Select custom layout for partitioning type:
Create partitions:
Configure networking:
Editors
o vim-enhanced
FTP server
Mail server
o dovecot
o spamassassin
o postfix
Mysql Database
o mysql-server
Web server
o mod_ssl
o webalizer
o php
o php-pear
o http-suexec
o php-mysql
Services To Disable
To enhance security and free system resources, we need to disable every service that is not
required. You can run this script to do this for you; it disables the following services:
acpid
anacron
apmd
autofs
bluetooth
cups
firstboot
gpm
haldaemon
messagebus
mdmonitor
hidd
ip6tables
kudzu
lvm2-monitor
netfs
nfslock
pcscd
portmap
rpcgssd
rpcidmapd
sendmail
smartd
yum-updatesd
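The disabling script referred to above is not on the page; what follows is an added example (not the author's script) that stops each service listed above and removes it from all runlevels with the CentOS 5 service and chkconfig commands. Run it as root with the argument run; with DRY_RUN=1 set it only prints the commands it would execute.

```shell
#!/bin/bash
# Added example: disable the services listed in the howto on a CentOS 5 box.
# Services that have no init script on this machine are skipped silently.
# DRY_RUN=1 prints the commands instead of running them.

SERVICES="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon
messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd
portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Stop one service now and turn it off in every runlevel.
disable_service() {
    local svc="$1"
    # Nothing to do if the package providing the service is not installed.
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -x "/etc/init.d/$svc" ]; then
        return 0
    fi
    run service "$svc" stop
    run chkconfig "$svc" off
}

disable_all() {
    local svc
    for svc in $SERVICES; do
        disable_service "$svc"
    done
}

# Number of services in the list (handy for a sanity check).
count_services() {
    set -- $SERVICES
    echo $#
}

if [ "${1:-}" = "run" ]; then
    disable_all
fi
```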
Basics
Install updates
yum upgrade
yum install gcc cpp gcc-c++ automake automake14 automake15 automake16 automake17 openssl-devel subversion ncurses-devel -y
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1
IPADDR=192.168.1.6
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
wget http://www.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390-1.noarch.rpm
ssl=1
Change the port to 443 and bind to the second NIC only:
port=443
bind=192.168.1.6
#listen=10000
blockhost_failures=3
blockhost_time=120
blockuser_failures=3
blockuser_time=120
realm=cpanel
utmp=1
Install virtualmin:
Remove unwanted modules: go to Webmin → Webmin Configuration → Delete and select the
following:
ADSL client
Bacula backup system
CD Burner
CVS Server
Cluster change passwords
Cluster copy files
Cluster cron jobs
Cluster shell commands
Cluster software packages
Cluster usermin servers
Cluster users and groups
Cluster webmin servers
Command shell
Configuration engine
Custom commands
DHCP server
Fetchmail mail retrieval
File manager
Frox ftp proxy
HTTP Tunnel
Heartbeat monitor
IPsec VPN
Jabber IM server
LDAP server
Logical volume management
Majordomo list manager
NFS exports
NIS client and server
OpenSLP server
PPP dialin server
PPP dialup client
PPTP vpn server
PPTP vpn client
Postgresql database server
Printer admin
ProFTPD server
QMAIL mail server
SMART drive status
SSH / Telnet login
SSL tunnels
SAMBA windows file sharing
Scheduled commands
Sendmail mail server
Shoreline firewall
Squid analysis report generator
Squid proxy server
Voicemail server
WU-FTP server
Idmapd server
Restart webmin:
Disable the repo (so that base packages are not overwritten): edit /etc/yum.repos.d/rpmforge.repo
and set the following option:
enabled = 0
Install clamav:
wget http://www.sanesecurity.co.uk/clamav/update_sanesecurity.txt -O /usr/local/bin/update_sanesecurity.sh
chmod +x /usr/local/bin/update_sanesecurity.sh
ln -s /usr/local/bin/update_sanesecurity.sh /etc/cron.hourly/
/usr/local/bin/update_sanesecurity.sh
yum --enablerepo=rpmforge install php-eaccelerator
Install spamass-milter:
Install fuzzyOCR:
cp -rv {FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/} /etc/mail/spamassassin
chcon -R system_u:object_r:etc_mail_t /etc/mail/spamassassin/{FuzzyOcr.cf,FuzzyOcr.scansets,FuzzyOcr.preps,FuzzyOcr.pm,FuzzyOcr.words,FuzzyOcr/}
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words
Install Razor:
Install roundcube:
Install imapproxy:
wget http://imapproxy.org/downloads/up-imapproxy-1.2.6.tar.gz
rpmbuild -tb up-imapproxy-1.2.6.tar.gz
rpm -Uvh /usr/src/redhat/RPMS/i386/up-imapproxy-1.2.6-1.i386.rpm
Activate services:
Configuration
Postfix Setup
Introduction
Virtual hosting
UCE prevention
Anti virus
SMTP authentication
TLS
RBLs
SPF
Attack mitigation
Accounts and domains will be added through Virtualmin, although this can be done manually as
well. The setup is designed to be resource friendly, so it should run on machines that are not
over-specced, leaving the resources free for better use. To keep it light we do not use an external
database to store virtual user information, as most other how-tos do, and we use milters for spam
and virus checking instead of running amavisd-new.
The Basics
To begin with we configure the basics: the hostname, mail origin, networks, hash maps and spool
directory. All of these options go in /etc/postfix/main.cf unless stated otherwise. Sample
configuration files are available for download at the end of this page.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /var/spool/mail
Maildir
We will use the much improved maildir format as opposed to the default mbox format:
home_mailbox = Maildir/
SASL
SMTP authentication is done with SASL, but not with Cyrus SASL, since that requires running the
saslauthd daemon. We use Dovecot's SASL implementation instead: Dovecot is already running for
IMAP and POP3, so this kills two birds with one stone.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
TLS
TLS is needed so that plain-text passwords are not sent over the wire during SMTP
authentication; servers that support TLS can also talk to this server over an encrypted
connection.
Instructions on creating a server certificate signed by cacert.org can be found here.
tls_random_source = dev:/dev/urandom
Enable server TLS:
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/key.pem
smtpd_tls_cert_file = /etc/pki/postfix/server.pem
smtpd_tls_CAfile = /etc/pki/postfix/root.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/key.pem
smtp_tls_cert_file = /etc/pki/postfix/server.pem
smtp_tls_CAfile = /etc/pki/postfix/root.crt
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
Spam Prevention
smtpd_helo_required = yes
disable_vrfy_command = yes
Change the reject codes to permanent (by default Postfix issues 4xx codes, which mean a
temporary failure; we want 5xx codes, which mean a permanent failure):
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
Mitigate attacks from zombies and broken clients:
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_data_restrictions = reject_unauth_pipelining
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unverified_recipient
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_invalid_hostname
    reject_rbl_client list.dsbl.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client l1.spews.dnsbl.sorbs.net
    reject_rbl_client combined.njabl.org
    reject_rbl_client bl.spamcop.net
    reject_rhsbl_sender dsn.rfc-ignorant.org
    reject_rhsbl_sender bogusmx.rfc-ignorant.org
    reject_rhsbl_sender rhsbl.sorbs.net
    reject_rhsbl_client dsn.rfc-ignorant.org
    reject_rhsbl_client bogusmx.rfc-ignorant.org
    reject_rhsbl_client rhsbl.sorbs.net
    check_policy_service unix:private/spfpolicy
Several of the DNSBLs listed above have since been shut down. A list that no longer answers delays
every delivery until the lookup times out, and a retired list whose domain changes hands may start
returning a positive answer for every query, so confirm each list is still operating before using it.
Spam classification with SpamAssassin and virus scanning with ClamAV use Postfix's milter
interface rather than the resource-intensive amavisd-new daemon. This is very efficient: we do not
even have to run clamd, because the clamav-milter does the scanning itself.
Create DB Files
postmap /etc/postfix/canonical
postmap /etc/postfix/access
postmap /etc/postfix/virtual
postmap /etc/postfix/sender_access
main.cf
master.cf
canonical
virtual
Dovecot Setup
Introduction
This will setup dovecot as our IMAP/POP3 server.
Basic Configuration
We will set up Dovecot for IMAP and POP3 and disable SSL.
protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
Maildir
We will use the maildir format as opposed to the default mbox format.
mail_location = maildir:~/Maildir
Authentication & SASL
Configure Dovecot to offer LOGIN and PLAIN as the authentication mechanisms, since many
MS clients cannot use the encrypted mechanisms. We also set up the SASL socket that lets
Postfix authenticate SMTP connections through Dovecot.
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Client Issues
Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3
implementations, so we accommodate them with these workarounds:
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
The IMAP server is configured to listen on port 10143 so that port 143 can be served by the IMAP
proxy, which improves webmail performance by caching connections to the IMAP server. The
listen option under protocol imap sets this up:
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
  listen = 127.0.0.1:10143
}
Sample files
dovecot.conf
Setup Imap Proxy
Introduction
imapproxy was written to compensate for webmail clients that are unable to maintain persistent
connections to an IMAP server. Most webmail clients need to log in to an IMAP server for
nearly every single transaction. This behaviour can cause tragic performance problems on the
IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a
short time after a webmail client logs out. When the webmail client connects again, imapproxy
will determine if there's a cached connection available and reuse it if possible. - according to the
imapproxy website.
Configuration
server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
Sample Files
imapproxy.conf
Bind Setup
Introduction
BIND will be set up chrooted to improve security; we will also use views to prevent abuse of the
DNS server.
Basic Configuration
The basic configuration disables recursive queries and zone transfers by default. We also hide
the BIND version string so that scanners cannot trivially fingerprint the server; this only removes
an easy target for script kiddies and is no substitute for keeping BIND patched.
options {
  directory "/var/named";
  pid-file "/var/run/named/named.pid";
  listen-on {
    127.0.0.1;
    192.168.1.5;
  };
  version "just guess";
  allow-recursion { "localhost"; };
  allow-transfer { "none"; };
};
Logging
The logging is customized to remove the annoying "lame-server" and update errors that appear in
the logs:
logging {
  category update { null; };
  category update-security { null; };
  category lame-servers { null; };
};
Chroot
Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot
package):
ROOTDIR=/var/named/chroot
Point Server
Let the machine use this server for dns resolution edit /etc/resolv.conf and prepend:
nameserver 127.0.0.1
Sample files
named.conf
/etc/sysconfig/named
Vsftpd Setup
Introduction
We will use vsftpd as our FTP server; it has a better security track record than the ProFTPD and
wu-ftpd servers.
Basic Setting
Our basic setup disables anonymous users, and enables local system users to connect to the ftp
server.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to example.com server
pam_service_name=vsftpd
tcp_wrappers=YES
Chroot
All users are chrooted to their home directories (except the usernames listed in
/etc/vsftpd/chroot_list), meaning they cannot break out and see other users' files.
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list
Banned Users
Users added to the file /etc/vsftpd/user_list will not be allowed to login:
userlist_enable=YES
Sample Files
vsftpd.conf
user_list
chroot_list
Clamav-milter Setup
Edit /etc/sysconfig/clamav-milter:
CLAMAV_FLAGS="
--config-file=/etc/clamd.conf
--force-scan
--local
--max-children=5
--sendmail-cf=
--outgoing
--quiet
"
SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"
wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch
MySQL Setup
Basic Config
Listen only to the localhost, edit /etc/my.cnf under the mysqld section:
bind-address = 127.0.0.1
SpamAssassin Setup
Basic Config
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY 'password';
Configure To Use DB
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username bayes
bayes_sql_password password
Configure FuzzyOCR
Image hashes are stored in a MySQL database to improve performance: images that have
already been scanned are not scanned again, as OCR is a resource-intensive activity.
Create MySQL Database
The SQL script creates the database and tables and adds a user fuzzyocr with the password
fuzzyocr:
Basic Settings
focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock
mkdir /etc/mail/spamassassin/sa-update-keys/
chmod 700 /etc/mail/spamassassin/sa-update-keys/
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update --import GPG.KEY
Save the following channel list as /etc/mail/spamassassin/sare-sa-update-channels.txt:
updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
#!/bin/bash
# /usr/local/bin/update-sa: fetch rule updates from the channels in the SARE channel
# file, verifying them against the SARE GPG key imported above; output goes to the log.
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log
chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly/
Spamass-milter Setup
Basic Configuration
Edit /etc/sysconfig/spamass-milter:
SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"
Patch
We need to patch the init file to fix the permissions of the socket created such that postfix is able
to use the socket.
wget http://www.topdog-software.com/files/spamass-milter.patch
patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch
Apache Setup
Disable Modules
We will disable some modules that we are not using, freeing up memory and also improving
security.
Apache has to be configured to listen on only one address for port 443, as Webmin is bound to the
same port on the other address (192.168.1.6, see the Webmin configuration above). Edit
/etc/httpd/conf.d/ssl.conf:
Listen 192.168.1.5:443
Enable Gzip Compression
We setup gzip compression via the mod_deflate module to improve web server performance and
to cut down on bandwidth usage by compressing responses to the client.
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate_access_log vhost_with_deflate_info
Set the PHP memory limit in /etc/php.ini:
memory_limit = 64M
NameVirtualHost *:80
This needs to be the first virtual host; it is the default on the server, the equivalent of a
server without virtual hosting.
<VirtualHost *:80>
  ServerName localhost.localdomain
  ServerAdmin root@localhost.localdomain
</VirtualHost>
Create Database
Basic Config
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';
As we provide webmail for every domain created on the system, we need a catch-all virtual host
that serves Roundcube whenever a user accesses http://webmail.domainname. Edit
/etc/httpd/conf/httpd.conf and append (note that Apache rejects an Options line that mixes
+/- prefixed and bare keywords, so every keyword carries a prefix):
<VirtualHost *:80>
  ServerName webmail.example.com
  ServerAlias webmail.*
  DocumentRoot /var/www/roundcube
  <Directory /var/www/roundcube>
    Options -Indexes +IncludesNOEXEC +FollowSymLinks
    allow from all
  </Directory>
</VirtualHost>
Firewall Setup
Introduction
This is a basic firewall and it may not suit your needs; firewalling is an art, so I recommend
reading up on it to improve on this basic one.
Basic Config
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
Activate Config
Configure Virtualmin
Introduction
Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will
be using it to provide the virtual hosting functions such as creation of domains, accounts and
maintaining configurations on the system.
Start Services
You need to start up services that are required to be able to configure virtualmin. Start the
following services:
Initial Settings
MySQL
Webmin needs to be able to communicate with MySQL. Since we have set a password for MySQL,
we need to enter it in Webmin: go to Servers → MySQL and enter this information:
Configure Features
You need to enable the features and plugins that we want to use. On login this is the screen that
you will see.
Enable the following features and save
o Home directory
o Administration user
o Mail for domain
o BIND DNS domain
o Apache website
o Webalizer reporting
o Log file rotation
o Mysql database
o Webmin user
Server templates are used to customize the services and to create packages for different hosting
account types.
Apache Template
You can change the way Apache virtual hosts are created by editing this template; the defaults,
however, will do for the purposes of this howto.
Home Directory Template
This template lets you set a skel directory holding the settings for new users; for this howto we
use the defaults.
Administration User
This template lets you set the quota for the virtual server and the admin user; for this howto we
use the default quota of 1GB.
This template sets various mail related options, we will modify the email message sent on server
creation to have the content below:
BIND DNS Domain Template
This template is used to customize the zones that Virtualmin creates. The changes to be made are
adding an SPF record and the following records to the auto-generated records text box (replace
ns1.home.topdog-software.com. with your slave server):
@ IN NS ns1.home.topdog-software.com. ;slave
admin IN A 192.168.1.6 ;virtualmin
webmail IN A 192.168.1.5 ;webmail
In the directives text box add the following with the IP address of your slave server such that the
slave is allowed to do zone transfers.
allow-transfer { 192.168.1.2; };
Contains options on the creation of databases by Virtualmin; for the howto we use the defaults.
Contains options on the creation of new users by Virtualmin; for the howto we use the defaults.
Finally we have a working virtual server system, so let's create our first virtual server. Go to
Servers → Virtualmin Virtual Servers and click Add New Virtual Server, owned by new user.
Add a mail user to the domain: click on the domain name, then click Edit Mail and FTP Users,
then Add User and fill in the information.
Testing
Postfix
Test SMTP
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt to:andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From:address@yahoo.com
To:andrew@example.com
Subject:This is a test
Hi
This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6
telnet 192.168.1.5 25
Trying 192.168.1.5...
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Test dkim
Test domainkeys
Dovecot
Test POP3
Test IMAP
* BYE LOGOUT received
01 OK Completed
BIND
Clamav-milter
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt to:andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye
Take a look at your /var/log/maillog; you should see something like this:
Spamass-milter
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt to:andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye