Sunday, April 10, 2011


ISP Sever configuration on Fedara 9.Apache server,PHP5,Ruby,Postfix,MySQL, Dovecot,Quota, Firewall.

  • Sunday, April 10, 2011
  • ikraninc
  • Share

  • I will use the following software:
    • Web Server: Apache 2.2.8
    • PHP 5.2.5
    • Ruby
    • Database Server: MySQL 5.0.51
    • Mail Server: Postfix
    • DNS Server: BIND9 (chrooted)
    • FTP Server: proftpd
    • POP3/IMAP server: Dovecot
    • Webalizer for web site statistics
    In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig(i.e., ISPConfig runs on it out of the box).
    I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

    1 Requirements

    To install such a system you will need the following:

    2 Preliminary Note

    In this tutorial I use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate.

    3 Install The Base System

    Boot from your Fedora 9 DVD. Select Install or upgrade an existing system:

    4 Fix The Network

    When I booted the system, I noticed that I could connect to and from it within my LAN, but the system could not connect to the internet. The output of
    revealed that eth0 was up and has the correct IP address, however
    route -nee
    showed that no gateway had been set although I specified the correct gateay during the setup. I took a look at
    chkconfig --list
    and found that the network init script was set to off in all runlevels, however there was another init script, NetworkManager, which was set to on. NetworkManager is a tool that figures out the best network connection for the system and sets it up - in my case, it seems to have forgotten the gateway. Anyway, as we only have one network connection, we don't need the NetworkManager. I disabled it and set network to on, restarted the network, and violĂ , networking is working as expected, also after a reboot:
    chkconfig NetworkManager off
    chkconfig --levels 35 network on
    /etc/init.d/network restart

    5 Adjust /etc/hosts

    Next we edit /etc/hosts. Make it look like this:
    vi /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.               localhost.localdomain localhost  server1
    ::1             localhost6.localdomain6 localhost6
    It is important that you add a line for and remove and server1 from the

    6 Configure The Firewall

    (You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)
    I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).
    Click to enlarge

    Select Disabled and press OK.
    To check that the firewall has really been disabled, you can run
    iptables -L
    afterwards. The output should look like this:
    [root@server1 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [root@server1 ~]#

    7 Disable SELinux

    SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
    Edit /etc/selinux/config and set SELINUX=disabled:
    vi /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    Afterwards we must reboot the system:

    8 Install Some Software

    First we import the GPG keys for software packages:
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
    Then we update our existing packages on the system:
    yum update
    Now we install some software packages that are needed later on:
    yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

    9 Quota

    (If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
    To install quota, we run this command:
    yum install quota
    Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):
    vi /etc/fstab
    /dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
    UUID=03b23ff4-4dda-47a8-a23f-2f530df157b2 /boot                   ext3    defaults        1 2
    tmpfs                   /dev/shm                tmpfs   defaults        0 0
    devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
    sysfs                   /sys                    sysfs   defaults        0 0
    proc                    /proc                   proc    defaults        0 0
    /dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
    Then run
    touch /aquota.user /
    chmod 600 /aquota.*
    mount -o remount /
    quotacheck -avugm
    quotaon -avug
    to enable quota.

    10 Install A Chrooted DNS Server (BIND9)

    To install a chrooted BIND9, we do this:
    yum install bind-chroot
    Next, we change a few permissions and start BIND:
    chmod 755 /var/named/
    chmod 775 /var/named/chroot/
    chmod 775 /var/named/chroot/var/
    chmod 775 /var/named/chroot/var/named/
    chmod 775 /var/named/chroot/var/run/
    chmod 777 /var/named/chroot/var/run/named/
    cd /var/named/chroot/var/named/
    ln -s ../../ chroot
    chkconfig --levels 235 named on
    /etc/init.d/named start
    BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

    11 MySQL (5.0)

    To install MySQL, we do this:
    yum install mysql mysql-devel mysql-server
    Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
    chkconfig --levels 235 mysqld on
    /etc/init.d/mysqld start
    Now check that networking is enabled. Run
    netstat -tap | grep mysql
    It should show something like this:
    [root@server1 ~]# netstat -tap | grep mysql
    tcp        0      0 *:mysql                     *:*                         LISTEN      2407/mysqld
    [root@server1 ~]#
    If it does not, edit /etc/my.cnf and comment out the option skip-networking:
    vi /etc/my.cnf
    and restart your MySQL server:
    /etc/init.d/mysqld restart
    mysqladmin -u root password yourrootsqlpassword
    mysqladmin -h -u root password yourrootsqlpassword
    to set a password for the user root (otherwise anybody can access your MySQL database!).

    12 Postfix With SMTP-AUTH And TLS

    Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):
    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
    Now we configure SMTP-AUTH and TLS:
    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    postconf -e 'smtpd_sasl_authenticated_header = yes'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    postconf -e 'inet_interfaces = all'
    postconf -e 'mynetworks ='
    We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 64bit systems, this file is in/usr/lib64/sasl2/smtpd.conf). It should look like this:
    vi /usr/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    Afterwards we create the certificates for TLS:
    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    Next we configure Postfix for TLS:
    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'
    Then we set the hostname in our Postfix installation (make sure you replace with your own hostname):
    postconf -e 'myhostname ='
    After these configuration steps you should now have a /etc/postfix/ that looks like this (I have removed all comments from it):
    cat /etc/postfix/
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
             ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.5.1/samples
    readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    mynetworks =
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    myhostname =
    Now start Postfix, saslauthd, and Dovecot:
    chkconfig --levels 235 sendmail off
    chkconfig --levels 235 postfix on
    chkconfig --levels 235 saslauthd on
    chkconfig --levels 235 dovecot on
    /etc/init.d/sendmail stop
    /etc/init.d/postfix start
    /etc/init.d/saslauthd start
    /etc/init.d/dovecot start
    To see if SMTP-AUTH and TLS work properly now run the following command:
    telnet localhost 25
    After you have established the connection to your Postfix mail server type
    ehlo localhost
    If you see the lines
    everything is fine.
    [root@server1 ssl]# telnet localhost 25
    Connected to localhost.
    Escape character is '^]'.
    220 ESMTP Postfix
    ehlo localhost
    250-SIZE 10240000
    250 DSN
    221 2.0.0 Bye
    Connection closed by foreign host.
    [root@server1 ssl]#
    to return to the system's shell.

    12.1 Maildir

    Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir underManagement -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.
    If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):
    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
    /etc/init.d/postfix restart

    13 Apache2 With PHP5

    Now we install Apache with PHP5 (this is PHP 5.2.5):
    yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-magickwand php-magpierss php-mapserver php-mbstring php-mcrypt php-mhash php-mssql php-shout php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
    Then edit /etc/httpd/conf/httpd.conf:
    vi /etc/httpd/conf/httpd.conf
    and change DirectoryIndex to
    DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3
    Now configure your system to start Apache at boot time:
    chkconfig --levels 235 httpd on
    Start Apache:
    /etc/init.d/httpd start

    13.1 Disable PHP Globally

    (If you do not plan to install ISPConfig on this server, please skip this section!)
    In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
    To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:
    vi /etc/httpd/conf.d/php.conf
    # PHP is an HTML-embedded scripting language which attempts to make it
    # easy for developers to write dynamically generated webpages.
    LoadModule php5_module modules/
    # Cause the PHP interpreter to handle files with a .php extension.
    #AddHandler php5-script .php
    #AddType text/html .php
    # Add index.php to the list of files that will be served as directory
    # indexes.
    DirectoryIndex index.php
    # Uncomment the following line to allow PHP to pretty-print .phps
    # files as PHP source code:
    #AddType application/x-httpd-php-source .phps
    Afterwards we restart Apache:
    /etc/init.d/httpd restart

    14 Ruby

    Starting with version 2.2.20, ISPConfig has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends onmod_ruby being available in the server's Apache.
    For Fedora 9, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:
    yum install httpd-devel ruby ruby-devel
    Next we download and install mod_ruby as follows:
    cd /tmp
    tar zxvf mod_ruby-1.2.6.tar.gz
    cd mod_ruby-1.2.6/
    ./configure.rb --with-apr-includes=/usr/include/apr-1
    make install
    Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...
    vi /etc/httpd/conf.d/ruby.conf
    LoadModule ruby_module modules/
    ... and restart Apache:
    /etc/init.d/httpd restart

    15 ProFTPd (Part 1)

    ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:
    yum remove vsftpd
    yum install proftpd
    Now we can create the system startup links for Proftpd and start it:
    chkconfig --levels 235 proftpd on
    /etc/init.d/proftpd start

    16 Webalizer

    To install webalizer, just run
    yum install webalizer

    17 Synchronize The System Clock

    If you want to have the system clock synchronized with an NTP server do the following:
    yum install ntp
    chkconfig --levels 235 ntpd on
    /etc/init.d/ntpd start

    18 Install Some Perl Modules

    ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:
    yum install perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1

    19 ISPConfig

    The configuration of the server is now finished.
    If you want to install ISPConfig, there's one more thing you need to do. Fedora 9 comes with the gcc version 4.3, but the ISPConfig installation (the OpenSSL part, to be specific) fails with this gcc version. Therefore we install gcc 3.4...
    yum install compat-gcc-34
    ... and create a symlink from /usr/bin/gcc to /usr/bin/gcc34:
    cd /usr/bin
    mv gcc gcc43
    ln -s gcc34 gcc
    You can now install ISPConfig on it, following these instructions:

    19.1 A Note On SuExec

    If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root. Run
    /usr/sbin/suexec -V
    and the output should look like this:
    [root@server1 ~]# /usr/sbin/suexec -V
     -D AP_DOC_ROOT="/var/www"
     -D AP_GID_MIN=100
     -D AP_HTTPD_USER="apache"
     -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=500
     -D AP_USERDIR_SUFFIX="public_html"
    [root@server1 ~]#
    So if you want to use suExec with ISPconfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).

    19.2 ProFTPd (Part 2)

    (This chapter applies only if you have installed ISPConfig!)
    After you have installed ISPConfig, you must modify the template file for /etc/proftpd_ispconfig.conf which is called/root/ispconfig/isp/conf/proftpd_ispconfig.conf.master, because otherwise the users that you create with ISPConfig won't be able to log in using FTP. Instead of modifying /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master (which gets overwritten each time you update ISPConfig) we copy /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master to/root/ispconfig/isp/conf/customized_templates/ and modify that one. If ISPConfig finds a template in/root/ispconfig/isp/conf/customized_templates/, it will use that one instead of the default template in /root/ispconfig/isp/conf/. Templates in /root/ispconfig/isp/conf/customized_templates/ don't get overwritten when you update ISPConfig.
    cp /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master /root/ispconfig/isp/conf/customized_templates/
    Now open /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master and comment out the DefaultAddress line:
    vi /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master
    # ISPConfig proftpd Configuration File
    #         Version 1.0
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002

    20 Links

    0 Responses to “ISP Sever configuration on Fedara 9.Apache server,PHP5,Ruby,Postfix,MySQL, Dovecot,Quota, Firewall.”

    Post a Comment