 This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.
The Perfect Setup - Mandrake/Mandriva 10.2
Version 1.0
Author: Falko Timme
<ft [at] falkotimme [dot] com>
Last edited: 07/19/2005
This is a detailed description of the steps to be taken to set up a Mandrake 10.2 based server that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.). In addition to that I will show how to use Debian's package manager apt on an rpm-based system because it takes care of package dependencies automagically, which can save a lot of trouble.
I will use the following software:
- Web Server: Apache 2.0.x
- Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
- DNS Server: BIND9
- FTP Server: proftpd
- POP3/IMAP servers
- Webalizer for web site statistics
In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
Requirements
To install such a system you will need the following:
1 The Base System
Boot from your Mandrake 10.2 CD (CD 1) or DVD. Press Enter to start the installation:

Choose your language next:

Accept the license and click on Next:

Select Standard as the Security level and leave the field Security Administrator empty:

Now we have to partition our hard disk. You can choose to let the Mandrake installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (less than 100 MB) with the file system ext3, a swap partition and a huge / partition (again with ext3):

Click on Next if you have all three CDs of the Mandrake Download Edition:

Select None and click on Next:

Now we are to select the package groups we want to install. Select Internet station, Network Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database, Firewall/Router and Network Computer server and click on Next:

The package installation starts:

Give root a password:

Create another user (e.g. admin):

Now the installer presents us a summary of the installation and gives us the possibility to change settings by clicking on the appropriate Configure button. First of all we adjust our keyboard layout (if you don't have a US keyboard...):

Next we configure the time zone we're in:

Finally we change the Network - lan settings. Select LAN connection unless you're using something different:

Select the network interface you want to configure (normally eth0):

We want to assign a static IP address to our network interface (remember, we're installing a server...), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose Manual configuration:

Now enter the IP address and a Netmask:

Enter the Host name (e.g. server1.example.com), up to three DNS servers (e.g. 145.253.2.75 and 193.174.32.18) and the Gateway:

You can leave the field Zeroconf Host name empty:

Do not allow users to start the connection. It's a server, and servers are always online (at least, they should be...):

We've now made all necessary configurations, so we can leave the summary screen by clicking on Next:

Now you can download the latest updates:

The installation is now finished; you can now remove the CD or DVD and reboot the system:

2 Installing And Configuring The Rest Of The System
Starting the SSH Daemon
You have to start the SSH daemon before you can log in via SSH (using PuTTY or something else). To do that, you first have to log in as admin on the system itself, then run su and provide the password for root:

(Direct login as root is not allowed on the system itself, that's why you have to log in as admin first. If you use SSH, you can log in directly as root.)
Then start the SSH daemon:
/etc/init.d/sshd start
Configure Additional IP Addresses
Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this:
DEVICE=eth0:0
BOOTPROTO=static
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
Afterwards we have to restart the network:
/etc/init.d/network restart
Setting The Hostname
echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname
Install apt For Mandrake
apt is the packaging system used on Debian. Since it handles package dependencies much better than rpm, it would be nice if we could use it on our new Mandrake system. This would save us a lot of hassle. Fortunately, apt has been ported to a lot of rpm based distributions, and is also available for Mandrake 10.2 (you will love it... :-)).
rpm -ivh ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/\
i586/media/contrib/libapt-pkg0-0.5.15cnc6-5mdk.i586.rpm
rpm -ivh ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/\
i586/media/contrib/apt-0.5.15cnc6-5mdk.i586.rpm
Edit /etc/apt/sources.list. It should contain the following line:
rpm ftp://ftp.lip6.fr/pub/linux/distributions/Mandrakelinux/official/10.2/i586/media/ media_info/hdlist_main main
Run
apt-get update
Install Some Software
apt-get install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex
Quota
apt-get install quota
Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):
# This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/sda6 / ext3 defaults,usrquota,grpquota 1 1
/dev/sda1 /boot ext3 defaults 1 2
/dev/hdc /mnt/cdrom iso9660 user,iocharset=iso8859-1,noauto,ro,exec 0 0
none /mnt/floppy supermount dev=/dev/fd0,fs=ext2:vfat,--,umask=0,iocharset=iso8859-1,sync,codepage=850 0 0
none /proc proc defaults 0 0
/dev/sda5 swap swap defaults 0 0
Then run:
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
DNS-Server
apt-get install bind
In the Mandrake BIND package there are a few files missing (e.g. /etc/named.conf), therefore BIND will not start when you run
/etc/init.d/named start
This is nothing to worry about because all needed files are created by ISPConfig as soon as you create your first DNS record with ISPConfig.
MySQL (4.1)
apt-get install MySQL MySQL-client libmysql14-devel
/etc/init.d/mysqld start
Now check that networking is enabled. Run
netstat -tap
It should show a line like this:
tcp 0 0 *:mysql *:* LISTEN 6621/mysqld
If it does not, edit /etc/sysconfig/mysqld and remove --skip-networking from the variable MYSQLD_OPTIONS:
# (oe) Remove --skip-networking to enable network access from
# non local clients. Access from localhost will still work.
MYSQLD_OPTIONS=""
# (oe) set TMPDIR and TMP environment variables
TMPDIR="${datadir}/.tmp"
TMP="${TMPDIR}"
and restart your MySQL server:
/etc/init.d/mysqld restart
Run
mysqladmin -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL database!).
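An added example (not part of the original howto): the shell function below classifies how a service is bound in netstat -tap output, which shows whether removing --skip-networking left mysqld listening on every interface or only on loopback. The function name listen_scope, the sample output and the use of 3306 as MySQL's numeric port are assumptions of this example.

```shell
#!/bin/sh
# Added example: report how a service is bound, from "netstat -tap" output.
# listen_scope SERVICE PORT reads netstat output on stdin and prints
# "wildcard", "specific", "loopback" or "none" (widest binding wins).
listen_scope() {
    awk -v svc="$1" -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Field 4 is the local address, e.g. *:mysql or 127.0.0.1:3306.
            n = split($4, part, ":")
            p = part[n]
            if (p != svc && p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                r = 3    # every interface
            else if (addr == "localhost" || addr ~ /^127\./ || addr == "::1")
                r = 1    # local clients only
            else
                r = 2    # one specific address
            if (r > best) best = r
        }
        END {
            split("none loopback specific wildcard", name, " ")
            print name[best + 1]
        }'
}

# Constructed sample output (not captured from a real server).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 6621/mysqld
tcp 0 0 localhost:smtp *:* LISTEN 7012/master
tcp 0 0 *:ssh *:* LISTEN 5120/sshd'

printf 'mysql: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope mysql 3306)"
printf 'smtp:  %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope smtp 25)"
```

On the live system, feed it real output with: netstat -tap | listen_scope mysql 3306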
Postfix With SMTP-AUTH And TLS
apt-get install cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'
Edit /etc/postfix/sasl/smtpd.conf. It should look like this:
# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl-2.*/options.html
# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list: plain login
# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/lib/sasl2/mux
# To authenticate against users stored in sasldb.
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#sasldb_path: /var/lib/sasl2/sasldb2
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
Now start Postfix, saslauthd, imap and pop3:
chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-STARTTLS
and
250-AUTH
everything is fine.

Type
quit
to return to the system's shell.
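An added example (not part of the original howto): the check above as a shell function that reads a saved EHLO reply and reports whether STARTTLS and AUTH are advertised, including the case where a keyword sits on the final "250 " line instead of a "250-" line. It also flags PLAIN/LOGIN being offered before STARTTLS, which is what smtpd_tls_auth_only = no together with mech_list: plain login produces. The function name check_ehlo and the sample reply are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a captured EHLO reply from the Postfix setup above.
# check_ehlo reads the reply on stdin and prints one key=value line per finding.
check_ehlo() {
    # Strip CRs (SMTP lines end in CRLF) and the "250-" / "250 " prefix;
    # the last line of an EHLO reply uses "250 " instead of "250-".
    tr -d '\r' | sed -n 's/^250[- ]//p' | awk '
        toupper($1) == "STARTTLS" { starttls = 1 }
        # Postfix prints "AUTH LOGIN PLAIN"; with broken_sasl_auth_clients = yes
        # it also prints the legacy form "AUTH=LOGIN PLAIN".
        toupper($0) ~ /^AUTH[ =]/ {
            auth = 1
            line = toupper($0)
            sub(/^AUTH[ =]/, "", line)
            n = split(line, mech, " ")
            for (i = 1; i <= n; i++)
                if (mech[i] == "PLAIN" || mech[i] == "LOGIN") plain = 1
        }
        END {
            print "starttls=" (starttls ? "yes" : "no")
            print "auth=" (auth ? "yes" : "no")
            # AUTH with PLAIN/LOGIN in the pre-STARTTLS reply means a client
            # may send its password before the session is encrypted.
            print "cleartext_auth=" (auth && plain ? "yes" : "no")
        }'
}

# Constructed sample reply (not captured from a real server).
SAMPLE_EHLO='220 server1.example.com ESMTP Postfix
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

printf '%s\n' "$SAMPLE_EHLO" | check_ehlo
```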
Apache With PHP
apt-get install apache2-mod_php php-cli php-ini php-gd php-xml php-ldap php-xmlrpc php-domxml php-imap php-mysql php-pear php-readline php-xslt php432-devel curl libcurl3-devel perl-libwww-perl ImageMagick
Now edit /etc/httpd/conf.d/70_mod_php.conf and comment out the AddType lines:
<IfDefine HAVE_PHP4>
<IfModule !mod_php4.c>
LoadModule php4_module extramodules/mod_php4.so
</IfModule>
</IfDefine>
<IfModule mod_php4.c>
PHPINIDir /etc
</IfModule>
<IfModule mod_mime.c>
#AddType application/x-httpd-php .php
#AddType application/x-httpd-php .php3
#AddType application/x-httpd-php .php4
#AddType application/x-httpd-php .phtml
#AddType application/x-httpd-php-source .phps
</IfModule>
Edit /etc/httpd/conf/apache-mime.types and comment out the following lines:
#application/x-perl perl pl
#application/x-php php php3 php4
Edit /etc/httpd/conf/httpd2.conf and add the following line to the LoadModule section:
LoadModule php4_module extramodules/mod_php4.so
(Although this line is already in /etc/httpd/conf.d/70_mod_php.conf this is very important because otherwise the command httpd -t will report errors instead of Syntax OK when the virtual hosts created by ISPConfig contain lines like
php_admin_flag safe_mode On
or the like!)
Restart Apache:
/etc/init.d/httpd restart
Proftpd
apt-get install proftpd
/etc/init.d/proftpd start
For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
Be sure to comment out the following lines in /etc/proftpd.conf in order to allow ftp users to CHMOD:
# Bar use of SITE CHMOD by default
# <Limit SITE_CHMOD>
# DenyAll
# </Limit>
and restart Proftpd:
/etc/init.d/proftpd restart
Webalizer
To install webalizer, run
cd /tmp/
wget --passive-ftp ftp://ftp.mrunix.net/pub/webalizer/webalizer-2.01-10-static.gz
gunzip webalizer-2.01-10-static.gz
mv webalizer-2.01-10-static /usr/bin/webalizer
chmod 755 /usr/bin/webalizer
Synchronize the System Clock
If you want to have the system clock synchronized with an NTP server do the following:
apt-get install rdate
rdate -s 128.2.136.71
Create /var/spool/cron/root:
# update time with ntp server
0 3,9,15,21 * * * /usr/bin/rdate -s 128.2.136.71 | logger -t NTP
Then run
chmod 600 /var/spool/cron/root
/etc/init.d/crond restart
Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)
Installation using the Perl Shell
Login to your command line as root and run the following command to start the Perl shell:
perl -MCPAN -e shell
If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.
Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.
The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".
Run the following commands to install the modules needed by SpamAssassin:
install HTML::Parser
install Digest::SHA1
q (to leave the Perl shell)
If a module is already installed on your system you will get a message similar to this one:
HTML::Parser is up to date.
Successful installation of a module looks like this:
/usr/bin/make install -- OK
The End
The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.
A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Mandrake's suExec is compiled with /var/www as Doc_Root. Run /usr/sbin/apache2-suexec -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.
