Virtual Hosting Howto With Virtualmin On CentOS 5.1
Version 1.0.1 Author: Andrew Colin Kissa <andrew [at] topdog [dot] za [dot] net> Last edited 14/04/2008
Introduction
This tutorial shows how to set up a CentOS 5.x server to offer all the services a virtual web hoster needs: web hosting, an SMTP server (with SMTP-AUTH and TLS, SPF, DKIM and DomainKeys), DNS, FTP, MySQL, POP3/IMAP, a firewall and Webalizer for statistics.
I will use the following software:
Database Server: MySQL 5.0.22
Mail Server: Postfix 2.3.3
NS Server: BIND9 9.3.3
Web Server: Apache 2.2.3 / PHP 5.1.6
FTP Server: Vsftpd 2.0.5
POP3/IMAP server: Dovecot 1.0
Webalizer: for site statistics 2.01_10
Virtualmin: Control panel
OS Installation
Requirements
To install the system you will need
CentOS 5.1 install media
A good internet connection
Install The Base System
NOTE: Some stages of the installation are not described here in the interest of keeping the howto short; the GRUB configuration stages are left out, for instance.
Boot from the DVD or CD media and at the boot prompt type linux text. Skip the media test. Select your language:
Select keyboard layout:
Configure your network. I will be using DHCP; if you do not have DHCP you can use static entries.
To enhance security and free system resources we need to disable any services that are not required. You can run this script to do this for you.
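The howto does not reproduce its service-disabling script, so here is an added example of the kind of script meant (this editor's code, not the author's): it reads `chkconfig --list`, keeps only the services this howto later relies on plus the basics a remote server needs (the keep list is an assumption; adjust it), and switches everything else off now and at boot. Run it with `apply` to make the change; without the argument it only defines the functions, so it can be sourced and checked safely.

```shell
#!/bin/sh
# Added example (not from the original howto): turn off every SysV service
# that is enabled at runlevel 3 or 5 and is not on the keep list below.
# The keep list is this editor's assumption: the services the howto goes on
# to configure plus what a headless, remotely managed box needs.
KEEP="network sshd syslog iptables crond httpd postfix spamassassin spamass-milter clamav-milter mysqld named vsftpd dovecot imapproxy webmin"

# services_to_disable: read `chkconfig --list` output on stdin and print the
# name of every service that is on at runlevel 3 or 5 and not in $KEEP.
# Indented lines (xinetd sub-services) and the xinetd header are ignored.
services_to_disable() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /^[^ \t]/ && NF > 1 {
            on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in keepset)) print $1
        }'
}

# disable_services: apply the decision, stopping each service now and at boot.
disable_services() {
    for svc in $(chkconfig --list | services_to_disable); do
        chkconfig --level 2345 "$svc" off
        service "$svc" stop
    done
}

# Only act when invoked with "apply", so that sourcing this file for the
# checks below has no side effects.
if [ "${1:-}" = "apply" ]; then
    disable_services
fi
```

The decision logic is separated from the commands that change the system so you can preview the list first with `chkconfig --list | sh -c '. ./disable-services.sh; services_to_disable'` before running it with `apply`.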
We need to fix a few issues to prepare the system for configuration.
Install updates
yum upgrade
Switch the mta to postfix
alternatives --config mta
There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
   1           /usr/sbin/sendmail.postfix
*+ 2           /usr/sbin/sendmail.sendmail

Enter to keep the current selection[+], or type selection number: 1
Modify the file /etc/sysconfig/network-scripts/ifcfg-eth0:1 to look like this:

DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.6
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
Verify the RPM signature (it should say OK; otherwise download it again):
rpm --checksig webmin-1.390-1.noarch.rpm
Install the rpm:
rpm -Uvh webmin-1.390-1.noarch.rpm
Initial Webmin Config
We need to secure webmin by editing /etc/webmin/miniserv.conf and making the following changes:
Using SSL only:
ssl=1
Change the port to 443 and bind to the second NIC only:
port=443 bind=192.168.1.6
Disable the UDP listener used for server discovery broadcasts:
#listen=10000
Change host lockout on login failures to 3 :
blockhost_failures=3
Increase the host lockout time to 120 seconds:
blockhost_time=120
Change user lockout on login failures to 3:
blockuser_failures=3
Increase the user lockout time to 120 seconds:
blockuser_time=120
Change the realm to something else:
realm=cpanel
Log logins to utmp:
utmp=1
Install the StressFree webmin theme:
Restart webmin so that the miniserv.conf changes take effect (service webmin restart), then log in at https://192.168.1.6/ (port 443 on the second NIC, as configured above) as root with your password. Go to Webmin -> Webmin Configuration -> Webmin Themes. Select "From ftp or http URL", enter http://www.stress-free.co.nz/files/theme-stressfree.tar.gz and click Install Theme. Click "Return to list themes", select StressFree as the current theme and click Change.
Install php-pear module:
Go to Webmin -> Webmin Configuration -> Webmin Modules. Select "Third party module from", enter http://www.webmin.com/download/modules/php-pear.wbm.gz and click Install Module.
Install virtualmin:
Go to Webmin -> Webmin Configuration -> Webmin Modules. Select "From ftp or http URL", enter http://download.webmin.com/download/virtualmin/virtual-server-3.51.gpl.wbm.gz and click Install Module.
Remove unwanted modules: go to Webmin -> Webmin Configuration -> Delete Webmin Modules and select the following:

ADSL client
Bacula backup system
CD Burner
CVS Server
Cluster change passwords
Cluster copy files
Cluster cron jobs
Cluster shell commands
Cluster software packages
Cluster usermin servers
Cluster users and groups
Cluster webmin servers
Command shell
Configuration engine
Custom commands
DHCP server
Fetchmail mail retrieval
File manager
Frox ftp proxy
HTTP Tunnel
Heartbeat monitor
IPsec VPN
Jabber IM server
LDAP server
Logical volume management
Majordomo list manager
NFS exports
NIS client and server
OpenSLP server
PPP dialin server
PPP dialup client
PPTP vpn server
PPTP vpn client
Postgresql database server
Printer admin
ProFTPD server
QMAIL mail server
SMART drive status
SSH / Telnet login
SSL tunnels
SAMBA windows file sharing
Scheduled commands
Sendmail mail server
Shoreline firewall
Squid analysis report generator
Squid proxy server
Voicemail server
WU-FTP server
Idmapd server
Enable the services we will be using so that they start at boot:

chkconfig --level 345 httpd on
chkconfig --level 345 postfix on
chkconfig --level 345 spamassassin on
chkconfig --level 345 spamass-milter on
chkconfig --level 345 clamav-milter on
chkconfig --level 345 mysqld on
chkconfig --level 345 named on
chkconfig --level 345 vsftpd on
chkconfig --level 345 dovecot on
chkconfig --level 345 imapproxy on
Configuration
Postfix Setup
Introduction
We will be setting up postfix with the following features:
Accounts and domains will be added through Virtualmin, although this can be done manually as well. The setup is designed to be resource friendly, so it should run on machines that are not over-specified, leaving the resources for better use. To keep it light we do not store virtual user information in an external database, as most other howtos do, and we use milters for spam and virus checking instead of running amavisd-new.
The Basics
To begin with we will configure the basics such as the hostname, mail origin, networks, hash maps and the spool directory. All these configuration options should be added to /etc/postfix/main.cf unless stated otherwise. Sample configuration files are available for download at the end of this page.
We will use the maildir format instead of the default mbox format:
home_mailbox = Maildir/
SASL
To perform SMTP authentication we will be using SASL. We will not use Cyrus SASL, which requires running the saslauthd daemon; instead we use Dovecot SASL, since Dovecot is already running for IMAP and POP3, killing two birds with one stone.
We need TLS so that the plaintext passwords used for SMTP authentication are not sent over the wire unencrypted (Postfix should only advertise AUTH once STARTTLS is in use); servers that support TLS can also talk to this server over an encrypted connection.
Instructions on creating your server certificate signed by cacert.org can be found here.
Install postfix-policyd-spf-perl and enable SPF support:
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xzvf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /etc/postfix/
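As an added example (this editor's, not the howto's sample files), here are the main.cf lines that implement the SASL-via-Dovecot and TLS-before-AUTH setup described above, the master.cf entry that hooks in postfix-policyd-spf-perl, and a small audit that catches the mistake the text warns about: SASL enabled without forcing TLS first, or a recipient restriction list that leaves the server an open relay. Certificate paths and the "policy" service name are assumptions; the Dovecot socket path private/auth must match the Dovecot side.

```shell
#!/bin/sh
# Added example (not part of the original howto or of Postfix): generate the
# relevant main.cf / master.cf lines and audit an existing main.cf for the
# plaintext-AUTH and open-relay mistakes. Certificate paths are assumptions.

# Lines for /etc/postfix/main.cf (apply with postconf -e or paste them in).
postfix_sasl_tls_settings() {
    cat <<'EOF'
# SASL: Dovecot verifies the credentials over its socket (relative to queue_directory)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# TLS: offer STARTTLS to everyone, and never advertise AUTH on a cleartext session
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/private/server.key
smtpd_tls_loglevel = 1
# Relay control: our networks and authenticated users may relay, everyone else
# only to our own domains; SPF is consulted for what remains
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy
policy_time_limit = 3600
EOF
}

# Entry for /etc/postfix/master.cf that spawns postfix-policyd-spf-perl
postfix_spf_master_entry() {
    cat <<'EOF'
policy  unix  -  n  n  -  0  spawn
    user=nobody argv=/usr/bin/perl /etc/postfix/postfix-policyd-spf-perl
EOF
}

# setting FILE NAME: print the (last) value of NAME in a main.cf-style file
setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_main_cf FILE: 0 if safe, 1 if SASL is offered without TLS first or
# relaying is not restricted to authenticated/local senders
audit_main_cf() {
    f=$1; rc=0
    if [ "$(setting "$f" smtpd_sasl_auth_enable)" = "yes" ]; then
        if [ "$(setting "$f" smtpd_tls_auth_only)" != "yes" ]; then
            echo "WARN: SASL enabled but smtpd_tls_auth_only != yes (passwords sent in clear)"; rc=1
        fi
        if [ -z "$(setting "$f" smtpd_tls_security_level)" ] && [ "$(setting "$f" smtpd_use_tls)" != "yes" ]; then
            echo "WARN: TLS not enabled, STARTTLS will not be offered"; rc=1
        fi
    fi
    if ! grep -q 'reject_unauth_destination' "$f"; then
        echo "WARN: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1
    fi
    return $rc
}
```

Run `audit_main_cf /etc/postfix/main.cf` after every change; it is deliberately strict about smtpd_tls_auth_only because a server that advertises AUTH PLAIN on port 25 in the clear hands every client password to anyone on the path.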
Sample Configuration Files
main.cf
master.cf
canonical
virtual
Dovecot Setup
Introduction
This will setup dovecot as our IMAP/POP3 server.
Basic Configuration
We will set up Dovecot for IMAP and POP3 with SSL disabled. Be aware that with SSL off and the PLAIN/LOGIN mechanisms configured below, mailbox passwords cross the network in clear text; only do this where clients reach the server over a network you trust, otherwise leave SSL enabled.
We will use the maildir format instead of the default mbox format:
mail_location = maildir:~/Maildir
Authentication & SASL
Configure Dovecot to use LOGIN and PLAIN as the authentication mechanisms, as many MS clients are unable to use encrypted authentication mechanisms. We also set up the SASL socket that lets Postfix authenticate SMTP connections through Dovecot.
Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3 implementations, so we need to accommodate them with these workarounds:
The IMAP server is configured to run on port 10143, so that port 143 is handled by the IMAP proxy, which improves webmail performance by caching connections to the IMAP server. The listen option under the imap protocol section sets this up.
imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.
Configuration
Make the following changes in the file /etc/imapproxy.conf:
server_hostname 127.0.0.1
cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no
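The Dovecot section above names the settings but does not show them, and the imapproxy configuration only works if the two daemons agree on ports. This added example (this editor's, not the howto's sample file) writes a Dovecot 1.0 fragment with the maildir location, PLAIN/LOGIN mechanisms, Outlook workarounds, the IMAP listener moved to 10143 and the SASL socket Postfix uses, then checks a dovecot.conf against an imapproxy.conf: if Dovecot is left on 143 the proxy cannot bind, and if it listens on a port other than server_port webmail logins fail. Binding to 127.0.0.1 and the PAM/passwd databases are assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto, Dovecot or imapproxy): the
# Dovecot 1.0 settings the text describes plus a consistency check between
# Dovecot's IMAP listener and imapproxy's listen_port/server_port.

dovecot_conf() {
    cat <<'EOF'
protocols = imap pop3
# No SSL in Dovecot (as in the howto): the firewall is then the only thing
# between these plaintext logins and the Internet
ssl_disable = yes
mail_location = maildir:~/Maildir
protocol imap {
  # only imapproxy talks to Dovecot directly; everyone else uses port 143 on the proxy
  listen = 127.0.0.1:10143
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  # SASL socket for Postfix (main.cf: smtpd_sasl_path = private/auth)
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
EOF
}

# dovecot_imap_port FILE: print the port of the listen= line inside "protocol imap { }"
# (empty if the block does not override it, i.e. Dovecot stays on 143)
dovecot_imap_port() {
    awk '/^[[:space:]]*protocol imap[[:space:]]*\{/ { inimap = 1; next }
         inimap && /^[[:space:]]*\}/ { inimap = 0 }
         inimap && /^[[:space:]]*listen[[:space:]]*=/ {
             sub(/.*[=:]/, ""); gsub(/[[:space:]]/, ""); print; exit }' "$1"
}

# imapproxy_setting FILE KEY: value of a "key value" line in imapproxy.conf
imapproxy_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_imap_ports DOVECOT_CONF IMAPPROXY_CONF: 0 when the chain
# clients -> imapproxy:listen_port -> dovecot:listen is consistent
check_imap_ports() {
    d=$(dovecot_imap_port "$1"); [ -z "$d" ] && d=143
    lp=$(imapproxy_setting "$2" listen_port)
    sp=$(imapproxy_setting "$2" server_port)
    if [ "$d" = "$lp" ]; then
        echo "ERROR: Dovecot IMAP listens on $d, the same port imapproxy wants to bind"; return 1
    fi
    if [ "$d" != "$sp" ]; then
        echo "ERROR: imapproxy forwards to port $sp but Dovecot listens on $d"; return 1
    fi
    echo "OK: clients -> imapproxy:$lp -> dovecot:$d"
}
```

Write the fragment with `dovecot_conf > /etc/dovecot.conf` (merging it into the distribution file rather than replacing it outright), then run `check_imap_ports /etc/dovecot.conf /etc/imapproxy.conf` before starting either service.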
Sample Files
imapproxy.conf
Bind Setup
Introduction
BIND will be set up chrooted to limit the damage a compromise of named could do; we will also use views to prevent abuse of the DNS server.
Basic Configuration
The basic configuration disables recursive queries and zone transfers by default. We also hide the version string BIND reports; this makes casual fingerprinting by script kiddies harder but is no protection against a real exploit, so keep BIND patched.
All FTP users will be chrooted to their home directories (except the usernames listed in /etc/vsftpd/chroot_list), meaning they cannot break out and see other users' files.
We will be storing the image hashes in a MySQL database to improve performance, so that images we have already scanned are not scanned again, as OCR is a resource-intensive activity.
Create MySQL Database
The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:
mysql -p < /usr/local/src/devel/FuzzyOcr.mysql
Change the password (mysqladmin prompts for the new one; note that the current password must follow -p without a space, otherwise it is taken as a command):
mysqladmin -u fuzzyocr -pfuzzyocr password
Basic Settings
Edit /etc/mail/spamassassin/FuzzyOCR.cf and set the basic options:
Apache has to be configured to listen on a single address for port 443, because webmin is already bound to 192.168.1.6:443 (see the miniserv.conf changes above) and two daemons cannot share the same address and port. Edit /etc/httpd/conf.d/ssl.conf and bind Apache's SSL listener to the first address:
Listen 192.168.1.5:443
Enable Gzip Compression
We set up gzip compression via the mod_deflate module to improve web server performance and cut down on bandwidth usage by compressing responses to the client.
As we will be providing webmail for all domains created on the system, we need a catch-all virtual host that displays RoundCube whenever a user accesses http://webmail.domainname. Edit /etc/httpd/conf/httpd.conf and append (in Apache 2.2 the Options directive must use either all relative (+/-) or all absolute values, hence the + signs):

<VirtualHost *:80>
    ServerName webmail.example.com
    ServerAlias webmail.*
    DocumentRoot /var/www/roundcube
    <Directory /var/www/roundcube>
        Options -Indexes +IncludesNOEXEC +FollowSymLinks
        allow from all
    </Directory>
</VirtualHost>
Firewall Setup
Introduction
This is a basic firewall and may not suit your needs; firewalling is an art, so I recommend reading up on it to improve on this basic one.
Basic Config
Add these rules to your configuration file /etc/sysconfig/iptables. Passive FTP data connections are only matched by the RELATED,ESTABLISHED rule if the FTP connection-tracking helper is loaded; on CentOS 5 set IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables-config.

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,110,143,53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT
Activate Config
service iptables restart
Configure Virtualmin
Introduction
Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will be using it to provide the virtual hosting functions such as creation of domains, accounts and maintaining configurations on the system.
Start Services
You need to start the services that are required to configure Virtualmin:

service named start
service spamassassin start
service spamass-milter start
service clamav-milter start
service postfix start
service dovecot start
service imapproxy start
service httpd start
Initial Settings
MySQL
Webmin needs to be able to communicate with MySQL; since we have set a password for MySQL we need to tell webmin about it. Go to Servers -> MySQL Database Server and enter this information:
Configure Features
You need to enable the features and plugins that we want to use. On login this is the screen that you will see.
Enable the following features and save:

Home directory
Administration user
Mail for domain
This template is used to configure various server limits such as the number of mailboxes, aliases, databases and virtual servers, and other options like bandwidth limits and admin abilities. For this howto we will use the default values.
Home Directory Template
This template allows you to set a skel directory holding the settings for new users; for this howto we will use the defaults.
Administration User
This template lets you set the quota for the virtual server and the admin user; for this howto we will use the default quota of 1GB.
This template sets various mail related options. We will modify the email message sent on server creation to have the content below:

The following virtual server has been set up successfully :

Domain name: ${DOM}
Hosting server: ${HOSTNAME}
${IF-VIRT}
Virtual IP address: ${IP}
${ENDIF-VIRT}
Administration login: ${USER}
Administration password: ${PASS}
${IF-WEBMIN}
Administration URL: ${WEBMIN_PROTO}://www.${DOM}:${WEBMIN_PORT}/
${ENDIF-WEBMIN}
${IF-WEB}
Website: http://www.${DOM}/
${IF-WEBALIZER}
Webalizer log reporting: Enabled
${ELSE-WEBALIZER}
Webalizer log reporting: Disabled
${ENDIF-WEBALIZER}
${ENDIF-WEB}
${IF-MAIL}
Email domain: ${DOM}
SMTP server: mail.${DOM}
POP3 server: mail.${DOM}
Webmail: webmail.${DOM}
${ENDIF-MAIL}
${IF-DNS}
DNS domain: ${DOM}
Nameserver: ${HOSTNAME}
${ENDIF-DNS}
${IF-MYSQL}
MySQL database: ${DB}
MySQL login: ${MYSQL_USER}
MySQL password: ${PASS}
${ENDIF-MYSQL}
${IF-POSTGRES}
PostgreSQL database: ${DB}
PostgreSQL login: ${USER}
PostgreSQL password: ${PASS}
${ENDIF-POSTGRES}
We will leave the other options as the defaults.
BIND DNS Domain Template
This template is used to customize the zones that Virtualmin will create. The changes to be made are adding an SPF record and adding the following records to the auto-generated records text box (replace ns1.home.topdog-software.com. with your slave server):

@ IN NS ns1.home.topdog-software.com. ;slave
admin IN A 192.168.1.6 ;virtualmin
webmail IN A 192.168.1.5 ;webmail
Finally we have a working virtual server system, so let's create our first virtual server. Go to Servers -> Virtualmin Virtual Servers and click "Add new virtual server, owned by new user".
Fill in the required fields and click Create.
Add a mail user to the domain: click on the domain name, then "Edit Mail and FTP Users", then "Add a user" and fill in the information.
Test SMTP by sending a message to the new user (the command is RCPT TO:, Postfix rejects a bare "rcpt:" as an unknown command):

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: [email protected]
To: [email protected]
Subject: This is a test

Hi This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6
Check the ESMTP extensions offered on a cleartext session (STARTTLS is offered, AUTH is not advertised until TLS is in use):

telnet 192.168.1.5 25
Trying 192.168.1.5...
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
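The EHLO response above is exactly what a correctly configured server should show, and it is worth turning into a check. This added example (this editor's code, not from the howto) takes an EHLO transcript on stdin and fails if STARTTLS is missing or if an AUTH line is advertised on the cleartext session, which is how a misconfigured smtpd_tls_auth_only shows up; a second function shows how to see the capabilities after STARTTLS with openssl s_client, which is where AUTH PLAIN LOGIN should appear. It assumes the server address 192.168.1.5 from the howto and that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the original howto): verify that the SMTP server
# only offers authentication inside TLS, using an EHLO transcript as input.

# ehlo_plaintext_ok: read an EHLO response on stdin; return 0 if STARTTLS is
# offered and no AUTH capability leaks onto the cleartext session, 1 otherwise.
ehlo_plaintext_ok() {
    resp=$(cat)
    if ! echo "$resp" | grep -qi '^250[- ]STARTTLS'; then
        echo "FAIL: STARTTLS not offered, clients cannot encrypt before AUTH"
        return 1
    fi
    if echo "$resp" | grep -qi '^250[- ]AUTH'; then
        echo "FAIL: AUTH advertised before TLS (passwords would cross the wire in clear)"
        return 1
    fi
    echo "OK: STARTTLS offered, AUTH withheld until the session is encrypted"
}

# ehlo_after_starttls HOST: print the capabilities the server offers once TLS
# is up; AUTH PLAIN LOGIN should appear here and only here. Needs network
# access to HOST:25, so it is not exercised by the checks below.
ehlo_after_starttls() {
    printf 'EHLO me\r\nQUIT\r\n' | openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null
}
```

Usage: paste the EHLO output into the first function (`ehlo_plaintext_ok < ehlo.txt`) and compare with `ehlo_after_starttls 192.168.1.5`; if the AUTH line appears in the first and not only in the second, smtpd_tls_auth_only is not in effect.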
Test POP3:

telnet 192.168.1.5 110
+OK Dovecot ready.
user andrew.example
+OK
pass password
+OK Logged in.
quit
+OK Logging out.
Test IMAP
telnet 192.168.1.5 143
* OK Dovecot ready.
01 login andrew.example password
01 OK User logged in
01 list "" "*"
* LIST (\HasNoChildren) "." "Trash"
* LIST (\HasNoChildren) "." "Drafts"
* LIST (\HasNoChildren) "." "Junk"
* LIST (\HasNoChildren) "." "Sent"
* LIST (\HasNoChildren) "." "INBOX"
01 OK List completed.
01 logout
* BYE LOGOUT received
01 OK Completed
Clamav-milter
We are using the EICAR test string, which every antivirus engine recognises without being a real virus:

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye
Take a look at your /var/log/maillog; you should see something like this:
73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<me>
Spamass-milter
We are using the test message from http://spamassassin.apache.org/gtube/.
telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye
You will see this in your log files:
spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO,UNPARSEABLE_RELAY scantime=0.5,size=723,user=root,uid=99,required_score=5.0,