Open Source: Postfix Mail Relay, SPAM filter, DNS Server, Web Server, AWStats, ISPConfig3 and More!


Everyone out there hates SPAM, right? I know I do. And my domain isn’t out there that much, so I can’t say that I get anywhere near as much SPAM mail as some large enterprise businesses do. What If I told you that your Barracuda Spam filter, or your McAfee Spam Filter, or whatever paid product, is junk? What if I told you that we can get you up and running with a FREE SPAM filter for your mail server. What if I told you that it was just as easy to setup and use as your current SPAM filter? How about this question: How much are you paying for your current SPAM filter?

Well, this blog post is getting put together for all you people out there that love spending money on useless junk. Welcome to the world of Free Software projects that have been around for well more than a decade. Instead of paying $100+ grand a year on an appliance, how about you employ a real person to manage a few Linux boxes? That’s entirely what we’re planning right here. So come along, we’re going to show you how to setup your already existing Microsoft Exchange server to sit in a more secure, higher tier DMZ, and setup a Debian server, from scratch, to host a Postfix server that is going to work with Amavis, Spam Assassin, and ClamAV to securely inspect all your mail.

Warning… This blog is long. Be prepared, and make sure you have TIME!

I very seriously recommend following my previous blog on how to build a Debian Server: Debian Minimal Install

 
 

But if you want to just push forward, just follow these instructions:
 
 
Let’s start with getting your Debian server built and running. Start with getting a Virtual Machine up and running. Boot to your Small Debian ISO and kick off the install.
 
You can really just hit “next” on many of the screens during the install. English language, USA, keyboard layout American English, etc…
 
Make sure you pick a server name that is going to last a while, like CompanySPAM01, or something unique like that.
 
Setup your domain name, root password, user accounts, etc…
 
Setup your partitions however you deem fit, install packages, pick a local Debian Mirror repository, etc…
 
NOW, when you get to Software Selection, DO NOT INSTALL “Graphical Desktop Environment”. The only thing you need is an SSH Server and the “Standard System Utilities”.
 

Install the GRUB boot loader as normal, and boom, you’re done!

 
 

Alright, so boot up your new Debian server, and lets get going. Log in as root or whatever user you created and lets get some housekeeping completed.

 

So Let’s get a static Address on this thing by editing this file: /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

 

And you can restart networking with this:

/etc/init.d/networking restart

 

Next we’ll get the SSH Server so we can get some remote access to this server.

apt-get install ssh openssh-server openssh-client

 

When that’s done you should be able to SSH from your local machine to this virtual host using:

ssh steve@192.168.0.100

 
 

You’ll probably want to sudo from this user, so if that’s the case:

su root
Password:
# apt-get install sudo
#nano /etc/sudoers

 
 

When Editing the sudoers file, if you break it, have fun! Just copy the line where root is and paste it right below, change the name root to your username. Like this:

# User privilege specification
root ALL=(ALL) ALL
steve ALL=(ALL) ALL

 
 

Now, we need to update this thing to install “Dotdeb” software. So Edit your “/etc/apt/sources.list”

# Dotdeb repository
deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all

 
 

Now we can add the GPG key:

wget http://www.dotdeb.org/dotdeb.gpg
cat dotdeb.gpg | sudo apt-key add -
Ok!
#apt-get update
apt-get upgrade

 
 

Now we need to make sure that NTP is installed and running properly on our new server, we’ll also need Postfix, Amavisd, SpamAssassin, ClamAV, and a slew of other software. And at the same time go ahead and install Bind9 if you plan on hosting your Externally facing DNS zones from here. It’s not a bad idea, and even if you’re a small company, you can easily do this on your own.

apt-get install ntp ntpdate

 

Then you can “sudo nano /etc/ntp.conf”

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

server kerberos.mydomain.com #insert your PDC here
server kerberos2.mydomain.com #secondary DC
server kerberos3.mydomain.com #third DC
server 1.ubuntu.pool.ntp.org #fall back to Ubuntu's NTP
server 2.ubuntu.pool.ntp.org #
server 3.ubuntu.pool.ntp.org #
#

 
 

Now install more software:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils

 

During the install, Postfix will ask you for what type of site, make sure to choose “INTERNET SITE”. The System mail name is going to be the primary domain name that you own and operate. In my case this is “erdmanor.com” Then you’ll be prompted to setup passwords for MySQL.

 

If you do a “netstat -ntap” you’ll see that MySQL is running binded to local loopback (127.0.0.1). We don’t want this. We need to make sure that MySQL is listening on all Interfaces, so edit out the bind address in this file “/etc/mysql/my.cnf”. Make sure to look at all the other options you can set in there too. It’s a pretty big conf file.

 

And when you’re done, restart the MySQL Server like this: “sudo /etc/init.d/mysql restart”

#bind-address = 127.0.0.1

 
 

Now rerun your “netstat -ntap” and verify that it’s running on 0.0.0.0:3306.

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -

 
 

Alright, so let’s get some SPAM killing software installed. Running this command will prompt you to install this software and a ton of dependencies. Save your scroll back and you can go through that stuff later.

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl nginx

 
 

Awesome, now we have most of the software we need. Let’s get the website up and running for our PHPMyAdmin site and ISPConfig3 software. Now, I’m no PHP wizard or expert, but all of these packages are necessary. If you need more information, I’ve left some links in the sources portion of this blog, all the way at the bottom. Again, you’ll see a bunch of dependencies installed here.

apt-get install php5-fpm php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl fcgiwrap

 
 

Now we’re ready to install PhpMyAdmin:

apt-get install phpmyadmin

 

You’ll see that Apache is installed at this time, again with many other dependencies. When installing this software, make sure that you answer these questions:
1. Webserver to reconfigure: (this is a checkbox, dont check either of them).
2. Configure database for phpmyadmin with dbconfig-common?: NO

PhpMyAdmin is installed into this directory: “/usr/share/phpmyadmin/” You can check it out like this:

ls -alh /usr/share/phpmyadmin/

 
 

Like I stated before, Apache is installed now. We need to stop the Apache service while we’re configuring the server, and we need to make sure that Apache doesn’t start with the system too. We’ll turn it back on later. Then we can get nginx (Pronounced, Engine-X) started up.

sudo /etc/init.d/apache2 stop
sudo insserv -r apache2
sudo /etc/init.d/nginx start

 
 

Now we can get DNS working, but first we need to install it. We’ll configure it later.

apt-get install bind9 dnsutils

 
 

If you’re looking to get some statistics from your server and analize logs, etc… you’ll want to get some stat software installed.

“Vlogger is a little piece of code borned to handle dealing with large amounts of virtualhost logs. it’s bad news that apache can’t do this on its own. vlogger takes piped input from apache, splits it off to separate files based on the first field. it uses a file handle cache so it can’t run out of file descriptors. it will also start a new logfile every night at midnight, and maintain a symlink to the most recent file. for security, it can drop privileges and do a chroot to the logs directory.”

 

“The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.”

 

“AWStats is a free powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages. It uses a partial information file to be able to process large log files, often and quickly. It can analyze log files from all major server tools like Apache log files (NCSA combined/XLF/ELF log format or common/CLF log format), WebStar, IIS (W3C log format) and a lot of other web, proxy, wap, streaming servers, mail servers and some ftp servers.”

 

apt-get install vlogger webalizer awstats geoip-database

 
 

First thing we’ll do here is stop the AWStats cron job by commenting out all the lines in the AWStats Cron job. Start by editing this file: “/etc/cron.d/awstats”

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
#
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 
 

Next we’re going to make sure that Apache is stopped and that nginx is running so that we can install ISPConfig3. This is super important, otherwise you’ll have all kinds of issues when you install ISPConfig3!

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/nginx restart

 
 

Now you need to download ISPConfig3 from their website. http://www.ispconfig.org/ispconfig-3/download/

cd ~/tarballs #create this directory if it doesn't exist.
wget http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.4.6.tar.gz
tar -zxvf ISPConfig-3.0.4.6.tar.gz
cd ~/tarballs/ispconfig3_install/install/
sudo php -q install.php

 
 

Now that the installer is running for ISPConfig3, and this will help you configure all the necessary services for you.

steve@:~/tarballs/ispconfig3_install/install$ sudo php -q install.php
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ming.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ps.ini on line 1 in Unknown on line 0

--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with .
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: en

Installation mode (standard,expert) [standard]: standard

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server.erdmanor.com]:

MySQL server hostname [localhost]:

MySQL root username [root]:

MySQL root password []: {generate a long password here}

MySQL database to create [dbispconfig]: {something clever}

MySQL charset [utf8]:

Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]: nginx

Generating a 2048 bit RSA private key
.......+++
..................................................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
Organizational Unit Name (eg, section) []:IT-IS
Common Name (eg, YOUR name) []:Steve Erdman
Email Address []:webmaster
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
PHP Warning: chmod(): No such file or directory in /home/steve/tarballs/ispconfig3_install/install/lib/installer_base.lib.php on line 838
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
sh: cannot create /etc/pure-ftpd/conf/ChrootEveryone: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/BrokenClientsCompatibility: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/DisplayDotFiles: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/DontResolve: Directory nonexistent
Configuring MyDNS
Configuring nginx
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
PHP Notice: Undefined index: fail2ban in /home/steve/tarballs/ispconfig3_install/install/install.php on line 263
Installing ISPConfig
ISPConfig Port [8080]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................................................................................................++
.............................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Concord-Twp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
Organizational Unit Name (eg, section) []:IT-IS
Common Name (eg, YOUR name) []:Steve Erdman
Email Address []:webmaster@erdmanor.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Erdman.cc
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld ..
Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Reloading PHP5 FastCGI Process Manager: php5-fpm.
Reloading nginx configuration: nginx.
Restarting nginx: nginx.
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
Installation completed.

 
 
 

Now that you have ISPConfig3 installed, pop open a web browser and head over to your new ISPConfig3 control panel. The default credentials are super secure: admin:admin. Obviously you’re going to be changing those… RIGHT?!

 

You need to start by adding a new website to your ISPConfig3 admin console. So Click on “Sites” then “Create new website…”

 

Here you need to fill out the proper information. Server the site is hosted on, Domain Name you’re hosting, if you need CGI, SSI, SSL and the type of PHP you want. Obviously it’ll be active.

 

From what I’ve seen out on some other websites, we need to create some “mod_rewrite” aliases. Reason being is that the PhpMyAdmin console needs to be available from a few different URL’s. So If you’re hosting multiple hostnames or domains from this server, you’ll basically need to create an vhost alias for each one. It’s a lot of manual work, but at the end of the day it’ll be worth it. I got this code snippet from the www.howtoforge.com website, so make sure to visit them and say thanks!

This code MUST go into the “nginx Directives” field on the Options tab of each website managed inside ISPConfig3, as you can see in the graphic:

 location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;

 
 

Now, from a security perspective, I would highly recommend disabling http (port 80) and only using https (SSL over port 443). I’m not stupid though and realize that not everyone can afford to pay for a site certificate. If you’re a small organization, make sure to only allow access to this server from the Internal network of your organization. Obviously this server should be sitting in your multi tiered DMZ as I outlined in a previous blog Serious network architecture that works for everyone.

 location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param HTTPS on; # fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}

 
 

If you are using HTTPS across your site and you want to force user to use that, then you need to edit your “/etc/nginx/nginx.conf” conf file with this code below. Make sure that code gets placed inside your braces of the HTTP area, otherwise you’ll have all sorts of issues getting this to work:

http {
## Detect when HTTPS is used
map $scheme $fastcgi_https {
default off;
https on;
}
}

 

 

Then restart nginx:

sudo /etc/init.d/nginx restart

 
 

For nginx to work over both HTTP and HTTPS, you’ll need to go into your “nginx Directives” again and instead of the “fastcgi_param HTTPS on”, you need to add the line “fastcgi_param HTTPS $fastcgi_https” so that requests will work over both protocols.

 location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param HTTPS $fastcgi_https; # fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}

 
 

Now, lets get back to the Mail setup. Start with running the “newaliases” command, then restart Postfix.

newaliases
/etc/init.d/postfix restart

 
 

So from here on out everything should be able to be managed from the ISPConfig3 Control Panel. if you have any further questions, feel free to contact me!

 
 
 
 

Sources:
http://www.dotdeb.org/
http://wiki.nginx.org/Main
http://php-fpm.org/about/
http://php.net/manual/en/book.apc.php
http://www.if-not-true-then-false.com/2012/php-apc-configuration-and-usage-tips-and-tricks/
http://nginx.localdomain.pl/wiki/FcgiWrap
http://wiki.nginx.org/Fcgiwrap
http://community.linuxmint.com/software/view/vlogger
http://www.webalizer.org/
http://awstats.sourceforge.net/
http://www.howtoforge.com/perfect-server-debian-squeeze-debian-6.0-with-bind-dovecot-and-nginx-ispconfig-3

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
Tagged , , , , , , , , , . Bookmark the permalink.

Comments are closed.