====== Installing a Hetzner Dedicated Server ======
===== Partition layout =====
* md0: 8GB swap
* md1: 500MB /boot
* md2: 137GB /
* md3: 1TB iscsi
* md4: 1.7TB /srv
==== Mounting everything ====
Important when working from the Hetzner rescue system (assemble the RAID sets, then mount the system in the order the chroot needs):
<code>
mkdir -p /mnt/debian/
mdadm-startall
mount /dev/md2 /mnt/debian
mount /dev/md1 /mnt/debian/boot
mount /dev/md4 /mnt/debian/srv
mount -o bind /dev /mnt/debian/dev
mount -o bind /sys /mnt/debian/sys
mount -o bind /proc /mnt/debian/proc
</code>
==== r8168 driver ====
Hetzner recommends (or used to recommend) installing a proprietary network driver because the in-kernel one caused problems. The consequence is that after a dist-upgrade there is no working network any more. Removing the kernel's own r8168 driver from the module blacklist re-enables the in-kernel driver and networking works again.
==== iscsitarget ====
iscsitarget needs its own kernel driver but does not rebuild it during the dist-upgrade, so this has to be done by hand:
- apt-get install linux-headers-$(uname -r)
- apt-get install --reinstall iscsitarget-dkms
- apt-get install iscsitarget
==== systemd journal ====
systemd does everything differently, but not always worse. The journal of the last boot can be inspected to find errors.
The journal is enabled with:
<code>
install -d -g systemd-journal /var/log/journal
</code>
The journal is viewed with: journalctl
===== Dist upgrade =====
- apt-get update && apt-get -y upgrade
- switch /etc/apt/sources.list to stable. See also [[https://www.debian.org/releases/]]
- apt-get update && apt-get -y upgrade
- apt-get dist-upgrade
===== Installing LAMP =====
We install the following essential packages (plus a fair amount of extras):
* MariaDB + phpmyadmin
* Apache2 + php5
* dovecot + postfix + clamav + spamassassin
* Horde webmail
<code>
apt-get install postfix postfix-doc mariadb-client mariadb-server openssl rkhunter binutils dovecot-imapd sudo amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj clamav-docs zip apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger php-horde-webmail
</code>
===== SSL certificates =====
- adjust /etc/ssl/openssl.cnf
- openssl genrsa -out /etc/ssl/private/mail.key 4096
- openssl req -new -x509 -key /etc/ssl/private/mail.key -out /etc/ssl/private/mail.crt -days 10950
===== Horde webmail =====
- mysql -uroot -p
<code>
CREATE DATABASE horde;
GRANT ALL PRIVILEGES ON horde.* TO 'horde'@'localhost' IDENTIFIED BY 'PASSWORT';
FLUSH PRIVILEGES;
</code>
- webmail-install
- /etc/horde/imp/backends.php: enable the advanced servers, disable the others and enter the default mail domain under maildomain
===== dovecot =====
dovecot.conf:
<code>
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"
protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
auth_mechanisms = plain login
ssl=required
ssl_cert =
</code>
===== postfix =====
- main.cf:
<code>
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/private/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = backup.kcad.de, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
recipient_delimiter = +
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual_alias
# Auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
</code>
- append to the bottom of master.cf (the -o lines must be indented, otherwise Postfix reads them as new service entries):
<code>
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
</code>
- Enter the "delivery table" in /etc/postfix/virtual_alias:
<code>
berni@ex23.de berni@localhost
</code>
- postmap /etc/postfix/virtual_alias
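As an added example (not part of the original page), the POSIX shell script below reads a main.cf the way Postfix does (comments skipped, indented lines continuing the previous parameter, last definition wins) and checks the three settings from the main.cf above that decide whether the host becomes an open relay or still speaks SSLv2/SSLv3. The two sample files are constructed here: the first mirrors the values shown on this page, the second is a deliberately weak configuration. The function names postfix_get and postfix_audit are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): a small POSIX-sh audit of the
# relay- and TLS-relevant settings in a Postfix main.cf, exercised on two
# constructed sample files. Parameter names are real Postfix parameters.

# postfix_get PARAMETER FILE
# Prints the effective value of PARAMETER as Postfix would read it from FILE.
postfix_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        /^[ \t]/ {                              # continuation of the previous parameter
            if (cur == key) {
                s = $0; sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
                val = val " " s
            }
            next
        }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)
            v = substr($0, i + 1);    sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            cur = k
            if (k == key) { val = v; found = 1 }   # last definition wins
        }
        END { if (found) print val }
    ' "$2"
}

# postfix_audit FILE
# Prints one OK/FAIL line per check; returns non-zero if any check failed.
# Only settings written in FILE are examined, not compiled-in defaults or
# master.cf "-o" overrides.
postfix_audit() {
    cf=$1
    fails=0

    # 1. SSLv2 and SSLv3 must be excluded from the server-side TLS protocols.
    tls=$(postfix_get smtpd_tls_protocols "$cf")
    case "$tls" in
        *'!SSLv2'*'!SSLv3'*|*'!SSLv3'*'!SSLv2'*)
            echo "OK:   smtpd_tls_protocols excludes SSLv2 and SSLv3 ($tls)" ;;
        *)  echo "FAIL: smtpd_tls_protocols does not exclude SSLv2 and SSLv3 ('$tls')"
            fails=$((fails + 1)) ;;
    esac

    # 2. Relaying to foreign destinations must be rejected or deferred for
    #    unauthenticated clients in at least one of the two restriction lists.
    relay="$(postfix_get smtpd_relay_restrictions "$cf") $(postfix_get smtpd_recipient_restrictions "$cf")"
    case "$relay" in
        *reject_unauth_destination*|*defer_unauth_destination*)
            echo "OK:   relaying to foreign destinations requires authentication" ;;
        *)  echo "FAIL: no reject/defer_unauth_destination in relay or recipient restrictions (open relay)"
            fails=$((fails + 1)) ;;
    esac

    # 3. permit_mynetworks must not cover the whole internet.
    nets=$(postfix_get mynetworks "$cf")
    case " $nets " in
        *' 0.0.0.0/0 '*|*' [::]/0 '*)
            echo "FAIL: mynetworks trusts every client ($nets)"
            fails=$((fails + 1)) ;;
        *)  echo "OK:   mynetworks is restricted to: $nets" ;;
    esac

    [ "$fails" -eq 0 ]
}

# Constructed sample 1: the relevant lines of the main.cf shown above, with one
# parameter spread over continuation lines to exercise the parser.
GOOD_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
# TLS parameters
smtpd_use_tls=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
recipient_delimiter = +
EOF

# Constructed sample 2: a weak configuration (open relay, SSLv3 still allowed).
BAD_CF=$(mktemp)
cat > "$BAD_CF" <<'EOF'
smtpd_tls_protocols = !SSLv2
smtpd_relay_restrictions = permit_mynetworks
mynetworks = 0.0.0.0/0
EOF
trap 'rm -f "$GOOD_CF" "$BAD_CF"' EXIT

echo "== sample 1 (configuration from this page) =="
postfix_audit "$GOOD_CF"
echo "== sample 2 (constructed weak configuration) =="
postfix_audit "$BAD_CF" || echo "-> audit failed"
```

On the real host run postfix_audit /etc/postfix/main.cf; compare with postconf -h <parameter>, which also shows compiled-in defaults that a file-only check cannot see. The submission, smtps and smtp-amavis listeners override these parameters with -o lines in master.cf, so their effective restrictions have to be read there.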
===== seafile =====
- First of all: mkdir /opt/seafile
- download the seafile tar.gz and unpack it
- run setup-seafile-mysql.sh
- /opt/seafile/conf/seafdav.conf:
<code>
[WEBDAV]
enabled = true
port = 8080
fastcgi = false
share_name = /seafdav
</code>
- /etc/systemd/system/seafile.service:
<code>
[Unit]
Description=Seafile services
After=mysql.service
[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh start"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh stop"
PIDFile=/opt/seafile/pids/ccnet.pid
[Install]
WantedBy=multi-user.target
</code>
- /etc/systemd/system/seahub.service:
<code>
[Unit]
Description=Seahub frontend service
Requires=seafile.service
After=seafile.service
[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh start-fastcgi"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh stop"
[Install]
WantedBy=seafile.service
</code>
- Start the services at boot: systemctl enable seahub.service && systemctl enable seafile.service
- In the respective apache vhost entry:
<code>
RewriteEngine On
Alias /media /opt/seafile/seafile-server-latest/seahub/media
FastCGIExternalServer /srv/www/seahub.fcgi -host 127.0.0.1:8000
FastCGIExternalServer /srv/www/seafdav.fcgi -host 127.0.0.1:8080
#
# seafile fileserver
#
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
#
# seafile webdav
#
RewriteCond %{HTTP:Authorization} (.+)
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L,e=HTTP_AUTHORIZATION:%1]
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L]
#
# seahub
#
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Require all granted
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</code>
===== Amavisd - spam and virus protection for mail =====
- /etc/amavis/conf.d/15-content_filter_mode:
<code>
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
...
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
</code>
- In /etc/clamav/clamd.conf: AllowSupplementaryGroups true
- Fix up the groups: usermod -a -G amavis clamav
- add to /etc/postfix/main.cf:
<code>
#Content Filter
content_filter=smtp-amavis:[127.0.0.1]:10024
</code>
- add to /etc/postfix/master.cf (the -o lines must be indented):
<code>
smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_tls_security_level=none
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_security_level=none
</code>
==== Testing ====
A mail containing the following line tests the virus scanner:
<code>
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
</code>
A mail containing the following line tests the spam filter:
<code>
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
</code>
===== dovecot-sieve =====
Sieve provides server-side mail filtering. This is quite practical: you do not have to set up your filters on each device separately. On top of that, the filters are very easy to create via Horde/Ingo.
- Installation: apt-get install dovecot-managesieved dovecot-lmtp
- dovecot.conf ...
<code>
protocols = imap sieve lmtp
service managesieve-login {
  inet_listener sieve {
    port = 4190
    address = 127.0.0.1
  }
  service_count = 1
  process_min_avail = 1
  vsz_limit = 64M
}
service managesieve {
  process_limit = 10
}
plugin {
  sieve_before = /srv/mail/sieve/spam-global.sieve
  sieve_dir = /srv/mail/%d/%n/sieve
  sieve = /srv/mail/%d/%n/%u.sieve
}
protocol lmtp {
  postmaster_address = admin@ex23.de
  mail_plugins = $mail_plugins sieve
  info_log_path = /var/log/dovecot-lmtp.log
}
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
</code>
...
- postfix/main.cf: ...
<code>
#Sieve
virtual_transport = lmtp:unix:private/dovecot-lmtp
</code>
...
- So that it survives updates: cd /etc/horde/ingo; cp backends.php backends.local.php; cp hooks.php.dist hooks.local.php
- Disable IMAP in backends.local.php: ...
<code>
/* IMAP Example */
$backends['imap'] = array(
    // ENABLED by default
    'disabled' => true,
    'transport' => array(
        Ingo::RULE_ALL => array(
            'driver' => 'null',
            'params' => array(),
</code>
...
- Enable Sieve in backends.local.php: ...
<code>
/* Sieve Example */
$backends['sieve'] = array(
    // Disabled by default
    'disabled' => false,
    'transport' => array(
        Ingo::RULE_ALL => array(
            'driver' => 'timsieved',
            'params' => array(
</code>
...
- insert into hooks.local.php: ...
<code>
public function transport_auth($driver)
{
    switch ($driver) {
    case 'timsieved':
        // Example #1: Use full Horde username for password.
        // This is generally needed for sieve servers.
        $full_user = $GLOBALS['registry']->getAuth(null);
        return array('euser' => $full_user, 'username' => $full_user);
    }
    return true;
}
</code>
...