Wichtig bei Verwendung des Hetzner Rescue-Systems.
# Bring up the md arrays from the rescue system and mount the installed
# Debian tree under /mnt/debian. mdadm-startall is a helper of the rescue
# system (presumably it assembles all software-RAID arrays - confirm).
mkdir -p /mnt/debian/
mdadm-startall
mount /dev/md2 /mnt/debian
mount /dev/md1 /mnt/debian/boot
mount /dev/md4 /mnt/debian/srv
# Bind the rescue system's /dev, /sys and /proc into the tree
# (presumably in preparation for a chroot into /mnt/debian).
for pseudo in dev sys proc; do
  mount -o bind "/$pseudo" "/mnt/debian/$pseudo"
done
Hetzner empfiehlt (empfahl) die Installation eines proprietaeren Netzwerktreibers, da der Kernel-interne Probleme machte. Das fuehrt dazu, dass nach dist-upgrade kein Netzwerk mehr funktioniert. Ein Entfernen des Kernel-eigenen r8168 Treibers aus der Module Blacklist aktiviert den Kernel-internen Treiber wieder und Netzwerk geht wieder.
iscsitarget braucht seinen Kernel-treiber, aber baut den nicht waehrend des dist-upgrades neu, daher muss das haendisch erledigt werden:
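# Rebuild the iscsitarget kernel module by hand, since the dist-upgrade does
# not do it. "uname -r" names the kernel that is running right now: inside a
# rescue-system chroot, or before rebooting into the upgraded kernel, that is
# not the kernel the installed system will boot, so check that the headers
# match the kernel the module is needed for.
apt-get install "linux-headers-$(uname -r)"
apt-get install --reinstall iscsitarget-dkms
apt-get install iscsitarget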
Systemd macht alles anders, aber nicht immer schlechter. Das Journal des letzten Bootens kann man sich anschauen und Fehler finden. Das Journal wird aktiviert mittels:
install -d -g systemd-journal /var/log/journal
Das Journal wird betrachtet mittels:
journalctl
apt-get update && apt-get -y upgrade
apt-get update && apt-get -y upgrade
apt-get dist-upgrade
Wir installieren folgende wesentliche Pakete (und noch einiges an Beiwerk):
apt-get install postfix postfix-doc mariadb-client mariadb-server openssl rkhunter binutils dovecot-imapd sudo amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj clamav-docs zip apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger php-horde-webmail
openssl genrsa -out /etc/ssl/private/mail.key 4096
openssl req -new -x509 -key /etc/ssl/private/mail.key -out /etc/ssl/private/mail.crt -days 10950
Der private Schluessel sollte nur fuer root lesbar sein (chmod 600 /etc/ssl/private/mail.key).
===== Horde webmail =====
mysql -uroot -p
CREATE DATABASE horde;
GRANT ALL PRIVILEGES ON horde.* TO 'horde'@'localhost' IDENTIFIED BY 'PASSWORT';
FLUSH PRIVILEGES;
'PASSWORT' ist ein Platzhalter und muss durch ein eigenes, starkes Passwort ersetzt werden.
webmail-install
dovecot.conf:
# NOTE(review): with "no", Dovecot does not tell clients that plaintext logins
# are disabled. Together with ssl=required further down, a client that sends
# its password before STARTTLS is refused, but the password has by then
# already crossed the wire in clear. "yes" looks like the safer pairing -
# confirm against the documentation of the installed Dovecot version.
disable_plaintext_auth = no
mail_privileged_group = mail
# Mail is stored as Maildir below each user's home directory.
mail_location = maildir:~/Maildir
# Users are looked up in the system passwd database ...
userdb {
driver = passwd
}
# ... and their passwords are checked through PAM.
# NOTE(review): %s presumably expands to the service name, which is then used
# as the PAM service - confirm.
passdb {
args = %s
driver = pam
}
# Only IMAP is offered to clients.
protocols = " imap"
protocol imap {
mail_plugins = " autocreate"
}
# Settings of the autocreate plugin: the folders Trash and Sent are created
# and subscribed.
plugin {
autocreate = Trash
autocreate2 = Sent
autosubscribe = Trash
autosubscribe2 = Sent
}
# Authentication socket inside the Postfix spool directory, owned by
# postfix:postfix with mode 0660, so only Postfix can talk to it.
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
# PLAIN and LOGIN both transmit the password itself; its confidentiality
# rests entirely on the TLS layer.
auth_mechanisms = plain login
# TLS is mandatory for client connections.
ssl=required
# The leading "<" makes Dovecot read the value from the named file.
ssl_cert = </etc/ssl/private/mail.crt
ssl_key = </etc/ssl/private/mail.key
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
# Certificate and key are the same files that dovecot.conf uses.
smtpd_tls_cert_file=/etc/ssl/private/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
# NOTE(review): smtpd_use_tls=yes only offers STARTTLS (opportunistic TLS);
# a client may carry on without encryption.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Relaying is allowed for local networks and authenticated clients only.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# <hostname> is a placeholder for the server's own host name.
myhostname = <hostname>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = backup.kcad.de, localhost
relayhost =
# Only loopback addresses count as "mynetworks".
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
# (repeats the recipient_delimiter setting from a few lines above)
recipient_delimiter = +
# Outbound deliveries use TLS when the remote server offers it.
smtp_tls_security_level = may
# Refuse SSLv2/SSLv3 for opportunistic inbound TLS.
# NOTE(review): listeners with a mandatory TLS level are governed by
# smtpd_tls_mandatory_protocols instead of this parameter.
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# <virtual domains> is a placeholder for the list of alias domains.
virtual_alias_domains = <virtual domains>
virtual_alias_maps = hash:/etc/postfix/virtual_alias
# Auth
# NOTE(review): AUTH is switched on here for every smtpd listener, including
# port 25 where TLS is only optional (smtpd_use_tls=yes above). No
# smtpd_tls_auth_only is set in this excerpt, so a client can send its
# password over an unencrypted session; smtpd_tls_auth_only = yes would
# restrict AUTH to TLS-protected sessions.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
# Also announce AUTH in the obsolete "AUTH=" form for legacy clients.
broken_sasl_auth_clients = yes
# Authentication is delegated to Dovecot through the socket private/auth
# (relative to the Postfix queue directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Submission service: TLS is mandatory (security level "encrypt") and only
# SASL-authenticated clients are accepted.
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
# SMTPS service: TLS wrapper mode, otherwise the same authentication policy
# as the submission service.
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
berni@ex23.de berni@localhost
postmap /etc/postfix/virtual_alias
mkdir /opt/seafile
[WEBDAV] enabled = true port = 8080 fastcgi = false share_name = /seafdav
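# systemd unit for the Seafile server; the service runs as the user "seafile"
# and is ordered after mysql.service.
[Unit]
Description=Seafile services
After=mysql.service

[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh start"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh stop"
PIDFile=/opt/seafile/pids/ccnet.pid

[Install]
# The target name must be spelled out in full, otherwise "systemctl enable"
# hooks the unit into a target that does not exist.
WantedBy=multi-user.target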
# systemd unit for the Seahub web front end; it requires seafile.service,
# starts after it and runs as the user "seafile".
[Unit]
Description=Seahub frontend service
Requires=seafile.service
After=seafile.service

[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh start-fastcgi"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh stop"

[Install]
WantedBy=seafile.service
systemctl enable seahub.service && systemctl enable seafile.service
RewriteEngine On
# Static assets are served directly from the Seahub media directory.
Alias /media /opt/seafile/seafile-server-latest/seahub/media
# Seahub and SeafDAV back ends, addressed over loopback ports 8000 and 8080.
FastCGIExternalServer /srv/www/seahub.fcgi -host 127.0.0.1:8000
FastCGIExternalServer /srv/www/seafdav.fcgi -host 127.0.0.1:8080
#
# seafile fileserver
#
# /seafhttp is proxied to the file server on loopback port 8082; the rewrite
# rule below stops further rewriting for these requests.
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]
#
# seafile webdav
#
# The RewriteCond applies only to the rule directly after it: requests that
# carry an Authorization header get its value copied into HTTP_AUTHORIZATION.
# The second rule handles requests without that header.
# NOTE(review): these rules pass WebDAV credentials on to the back end; no TLS
# directive is visible in this excerpt - confirm the enclosing vhost is
# HTTPS-only.
RewriteCond %{HTTP:Authorization} (.+)
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L,e=HTTP_AUTHORIZATION:%1]
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L]
#
# seahub
#
# Media requests pass through to the Alias; everything else that is not an
# existing file goes to Seahub, with the Authorization header forwarded.
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# NOTE(review): Order/Allow (Apache 2.2 syntax) and Require (2.4 syntax) are
# mixed in this block; on Apache 2.4 keeping only "Require all granted"
# avoids relying on mod_access_compat - confirm for the installed version.
<Directory /opt/seafile/seafile-server-latest/seahub/media>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
# NOTE(review): this block uses 2.2-style access directives only.
<Location /media>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Location>
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); ... @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
AllowSupplementaryGroups true
usermod -a -G amavis clamav
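#Content Filter
# Hand all mail to amavis on loopback port 10024. The setting has to sit on
# its own line; appended to the comment line it would be ignored.
content_filter=smtp-amavis:[127.0.0.1]:10024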
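# Transport that delivers mail to amavis, limited to 2 parallel processes.
# The "-o" lines are indented because master.cf treats only lines starting
# with whitespace as a continuation of the service entry above them.
smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_tls_security_level=none
# Listener on loopback port 10025 that takes mail back from amavis. It clears
# content_filter so the mail is not filtered a second time, and accepts
# clients from mynetworks only.
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_security_level=none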
Eine Mail mit dem Inhalt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
testet den Virenscanner. Eine Mail mit dem Inhalt
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
testet den Spamfilter.
Sieve dient zur serverseitigen Mailfilterung. Das ist ganz praktisch: Man muss seine Filter nicht auf verschiedenen Geraeten einrichten. Noch dazu lassen sich die Filter per Horde/Ingo super einfach erstellen.
apt-get install dovecot-managesieved dovecot-lmtp
...
protocols = imap sieve lmtp

# ManageSieve login listener on port 4190, bound to 127.0.0.1 only.
service managesieve-login {
  inet_listener sieve {
    port = 4190
    address = 127.0.0.1
  }
  service_count = 1
  process_min_avail = 1
  vsz_limit = 64M
}

service managesieve {
  process_limit = 10
}

# Sieve script locations: one global script that runs before the user's own
# script, plus per-user paths below /srv/mail.
plugin {
  sieve_before = /srv/mail/sieve/spam-global.sieve
  sieve_dir = /srv/mail/%d/%n/sieve
  sieve = /srv/mail/%d/%n/%u.sieve
}

# LMTP delivery loads the sieve plugin on top of the global mail_plugins.
protocol lmtp {
  postmaster_address = admin@ex23.de
  mail_plugins = $mail_plugins sieve
  info_log_path = /var/log/dovecot-lmtp.log
}

# LMTP socket inside the Postfix spool, accessible to the postfix user only
# (mode 0600).
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
...
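...
#Sieve
# Deliver through Dovecot's LMTP socket. The setting has to sit on its own
# line; appended to the comment line it would be ignored.
virtual_transport = lmtp:unix:private/dovecot-lmtp
...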
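# Copy backends.php and hooks.php.dist to their *.local.php names.
# The copies run only if the directory change succeeded, so a failed cd
# cannot make cp act on files in some other directory.
cd /etc/horde/ingo && {
  cp backends.php backends.local.php
  cp hooks.php.dist hooks.local.php
}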
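...
    /**
     * Hook that supplies authentication data for an Ingo transport driver.
     *
     * For the 'timsieved' driver both 'euser' and 'username' are set to the
     * value of $GLOBALS['registry']->getAuth(null); every other driver gets
     * true.
     *
     * @param string $driver  Name of the transport driver.
     *
     * @return mixed  Array with 'euser' and 'username', or true.
     */
    public function transport_auth($driver)
    {
        switch ($driver) {
        case 'timsieved':
            // Example #1: Use full Horde username for password.
            // This is generally needed for sieve servers.
            // Each comment stays on its own line so the statements below
            // it are not swallowed by the "//".
            $full_user = $GLOBALS['registry']->getAuth(null);
            return array('euser' => $full_user,
                         'username' => $full_user);
        }

        return true;
    }
...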