
Installing a dedicated server from Hetzner

Partition layout

Mount everything

Important when using the Hetzner rescue system.

mkdir -p /mnt/debian/; mdadm-startall; mount /dev/md2 /mnt/debian; mount /dev/md1 /mnt/debian/boot; mount /dev/md4 /mnt/debian/srv; mount -o bind /dev /mnt/debian/dev; mount -o bind /sys /mnt/debian/sys; mount -o bind /proc /mnt/debian/proc

r8168 driver

Hetzner recommends (recommended) installing a proprietary network driver because the in-kernel one caused problems. The consequence is that after a dist-upgrade networking no longer works. Removing the kernel's own r8168 driver from the module blacklist re-enables the in-kernel driver and networking works again.

iscsitarget

iscsitarget needs its kernel driver but does not rebuild it during the dist-upgrade, so this has to be done by hand:

  1. apt-get install linux-headers-$(uname -r)
  2. apt-get install --reinstall iscsitarget-dkms
  3. apt-get install iscsitarget

systemd journal

systemd does everything differently, but not always worse. You can look at the journal of the last boot and find errors. The journal is enabled with:

install -d -g systemd-journal /var/log/journal

The journal is viewed with:

journalctl

Dist upgrade

  1. apt-get update && apt-get -y upgrade
  2. switch /etc/apt/sources.list to stable. See also https://www.debian.org/releases/
  3. apt-get update && apt-get -y upgrade
  4. apt-get dist-upgrade

Installing LAMP

We install the following essential packages (plus a fair amount of extras):

  1. apt-get install postfix postfix-doc mariadb-client mariadb-server openssl  rkhunter binutils dovecot-imapd sudo amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj clamav-docs zip apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils  ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger php-horde-webmail

SSL certificates

  1. Adjust /etc/ssl/openssl.cnf
  2. openssl genrsa -out /etc/ssl/private/mail.key 4096
  3. openssl req -new -x509 -key /etc/ssl/private/mail.key -out /etc/ssl/private/mail.crt -days 10950

Horde webmail

  1. mysql -uroot -p
    CREATE DATABASE horde;
    GRANT ALL PRIVILEGES ON horde.* TO 'horde'@'localhost' IDENTIFIED BY 'PASSWORT';
    FLUSH PRIVILEGES;
  2. webmail-install
  3. /etc/horde/imp/backends.php: enable the "advanced" servers, disable the others, and enter the default mail domain under maildomain

dovecot

dovecot.conf:

disable_plaintext_auth = no 
mail_privileged_group = mail
mail_location = maildir:~/Maildir
userdb {
  driver = passwd
}
passdb {
  args = %s 
  driver = pam
}
protocols = " imap"

protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }  
}
auth_mechanisms = plain login
ssl=required
ssl_cert = </etc/ssl/private/mail.crt
ssl_key = </etc/ssl/private/mail.key

postfix

  1. main.cf:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no 
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no 
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/private/mail.crt
    smtpd_tls_key_file=/etc/ssl/private/mail.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = <hostname>
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = backup.kcad.de, localhost
    relayhost =  
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    home_mailbox = Maildir/
    recipient_delimiter = +
    smtp_tls_security_level = may
    smtpd_tls_protocols = !SSLv2, !SSLv3
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    virtual_alias_domains = <virtual domains>
    virtual_alias_maps = hash:/etc/postfix/virtual_alias
    # Auth
    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
    broken_sasl_auth_clients = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
  2. append at the bottom of master.cf:
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
  3. Enter the "delivery table" in /etc/postfix/virtual_alias:
    berni@ex23.de    berni@localhost
  4. postmap /etc/postfix/virtual_alias
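As an added example (not code from the original page), a small Python script that reads a main.cf the way Postfix does (comments, continuation lines, `$name` and `${name}` references) and reports the settings in the configuration above that deserve a second look: the duplicated `recipient_delimiter`, an `smtpd_tls_protocols` that excludes only SSLv2/SSLv3 and therefore still offers TLSv1, and the legacy `smtpd_use_tls` parameter. The sample configuration inside the script is a constructed, trimmed copy of the page's main.cf; the check wording is the script's own.

```python
"""Parse a Postfix main.cf and flag settings worth reviewing.

Added example, not code from the original page. SAMPLE_MAIN_CF below is a
constructed, trimmed copy of the main.cf shown above.
"""
import re

SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/private/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
recipient_delimiter = +
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
"""


def parse_main_cf(text):
    """Return (settings, duplicated_keys).

    Postfix rules: '#' lines are comments, a line starting with whitespace
    continues the previous logical line, and a repeated parameter silently
    overrides the earlier value (so it is recorded as a duplicate here).
    """
    settings, duplicates, key = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation line
            settings[key] = settings[key] + " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value.strip()
    return settings, duplicates


def expand(settings, value, depth=0):
    """Resolve $name and ${name} references like postconf does (bounded depth)."""
    if depth > 10:
        return value
    return re.sub(
        r"\$\{(\w+)\}|\$(\w+)",
        lambda m: expand(settings, settings.get(m.group(1) or m.group(2), ""), depth + 1),
        value,
    )


def review(settings, duplicates):
    """Return human-readable findings about the parsed configuration."""
    findings = [f"{k}: set more than once, the last value silently wins" for k in duplicates]
    protos = {p for p in re.split(r"[,\s]+", settings.get("smtpd_tls_protocols", "")) if p}
    if protos and "!TLSv1" not in protos:
        findings.append("smtpd_tls_protocols: TLSv1 is not excluded, only SSLv2/SSLv3 are")
    if settings.get("smtpd_use_tls") == "yes" and "smtpd_tls_security_level" not in settings:
        findings.append("smtpd_use_tls: legacy parameter, use smtpd_tls_security_level = may")
    relay = expand(settings, settings.get("smtpd_relay_restrictions", "")).split()
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay):
        findings.append("smtpd_relay_restrictions: nothing stops unauthenticated relaying")
    if any(net.endswith("/0") for net in settings.get("mynetworks", "").split()):
        findings.append("mynetworks: contains a /0 network, every client counts as trusted")
    return findings


if __name__ == "__main__":
    parsed, dups = parse_main_cf(SAMPLE_MAIN_CF)
    for finding in review(parsed, dups):
        print("-", finding)
```

Point `parse_main_cf` at the contents of the real /etc/postfix/main.cf to run the same checks against the live file; `postconf -n` output can be fed in the same way, since it uses the same `key = value` form.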

seafile

  1. First:
    mkdir /opt/seafile
  2. Download the seafile tar.gz and unpack it
  3. Run setup-seafile-mysql.sh
  4. /opt/seafile/conf/seafdav.conf:
    [WEBDAV]
    enabled = true
    port = 8080
    fastcgi = false
    share_name = /seafdav
  5. /etc/systemd/system/seafile.service:
    [Unit]
    Description=Seafile services
    After=mysql.service
    
    [Service]
    Type=forking
    User=seafile
    ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh start"
    ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh stop"
    PIDFile=/opt/seafile/pids/ccnet.pid
    
    [Install]
    WantedBy=multi-user.target
  6. /etc/systemd/system/seahub.service:
    [Unit]
    Description=Seahub frontend service
    Requires=seafile.service
    After=seafile.service
    
    [Service]
    Type=forking
    User=seafile
    ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh start-fastcgi"
    ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh stop"
    
    [Install]
    WantedBy=seafile.service
  7. Start the services at boot:
    systemctl enable seahub.service && systemctl enable seafile.service
  8. In the respective Apache vhost entry:
      RewriteEngine On
      Alias /media /opt/seafile/seafile-server-latest/seahub/media
      FastCGIExternalServer /srv/www/seahub.fcgi -host 127.0.0.1:8000
      FastCGIExternalServer /srv/www/seafdav.fcgi -host 127.0.0.1:8080
    
      #
      # seafile fileserver
      #
      ProxyPass /seafhttp http://127.0.0.1:8082
      ProxyPassReverse /seafhttp http://127.0.0.1:8082
      RewriteRule ^/seafhttp - [QSA,L]
    
      #
      # seafile webdav
      #
      RewriteCond %{HTTP:Authorization} (.+)
      RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L,e=HTTP_AUTHORIZATION:%1]
      RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L]
    
      #
      # seahub
      #
      RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
      <Directory /opt/seafile/seafile-server-latest/seahub/media>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require all granted
      </Directory>
    
      <Location /media>
        Options FollowSymLinks
        Order allow,deny
        Allow from all
      </Location>

Amavisd - spam and virus protection for mail

  1. /etc/amavis/conf.d/15-content_filter_mode:
    @bypass_virus_checks_maps = (
       \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
    ...
    @bypass_spam_checks_maps = (
       \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
    
  2. In /etc/clamav/clamd.conf:
    AllowSupplementaryGroups true
  3. Fix up the groups:
    usermod -a -G amavis clamav
  4. Add to /etc/postfix/main.cf:
    #Content Filter
    content_filter=smtp-amavis:[127.0.0.1]:10024
  5. Add to /etc/postfix/master.cf:
    smtp-amavis     unix    -       -       -       -       2       smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o max_use=20
            -o smtp_tls_security_level=none
    
    
    127.0.0.1:10025 inet    n       -       -       -       -       smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_delay_reject=no
            -o smtpd_client_restrictions=permit_mynetworks,reject
            -o smtpd_tls_security_level=none

Testing

A mail with the content

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

tests the virus scanner. A mail with the content

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

tests the spam filter.
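As an added example (not part of the original page), a Python script that builds the two test mails above and sends them through the submission service configured in master.cf (port 587, STARTTLS, SASL login via Dovecot), so one run exercises submission, authentication and the amavis content filter together. MAIL_HOST, MAIL_USER and MAIL_PASSWORD are placeholders; the attachment file name and subjects are the script's own choices.

```python
"""Build and send the EICAR and GTUBE test mails through the submission port.

Added example, not part of the original page. It assumes the submission
service from master.cf above (port 587, STARTTLS, SASL via Dovecot).
MAIL_HOST, MAIL_USER and MAIL_PASSWORD are placeholders to be replaced.
"""
import smtplib
import ssl
from email.message import EmailMessage

MAIL_HOST = "mail.example.invalid"   # placeholder
MAIL_USER = "berni"                  # placeholder: a local mailbox user
MAIL_PASSWORD = "replace-me"         # placeholder

# Test strings exactly as given on the page. EICAR is a raw string because it
# contains a backslash; both strings are harmless and exist only to be detected.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def build_test_message(kind, sender, recipient):
    """Return an EmailMessage for kind 'virus' (EICAR) or 'spam' (GTUBE).

    EICAR goes in as an attachment, which is what clamav via amavis scans;
    GTUBE has to be in the body, where SpamAssassin looks for it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    if kind == "virus":
        msg["Subject"] = "amavis test: EICAR"
        msg.set_content("EICAR test file attached; amavis should block this mail.")
        msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    elif kind == "spam":
        msg["Subject"] = "amavis test: GTUBE"
        msg.set_content("GTUBE test string follows.\n\n" + GTUBE + "\n")
    else:
        raise ValueError(f"unknown test kind: {kind}")
    return msg


def send_via_submission(msg, host, user, password, port=587, cafile=None):
    """Deliver over STARTTLS with SASL login, as the submission service expects.

    Certificate verification stays on. Because the page's mail.crt is
    self-signed, pass cafile="/etc/ssl/private/mail.crt" (or a copy of it)
    so the client trusts exactly that certificate and nothing else.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(user, password)
        # {} means every recipient was accepted at SMTP time. The content
        # filter runs after queueing, so the verdict shows up in the mail log.
        return smtp.send_message(msg)


if __name__ == "__main__":
    address = f"{MAIL_USER}@{MAIL_HOST}"
    for kind in ("virus", "spam"):
        message = build_test_message(kind, address, address)
        refused = send_via_submission(message, MAIL_HOST, MAIL_USER, MAIL_PASSWORD,
                                      cafile="/etc/ssl/private/mail.crt")
        print(kind, "refused recipients:", refused)
```

After running it, the amavis lines in the mail log should show one INFECTED (EICAR) and one SPAM (GTUBE) verdict; if both mails simply land in the Maildir, the content_filter entries from the Amavisd section are not active.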

dovecot-sieve

Sieve provides server-side mail filtering. That is quite practical: you do not have to set up your filters on several devices. On top of that, the filters are very easy to create via Horde/Ingo.

  1. Installation:
    apt-get install dovecot-managesieved dovecot-lmtp
  2. dovecot.conf
    ...
    protocols = imap sieve lmtp
     
    service managesieve-login {
      inet_listener sieve {  
        port = 4190 
        address = 127.0.0.1
      }  
      service_count = 1  
      process_min_avail = 1  
      vsz_limit = 64M 
    }
     
    service managesieve {
      process_limit = 10 
    }
     
    plugin {
      sieve_before = /srv/mail/sieve/spam-global.sieve
      sieve_dir = /srv/mail/%d/%n/sieve
      sieve = /srv/mail/%d/%n/%u.sieve
    }
     
    protocol lmtp {
      postmaster_address = admin@ex23.de
      mail_plugins = $mail_plugins sieve
      info_log_path = /var/log/dovecot-lmtp.log
    }
     
    service lmtp {
      user = vmail
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }  
    }
    ...
  3. postfix/main.cf:
    ...
    #Sieve
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    ...
  4. So that it survives updates:
    cd /etc/horde/ingo; cp backends.php backends.local.php; cp hooks.php.dist hooks.local.php
  5. Disable IMAP in backends.local.php:
    ...
    /* IMAP Example */
    $backends['imap'] = array(
        // ENABLED by default
        'disabled' => true,
        'transport' => array(
            Ingo::RULE_ALL => array(
                'driver' => 'null',
                'params' => array(),
    ...
  6. Enable Sieve in backends.local.php:
    ...
    /* Sieve Example */
    $backends['sieve'] = array(
        // Disabled by default
        'disabled' => false,
        'transport' => array(
            Ingo::RULE_ALL => array(
                'driver' => 'timsieved',
                'params' => array(
    ...
  7. Add to hooks.local.php:
    ...
     
    public function transport_auth($driver)
    {
      switch ($driver) {
        case 'timsieved':
        // Example #1: Use full Horde username for password.
        // This is generally needed for sieve servers.
        $full_user = $GLOBALS['registry']->getAuth(null);
        return array('euser' => $full_user, 'username' => $full_user);
      }  
      return true;
    }
    ...
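The dovecot.conf in step 2 points sieve_before at /srv/mail/sieve/spam-global.sieve, but the page does not show that file. As an added example (not the page's own), a global script that files mail amavis has tagged with X-Spam-Flag: YES into a Junk folder before any user's own rules run; the folder name Junk is an assumption.

```sieve
# /srv/mail/sieve/spam-global.sieve (added example, not from the original page)
# Runs before every user's own script because of sieve_before in dovecot.conf.
require ["fileinto", "mailbox"];

# Amavis (with SpamAssassin behind it) marks spam with "X-Spam-Flag: YES".
if header :is "X-Spam-Flag" "YES" {
    # :create makes the Junk folder if the user has not created it yet.
    fileinto :create "Junk";
    stop;
}
```

Dovecot compiles the script on first use; running sievec on the file after editing surfaces syntax errors immediately instead of at delivery time.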