Wichtig bei Verwendung des Hetzner Rescue-Systems.
mkdir -p /mnt/debian/; mdadm-startall; mount /dev/md2 /mnt/debian; mount /dev/md1 /mnt/debian/boot; mount /dev/md4 /mnt/debian/srv; mount -o bind /dev /mnt/debian/dev; mount -o bind /sys /mnt/debian/sys; mount -o bind /proc /mnt/debian/proc
Hetzner empfiehlt (empfahl) die Installation eines proprietaeren Netzwerktreibers, da der Kernel-interne Probleme machte. Das fuehrt dazu, dass nach dist-upgrade kein Netzwerk mehr funktioniert. Ein Entfernen des Kernel-eigenen r8168 Treibers aus der Module Blacklist aktiviert den Kernel-internen Treiber wieder und Netzwerk geht wieder.
iscsitarget braucht seinen Kernel-treiber, aber baut den nicht waehrend des dist-upgrades neu, daher muss das haendisch erledigt werden:
apt-get install linux-headers-$(uname -r)
apt-get install --reinstall iscsitarget-dkms
apt-get install iscsitarget
Systemd mach alles anders, aber nicht immer schlecher. Das journal des letzten Bootens kann man sich anschauen und Fehler finden. Das Journal wird aktiviert mittels:
install -d -g systemd-journal /var/log/journal
Das Journal wird betrachtet mittels:
journalctl
apt-get update && apt-get -y upgrade
apt-get update && apt-get -y upgrade
apt-get dist-upgrade
Wir installieren folgende wesentliche Pakete (und noch einiges an Beiwerk):
apt-get install postfix postfix-doc mariadb-client mariadb-server openssl rkhunter binutils dovecot-imapd sudo amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj clamav-docs zip apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger php-horde-webmail
openssl genrsa -out /etc/ssl/private/mail.key 4096<code> - <code bash>openssl req -new -x509 -key /etc/ssl/private/mail.key -out /etc/ssl/private/mail.crt -days 10950<code> ===== Horde webmail ===== - <code bash>mysql -uroot -p CREATE DATABASE horde; GRANT ALL PRIVILEGES ON horde.* TO 'horde'@'localhost' IDENTIFIED BY 'PASSWORT'; FLUSH PRIVILEGES;
webmail-install
dovecot.conf:
disable_plaintext_auth = no mail_privileged_group = mail mail_location = maildir:~/Maildir userdb { driver = passwd } passdb { args = %s driver = pam } protocols = " imap" protocol imap { mail_plugins = " autocreate" } plugin { autocreate = Trash autocreate2 = Sent autosubscribe = Trash autosubscribe2 = Sent } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } auth_mechanisms = plain login ssl=required ssl_cert = </etc/ssl/private/mail.crt ssl_key = </etc/ssl/private/mail.key
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file=/etc/ssl/private/mail.crt smtpd_tls_key_file=/etc/ssl/private/mail.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = <hostname> alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = backup.kcad.de, localhost relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html home_mailbox = Maildir/ recipient_delimiter = + smtp_tls_security_level = may smtpd_tls_protocols = !SSLv2, !SSLv3 local_recipient_maps = proxy:unix:passwd.byname $alias_maps virtual_alias_domains = <virtual domains> virtual_alias_maps = hash:/etc/postfix/virtual_alias # Auth smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth
submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
berni@ex23.de berni@localhost
postmap /etc/postfix/virtual_alias
mkdir /opt/seafile
[WEBDAV] enabled = true port = 8080 fastcgi = false share_name = /seafdav
[Unit] Description=Seafile services After=mysql.service [Service] Type=forking User=seafile ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh start" ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh stop" PIDFile=/opt/seafile/pids/ccnet.pid [Install] WantedBy=multi-user.targe
[Unit] Description=Seahub frontend service Requires=seafile.service After=seafile.service [Service] Type=forking User=seafile ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh start-fastcgi" ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh stop" [Install] WantedBy=seafile.service
systemctl enable seahub.service && systemctl enable seafile.service
RewriteEngine On Alias /media /opt/seafile/seafile-server-latest/seahub/media FastCGIExternalServer /srv/www/seahub.fcgi -host 127.0.0.1:8000 FastCGIExternalServer /srv/www/seafdav.fcgi -host 127.0.0.1:8080 # # seafile fileserver # ProxyPass /seafhttp http://127.0.0.1:8082 ProxyPassReverse /seafhttp http://127.0.0.1:8082 RewriteRule ^/seafhttp - [QSA,L] # # seafile webdav # RewriteCond %{HTTP:Authorization} (.+) RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L,e=HTTP_AUTHORIZATION:%1] RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L] # # seahub # RewriteRule ^/(media.*)$ /$1 [QSA,L,PT] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] <Directory /opt/seafile/seafile-server-latest/seahub/media> Options FollowSymLinks AllowOverride None Order allow,deny Allow from all Require all granted </Directory> <Location /media> Options FollowSymLinks AllowOverride None Order allow,deny Allow from all </Location>
@bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); ... @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
AllowSupplementaryGroups true
usermod -a -G amavis clamav
#Content Filter content_filter=smtp-amavis:[127.0.0.1]:10024
smtp-amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_tls_security_level=none
Eine Mail mit dem Inhalt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Testet den Virenscanner. Eine Mail mit dem Inhalt
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
testet den Spamfilter.
Sieve dient zur Serverseitigen Mailfilterung. Das ist ganz praktisch: Man muss seine Filter nicht auf verschiedenen Geraeten einrichten. Nochdazu lassen sich der Filter per Horde/Ingo super einfach erstellen.
apt-get install dovecot-managesieved dovecot-lmtp
... protocols = imap sieve lmtp service managesieve-login { inet_listener sieve { port = 4190 address = 127.0.0.1 } service_count = 1 process_min_avail = 1 vsz_limit = 64M } service managesieve { process_limit = 10 } plugin { sieve_before = /srv/mail/sieve/spam-global.sieve sieve_dir = /srv/mail/%d/%n/sieve sieve = /srv/mail/%d/%n/%u.sieve } protocol lmtp { postmaster_address = admin@ex23.de mail_plugins = $mail_plugins sieve info_log_path = /var/log/dovecot-lmtp.log } service lmtp { user = vmail unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ...
... #Sieve virtual_transport = lmtp:unix:private/dovecot-lmtp ...
cd /etc/horde/ingo; cp backends.php backends.local.php; cp hooks.php.dist hooks.local.php
... public function transport_auth($driver) { switch ($driver) { case 'timsieved': // Example #1: Use full Horde username for password. // This is generally needed for sieve servers. $full_user = $GLOBALS['registry']->getAuth(null); return array('euser' => $full_user, 'username' => $full_user); } return true; } ...