Installing a Hetzner dedicated server
Partition layout
- md0: 8GB Swap
- md1: 500MB /boot
- md2: 137GB /
- md3: 1TB iscsi
- md4: 1.7TB /srv
Mounting everything
Important when working from the Hetzner rescue system. The bind mounts of /dev, /sys and /proc are what a later chroot into /mnt/debian needs (for example to reinstall the bootloader or to fix the network driver).
mkdir -p /mnt/debian
mdadm-startall
mount /dev/md2 /mnt/debian
mount /dev/md1 /mnt/debian/boot
mount /dev/md4 /mnt/debian/srv
mount -o bind /dev /mnt/debian/dev
mount -o bind /sys /mnt/debian/sys
mount -o bind /proc /mnt/debian/proc
r8168 driver
Hetzner recommends (or used to recommend) installing Realtek's proprietary r8168 network driver because the in-kernel driver caused problems. The downside: after a dist-upgrade the network is gone, because the out-of-tree module is not available for the new kernel while the blacklist it installed still keeps the in-kernel driver from loading. Removing the in-kernel driver (r8169; r8168 is the proprietary module) from the module blacklist in /etc/modprobe.d re-enables the in-kernel driver and the network comes back.
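A small script for doing this from the rescue system's chroot (or on the running box), added here as an example and not part of the original notes: it finds the file under /etc/modprobe.d that blacklists r8169, comments that line out, regenerates the initramfs (which carries a copy of /etc/modprobe.d) and loads the in-kernel driver. It assumes the blacklist was installed as a .conf file under /etc/modprobe.d; the directory is a parameter so the check and the edit can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original page: re-enable the in-kernel r8169
# driver by removing the blacklist left behind by the proprietary r8168 package.
# Assumption: the blacklist lives in a *.conf file under /etc/modprobe.d
# (the directory is a parameter so the functions can be exercised on a copy).

# Print the .conf files under $1 (default /etc/modprobe.d) that blacklist r8169.
find_r8169_blacklist() {
    dir=${1:-/etc/modprobe.d}
    grep -l -E '^[[:space:]]*blacklist[[:space:]]+r8169([[:space:]]|$)' "$dir"/*.conf 2>/dev/null || true
}

# Comment out (rather than delete) every such line so the change stays visible
# in the file; prints the number of files that were changed.
unblacklist_r8169() {
    dir=${1:-/etc/modprobe.d}
    changed=0
    for f in $(find_r8169_blacklist "$dir"); do
        sed -i -E 's/^([[:space:]]*)(blacklist[[:space:]]+r8169([[:space:]]|$))/\1# \2/' "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# On the live system, as root: fix the blacklist, rebuild the initramfs so the
# fix survives the next boot, swap the modules, and show which driver the NICs use.
apply_fix() {
    if [ "$(unblacklist_r8169 /etc/modprobe.d)" -gt 0 ]; then
        update-initramfs -u
    fi
    modprobe -r r8168 2>/dev/null || true
    modprobe r8169
    for iface in /sys/class/net/*; do
        [ -e "$iface/device/driver" ] || continue
        echo "$(basename "$iface"): $(basename "$(readlink "$iface/device/driver")")"
    done
}

# Run "sh fix-r8169.sh apply" as root; without the argument the script only
# defines the functions, so it can be sourced or tested harmlessly.
if [ "${1:-}" = "apply" ]; then
    apply_fix
fi
```

Inside the rescue system, run it after `chroot /mnt/debian` so that `update-initramfs` and `modprobe` act on the installed system rather than on the rescue kernel.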
iscsitarget
iscsitarget needs its own kernel module, but it is not rebuilt during the dist-upgrade, so this has to be done by hand (DKMS needs the headers of the running kernel to build it):
apt-get install linux-headers-$(uname -r)
apt-get install --reinstall iscsitarget-dkms
apt-get install iscsitarget
systemd journal
systemd does everything differently, but not always worse. The journal of the previous boot can be inspected to find errors, which requires the journal to be stored persistently on disk (by default it lives in RAM and is lost on reboot). Persistent storage is enabled by creating the directory:
install -d -g systemd-journal /var/log/journal
The journal is read with journalctl; its -b option selects a particular boot:
journalctl
Dist upgrade
apt-get update && apt-get -y upgrade
- switch /etc/apt/sources.list to the new stable release. See also https://www.debian.org/releases/ . Prefer the release codename over the "stable" alias: with the alias, the day Debian publishes its next release an ordinary update turns into an unplanned major upgrade.
apt-get update && apt-get -y upgrade
apt-get dist-upgrade
Installing LAMP
We install the following essential packages (plus a fair amount of extras). The package names are those of the Debian release these notes were written for (php5, apache2.2-common); newer releases ship PHP 7.x and Apache 2.4 under different names.
- MariaDB + phpmyadmin
- Apache2 + php5
- dovecot + postfix + clamav + spamassassin
- Horde webmail
apt-get install postfix postfix-doc mariadb-client mariadb-server openssl rkhunter binutils dovecot-imapd sudo amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj clamav-docs zip apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger php-horde-webmail
SSL certificates
- adjust /etc/ssl/openssl.cnf
- generate a 4096-bit RSA key and a self-signed certificate (10950 days is 30 years; the key stays in /etc/ssl/private, which is readable by root only, and both Postfix and Dovecot read it as root):
openssl genrsa -out /etc/ssl/private/mail.key 4096
openssl req -new -x509 -key /etc/ssl/private/mail.key -out /etc/ssl/private/mail.crt -days 10950
Horde webmail
- create the database and a dedicated user for it:
mysql -uroot -p
CREATE DATABASE horde;
GRANT ALL PRIVILEGES ON horde.* TO 'horde'@'localhost' IDENTIFIED BY 'PASSWORD';
FLUSH PRIVILEGES;
webmail-install
- /etc/horde/imp/backends.php: enable the "advanced" servers entry, disable the others, and enter the default mail domain under maildomain
dovecot
dovecot.conf (the quoted values with a leading space, such as " imap", are how doveconf -n prints $protocols imap and $mail_plugins autocreate; they are accepted as written):
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"
protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
auth_mechanisms = plain login
ssl = required
ssl_cert = </etc/ssl/private/mail.crt
ssl_key = </etc/ssl/private/mail.key
With ssl = required Dovecot refuses plaintext authentication on unencrypted connections regardless of disable_plaintext_auth, so passwords never cross the wire in the clear. The unix_listener under service auth is the socket that Postfix's smtpd_sasl_path = private/auth refers to (relative to the Postfix queue directory).
postfix
- main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/private/mail.crt
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = <hostname>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = backup.kcad.de, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
virtual_alias_domains = <virtual domains>
virtual_alias_maps = hash:/etc/postfix/virtual_alias

# Auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
Two things to keep in mind: smtpd_use_tls=yes is the legacy spelling of smtpd_tls_security_level = may, so TLS on port 25 is optional, and smtpd_sasl_auth_enable = yes in main.cf offers AUTH on port 25 as well, where a client may send the password before STARTTLS. Since the submission and smtps services below enable SASL themselves, AUTH on port 25 is not needed; either drop smtpd_sasl_auth_enable from main.cf or set smtpd_tls_auth_only = yes so AUTH is only announced after TLS is up.
- append to the bottom of master.cf:
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
- Enter the "delivery table" in /etc/postfix/virtual_alias (left: the address as received, right: where it is delivered), then rebuild the hash map:
berni@ex23.de berni@localhost
postmap /etc/postfix/virtual_alias
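Before running postmap it pays to check that the table and virtual_alias_domains agree: a domain that is only used in the table is treated as foreign and relaying is refused, and a domain that is only in virtual_alias_domains bounces everything with "User unknown in virtual alias table". The check below is an added example, not from the original notes; it assumes the table format shown above (one address and one destination per line, '#' comments allowed) and takes the domain list as a string so that on the server it can be fed from postconf.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check the virtual_alias
# table against virtual_alias_domains before running postmap.
# Assumptions: one "address destination" pair per line, '#' starts a comment,
# the domain list is whitespace- or comma-separated (as postconf prints it).

# Print the distinct domains used on the left-hand side of the map.
map_domains() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | awk '{ print $1 }' \
        | awk -F@ 'NF == 2 { print $2 }' \
        | sort -u
}

# check_virtual_alias MAPFILE "dom1 dom2 ..."  -> exit 0 if consistent,
# otherwise prints one line per problem and exits 1.
check_virtual_alias() {
    map=$1
    domains=$(printf '%s' "$2" | tr ',' ' ')
    rc=0
    # every domain the map uses must be a virtual alias domain ...
    for d in $(map_domains "$map"); do
        case " $domains " in
            *" $d "*) ;;
            *) echo "map uses $d but virtual_alias_domains lacks it"; rc=1 ;;
        esac
    done
    # ... and every virtual alias domain needs at least one entry
    for d in $domains; do
        map_domains "$map" | grep -qx "$d" \
            || { echo "virtual_alias_domains lists $d but the map has no entry for it"; rc=1; }
    done
    return $rc
}

# On the server (postconf -x, Postfix 2.10 or newer, expands $variables in the value):
#   check_virtual_alias /etc/postfix/virtual_alias "$(postconf -x -h virtual_alias_domains)" \
#       && postmap /etc/postfix/virtual_alias
```

After postmap, `postmap -q berni@ex23.de hash:/etc/postfix/virtual_alias` confirms that a lookup really returns the destination you expect.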
seafile
- First:
mkdir /opt/seafile
- download the seafile tar.gz and unpack it
- run setup-seafile-mysql.sh. Seafile runs as its own unprivileged user in the units below (User=seafile), so create that account and chown /opt/seafile to it before running the setup script.
- /opt/seafile/conf/seafdav.conf:
[WEBDAV]
enabled = true
port = 8080
fastcgi = false
share_name = /seafdav
With fastcgi = false seafdav speaks plain HTTP on port 8080. The Apache vhost below, however, hands /seafdav to a FastCGIExternalServer on that port, which only works with fastcgi = true; either set it to true here or proxy /seafdav with ProxyPass the way /seafhttp is proxied.
- /etc/systemd/system/seafile.service:
[Unit]
Description=Seafile services
After=mysql.service

[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh start"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seafile.sh stop"
PIDFile=/opt/seafile/pids/ccnet.pid

[Install]
WantedBy=multi-user.target
- /etc/systemd/system/seahub.service:
[Unit]
Description=Seahub frontend service
Requires=seafile.service
After=seafile.service

[Service]
Type=forking
User=seafile
ExecStart=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh start-fastcgi"
ExecStop=/bin/sh -c "/opt/seafile/seafile-server-latest/seahub.sh stop"

[Install]
WantedBy=seafile.service
- start the services at boot:
systemctl enable seahub.service && systemctl enable seafile.service
- In the respective Apache vhost. FastCGIExternalServer is a mod_fastcgi directive (libapache2-mod-fastcgi), which is not in the package list above; mod_fcgid does not provide it. mod_rewrite, mod_proxy and mod_proxy_http must be enabled as well. AllowOverride is only valid inside <Directory>, so it must not appear in the <Location /media> block or Apache refuses to start. Order/Allow is the Apache 2.2 access syntax and Require all granted the 2.4 one; keep the pair that matches the installed Apache.
RewriteEngine On
Alias /media /opt/seafile/seafile-server-latest/seahub/media
FastCGIExternalServer /srv/www/seahub.fcgi -host 127.0.0.1:8000
FastCGIExternalServer /srv/www/seafdav.fcgi -host 127.0.0.1:8080

#
# seafile fileserver
#
ProxyPass /seafhttp http://127.0.0.1:8082
ProxyPassReverse /seafhttp http://127.0.0.1:8082
RewriteRule ^/seafhttp - [QSA,L]

#
# seafile webdav
#
RewriteCond %{HTTP:Authorization} (.+)
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L,e=HTTP_AUTHORIZATION:%1]
RewriteRule ^(/seafdav.*)$ /seafdav.fcgi$1 [QSA,L]

#
# seahub
#
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /seahub.fcgi$1 [QSA,L,E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

<Directory /opt/seafile/seafile-server-latest/seahub/media>
  Options FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

<Location /media>
  Options FollowSymLinks
  Order allow,deny
  Allow from all
</Location>
Amavisd - spam and virus filtering for mail
- /etc/amavis/conf.d/15-content_filter_mode: uncomment the two statements (in the Debian default file they are commented out, which means both checks are bypassed):
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
...
@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
- In /etc/clamav/clamd.conf (newer ClamAV releases removed this option and always honour supplementary groups; if clamd complains about an unknown option, drop the line):
AllowSupplementaryGroups true
- Fix up the groups: clamd has to read the files amavis unpacks, so the clamav user joins the amavis group:
usermod -a -G amavis clamav
- add to /etc/postfix/main.cf:
# Content filter
content_filter=smtp-amavis:[127.0.0.1]:10024
- add to /etc/postfix/master.cf. The re-injection listener on 10025 is bound to the loopback address and accepts only mynetworks; leave it that way, otherwise anyone could hand Postfix mail that skips the filter:
smtp-amavis unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_tls_security_level=none
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_security_level=none
Testing
A mail whose body consists of nothing but
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
tests the virus scanner (ClamAV only recognizes the EICAR string at the very start of a file or MIME part, so text in front of it defeats the test). A mail containing
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
tests the spam filter. The verdicts show up in the mail log as amavis "Blocked INFECTED" and "Blocked SPAM" (or "Passed SPAM", depending on the amavis policy) entries.
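To send both test mails without pasting the strings by hand, here is an added example (not from the original page) that builds them as complete messages and hands them to Postfix through sendmail(1). Recipient and sender are assumptions, as is the log path /var/log/mail.log used to look up the amavis verdicts afterwards. The body is nothing but the test string, for the reason given above.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the EICAR and GTUBE
# test mails and feed them to the local Postfix. Nothing is sent unless
# send_test_mails is called; the generators only print the message.
# Assumptions: sendmail(1) lives at /usr/sbin/sendmail, the log is /var/log/mail.log.

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# test_mail TO FROM SUBJECT BODY: print a minimal, complete message whose body
# is exactly BODY (one header block, one blank line, the test string).
test_mail() {
    to=$1; from=$2; subject=$3; body=$4
    host=$(hostname -f 2>/dev/null || echo localhost)
    printf 'From: %s\nTo: %s\nSubject: %s\nMessage-ID: <%s.%s@%s>\n\n%s\n' \
        "$from" "$to" "$subject" "$(date +%s)" "$$" "$host" "$body"
}

eicar_mail() { test_mail "$1" "$2" "EICAR virus scanner test" "$EICAR"; }
gtube_mail() { test_mail "$1" "$2" "GTUBE spam filter test" "$GTUBE"; }

# send_test_mails TO [FROM]: inject both messages into the local MTA.
# -t takes the recipient from the To: header, -i keeps a lone "." from ending input.
send_test_mails() {
    to=$1; from=${2:-root@localhost}
    eicar_mail "$to" "$from" | /usr/sbin/sendmail -t -i
    gtube_mail "$to" "$from" | /usr/sbin/sendmail -t -i
}

# amavis_verdicts [LOGFILE]: the most recent INFECTED/SPAM decisions amavis logged.
amavis_verdicts() {
    grep -E 'amavis.*(INFECTED|SPAM)' "${1:-/var/log/mail.log}" | tail -n 5
}

# Usage on the server:  send_test_mails berni@ex23.de && sleep 5 && amavis_verdicts
```

If neither verdict appears, check that Postfix really hands mail to port 10024 (`postconf -h content_filter`) and that amavis reaches clamd (a "ClamAV-clamd: Can't connect" line in the same log points at the socket permissions the group fix above addresses).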
dovecot-sieve
Sieve provides server-side mail filtering. That is quite practical: the filters do not have to be set up on every device separately. On top of that, filters are very easy to create via Horde/Ingo.
- installation:
apt-get install dovecot-managesieved dovecot-lmtp
- dovecot.conf. ManageSieve listens on 127.0.0.1 only, so just Horde/Ingo on the same host can reach it:
...
protocols = imap sieve lmtp
service managesieve-login {
  inet_listener sieve {
    port = 4190
    address = 127.0.0.1
  }
  service_count = 1
  process_min_avail = 1
  vsz_limit = 64M
}
service managesieve {
  process_limit = 10
}
plugin {
  sieve_before = /srv/mail/sieve/spam-global.sieve
  sieve_dir = /srv/mail/%d/%n/sieve
  sieve = /srv/mail/%d/%n/%u.sieve
}
protocol lmtp {
  postmaster_address = admin@ex23.de
  mail_plugins = $mail_plugins sieve
  info_log_path = /var/log/dovecot-lmtp.log
}
service lmtp {
  user = vmail
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
...
- postfix/main.cf:
...
# Sieve
virtual_transport = lmtp:unix:private/dovecot-lmtp
...
virtual_transport only applies to virtual_mailbox_domains, and the main.cf above defines none: the virtual_alias table rewrites to local users in mydestination, which Postfix delivers through local(8) without ever running Sieve. For those users, point mailbox_transport at the same LMTP socket instead.
- So that it survives package updates (Horde reads the .local.php files in preference to the packaged ones):
cd /etc/horde/ingo; cp backends.php backends.local.php; cp hooks.php.dist hooks.local.php
- insert into hooks.local.php:
...
public function transport_auth($driver)
{
    switch ($driver) {
    case 'timsieved':
        // Example #1: Use full Horde username for password.
        // This is generally needed for sieve servers.
        $full_user = $GLOBALS['registry']->getAuth(null);
        return array('euser' => $full_user, 'username' => $full_user);
    }
    return true;
}
...