
Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment


Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAV, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is a COPY&PASTE howto. For background information, use the net; I did… However, contributions and suggestions are always welcome! I know this can be done better, so feel free.

If any of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive control panel, I would be very grateful.

Scope: creating a firewall/(mail) gateway for a small network (say 10 to 15 users or so) on a PIII 450 MHz with 512 MB RAM, two identical network interface cards and a broadband connection, fully featured, for a business environment. Better hardware (notably more RAM) will improve the performance of your server significantly. The specs mentioned are a bare minimum for not so demanding customers, just to indicate that it can indeed be done if you really want to (you will need to do some tweaking afterwards, though).

Expected audience: (beginning) sysop.

This tuto leads towards a solid ‘ready to go’ system. The fun part, I think (tweaking and tuning etc.), starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, swap your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times; they may also screw up their DNS every now and then), in which case you are on your own; best to wait till they are done fixing it.

So we start out with a DHCP-assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which, you had better start out with a static address for eth0. If your ISP isn’t crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning). At the end of the process you will be asked if you want to install extra packages. Select “LAMP” and finish.

Now login as the new user you just created and do:

sudo passwd

Now enter your password again. Next enter the new password for user “root” and confirm. So we have dropped the nasty sudo experience (a bit strange on a server, isn’t it?). Now log out and log in again as root with the new root password.

Do:

apt-get install vim

Using vim (or your favorite editor), edit /etc/apt/sources.list. Comment out the CD repository. Next add “universe” (without the quotes) to all lines that aren’t commented out. Save the file.

Now do:

apt-get update

apt-get install openssh-server

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static
	address		192.168.1.1
	netmask	        255.255.255.0
	broadcast	192.168.1.255
	network		192.168.1.0

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full /etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
	address		192.168.1.1
	netmask		255.255.255.0
	broadcast	192.168.1.255
	network		192.168.1.0

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

/etc/init.d/networking restart

You can do the rest of this tuto from your workstation, either Linux or the other one (must have PuTTY), so you can actually copy and paste. Just log in to 192.168.1.1 as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server’s eth1.

If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.

Now do:

apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.330_all.deb

“surfnet” is the Dutch mirror. Change that to “heanet” (for Ireland), “belnet” (for Belgium), “mesh” (for Germany) and so on.

dpkg -i webmin_1.330_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz policy.gz

Now open your browser and log in to Webmin at https://192.168.1.1:10000 as root with your root password and, using Webmin’s Shorewall module, change the policies and rules of your firewall as needed (for now, I only set the policy file to the example shown below; if you don’t like Webmin, you may copy and paste my policy file for starters).

Also, in /etc/shorewall/shorewall.conf change the line “IP_FORWARDING=Keep” to “IP_FORWARDING=On” (without quotes) and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy  now looks like this:

###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
#
# Note about policies and logging:
#	This file contains an explicit policy for every combination of
#	zones defined in this sample.  This is solely for the purpose of
#	providing more specific messages in the logs.  This is not
#	necessary for correct operation of the firewall, but greatly
#	assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc		net		ACCEPT
loc	$FW	ACCEPT
loc		all		REJECT		info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW	net	ACCEPT
$FW	loc	ACCEPT
$FW		all		REJECT		info
#
# Policies for traffic originating from the Internet zone (net)
#
net		$FW		DROP		info
net		loc		DROP		info
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Next do:

/etc/init.d/shorewall start

You should be able now to surf the net.

DO NOT PROCEED UNTIL YOU SUCCEED IN SURFING THE NET, SINCE THIS IS YOUR FRAMEWORK: IT HAS TO BE OK.

So now we need some packages. Do (all in one line!):

apt-get install postfix postfix-doc courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient15-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail unzip zip ncftp libarchive-zip-perl zlib1g-dev libpopt-dev nmap lynx fileutils curl mail-audit-tools libwww-perl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp samba spamassassin razor pyzor unzoo spamc libio-string-perl libnet-ident-perl libio-socket-ssl-perl libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl php-pear mailscanner mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd

Accept all defaults.

Now do:

mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!

Now configure Apache and Squirrelmail.

/usr/sbin/squirrelmail-configure

Set it to courier (option D) and otherwise make it as you like it. Don’t forget to enable some plugins and to set a default language if desired. I also suggest setting this:

$show_contain_subfolders_option = true;

My /etc/squirrelmail/config.php now looks like this:
(Just my current config. Don’t copy this, use it as a reference.)

<?php

/**
 * SquirrelMail Configuration File
 * Created using the configure script, conf.pl
 */

global $version;
$config_version = '1.4.0';
$config_use_color = 2;

$org_name      = "Lürsen";
$org_logo      = SM_PATH . 'images/sm_logo.png';
$org_logo_width  = '564';
$org_logo_height = '261';
$org_title     = "Lürsen";
$signout_page  = 'https://lursen.net/webmail';
$frame_top     = '_top';

$provider_uri     = 'http://www.squirrelmail.org/';

$provider_name     = 'SquirrelMail';

$motd = "";

$squirrelmail_default_language = 'nl_NL';
$default_charset       = 'iso-8859-1';
$lossy_encoding        = false;

$domain                 = 'lursen.net';
$imapServerAddress      = 'localhost';
$imapPort               = 143;
$useSendmail            = false;
$smtpServerAddress      = 'localhost';
$smtpPort               = 25;
$sendmail_path          = '/usr/sbin/sendmail';
$sendmail_args          = '-i -t';
$pop_before_smtp        = false;
$imap_server_type       = 'courier';
$invert_time            = false;
$optional_delimiter     = '.';
$encode_header_key      = '';

$default_folder_prefix          = 'INBOX.';
$trash_folder                   = 'Trash';
$sent_folder                    = 'Sent';
$draft_folder                   = 'Drafts';
$default_move_to_trash          = true;
$default_move_to_sent           = true;
$default_save_as_draft          = true;
$show_prefix_option             = false;
$list_special_folders_first     = true;
$use_special_folder_color       = true;
$auto_expunge                   = true;
$default_sub_of_inbox           = false;
$show_contain_subfolders_option = true;
$default_unseen_notify          = 2;
$default_unseen_type            = 1;
$auto_create_special            = true;
$delete_folder                  = true;
$noselect_fix_enable            = false;

$data_dir                 = '/var/lib/squirrelmail/data/';
$attachment_dir           = '/var/spool/squirrelmail/attach/';
$dir_hash_level           = 0;
$default_left_size        = '150';
$force_username_lowercase = false;
$default_use_priority     = true;
$hide_sm_attributions     = false;
$default_use_mdn          = true;
$edit_identity            = true;
$edit_name                = true;
$hide_auth_header         = false;
$allow_thread_sort        = false;
$allow_server_sort        = false;
$allow_charset_search     = true;
$uid_support              = true;

$plugins[0] = 'abook_take';
$plugins[1] = 'delete_move_next';
$plugins[2] = 'calendar';
$plugins[3] = 'filters';
$plugins[4] = 'message_details';
$plugins[5] = 'mail_fetch';
$plugins[6] = 'newmail';

$theme_css = '';
$theme_default = 0;
$theme[0]['PATH'] = SM_PATH . 'themes/default_theme.php';
$theme[0]['NAME'] = 'Default';
$theme[1]['PATH'] = SM_PATH . 'themes/plain_blue_theme.php';
$theme[1]['NAME'] = 'Plain Blue';
$theme[2]['PATH'] = SM_PATH . 'themes/sandstorm_theme.php';
$theme[2]['NAME'] = 'Sand Storm';
$theme[3]['PATH'] = SM_PATH . 'themes/deepocean_theme.php';
$theme[3]['NAME'] = 'Deep Ocean';
$theme[4]['PATH'] = SM_PATH . 'themes/slashdot_theme.php';
$theme[4]['NAME'] = 'Slashdot';
$theme[5]['PATH'] = SM_PATH . 'themes/purple_theme.php';
$theme[5]['NAME'] = 'Purple';
$theme[6]['PATH'] = SM_PATH . 'themes/forest_theme.php';
$theme[6]['NAME'] = 'Forest';
$theme[7]['PATH'] = SM_PATH . 'themes/ice_theme.php';
$theme[7]['NAME'] = 'Ice';
$theme[8]['PATH'] = SM_PATH . 'themes/seaspray_theme.php';
$theme[8]['NAME'] = 'Sea Spray';
$theme[9]['PATH'] = SM_PATH . 'themes/bluesteel_theme.php';
$theme[9]['NAME'] = 'Blue Steel';
$theme[10]['PATH'] = SM_PATH . 'themes/dark_grey_theme.php';
$theme[10]['NAME'] = 'Dark Grey';
$theme[11]['PATH'] = SM_PATH . 'themes/high_contrast_theme.php';
$theme[11]['NAME'] = 'High Contrast';
$theme[12]['PATH'] = SM_PATH . 'themes/black_bean_burrito_theme.php';
$theme[12]['NAME'] = 'Black Bean Burrito';
$theme[13]['PATH'] = SM_PATH . 'themes/servery_theme.php';
$theme[13]['NAME'] = 'Servery';
$theme[14]['PATH'] = SM_PATH . 'themes/maize_theme.php';
$theme[14]['NAME'] = 'Maize';
$theme[15]['PATH'] = SM_PATH . 'themes/bluesnews_theme.php';
$theme[15]['NAME'] = 'BluesNews';
$theme[16]['PATH'] = SM_PATH . 'themes/deepocean2_theme.php';
$theme[16]['NAME'] = 'Deep Ocean 2';
$theme[17]['PATH'] = SM_PATH . 'themes/blue_grey_theme.php';
$theme[17]['NAME'] = 'Blue Grey';
$theme[18]['PATH'] = SM_PATH . 'themes/dompie_theme.php';
$theme[18]['NAME'] = 'Dompie';
$theme[19]['PATH'] = SM_PATH . 'themes/methodical_theme.php';
$theme[19]['NAME'] = 'Methodical';
$theme[20]['PATH'] = SM_PATH . 'themes/greenhouse_effect.php';
$theme[20]['NAME'] = 'Greenhouse Effect (Changes)';
$theme[21]['PATH'] = SM_PATH . 'themes/in_the_pink.php';
$theme[21]['NAME'] = 'In The Pink (Changes)';
$theme[22]['PATH'] = SM_PATH . 'themes/kind_of_blue.php';
$theme[22]['NAME'] = 'Kind of Blue (Changes)';
$theme[23]['PATH'] = SM_PATH . 'themes/monostochastic.php';
$theme[23]['NAME'] = 'Monostochastic (Changes)';
$theme[24]['PATH'] = SM_PATH . 'themes/shades_of_grey.php';
$theme[24]['NAME'] = 'Shades of Grey (Changes)';
$theme[25]['PATH'] = SM_PATH . 'themes/spice_of_life.php';
$theme[25]['NAME'] = 'Spice of Life (Changes)';
$theme[26]['PATH'] = SM_PATH . 'themes/spice_of_life_lite.php';
$theme[26]['NAME'] = 'Spice of Life - Lite (Changes)';
$theme[27]['PATH'] = SM_PATH . 'themes/spice_of_life_dark.php';
$theme[27]['NAME'] = 'Spice of Life - Dark (Changes)';
$theme[28]['PATH'] = SM_PATH . 'themes/christmas.php';
$theme[28]['NAME'] = 'Holiday - Christmas';
$theme[29]['PATH'] = SM_PATH . 'themes/darkness.php';
$theme[29]['NAME'] = 'Darkness (Changes)';
$theme[30]['PATH'] = SM_PATH . 'themes/random.php';
$theme[30]['NAME'] = 'Random (Changes every login)';
$theme[31]['PATH'] = SM_PATH . 'themes/midnight.php';
$theme[31]['NAME'] = 'Midnight';
$theme[32]['PATH'] = SM_PATH . 'themes/alien_glow.php';
$theme[32]['NAME'] = 'Alien Glow';
$theme[33]['PATH'] = SM_PATH . 'themes/dark_green.php';
$theme[33]['NAME'] = 'Dark Green';
$theme[34]['PATH'] = SM_PATH . 'themes/penguin.php';
$theme[34]['NAME'] = 'Penguin';
$theme[35]['PATH'] = SM_PATH . 'themes/minimal_bw.php';
$theme[35]['NAME'] = 'Minimal BW';
$theme[36]['PATH'] = SM_PATH . 'themes/redmond.php';
$theme[36]['NAME'] = 'Redmond';
$theme[37]['PATH'] = SM_PATH . 'themes/netstyle_theme.php';
$theme[37]['NAME'] = 'Net Style';
$theme[38]['PATH'] = SM_PATH . 'themes/silver_steel_theme.php';
$theme[38]['NAME'] = 'Silver Steel';
$theme[39]['PATH'] = SM_PATH . 'themes/simple_green_theme.php';
$theme[39]['NAME'] = 'Simple Green';
$theme[40]['PATH'] = SM_PATH . 'themes/wood_theme.php';
$theme[40]['NAME'] = 'Wood';
$theme[41]['PATH'] = SM_PATH . 'themes/bluesome.php';
$theme[41]['NAME'] = 'Bluesome';
$theme[42]['PATH'] = SM_PATH . 'themes/simple_green2.php';
$theme[42]['NAME'] = 'Simple Green 2';
$theme[43]['PATH'] = SM_PATH . 'themes/simple_purple.php';
$theme[43]['NAME'] = 'Simple Purple';
$theme[44]['PATH'] = SM_PATH . 'themes/autumn.php';
$theme[44]['NAME'] = 'Autumn';
$theme[45]['PATH'] = SM_PATH . 'themes/autumn2.php';
$theme[45]['NAME'] = 'Autumn 2';
$theme[46]['PATH'] = SM_PATH . 'themes/blue_on_blue.php';
$theme[46]['NAME'] = 'Blue on Blue';
$theme[47]['PATH'] = SM_PATH . 'themes/classic_blue.php';
$theme[47]['NAME'] = 'Classic Blue';
$theme[48]['PATH'] = SM_PATH . 'themes/classic_blue2.php';
$theme[48]['NAME'] = 'Classic Blue 2';
$theme[49]['PATH'] = SM_PATH . 'themes/powder_blue.php';
$theme[49]['NAME'] = 'Powder Blue';
$theme[50]['PATH'] = SM_PATH . 'themes/techno_blue.php';
$theme[50]['NAME'] = 'Techno Blue';
$theme[51]['PATH'] = SM_PATH . 'themes/turquoise.php';
$theme[51]['NAME'] = 'Turquoise';

$default_use_javascript_addr_book = false;
$abook_global_file = '';
$abook_global_file_writeable = false;

$addrbook_dsn = '';
$addrbook_table = 'address';

$prefs_dsn = '';
$prefs_table = 'userprefs';
$prefs_user_field = 'user';
$prefs_key_field = 'prefkey';
$prefs_val_field = 'prefval';
$addrbook_global_dsn = '';
$addrbook_global_table = 'global_abook';
$addrbook_global_writeable = false;
$addrbook_global_listing = false;

$no_list_for_subscribe = false;
$smtp_auth_mech = 'none';
$imap_auth_mech = 'login';
$use_imap_tls = false;
$use_smtp_tls = false;
$session_name = 'SQMSESSID';

$config_location_base     = '';

@include SM_PATH . 'config/config_local.php';

/**
 * Make sure there are no characters after the PHP closing
 * tag below (including newline characters and whitespace).
 * Otherwise, that character will cause the headers to be
 * sent and regular output to begin, which will majorly screw
 * things up when we try to send more headers later.
 */
?>

Next do:

apache2-ssl-certificate -days 3650

Fill in the right server name!!!

That is: the address on which you plan to give your users access to Squirrelmail or any other service served by Apache on port 443 (we are also going to use this certificate for Postfix, IMAPS and POP3S). Just the domain will do (it MUST EXIST IN DNS), not domain/webmail.

If anything went wrong, just delete the certificate and repeat this step.

Now enter:

a2enmod ssl

a2enmod rewrite

a2enmod include

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https

ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https

ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail

Now edit /etc/apache2/sites-available/default. The top has to be changed so that it reads:

NameVirtualHost *:80
<VirtualHost *:80>

Edit /etc/apache2/sites-available/https as well, the top of the file should read:

NameVirtualHost *:443
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem

Edit /etc/squirrelmail/apache.conf. It should look like this:

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
#  DocumentRoot /usr/share/squirrelmail
#  ServerName webmail.example.com
#</VirtualHost>
# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
#  Note: There are multiple ways to do this, and which one is suitable for
#  your site's configuration depends. Consult the apache documentation if
#  you're unsure, as this example might not work everywhere.
#
<IfModule mod_rewrite.c>
  <IfModule mod_ssl.c>
    <Location /webmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    </Location>
  </IfModule>
</IfModule>

Now make SquirrelMail talk your language. If you only use English, you can of course skip the last line in the file.

Edit /var/lib/locales/supported.d/local.

It should look like this: (if you are Dutch, otherwise adjust as desired).
Main thing is to enable your locale with the charset ISO-8859-1.

en_US.UTF-8 UTF-8
nl_NL.UTF-8 UTF-8
en_US.ISO-8859-1	ISO-8859-1
nl_NL.ISO-8859-1	ISO-8859-1

Then do:

dpkg-reconfigure locales

Now make sure that the DirectoryIndex line in /etc/apache2/apache2.conf reads:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Edit /etc/apache2/ports.conf and add Listen 443:

Listen 80
Listen 443

Now we configure Postfix and MailScanner.

postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'

postconf -e 'smtpd_sasl_local_domain ='

postconf -e 'smtpd_sasl_auth_enable = yes'

postconf -e 'smtpd_sasl_security_options = noanonymous'

postconf -e 'broken_sasl_auth_clients = yes'

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'

postconf -e 'inet_interfaces = all'

echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf

echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'

postconf -e 'home_mailbox = Maildir/'

postconf -e 'mailbox_command ='

postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

postconf -e 'relayhost ='

postconf -e 'virtual_alias_domains = hash:/etc/postfix/virtual'

postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'

touch /etc/postfix/header_checks

touch /etc/postfix/virtual

Now edit /etc/postfix/header_checks. It should look like this:

/^Received:/ HOLD

chown postfix.postfix /var/spool/MailScanner/incoming

chown postfix.postfix /var/spool/MailScanner/quarantine

mkdir /var/spool/MailScanner/spamassassin

chown postfix.postfix /var/spool/MailScanner/spamassassin

Now edit /etc/MailScanner/MailScanner.conf and set the following lines as shown:

Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 120
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Now configure SASL authentication.

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd. It should look like this:

# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

Next edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid, so that it reads:

PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

Now populate your system with real users. Set the users’ shell to /bin/false to avoid security holes.

Next fill /etc/postfix/virtual as you like. I love Webmin for this. You can edit it directly too, of course. However, webmin does a great job.

Gotcha: “some.domain” etc. cannot be equal to anything mentioned in the “mydestination” line in /etc/postfix/main.cf.

Mine has the following structure:

some.domain	virtual domain
some.other.domain	virtual domain
some.really.other.domain	virtual domain
user@some.domain		user
otheruser@some.domain	otheruser
user@some.other.domain	user
otheruser@some.other.domain	otheruser
somealias@some.other.domain	user
info@some.other.domain	someoneidontlike
info@some.domain	someoneidontlike otheruser@foo.bar
differentuser@some.domain	differentuser	differentusers@home.address	someoneidontlike
@some.really.other.domain		someoneidontlike		someoneidontlikes@home.address

and so on. So I only have to set an alias for root and postmaster in /etc/aliases. All other aliases should be in this file.

Forwarding and delivering mail to multiple addresses and so forth can (and should, I believe) be set in this file too.

I use webmin for this job (and many other jobs).

Note that in this kind of setup your users can have as many aliases as they like (until you get sick of them), but for each user you still have to add a real user, with a home directory.

Don’t forget to do

postmap /etc/postfix/virtual

when you are done.
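
The gotcha above (a virtual alias domain that also appears in mydestination) and a second common slip (an alias whose domain is never declared as a virtual domain in the file) are both easy to check mechanically before you run postmap. The following script is an added example, not part of the original article or of Postfix; the virtual file it writes is constructed after the structure shown above, the line for sales@unlisted.domain is a deliberate mistake for the check to find, and the mydestination value is made up so that it repeats one of the domains.

```shell
#!/bin/sh
# Added consistency checks for /etc/postfix/virtual; example code written for
# this article, not part of Postfix. Lines whose first field has no "@" are
# virtual alias domain declarations; everything else is an alias entry.

# virtual_domains FILE: the domains the file declares (first field without "@").
virtual_domains() {
    awk '/^[ \t]*#/ || NF == 0 { next } $1 !~ /@/ { print $1 }' "$1"
}

# undeclared_alias_domains FILE: aliases whose domain part is never declared
# in the same file. Mail for such an address is not accepted, because the
# domain is in neither virtual_alias_domains nor mydestination.
undeclared_alias_domains() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 !~ /@/ { declared[$1] = 1; next }
        { n = split($1, p, "@"); k++; lhs[k] = $1; dom[k] = p[n] }
        END { for (i = 1; i <= k; i++) if (!(dom[i] in declared)) print lhs[i] }
    ' "$1"
}

# mydestination_conflicts FILE "MYDESTINATION": domains that appear both as a
# virtual alias domain and in mydestination (the gotcha above; Postfix logs a
# warning about them). Pass the output of "postconf -h mydestination".
mydestination_conflicts() {
    virtual_domains "$1" | awk -v dest="$2" '
        BEGIN { n = split(dest, d, "[, ]+"); for (i = 1; i <= n; i++) if (d[i] != "") in_dest[d[i]] = 1 }
        ($1 in in_dest)
    '
}

# Constructed sample in the layout of the article's /etc/postfix/virtual.
VIRTUAL_FILE=$(mktemp)
trap 'rm -f "$VIRTUAL_FILE"' EXIT
cat > "$VIRTUAL_FILE" <<'EOF'
some.domain                 virtual domain
some.other.domain           virtual domain
user@some.domain            user
otheruser@some.domain       otheruser
info@some.domain            someoneidontlike otheruser@foo.bar
sales@unlisted.domain       user
@some.other.domain          someoneidontlike
EOF
# Constructed mydestination value that repeats one of the virtual domains.
MYDEST='gateway.example.com, localhost.localdomain, localhost, some.domain'

echo "virtual alias domains:";          virtual_domains "$VIRTUAL_FILE"
echo "aliases for undeclared domains:"; undeclared_alias_domains "$VIRTUAL_FILE"
echo "also listed in mydestination:";   mydestination_conflicts "$VIRTUAL_FILE" "$MYDEST"
```

Run it against the real file with `mydestination_conflicts /etc/postfix/virtual "$(postconf -h mydestination)"`; both checks should print nothing before you run postmap.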

Now we want some rules for spamassassin to do a better job.

First edit /etc/MailScanner/spam.assassin.prefs.conf. Comment out “dcc_path /usr/bin/dccproc”  (this is a workaround, please contribute to this if you can).

Next do:

cd /root

wget http://www.fsl.com/support/Rules_Du_Jour.tar.gz

tar -zxvf Rules_Du_Jour.tar.gz

cd rules_du_jour

mkdir /etc/rulesdujour

cp config /etc/rulesdujour/config

cp rules_du_jour /usr/bin

cp rules_du_jour_wrapper /etc/cron.daily

cd /etc/spamassassin

mkdir old

mv *.cf old

/etc/cron.daily/rules_du_jour_wrapper

sa-update

Now make the last command a cron job, say once a week.

Next do:

ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/spamassassin/mailscanner.cf

Check your /etc/default/spamassassin. It should look like this:

# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# Change to one to enable spamd
ENABLED=0
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 2 --helper-home-dir"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
# NICE="--nicelevel 15"

Next we configure the DHCP server.

Edit /etc/dhcp3/dhcpd.conf. Mine now looks like this:

# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
	option netbios-name-servers 192.168.1.1;
	option domain-name-servers 192.168.1.1;
	option domain-name "your.domain.here";
	option broadcast-address 192.168.1.255;
	option routers 192.168.1.1;
	range 192.168.1.100 192.168.1.130;
	}

Edit /etc/default/dhcp3-server. It should read

INTERFACES=eth1

Then start it:

/etc/init.d/dhcp3-server start

Next do:

cd /root

wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z

gunzip dcc.tar.Z

tar -xvf dcc.tar

cd dcc-1.3.45     ##or whatever version is current.

./configure

make

make install

Now edit /etc/default/mailscanner. It should look like this:

# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
#
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X").  Since it is a batch oriented task,
# there it can easily give up some CPU cycles to more interactive
# tasks.
#
run_nice=5
#
# Uncomment this line once MailScanner has been fully configured.
#
run_mailscanner=1

Next edit /etc/courier/imapd-ssl and change the following:

TLS_CERTFILE=/etc/apache2/ssl/apache.pem

Now do the same with your /etc/courier/pop3d-ssl.

Next do:

shutdown -r now

and wait until it is up again.

Now you have to send each real user a welcome message, which creates the Maildir structure in their home directories that they need before they can log in to their accounts. You can use Webmin’s Postfix module for this.

No need to send anything to their aliases.

Your Webmail Server is located at https://your.domain/webmail (first send those messages!).

Munin is at http://your.domain/munin

Webmin is at https://your.domain:10000

If you haven’t set any domains, use https://192.168.1.1/webmail etc.

Check that you can login to your webmail and actually send and receive mail within your local network.

If you’re satisfied, open port 25 on your firewall for incoming tcp traffic (postfix) and port 6277 (dcc) for incoming udp traffic.

You may wish to make your webmail server available to your users from the outside world.
Open port 443 (Apache SSL) for incoming TCP traffic as well. Opening port 993 for TCP connections is also a good idea, as it enables IMAPS.

My /etc/shorewall/rules now looks like this (just to begin with; all firewall settings shown in this article are just meant to get you up and running, you might want to adjust them once you are done!):

#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept DNS connections from the firewall to the network
#
ACCEPT	net	$FW	tcp	25
ACCEPT	net	$FW	tcp	443
ACCEPT	net	$FW	udp	6277
DNS/ACCEPT	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH/ACCEPT	loc		$FW
#
#	Allow Ping from the local network
#
Ping/ACCEPT	loc		$FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT	net		$FW
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		net		icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
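
Before you open more ports it helps to see at a glance which services the rules file exposes to the net zone, and to confirm that the policy file still ends in the catch-all REJECT (Shorewall uses the first matching policy, so anything after that line is never reached and without it unmatched traffic falls back to defaults). The following shell script is an added example written for this article, not code from the original page or from Shorewall; it parses files in the column layout shown above, and the rules and policy it writes to temporary files are constructed, shortened copies of the ones above.

```shell
#!/bin/sh
# Added audit for the Shorewall two-interface setup above; example code, not
# part of the article or of Shorewall. Point it at /etc/shorewall/rules and
# /etc/shorewall/policy once the constructed samples below behave as expected.

# net_exposure RULESFILE: one line per rule that lets traffic in from the
# "net" zone (ACTION proto/port -> DEST). Comments, blank lines and rules
# whose action is REJECT, DROP or a macro such as Ping/REJECT are skipped.
net_exposure() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $2 == "net" && ($1 == "ACCEPT" || $1 == "DNAT") {
            port = ($5 == "") ? "-" : $5      # GRE (proto 47) has no port column
            printf "%s %s/%s -> %s\n", $1, $4, port, $3
        }
    ' "$1"
}

# policy_terminates POLICYFILE: exit 0 only when the last active line is the
# catch-all "all all REJECT" (or "all all DROP").
policy_terminates() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { last = $1 " " $2 " " $3 }
        END { exit !(last == "all all REJECT" || last == "all all DROP") }
    ' "$1"
}

# Constructed samples in the layout of the article's files (shortened).
RULES_FILE=$(mktemp); POLICY_FILE=$(mktemp); BAD_POLICY_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE" "$POLICY_FILE" "$BAD_POLICY_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
#ACTION     SOURCE  DEST            PROTO   DEST
#                                           PORT
ACCEPT      net     $FW             tcp     25
ACCEPT      net     $FW             tcp     443
ACCEPT      net     $FW             udp     6277
DNAT        net     loc:192.168.1.1 tcp     1723
DNAT        net     loc:192.168.1.1 47
DNS/ACCEPT  $FW     net
SSH/ACCEPT  loc     $FW
Ping/REJECT net     $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
cat > "$POLICY_FILE" <<'EOF'
loc   net   ACCEPT
loc   $FW   ACCEPT
$FW   all   REJECT  info
net   all   DROP    info
all   all   REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF
# The same policy with the catch-all removed: the check must fail on this one.
grep -v '^all' "$POLICY_FILE" > "$BAD_POLICY_FILE"

echo "Services reachable from the net zone:"
net_exposure "$RULES_FILE"
if policy_terminates "$POLICY_FILE"; then echo "policy: catch-all present"; fi
if policy_terminates "$BAD_POLICY_FILE"; then :; else echo "bad policy: catch-all missing"; fi
```

The first function is the list you compare against what you intended to publish (25, 443, 6277 so far); the second is the check to rerun after every edit of the policy file.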

Restart the firewall:

/etc/init.d/shorewall restart

Next do:

/var/dcc/libexec/updatedcc

Now we configure your VPN Server.

Edit /etc/pptpd.conf. It should look like this now:

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
#	Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
#	Specifies the location of the PPP options file.
#	By default PPP looks in '/etc/ppp/options'
#
option	/etc/ppp/options.pptpd
# TAG: debug
#	Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
#	Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam
# TAG: logwtmp
#	Use wtmp(5) to record client connections and disconnections.
#
# logwtmp        ## comment this out!! broken deb package!!
# TAG: bcrelay 
#	Turns on broadcast relay to clients from interface 
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
#	Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#	You can specify single IP addresses seperated by commas or you can
#	specify ranges, or both. For example:
#
#		192.168.0.234,192.168.0.245-249,192.168.0.254
#
#	IMPORTANT RESTRICTIONS:
#
#	1. No spaces are permitted between commas or within addresses.
#
#	2. If you give more IP addresses than MAX_CONNECTIONS, it will
#	   start at the beginning of the list and go until it gets 
#	   MAX_CONNECTIONS IPs. Others will be ignored.
#
#	3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#	   you must type 234-238 if you mean this.
#
#	4. If you give a single localIP, that's ok - all local IPs will
#	   be set to the given one. You MUST still give at least one remote
#	   IP for each simultaneous client.
#
# (Recommended)
localip	192.168.1.1
remoteip	192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed	115200
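
Because remoteip hands VPN clients addresses out of the LAN range (as the comments above recommend when you use proxyarp), those addresses must stay out of the DHCP pool configured earlier (range 192.168.1.100 192.168.1.130); otherwise a road warrior and an office PC can end up with the same address. The following script is an added example, not part of the original article or of pptpd/dhcpd: it expands both pools and lists every address that is in both. The dhcpd.conf excerpt it writes is constructed; the first remoteip value is the article's own, the second is a made-up one that collides with the pool.

```shell
#!/bin/sh
# Added check that the pptpd client pool (remoteip in /etc/pptpd.conf) and
# the DHCP pool (range in /etc/dhcp3/dhcpd.conf) never hand out the same LAN
# address. Example code for this article, not part of pptpd or dhcpd.

# expand_pptp_range SPEC: every address named by a pptpd localip/remoteip
# value, one per line. Handles the syntax documented in pptpd.conf above:
# comma-separated entries, each a single address or "a.b.c.d-e" where e is
# a last-octet shorthand (192.168.1.90-99).
expand_pptp_range() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            split($i, o, ".")                      # o[4] is "90-99" or "254"
            if (split(o[4], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
            else { lo = hi = o[4] + 0 }
            for (x = lo; x <= hi; x++) printf "%s.%s.%s.%d\n", o[1], o[2], o[3], x
        }
    }'
}

# expand_dhcp_pool DHCPDCONF: every address covered by each "range A B;"
# statement (assumes the plain two-address form used in the article).
expand_dhcp_pool() {
    awk '$1 == "range" {
        sub(/;$/, "", $3)
        split($2, a, "."); split($3, b, ".")
        lo = ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        hi = ((b[1] * 256 + b[2]) * 256 + b[3]) * 256 + b[4]
        for (x = lo; x <= hi; x++)
            printf "%d.%d.%d.%d\n", int(x / 16777216) % 256, int(x / 65536) % 256, int(x / 256) % 256, x % 256
    }' "$1"
}

# pool_overlap DHCPDCONF REMOTEIP: addresses present in both pools; empty
# output means the pools are disjoint.
pool_overlap() {
    _pool=$(mktemp)
    expand_dhcp_pool "$1" > "$_pool"
    expand_pptp_range "$2" | awk 'NR == FNR { pool[$1] = 1; next } ($1 in pool)' "$_pool" -
    rm -f "$_pool"
}

# Constructed excerpt in the layout of the article's /etc/dhcp3/dhcpd.conf.
DHCPD_CONF=$(mktemp)
trap 'rm -f "$DHCPD_CONF"' EXIT
cat > "$DHCPD_CONF" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        range 192.168.1.100 192.168.1.130;
        }
EOF
REMOTEIP='192.168.1.90-99'                        # the article's value: disjoint
BAD_REMOTEIP='192.168.1.95-105,192.168.1.254'     # constructed: collides on .100-.105

echo "pptpd clients: $(expand_pptp_range "$REMOTEIP" | awk 'END { print NR }') addresses"
echo "DHCP pool:     $(expand_dhcp_pool "$DHCPD_CONF" | awk 'END { print NR }') addresses"
echo "overlap with $REMOTEIP: $(pool_overlap "$DHCPD_CONF" "$REMOTEIP" | awk 'END { print NR }') addresses"
echo "overlap with $BAD_REMOTEIP:"; pool_overlap "$DHCPD_CONF" "$BAD_REMOTEIP"
```

On the real server, feed it the remoteip line from /etc/pptpd.conf: `pool_overlap /etc/dhcp3/dhcpd.conf "$(awk '$1 == "remoteip" { print $2 }' /etc/pptpd.conf)"` should print nothing.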

Next edit /etc/ppp/options. It should look like this:

lock

Now do:

touch /etc/ppp/options.pptpd

Now edit /etc/ppp/options.pptpd. It should look like this:

lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp

Next, edit /etc/ppp/chap-secrets. It should look like this:

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
user  pptp-vpn  abcdefg  "*"

Now do:

/etc/init.d/pptpd restart

You should now be able to set up a VPN connection from inside your firewall as “user” with password “abcdefg” (without the quotes). Change this initial username and password and add some users, if you like. Maybe you’ll have to reboot some machines to make it work.

Now open your firewall for vpn connections. To do this, set your /etc/shorewall/rules as shown.

My /etc/shorewall/rules at this time:

#############################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#
#	Accept DNS connections from the firewall to the network
#
ACCEPT	net	$FW	tcp	25
ACCEPT	net	$FW	tcp	443
ACCEPT	net	$FW	tcp	993
ACCEPT	net	$FW	udp	6277
DNAT	net	loc:192.168.1.1	tcp	1723
DNAT	net	loc:192.168.1.1	47
DNS/ACCEPT	$FW		net
#
#	Accept SSH connections from the local network for administration
#
SSH/ACCEPT	loc		$FW
#
#	Allow Ping from the local network
#
Ping/ACCEPT	loc		$FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

To complete this step, do:

/etc/init.d/shorewall restart
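Before restarting Shorewall it is worth checking that the rules file really carries both halves of PPTP, tcp/1723 and GRE (protocol 47), to the same host, and listing everything the net zone may reach. This is an added example, not part of the howto or of Shorewall; the embedded rules are a constructed copy of the ones above.

```python
# Added example (not from the howto): parse a Shorewall rules file and
# review what the "net" zone is allowed to reach.
RULES = """\
#ACTION     SOURCE  DEST             PROTO  DEST PORT
ACCEPT      net     $FW              tcp    25
ACCEPT      net     $FW              tcp    443
ACCEPT      net     $FW              tcp    993
ACCEPT      net     $FW              udp    6277
DNAT        net     loc:192.168.1.1  tcp    1723
DNAT        net     loc:192.168.1.1  47
DNS/ACCEPT  $FW     net
SSH/ACCEPT  loc     $FW
Ping/ACCEPT loc     $FW
"""


def parse_rules(text: str) -> list:
    """Split a rules file into dicts; comments and blank lines are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rules.append({
            "action": f[0], "source": f[1], "dest": f[2],
            "proto": f[3].lower() if len(f) > 3 else "-",
            "port": f[4] if len(f) > 4 else "-",
        })
    return rules


def inbound_from_net(rules: list) -> list:
    """Every rule that lets the Internet zone in: the list a reviewer reads first."""
    return [(r["action"], r["dest"], r["proto"], r["port"]) for r in rules
            if r["source"] == "net" and r["action"].split("/")[-1] in ("ACCEPT", "DNAT")]


def pptp_reachable(rules: list) -> bool:
    """True when tcp/1723 and GRE from net both land on the same destination.
    Forgetting the GRE rule is the classic reason a PPTP tunnel authenticates
    and then hangs."""
    tcp = {r["dest"] for r in rules
           if r["source"] == "net" and r["proto"] == "tcp" and r["port"] == "1723"}
    gre = {r["dest"] for r in rules
           if r["source"] == "net" and r["proto"] in ("47", "gre")}
    return bool(tcp & gre)
```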

So now your customers will be able to do their job at home as well.

Note that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the de facto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.

Next do:

cd /root

Version numbers in the next commands apply to the latest stable source at the time of writing this article. Adjust as needed.

wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.7.tar.gz

Like before, pick a mirror close to you.

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav

tar -zxvf clamav-0.88.7.tar.gz

cd clamav-0.88.7

./configure --sysconfdir=/etc

make

make install

touch /var/log/freshclam.log

chmod 600 /var/log/freshclam.log

chown clamav /var/log/freshclam.log

Now edit /etc/clamd.conf. Comment out “EXAMPLE” (without quotes). Next do the same in /etc/freshclam.conf.

Next do:

/usr/local/bin/freshclam

Now make this a cron job and run it every hour. Preferably not on the hour or anywhere near, as the clamav servers will be flooded when everybody does so. Choose a smart time for this job. The service is absolutely FREE! Let’s keep it that way.

/etc/init.d/mailscanner restart

Now I want to do some perl jobs. If you actually use the ancient hardware I did to make this tuto, be advised that it is going to take some time.

Note that you can do without this, for starters. You may wish to schedule this job anywhere soon. If you choose so, you are

DONE!

Alternatively go all the way right now and do:

perl -MCPAN -e shell

Accept all defaults, except for the question where you can answer “UNINST=1” (without the quotes). I think it is best to actually do UNINST=1.

Now do:

install ExtUtils::CBuilder

reload cpan

The “reload cpan” command should be given right after each step in the cpan shell. Better safe than sorry. I only mention this once.

install ExtUtils::MakeMaker

As a result of the next commands you will be asked some questions. Just hit “enter” in all cases.

install Bundle::CPAN

install Bundle::LWP

install Mail::ClamAV

Now leave the cpan shell:

q

/etc/init.d/mailscanner restart

Now clean your /root directory. That’s where all the downloads went.

Warning!!! Don’t install Mail::SpamAssassin from cpan alongside the ubuntu spamassassin package as it will break your system. No more rules du jour, and the rules, my friends, that’s what it is mostly about!

If you really want Mail::SpamAssassin from cpan, you will have to purge your spamassassin package and compile, install and configure it from the latest stable source, which at the time of writing is version 3.1.7.

Samba is installed. As every setup of Samba is unique, I can’t help you out here. Don’t know how to do it? This is a good starting point.

Done!
