
The Perfect Server – Mandriva 2010.0 Free (x86_64) [ISPConfig 2]


This tutorial shows how to set up a Mandriva 2010.0 Free (x86_64) server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig 2 (i.e., ISPConfig runs on it out of the box). This tutorial is written for the 64-bit version of Mandriva 2010.0.

I will use the following software:

  • Web Server: Apache 2 (with PHP5, Ruby, Python, and WebDAV)
  • Mail Server: Postfix
  • DNS Server: BIND9
  • FTP Server: proftpd
  • POP3/IMAP server: Dovecot
  • Webalizer for web site statistics

Please note that this setup does not work for ISPConfig 3! It is valid for ISPConfig 2 only!

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this example I will use the following settings for my system:

  • IP address: 192.168.0.100, gateway: 192.168.0.1
  • Host name: server1.example.com

Your settings will most likely differ, so you might have to adjust the instructions from this tutorial.

 

2 Requirements

To install such a system you will need the following:

  • Download the Mandriva 2010.0 DVD iso image or the Mandriva 2010.0 CD iso images from a mirror near you (you can find the download here: http://www.mandriva.com/en/download); I have used the Mandriva 2010.0 DVD for this tutorial.
  • a fast Internet connection…

 

3 The Base System

Boot from your Mandriva 2010.0 DVD or CD (the first one). Select Install Mandriva Linux 2010 and press Enter:


Choose your language next:


Accept the license and click on Next:


Select your keyboard layout:


Select your keyboard layout:


Now we have to partition our hard disk. You can choose to let the Mandriva installer do the partitioning, or you can do it yourself. I want to create a small /boot partition (about 150 MB) with the file system ext4, a swap partition and a huge / partition (again with ext4):


Afterwards, the new partitions are being formatted:


We don’t have any other installation media, so we select None and click on Next:


We don’t want a desktop on a server system, therefore we select Custom on this screen:


Now we select the package groups we want to install. Select Internet station, Network Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database, Firewall/Router and Network Computer server, unselect all other package groups, and click on Next:


The package installation starts:


Afterwards, provide a root password and create another user (e.g. administrator) and click on Next:


Now the installer presents us a summary of the installation and gives us the possibility to change settings by clicking on the appropriate Configure button. First of all we configure the time zone we’re in:


Select your time zone:


On the next screen select hardware clock set to UTC, Automatic time synchronization (using NTP), and for NTP Server choose All servers:


Next we make sure that the Security Level is set to Standard (all other security levels are too restrictive):


Next we modify the firewall settings:


ISPConfig comes with its own firewall, so if you want to install ISPConfig, select Everything (no firewall) to disable the firewall. Otherwise, configure the firewall to your needs:


Finally we change our network settings. Click on the Configure button next to Network – ethernet:


Select Wired (Ethernet) unless you’re using something different:


Select the network interface that you want to configure:


We want to assign a static IP address to our network interface (remember, we’re installing a server…), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose Manual configuration:


Now enter the IP address, Netmask, and Gateway. Also enter the Host name (e.g. server1.example.com) and up to two DNS servers (e.g. 145.253.2.75 and 213.191.92.86):


Do not allow users to start the connection. It’s a server, and servers are always online (at least, they should be…). But select Start the connection at boot:


Choose to start the network connection now:


In my setup I got the message that the Internet connectivity test failed – I’m not sure if this is a bug in the Mandriva installer, or if there was a temporary problem with my Internet connection at that time; anyway, the Internet connection was working without any problems after the initial installation, so if you see this message, don’t let it fool you:


We’ve now made all necessary configurations, so we can leave the summary screen by clicking on Next:


Now you can download the latest updates. Please note: this is optional. We are going to create a cron job which will update our system automatically, so you can select No here:


The base installation is now finished; you can remove the CD or DVD and reboot the system:


Now on to the system configuration…

Please note that root logins via SSH are disabled by default on Mandriva 2010.0. If you want to log in over SSH, log in as a normal user first (because I created the normal user account administrator during the installation, I use administrator to log in) and then run

su

to become root.

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1

5 Setting The Hostname

You can check the current hostname with the commands

hostname
hostname -f

Both commands should show server1.example.com.

If the output shows a wrong hostname, you can set the correct one like this:

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

To have the system set the correct hostname whenever you boot the system, we add the last command to /etc/rc.local:

vi /etc/rc.local

[...]
/bin/hostname -F /etc/hostname

 

 

6 Configure urpmi

By default, Mandriva 2010.0 uses the installation DVD as its only software repository which is inconvenient if the server is in a remote location. Therefore we disable the DVD and enable the Mandriva online repositories:

urpmi.removemedia -a && urpmi.addmedia --distrib --mirrorlist

 

6.1 Creating An Auto-Update Script

Now we create a script /etc/cron.daily/software_update that cron will run automatically every day to look for and install the latest software updates on your Mandriva 2010.0 system. The script looks like this:

vi /etc/cron.daily/software_update

#!/bin/bash
urpmi --auto-update --update  --auto

Make the script executable:

chmod 755 /etc/cron.daily/software_update

7 Install Some Packages

Now we install a few packages that are needed later on:

urpmi fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex lib64xorg-x11-devel gcc gcc-c++

 

8 Journaled Quota

To install the quota package, run

urpmi quota

Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# Entry for /dev/sda6 :
UUID=5655e2e6-9865-41be-aafb-ef9111b7b6f9 / ext4 relatime,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 1 1
# Entry for /dev/sda1 :
UUID=93aca769-d885-4694-a1c6-1df246caa426 /boot ext4 relatime 1 2
/dev/cdrom /media/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/fd0 /media/floppy auto umask=0,users,iocharset=utf8,noauto,exec,flush 0 0
none /proc proc defaults 0 0
# Entry for /dev/sda5 :
UUID=5751d7b7-9d7a-48bf-aedb-48a9bda0a308 swap swap defaults 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

 

9 DNS Server

To install the BIND DNS server, run:

urpmi bind

Mandriva 2010.0’s BIND is running chrooted by default, therefore we need to create a few symlinks so that ISPConfig (if you want to install it) can deal with it:

cd /var/lib/named/var
mkdir -p lib/named/var
cd lib/named/var
ln -s ../../../named/ named
ln -s ../../../run/ run
cp /var/lib/named/var/named/reverse/named.local /var/lib/named/var/named/

Next we create the system startup links for BIND…

chkconfig named on

… and start it:

/etc/init.d/named start

10 MySQL 5

To install MySQL 5, we simply run:

urpmi MySQL MySQL-client lib64mysql-devel

By default, networking is not enabled in Mandriva 2010.0’s MySQL package, but networking is required by ISPConfig. We can change this by commenting out the line skip-networking in /etc/my.cnf.

vi /etc/my.cnf

[...]
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
[...]

Afterwards, we create the system startup links for MySQL…

chkconfig mysqld on

… and start it:

/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[root@server1 var]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      2538/mysqld
tcp        0      0 *:mysql-im                  *:*                         LISTEN      2529/mysqlmanager
[root@server1 var]#

Next, run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).
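
The netstat output above shows mysqld and mysqlmanager bound to * (every interface), and the firewall may have been disabled during installation. As an added example (not part of the original tutorial), the script below parses netstat -tap style output and lists wildcard listeners that are not on an allow-list. The function names, the allow-list, and the httpd and smtp sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find TCP services listening on every interface.
# Function names and the allow-list are illustrative assumptions.

# Sample input: the two MySQL lines are from the tutorial's output; the httpd
# and loopback-only smtp lines are constructed for contrast.
SAMPLE_NETSTAT='tcp        0      0 *:mysql                     *:*                         LISTEN      2538/mysqld
tcp        0      0 *:mysql-im                  *:*                         LISTEN      2529/mysqlmanager
tcp        0      0 *:http                      *:*                         LISTEN      3012/httpd
tcp        0      0 localhost.localdomain:smtp  *:*                         LISTEN      2201/master'

# wildcard_listeners NETSTAT_OUTPUT
# Print "service program" for each TCP socket in LISTEN state whose local
# address is a wildcard (*, 0.0.0.0, :: or [::]).
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The service is everything after the last colon of the address.
            n = split($4, parts, ":")
            service = parts[n]
            host = substr($4, 1, length($4) - length(service) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "::" || host == "[::]") {
                prog = $7
                sub(/^[0-9]+\//, "", prog)   # drop the PID, keep the program name
                print service, prog
            }
        }'
}

# unexpected_listeners NETSTAT_OUTPUT "allowed services"
# Print wildcard listeners whose service name is not in the allow-list.
unexpected_listeners() {
    wildcard_listeners "$1" | while read -r service prog; do
        case " $2 " in
            *" $service "*) ;;                 # expected to be public
            *) echo "$service ($prog)" ;;
        esac
    done
}

# Demo: only http and smtp are meant to be reachable from outside (assumption).
unexpected_listeners "$SAMPLE_NETSTAT" "http smtp"
```

On a live system, pass "$(netstat -tap)" as the first argument instead of the sample.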

 

11 Postfix With SMTP-AUTH And TLS; Dovecot

Install the required packages (Postfix, cyrus-sasl, Dovecot, etc.) like this:

urpmi cyrus-sasl lib64sasl2 lib64sasl2-devel lib64sasl2-plug-plain lib64sasl2-plug-anonymous lib64sasl2-plug-crammd5 lib64sasl2-plug-digestmd5 lib64sasl2-plug-gssapi lib64sasl2-plug-login postfix dovecot

Then run:

postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
touch /etc/postfix/local-host-names

Then we set the hostname in our Postfix installation (make sure you replace server1 and example.com with your own settings):

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'

Edit /etc/sasl2/smtpd.conf. It should look like this:

vi /etc/sasl2/smtpd.conf

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl/options.html

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list:         plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method:    saslauthd
saslauthd_path:    /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method:    auxprop
#auxprop_plugin:    sasldb
#sasldb_path:       /var/lib/sasl2/sasl.db

Create the SSL certificate needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

… and configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Next we must configure Dovecot to serve the protocols imap, imaps, pop3, and pop3s. Open /etc/dovecot.conf and adjust the following values:

vi /etc/dovecot.conf

[...]
protocols = imap imaps pop3 pop3s
[...]
disable_plaintext_auth = no
[...]
  pop3_uidl_format = %08Xu%08Xv
[...]

Now we must tell the system to start Dovecot only after ntpd has started because Dovecot isn’t very forgiving if your system’s time moves backwards while Dovecot is running (see http://wiki.dovecot.org/TimeMovedBackwards). This might cause errors like the following in your syslog:

Apr  9 19:29:18 server1 dovecot: Time just moved backwards by 17 seconds. This might
cause a lot of problems, so I'll just kill myself now. http://wiki.dovecot.org/TimeMovedBackwards

Unfortunately, on Mandriva Dovecot is started before ntpd, so we change it like this:

cd /etc/rc3.d
mv S99ntpd S98ntpd
cd /etc/rc4.d
mv S99ntpd S98ntpd
cd /etc/rc5.d
mv S99ntpd S98ntpd

Then we create the system startup links for Postfix…

chkconfig postfix on

… and (re)start Postfix, saslauthd, and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/dovecot restart

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine:

[root@server1 ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (2.6.5) (Mandriva Linux)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ~]#

Type

quit

to return to the system’s shell.
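
The same check can be scripted so that it is repeatable after configuration changes. The following is an added example, not part of the original tutorial: it parses a pre-TLS EHLO reply, confirms that STARTTLS is offered, and reports whether PLAIN or LOGIN are advertised before encryption, which is the case with smtpd_tls_auth_only = no as set above. The function names are illustrative, and HARDENED_EHLO is a constructed reply that assumes smtpd_tls_auth_only = yes.

```shell
#!/bin/sh
# Added example: audit what an SMTP server advertises before STARTTLS.
# Function names are illustrative, not part of Postfix or the tutorial.

# Sample input: the EHLO reply from the tutorial's telnet session.
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Constructed sample: the same reply without AUTH lines, as expected when
# smtpd_tls_auth_only = yes hides AUTH until TLS is active (assumption).
HARDENED_EHLO=$(printf '%s\n' "$SAMPLE_EHLO" | grep -v 'AUTH')

# Strip the CRs that end SMTP lines on the wire.
normalize() {
    printf '%s\n' "$1" | tr -d '\r'
}

# ehlo_has REPLY KEYWORD: succeed if the reply lists the ESMTP keyword.
ehlo_has() {
    normalize "$1" | grep -Eiq "^250[- ]$2( |\$)"
}

# ehlo_auth_mechs REPLY: print the advertised SASL mechanisms, one per line.
# Handles both "AUTH x y" and the legacy "AUTH=x y" form.
ehlo_auth_mechs() {
    normalize "$1" | awk '
        { line = toupper($0) }
        line ~ /^250[- ]AUTH[ =]/ {
            sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, /[ \t]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' | sort -u
}

# audit_pre_tls_ehlo REPLY: print a verdict; return 0 (ok), 1 (warn), 2 (fail).
audit_pre_tls_ehlo() {
    if ! ehlo_has "$1" STARTTLS; then
        echo "FAIL: STARTTLS not offered"
        return 2
    fi
    cleartext=""
    # PLAIN and LOGIN send the password merely base64-encoded.
    for mech in $(ehlo_auth_mechs "$1"); do
        case "$mech" in
            PLAIN|LOGIN) cleartext="$cleartext $mech" ;;
        esac
    done
    if [ -n "$cleartext" ]; then
        echo "WARN: password mechanisms offered before STARTTLS:$cleartext"
        return 1
    fi
    echo "OK: STARTTLS offered, no password mechanisms before TLS"
}

audit_pre_tls_ehlo "$SAMPLE_EHLO" || true
audit_pre_tls_ehlo "$HARDENED_EHLO" || true
```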

 

11.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir (you can also do this if you use ISPConfig – it doesn’t hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

12 Apache2 With PHP5, Ruby, And Python

To install Apache2, PHP5, and Ruby, run the following command (in one line):

urpmi apache-mod_suexec apache-mod_ssl apache-mod_php apache-mod_ruby apache-mod_python lib64php5_common5 php-bz2 php-calendar php-ctype php-curl php-devel php-dio php-dom php-eaccelerator php-enchant php-esmtp php-event php-exif php-fam php-ffmpeg php-fileinfo php-filepro php-ftp php-gd php-gettext php-gmp php-iconv php-id3 php-idn php-imap php-imlib2 php-mailparse php-mbstring php-mcache php-mcrypt php-ming php-mysql php-mysqli php-newt php-odbc php-oggvorbis php-pcntl php-pcre php-pear-Net_IDNA php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-ssh2 php-suhosin php-sysvmsg php-sysvsem php-sysvshm php-tclink php-tcpwrap php-tidy php-xml php-xmlrpc php-zip php-ini curl lib64curl4-devel perl-libwww-perl ImageMagick

Create the system startup links for Apache…

chkconfig httpd on

… and start it:

/etc/init.d/httpd restart

 

12.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

Edit /etc/httpd/modules.d/70_mod_php.conf and comment out the AddType lines:

vi /etc/httpd/modules.d/70_mod_php.conf

<IfDefine HAVE_PHP5>
    <IfModule !mod_php5.c>
        LoadModule php5_module    extramodules/mod_php5.so
    </IfModule>
</IfDefine>

<IfModule mod_mime.c>
#    AddType application/x-httpd-php .php
#    AddType application/x-httpd-php .phtml
#    AddType application/x-httpd-php-source .phps
</IfModule>

<IfModule mod_php5.c>
    <IfModule mod_dir.c>
        DirectoryIndex index.php index.phtml
    </IfModule>
</IfModule>

Edit /etc/httpd/conf/httpd.conf and add the following line to the LoadModule section:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule php5_module    extramodules/mod_php5.so
[...]

(Although this line is already in /etc/httpd/modules.d/70_mod_php.conf this is very important because otherwise the command

httpd -t

will report errors instead of Syntax OK when the virtual hosts created by ISPConfig contain lines like php_admin_flag safe_mode On or the like!)

Restart Apache:

/etc/init.d/httpd restart

 

12.2 Disable Ruby Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure Ruby on a per-website basis, i.e. you can specify which website can run Ruby scripts and which one cannot. This can only work if Ruby is disabled globally because otherwise all websites would be able to run Ruby scripts, no matter what you specify in ISPConfig.

vi /etc/httpd/modules.d/20_mod_ruby.conf

Comment out or delete everything in that file except the following lines:

<IfDefine HAVE_RUBY>
    <IfModule !mod_ruby.c>
        LoadModule ruby_module  extramodules/mod_ruby.so
    </IfModule>
</IfDefine>

Then restart Apache:

/etc/init.d/httpd restart

 

12.3 Enabling WebDAV Support

Since version 2.2.30 of ISPConfig, you can manage WebDAV through ISPConfig. Of course, this works only if WebDAV is installed and enabled in Apache. To install WebDAV, we run

urpmi apache-mod_dav

Next we open /etc/httpd/conf/httpd.conf and uncomment the following three lines in the LoadModule section (make sure you delete the following string at the end of these lines because otherwise Apache might complain about a syntax error: -> available in the apache-mod_dav package):

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
[...]

Then restart Apache:

/etc/init.d/httpd restart

 

13 Proftpd

Install Proftpd like this:

urpmi proftpd

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://www.proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

Be sure to comment out the following lines at the end of /etc/proftpd.conf in order to allow ftp users to CHMOD:

[...]
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
#    DenyAll
#</Limit>

Then restart Proftpd:

/etc/init.d/proftpd restart

 

14 Webalizer

Webalizer can be installed as follows:

urpmi webalizer

ln -s /usr/bin/awffull /usr/bin/webalizer

 

15 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

To install all needed Perl Modules, we can use the appropriate Mandriva packages and install them using urpmi:

urpmi perl-HTML-Parser perl-Digest-SHA1 perl-DB_File perl-Net-DNS perl-NetAddr-IP perl-Archive-Tar

 

16 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. You can find the installation instructions here: http://www.ispconfig.org/manual_installation.htm. A First-Steps tutorial can be found here: http://www.Kreationnext.com/ispconfig-2.x-first-steps

Before you install ISPConfig, there’s one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

vi /usr/include/stdio.h

[...]
   This function is not part of POSIX and therefore no official
   cancellation point.  But due to similarity with an POSIX interface
   or due to the implementation it is a cancellation point and
   therefore not marked with __THROW.  */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
                            size_t *__restrict __n,
                            FILE *__restrict __stream) __wur;
#endif
[...]

If you don’t do this, the installation will fail because of the following error:

htpasswd.c:101: error: conflicting types for 'getline'
/usr/include/stdio.h:651: note: previous declaration of 'getline' was here
make[2]: *** [htpasswd.o] Error 1
make[2]: Leaving directory `/home/administrator/install_ispconfig/compile_aps/apache_1.3.41/src/support'
make[1]: *** [build-support] Error 1
make[1]: Leaving directory `/home/administrator/install_ispconfig/compile_aps/apache_1.3.41'
make: *** [build] Error 2
ERROR: Could not make Apache

You can undo the change to /usr/include/stdio.h after the successful ISPConfig installation (but don’t forget to change it back whenever you want to update ISPConfig!).

 

17 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Mandriva’s suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec_log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_SUEXEC_UMASK=077
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"
[root@server1 ~]#

So if you want to use suExec with ISPConfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway so you’ll be able to use suExec in any case).

 

  • Mandriva: http://www.mandriva.com/
  • ISPConfig: http://www.ispconfig.org/

 

 

 

 
