Postserver - med certifikat mm: Difference between revisions

From Skytech
Jump to navigation Jump to search
No edit summary
 
(One intermediate revision by the same user not shown)
Line 31: Line 31:
Filen skal have hele domain navnet
Filen skal have hele domain navnet
<pre>
<pre>
postXX.wwi.dk
postXX.dk
</pre>
</pre>


Line 42: Line 42:
</pre>
</pre>


Herefter kan du tage ssh private og public nøgler fra post01.wwi.dk
Herefter kan du tage ssh private og public nøgler fra post01.dk


Dem skal du ligge i .ssh i /root/
Dem skal du ligge i .ssh i /root/
Line 48: Line 48:
cd
cd
mkdir .ssh
mkdir .ssh
scp -rp post01.wwi.dk:~/.ssh/ .
scp -rp post01.dk:~/.ssh/ .
</pre>
</pre>


Line 57: Line 57:
mkdir baseinstall
mkdir baseinstall
cd baseinstall
cd baseinstall
svn co svn+ssh://svn@svn.wwi.dk/mailsetup/baseinstall .
svn co svn+ssh://svn@svn.dk/mailsetup/baseinstall .
dpkg --set-selections < installed.txt
dpkg --set-selections < installed.txt
apt-get dselect-upgrade
apt-get dselect-upgrade
Line 81: Line 81:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WorldWeb Interactive A/S
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WorldWeb Interactive A/S
Organizational Unit Name (eg, section) []:System
Organizational Unit Name (eg, section) []:System
Common Name (eg, YOUR name) []:hostname.wwi.dk
Common Name (eg, YOUR name) []:hostname.dk
Email Address []:sysadm@wwi.dk
Email Address []:sysadm@dk


</pre>
</pre>
Line 95: Line 95:
cd /etc/exim4/
cd /etc/exim4/
rm -rf conf.d
rm -rf conf.d
svn co svn+ssh://svn@svn.wwi.dk/mailsetup/post .
svn co svn+ssh://svn@svn.dk/mailsetup/post .
</pre>
</pre>


Editer i update-exim4.conf.conf
Editer i update-exim4.conf.conf
<pre>
<pre>
dc_other_hostnames='postXX.wwi.dk'
dc_other_hostnames='postXX.dk'
</pre>
</pre>


Line 124: Line 124:
cd /etc/courier/
cd /etc/courier/
rm -rf *
rm -rf *
svn co svn+ssh://svn@svn.wwi.dk/mailsetup/courier
svn co svn+ssh://svn@svn.dk/mailsetup/courier
</pre>
</pre>


Line 150: Line 150:
mkdir /var/www/.ssh/
mkdir /var/www/.ssh/
mkdir /var/www/squirrelmail/
mkdir /var/www/squirrelmail/
scp -rp mailadmin.wwi.dk:/var/www/.ssh/* /var/www/.ssh/
scp -rp mailadmin.dk:/var/www/.ssh/* /var/www/.ssh/
chown www-data: -R /var/www/.ssh/
chown www-data: -R /var/www/.ssh/
chown www-data: -R /var/www/squirrelmail/
chown www-data: -R /var/www/squirrelmail/
Line 158: Line 158:
<pre>
<pre>
su - www-data
su - www-data
svn co svn+ssh://svn@svn.wwi.dk/mailsetup/squirrelmail
svn co svn+ssh://svn@svn.dk/mailsetup/squirrelmail
</pre>
</pre>


Line 184: Line 184:
<VirtualHost *:80>
<VirtualHost *:80>
RewriteEngine On
RewriteEngine On
RewriteCond %{SERVER_NAME} !post01.wwi.dk
RewriteCond %{SERVER_NAME} !post01.dk
RewriteRule ^(.*)$ https://post01.wwi.dk$1 [L,R]
RewriteRule ^(.*)$ https://post01.dk$1 [L,R]


RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://post01.wwi.dk$1 [L,R]
RewriteRule ^(.*)$ https://post01.dk$1 [L,R]


..
..
Line 205: Line 205:
RewriteEngine On
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://post01.wwi.dk/$1 [L,R]
RewriteRule ^(.*)$ https://post01.dk/$1 [L,R]
ServerAdmin webmaster@wwi.dk
ServerAdmin webmaster@dk
ServerName post01.wwi.dk
ServerName post01.dk


SSLEngine on
SSLEngine on
Line 249: Line 249:


=== mailadmin ===
=== mailadmin ===
For at mailadmin virker som den skal. Skal vi have key auth til root fra mailadmin.wwi.dk<br>
For at mailadmin virker som den skal. Skal vi have key auth til root fra mailadmin.dk<br>
edit /root/.ssh/authorized_keys
edit /root/.ssh/authorized_keys
<pre>
<pre>
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnzEs1SVZhvmaXeO3LiYO4U2q2pppdI57/cnK0ccW7fT1J36fT+4od15isppxc3HilvosY/e9kOEwQTPciEa+NffQ9O5QCroXUyweEZN7HFKFU509drUFrjLgxiAXwbEoQmpysJzPKerqZOzri/Et+kCybvHx4HipshqVHHEQNGvt2b9jk8T7Plia1u2zP941zFh0L5v4QW+UiNO7Zcx4xAXfIjsCOTiw+y0rMop8J3SCrP7jOYRRY8zvCQ7pwS7XINw88LicMuVjgLh1hvZrUB6OnUZaLDA2sh2wFo+rGpeyVYCkU3gjZo04CIfnht56g0yTxALHn+UTX67Ac46AlQ== admin@mailadmin.wwi.dk
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnzEs1SVZhvmaXeO3LiYO4U2q2pppdI57/cnK0ccW7fT1J36fT+4od15isppxc3HilvosY/e9kOEwQTPciEa+NffQ9O5QCroXUyweEZN7HFKFU509drUFrjLgxiAXwbEoQmpysJzPKerqZOzri/Et+kCybvHx4HipshqVHHEQNGvt2b9jk8T7Plia1u2zP941zFh0L5v4QW+UiNO7Zcx4xAXfIjsCOTiw+y0rMop8J3SCrP7jOYRRY8zvCQ7pwS7XINw88LicMuVjgLh1hvZrUB6OnUZaLDA2sh2wFo+rGpeyVYCkU3gjZo04CIfnht56g0yTxALHn+UTX67Ac46AlQ== admin@mailadmin.dk
</pre>
</pre>


Line 259: Line 259:
<pre>
<pre>
mkdir /usr/local/sbin/log
mkdir /usr/local/sbin/log
svn co svn+ssh://svn@svn.wwi.dk/mailsetup/scripts /usr/local/sbin/
svn co svn+ssh://svn@svn.dk/mailsetup/scripts /usr/local/sbin/
</pre>
</pre>



Latest revision as of 19:56, 23 April 2011


Standard installation

Start med at gå installationen af en Xen Klient maskine igennem InstallXenClientServer

Tilføjelser

mail partition

Lav en mail partition

evmsn
tilføj en maildir partition i stil med dem der findes

Tilføj denne partition i fstab

/dev/hda3               /var/maildir    ext3    defaults,noatime        0       0

Tilføj biblioteket til var

mkdir /var/maildir
host filen

Første linje i host filen skal indeholde:

127.0.0.1       postXX.dk localhost
mailname filen

Filen skal have hele domain navnet

postXX.dk

Når det er gjort så kan du jo gå i gang med at installerer de programmer der skal være på den og konfigurerer dem.

Installation af programmer

Du skal starte med at installerer subversion. Den skal du bruge til at hente konfigurationrene fra repositoriet med.

apt-get install subversion

Herefter kan du tage ssh private og public nøgler fra post01.dk

Dem skal du ligge i .ssh i /root/

cd 
mkdir .ssh
scp -rp post01.dk:~/.ssh/ .

Nu kan vi så gå i gang med at hente konfigurations filerne fra subversion.

cd
mkdir baseinstall
cd baseinstall
svn co svn+ssh://svn@svn.dk/mailsetup/baseinstall .
dpkg --set-selections < installed.txt
apt-get dselect-upgrade

Så har vi fået installeret de programmer der skal ligge på serveren.

Konfiguration af programmer

ssl certifikater

Bestil et certifikat på https://products.geotrust.com/geocenter/reseller/logon.do
key fil

openssl genrsa -out /etc/ssl/private/hostname.key 1024

csr fil

openssl req -new -key /etc/ssl/private/hostname.key -out /etc/ssl/hostname.csr
-----
Country Name (2 letter code) [AU]:DK
State or Province Name (full name) [Some-State]:N/A
Locality Name (eg, city) []:Kolding
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WorldWeb Interactive A/S
Organizational Unit Name (eg, section) []:System
Common Name (eg, YOUR name) []:hostname.dk
Email Address []:sysadm@dk

Gem din crt fil i

/etc/ssl/private/hostname.crt

exim4

De filer svn brokker sig over svn ikke kan overskrive skal bare fjernes.

cd /etc/exim4/
rm -rf conf.d
svn co svn+ssh://svn@svn.dk/mailsetup/post .

Editer i update-exim4.conf.conf

dc_other_hostnames='postXX.dk'

Opdater exim konfig

update-exim4.conf

Opdater exim certifikaterne

cp /etc/ssl/private/hostname.key /etc/exim4/exim.key
cp /etc/ssl/private/hostname.crt /etc/exim4/exim.crt

Genstart exim4

/etc/init.d/exim4 restart

courier

Så er det courier's tur.

cd /etc/courier/
rm -rf *
svn co svn+ssh://svn@svn.dk/mailsetup/courier

Så skal vi lige have lavet nogle pem filer til imap og pop3

cat /etc/ssl/private/hostname.key /etc/ssl/private/hostname.crt > hostname.pem
openssl gendh >> hostname.pem
cp hostname.pem imapd.pem
cp hostname.pem pop3d.pem

Genstart server og deamon

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart

apache2

Squirrelmail

Vi skal lige have lavet de bibs der skal bruges

mkdir /var/www/.ssh/
mkdir /var/www/squirrelmail/
scp -rp mailadmin.dk:/var/www/.ssh/* /var/www/.ssh/
chown www-data: -R /var/www/.ssh/
chown www-data: -R /var/www/squirrelmail/

Så er det tid til co af squirrelmail fra svn

su - www-data
svn co svn+ssh://svn@svn.dk/mailsetup/squirrelmail

apache2 config

Vi skal lige have ssl support i apache2

mkdir -p /etc/apache2/ssl.crt
mkdir -p /etc/apache2/ssl.key
cp /etc/ssl/private/hostname.crt /etc/apache2/ssl.crt/
cp /etc/ssl/private/hostname.key /etc/apache2/ssl.key/
a2enmod ssl

Sidst skal vi lige tilføje

Listen 443

til /etc/apache2/ports.conf

Vi skal lige have apache til at redirecte alt http til https gå til squirrelmail bib som default.
Starter i /etc/apache2/site-avaliable/default

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
        RewriteEngine On
        RewriteCond  %{SERVER_NAME} !post01.dk
        RewriteRule ^(.*)$ https://post01.dk$1 [L,R]

        RewriteCond  %{SERVER_PORT} !^443$
        RewriteRule ^(.*)$ https://post01.dk$1 [L,R]

..
..
..
                RedirectMatch ^/$ /squirrelmail/
.. 
..
..
</VirtualHost>

Og laver et webmail site

<VirtualHost *:443>
        RewriteEngine On
        RewriteCond  %{SERVER_PORT} !^443$
        RewriteRule ^(.*)$ https://post01.dk/$1 [L,R]
        ServerAdmin webmaster@dk
        ServerName post01.dk

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl.crt/post01.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/post01.key
        SSLProtocol all
        SSLCipherSuite HIGH:MEDIUM

        DocumentRoot /var/www/squirrelmail
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
</VirtualHost>

Aktiverer webmail sitet

a2ensite webmail

Vi skal også lige have rewrite modulet enabled

a2enmod rewrite

Så kan vi reloade apache og vi er done med serveren.

apache2ctl configtest
apache2ctl graceful

mailadmin

For at mailadmin virker som den skal. Skal vi have key auth til root fra mailadmin.dk
edit /root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnzEs1SVZhvmaXeO3LiYO4U2q2pppdI57/cnK0ccW7fT1J36fT+4od15isppxc3HilvosY/e9kOEwQTPciEa+NffQ9O5QCroXUyweEZN7HFKFU509drUFrjLgxiAXwbEoQmpysJzPKerqZOzri/Et+kCybvHx4HipshqVHHEQNGvt2b9jk8T7Plia1u2zP941zFh0L5v4QW+UiNO7Zcx4xAXfIjsCOTiw+y0rMop8J3SCrP7jOYRRY8zvCQ7pwS7XINw88LicMuVjgLh1hvZrUB6OnUZaLDA2sh2wFo+rGpeyVYCkU3gjZo04CIfnht56g0yTxALHn+UTX67Ac46AlQ== admin@mailadmin.dk

scripts/sudo mm

Kopier alle perl/bash scripts over til serveren:

mkdir /usr/local/sbin/log
svn co svn+ssh://svn@svn.dk/mailsetup/scripts /usr/local/sbin/

Tilføj så brugeren kan eksekvere med root-access:


# Cmnd alias specification
Cmnd_Alias      MAILCMD=/usr/local/sbin/createmaildir.sh

# # User privilege specification
root    ALL=(ALL) ALL
Debian-exim     ALL=(ALL) NOPASSWD:MAILCMD

PHP ændring

Det er nødvendigt at sætte php memory execution op til 32MB fra default 8MB, ellers virker squirrelmail ikke.


Overvågning/backup mm

Tilføj normal procedure vedr. overvågning og backup