Install Mandriva

The Perfect Setup - Mandriva 2006 Free Edition

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited: 11/29/2005

This is a detailed description of the steps to take to set up a Mandriva 2006 Free Edition
based server that offers all services needed by ISPs and hosters (web server (SSL-capable),
mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP,
Quota, Firewall, etc.).

I will use the following software:

- Web Server: Apache 2.0.x
- Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security
  holes than sendmail)
- DNS Server: BIND9
- FTP Server: proftpd
- POP3/IMAP servers
- Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free
webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many
ways of achieving this goal but this is the way I take. I do not issue any guarantee that this
will work for you!

Requirements

To install such a system you will need the following:

- Download the 3 Mandriva 2006 Free Edition CD iso images from a mirror near you (the list of
  mirrors can be found here: http://wwwnew.mandriva.com/en/downloads/mirrors), e.g.
  ftp://fr2.rpmfind.net/linux/Mandrakelinux/official/iso/2006.0/i586/Mandriva-Linux-Free-2006-CD1.i586.iso,
  ftp://fr2.rpmfind.net/linux/Mandrakelinux/official/iso/2006.0/i586/Mandriva-Linux-Free-2006-CD2.i586.iso and
  ftp://fr2.rpmfind.net/linux/Mandrakelinux/official/iso/2006.0/i586/Mandriva-Linux-Free-2006-CD3.i586.iso.
- an internet connection...

1 The Base System

Boot from your Mandriva 2006 CD (CD 1). Press Enter to start the installation:

Choose your language next:


Accept the license and click on Next:

Select Standard as the Security level and leave the field Security Administrator empty:

Now we have to partition our hard disk. You can choose to let the Mandriva installer do the
partitioning, or you can do it yourself. I want to create a small /boot partition (about 100
MB) with the file system ext3, a swap partition and a huge / partition (again with ext3):

Click on Next if you have all three CDs of the Mandriva Download Edition:

Select None and click on Next:



Now we are to select the package groups we want to install. Select Internet station, Network
Computer (client), Configuration, Console Tools, Development, Web/FTP, Mail, Database,
Firewall/Router and Network Computer server and click on Next:

The package installation starts:

Give root a password:

Create another user (e.g. admin):

Now the installer presents us a summary of the installation and gives us the possibility to
change settings by clicking on the appropriate Configure button. First of all we adjust our
keyboard layout (if you don't have a US keyboard...):

Next we configure the time zone we're in:

Select Hardware clock set to GMT and Automatic time synchronization (using NTP):

Select an NTP Server:

Finally we change the Network - lan settings. Select LAN connection unless you're using
something different:

Select the network interface you want to configure (normally eth0):

We want to assign a static IP address to our network interface (remember, we're installing a
server...), so we do not want to get an IP address using BOOTP or DHCP. Therefore we choose
Manual configuration:

Now enter the IP address and a Netmask:

Enter the Host name (e.g. server1.example.com), up to three DNS servers (e.g. 145.253.2.75
and 193.174.32.18) and the Gateway:

You can leave the field Zeroconf Host name empty:

Do not allow users to start the connection. It's a server, and servers are always online (at
least, they should be...):

We've now made all necessary configurations, so we can leave the summary screen by clicking
on Next:

We do not want to configure X because we do not want to run a desktop on a server:

Now you can download the latest updates:

The base installation is now finished, you can now remove the CD or DVD and reboot the
system:

Now on to the system configuration...

2 Installing And Configuring The Rest Of The System

Configure Additional IP Addresses

Let's assume our network interface is eth0. Then there is a file
/etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
IPV6INIT=no
IPV6TO4INIT=no
PEERDNS=yes
NETMASK=255.255.255.0
IPADDR=192.168.0.100

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we
have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks
like this:

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no

Afterwards we have to restart the network:

/etc/init.d/network restart

Setting The Hostname

This is not necessary if you have set the correct hostname during the installation. If you
have not, do this:

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

Configure urpmi

You can use the wizard on http://easyurpmi.zarb.org/ to find out how to configure urpmi so
that urpmi uses online package repositories. For me the wizard gave back these commands that
I run on the command line:

urpmi.addmedia plf-free http://distrib-coffee.ipsl.jussieu.fr/pub/linux/plf/mandriva/free/2006.0/i586 with hdlist.cz
urpmi.addmedia --update updates ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/Mandrakelinux/official/updates/2006.0/main_updates/ with media_info/hdlist.cz
urpmi.addmedia main ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/Mandrakelinux/official/2006.0/i586/media/main with media_info/hdlist.cz
urpmi.addmedia contrib ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/Mandrakelinux/official/2006.0/i586/media/contrib with media_info/hdlist.cz

Now we create a script /etc/cron.daily/software_update that will automatically be run by
cron daily and looks for and installs the latest software updates on your Mandriva 2006
system. The script looks like this:

#!/bin/bash
urpmi.update updates
urpmi --auto --update --auto-select

Make the script executable:

chmod 755 /etc/cron.daily/software_update

Install Some Software

urpmi fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp flex libxorg-x11-devel

Quota

urpmi quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the
mount point /):

# This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/hda6 / ext3 defaults,usrquota,grpquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
/dev/hdb /mnt/cdrom auto umask=0,user,iocharset=iso8859-1,codepage=850,noauto,ro,exec,users 0 0
none /proc proc defaults 0 0
/dev/hda5 swap swap defaults 0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

DNS-Server

urpmi bind

In the Mandrake BIND package there are a few files missing (e.g. /etc/named.conf),
therefore BIND will not start when you run

/etc/init.d/named start

This is nothing to worry about because all needed files are created by ISPConfig as soon as
you create your first DNS record with ISPConfig.

MySQL (4.1)

urpmi MySQL MySQL-client libmysql14-devel
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap

It should show a line like this:

tcp 0 0 *:mysql *:* LISTEN 6621/mysqld

If it does not, edit /etc/sysconfig/mysqld and remove --skip-networking from the variable
MYSQLD_OPTIONS:

# (oe) Remove --skip-networking to enable network access from
# non local clients. Access from localhost will still work.
MYSQLD_OPTIONS=""

# (oe) set TMPDIR and TMP environment variables
TMPDIR="${datadir}/.tmp"
TMP="${TMPDIR}"

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

Postfix With SMTP-AUTH And TLS

urpmi cyrus-sasl libsasl2 libsasl2-devel libsasl2-plug-plain libsasl2-plug-anonymous libsasl2-plug-crammd5 libsasl2-plug-digestmd5 libsasl2-plug-gssapi libsasl2-plug-login postfix imap

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'mydestination = /etc/postfix/local-host-names, localhost.example.com'

touch /etc/postfix/local-host-names

Edit /etc/postfix/sasl/smtpd.conf. It should look like this:

# SASL library configuration file for postfix
# all parameters are documented into:
# /usr/share/doc/cyrus-sasl-2.*/options.html

# The mech_list parameters list the sasl mechanisms to use,
# default being all mechs found.
mech_list: plain login

# To authenticate using the separate saslauthd daemon, (e.g. for
# system or ldap users). Also see /etc/sysconfig/saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/lib/sasl2/mux

# To authenticate against users stored in sasldb.
#pwcheck_method: auxprop
#auxprop_plugin: sasldb
#sasldb_path: /var/lib/sasl2/sasldb2

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Now start Postfix, saslauthd, imap and pop3:

chkconfig imap on
chkconfig imaps on
chkconfig ipop3 on
chkconfig pop3s on
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
/etc/init.d/xinetd restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
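
The EHLO check described above can be scripted against a saved transcript. This is an added example, not part of the original howto: it also reports when PLAIN or LOGIN is advertised on the unencrypted session, which is what smtpd_tls_auth_only = no together with mech_list: plain login produces. The function names, verdict strings and the sample reply are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an EHLO reply captured from a plaintext port-25 session.
# The function names and the sample transcript are constructed for illustration.

# Constructed reply in the shape Postfix prints for "ehlo localhost".
SAMPLE_EHLO='250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME'

# has_capability REPLY KEYWORD: succeeds if the keyword is advertised.
# Accepts "250-KEY ..." and the final "250 KEY" line, plus the legacy
# "AUTH=" spelling that broken_sasl_auth_clients = yes adds.
has_capability() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq "^250[- ]$2([ =]|\$)"
}

# auth_mechs REPLY: prints the de-duplicated, sorted mechanism list.
auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^250[- ]AUTH[ =]//p' | tr ' ' '\n' |
        tr '[:lower:]' '[:upper:]' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_ehlo REPLY: prints one verdict for the pre-TLS capability list.
audit_ehlo() {
    has_capability "$1" STARTTLS || { echo NO_STARTTLS; return 0; }
    has_capability "$1" AUTH || { echo NO_AUTH; return 0; }
    # PLAIN and LOGIN only base64-encode the password; seeing them here
    # means they are usable before STARTTLS (smtpd_tls_auth_only = no).
    case " $(auth_mechs "$1") " in
        *" PLAIN "*|*" LOGIN "*) echo OK_CLEARTEXT_AUTH_BEFORE_TLS ;;
        *) echo OK ;;
    esac
}

audit_ehlo "$SAMPLE_EHLO"
```

With smtpd_tls_auth_only = yes Postfix withholds the AUTH line until the session is encrypted, so the same plaintext capture would then report NO_AUTH.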

Apache2 With PHP5

urpmi apache2-mod_php libphp5_common5 php-bz2 php-calendar php-ctype php-curl php-date_time php-devel php-dio php-dom php-eaccelerator php-enchant php-esmtp php-event php-exif php-fam php-ffmpeg php-fileinfo php-filepro php-ftp php-gd php-gettext php-gmp php-iconv php-id3 php-idn php-imap php-imlib2 php-mailparse php-mbstring php-mcache php-mcrypt php-mhash php-ming php-mysql php-mysqli php-ncurses php-newt php-odbc php-oggvorbis php-pam_auth php-pcntl php-pcre php-pear-Net_IDNA php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-ssh2 php-sysvmsg php-sysvsem php-sysvshm php-tclink php-tcpwrap php-tidy php-xml php-xmlrpc php-zip php5-ini curl libcurl3-devel perl-libwww-perl ImageMagick

(1 line!)

Whenever you see this:

Missing signature ((no key found) OK)
Do you want to continue installation ? (y/N)

it is safe to answer y.

Now we must disable PHP globally because we want to install ISPConfig later on. In ISPConfig
you can enable/disable PHP on a per-site basis. If you do not disable PHP globally now, PHP
will always be enabled, no matter what you specify in ISPConfig! If you do not want to
install ISPConfig, then you are finished with the Apache/PHP5 installation and configuration
now!

Edit /etc/httpd/modules.d/70_mod_php.conf and comment out the AddType lines:

<IfDefine HAVE_PHP5>
<IfModule !mod_php5.c>
LoadModule php5_module extramodules/mod_php5.so
</IfModule>
</IfDefine>

<IfModule mod_php5.c>
PHPINIDir /etc
</IfModule>
<IfModule mod_mime.c>
# AddType application/x-httpd-php .php
# AddType application/x-httpd-php .php3
# AddType application/x-httpd-php .php4
# AddType application/x-httpd-php .php5
# AddType application/x-httpd-php .phtml
# AddType application/x-httpd-php-source .phps
</IfModule>

<IfModule mod_php5.c>
<IfModule mod_dir.c>
DirectoryIndex index.php index.phtml index.php3 index.php4 index.php5
</IfModule>
</IfModule>

Edit /etc/httpd/conf/mime.types and comment out the following lines:

#application/x-perl perl pl
#application/x-php php php3 php4

Edit /etc/httpd/conf/httpd.conf and add the following line to the LoadModule section:

LoadModule php5_module extramodules/mod_php5.so


(Although this line is already in /etc/httpd/modules.d/70_mod_php.conf this is very
important because otherwise the command httpd -t will report errors instead of Syntax OK
when the virtual hosts created by ISPConfig contain lines like php_admin_flag safe_mode On
or the like!)

(Note: If you are going to install ISPConfig 2.1.1 or earlier, you might also want to put

<Directory /var/www/sharedip>
Options +Includes -Indexes
AllowOverride None
AllowOverride Indexes AuthConfig Limit FileInfo
Order allow,deny
Allow from all
<Files ~ "^\.ht">
Deny from all
</Files>
</Directory>

at the end of /etc/httpd/conf/httpd.conf now although it is not necessary.)

Restart Apache:

/etc/init.d/httpd restart

Proftpd

urpmi proftpd
/etc/init.d/proftpd start

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to
Reinaldo Carvalho; more information can be found here:
http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Be sure to comment out the following lines in /etc/proftpd.conf in order to allow ftp users
to CHMOD:

# Bar use of SITE CHMOD by default
# <Limit SITE_CHMOD>
# DenyAll
# </Limit>

and restart Proftpd:

/etc/init.d/proftpd restart

Webalizer

To install webalizer, simply run


urpmi webalizer

Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

To install all needed Perl Modules, we can use the appropriate Mandriva packages and install
them using urpmi:

urpmi perl-HTML-Parser perl-Digest-SHA1 perl-DB_File perl-Net-DNS

The End

The configuration of the server is now finished, and if you wish you can now install
ISPConfig on it.

A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home
directory for websites created by ISPConfig as Mandriva's suExec is compiled with /var/www
as Doc_Root. Run /usr/sbin/suexec -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig
do the following: When you are asked for the installation mode, select the expert mode.
Later during the installation you are asked if the default directory /home/www should be the
directory where ISPConfig will create websites in. Answer n and enter /var/www as the
home directory for websites.

Links

- http://www.mandrivalinux.com
- http://easyurpmi.zarb.org
- http://www.ispconfig.org
