Installing a firewall system on Ubuntu Server 6.10
Tuesday, March 03, 2009 by rain
Includes: Shorewall, NAT, caching nameserver, DHCP server, VPN server, webmin, munin, apache (SSL enabled), squirrelmail, postfix set up with virtual domains, courier imap/imaps/pop3/pop3s, SASL authentication for road warriors, MailScanner as a wrapper for SpamAssassin, razor, ClamAV, etc. Samba installed, not configured.
Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.
This is a COPY&PASTE howto. For info use the net. I did... However, contributions and suggestions are always welcome! I know this can be done better, so feel free.
If any of you can find the time to add a good install and config for Snort AND SnortSam, including a comprehensive control panel, I would be very grateful.
Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so) on a PIII 450MHz, 512 MB RAM and two identical network interface cards, broadband connection, fully featured, for a business environment. Better specs of your hardware (notably the amount of RAM) will improve the performance of your server significantly. The specs mentioned are a bare minimum for not so demanding customers, just to indicate that if you really want, it can be done indeed (need to do some tweaking afterwards though).
Expected audience: (beginning) sysop.
This tuto leads towards a solid 'ready to go' system. The fun part, I think (tweaking and tuning etc.), starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.
Have fun!
First, do a clean install using Ubuntu Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times; also they may screw up their DNS every now and then), in which case you are on your own; best to wait till they are done fixing it.
So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you'd better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.
Now proceed and accept all defaults (but you may want to do your own partitioning). At the end of the process you will be asked if you want to install extra packages. Select "LAMP" and finish.
Now login as the new user you just made and do:
sudo passwd
Now enter your password again. Next enter the new password for user "root" and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn't it?). Now logout and login again as root with the new root password.
Do:
apt-get install vim
Using vim (or your favorite editor) edit /etc/apt/sources.list: comment out the CD repository. Next add "universe" (without the quotes) to all lines that aren't commented out. Save the file.
Now do:
apt-get update
apt-get install openssh-server
Edit /etc/network/interfaces and add the following at the bottom:
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0
Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.
My full /etc/network/interfaces looks like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0
As you can see my eth0 gets its settings using DHCP.
Save the file. Next do:
/etc/init.d/networking restart
You can do the rest of this tuto from your workstation, either Linux or the other one (must have PuTTY), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.
Make sure that the network settings of your workstation match the settings of your server's eth1.
If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.
Now do:
apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq
wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.300_all.deb
"surfnet" is the Dutch server. Change that to "heanet" (for Ireland), "belnet" (for Belgium), "mesh" (for Germany) and so on.
dpkg -i webmin_1.300_all.deb
cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
cd /etc/shorewall
gunzip interfaces.gz masq.gz rules.gz policy.gz
Now open your browser and login to webmin at https://192.168.1.1:10000 as root with your root password and, using webmin's Shorewall module, change the policies and rules of your firewall as needed (for now, I only set the policy file to the example as shown; you may copy and paste my policy file for starters, if you don't like webmin).
Also set in /etc/shorewall.conf the line "IP_FORWARDING=Keep" to "IP_FORWARDING=On" (without quotes) and enable the firewall in /etc/default/shorewall.
My /etc/shorewall/policy now looks like this:
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Next do:
/etc/init.d/shorewall start
You should be able now to surf the net.
DO NOT PROCEED UNTIL YOU SUCCEED IN SURFING THE NET, SINCE THIS IS YOUR FRAMEWORK. IT HAS TO BE OK.
So now we need some packages. Do (all in one line!):
apt-get install postfix postfix-doc courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev
Accept all defaults.
Now do:
mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!
Now configure Apache and SquirrelMail.
/usr/sbin/squirrelmail-configure
Set it to Courier (option D) and make it otherwise as you like it. Don't forget to enable some plugins and to set a default language if desired. Also I suggest to set this:
$show_contain_subfolders_option = true;
My /etc/squirrelmail/config.php now looks like this:
(Just my current config. Don't copy this, use it as a reference.)
<?php
/**
 * SquirrelMail Configuration File
 * Created using the configure script, conf.pl
 */
global $version;
$config_version = '1.4.0';
$config_use_color = 2;
$org_name = "Lursen";
$org_logo = SM_PATH. 'images/sm_logo.png';
$org_logo_width = '564';
$org_logo_height = '261';
$org_title = "Lursen";
$signout_page = 'https://lursen.net/webmail';
$frame_top = '_top';
$provider_uri = 'http://www.squirrelmail.org/';
$provider_name = 'SquirrelMail';
$motd = "";
$squirrelmail_default_language = 'nl_NL';
$default_charset = 'iso-8859-1';
$lossy_encoding = false;
$domain = 'lursen.net';
$imapServerAddress = 'localhost';
$imapPort = 143;
$useSendmail = false;
$smtpServerAddress = 'localhost';
$smtpPort = 25;
$sendmail_path = '/usr/sbin/sendmail';
$sendmail_args = '-i -t';
$pop_before_smtp = false;
$imap_server_type = 'courier';
$invert_time = false;
$optional_delimiter = '.';
$encode_header_key = '';
$default_folder_prefix = 'INBOX.';
$trash_folder = 'Trash';
$sent_folder = 'Sent';
$draft_folder = 'Drafts';
$default_move_to_trash = true;
$default_move_to_sent = true;
$default_save_as_draft = true;
$show_prefix_option = false;
$list_special_folders_first = true;
$use_special_folder_color = true;
$auto_expunge = true;
$default_sub_of_inbox = false;
$show_contain_subfolders_option = true;
$default_unseen_notify = 2;
$default_unseen_type = 1;
$auto_create_special = true;
$delete_folder = true;
$noselect_fix_enable = false;
$data_dir = '/var/lib/squirrelmail/data/';
$attachment_dir = '/var/spool/squirrelmail/attach/';
$dir_hash_level = 0;
$default_left_size = '150';
$force_username_lowercase = false;
$default_use_priority = true;
$hide_sm_attributions = false;
$default_use_mdn = true;
$edit_identity = true;
$edit_name = true;
$hide_auth_header = false;
$allow_thread_sort = false;
$allow_server_sort = false;
$allow_charset_search = true;
$uid_support = true;
$plugins[0] = 'abook_take';
$plugins[1] = 'delete_move_next';
$plugins[2] = 'calendar';
$plugins[3] = 'filters';
$plugins[4] = 'message_details';
$plugins[5] = 'mail_fetch';
$plugins[6] = 'newmail';
$theme_css = '';
$theme_default = 0;
$theme[0]['PATH'] = SM_PATH. 'themes/default_theme.php';
$theme[0]['NAME'] = 'Default';
$theme[1]['PATH'] = SM_PATH. 'themes/plain_blue_theme.php';
$theme[1]['NAME'] = 'Plain Blue';
$theme[2]['PATH'] = SM_PATH. 'themes/sandstorm_theme.php';
$theme[2]['NAME'] = 'Sand Storm';
$theme[3]['PATH'] = SM_PATH. 'themes/deepocean_theme.php';
$theme[3]['NAME'] = 'Deep Ocean';
$theme[4]['PATH'] = SM_PATH. 'themes/slashdot_theme.php';
$theme[4]['NAME'] = 'Slashdot';
$theme[5]['PATH'] = SM_PATH. 'themes/purple_theme.php';
$theme[5]['NAME'] = 'Purple';
$theme[6]['PATH'] = SM_PATH. 'themes/forest_theme.php';
$theme[6]['NAME'] = 'Forest';
$theme[7]['PATH'] = SM_PATH. 'themes/ice_theme.php';
$theme[7]['NAME'] = 'Ice';
$theme[8]['PATH'] = SM_PATH. 'themes/seaspray_theme.php';
$theme[8]['NAME'] = 'Sea Spray';
$theme[9]['PATH'] = SM_PATH. 'themes/bluesteel_theme.php';
$theme[9]['NAME'] = 'Blue Steel';
$theme[10]['PATH'] = SM_PATH. 'themes/dark_grey_theme.php';
$theme[10]['NAME'] = 'Dark Grey';
$theme[11]['PATH'] = SM_PATH. 'themes/high_contrast_theme.php';
$theme[11]['NAME'] = 'High Contrast';
$theme[12]['PATH'] = SM_PATH. 'themes/black_bean_burrito_theme.php';
$theme[12]['NAME'] = 'Black Bean Burrito';
$theme[13]['PATH'] = SM_PATH. 'themes/servery_theme.php';
$theme[13]['NAME'] = 'Servery';
$theme[14]['PATH'] = SM_PATH. 'themes/maize_theme.php';
$theme[14]['NAME'] = 'Maize';
$theme[15]['PATH'] = SM_PATH. 'themes/bluesnews_theme.php';
$theme[15]['NAME'] = 'BluesNews';
$theme[16]['PATH'] = SM_PATH. 'themes/deepocean2_theme.php';
$theme[16]['NAME'] = 'Deep Ocean 2';
$theme[17]['PATH'] = SM_PATH. 'themes/blue_grey_theme.php';
$theme[17]['NAME'] = 'Blue Grey';
$theme[18]['PATH'] = SM_PATH. 'themes/dompie_theme.php';
$theme[18]['NAME'] = 'Dompie';
$theme[19]['PATH'] = SM_PATH. 'themes/methodical_theme.php';
$theme[19]['NAME'] = 'Methodical';
$theme[20]['PATH'] = SM_PATH. 'themes/greenhouse_effect.php';
$theme[20]['NAME'] = 'Greenhouse Effect (Changes)';
$theme[21]['PATH'] = SM_PATH. 'themes/in_the_pink.php';
$theme[21]['NAME'] = 'In The Pink (Changes)';
$theme[22]['PATH'] = SM_PATH. 'themes/kind_of_blue.php';
$theme[22]['NAME'] = 'Kind Of Blue (Changes)';
$theme[23]['PATH'] = SM_PATH. 'themes/monostochastic.php';
$theme[23]['NAME'] = 'Monostochastic (Changes)';
$theme[24]['PATH'] = SM_PATH. 'themes/shades_of_grey.php';
$theme[24]['NAME'] = 'Shades Of Grey (Changes)';
$theme[25]['PATH'] = SM_PATH. 'themes/spice_of_life.php';
$theme[25]['NAME'] = 'Spice Of Life (Changes)';
$theme[26]['PATH'] = SM_PATH. 'themes/spice_of_life_lite.php';
$theme[26]['NAME'] = 'Spice Of Life - Lite (Changes)';
$theme[27]['PATH'] = SM_PATH. 'themes/spice_of_life_dark.php';
$theme[27]['NAME'] = 'Spice Of Life - Dark (Changes)';
$theme[28]['PATH'] = SM_PATH. 'themes/christmas.php';
$theme[28]['NAME'] = 'Holiday - Christmas';
$theme[29]['PATH'] = SM_PATH. 'themes/darkness.php';
$theme[29]['NAME'] = 'Darkness (Changes)';
$theme[30]['PATH'] = SM_PATH. 'themes/random.php';
$theme[30]['NAME'] = 'Random (Changes Every Login)';
$theme[31]['PATH'] = SM_PATH. 'themes/midnight.php';
$theme[31]['NAME'] = 'Midnight';
$theme[32]['PATH'] = SM_PATH. 'themes/alien_glow.php';
$theme[32]['NAME'] = 'Alien Glow';
$theme[33]['PATH'] = SM_PATH. 'themes/dark_green.php';
$theme[33]['NAME'] = 'Dark Green';
$theme[34]['PATH'] = SM_PATH. 'themes/penguin.php';
$theme[34]['NAME'] = 'Penguin';
$theme[35]['PATH'] = SM_PATH. 'themes/minimal_bw.php';
$theme[35]['NAME'] = 'Minimal BW';
$theme[36]['PATH'] = SM_PATH. 'themes/redmond.php';
$theme[36]['NAME'] = 'Redmond';
$theme[37]['PATH'] = SM_PATH. 'themes/netstyle_theme.php';
$theme[37]['NAME'] = 'Net Style';
$theme[38]['PATH'] = SM_PATH. 'themes/silver_steel_theme.php';
$theme[38]['NAME'] = 'Silver Steel';
$theme[39]['PATH'] = SM_PATH. 'themes/simple_green_theme.php';
$theme[39]['NAME'] = 'Simple Green';
$theme[40]['PATH'] = SM_PATH. 'themes/wood_theme.php';
$theme[40]['NAME'] = 'Wood';
$theme[41]['PATH'] = SM_PATH. 'themes/bluesome.php';
$theme[41]['NAME'] = 'Bluesome';
$theme[42]['PATH'] = SM_PATH. 'themes/simple_green2.php';
$theme[42]['NAME'] = 'Simple Green 2';
$theme[43]['PATH'] = SM_PATH. 'themes/simple_purple.php';
$theme[43]['NAME'] = 'Simple Purple';
$theme[44]['PATH'] = SM_PATH. 'themes/autumn.php';
$theme[44]['NAME'] = 'Autumn';
$theme[45]['PATH'] = SM_PATH. 'themes/autumn2.php';
$theme[45]['NAME'] = 'Autumn 2';
$theme[46]['PATH'] = SM_PATH. 'themes/blue_on_blue.php';
$theme[46]['NAME'] = 'Blue On Blue';
$theme[47]['PATH'] = SM_PATH. 'themes/classic_blue.php';
$theme[47]['NAME'] = 'Classic Blue';
$theme[48]['PATH'] = SM_PATH. 'themes/classic_blue2.php';
$theme[48]['NAME'] = 'Classic Blue 2';
$theme[49]['PATH'] = SM_PATH. 'themes/powder_blue.php';
$theme[49]['NAME'] = 'Powder Blue';
$theme[50]['PATH'] = SM_PATH. 'themes/techno_blue.php';
$theme[50]['NAME'] = 'Techno Blue';
$theme[51]['PATH'] = SM_PATH. 'themes/turquoise.php';
$theme[51]['NAME'] = 'Turquoise';
$default_use_javascript_addr_book = false;
$abook_global_file = '';
$abook_global_file_writeable = false;
$addrbook_dsn = '';
$addrbook_table = 'address';
$prefs_dsn = '';
$prefs_table = 'userprefs';
$prefs_user_field = 'user';
$prefs_key_field = 'prefkey';
$prefs_val_field = 'prefval';
$addrbook_global_dsn = '';
$addrbook_global_table = 'global_abook';
$addrbook_global_writeable = false;
$addrbook_global_listing = false;
$no_list_for_subscribe = false;
$smtp_auth_mech = 'none';
$imap_auth_mech = 'login';
$use_imap_tls = false;
$use_smtp_tls = false;
$session_name = 'SQMSESSID';
$config_location_base = '';
@include SM_PATH. 'config/config_local.php';
/**
 * Make sure there are no characters after the PHP closing
 * tag below (including newline characters and whitespace).
 * Otherwise, that character will cause the headers to be
 * sent and regular output to begin, which will majorly screw
 * things up when we try to send more headers later.
 */
?>
Next do:
apache2-ssl-certificate -days 3650
Fill in the right server name!!!
That is: the address on which you plan to give your users access to SquirrelMail or any other service by Apache on port 443. (Also we are going to use this one for Postfix, imaps and pop3s.) Just the domain will do (MUST EXIST IN DNS). Not domain/webmail.
If anything went wrong, just delete the certificate and repeat this step.
Now enter:
a2enmod ssl
a2enmod rewrite
a2enmod include
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https
ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https
ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail
Now edit /etc/apache2/sites-available/default. The top has to be changed so that it reads:
NameVirtualHost *:80
<VirtualHost *:80>
Edit /etc/apache2/sites-available/https as well; the top of the file should read:
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
Edit /etc/squirrelmail/apache.conf. It should look like this:
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
php_flag register_globals off
Options Indexes FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
# access to configtest is limited by default to prevent information leak
<Files configtest.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
</Directory>
# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
# DocumentRoot /usr/share/squirrelmail
# ServerName webmail.example.com
#</VirtualHost>
# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
# Note: There are multiple ways to do this, and which one is suitable for
# your site's configuration depends. Consult the apache documentation if
# you're unsure, as this example might not work everywhere.
#
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /webmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>
Now make SquirrelMail talk your language. If you only use English you can skip the last line in the file of course.
Edit /var/lib/locales/supported.d/local.
It should look like this (if you are Dutch, otherwise adjust as desired).
Main thing is to enable your locale with the charset ISO-8859-1.
en_US.UTF-8 UTF-8
en_US.ISO-8859-1 ISO-8859-1
nl_NL.ISO-8859-1 ISO-8859-1
dpkg-reconfigure locales
Now make sure that the DirectoryIndex line in /etc/apache2/apache2.conf reads:
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Edit /etc/apache2/ports.conf and add Listen 443:
Listen 80
Listen 443
Now we configure Postfix and MailScanner.
postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/apache.pem'
postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
postconf -e 'header_checks = regexp:/etc/postfix/header_checks'
postconf -e 'relayhost ='
postconf -e 'virtual_alias_domains = hash:/etc/postfix/virtual'
postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
touch /etc/postfix/header_checks
touch /etc/postfix/virtual
Now edit /etc/postfix/header_checks. It should look like this (this puts every message with a Received: header into Postfix's hold queue, which is where MailScanner picks it up; see Incoming Queue Dir below):
/^Received:/ HOLD
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin
Now edit /etc/MailScanner/MailScanner.conf and set the following lines as shown:
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 120
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Now configure SASL authentication.
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd. It should look like this:
# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"
Next edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid, so that it reads:
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
Now populate your system with real users. Set the users' shell to /bin/false to avoid security holes.
Next fill /etc/postfix/virtual as you like. I love webmin for this. You can edit it directly too, of course. However, webmin does a great job.
Gotcha!: "some.domain" etc. can not equal anything mentioned in the "mydestination" line in
/etc/postfix/main.cf
Mine has the following structure:
some.domain virtual domain
some.other.domain virtual domain
some.really.other.domain virtual domain
user@some.domain user
otheruser@some.domain otheruser
user@some.other.domain user
otheruser@some.other.domain otheruser
somealias@some.other.domain user
info@some.other.domain someoneidontlike
info@some.domain someoneidontlike otheruser@foo.bar
differentuser@some.domain differentuser differentusers@home.addres someoneidontlike
@some.really.other.domain someonidontlike someoneidontlikes@home.address
And so on. So I only have to set an alias for root and postmaster in /etc/aliases. All other aliases should be in this file.
Forwarding and delivering mail to multiple addresses and so forth can (and should, I believe) be set in this file too.
I use webmin for this job (and many other jobs).
Note that in this kind of setup your users can have as many aliases as they like (until you get sick of them), but for each user you still have to add a real user, with a home directory.
Don't forget to do
postmap /etc/postfix/virtual
when you are done.
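As an added example (not part of the original howto), here is a small Python checker for a virtual file of the shape shown above. It verifies that every address belongs to a domain declared in the file, that every bare target is a real local account (the rule that each user still needs a real user), and that no virtual domain also appears in mydestination (the gotcha above). The sample file, the mydestination value and the user list are constructed placeholders.

```python
"""Consistency check for a Postfix virtual alias file of the shape used in this
howto (added example, not from the original article). All sample data below is
constructed."""

SAMPLE_VIRTUAL = """\
# constructed sample /etc/postfix/virtual
some.domain                  virtual domain
some.other.domain            virtual domain
user@some.domain             user
otheruser@some.domain        otheruser
somealias@some.other.domain  user
info@some.domain             someoneidontlike otheruser@foo.bar
@some.really.other.domain    someoneidontlike
bob@some.domain              bob
"""

# constructed: what 'postconf -h mydestination' and the account list might give
SAMPLE_MYDESTINATION = "localhost, localhost.localdomain, some.other.domain"
SAMPLE_LOCAL_USERS = {"user", "otheruser", "someoneidontlike"}


def parse_virtual(text):
    """Split the file into declared virtual domains and address lines.

    A key without '@' is a 'domain  virtual domain' declaration (Postfix
    ignores the right-hand side when the file serves as virtual_alias_domains);
    any other key is an address or an '@domain' catch-all mapped to targets.
    Returns (domains, [(lineno, key, targets)], errors)."""
    domains, aliases, errors = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            errors.append(f"line {lineno}: {parts[0]!r} has no right-hand side")
            continue
        key, targets = parts[0].lower(), parts[1:]
        if "@" not in key:
            domains.add(key)
        else:
            aliases.append((lineno, key, targets))
    return domains, aliases, errors


def check_virtual(text, mydestination, local_users):
    """Return a list of human-readable problems; empty means the file is
    consistent with the rules this howto relies on."""
    domains, aliases, problems = parse_virtual(text)
    mydest = {d.strip().lower() for d in mydestination.split(",") if d.strip()}

    # Gotcha from the article: Postfix wants each domain in exactly one domain
    # class, so a virtual alias domain must not also be in mydestination.
    for dom in sorted(domains & mydest):
        problems.append(f"{dom}: listed as virtual domain and in mydestination")

    for lineno, key, targets in aliases:
        dom = key.rpartition("@")[2]
        if dom not in domains:
            problems.append(f"line {lineno}: {key}: domain {dom} is not declared "
                            "as 'virtual domain' in this file")
        for target in targets:
            # A bare target is a local mailbox: the article requires a real
            # account (with a home directory) for each of these.
            if "@" not in target and target not in local_users:
                problems.append(f"line {lineno}: {key}: local target {target!r} "
                                "is not an existing user")
    return problems


if __name__ == "__main__":
    report = check_virtual(SAMPLE_VIRTUAL, SAMPLE_MYDESTINATION, SAMPLE_LOCAL_USERS)
    for problem in report or ["no problems found"]:
        print(problem)
```

On a real box, feed it the output of `postconf -h mydestination` and the account names from /etc/passwd instead of the constructed values.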
Now we want some rules for SpamAssassin to do a better job.
First edit /etc/MailScanner/spam.assassin.prefs.conf. Comment out "dcc_path /usr/bin/dccproc" (this is a workaround, please contribute to this if you can).
Next do:
cd /root
wget http://www.fsl.com/support/Rules_Du_Jour.tar.gz
tar -zxvf Rules_Du_Jour.tar.gz
cd rules_du_jour
mkdir /etc/rulesdujour
cp config /etc/rulesdujour/config
cp rules_du_jour /usr/bin
cp rules_du_jour_wrapper /etc/cron.daily
cd /etc/spamassassin
mkdir old
mv *.cf old
/etc/cron.daily/rules_du_jour_wrapper
sa-update
Now make the last command a cron job, say once a week.
Next do:
ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/spamassassin/mailscanner.cf
Check your /etc/default/spamassassin. It should look like this:
# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# Change to one to enable spamd
ENABLED=0
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 2 --helper-home-dir"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
# NICE="--nicelevel 15"
Next we configure the DHCP server.
Edit /etc/dhcp3/dhcpd.conf. Mine now looks like this:
# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
option netbios-name-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "your.domain.here";
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.130;
}
Edit /etc/default/dhcp3-server. It should read:
INTERFACES=eth1
/etc/init.d/dhcp3-server start
Next do:
cd /root
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
gunzip dcc.tar.Z
tar -xvf dcc.tar
cd dcc-1.3.44 ##or whatever version is current.
./configure
make
make install
Now edit /etc/default/mailscanner. It should look like this:
# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
#
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X"). Since it is a batch oriented task,
# there it can easily give up some CPU cycles to more interactive
# tasks.
#
run_nice=5
#
# Uncomment this line once MailScanner has been fully configured.
#
run_mailscanner=1
Next edit /etc/courier/imapd-ssl and change the following:
TLS_CERTFILE=/etc/apache2/ssl/apache.pem
Now do the same with your /etc/courier/pop3d-ssl.
Next do:
shutdown -r now
And wait until it is up again.
Now you have to send each real user a welcome message, thus creating the Maildir structures in their home directories needed to be able to login to their accounts. You can use webmin's Postfix module for this.
No need to send anything to their aliases.
Your webmail server is located at https://your.domain/webmail (first send those messages!).
Munin is at http://your.domain/munin
Webmin is at https://your.domain:10000
If you haven't set any domains, use https://192.168.1.1/webmail etc.
Check that you can login to your webmail and actually send and receive mail within your local network.
If you're satisfied, open port 25 on your firewall for incoming TCP traffic and port 6277 for incoming UDP traffic.
You may wish to make your webmail server available to your users from the outside world.
Open port 443 for incoming TCP traffic as well. Opening port 993 is also a good idea for TCP connections, as it facilitates imaps.
My /etc/shorewall/rules now looks like this (just to begin with; all firewall settings shown in this article are just meant to get you up and running, you might want to adjust these settings once you are done!):
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW udp 6277
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Restart the firewall:
/etc/init.d/shorewall restart
Next do:
/var/dcc/libexec/updatedcc
Now we configure your VPN server.
Edit /etc/pptpd.conf. It should look like this now:
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
# logwtmp ## comment this out!! broken deb package!!
# TAG: bcrelay
# Turns on broadcast relay to clients from interface
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed 115200
Next edit /etc/ppp/options. It should look like this:
lock
Now do:
touch /etc/ppp/options.pptpd
Now edit /etc/ppp/options.pptpd. It should look like this:
lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp
Next, edit /etc/ppp/chap-secrets. It should look like this:
# Secrets for authentication using CHAP
# client server secret IP addresses
user pptp-vpn abcdefg "*"
Now do:
/etc/init.d/pptpd restart
You must be able now to set up a VPN connection from the inside of your firewall as "user" with password "abcdefg" (without the quotes). Change this initial username and password and add some users, if you like. Maybe you'll have to reboot some machines to make it work.
Now open your firewall for VPN connections. To do this, set your /etc/shorewall/rules as shown.
My /etc/shorewall/rules at this time:
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net loc:192.168.1.1 tcp 1723
DNAT net loc:192.168.1.1 47
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
To complete this step, do:
/etc/init.d/shorewall restart
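An added example (not part of the original article) that reads a Shorewall rules file of the shape shown in both rules listings above and reports what the net zone is allowed to reach, so you can compare it against what you meant to open: TCP 25, 443 and 993, UDP 6277 (the DCC port), plus the DNAT of TCP 1723 and GRE (protocol 47) to pptpd. The sample rules and the allowlist are constructed; the macro names are the ones the article uses.

```python
"""Audit which services a Shorewall two-interface rules file exposes to the
'net' zone. Added example, not from the original article; the sample rules are
constructed from the shapes the howto uses (ACCEPT, DNAT and macro rules such
as SSH/ACCEPT)."""

SAMPLE_RULES = """\
#ACTION     SOURCE  DEST              PROTO  DEST PORT
ACCEPT      net     $FW               tcp    25
ACCEPT      net     $FW               tcp    443
ACCEPT      net     $FW               tcp    993
ACCEPT      net     $FW               udp    6277
DNAT        net     loc:192.168.1.1   tcp    1723
DNAT        net     loc:192.168.1.1   47
DNS/ACCEPT  $FW     net
SSH/ACCEPT  loc     $FW
SSH/ACCEPT  net     $FW
Ping/ACCEPT loc     $FW
Ping/REJECT net     $FW
ACCEPT      $FW     loc               icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# What this howto intends to open towards the internet (constructed allowlist).
EXPECTED_NET_EXPOSURE = {
    "tcp/25 -> $FW",
    "tcp/443 -> $FW",
    "tcp/993 -> $FW",
    "udp/6277 -> $FW",
    "tcp/1723 -> loc:192.168.1.1 (DNAT)",
    "47/- -> loc:192.168.1.1 (DNAT)",
}


def parse_rules(text):
    """Parse the columns this howto uses: ACTION SOURCE DEST [PROTO] [DEST PORT].
    ACTION is a bare verb (ACCEPT, DNAT, ...) or a macro call (SSH/ACCEPT)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            continue
        macro, _, verb = cols[0].rpartition("/")
        rules.append({
            "verb": verb,
            "macro": macro or None,
            "source": cols[1],
            "dest": cols[2],
            "proto": cols[3] if len(cols) > 3 else "-",
            "port": cols[4] if len(cols) > 4 else "-",
        })
    return rules


def describe(rule):
    """One-line label, e.g. 'tcp/25 -> $FW' or 'macro SSH -> $FW'."""
    service = (f"macro {rule['macro']}" if rule["macro"]
               else f"{rule['proto']}/{rule['port']}")
    suffix = " (DNAT)" if rule["verb"] == "DNAT" else ""
    return f"{service} -> {rule['dest']}{suffix}"


def net_exposure(rules):
    """Rules that let the net zone in: anything accepted or port-forwarded."""
    return [r for r in rules
            if r["source"] == "net" and r["verb"] in ("ACCEPT", "DNAT")]


def audit(text, expected):
    """Return (unexpected, missing): exposures not on the allowlist, and
    allowlisted entries the file does not actually grant."""
    exposed = {describe(r) for r in net_exposure(parse_rules(text))}
    return sorted(exposed - set(expected)), sorted(set(expected) - exposed)


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_RULES, EXPECTED_NET_EXPOSURE)
    print("unexpected:", unexpected)   # the stray SSH/ACCEPT from net
    print("missing:", missing)
```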
So now your customers will be able to do their job at home as well.
Note that this only makes sense when your server has a reliable broadband connection to the internet, which in the Netherlands is the de facto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.
Next do:
cd /root
wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz
Like before, pick a mirror close to you.
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
tar -zxvf clamav-0.88.6.tar.gz
cd clamav-0.88.6
./configure --sysconfdir=/etc
make
make install
touch /var/log/freshclam.log
chmod 600 /var/log/freshclam.log
chown clamav /var/log/freshclam.log
Now edit /etc/clamd.conf. Comment out "EXAMPLE" (without quotes). Next do the same in /etc/freshclam.conf.
Next do:
/usr/local/bin/freshclam
Now make this a cron job and run it every hour. Preferably not on the hour or anywhere near, as the ClamAV servers will be flooded when everybody does so. Choose a smart time for this job. The service is absolutely FREE! Let's keep it that way.
/etc/init.d/mailscanner restart
Now I want to do some Perl jobs. If you actually use the ancient hardware I did to make this tuto, be advised that it is going to take some time.
Note that you can do without this, for starters. You may wish to schedule this job anywhere soon. If you choose so, you are
DONE! Alternatively go all the way right now and do:
perl -MCPAN -e shell
Accept all defaults, except for the question where you can answer "UNINST=1" (without the quotes). I think it is best to actually do UNINST=1.
Now do:
install ExtUtils::CBuilder
reload cpan
The "reload cpan" command should be given right after each step in the cpan shell. Better safe than sorry. I only mention this once.
install ExtUtils::MakeMaker
As a result of the next commands you will be asked some questions. Just hit "enter" in all cases.
install Bundle::CPAN
install Bundle::LWP
install Mail::ClamAV
Now leave the cpan shell:
q
/etc/init.d/mailscanner restart
Now clean your /root directory. That's where all the downloads went.
Warning!!! Don't install Mail::SpamAssassin from cpan alongside the Ubuntu spamassassin package as it will break your system. No more Rules du Jour, and the rules, my friends, that's what it is mostly about!
If you really want Mail::SpamAssassin from cpan, you will have to purge your spamassassin package and compile, install and configure it from the latest stable source, which at the time of writing is version 3.1.7.
Samba is installed. As every setup of Samba is unique, I can't help you out here. Don't know how? This is a good starting point.
Source: http://www.howtoforge.com/ubuntu6.10_firewall_gateway