Ubuntu-Server 6.10 防火墙系统安装-sdccf-ChinaUnix博客

Fosdccf.blog.chinaunix.net

首页　| 　博文目录　| 　关于我

sdccf

博客访问： 101755726
博文数量： 19283
博客积分： 9968
博客等级：上将
技术积分： 196062
用户组：普通用户
注册时间： 2007-02-07 14:28

文章分类

全部博文（19283）

香文化（0）
CU技术专题（2443）

Linux酷软（214）

tmp（0）

PostgreSQL（93）

Solaris（383）

AIX（173）

SCOUNIX（575）

DB2（1005）
涂鸦（9）
编程开发（1573）

Shell（386）

C/C++（1187）
数据库（6458）

MySQL（1750）

Sybase（465）

Oracle（3695）

Informix（548）
操作系统（8627）

HP-UX（0）

IBM AIX（2）

Sun Solaris（0）

BSD（1）

Linux（8597）

SCO UNIX（23）
未分配的博文（173）

文章存档

2011年（1）

2009年（125）

2008年（19094）

2007年（63）

我的朋友

相关博文

Ubuntu-Server 6.10 防火墙系统安装

分类： LINUX

2008-05-02 18:33:31

文章分类:

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAv, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is a COPY&PASTE howto. For info use the net. I did... However, contributions and suggestions are allways welcome! I know this can be done better, so feel free.

If anyone of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive controll panel, I would be very greathfull.

Scope: creating a firewall/(mail)gateway for a small network (say 10 to 15 users or so on a PIII 450MHz, 512 MB ram and two identical network interface cards, broadband connection, fully featured, for a bussines environment. Better specs of your hardware (notably the amount of ram) will improve the performance of your server significantly. The specs mentioned ar a bare minimum for not so demanding customers, yust to indicate that if you really want, it can be done indeed (need to do some tweaking afterwards though).

Expected audience: (beginning) sysop.

This tuto leads towards a solid 'ready to go' sytem. The fun part, I think, (tweaking and tuning etc.) starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times, also they may screw up their DNS every now and then), in which case you are on your one, best to wait till they are done fixing it.

So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which you better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning) At the end of the process you will be asked if you want to install extra packages. Select "LAMP" and finish.

Now login as the new user you just made and do:

sudo passwd

Now enter your password again. Next enter the new password for user "root" and confirm. So we dropped the nasty sudo experience (bit strange on a server, isn’t it?) Now logout and login again as root with the new root password.

Do:

apt-get install vim

Using vim (or your favorite editor) edit /etc/apt/sources.list Comment out the cd repository. Next add "universe" (without the quotes) to all lines that aren't commented out. Save the file.

Now do:

apt-get update

apt-get install openssh-server

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static
 address  192.168.1.1
 netmask         255.255.255.0
 broadcast 192.168.1.255
 network  192.168.1.0

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full/etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
 address  192.168.1.1
 netmask  255.255.255.0
 broadcast 192.168.1.255
 network  192.168.1.0

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

/etc/init.d/networking restart

You can do the rest of this tuto from your workstation, either linux or the other one (must have putty), so you can actually copy and paste. Just login to 192.168.1.1 as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server's eth1

If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.

Now do:

apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

wget

"surfnet" is the dutch server. Change that to "heanet"(for Ireland), "belnet"(for Belgium), "mesh" (for Germany) and so on.

dpkg -i webmin_1.300_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz policy.gz

Now open your browser and login to webmin at as root with your root password and, using webmin's shorewall module, change the policy's and rules of your firewall as needed (for now, I only set the policy file to the example as shown, you may copy and paste my policy file for starters, if you don't like webmin).

Also set in /etc/shorewall.conf the line "IP_FORWARDING=Keep" to "IP_FORWARDING=On" (without quotes) and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy now looks like this:

###############################################################################
#SOURCE  DEST  POLICY  LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample.  This is solely for the purpose of
# providing more specific messages in the logs.  This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc  net  ACCEPT
loc $FW ACCEPT
loc  all  REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW  all  REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Next do:

/etc/init.d/shorewall start

You should be able now to surf the net.

DO NOT PROCEED UNTILL YOU SUCCEED IN SURFING THE NET. SINCE THIS IS YOUR FRAMEWORK. IT HAS TO BE OK.

So now we need some packages. Do (all in one line!):

apt-get install postfix postfix-doc courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient12-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail unzip zip ncftp libarchive-zip-perl zlib1g-dev libpopt-dev nmap lynx fileutils curl mail-audit-tools libwww-perl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp samba spamassassin razor pyzor unzoo spamc libio-string-perl libnet-ident-perl libio-socket-ssl-perl libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl php-pear mailscanner mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd

Accept all defaults.

Now do:

mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!

Now configure Apache and Squirrelmail.

/usr/sbin/squirrelmail-configure

Set it to courier (option D) and make ik otherwise as you like it. Don't forget to enable some plugins and to set a default language if desired. Also I suggest to set this:

$show_contain_subfolders_option = true;

My/etc/squirrelmail/config.php now looks like this:
(Just my current config. Don't copy this, use it as a reference.)


/**
 * SquirrelMail Configuration File
 * Created using the configure script, conf.pl
 */

global $version;
$config_version = '1.4.0';
$config_use_color = 2;

$org_name      = "Lürsen";
$org_logo      = SM_PATH . 'images/sm_logo.png';
$org_logo_width  = '564';
$org_logo_height = '261';
$org_title     = "Lürsen";
$signout_page  = '';
$frame_top     = '_top';

$provider_uri     = '';

$provider_name     = 'SquirrelMail';

$motd = "";

$squirrelmail_default_language = 'nl_NL';
$default_charset       = 'iso-8859-1';
$lossy_encoding        = false;

$domain                 = 'lursen.net';
$imapServerAddress      = 'localhost';
$imapPort               = 143;
$useSendmail            = false;
$smtpServerAddress      = 'localhost';
$smtpPort               = 25;
$sendmail_path          = '/usr/sbin/sendmail';
$sendmail_args          = '-i -t';
$pop_before_smtp        = false;
$imap_server_type       = 'courier';
$invert_time            = false;
$optional_delimiter     = '.';
$encode_header_key      = '';

$default_folder_prefix          = 'INBOX.';
$trash_folder                   = 'Trash';
$sent_folder                    = 'Sent';
$draft_folder                   = 'Drafts';
$default_move_to_trash          = true;
$default_move_to_sent           = true;
$default_save_as_draft          = true;
$show_prefix_option             = false;
$list_special_folders_first     = true;
$use_special_folder_color       = true;
$auto_expunge                   = true;
$default_sub_of_inbox           = false;
$show_contain_subfolders_option = true;
$default_unseen_notify          = 2;
$default_unseen_type            = 1;
$auto_create_special            = true;
$delete_folder                  = true;
$noselect_fix_enable            = false;

$data_dir                 = '/var/lib/squirrelmail/data/';
$attachment_dir           = '/var/spool/squirrelmail/attach/';
$dir_hash_level           = 0;
$default_left_size        = '150';
$force_username_lowercase = false;
$default_use_priority     = true;
$hide_sm_attributions     = false;
$default_use_mdn          = true;
$edit_identity            = true;
$edit_name                = true;
$hide_auth_header         = false;
$allow_thread_sort        = false;
$allow_server_sort        = false;
$allow_charset_search     = true;
$uid_support              = true;

$plugins[0] = 'abook_take';
$plugins[1] = 'delete_move_next';
$plugins[2] = 'calendar';
$plugins[3] = 'filters';
$plugins[4] = 'message_details';
$plugins[5] = 'mail_fetch';
$plugins[6] = 'newmail';

$theme_css = '';
$theme_default = 0;
$theme[0]['PATH'] = SM_PATH . 'themes/default_theme.php';
$theme[0]['NAME'] = 'Default';
$theme[1]['PATH'] = SM_PATH . 'themes/plain_blue_theme.php';
$theme[1]['NAME'] = 'Plain Blue';
$theme[2]['PATH'] = SM_PATH . 'themes/sandstorm_theme.php';
$theme[2]['NAME'] = 'Sand Storm';
$theme[3]['PATH'] = SM_PATH . 'themes/deepocean_theme.php';
$theme[3]['NAME'] = 'Deep Ocean';
$theme[4]['PATH'] = SM_PATH . 'themes/slashdot_theme.php';
$theme[4]['NAME'] = 'Slashdot';
$theme[5]['PATH'] = SM_PATH . 'themes/purple_theme.php';
$theme[5]['NAME'] = 'Purple';
$theme[6]['PATH'] = SM_PATH . 'themes/forest_theme.php';
$theme[6]['NAME'] = 'Forest';
$theme[7]['PATH'] = SM_PATH . 'themes/ice_theme.php';
$theme[7]['NAME'] = 'Ice';
$theme[8]['PATH'] = SM_PATH . 'themes/seaspray_theme.php';
$theme[8]['NAME'] = 'Sea Spray';
$theme[9]['PATH'] = SM_PATH . 'themes/bluesteel_theme.php';
$theme[9]['NAME'] = 'Blue Steel';
$theme[10]['PATH'] = SM_PATH . 'themes/dark_grey_theme.php';
$theme[10]['NAME'] = 'Dark Grey';
$theme[11]['PATH'] = SM_PATH . 'themes/high_contrast_theme.php';
$theme[11]['NAME'] = 'High Contrast';
$theme[12]['PATH'] = SM_PATH . 'themes/black_bean_burrito_theme.php';
$theme[12]['NAME'] = 'Black Bean Burrito';
$theme[13]['PATH'] = SM_PATH . 'themes/servery_theme.php';
$theme[13]['NAME'] = 'Servery';
$theme[14]['PATH'] = SM_PATH . 'themes/maize_theme.php';
$theme[14]['NAME'] = 'Maize';
$theme[15]['PATH'] = SM_PATH . 'themes/bluesnews_theme.php';
$theme[15]['NAME'] = 'BluesNews';
$theme[16]['PATH'] = SM_PATH . 'themes/deepocean2_theme.php';
$theme[16]['NAME'] = 'Deep Ocean 2';
$theme[17]['PATH'] = SM_PATH . 'themes/blue_grey_theme.php';
$theme[17]['NAME'] = 'Blue Grey';
$theme[18]['PATH'] = SM_PATH . 'themes/dompie_theme.php';
$theme[18]['NAME'] = 'Dompie';
$theme[19]['PATH'] = SM_PATH . 'themes/methodical_theme.php';
$theme[19]['NAME'] = 'Methodical';
$theme[20]['PATH'] = SM_PATH . 'themes/greenhouse_effect.php';
$theme[20]['NAME'] = 'Greenhouse Effect (Changes)';
$theme[21]['PATH'] = SM_PATH . 'themes/in_the_pink.php';
$theme[21]['NAME'] = 'In The Pink (Changes)';
$theme[22]['PATH'] = SM_PATH . 'themes/kind_of_blue.php';
$theme[22]['NAME'] = 'Kind of Blue (Changes)';
$theme[23]['PATH'] = SM_PATH . 'themes/monostochastic.php';
$theme[23]['NAME'] = 'Monostochastic (Changes)';
$theme[24]['PATH'] = SM_PATH . 'themes/shades_of_grey.php';
$theme[24]['NAME'] = 'Shades of Grey (Changes)';
$theme[25]['PATH'] = SM_PATH . 'themes/spice_of_life.php';
$theme[25]['NAME'] = 'Spice of Life (Changes)';
$theme[26]['PATH'] = SM_PATH . 'themes/spice_of_life_lite.php';
$theme[26]['NAME'] = 'Spice of Life - Lite (Changes)';
$theme[27]['PATH'] = SM_PATH . 'themes/spice_of_life_dark.php';
$theme[27]['NAME'] = 'Spice of Life - Dark (Changes)';
$theme[28]['PATH'] = SM_PATH . 'themes/christmas.php';
$theme[28]['NAME'] = 'Holiday - Christmas';
$theme[29]['PATH'] = SM_PATH . 'themes/darkness.php';
$theme[29]['NAME'] = 'Darkness (Changes)';
$theme[30]['PATH'] = SM_PATH . 'themes/random.php';
$theme[30]['NAME'] = 'Random (Changes every login)';
$theme[31]['PATH'] = SM_PATH . 'themes/midnight.php';
$theme[31]['NAME'] = 'Midnight';
$theme[32]['PATH'] = SM_PATH . 'themes/alien_glow.php';
$theme[32]['NAME'] = 'Alien Glow';
$theme[33]['PATH'] = SM_PATH . 'themes/dark_green.php';
$theme[33]['NAME'] = 'Dark Green';
$theme[34]['PATH'] = SM_PATH . 'themes/penguin.php';
$theme[34]['NAME'] = 'Penguin';
$theme[35]['PATH'] = SM_PATH . 'themes/minimal_bw.php';
$theme[35]['NAME'] = 'Minimal BW';
$theme[36]['PATH'] = SM_PATH . 'themes/redmond.php';
$theme[36]['NAME'] = 'Redmond';
$theme[37]['PATH'] = SM_PATH . 'themes/netstyle_theme.php';
$theme[37]['NAME'] = 'Net Style';
$theme[38]['PATH'] = SM_PATH . 'themes/silver_steel_theme.php';
$theme[38]['NAME'] = 'Silver Steel';
$theme[39]['PATH'] = SM_PATH . 'themes/simple_green_theme.php';
$theme[39]['NAME'] = 'Simple Green';
$theme[40]['PATH'] = SM_PATH . 'themes/wood_theme.php';
$theme[40]['NAME'] = 'Wood';
$theme[41]['PATH'] = SM_PATH . 'themes/bluesome.php';
$theme[41]['NAME'] = 'Bluesome';
$theme[42]['PATH'] = SM_PATH . 'themes/simple_green2.php';
$theme[42]['NAME'] = 'Simple Green 2';
$theme[43]['PATH'] = SM_PATH . 'themes/simple_purple.php';
$theme[43]['NAME'] = 'Simple Purple';
$theme[44]['PATH'] = SM_PATH . 'themes/autumn.php';
$theme[44]['NAME'] = 'Autumn';
$theme[45]['PATH'] = SM_PATH . 'themes/autumn2.php';
$theme[45]['NAME'] = 'Autumn 2';
$theme[46]['PATH'] = SM_PATH . 'themes/blue_on_blue.php';
$theme[46]['NAME'] = 'Blue on Blue';
$theme[47]['PATH'] = SM_PATH . 'themes/classic_blue.php';
$theme[47]['NAME'] = 'Classic Blue';
$theme[48]['PATH'] = SM_PATH . 'themes/classic_blue2.php';
$theme[48]['NAME'] = 'Classic Blue 2';
$theme[49]['PATH'] = SM_PATH . 'themes/powder_blue.php';
$theme[49]['NAME'] = 'Powder Blue';
$theme[50]['PATH'] = SM_PATH . 'themes/techno_blue.php';
$theme[50]['NAME'] = 'Techno Blue';
$theme[51]['PATH'] = SM_PATH . 'themes/turquoise.php';
$theme[51]['NAME'] = 'Turquoise';

$default_use_javascript_addr_book = false;
$abook_global_file = '';
$abook_global_file_writeable = false;

$addrbook_dsn = '';
$addrbook_table = 'address';

$prefs_dsn = '';
$prefs_table = 'userprefs';
$prefs_user_field = 'user';
$prefs_key_field = 'prefkey';
$prefs_val_field = 'prefval';
$addrbook_global_dsn = '';
$addrbook_global_table = 'global_abook';
$addrbook_global_writeable = false;
$addrbook_global_listing = false;

$no_list_for_subscribe = false;
$smtp_auth_mech = 'none';
$imap_auth_mech = 'login';
$use_imap_tls = false;
$use_smtp_tls = false;
$session_name = 'SQMSESSID';

$config_location_base     = '';

@include SM_PATH . 'config/config_local.php';

/**
 * Make sure there are no characters after the PHP closing
 * tag below (including newline characters and whitespace).
 * Otherwise, that character will cause the headers to be
 * sent and regular output to begin, which will majorly screw
 * things up when we try to send more headers later.
 */
?>

Next do:

apache2-ssl-certificate -days 3650

Fill in the right server name!!!

That is: the addres on which you plan to give your users access to Squirrelmail or any other service by apache on port 443. (also we are going to use this one for postfix, imaps and pop3s) Just the domain will do (MUST EXIST IN DNS). Not domain/webmail

If anything went wrong, just delete the certificate and repeat this step.

Now enter:

a2enmod ssl

a2enmod rewrite

a2enmod include

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https

ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https

ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail

Now edit /etc/apache2/sites-available/default. The top has to be changed so that it reads:

NameVirtualHost *:80

Edit /etc/apache2/sites-available/https as well, the top of the file should read:

NameVirtualHost *:443

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.pem

Edit /etc/squirrelmail/apache.conf It should look like this:

Alias /webmail /usr/share/squirrelmail


  php_flag register_globals off
  Options Indexes FollowSymLinks
  
    DirectoryIndex index.php
  

  # access to configtest is limited by default to prevent information leak
  
    order deny,allow
    deny from all
    allow from 127.0.0.1
  

# users will prefer a simple URL like 
#
#  DocumentRoot /usr/share/squirrelmail
#  ServerName webmail.example.com
#
# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
#  Note: There are multiple ways to do this, and which one is suitable for
#  your site's configuration depends. Consult the apache documentation if
#  you're unsure, as this example might not work everywhere.
#

  
    
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]

Now make squirrelmail talk your language. If you only use English you can skip the last line in the file of course.

Edit /var/lib/locales/supported.d/local.

It should look like this: (if you are Dutch, otherwise adjust as desired).
Main thing is to enable your locale with the charset ISO-8859-1.

en_US.UTF-8 UTF-8
en_US.ISO-8859-1 ISO-8859-1
nl_NL.ISO-8859-1 ISO-8859-1

dpkg-reconfigure locales

Now make sure that the DirectoryIndex line in /etc/apache2/apache2.conf reads:

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Edit /etc/apache2/ports.conf and add Listen 443:

Listen 80
Listen 443

Now we configure Postfix and MailScanner.

postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'

postconf -e 'smtpd_sasl_local_domain ='

postconf -e 'smtpd_sasl_auth_enable = yes'

postconf -e 'smtpd_sasl_security_options = noanonymous'

postconf -e 'broken_sasl_auth_clients = yes'

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination'

postconf -e 'inet_interfaces = all'

echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf

echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'

postconf -e 'home_mailbox = Maildir/'

postconf -e 'mailbox_command ='

postconf -e 'header_checks = regexp:/etc/postfix/header_checks'

postconf -e 'relayhost ='

postconf -e 'virtual_alias_domains = hash:/etc/postfix/virtual'

postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'

touch /etc/postfix/header_checks

touch /etc/postfix/virtual

Now edit etc/postfix/header_checks. It should look like this:

/^Received:/ HOLD

chown postfix.postfix /var/spool/MailScanner/incoming

chown postfix.postfix /var/spool/MailScanner/quarantine

mkdir /var/spool/MailScanner/spamassassin

chown postfix.postfix /var/spool/MailScanner/spamassassin

Now edit /etc/MailScanner/MailScanner.conf and set the following lines as shown:

Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 120
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Now configure sasl authentication.

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd. It should look like this:

# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

Next edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Change the value of PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid, so that it reads:

PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

Now populate your system with real users. Set the users shell to /bin/false to avoid security holes.

Next fill /etc/postfix/virtual as you like. I love Webmin for this. You can edit it directly too, of course. However, webmin does a great job.

Gotcha!: "some.domain" etc. can not equal to anything mentioned in the "mydestination" line in
/etc/postfix/main.cf

Mine has the following structure:

some.domain virtual domain
some.other.domain virtual domain
some.really.other.domain virtual domain
user@some.domain  user
otheruser@some.domain otheruser
user@some.other.domain user
otheruser@some.other.domain otheruser
somealias@some.other.domain user
info@some.other.domain someoneidontlike
info@some.domain someoneidontlike otheruser@foo.bar
differentuser@some.domain differentuser differentusers@home.addres someoneidontlike
@some.really.other.domain  someonidontlike  someoneidontlikes@home.address

and so on. So I only have to set an alias for root and postmaster in /etc/aliases. All other aliases should be in this file.

Forwarding and delivering mail to multiple addresses and so forth can (and should, I believe) be set in this file too.

I use webmin for this job (and many other jobs).

Note that in this kind of setup your users can have as many aliases as they like (untill you get sick of them), but for each user you still have to add a real user, with a home directory.

Don't forget to do

postmap /etc/postfix/virtual

when you are done.

ow we want some rules for spamassassin to do a better job.

First edit /etc/MailScanner/spam.assassin.prefs.conf. Comment out "dcc_path /usr/bin/dccproc" (this is a workaround, please contribute to this if you can).

Next do:

cd /root

wget

tar -zxvf Rules_Du_Jour.tar.gz

cd rules_du_jour

mkdir /etc/rulesdujour

cp config /etc/rulesdujour/config

cp rules_du_jour /usr/bin

cp rules_du_jour_wrapper /etc/cron.daily

cd /etc/spamassassin

mkdir old

mv *.cf old

/etc/cron.daily/rules_du_jour_wrapper

sa-update

Now make the last command a cron job, say once a week.

Next do:

ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/spamassassin/mailscanner.cf

Check your /etc/default/spamassassin. It should look like this:

# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# Change to one to enable spamd
ENABLED=0
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="--create-prefs --max-children 2 --helper-home-dir"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
# NICE="--nicelevel 15"

Next we configure the DHCP server.

Edit /etc/dhcp3/dhcpd.conf. Mine now looks like this:

# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
 option netbios-name-servers 192.168.1.1;
 option domain-name-servers 192.168.1.1;
 option domain-name "your.domain.here";
 option broadcast-address 192.168.1.255;
 option routers 192.168.1.1;
 range 192.168.1.100 192.168.1.130;
 }

Edit /etc/default/dhcp3-server. It should read

INTERFACES=eth1

/etc/init.d/dhcp3-server start

Next do:

cd /root

wget

gunzip dcc.tar.Z

tar -xvf dcc.tar

cd dcc-1.3.44 ##or whatever version is current.

./configure

make

make install

Now edit /etc/default/mailscanner. It should loo like this:

# This sets how many days files will remain in the "quarantine" area before
# being automatically removed.
#
q_days=7
#
# This sets how much the priority of the mailscanner daemon should be
# reduced by (i.e. "nice -X").  Since it is a batch oriented task,
# there it can easily give up some CPU cycles to more interactive
# tasks.
#
run_nice=5
#
# Uncomment this line once MailScanner has been fully configured.
#
run_mailscanner=1

Next edit /etc/courier/imapd-ssl and change the following:

TLS_CERTFILE=/etc/apache2/ssl/apache.pem

Now do the same with your /etc/courier/pop3d-ssl.

Next do:

shutdown -r now

and wait until it is up again.

Now you have to send each real user a welcome message, thus creating the Maildir structures in their home directorys needed to be able to login to their accounts. You can use webmin's postfix module for this.

No need to send anything to their aliases.

Your Webmail Server is located at (first send those messages!).

Munin is at

Webmin is at

If you haven't set any domains, use etc.

Check that you can login to your webmail and actually send and receive mail within your local network.

If you're satisfied, open port 25 on your firewall for incoming tcp traffic and port 6277 for incoming udp traffic.

You may wish to make your webmail server available to your users from the outside world.
Open port 443 for incoming tcp traffic as well. Opening port 993 is also a good idea for tcp connections, as it facilitates imaps.

My /etc/shorewall/rules now looks like this: (just to begin with, all firewall settings shown in this article are just ment to get you up and running, you might want to adjust these settings once you are done!)

#############################################################################################################
#ACTION  SOURCE  DEST  PROTO DEST SOURCE  ORIGINAL RATE  USER/
#       PORT PORT(S)  DEST  LIMIT  GROUP
#        PORT PORT(S) DEST   LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW udp 6277
DNS/ACCEPT $FW  net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc  $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc  $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net  $FW
ACCEPT  $FW  loc  icmp
ACCEPT  $FW  net  icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Restart the firewall:

/etc/init.d/shorewall restart

Next do:

/var/dcc/libexec/updatedcc

Now we configure your VPN Server.

Edit /etc/pptpd.conf. It should look like this now:

###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/options.pptpd
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
# logwtmp        ## comment this out!! broken deb package!!
# TAG: bcrelay 
# Turns on broadcast relay to clients from interface 
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
#  192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
#    start at the beginning of the list and go until it gets 
#    MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#    you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
#    be set to the given one. You MUST still give at least one remote
#    IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.90-99
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
speed 115200

Next edit /etc/ppp/options. It should look like this:

lock

Now do:

touch /etc/ppp/options.pptpd

Now edit /etc/ppp/options.pptpd. It should look like this:

lock
ms-dns 192.168.1.1
ms-wins 192.168.1.1
domain your.domain.here
debug
name pptp-vpn
auth
proxyarp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
chapms-strip-domain
lcp-echo-failure 10
lcp-echo-interval 30
nobsdcomp

Next, edit /etc/ppp/chap-secrets. It should look like this:

# Secrets for authentication using CHAP
# client server secret   IP addresses
user  pptp-vpn  abcdefg  "*"

Now do:

/etc/init.d/pptpd restart

You must be able now to setup a vpn connection from the inside of your firewall as "user" with paswword "abcdefg" (without the quotes) Change this initial username and password and add some users, if you like. Maybe you'll have to reboot some machines to make it work.

Now open your firewall for vpn connections. To do this, set your /etc/shorewall/rules as shown.

My /etc/shorewall/rules at this time:

#############################################################################################################
#ACTION  SOURCE  DEST  PROTO DEST SOURCE  ORIGINAL RATE  USER/
#       PORT PORT(S)  DEST  LIMIT  GROUP
#        PORT PORT(S) DEST   LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net loc:192.168.1.1 tcp 1723
DNAT net loc:192.168.1.1 47
DNS/ACCEPT $FW  net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc  $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc  $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#

To comlete this step, do:

/etc/init.d/shorewall restart

So now your customers will be able to do their job at home as well.

Note, that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the defacto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.

Next do:

cd /root

wget

Like before, pick a mirror close to you.

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav

tar -zxvf clamav-0.88.6.tar.gz

cd clamav-0.88.6

./configure --sysconfdir=/etc

make

make install

touch /var/log/freshclam.log

chmod 600 /var/log/freshclam.log

chown clamav /var/log/freshclam.log

Now edit /etc/clamd.conf. Comment out "EXAMPLE" (without quotes). Next do the same in/etc/freshclam.conf.

Next do:

/usr/local/bin/freshclam

Now make this a cron job and run it every hour. Preferably not on the hour or anywhere near, as the clamav servers will be flooded when everybody does so. Choose a smart time for this job. The service is absolutely FREE! Let's keep it that way.

/etc/init.d/mailscanner restart

Now I want to do some perl jobs. If you actually use the ancient hardware I did to make this tuto, be advised that it is going to take some time.

Note that you can do without this, for starters. You may wish to schedule this job anywhere soon. If you choose so, you are

DONE!

Alternatively go all the way right now and do:

perl -MCPAN -e shell

Accept all defaults, except for the question where you can answer "UNINST=1" (without the quotes). I think it is best to actually do UNINST=1.

Now do:

install ExtUtils::CBuilder

reload cpan

The "reload cpan" command should be given right after each step in the cpan shell. Better safe than sorry. I only mention this once.

install ExtUtils::MakeMaker

As a result of the next commands you will be asked some questions. Just hit "enter" in all cases.

install Bundle::CPAN

install Bundle::LWP

install Mail::ClamAV

Now leave the cpan shell:

/etc/init.d/mailscanner restart

Now clean your /root directory. That's where all the downloads went.

Warning!!! Don't install Mail::SpamAssassin from cpan alongside the ubuntu spamassassin package as it will breake your system. No more rules du jour, and the rules, my friends, that's what it is mostly about!

If you really want Mail::SpamAssassin from cpan, you will have to purge your spamassassin package and compile, instal and configure it from the latest stable source, which at the time of writing is version 3.1.7.

Samba is installed. As every setup of Samba is unique, I can't help you out here. Don't know how? is a good starting point.

原文链接：

阅读(490) | 评论(0) | 转发(0) |

上一篇：在系统工作时调整/tmp 和/var 分区

下一篇：Unix/BSD/Linux的口令机制初探

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6