The Perfect Server - Fedora 12 x86_64 [ISPConfig 2] - Page 4 | HowtoForge - Linux Howtos and Tutorials


9 MySQL 5

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show something like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      1433/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]
#skip-networking
[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

 

10 Postfix With SMTP-AUTH And TLS

Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Now we configure SMTP-AUTH and TLS:

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128'

We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 32bit systems, this file is in /usr/lib/sasl2/smtpd.conf). It should look like this:

vi /usr/lib64/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr


openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e 'myhostname = server1.example.com'

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.5/samples
readme_directory = /usr/share/doc/postfix-2.6.5/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com
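
Added example (not part of the original tutorial): a small audit of a main.cf like the one above. It checks the three settings that decide who may relay and whether passwords can cross the wire unencrypted; with SASL enabled and smtpd_tls_auth_only = no, Postfix offers AUTH on connections that have not negotiated TLS. The function names and finding labels are made up for this example.

```shell
#!/bin/sh
# postfix_param FILE NAME: print the effective value of NAME in a main.cf.
# main.cf syntax: '#' and blank lines are skipped, a line starting with
# whitespace continues the previous one, and the last definition wins.
postfix_param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == want) val = val " " $0; next }
        {
            eq = index($0, "="); cur = ""
            if (eq == 0) next
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            if (cur == want) { val = substr($0, eq + 1); found = 1 }
        }
        END { gsub(/[ \t]+/, " ", val); gsub(/^ | $/, "", val); if (found) print val }
    ' "$1"
}

# audit_main_cf FILE: print space-separated findings (empty when none).
# Subshell body with globbing off, so "[::1]/128" is never expanded as a pattern.
audit_main_cf() (
    set -f; f=$1; out=""
    if [ "$(postfix_param "$f" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(postfix_param "$f" smtpd_tls_auth_only)" != yes ]; then
        out="$out AUTH_OVER_CLEARTEXT"   # AUTH is announced before STARTTLS
    fi
    case " $(postfix_param "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" reject_unauth_destination "*) ;;
        *) out="$out NO_RELAY_GUARD" ;;
    esac
    for net in $(postfix_param "$f" mynetworks | tr ',' ' '); do
        case $net in
            127.*|"[::1]"*) ;;           # loopback only, as in the tutorial
            *) out="$out NONLOCAL_MYNETWORKS:$net" ;;
        esac
    done
    echo "${out# }"
)

# Constructed sample: the relay/SMTP-AUTH/TLS lines of the main.cf shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_tls_auth_only = no
EOF
echo "tutorial config: $(audit_main_cf "$sample")"
rm -f "$sample"
```

On a live server, run it as audit_main_cf /etc/postfix/main.cf; the finding clears once smtpd_tls_auth_only is set to yes.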

Now start Postfix, saslauthd, and Dovecot:

chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now, run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system's shell.
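
Added example (not part of the original tutorial): the same EHLO check done by a script instead of by eye. In the session above the server lists AUTH PLAIN LOGIN before STARTTLS has been issued, so this parser reports which password mechanisms are offered on the unencrypted connection. The function names are made up for this example, and the second reply is constructed to show the output expected with smtpd_tls_auth_only = yes.

```shell
#!/bin/sh
# ehlo_exposure: read the reply to EHLO from a connection that has NOT yet
# done STARTTLS (stdin) and report what the server advertises in cleartext.
ehlo_exposure() {
    tr -d '\r' | awk '
        /^250[- ]STARTTLS$/ { tls = "yes" }
        /^250[- ]AUTH[ =]/ {                  # "AUTH=" is the legacy form
            line = toupper($0); sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, " ")
            for (i = 1; i <= n; i++)
                if (m[i] == "PLAIN" || m[i] == "LOGIN") pw[m[i]] = 1
        }
        END {
            if ("PLAIN" in pw) list = "PLAIN"
            if ("LOGIN" in pw) list = (list ? list "," : "") "LOGIN"
            printf "starttls=%s cleartext_password_auth=%s\n",
                   (tls ? tls : "no"), (list ? list : "none")
        }
    '
}

# check_pre_tls_reply: succeed only if STARTTLS is offered and no password
# mechanism is advertised before TLS.
check_pre_tls_reply() {
    r=$(ehlo_exposure)
    echo "$r"
    [ "$r" = "starttls=yes cleartext_password_auth=none" ]
}

# Lines copied from the telnet session shown above (subset).
tutorial_reply='250-server1.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'

# Constructed reply: no AUTH line until the client has issued STARTTLS.
hardened_reply='250-server1.example.com
250-PIPELINING
250-STARTTLS
250 DSN'

printf '%s\n' "$tutorial_reply" | check_pre_tls_reply || echo "-> passwords accepted before STARTTLS"
printf '%s\n' "$hardened_reply" | check_pre_tls_reply && echo "-> AUTH only offered after STARTTLS"
```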

 

10.1 Maildir

Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart
