10/29/2010

Spam Control For Postfix

Spam is a major problem for anyone with a mail server. Much of it goes to email addresses that don't exist, but it still hits your server even if it is never delivered. Other times, a user's inbox will be overflowing with annoying messages about Viagra, hookers, free software, and whatever else.


Below is a solution. It's an ongoing accumulation of my efforts to stop spam to the best of my abilities. So far, it has a 97% success rate with over 20,000 emails (spam and ham, alike) processed.


Follow the instructions. I will update/modify as necessary if things seem unclear. Feel free to ask.

1) Install Postgrey, RRD, a log parser, and Graphing tools.
apt-get install postgrey rrdtool mailgraph pflogsumm

Postgrey delays first-time deliveries to your mailbox by 5 minutes by default. If this is too long, edit the /etc/default/postgrey file and add --delay=120, where 120 is the delay in seconds.

2) Restart the Postgrey server.
/etc/init.d/postgrey restart

3) Edit the Postfix main.cf.
We will be adding several things including the Postgrey configuration.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = my.derekgordon.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = my.derekgordon.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 66.118.142.78
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, reject_rbl_client zen.spamhaus.org, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client multihop.dsbl.org, check_recipient_access regexp:/etc/postfix/spamtrap, permit
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

disable_vrfy_command = yes
smtpd_helo_required = yes


From a generic main.cf found in the Debian Lenny installation, I added/modified the BOLD areas.
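Postfix evaluates smtpd_recipient_restrictions left to right and stops at the first restriction that permits or rejects, so the position of reject_unauth_destination decides whether the server relays for anyone. The following shell script is an added example, not part of this post: it parses a main.cf text and reports any entry that could return OK for an arbitrary destination before the relay check. GOOD_CF (built from the restriction list above) and BAD_CF are constructed excerpts, and treating check_*_access entries as safe assumes their maps only ever return OK for local recipients.

```shell
#!/bin/sh
# Added example: check the order of smtpd_recipient_restrictions in a main.cf text.
# Postfix evaluates the list left to right and stops at the first permit/reject,
# so an entry that can return OK for any destination must not come before
# reject_unauth_destination (or a final reject), or the server becomes an open relay.

# Constructed excerpt using the restriction list from the post above.
GOOD_CF='myhostname = my.derekgordon.com
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, reject_rbl_client zen.spamhaus.org, check_recipient_access regexp:/etc/postfix/spamtrap, permit
smtpd_helo_required = yes'

# Constructed misordering: greylisting and the final permit precede the relay check.
BAD_CF='smtpd_recipient_restrictions = permit_mynetworks,
    check_policy_service inet:127.0.0.1:60000,
    permit,
    reject_unauth_destination'

# Print the entries of parameter $2 found in main.cf text $1, one per line.
# Postfix continuation lines (starting with whitespace) are joined before
# the value is split on commas.
restriction_list() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]/ && found { val = val " " $0; next }
        found { exit }
        $0 ~ ("^" key "[[:space:]]*=") {
            sub("^" key "[[:space:]]*=[[:space:]]*", "")
            val = $0
            found = 1
        }
        END { if (found) print val }' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | awk 'NF'
}

# Print "ok" when nothing that may permit an arbitrary destination precedes the
# relay check, otherwise name the first offending entry.
# Assumption: check_*_access maps (the ISPConfig recipient table, the spamtrap
# file) never return OK for remote recipients, so they are treated as safe.
check_relay_order() {
    restriction_list "$1" smtpd_recipient_restrictions | awk '
        BEGIN {
            safe["permit_mynetworks"]
            safe["permit_sasl_authenticated"]
            safe["permit_auth_destination"]
        }
        guarded { next }                       # everything after the relay check is fine
        $1 == "reject_unauth_destination" || $1 == "reject" { guarded = 1; next }
        $1 ~ /^reject_/ || $1 ~ /^check_.*_access$/ || ($1 in safe) { next }
        {
            print "open relay risk: \"" $0 "\" precedes reject_unauth_destination"
            risk = 1
            exit
        }
        END {
            if (risk) exit
            if (guarded) print "ok"
            else print "no reject_unauth_destination in smtpd_recipient_restrictions"
        }'
}

check_relay_order "$GOOD_CF"   # prints: ok
check_relay_order "$BAD_CF"    # prints: open relay risk: "check_policy_service inet:127.0.0.1:60000" precedes reject_unauth_destination
```

Run it against a copy of your own main.cf with `check_relay_order "$(cat /etc/postfix/main.cf)"`; a `postconf -n` dump works the same way.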

4) Create a file named "spamtrap" in the /etc/postfix/ directory.
This serves as a filter: if a message is addressed to this spamtrap address and to other addresses on your machine at the same time, Postfix discards the whole message so that it never reaches the other mailboxes.

spamtrap file looks like this:

/emailcontrol.*@derekgordon\.com/ DISCARD

This is a regexp table, so the slashes are required. My filter address is emailcontrol@derekgordon.com, so edit accordingly and place the line in the spamtrap file!!!

Side note: Do not create this mailbox using ISPConfig. There is absolutely no reason for it to exist on your mailserver. It's a fake address meant to catch annoying spam.



5) Open local.cf for SpamAssassin and add the following.
It is an extra filter that works with SA itself rather than with Postfix in general.

nano /etc/spamassassin/local.cf

Add the following to the bottom:

urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  3.0

6) Restart Postfix and SpamAssassin:
/etc/init.d/postfix restart
/etc/init.d/spamassassin restart



7) Copy the mailgraph CGI script to your website's cgi-bin:
cp -p /usr/lib/cgi-bin/mailgraph.cgi /var/www/www.example.com/cgi-bin



8) Create and CHMOD the postfix_report.sh script:
nano /usr/local/sbin/postfix_report.sh

Paste the following into the script:

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

pflogsumm /var/log/mail.log | formail -c -I"Subject: Mail Statistics" -I"From: maillog@example.com" -I"To: youremail@yourdomain.com" -I"Received: from www.example.com ([ 127.0.0.1])" | sendmail youremail@yourdomain.com

##gzip /var/log/mail.log.0
exit 0

Then make it executable:

chmod 755 /usr/local/sbin/postfix_report.sh



9) Edit the rsyslog logrotate file so that your mail.log rotates daily and the Postfix statistics email is sent automatically:
nano /etc/logrotate.d/rsyslog

Delete the line that says /var/log/mail.log and add this at the VERY bottom of the file:

/var/log/mail.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        prerotate
              /usr/local/sbin/postfix_report.sh > /dev/null
        endscript
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}

With this, every time the mail.log rotates (usually around 6am by default) you will get a detailed email about what Postfix has delivered, not delivered, greylisted, and so on.

So now you're all done! What did you do? You installed blacklist filters, greylisting, graphing for on-the-fly information about Postfix, daily emails with detailed Postfix stats, created a spam trap, and other minor things to make your mailserver a lot more secure and less susceptible to spam.

IMPORTANT: Let me know what you all do. Please respond with your choice, if you use it, and how well it worked. If there's much of a use, I will keep building upon the instructions and make it even better (hopefully). Responses are in the form of thread messages.

BONUS INSTRUCTIONS:
If you use the script I posted below, that gives you GREYLISTING SPECIFIC STATS, do the following:

1) DELETE it from having a CRONJOB if you added one originally. Most likely, you did.

2) Open the rsyslog logrotate file again.

3) Modify the above entry so that it looks like this:

/var/log/mail.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        prerotate
                /path/to/the/greylist_script.sh > /dev/null
                /usr/local/sbin/postfix_report.sh > /dev/null
        endscript
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}
Make sure that the /path/to/the/greylist_script.sh > /dev/null matches the exact path to the script you were using.

Here is the greylist_script.sh:

#!/bin/sh

LOGFILE=/tmp/greylist-statistics
YOURMAIL=youremail@yourdomain.com

# Separator lines. printf is used instead of "echo -ne" because /bin/sh on
# Debian is dash, whose echo does not understand -e and prints "-ne" literally.
separator() {
    printf '%s\n' "-------------------------------------"
    printf '%s\n' "-------------------------------------"
}

printf '%s\n\n' "Total amount of GreyListed messages" > $LOGFILE
/usr/bin/postgreyreport --delay=300 < /var/log/mail.log >> $LOGFILE
separator >> $LOGFILE
printf '%s\n\n' "Get only the top 20 sources getting greylisted out" >> $LOGFILE
# column 1 of postgreyreport output is the client address
postgreyreport < /var/log/mail.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -n20 >> $LOGFILE
separator >> $LOGFILE
printf '%s\n\n' "Get a list of the top 20 email addresses that the greylisted sources are sending email to" >> $LOGFILE
# column 4 of postgreyreport output is the recipient
postgreyreport < /var/log/mail.log | awk '{print $4}' | sort | uniq -c | sort -nr | head -n20 >> $LOGFILE
separator >> $LOGFILE
mail -s "Greylisting Statistics of $(hostname) for $(date +%Y-%m-%d)" $YOURMAIL < $LOGFILE

Edit the following parts of the above script:

1) Change the YOURMAIL= line so that the report goes to your personal mailbox. This will give you details on how it's working.
2) Make sure that /var/log/mail.log is the correct path to your current mail.log file. Distros are different.

Set the script to mode 700 so that it is executable:

chmod 700 /path/to/the/greylist_script.sh
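If postgreyreport is not installed, the same numbers can be pulled straight from the postgrey lines in mail.log. The script below is an added example, not part of this post: it counts greylisted and passed attempts over a few constructed postgrey log lines (SAMPLE_LOG, not real traffic) and lists the top sources and recipients the way the awk/sort/uniq pipelines above do; the function names are my own.

```shell
#!/bin/sh
# Added example: greylisting statistics from postgrey's own mail.log lines,
# without postgreyreport. Postgrey logs one "action=greylist" line per new
# (client, sender, recipient) triplet and an "action=pass" line when a retry
# gets through, so the counts show how much the delay is actually stopping.

# Constructed sample of /var/log/mail.log lines (syslog prefix + postgrey fields).
SAMPLE_LOG='Oct 29 06:00:01 my postgrey[2210]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=promo@example.net, recipient=alice@derekgordon.com
Oct 29 06:00:09 my postgrey[2210]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=promo@example.net, recipient=bob@derekgordon.com
Oct 29 06:03:12 my postgrey[2210]: action=greylist, reason=new, client_name=mx.example.org, client_address=198.51.100.7, sender=news@example.org, recipient=alice@derekgordon.com
Oct 29 06:08:40 my postgrey[2210]: action=pass, reason=triplet found, delay=328, client_name=mx.example.org, client_address=198.51.100.7, sender=news@example.org, recipient=alice@derekgordon.com
Oct 29 06:12:55 my postgrey[2210]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=promo@example.net, recipient=carol@derekgordon.com
Oct 29 06:15:01 my postgrey[2210]: action=pass, reason=client whitelist, client_name=mail.example.com, client_address=192.0.2.5, sender=friend@example.com, recipient=alice@derekgordon.com
Oct 29 06:20:30 my postfix/smtpd[2301]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 554 5.7.1 Service unavailable; Client host [203.0.113.44] blocked using zen.spamhaus.org'

# Print the value of FIELD from every postgrey line whose action is ACTION.
# usage: greylist_field ACTION FIELD
greylist_field() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep "postgrey\[[0-9]*\]: action=$1," \
      | sed -n "s/.*[ ,]$2=\([^,]*\).*/\1/p"
}

# Top N values of FIELD among greylisted attempts as "count value" lines; this is
# what the awk | sort | uniq -c | sort -nr | head pipeline in the script above does.
# usage: greylist_top FIELD [N]
greylist_top() {
    greylist_field greylist "$1" | sort | uniq -c | sort -rn | head -n "${2:-20}" \
      | awk '{ print $1, $2 }'
}

# One-line summary: new triplets delayed, retries that passed, whitelisted passes.
# A sender that never retries (most spam engines) shows up in the first number only.
greylist_summary() {
    delayed=$(greylist_field greylist client_address | wc -l | tr -d ' ')
    passed=$(greylist_field pass reason | grep -c 'triplet found' || :)
    whitelisted=$(greylist_field pass reason | grep -c 'whitelist' || :)
    printf 'greylisted=%s passed=%s whitelisted=%s\n' "$delayed" "$passed" "$whitelisted"
}

greylist_summary                 # prints: greylisted=4 passed=1 whitelisted=1
greylist_top client_address 20   # top greylisted sources
greylist_top recipient 20        # top addresses they are sending to
```

To run it on the real log, replace `printf '%s\n' "$SAMPLE_LOG"` in greylist_field with `cat /var/log/mail.log`.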

To: howtoforge

Build a proxy server to make web browsing faster. Install Squid for it.


[1] Install Squid  
[root@lan ~]# yum -y install squid
[root@lan ~]# vi /etc/squid/squid.conf
# line 919: change
http_port 8080
acl CONNECT method CONNECT

# line 590: add ( allow from only LAN )
acl lan src 192.168.0.0/255.255.255.0
http_access allow localhost

# line 637: add ( allow from only LAN )
http_access allow lan
http_access deny all
# line 3003: add ( define hostname )

visible_hostname lan.server-linux.info
# forwarded_for on

# line 4275: add ( hide IP )
forwarded_for off
# line 2789: add these lines
header_access Referer deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
[root@lan ~]# /etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid... Starting squid: [ OK ]
[root@lan ~]# chkconfig squid on

[2] Start a web browser on your client PC. Select [Tools] - [Internet Options] and go to the [Connections] tab as shown below.
[Image: Internet Options dialog in IE]

[3] Check 'use a proxy' and enter the server's hostname and the port number set in section [1]. Then you can access the Internet through the proxy server.
[Image: proxy address settings]

10/27/2010

Build Desktop Environment

A desktop environment is not necessary for server usage, but sometimes installing or using an application requires one. In that case, build the desktop environment as follows.

[1] Install some packages
[root@ns ~]# yum -y groupinstall "X Window System"
[root@ns ~]# yum -y groupinstall "GNOME Desktop Environment"

[2] Input a command like below after finishing installation of the new packages.
[root@ns ~]# startx


You can now operate CentOS from a GUI, like Windows.

10/25/2010

Install/Configure Postfix

This is how to build an SMTP server with Postfix.



[root@mail ~]# yum -y install postfix

[root@mail ~]# vi /etc/postfix/main.cf


# line 70: uncomment and specify hostname
myhostname = mail.server.world

# line 77: uncomment and specify domain name
mydomain = server.world

# line 93: uncomment
myorigin = $mydomain

# line 110: change
inet_interfaces = all

# line 155: add
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# line 255: uncomment and specify LAN
mynetworks = 127.0.0.0/8, 10.0.0.0/24

# line 410: uncomment (use Maildir)
home_mailbox = Maildir/

# line 536: uncomment; line 537: add
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

# line 562: add
smtpd_banner = $myhostname ESMTP

# add at the bottom
# limit an email size 5M
message_size_limit = 5242880
# limit mailbox 100M
mailbox_size_limit = 104857600

# for SMTP-Auth setting
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject


[root@mail ~]# vi /etc/postfix/header_checks

# add at the head
# reject if email address is empty
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
# hide Received line
/^Received:/ IGNORE

[root@mail ~]# vi /etc/postfix/body_checks

# reject if includes 'example.com' in mail body
/^(|[^>].*)example.com/ REJECT


[root@mail ~]# /etc/rc.d/init.d/sendmail stop
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
[root@mail ~]# chkconfig sendmail off
[root@mail ~]# alternatives --config mta

# change default MTA

There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/sendmail.sendmail
   2           /usr/sbin/sendmail.postfix

Enter to keep the current selection[+], or type selection number: 2

# switch to postfix

[root@mail ~]# /etc/rc.d/init.d/postfix start
Starting postfix: [ OK ]
[root@mail ~]# chkconfig postfix on


Source: server-world.info

10/24/2010

FTP Server linux - Pure-FTPd

Build FTP server to transfer files. Install and configure Pure-FTPd for it.

[1] Install Pure-FTPd
[root@www ~]# yum --enablerepo=dag -y install pure-ftpd    # install from DAG

[root@www ~]# vi /etc/pure-ftpd/pure-ftpd.conf

# line 77: change (no Anonymous)
NoAnonymous yes

# line 143: change
UnixAuthentication yes

[root@www ~]# /etc/rc.d/init.d/pure-ftpd start
Starting proftpd: [ OK ]
[root@www ~]# chkconfig pure-ftpd on

10/23/2010

Configuration for LDAP client

[2] Configure LDAP server
[root@master ~]# cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/
[root@master ~]# chown ldap. /etc/openldap/cacerts/*
[root@master ~]# vi /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# line 10: add these lines
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key

[root@master ~]# /etc/rc.d/init.d/ldap restart
Stopping slapd:[ OK ]
Checking configuration files for slapd: /etc/openldap/slapd.conf: line 117: rootdn is always granted unlimited privileges.
/etc/openldap/slapd.conf: line 121: rootdn is always granted unlimited privileges.
config file testing succeeded[ OK ]
Starting slapd: [ OK ]
[3] Config on Client
[root@www ~]# vi /etc/openldap/ldap.conf

# add at the bottom
URI ldaps://10.0.0.100/
BASE dc=server,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

[root@www ~]# vi /etc/ldap.conf

# near bottom
uri ldap://10.0.0.100/
ssl start_tls    # change
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[4] Configuration is completed. The connection is now encrypted, as shown below.
# with a normal (unencrypted) connection, the bind DN and password are readable in the dump
[root@master ~]# tcpdump port ldap -i eth0 -X -s 1024
16:39:34.551462 IP 192.168.0.50.50530 > master.server.world.ldap: P 137:237(100) ack 349 win 108
0x0000: 4500 0098 a57d 4000 4006 1342 c0a8 0032 E....}@.@..B...2
0x0010: c0a8 001e c562 0185 7f88 5b3e 311f 4816 .....b....[>1.H.
0x0020: 8018 006c 0650 0000 0101 080a fffe ffc3 ...l.P..........
0x0030: 001a da06 3062 0201 0360 3e02 0103 042a ....0b...`>....*
0x0040: 7569 643d 736c 6573 2c6f 753d 5065 6f70 uid=sles,ou=Peop
0x0050: 6c65 2c64 633d 7365 7276 6572 2d77 6f72 le,dc=server
0x0060: 6c64 2c64 633d 696e 666f 800d 6869 726f ux,dc=world..pass
0x0070: 6b75 6e74 616e 6664 37a0 1d30 1b04 1931 wordcent..0...1.
0x0080: 2e33 2e36 2e31 2e34 2e31 2e34 322e 322e 3.6.1.4.1.42.2.2
0x0090: 3237 2e38 2e35 2e31 7.8.5.1

# with an encrypted connection, the password is not visible
[root@master ~]# tcpdump port ldap -i eth0 -X -s 1024
16:43:41.240075 IP 192.168.0.50.37173 > master.server.world.ldap: P 902:976(74) ack 1656 win 143
0x0000: 4500 007e d2d4 4000 4006 e604 c0a8 0032 E..~..@.@......2
0x0010: c0a8 001e 9135 0185 6994 2ee0 17a9 5c4c .....5..i.....
0x0020: 8018 008f 613e 0000 0101 080a fffe f9b1 ....a>..........
0x0030: 001b cae8 1703 0100 2067 f3c9 a959 5eb8 .........g...y^.
0x0040: 828a 80c4 a6d0 1d49 ccf7 ebcb 3a0e 0468 .......i....:..h
0x0050: a4d6 3756 1639 dcc2 bf17 0301 0020 bb89 ..7v.9..........
0x0060: 34ab 231f 0457 513c 3901 5950 b95e 8287 4.#..wq<9.yp.^..
0x0070: 7c77 74c5 7391 9c8a cdb0 0523 9f8d |wt.s......#..

10/21/2010

LDAP Server

[1] Install and Configure OpenLDAP.

[root@master ~]# yum -y install openldap-servers openldap-clients

# generate password for ldap admin
[root@master ~]# slappasswd -s password -h {MD5}
# (1) remember
{MD5}*********************

[root@master ~]# vi /etc/openldap/slapd.conf

# line 86: specify suffix
suffix "dc=server,dc=world"

# line 87: specify admin suffix
rootdn "cn=Manager,dc=server,dc=world"

# line 93: specify password generated (1)
rootpw {MD5}************************

# add at the bottom
access to attrs=userPassword
by self write
by dn="cn=Manager,dc=server,dc=world" write
by anonymous auth
by * none

access to *
by dn="cn=Manager,dc=server,dc=world" write
by self write
by * read

[root@master ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@master ~]# /etc/rc.d/init.d/ldap start
Checking configuration files for slapd: /etc/openldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
/etc/openldap/slapd.conf: line 121: rootdn is always granted unlimited privileges.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@master ~]# chkconfig ldap on


[2] Add initial information

[root@master ~]# cd /usr/share/openldap/migration
[root@master migration]# vi migrate_common.ph

# line 71: specify domain name
$DEFAULT_MAIL_DOMAIN = "server.world";

# line 74: specify suffix
$DEFAULT_BASE = "dc=server,dc=world";

[root@master migration]# ./migrate_base.pl > base.ldif
[root@master migration]# vi base.ldif

# edit only the sections needed for your environment (the following is a minimal example)
dn: dc=server,dc=world
dc: server
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=server,dc=world
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=server,dc=world
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=server,dc=world
ou: Group
objectClass: top
objectClass: organizationalUnit

[root@master migration]# ldapadd -x -W -D "cn=Manager,dc=server,dc=world" -f base.ldif
Enter LDAP Password:    # ldap admin password
adding new entry "dc=server,dc=world"

adding new entry "ou=Hosts,dc=server,dc=world"

adding new entry "ou=People,dc=server,dc=world"

adding new entry "ou=Group,dc=server,dc=world"


[3] Add Existing User and Group to LDAP Server

# get users from /etc/passwd
[root@master migration]# grep "x:[5-9][0-9][0-9]" /etc/passwd > passwd
# get groups from /etc/group
[root@master migration]# grep "x:[5-9][0-9][0-9]" /etc/group > group
[root@master migration]# ./migrate_passwd.pl passwd > passwd.ldif
[root@master migration]# ./migrate_group.pl group > group.ldif

# add user and group to LDAP Server
[root@master migration]# ldapadd -x -W -D "cn=Manager,dc=server,dc=world" -f passwd.ldif
Enter LDAP Password:
adding new entry "uid=fedora,ou=People,dc=server,dc=world"

adding new entry "uid=suse,ou=People,dc=server,dc=world"

adding new entry "uid=ubuntu,ou=People,dc=server,dc=world"

adding new entry "uid=cent,ou=People,dc=server,dc=world"

adding new entry "uid=debian,ou=People,dc=server,dc=world"

[root@master migration]# ldapadd -x -W -D "cn=Manager,dc=server,dc=world" -f group.ldif
Enter LDAP Password:
adding new entry "cn=fedora,ou=Group,dc=server,dc=world"

adding new entry "cn=suse,ou=Group,dc=server,dc=world"

adding new entry "cn=ubuntu,ou=Group,dc=server,dc=world"

adding new entry "cn=cent,ou=Group,dc=server,dc=world"

adding new entry "cn=debian,ou=Group,dc=server,dc=world"


[4] If you'd like to delete a user or group that was added to the LDAP server, do as below.

[root@master ~]# ldapdelete -x -W -D 'cn=Manager,dc=server,dc=world' "uid=cent,ou=people,dc=server,dc=world"
Enter LDAP Password:
[root@master ~]# ldapdelete -x -W -D 'cn=Manager,dc=server,dc=world' "cn=cent,ou=group,dc=server,dc=world"
Enter LDAP Password:

FTP Server - ProFTPD

[root@www ~]# yum --enablerepo=dag -y install proftpd # install from DAG

[root@www ~]# vi /etc/proftpd.conf

# line 4: change to your hostname
ServerName "www.server.world"

# line 6: change to your email address
ServerAdmin root@server.world

# add near line 79
# get access log
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# get auth log
ExtendedLog /var/log/proftpd/auth.log AUTH auth

[root@www ~]# vi /etc/ftpusers

# add users who are not allowed FTP access
test

[root@www ~]# /etc/rc.d/init.d/proftpd start
Starting proftpd: [ OK ]
[root@www ~]# chkconfig proftpd on

FTP Server - Vsftpd

[root@www ~]# yum -y install vsftpd

[root@www ~]# vi /etc/vsftpd/vsftpd.conf

# line 12: no anonymous
anonymous_enable=NO

# line 80,81: uncomment (permit ascii mode transfer)
ascii_upload_enable=YES
ascii_download_enable=YES

# line 96: uncomment ( enable chroot list )
chroot_list_enable=YES

# line 98: uncomment ( enable chroot list file )
chroot_list_file=/etc/vsftpd/chroot_list

# line 104: uncomment
ls_recurse_enable=YES

# add at the bottom
# enable chroot
chroot_local_user=YES

# specify the root directory (if not specified, the user's home directory becomes the FTP home directory)
local_root=public_html

# use localtime
use_localtime=YES

[root@www ~]# vi /etc/vsftpd/chroot_list

# add users who are allowed to leave their home directory (they are not chrooted)
cent

[root@www ~]# /etc/rc.d/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@www ~]# chkconfig vsftpd on

10/19/2010

NIS

Build a NIS server in order to share user accounts on the local network. ypserv is required for NIS.

[root@ns ~]# yum -y install ypserv

[root@ns ~]# ypdomainname server-linux.info    # set NIS domain
[root@ns ~]# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=ns.server-linux.info
GATEWAY=192.168.0.1
# add at the bottom of file
NISDOMAIN=server-linux.info

[root@ns ~]# vi /var/yp/Makefile

# MERGE_PASSWD=true|false
# line 42: change
MERGE_PASSWD=false
#
# MERGE_GROUP=true|false
# line 46: change
MERGE_GROUP=false
#
# line 109: add
all: passwd shadow group hosts rpc services netid protocols

[root@ns ~]# vi /var/yp/securenets

host            127.0.0.1
255.255.255.0   192.168.0.0

# create a directory for web site automatically when a user is added in the system
[root@ns ~]# mkdir /etc/skel/public_html
[root@ns ~]# chmod 711 /etc/skel/public_html

# create a directory for email automatically when a user is added in the system
[root@ns ~]# mkdir -p /etc/skel/Maildir/cur
[root@ns ~]# mkdir -p /etc/skel/Maildir/new
[root@ns ~]# mkdir -p /etc/skel/Maildir/tmp
[root@ns ~]# chmod -R 700 /etc/skel/Maildir/

[root@ns ~]# /etc/rc.d/init.d/portmap start
Starting portmap: [ OK ]
[root@ns ~]# /etc/rc.d/init.d/ypserv start
Starting YP server services: [ OK ]
[root@ns ~]# /etc/rc.d/init.d/yppasswdd start
Starting YP passwd service: [ OK ]
[root@ns ~]# chkconfig portmap on
[root@ns ~]# chkconfig ypserv on
[root@ns ~]# chkconfig yppasswdd on

[root@ns ~]# useradd cent
[root@ns ~]# passwd cent
Changing password for user cent.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

[root@ns ~]# /usr/lib/yp/ypinit -m    # update NIS database
At this point, we have to construct a list of the hosts which will run NIS servers. ns.server-linux.info is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a <control D>.
next host to add: ns.server-linux.info
next host to add:    # push Ctrl + D keys
The current list of NIS servers looks like this:

ns.server-linux.info

Is this correct? [y/n: y] y    # input 'y' and push Enter key
We need a few minutes to build the databases...
Building /var/yp/server-linux.info/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/server-linux.info'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/server-linux.info'

ns.server-linux.info has been set up as a NIS master server.

Now you can run ypinit -s ns.server-linux.info on all slave server.

# The NIS database must be rebuilt this way whenever a new user is added
[root@ns ~]# cd /var/yp
[root@ns yp]# make

After building the NIS server, configure the clients so that they share the user accounts.

[root@www ~]# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=www.server-linux.info
GATEWAY=192.168.0.1
# add at the bottom
NISDOMAIN=server-linux.info

[root@www ~]# vi /etc/sysconfig/authconfig

USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USELOCAUTHORIZE=no
USEWINBIND=no
USESHADOW=yes
USEDB=no
USEMD5=yes
USEPASSWDQC=no
USELDAP=no
USEHESIOD=no
USECRACKLIB=yes
USENIS=yes    # change

[root@www ~]# vi /etc/yp.conf

# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
#Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
#Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
#Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
#Use server HOSTNAME for the local domain. The
#IP-address of server must be listed in /etc/hosts.
#
# broadcast
#If no server for the default domain is specified or
#none of them is rechable, try a broadcast call to
#find a server.
#
# add at the bottom
domain server-linux.info server nfs.server-linux.info

[root@www ~]# vi /etc/nsswitch.conf

passwd:     files nis    # line 33: add
shadow:     files nis    # add
group:      files nis    # add

#hosts:     db files nisplus nis dns
hosts:      files dns nis    # add

[root@www ~]# chkconfig ypbind on
[root@www ~]# chkconfig portmap on
[root@www ~]# shutdown -r now

www login: cent    # user name on NIS
Password:          # password
Last login: Sun Mar 11 22:02:12 on tty1
[cent@www ~]$      # just logged in
[cent@www ~]$ ypwhich
nfs.server-linux.info
[cent@www ~]$ ypcat passwd
cent:x:500:500::/home/cent:/bin/bash
[cent@www ~]$ yppasswd    # change password
Changing NIS account information for cent on nfs.server-linux.info.
Please enter old password:    # current password
Changing NIS password for cent on nfs.server-linux.info.
Please enter new password:    # new password
Please retype new password:

The NIS password has been changed on nfs.server-linux.info.

10/16/2010

Enable userdir

[1] Configure httpd
[root@www ~]# vi /etc/httpd/conf/httpd.conf

# line 355: make it comment
#UserDir disable

# line 362: uncomment
UserDir public_html

# line 370-381: uncomment
<Directory /home/*/public_html>
    AllowOverride All    # change
    Options ExecCGI    # enable CGI
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>


[root@www ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[2] Make a CGI test page in a user's home directory and open it with a web browser. It's OK if the following page is shown.
[cent@www ~]$ mkdir public_html
[cent@www ~]$ chmod 711 /home/cent
[cent@www ~]$ chmod 755 /home/cent/public_html
[cent@www ~]$ cd public_html
[cent@www public_html]$ vi index.cgi

#!/usr/local/bin/perl

print "Content-type: text/html\n\n";
print <<"EOM";
CGI test page
EOM
exit;
[cent@www public_html]$ chmod 705 index.cgi

[1] Configuration on the system that will be the NFS server
[root@ns ~]# vi /etc/exports

# add (see note below)
/home 192.168.0.0/24(rw,sync,no_root_squash)

# note
/home ⇒ directory to share
192.168.0.0/24 ⇒ network range that NFS permits access from
rw ⇒ clients may read and write
sync ⇒ write changes to disk before replying to the client
no_root_squash ⇒ do not map the client's root user to an unprivileged user (root on any client in the range keeps root privileges on this export)

[root@ns ~]# /etc/rc.d/init.d/portmap start
Starting portmap: [ OK ]
[root@ns ~]# /etc/rc.d/init.d/nfs start
Starting nfs services: [ OK ]
Starting nfs quotas: [ OK ]
Starting nfs daemon: [ OK ]
Starting nfs mountd: [ OK ]
[root@ns ~]# /etc/rc.d/init.d/nfslock start
Starting NFS statd: [ OK ]
[root@ns ~]# chkconfig nfs on
[root@ns ~]# chkconfig nfslock on
[root@ns ~]# chkconfig portmap on
[2] Configuration on NFS clients
[root@www ~]# /etc/rc.d/init.d/portmap start
Starting portmap: [ OK ]
[root@www ~]# /etc/rc.d/init.d/nfslock start
Starting NFS statd: [ OK ]
[root@www ~]# /etc/rc.d/init.d/netfs start
Mounting other filesystems: [ OK ]
[root@www ~]# chkconfig nfslock on
[root@www ~]# chkconfig portmap on
[root@www ~]# chkconfig netfs on
[root@www ~]# mount -t nfs nfs.server-linux.info:/home /home
[root@www ~]# df -m
(df output: the local /dev/hda filesystems, followed by nfs.server-linux.info:/home mounted on /home)
# home directory on NFS is mounted

[root@www ~]# vi /etc/fstab
# add at the bottom: mount the home directory from the NFS server instead of a local one
/dev/hda1                    /           ext3    defaults        1 1
devpts                       /dev/pts    devpts  gid=5,mode=620  0 0
tmpfs                        /dev/shm    tmpfs   defaults        0 0
proc                         /proc       proc    defaults        0 0
sysfs                        /sys        sysfs   defaults        0 0
/dev/hda5                    /tmp        ext3    defaults        1 2
/dev/hda3                    /usr        ext3    defaults        1 2
/dev/hda4                    /var        ext3    defaults        1 2
/dev/hda2                    swap        swap    defaults        0 0
nfs.server-linux.info:/home  /home       nfs     defaults        1 2

Install/Configure Dovecot

[root@mail ~]# yum -y install dovecot

[root@mail ~]# vi /etc/dovecot.conf

# line 20: uncomment
protocols = imap imaps pop3 pop3s

# line 211: uncomment and add
mail_location = maildir:~/Maildir

# line 762: add
mechanisms = plain login

# line 978: change like below
socket listen { # uncomment
#master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
#path = /var/run/dovecot/auth-master
#mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
#}
client { # uncomment
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth-client # uncomment and change
mode = 0660 # uncomment
user = postfix # add
group = postfix # add
}# uncomment
} # uncomment

[root@mail ~]# /etc/rc.d/init.d/dovecot start
Starting Dovecot Imap: [ OK ]
[root@mail ~]# chkconfig dovecot on

From: server-world

10/15/2010

Webmin Installation and Configuration in Ubuntu Linux

Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.

Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules.

Installing Webmin in Ubuntu



You can use the above procedure, but if you want to install the latest version you can download it from the download section of the Webmin site.

Prerequisites

Perl 5 interpreter and libnet-ssleay-perl

sudo apt-get install perl5 libnet-ssleay-perl

Now you need to download the latest Webmin from the download link above.

Download ‘webmin-1.310.tar.gz’ (at the time of writing) to some location on your machine, e.g. /usr/local/src

cd /usr/local/src

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.310.tar.gz

sudo tar xzvf webmin-1.310.tar.gz

cd webmin-1.310

sudo sh setup.sh

This will start the installation, and it will prompt you with several questions; answer them as follows:

Config file directory [/etc/webmin]:
Leave as default, or change as you wish

Log file directory [/var/webmin]:
Leave as default, or change as you wish

Full path to perl (default /usr/bin/perl):
Leave as default, or change as you wish

Operating system:
Enter ‘6’

Version:
Enter ‘6’

Web server port (default 10000):

This is where you can start to make Webmin more secure than the standard install you get with apt-get, Synaptic, or RPM. Leave as default or change it to whatever port you want.

Login name (default admin):

It is ‘admin’, so you can leave it as that, or put in any name that you like.

Login password:

By creating the user above and giving it a password, you have now made it so you will not need to log into webmin with root.

Password again:

Enter your password again.

If you did not install ‘libnet-ssleay-perl’ you will get the following message:

‘The Perl SSLeay library is not installed. SSL not available.’ You can continue with the install, but it is more secure to install the SSLeay library (libnet-ssleay-perl) first.

Use SSL (y/n):y

Choose yes here

Start Webmin at boot time (y/n):y

Select y here.

At this point it is going to configure things, install things, and create things…

It will then tell you that you can log in to https://hostipaddress:10000 and to accept the certificate.

Webmin User Password Change

If you want to change the root password in Webmin, use this included Perl script:

sudo /usr/share/webmin/changepass.pl /etc/webmin root

Set mail server on Debian

In the following article, Linuxbasiccommad will guide you through setting up a fully featured mail server: secure, scalable, and able to take over a number of other functions if necessary. The setup provides hosting for virtual mailboxes in several formats, server-side filtering and quotas, domain aliases, address aliases, forwarding addresses and catch-all addresses. Mail submission uses the secure SMTP-AUTH and STARTTLS protocols. Incoming mail is strictly checked by virus, spam and malware filters and quickly rejected by the SPF and DNSBL policies.

The whole setup is spread across three main servers:

- An MX server, which concentrates all the security features (faramir.middle.earth)

- A relay SMTP server, allowing users to send email to the outside world (ectelion.middle.earth)

- A mailstore server, used to store all mailbox data (denetor.middle.earth)

Of course, you can also assign more MX records for the domains in DNS, spread the relay service with DNS round-robin, and add archiving, mail forwarding and splitting; all of this is covered in the article.

All operations were performed on systems running the Debian server operating system.

Set up LDAP

All user information is stored in the LDAP directory, which we install on the server that performs the relay task. The following packages are required:
sudo apt-get install slapd ldap-utils

Here, we will use the following LDAP parameters:
- ldapBase: dc=middle,dc=earth

- adminDn: cn=admin,dc=middle,dc=earth

- adminPwd: thirdAge

We also need an LDAP schema for the mail attributes. Most of the attributes and object classes below follow the standard ones; note that they overlap with a number of standard user attributes, so take care not to end up with duplicate definitions.

Add the following schema to OpenLDAP as /etc/ldap/schema/mailMEO.schema:
attributetype ( 2.16.840.1.113730.3.1.13
NAME 'mailLocalAddress'
DESC 'RFC822 email address of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 2.16.840.1.113730.3.1.16
NAME 'mailQuota'
DESC 'Maximal amount of disk space for a mailbox in kilobytes'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.113730.3.1.18
NAME 'mailHost'
DESC 'FQDN of the SMTP/MTA of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
SINGLE-VALUE )
attributetype ( 2.16.840.1.113730.3.1.22
NAME 'mailCopyAddress'
DESC 'RFC822 email shadow copy address'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 2.16.840.1.113730.3.1.47
NAME 'mailRoutingAddress'
DESC 'RFC822 routing address of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 2.16.840.1.113730.3.1.49
NAME 'spamassassinUserPrefs'
DESC 'SpamAssassin user preferences'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 2.16.840.1.113730.3.2.147
NAME 'inetLocalMailRecipient'
DESC 'Internet local mail recipient'
SUP top AUXILIARY
MAY ( mailLocalAddress $ mailHost $ mailRoutingAddress $ mailCopyAddress $ mailQuota $ spamassassinUserPrefs ) )

objectclass ( 2.16.840.1.113730.3.2.148
NAME 'inetMailForwarder'
DESC 'Internet mail Forward Address'
SUP top AUXILIARY
MAY ( mailHost $ mailRoutingAddress ) )


Configure the file /etc/ldap/slapd.conf:

include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mailMEO.schema

Check the line:
suffix "dc=middle,dc=earth"


Then add the ACLs granting the daemons the access they need to LDAP. Dovecot gets read-only access to userPassword so that it can authenticate users:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=middle,dc=earth" write
by dn="uid=dovecot,dc=middle,dc=earth" read
by anonymous auth
by self write
by * none

Grant exim and dovecot read access to the rest of the directory too (slapd stops at the first by clause that matches, so the anonymous clause has to come before the by * catch-all or it never takes effect):
access to *
by dn="cn=admin,dc=middle,dc=earth" write
by dn="uid=dovecot,dc=middle,dc=earth" read
by dn="uid=exim,dc=middle,dc=earth" read
by anonymous none
by * read

The last clauses of this ACL keep anonymous binds from reading any data, while authenticated accounts can read it and the admin account can write. Restart slapd to apply the changes:
sudo /etc/init.d/slapd restart
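slapd evaluates the by clauses of an access directive in order and stops at the first one that matches the bound identity, so a by anonymous none clause that comes after by * read is never reached. The following is an added example, not from the article, that simulates this first-match rule over the two orderings of the second ACL; the DNs are the ones used above.

```python
"""First-match evaluation of slapd access clauses.

Added example, not from the article: a small simulator of how OpenLDAP's
slapd chooses the first 'by' clause that matches the bound identity, used
to show why a 'by anonymous none' clause placed after 'by * read' never
fires. The DNs are the ones from the slapd.conf above.
"""

# Each ACL is the ordered list of (who, access) pairs from one 'access to'
# directive. 'who' is "*", "anonymous", "users" or an exact bind DN.
ACL_AS_WRITTEN = [
    ("cn=admin,dc=middle,dc=earth", "write"),
    ("uid=dovecot,dc=middle,dc=earth", "read"),
    ("uid=exim,dc=middle,dc=earth", "read"),
    ("*", "read"),          # catch-all: matches anonymous binds too
    ("anonymous", "none"),  # never reached
]

ACL_FIXED = [
    ("cn=admin,dc=middle,dc=earth", "write"),
    ("uid=dovecot,dc=middle,dc=earth", "read"),
    ("uid=exim,dc=middle,dc=earth", "read"),
    ("anonymous", "none"),  # now evaluated before the catch-all
    ("*", "read"),
]


def clause_matches(who, bind_dn):
    """Does a 'by <who>' clause apply to this bind? bind_dn=None is anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    # by dn="...": exact DN match (DNs compare case-insensitively)
    return bind_dn is not None and who.lower() == bind_dn.lower()


def evaluate(acl, bind_dn):
    """Access level slapd grants: the first matching clause decides, and an
    identity that matches no clause gets the implicit default of 'none'."""
    for who, level in acl:
        if clause_matches(who, bind_dn):
            return level
    return "none"


def shadowed_clauses(acl):
    """Return the 'who' of every clause that follows a 'by *' clause: the
    catch-all matches everyone, so those later clauses are unreachable."""
    seen_catch_all = False
    shadowed = []
    for who, _level in acl:
        if seen_catch_all:
            shadowed.append(who)
        if who == "*":
            seen_catch_all = True
    return shadowed


if __name__ == "__main__":
    for name, acl in (("as written", ACL_AS_WRITTEN), ("fixed", ACL_FIXED)):
        print(f"{name}: anonymous -> {evaluate(acl, None)}, "
              f"exim -> {evaluate(acl, 'uid=exim,dc=middle,dc=earth')}, "
              f"unreachable clauses: {shadowed_clauses(acl)}")
```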

Next we create the accounts referenced by the ACLs above. To do this, use a users.ldif file like the following:

dn: uid=exim,dc=middle,dc=earth
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: exim
userPassword:: e01ENX1hOElTeXAwV2hnVzFSVnhHd0hCNDF3PT0=

dn: uid=dovecot,dc=middle,dc=earth
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: dovecot
userPassword:: e01ENX1yZGp2Q1lPNmtDRm1scXAyVWQwa0xBPT0=


These accounts have the user/password pairs dovecot / dovecotpopper and exim4 / eximmta.

To load these entries into the directory, use the following command:
ldapadd -x -D cn=admin,dc=middle,dc=earth -W < users.ldif


Below is a sample LDIF file containing the data:
dn: ou=domains,dc=middle,dc=earth
objectClass: organizationalUnit
objectClass: top
ou: domains

dn: dc=middle.earth,ou=domains,dc=middle,dc=earth
dc: middle.earth
objectClass: dNSDomain
objectClass: top
objectClass: inetLocalMailRecipient
objectClass: domainRelatedObject
objectClass: posixAccount
mailLocalAddress: catchall@middle.earth
cn: catchall
gidNumber: 8
homeDirectory: /var/mail/middle.earth/c/catchall
uid: catchall
uidNumber: 8
userPassword:: e01ENX1EV3RteGErOFROanJKNUFXZWt1Z0tBPT0=
mailQuota: 102400
mailHost: denetor.middle.earth
associatedDomain: middle.earth
associatedDomain: lotr.middle.earth

dn: uid=sam,dc=middle.earth,ou=domains,dc=middle,dc=earth
cn: sam
displayName: Sam Gamji
gidNumber: 8
homeDirectory: /var/mail/middle.earth/s/sam
mail: sam@middle.earth
mailHost: 172.16.16.23
mailQuota: 102400
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Gamji
uidNumber: 8
uid: sam
userPassword:: e01ENX1NeVV5M1BxaHkvWWVLaVpyMXlOaExBPT0=
mailLocalAddress: sam@middle.earth
mailLocalAddress: gamji@middle.earth
mailLocalAddress: shire@middle.earth

dn: uid=frodo,dc=middle.earth,ou=domains,dc=middle,dc=earth
cn: frodo
displayName: Frodo Baggins
gidNumber: 8
givenName: Frodo
homeDirectory: /var/mail/middle.earth/f/frodo
mail: frodo@middle.earth
mailHost: 172.16.16.23
mailQuota: 102400
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Baggins
uidNumber: 8
uid: frodo
userPassword:: e01ENX04UGlDRHVnWEdCMmNhRktnbDljTmpRPT0=
mailLocalAddress: frodo@middle.earth
mailLocalAddress: baggins@middle.earth
mailLocalAddress: shire@middle.earth

dn: uid=gmail,dc=middle.earth,ou=domains,dc=middle,dc=earth
cn: gmail
mail: alxgomz@gmail.com
mailHost: 172.16.16.23
mailRoutingAddress: alxgomz@gmail.com
objectClass: inetMailForwarder
objectClass: inetOrgPerson
objectClass: top
sn: alias to Gmail address
uid: gmail

10/14/2010

Spam Control For Postfix

Spam is a major problem for anyone with a mail server. Many times, spam goes to email addresses that don't exist. But it still hits your server even if it isn't delivered. Other times, a user's inbox will be overflowing with annoying messages about Viagra, hookers, free software, and whatever else.

Below is a solution. It's an ongoing accumulation of my efforts to stop spam to the best of my abilities. So far, it has a 97% success rate with over 20,000 emails (spam and ham, alike) processed.

Follow the instructions. I will update/modify as necessary if things seem unclear. Feel free to ask.

1) Install Postgrey, RRD, a log parser, and Graphing tools.
apt-get install postgrey rrdtool mailgraph pflogsumm

2) Restart the Postgrey server.
/etc/init.d/postgrey restart

3) Edit the Postfix main.cf.
We will be adding several things including the Postgrey configuration.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = my.derekgordon.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = my.derekgordon.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 66.118.142.78
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000, reject_rbl_client zen.spamhaus.org, reject_rbl_client smtp.dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client multihop.dsbl.org, check_recipient_access regexp:/etc/postfix/spamtrap, permit
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit

4) Create a file named "spamtrap" in the /etc/postfix/ directory.
This serves as a filter: if spam is emailed to this address together with other addresses on your machine, Postfix drops that email so that it doesn't reach any of the other mailboxes.

spamtrap file looks like this:
/emailcontrol.*@derekgordon\.com/ DISCARD

5) Open up local.cf for SpamAssassin and add the following bit.
It adds an extra filter that belongs to SA more than to Postfix itself.

nano /etc/spamassassin/local.cf
Add the following to the bottom:
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0


6) Restart Postfix and Spamassassin
/etc/init.d/postfix restart
/etc/init.d/spamassassin restart

7) Copy the mailgraph CGI script to your website's CGI-BIN:
cp -p /usr/lib/cgi-bin/mailgraph.cgi /var/www/www.example.com/cgi-bin

8) Create and chmod the postfix_report.sh script:
nano /usr/local/sbin/postfix_report.sh

Paste the following into the script:
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

pflogsumm /var/log/mail.log | formail -c -I"Subject: Mail Statistics" -I"From: maillog@example.com" -I"To: youremail@yourdomain.com" -I"Received: from www.example.com ([ 127.0.0.1])" | sendmail youremail@yourdomain.com

##gzip /var/log/mail.log.0
exit 0

chmod 755 /usr/local/sbin/postfix_report.sh

9) Edit the rsyslog logrotate file so that your mail.log rotates daily and an email with Postfix statistics is sent automatically:
nano /etc/logrotate.d/rsyslog

Delete the line that says /var/log/mail.log and add this at the VERY bottom of the file:

/var/log/mail.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
prerotate
/usr/local/sbin/postfix_report.sh > /dev/null
endscript
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
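An added example, not from the original post, for checking what the restrictions above actually reject: it parses the NOQUEUE reject/discard lines that smtpd writes to /var/log/mail.log and groups them by the restriction that fired and by client. The sample log lines are constructed, with made-up hosts, addresses and IPs.

```python
"""Group Postfix smtpd rejections by the restriction that fired.

Added example, not part of the original post. It reads the NOQUEUE reject
and discard lines smtpd writes to /var/log/mail.log and counts them per
reason (RBL listing, greylisting, spamtrap DISCARD, HELO check) and per
client IP, so each entry in smtpd_recipient_restrictions can be checked
on its own instead of trusting one overall success rate.
"""
import re
from collections import Counter

# Constructed sample lines in the format Postfix smtpd logs; hosts,
# addresses and IPs are made up, the RBL names match the main.cf above.
SAMPLE_LOG = """\
Oct 14 09:12:01 my postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<x@example.net> to=<bob@derekgordon.com> proto=ESMTP helo=<mail.example.net>
Oct 14 09:12:09 my postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using bl.spamcop.net; from=<y@example.org> to=<bob@derekgordon.com> proto=ESMTP helo=<x>
Oct 14 09:13:30 my postfix/smtpd[2212]: NOQUEUE: reject: RCPT from mx.example.com[192.0.2.4]: 450 4.2.0 <bob@derekgordon.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/derekgordon.com.html; from=<alice@example.com> to=<bob@derekgordon.com> proto=ESMTP helo=<mx.example.com>
Oct 14 09:14:02 my postfix/smtpd[2213]: NOQUEUE: discard: RCPT from unknown[198.51.100.7]: <emailcontrol.old@derekgordon.com>: Recipient address triggers DISCARD action; from=<z@example.net> to=<emailcontrol.old@derekgordon.com> proto=ESMTP helo=<spam.example.net>
Oct 14 09:15:11 my postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 501 5.5.2 <123>: Helo command rejected: Invalid name; from=<w@example.net> to=<bob@derekgordon.com> proto=ESMTP helo=<123>
Oct 14 09:16:40 my postfix/smtpd[2215]: connect from mx.example.com[192.0.2.4]
Oct 14 09:16:41 my postfix/smtpd[2215]: 1A2B3C4D5E: client=mx.example.com[192.0.2.4]
"""

# One regex for the part of a reject/discard line that is stable across
# restrictions; the free-text detail between the client and "from=<" is
# classified separately.
EVENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject|discard): RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<detail>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def classify(detail):
    """Map the detail text to the main.cf restriction that produced it."""
    rbl = re.search(r"blocked using (\S+)", detail)
    if rbl:                                  # reject_rbl_client
        return "rbl:" + rbl.group(1)
    if "Greylisted" in detail:               # check_policy_service (postgrey)
        return "greylist"
    if "DISCARD" in detail:                  # check_recipient_access spamtrap
        return "spamtrap"
    if "Helo command rejected" in detail:    # smtpd_helo_restrictions
        return "helo"
    return "other"


def parse_events(text):
    """Return one dict per reject/discard event found in the log text."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            event = match.groupdict()
            event["reason"] = classify(event["detail"])
            events.append(event)
    return events


def summarize(text):
    """Totals per reason and per client IP for the given log text."""
    events = parse_events(text)
    return {
        "total": len(events),
        "by_reason": Counter(e["reason"] for e in events),
        "by_client": Counter(e["ip"] for e in events),
    }


def repeat_offenders(text, threshold=3):
    """Client IPs rejected at least `threshold` times: candidates to review
    for the check_client_access table used in smtpd_client_restrictions."""
    by_client = summarize(text)["by_client"]
    return sorted(ip for ip, n in by_client.items() if n >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("rejections:", stats["total"])
    for reason, n in stats["by_reason"].most_common():
        print(f"  {reason:<24} {n}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run it against the real file with summarize(open("/var/log/mail.log").read()) to compare the per-restriction counts with the pflogsumm report.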

10/13/2010

HOWTO install FFMPEG

FFMPEG INSTALLATION FROM SOURCE
installed by:
Robertas Dereskevicius
Edited by Jon Nikolakakis
OS/ Fedora Core 5

Summary and install:
libffac
libffad2
xvid
libogg,libvorbis
mp3lame
ffmpeg

Setting Up Install Folder, Logging and download Packages
1)Log into ssh
2) cd /usr/src && mkdir install && cd install
3) Download faad2 and faac
from http://faac.sourceforge.net/oldsite/download.php get Faad2 and faac (new versions)

wget http://prdownloads.sourceforge.net/f...ar.gz?download
wget http://prdownloads.sourceforge.net/f...ar.gz?download

4) Verify that these components are installed
rpm -qa automake
rpm -qa autoconf
rpm -qa libtool
rpm -qa m4
rpm -qa gcc-c++

If any are missing then simply yum install (packagename); if you don't have a package manager then get one, it will save you a lot of time and headaches.

Installing Faac
5)tar -zxvf faac-1.24.tar.gz && cd faac
6) sh bootstrap
7) ./configure
8) make
9) make install
10) cd ..

Installing Faad2
11) tar -zxvf faad2-2.0.tar.gz
12) cd faad2 && less README.linux
13) There are 2 bugs in this package, so you need to manually edit these files
14) nano Makefile.am
Edit the file to look like this
SUBDIRS = libfaad common frontend plugins
EXTRA_DIST = faad2.spec

15) cd common/mp4ff && nano mp4ffint.h
16) Comment out this line
//void mp4ff_track_add(mp4ff_t *f);

17)Save file and cd ../..
18)autoreconf -vif
19) ./configure
20) make
21) make install

Installing Libogg and Libvorbis
22) cd .. and then check whether libogg and libvorbis are installed
rpm -qa libogg-devel
rpm -qa libvorbis-devel
rpm -qa libncurses-devel

If not installed then simply install the packages (replace yum and install with your package manager's commands)
yum install libogg-devel
yum install libvorbis-devel
yum install libncurses-devel

Installing LAME (for audio)
23)go into lame sourceforge - http://sourceforge.net/project/showf...package_id=309
24)wget http://mesh.dl.sourceforge.net/sourc...me-3.97.tar.gz
25)tar -zxvf lame-3.97.tar.gz
26)cd lame*
27) ./configure; make;make install

Installing Xvid
28) cd .. && wget http://downloads.xvid.org/downloads/...e-1.1.2.tar.gz
29)tar -zxvf xvidcore-1.1.2.tar.gz && cd xvid*/build/generic/
30) ./configure; make; make install;
31) cd ../../..

Installing ffmpeg
32) rpm -q subversion; if not installed, then install subversion
33)svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg && cd ffmpeg
34) ./configure --enable-shared --enable-xvid --enable-vorbis --enable-libogg --enable-mp3lame --enable-gpl --enable-faad --enable-faac --enable-a52
35)make
36)make install

If the installation went OK, run
ldd ./ffmpeg
If the paths to the libraries are not OK:

37)Check to see if /usr/local/lib exists on this file
cat /etc/ld.so.conf

If not
echo /usr/local/lib >>/etc/ld.so.conf

38) cat /etc/ld.so.conf and check that /usr/local/lib now exists in the file
39) save file
40) ldconfig
41) run ldd ./ffmpeg

FFmpeg should now be completely installed. On some servers you may need to disable shared libraries (--disable-shared) and adjust the enable flags.

Setup Squid-Cache

Step I - Downloading and compiling Squid

You can download squid source file as a gzipped tar ball (squid-x.y-STABLE.tar.gz) available at http://www.squid-cache.org/ or from ftp://www.squid-cache.org/pub.

Next you have to extract the compressed archive file and change the working directory to squid

tar -xvzf squid-*-src.tar.gz
cd squid-*

Now enter the following commands in order to configure, compile and install squid

./configure
make
make install

By default, this will install into "/usr/local/squid".

Type ./configure --help to view all available options.

Step II - Basic Configuration

Some basic configurations are to be done. Uncomment and edit the following lines in the configuration file found default at "/usr/local/squid/etc/squid.conf".

cache_dir: this directive specifies the cache directory, its storage format and its size, as given below.
cache_dir ufs /usr/local/squid/cache 100 16 256
The value 100 denotes 100MB cache size. This can be adjusted to the required size.

http_port
Check http_port, 3128 is a default.

http_access
By default http_access is denied. The ACL rules should be modified to allow access only to the trusted clients. This is important because it prevents people from stealing your network resources.

cache_effective_user & cache_effective_group
Set these directives to the user and group under which squid will run. This user must have permission to read and write the cache directory and the log files.

Step III - Custom configuration based on your network needs

For Configuring squid for proxy

By default, squid is configured as a direct proxy. In order to cache web traffic with squid, the browser must be configured to use the squid proxy. This needs the following information:

i. the proxy server's host name
ii. the port by which the proxy server accepts connections.

For Configuring squid for transparency

Using squid transparently is a two part process, requiring first that squid be configured properly to accept non-proxy requests (performed in the squid module) and second that web traffic gets redirected to the squid port (achieved in three ways namely policy based routing, Using smart switching or by setting squid Box as a gateway).

Getting transparent caching to work requires the following steps

i. For some operating systems, you have to configure and build a version of Squid which can recognize the hijacked connections and discern the destination addresses. For Linux this seems to work automatically. For BSD-based systems, configure squid with the --enable-ipf-transparent option and you have to configure squid as

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

ii. Next you have to configure your cache host to accept the redirected packets - any IP address, on port 80 - and deliver them to your cache application. This is typically done with IP filtering/forwarding features built into the kernel. In Linux they call this ipfilter (kernel 2.4.x), ipchains (2.2.x) or ipfwadm (2.0.x).

For Configuring squid for Reverse Proxy

To run Squid as an accelerator, you probably want to listen on port 80. And you have to define the machine you are accelerating for. This is done in squid module,

http_port 80
httpd_accel_host visolve.com
httpd_accel_port 81
httpd_accel_single_host on
httpd_accel_with_proxy on

If you are using Squid as an accelerator for a virtual host system, then instead of a 'hostname' here you have to use the word virtual as:

http_port 80
httpd_accel_host virtual
httpd_accel_port 81
httpd_accel_with_proxy on
httpd_accel_single_host off

Step IV - Starting Squid

After you've finished editing the configuration file, you can start Squid for the first time. First, you must create the swap directories. Do this by running Squid with the -z option:

/usr/local/squid/sbin/squid -z

Once that completes, you can start Squid and try it out. Probably the best thing to do is run it from your terminal and watch the debugging output. Use this command:

/usr/local/squid/sbin/squid -NCd1

If everything is working fine, then your console displays: "Ready to serve requests".

If you want to run squid in the background, as a daemon process

/usr/local/squid/sbin/squid

You need to be a privileged user to start/stop squid.

Step V - To check if Squid is working

Check the cache.log file in your logs directory to find out if squid works correctly. This file contains the informational and error messages that Squid generates at runtime.

10/11/2010

phpmyadmin - Operate MySQL with Web Browser

Install phpmyadmin to operate MySQL from Web browser. Web server is required.

[1] Install and configure phpmyadmin

[root@www ~]# yum -y install phpmyadmin php-mysql php-mcrypt

[root@www ~]# vi /usr/share/phpmyadmin/config.inc.php

# line 16: set password
$cfg['blowfish_secret'] = 'password';

[root@www ~]# vi /etc/httpd/conf.d/phpmyadmin.conf

# line 8: add IP address you allow
Allow from 127.0.0.1 192.168.0.0/24

# line 11: add alias
Alias /mysql /usr/share/phpmyadmin

[root@www ~]# /etc/rc.d/init.d/httpd reload
Reloading httpd: [ OK ]

[2] Access 'http://(your hostname or IP address)/(alias name you set)/' with a web browser, then the following screen is shown. Log in with a MySQL user.

[3] Just logged in. You can operate MySQL from here.

Install Mysql

Install MySQL for database server.
[root@www ~]# yum -y install mysql-server

[root@www ~]# /etc/rc.d/init.d/mysqld start
Initializing MySQL database: Installing all prepared tables
Fill help tables

To start mysqld at boot time you have to copy support-files/mysql.server
to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h www.server-linux.info password 'new-password'
See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with the benchmarks in the 'sql-bench' directory:
cd sql-bench ; perl run-all-tests

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
Starting MySQL: [ OK ]

[root@www ~]# chkconfig mysqld on
[root@www ~]# mysql -u root # login to MySQL
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

# show user info
mysql> select user,host,password from mysql.user;

4 rows in set (0.00 sec)

# set root password
mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

# set root password
mysql> set password for root@'www.server-linux.info'=password('password');
Query OK, 0 rows affected (0.00 sec)

mysql> select user,host,password from mysql.user;

4 rows in set (0.00 sec)

# delete anonymous users
mysql> delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)

mysql> select user,host,password from mysql.user;

2 rows in set (0.00 sec)

mysql> exit # logout
Bye
[root@www ~]# mysql -u root -p # login as root
Enter password: # root password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit
Bye

10/10/2010

Take RAID on Linux

With a PC that has 1 disk:
[root@kiloccnp hakata]# fdisk -l

Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00008ef8

Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 1044 8181098+ 8e Linux LVM

Disk /dev/dm-0: 6899 MB, 6899630080 bytes
255 heads, 63 sectors/track, 838 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-0 doesn't contain a valid partition table

Disk /dev/dm-1: 1476 MB, 1476395008 bytes
255 heads, 63 sectors/track, 179 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-1 doesn't contain a valid partition table
[root@kiloccnp hakata]#


Now, add a disk to the PC

[root@kiloccnp hakata]# fdisk -l

Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00008ef8

Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 1044 8181098+ 8e Linux LVM

Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/sdc: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/sdc doesn't contain a valid partition table

Disk /dev/dm-0: 6899 MB, 6899630080 bytes
255 heads, 63 sectors/track, 838 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-0 doesn't contain a valid partition table

Disk /dev/dm-1: 1476 MB, 1476395008 bytes
255 heads, 63 sectors/track, 179 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-1 doesn't contain a valid partition table
[root@kiloccnp hakata]#


Create a partition on disk sdb. We use the command fdisk /dev/sdb

[root@kiloccnp hakata]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xd6e10a8f.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.


The number of cylinders for this disk is set to 1044.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help):


Press key m to read the help

Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help):


Press key n to add a partition

Command (m for help): n
Command action
e extended
p primary partition (1-4)




Choose p for a primary partition (e would create an extended partition)

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1044, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1044, default 1044):
Using default value 1044


Press key p to check the partition, then write the table:

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.


Press key w to save and exit, then list the disks again:
[root@kiloccnp hakata]# fdisk -l

Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00008ef8

Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 1044 8181098+ 8e Linux LVM

Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xd6e10a8f

Device Boot Start End Blocks Id System
/dev/sdb1 1 1044 8385898+ 83 Linux

Disk /dev/sdc: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xe8cc5aac

Device Boot Start End Blocks Id System
/dev/sdc1 1 1044 8385898+ 83 Linux

Disk /dev/dm-0: 6899 MB, 6899630080 bytes
255 heads, 63 sectors/track, 838 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-0 doesn't contain a valid partition table

Disk /dev/dm-1: 1476 MB, 1476395008 bytes
255 heads, 63 sectors/track, 179 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/dm-1 doesn't contain a valid partition table
[root@kiloccnp hakata]#

Configure Exim

######################################################################
#                Runtime configuration file for Exim                 #
######################################################################


# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
# from the Exim ftp sites. The manual is also online at the Exim web sites.


# This file is divided into several parts, all but the first of which are
# headed by a line starting with the word "begin". Only those parts that
# are required need to be present. Blank lines, and lines starting with #
# are ignored.


########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
#                                                                          #
# Whenever you change Exim's configuration file, you *must* remember to    #
# HUP the Exim daemon, because it will not pick up the new configuration   #
# until you do. However, any other Exim processes that are started, for    #
# example, a process started by an MUA in order to send a message, will    #
# see the new configuration as soon as it is in place.                     #
#                                                                          #
# You do not need to HUP the daemon for changes in auxiliary files that    #
# are referenced from this file. They are read every time they are used.   #
#                                                                          #
# It is usually a good idea to test a new configuration for syntactic      #
# correctness before installing it (for example, by running the command    #
# "exim -C /config/file.new -bV").                                         #
#                                                                          #
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########



######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name. In many cases this does
# the right thing and you need not set anything explicitly.

# primary_hostname =


# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:

domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1

# Most straightforward access control requirements can be obtained by
# appropriate settings of the above options. In more complicated situations, you
# may need to modify the Access Control List (ACL) which appears later in this
# file.

# The first setting specifies your local domains, for example:
#
# domainlist local_domains = my.first.domain : my.second.domain
#
# You can use "@" to mean "the name of the local host", as in the default
# setting above. This is the name that is specified by primary_hostname,
# as specified above (or defaulted). If you do not want to do any local
# deliveries, remove the "@" from the setting above. If you want to accept mail
# addressed to your host's literal IP address, for example, mail addressed to
# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
# list. You also need to uncomment "allow_domain_literals" below. This is not
# recommended for today's Internet.

# The second setting specifies domains for which your host is an incoming relay.
# If you are not doing any relaying, you should leave the list empty. However,
# if your host is an MX backup or gateway of some kind for some domains, you
# must set relay_to_domains to match those domains. For example:
#
# domainlist relay_to_domains = *.myco.com : my.friend.org
#
# This will allow any host to relay through your host to those domains.
# See the section of the manual entitled "Control of relaying" for more
# information.

# The third setting specifies hosts that can use your host as an outgoing relay
# to any other host on the Internet. Such a setting commonly refers to a
# complete local network as well as the localhost. For example:
#
# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
#
# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
# have to include 127.0.0.1 if you want to allow processes on your host to send
# SMTP mail by using the loopback address. A number of MUAs use this method of
# sending mail.


# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# manual for details. The lists above are used in the access control list for
# incoming messages. The name of this ACL is defined here:

acl_smtp_rcpt = acl_check_rcpt

# You should not change that setting until you understand how ACLs work.

# The following ACL entries are used if you want to do content scanning with
# the exiscan-acl patch. When you uncomment one of these lines, you must also
# review the respective entries in the ACL section further below.

# acl_smtp_mime = acl_check_mime
# acl_smtp_data = acl_check_content

# This configuration variable defines the virus scanner that is used with
# the 'malware' ACL condition of the exiscan acl-patch. If you do not use
# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt
# for a list of supported scanners.

# av_scanner = sophie:/var/run/sophie

# The following setting is only needed if you use the 'spam' ACL condition
# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin
# "spamd" daemon is listening. If you do not use this condition, or you use
# the default of "127.0.0.1 783", you can omit this option.

# spamd_address = 127.0.0.1 783

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.example" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the recipient_unqualified_hosts option if you want to permit
# unqualified addresses from remote sources. If this option is not set, the
# primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
# (an IP address) instead of a named domain. The RFCs still require this form,
# but it makes little sense to permit mail to be sent to specific hosts by
# their IP address in the modern Internet. This ancient format has been used
# by those seeking to abuse hosts by using them for unwanted relaying. If you
# really do want to support domain literals, uncomment the following line, and
# see also the "domain_literal" router below.

# allow_domain_literals


# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. There is an
# even stronger safety catch in the form of the FIXED_NEVER_USERS setting
# in the configuration for building Exim. The list of users that it specifies
# is built into the binary, and cannot be changed. The option below just adds
# additional users to the list. The default for FIXED_NEVER_USERS is "root",
# but just to be absolutely sure, the default here is also "root".

# Note that the default setting means you cannot deliver mail addressed to root
# as if it were a normal user. This isn't usually a problem, as most sites have
# an alias for root that redirects such mail to a human administrator.

never_users = root


# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *


# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls have problems
# with them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up an SMTP session.

rfc1413_hosts = *
rfc1413_query_timeout = 30s


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
#
# to control sender and recipient addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
# the domains listed) is locally rerouted to x@y and sent on. If z is not one
# of the "percent hack" domains, x%y is treated as an ordinary local part. This
# hack is rarely needed nowadays; you should not enable it unless you are sure
# that you really need it.
#
# percent_hack_domains =
#
# As well as setting this option you will also need to remove the test
# for local parts containing % in the ACL definition below.


# When Exim can neither deliver a message nor return it to sender, it "freezes"
# the delivery error message (aka "bounce message"). There are also other
# circumstances in which messages get frozen. They will stay on the queue for
# ever unless one of the following options is set.

# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d



######################################################################
#                         ACL CONFIGURATION                          #
#       Specifies access control lists for incoming SMTP mail        #
######################################################################

begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept hosts = :

#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or |.
# If you have local accounts that include these characters, you will have to
# modify this rule.

deny    message       = Restricted characters in address
        domains       = +local_domains
        local_parts   = ^[.] : ^.*[@%!/|]

# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within the
# local part. However, the sequence /../ is barred. The use of @ % and ! is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote sites.

deny    message       = Restricted characters in address
        domains       = !+local_domains
        local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
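To see what the two rules above actually reject, here is an added Python model of them (not part of the Exim distribution or of this configuration) run over constructed sample local parts; the regexes are the ones from the ACL, with Exim's "\\." already expanded to "\.".

```python
import re

# The two local_parts regex lists from the ACL above, as Python raw strings.
# Exim expands "\\." in the config to the regex "\.", so the third non-local
# rule is the /../ traversal pattern.
LOCAL_DOMAIN_RULES = [r"^[.]", r"^.*[@%!/|]"]
OTHER_DOMAIN_RULES = [r"^[./|]", r"^.*[@%!]", r"^.*/\.\./"]


def local_part_denied(local_part: str, is_local_domain: bool) -> bool:
    """True if the matching 'Restricted characters in address' deny fires.

    Exim tries each regex in the local_parts list in turn and the deny
    statement fires as soon as one of them matches (all are ^-anchored,
    so re.search and re.match behave identically here).
    """
    rules = LOCAL_DOMAIN_RULES if is_local_domain else OTHER_DOMAIN_RULES
    return any(re.search(rule, local_part) for rule in rules)


# Constructed sample local parts, chosen to show why each class of
# character is blocked when the value ends up in a filename or a pipe.
SAMPLES = [
    "alice",               # ordinary local part: always allowed
    "postmaster",          # allowed (and accepted unconditionally later)
    ".forward",            # leading dot: hidden file if used as a filename
    "list/archive",        # slash inside: blocked for local domains only
    "list/../etc/passwd",  # /../ traversal: blocked everywhere
    "user%example.org",    # percent hack relay attempt: blocked everywhere
    "user@other!bang",     # @ and ! source routing: blocked everywhere
    "|cat confidential",   # leading pipe: looks like a shell command
    "a|b",                 # pipe inside: blocked for local domains only
]


def classify(samples=SAMPLES):
    """Return {local_part: (denied_for_local_domain, denied_for_other_domain)}."""
    return {lp: (local_part_denied(lp, True), local_part_denied(lp, False))
            for lp in samples}


if __name__ == "__main__":
    for lp, (local, other) in classify().items():
        print(f"{lp:22} local-domain: {'DENY' if local else 'pass':4}"
              f"  other-domain: {'DENY' if other else 'pass'}")
```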

# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

accept  local_parts   = postmaster
        domains       = +local_domains

# Deny unless the sender address can be verified.

require verify = sender

#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. However, here are two examples of
# how you could get Exim to perform a DNS black list lookup at this point.
# The first one denies, while the second just warns.
#
# deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
#         dnslists      = black.list.example
#
# warn    message       = X-Warning: $sender_host_address is in a black list at $dnslist_domain
#         log_message   = found in $dnslist_domain
#         dnslists      = black.list.example
#############################################################################

# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

accept  domains       = +local_domains
        endpass
        verify        = recipient

# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

accept  domains       = +relay_to_domains
        endpass
        verify        = recipient

# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.

accept hosts = +relay_from_hosts

# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

deny    message       = relay not permitted


# These access control lists are used for content scanning with the exiscan-acl
# patch. You must also uncomment the entries for acl_smtp_data and acl_smtp_mime
# (scroll up), otherwise the ACLs will not be used. IMPORTANT: the default entries here
# should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt
# to fully understand what you are doing ...

acl_check_mime:

# Decode MIME parts to disk. This will support virus scanners later.
warn    decode        = default

# File extension filtering.
deny    message       = Blacklisted file extension detected
        condition     = ${if match \
                            {${lc:$mime_filename}} \
                            {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                        {1}{0}}

# Reject messages that carry chinese character sets.
# WARNING: This is an EXAMPLE.
deny    message       = Sorry, noone speaks chinese here
        condition     = ${if eq{$mime_charset}{gb2312}{1}{0}}

accept

acl_check_content:

# Reject virus infested messages.
deny    message       = This message contains malware ($malware_name)
        malware       = *

# Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
# (user "nobody"), no matter if over threshold or not.
warn    message       = X-Spam-Score: $spam_score ($spam_bar)
        spam          = nobody:true
warn    message       = X-Spam-Report: $spam_report
        spam          = nobody:true

# Add X-Spam-Flag if spam is over system-wide threshold
warn    message       = X-Spam-Flag: YES
        spam          = nobody

# Reject spam messages with score over 10, using an extra condition.
deny    message       = This message scored $spam_score points. Congratulations!
        spam          = nobody:true
        condition     = ${if >{$spam_score_int}{100}{1}{0}}

# finally accept all the rest
accept


######################################################################
#                       ROUTERS CONFIGURATION                        #
#                Specifies how addresses are handled                 #
######################################################################
#      THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!      #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers

# This router routes to remote hosts over SMTP by explicit IP address,
# when an email address is given in "domain literal" form, for example,
# . The RFCs require this facility. However, it is
# little-known these days, and has been exploited by evil people seeking
# to abuse SMTP relays. Consequently it is commented out in the default
# configuration. If you uncomment this router, you also need to uncomment
# allow_domain_literals above, so that Exim can recognize the syntax of
# domain literal addresses.

# domain_literal:
#   driver = ipliteral
#   domains = ! +local_domains
#   transport = remote_smtp


# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
# as the local host inside the network stack. It is not 0.0.0.0/0, the default
# route. If the DNS lookup fails, no further routers are tried because of
# the no_more setting, and consequently the address is unrouteable.

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more


# The remaining routers handle addresses in the local domain(s).


# This router handles aliasing using a linearly searched alias file with the
# name SYSTEM_ALIASES_FILE. When this configuration is installed automatically,
# the name gets inserted into this file from whatever is set in Exim's
# build-time configuration. The default path is the traditional /etc/aliases.
# If you install this configuration by hand, you need to specify the correct
# path in the "data" setting below.
#
##### NB You must ensure that the alias file exists. It used to be the case
##### NB that every Unix had that file, because it was the Sendmail default.
##### NB These days, there are systems that don't have it. Your aliases
##### NB file should at least contain an alias for "postmaster".
#
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that the transports
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
  file_transport = address_file
  pipe_transport = address_pipe


# This router handles forwarding using traditional .forward files in users'
# home directories. If you want it also to allow mail filtering when a forward
# file starts with the string "# Exim filter" or "# Sieve filter", uncomment
# the "allow_filter" option.

# If you want this router to treat local parts with suffixes introduced by "-"
# or "+" characters as if the suffixes did not exist, uncomment the two local_
# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
# in the same way as xxxx@your.domain by this router. You probably want to make
# the same change to the localuser router.

# The no_verify setting means that this router is skipped when Exim is
# verifying addresses. Similarly, no_expn means that this router is skipped if
# Exim is processing an EXPN command.

# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A.

# The three transports specified at the end are those that are used when
# forwarding generates a direct delivery to a file, or to a pipe, or sets
# up an auto-reply, respectively.

userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply


# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".

# If you want this router to treat local parts with suffixes introduced by "-"
# or "+" characters as if the suffixes did not exist, uncomment the two local_
# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
# in the same way as xxxx@your.domain by this router.

localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user



######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports


# This transport is used for delivering messages over SMTP connections.

remote_smtp:
  driver = smtp


# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format. By default it will be run under the uid and gid of the
# local user, and requires the sticky bit to be set on the /var/mail directory.
# Some systems use the alternative approach of running mail deliveries under a
# particular group instead of using the sticky bit. The commented options below
# show how this can be done.

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660


# This transport is used for handling pipe deliveries generated by alias or
# .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe in the routers
# section above.

address_pipe:
  driver = pipe
  return_output


# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add


# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.

address_reply:
  driver = autoreply


# This transport is used to deliver local mail to cyrus IMAP server via UNIX
# socket.
#
#local_delivery:
#  driver = lmtp
#  command = "/usr/lib/cyrus-imapd/deliver -l"
#  batch_max = 20
#  user = cyrus


######################################################################
#                        RETRY CONFIGURATION                         #
######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
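As an added illustration (not part of the Exim distribution or of this configuration), a Python model that expands this retry rule into the actual timetable of attempts, so the interplay of the three items and the 4-day cutoff can be checked. It models the semantics described in the comment above (item chosen by time since first failure, bounce once the last cutoff has passed) rather than reproducing Exim's own retry code.

```python
import re

# Exim time units accepted in retry rules (seconds per unit).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(spec: str) -> int:
    """Parse an Exim time spec such as "15m", "2h", "4d" or "1h30m" to seconds."""
    parts = re.findall(r"(\d+)([smhdw])", spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"bad time spec: {spec!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def parse_retry_rule(rule: str):
    """Split "F,2h,15m; G,16h,1h,1.5; F,4d,6h" into (kind, cutoff, p1, p2) tuples.

    cutoff and p1 are in seconds; p2 is the multiplier of a G item (None for F).
    """
    parsed = []
    for item in rule.split(";"):
        fields = [f.strip() for f in item.split(",")]
        kind, cutoff = fields[0], parse_time(fields[1])
        if kind == "F" and len(fields) == 3:
            parsed.append(("F", cutoff, parse_time(fields[2]), None))
        elif kind == "G" and len(fields) == 4:
            parsed.append(("G", cutoff, parse_time(fields[2]), float(fields[3])))
        else:
            raise ValueError(f"unsupported retry item: {item!r}")
    return parsed


def retry_schedule(rule: str):
    """Offsets in seconds (from the first failure) of every retry attempt.

    At each failure the first item whose cutoff has not yet passed applies:
    F adds its fixed interval; G starts at p1 and then multiplies the previous
    interval by p2 (truncated to whole seconds). A failure that happens after
    the last cutoff means the address is bounced, which ends the list.
    """
    items = parse_retry_rule(rule)
    schedule, now, interval, current = [], 0, 0, None
    while True:
        item = next((i for i in items if now < i[1]), None)
        if item is None:          # past the final cutoff: bounce
            return schedule
        kind, _cutoff, p1, p2 = item
        if kind == "F" or item is not current:
            interval = p1         # fixed interval, or first step of a G item
        else:
            interval = int(interval * p2)
        current = item
        now += interval
        schedule.append(now)


def final_cutoff(rule: str) -> int:
    """Seconds after the first failure at which Exim gives up (last item's cutoff)."""
    return parse_retry_rule(rule)[-1][1]


if __name__ == "__main__":
    DEFAULT_RULE = "F,2h,15m; G,16h,1h,1.5; F,4d,6h"   # the rule configured above
    for t in retry_schedule(DEFAULT_RULE):
        print(f"retry at +{t / 3600:6.2f} h")
    print(f"bounce once a failure occurs after +{final_cutoff(DEFAULT_RULE) / 3600:.0f} h")
```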



######################################################################
#                       REWRITE CONFIGURATION                        #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite



######################################################################
#                    AUTHENTICATION CONFIGURATION                    #
######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators



######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################

# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.

# begin local_scan


# End of Exim configuration file