Debian server installation:

THIS TUTORIAL IS INCOMPLETE, IT IS A DRAFT


Here is a complete step-by-step guide to installing a server under Debian (LAMP, Postfix, Dovecot, DSPAM, ClamAV, FTP,


Network configuration

To configure the network, edit the file /etc/network/interfaces.
Here is an example with a static IP and a DHCP one.

To "restart" the network:
/etc/init.d/networking restart

Changing the console settings

I run my Debian systems as VirtualBox VMs and control them from a Mac, so I need to change the keyboard layout
dpkg-reconfigure console-data

Initial update

We fetch all the updates (you need to add
apt-get update
apt-get upgrade
apt-get install mc iptraf vim lynx debian-policy lm-sensors ntp ntop openssh-server
apt-get remove telnet

LAMP

Installing Apache 2 / PHP 5 / MySQL 5
apt-get install apache2 libapache2-mod-php5 libapache2-mod-bw libapache2-mod-evasive php5-gd php5-mcrypt php-pear php5-mysql mysql-server phpmyadmin mytop
a2enmod bw
a2enmod evasive -- WRONG, why?
The name a2enmod expects is the basename of the .load file in /etc/apache2/mods-available/, and for mod_evasive that name has not been the same in every Debian release; run ls /etc/apache2/mods-available/ and use the name you find there.
Note also that the phpmyadmin package enables its own Apache alias, so /phpmyadmin is reachable by anyone who can reach the web server: restrict it by address or authentication before exposing the machine.

Pure-FTPd

Installing the FTP server with MySQL virtual users
apt-get install pure-ftpd-mysql
ln -s /usr/sbin/pure-ftpd-mysql /usr/sbin/pure-ftpd
Plain FTP sends credentials and data in the clear; if you keep it, enable TLS in Pure-FTPd or restrict it to trusted networks.

Mail server

We are going to install blabla

Removing Exim

Exim is the default mail server (MTA) on Debian; we remove it to install Postfix instead
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light

Installing Postfix

apt-get install postfix postfix-mysql libsasl2-modules-sql sasl2-bin libsasl2-2 postfix-tls libpam-mysql
(On current Debian releases TLS support is built into the postfix package and postfix-tls is only a transitional package, so it may already be gone from the archive; simply leave it out if apt does not find it.)

Creating the user / directory

useradd -r -u 5000 -g mail -d /home/mail -s /usr/sbin/nologin -c "Virtual Mailbox" vmail
mkdir /home/mail
chmod 770 /home/mail/
chown vmail:mail /home/mail/
(On Debian nologin lives in /usr/sbin, not /sbin. UID 5000 and the mail group, GID 8, are the values that virtual_uid_maps/virtual_gid_maps in Postfix and first_valid_uid/last_valid_uid in Dovecot must agree on, so every component reads and writes the maildirs as the same identity.)
CREATE THE mail USER AND THE mail DATABASE IN MYSQL from
(draft note; when you do, grant the account only what each consumer needs: Postfix and Dovecot only ever SELECT from alias, domain and mailbox, while DSPAM needs INSERT/UPDATE/DELETE on its own dspam_* tables)

Configuring main.cf

Replace mail.dryades.org / dryades.org with your own names. The virtual_mailbox_extended, virtual_mailbox_limit_*, virtual_create_maildirsize, virtual_maildir_limit_message and virtual_overquota_bounce parameters come from the VDA quota patch: stock Debian Postfix does not know them and only logs "unused parameter" warnings for them, so with the stock package quota enforcement really happens in Dovecot, not here.
postconf -e 'myhostname = mail.dryades.org'
postconf -e 'smtpd_banner = $myhostname ESMTP $mail_name'
postconf -e 'biff = no'
postconf -e 'append_dot_mydomain = no'
postconf -e 'myorigin = dryades.org'
postconf -e 'mydestination = $myhostname, localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8' 
postconf -e 'recipient_delimiter = +'
postconf -e 'inet_interfaces = all'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
postconf -e 'virtual_alias_domains ='
postconf -e 'virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf'
postconf -e 'virtual_mailbox_base = /home/mail'
postconf -e 'virtual_minimum_uid = 5000'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:8'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_mailbox_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "La personne que vous essayez de contacter a depasse son quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_transports.cf'

Creating Postfix's SQL files

Each of the five files below holds the database password: keep them mode 640, owned by root with group postfix, so that only Postfix's proxymap daemon can read them, and replace "password" with the real password of the mail MySQL user.

/etc/postfix/mysql_virtual_alias_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

/etc/postfix/mysql_virtual_domains_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

/etc/postfix/mysql_virtual_mailbox_maps.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain,'/',maildir)
where_field = username
additional_conditions = and active = '1'
#query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username='%s' AND active = '1'

/etc/postfix/mysql_virtual_transports.cf
user = mail
password = password
hosts = 127.0.0.1
dbname = mail
table = domain
select_field = transport
where_field = domain
additional_conditions = and active = '1'
#query = SELECT transport FROM domain WHERE domain='%s' AND active = '1'

Relay policy

reject_unauth_destination is what keeps the server from being an open relay: it refuses any recipient outside our own domains unless an earlier restriction (here permit_mynetworks) has already accepted the client. The final permit then takes what is left, i.e. mail for our own domains from anybody.
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit'

Installing greylisting

Greylisting temporarily refuses (with a 4xx code) every message the first time a given client/sender/recipient combination is seen, which may look odd ;)
A real mail server retries after a while, so the message gets through with a delay; most spam engines never retry, so their mail does not :p
apt-get install postgrey
Then edit the configuration file /etc/default/postgrey (the port must match the check_policy_service entry given to Postfix)
[...]
POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=55"
[...]

RBL and other restrictions

An RBL (DNS blocklist) is a DNS-published list of spammer IP addresses that our MTA refuses outright. Postfix offers many other restrictions (see the documentation on the Postfix site). Keep permit_mynetworks and reject_unauth_destination in the list, and put the postgrey policy service last so that only mail that passed everything else gets greylisted.
Besides Spamhaus, the original draft also queried list.dsbl.org and dsn.rfc-ignorant.org (spelled "fc-ignorant" in the draft); both lists have ceased operation and are dropped here. A DNSBL zone that no longer answers is useless, and one whose domain is later taken over and wildcarded makes Postfix reject every client.
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:60000, permit'
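DNSBLs die quietly (dsbl.org and rfc-ignorant.org both did), so it is worth checking that every zone in the restriction list still behaves like a DNSBL before trusting it. The script below is an added example, not part of this tutorial and not a Postfix tool: it applies the RFC 5782 convention (an IP-based list always lists 127.0.0.2 and never lists 127.0.0.1) to each reject_rbl_client zone of a restriction value. It assumes the host command from Debian's dnsutils for live lookups; the zone names alive.example, gone.example and parked.example and the fake resolver in its tests are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check every
# reject_rbl_client zone of a Postfix restriction list before relying on it.
# RFC 5782 convention for IP-based DNSBLs: 127.0.0.2 is always listed and
# 127.0.0.1 is never listed. A zone that returns nothing for 127.0.0.2 is
# dead (expired or unreachable); one that returns a listing for 127.0.0.1
# answers for everything, which is what a parked domain with a wildcard A
# record does, and Postfix would then reject every client.
# RHSBLs (reject_rhsbl_*) use a different test entry and are skipped here.

# dnsbl_lookup IP ZONE: print the A records for the reversed IP under ZONE,
# nothing when the name does not exist. Assumes host(1) from dnsutils.
dnsbl_lookup() {
    rev=$(printf '%s' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    host -t A "$rev.$2" 2>/dev/null | awk '/has address/ { print $NF }'
    return 0
}

# dnsbl_health ZONE [LOOKUP]: print healthy, dead or wildcard. LOOKUP is any
# function with dnsbl_lookup's interface, so a fake resolver can be injected.
dnsbl_health() {
    zone=$1
    lookup=${2:-dnsbl_lookup}
    if [ -n "$("$lookup" 127.0.0.1 "$zone")" ]; then
        echo wildcard      # lists an address that must never be listed
    elif [ -z "$("$lookup" 127.0.0.2 "$zone")" ]; then
        echo dead          # does not list the address that must always be listed
    else
        echo healthy
    fi
}

# check_rbl_restrictions RESTRICTIONS [LOOKUP]: one "zone status" line per
# reject_rbl_client entry of an smtpd_recipient_restrictions value.
check_rbl_restrictions() {
    lookup=${2:-dnsbl_lookup}
    printf '%s\n' "$1" | tr ',' '\n' |
        awk '$1 == "reject_rbl_client" { print $2 }' |
        while read -r zone; do
            printf '%s %s\n' "$zone" "$(dnsbl_health "$zone" "$lookup")"
        done
}

# Usage against the live resolver (needs network access):
# check_rbl_restrictions "$(postconf -h smtpd_recipient_restrictions)"
```

Run it once after editing the restriction list and again from cron: a "dead" zone should be removed, and a "wildcard" zone must be removed immediately because it rejects all inbound mail.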

DSPAM

DSPAM is an anti-spam system that checks every incoming email and learns from it
It is reportedly more effective than SpamAssassin, and above all lighter
apt-get install dspam dspam-doc libdspam7-drv-mysql
When asked whether to use dbconfig, answer no
We will load the database schemas by hand (we like that :d)
mysql -u root -h 127.0.0.1 -p mail < /usr/share/doc/libdspam7-drv-mysql/mysql_objects-speed.sql
Now we tell it about the virtual users
mysql -u root -h 127.0.0.1 -p mail < /usr/share/doc/libdspam7-drv-mysql/virtual_users.sql
All that is left is telling DSPAM how to use it (unlike Postfix and Dovecot, DSPAM writes to its tables, so the mail account needs INSERT/UPDATE/DELETE on the dspam_* tables)
Edit /etc/dspam/dspam.d/mysql.conf
[...]
MySQLServer /var/run/mysqld/mysqld.sock
#MySQLPort 3306
MySQLUser mail
MySQLPass password
MySQLDb mail
[...]
MySQLVirtualTable dspam_virtual_uids
MySQLVirtualUIDField uid
MySQLVirtualUsernameField username
[...]
NOTE: This is a temporary setup, just because we hadn't finished the DSPAM virtual user install prior to writing this guide. Ideally, you'd want DSPAM looking at the same virtual user table as Postfix in order to get all the token information stored correctly. I'll update the guide as soon as we've completed that change-over.

Dovecot

We will install Dovecot, the IMAP server users fetch their mail from; its deliver binary is also the local delivery agent (LDA) that DSPAM will hand mail to
apt-get install dovecot-imapd

Making DSPAM and Dovecot talk to each other

Edit the file /etc/dspam/dspam.conf (Debug * logs the processing of every message; keep it only while setting things up)
[...]
TrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
[...]
UntrustedDeliveryAgent "/usr/lib/dovecot/deliver -d %u"
[...]
QuarantineAgent "/usr/lib/dovecot/deliver -d %u -m SPAM"
[...]
Debug *
[...]
Preference "spamAction=tag"
Preference "signatureLocation=headers"  # 'message' or 'headers'
Preference "showFactors=on"
Preference "spamSubject=[SPAM]"
[...]
LocalMX 127.0.0.1
[...]
Opt out
[...]
ParseToHeaders on
ChangeModeOnParse on
ChangeUserOnParse full
[...]
ServerPort 2424
ServerPID /var/run/dspam/dspam.pid
[...]
ServerMode standard
[...]
ServerParameters "--deliver=innocent, spam"
[...]
All that is left is to start it at boot as a daemon (by default it runs as a plain program on every call)
Edit /etc/default/dspam
# Variables for dspam.
#
# Do not start dspam.
#START=no
#
# Changed for DSPAM daemon
#
START=yes
# User that runs dspam.
USER=dspam
# Options for dspam
#OPTIONS="--debug"
Start it by hand the first time
invoke-rc.d dspam start
Train DSPAM so that it filters well from the start, using the public SpamAssassin corpora (replace test with the DSPAM user whose dictionary you want to train)
apt-get install bzip2
cd /tmp
wget http://spamassassin.apache.org/publiccorpus/20050311_spam_2.tar.bz2
wget http://spamassassin.apache.org/publiccorpus/20030228_easy_ham_2.tar.bz2
tar xvfj 20050311_spam_2.tar.bz2
tar xvfj 20030228_easy_ham_2.tar.bz2
dspam_train test spam_2/ easy_ham_2/
This takes a little while, after which the files we just used can be deleted

ClamAV

ClamAV is an antivirus that lets us check whether emails are infected, handy when there are Windows users :d
apt-get install clamav-daemon
edit /etc/clamav/clamd.conf
[...]
TCPSocket 3310
[...]
Add TCPAddr 127.0.0.1 next to it: with TCPSocket alone clamd binds to every interface, and nothing outside this box needs to reach it.
Restart ClamAV
invoke-rc.d clamav-daemon restart
Then tell DSPAM where ClamAV is
Edit /etc/dspam/dspam.conf
[...]
ClamAVPort 3310
ClamAVHost 127.0.0.1
ClamAVResponse reject
[...]
Then restart DSPAM
invoke-rc.d dspam restart
There: we now have an anti-spam system that tags [SPAM] in the subject and rejects any email carrying a virus.

Configuring Dovecot

We have a system able to route mail, but we still need to be able to fetch it; Dovecot is installed but not configured, so let us do it now. The file below uses the same identity (UID 5000, group mail) and the same directory layout (/home/mail/<domain>/<local part>) as Postfix, so every component agrees on who owns the maildirs and where they are; the draft's mail_location used %u (the full login name) where the SQL queries use %n (the local part), which has been aligned here.
/etc/dovecot/dovecot.conf
## Dovecot configuration file
#
base_dir = /var/run/dovecot/
#
# imap imaps pop3 pop3s (use imaps and pop3s if configured for SSL)
protocols = imap
#
# Uncomment the ssl_listen statements and comment out listen if using SSL
protocol imap {
  listen = *:143
  # ssl_listen = *:993
  login_executable = /usr/lib/dovecot/imap-login
  mail_executable = /usr/lib/dovecot/imap
  imap_max_line_length = 65536
}
#protocol pop3 {
#  listen = *:110
#  ssl_listen = *:995
#  login_executable = /usr/lib/dovecot/pop3-login
#  mail_executable = /usr/lib/dovecot/pop3
#  pop3_uidl_format = %08Xu%08Xv
#}
#
log_timestamp = "%Y-%m-%d %H:%M:%S "
syslog_facility = mail
#
# Uncomment these if using SSL
#ssl_cert_file = /etc/ssl/mycompany/mailserver/mail-cert.pem
#ssl_key_file = /etc/ssl/mycompany/mailserver/mail-key.pem
#ssl_ca_file = /etc/ssl/mycompany/ca/mycompany.pem
#ssl_verify_client_cert = yes
#ssl_parameters_regenerate = 168
#verbose_ssl = no
#
# Where the mailboxes are located (same layout as the SQL queries: /home/mail/<domain>/<local part>)
mail_location = maildir:/home/mail/%d/%n
#
mail_privileged_groups = mail
mail_debug = no
first_valid_uid = 5000
last_valid_uid = 5000
maildir_copy_with_hardlinks = yes
#
protocol lda {
  postmaster_address = postmaster@dryades.org
  sendmail_path = /usr/lib/sendmail
  auth_socket_path = /var/run/dovecot/auth-master
}
#
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
#
auth default {
  mechanisms = plain
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  user = nobody
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  #
  # If you want client certificates, use these lines
  # ssl_require_client_cert = yes
  # ssl_username_from_cert = yes
}
Now Dovecot must also be able to connect to MySQL. The draft's password_query still carried /vmail paths and UID 150 from whatever guide it was copied from; they are corrected below to the /home/mail layout and UID 5000 used everywhere else on this page.
/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=127.0.0.1 dbname=mail user=mail password=password
# The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
default_pass_scheme = MD5-CRYPT
# Get the password
password_query = SELECT username AS user, password, '/home/mail/%d/%n' AS userdb_home, 'maildir:/home/mail/%d/%n' AS userdb_mail, 5000 AS userdb_uid, 8 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# Get the mailbox
user_query = SELECT '/home/mail/%d/%n' AS home, 'maildir:/home/mail/%d/%n' AS mail, 5000 AS uid, 8 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, '%u' AS user
Since the MySQL password is stored in the file, let us protect it a bit (Dovecot's deliver runs as vmail and has to read these files, hence the owner)
chmod 600 /etc/dovecot/*.conf
chown vmail /etc/dovecot/*.conf
Dovecot's basic configuration (no TLS yet) is done, restart it
invoke-rc.d dovecot restart
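dovecot-sql.conf declares default_pass_scheme = MD5-CRYPT, so the password column of the mailbox table has to hold MD5-CRYPT hashes ("$1$salt$hash"), never clear-text passwords, and the draft nowhere shows how to produce one. The helper below is an added example, not part of this tutorial: it produces the hash with openssl passwd -1 (assumed to be available), verifies a password against a stored hash the way Dovecot does (re-hash with the stored salt and compare), and prints the INSERT for the mailbox columns that the Postfix and Dovecot queries on this page read. alice@dryades.org, the password and the quota value are constructed sample values; the maildir value "<local part>/" is chosen so that Postfix's CONCAT(domain,'/',maildir) and Dovecot's /home/mail/%d/%n point at the same directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: creating mailbox rows
# whose password column Dovecot (default_pass_scheme = MD5-CRYPT) can verify.
# Uses openssl passwd -1, assumed available; table/column names are the ones
# used by the Postfix and Dovecot queries on this page.

# mail_pw_hash PASSWORD [SALT]: print the MD5-CRYPT hash ($1$salt$hash).
# A fixed salt is only for reproducible tests; normally leave it out so that
# openssl picks a random one per password.
mail_pw_hash() {
    if [ -n "$2" ]; then
        openssl passwd -1 -salt "$2" "$1"
    else
        openssl passwd -1 "$1"
    fi
}

# mail_pw_verify HASH PASSWORD: exit 0 if PASSWORD matches HASH, 1 otherwise.
# The salt is the third '$'-separated field of the stored value; re-hashing
# the candidate with it must reproduce the stored string exactly.
mail_pw_verify() {
    salt=$(printf '%s' "$1" | cut -d '$' -f 3)
    [ "$(openssl passwd -1 -salt "$salt" "$2")" = "$1" ]
}

# mailbox_insert_sql USER@DOMAIN PASSWORD QUOTA [SALT]: print the INSERT for
# the mailbox table. maildir is "<localpart>/" so that Postfix's
# CONCAT(domain,'/',maildir) and Dovecot's /home/mail/%d/%n agree.
# Single quotes in the username are doubled for SQL; the hash alphabet
# ([./0-9A-Za-z]) needs no quoting.
mailbox_insert_sql() {
    user=$1
    localpart=${user%@*}
    domain=${user#*@}
    hash=$(mail_pw_hash "$2" "$4")
    printf "INSERT INTO mailbox (username, password, domain, maildir, quota, active) VALUES ('%s', '%s', '%s', '%s/', %s, 1);\n" \
        "$(printf '%s' "$user" | sed "s/'/''/g")" "$hash" "$domain" "$localpart" "$3"
}

# Usage (constructed sample account):
# mailbox_insert_sql alice@dryades.org 'S3cret!' 104857600 | mysql -u root -p mail
```

The quota value is stored as-is in mailbox.quota and reaches Dovecot through the CONCAT('dirsize:storage=', quota) expression of user_query, so use whatever unit your Dovecot quota backend expects for that setting.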

Securing connections with TLS/SASL

We create our own (self-signed) certificate. TLS is the encrypted transport; SASL is the authentication layer that lets only identified users send mail through us. The key size and signature algorithm are 2048 bits and SHA-256 rather than the draft's 1024 bits and SHA-1, which current clients no longer accept.
mkdir -p /etc/ssl/dryades.org/mailserver/
cd /etc/ssl/dryades.org/mailserver/
openssl genrsa 2048 > mail-key.pem
chmod 400 mail-key.pem
openssl req -new -x509 -nodes -sha256 -days 3650 -key mail-key.pem > mail-cert.pem
We tell Postfix to use TLS and SASL. Two things in the draft (which the author had marked UNSURE) were wrong: the line "smtpd_recipient_restrictions = permit_sasl_authenticated, reject" would wipe the relay policy built above and refuse every message from another mail server, including mail for our own domains, so the list must keep reject_unauth_destination and simply gain permit_sasl_authenticated in front of it (the list below is the one from the RBL section with that addition and the defunct DNSBLs left out); and smtpd_tls_security_level must be "may" on port 25, because other MTAs are not required to speak TLS and "encrypt" there loses their mail. Require encryption only on the submission port (587 in master.cf), where your own users authenticate. The draft's "smptd_tls_received_header" was a typo.
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:60000, permit'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/dryades.org/mailserver/mail-cert.pem'
postconf -e 'smtpd_tls_key_file = /etc/ssl/dryades.org/mailserver/mail-key.pem'
postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_received_header = no'
postconf -e 'smtpd_tls_loglevel = 0'
postconf -e 'tls_random_source = dev:/dev/urandom'
Reload Postfix to pick up the changes
postfix reload
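The relay policy section and this section both rewrite smtpd_recipient_restrictions, and the order of the items is what decides between an open relay, a server that refuses its own inbound mail, and a correct setup. The linter below is an added example (not part of this tutorial and not a Postfix tool) that encodes those ordering rules for the MX port, where strangers must be able to deliver to our own domains but never relay; the policy strings it is run on are the ones from this page plus constructed broken ones.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: lint the order of
# smtpd_recipient_restrictions for the MX port (25). Postfix walks the list
# left to right and stops at the first restriction that gives a definite
# answer, so position decides the outcome. Rules applied:
#   - reject_unauth_destination (or defer_unauth_destination) is the relay
#     guard: an unconditional permit before it, or no guard at all (Postfix
#     ends the list with an implicit permit), lets anybody relay through us;
#   - permit_auth_destination explicitly accepts mail for our own domains;
#   - an unconditional reject reached before mail for our own domains has
#     been accepted refuses every other mail server: no inbound mail at all;
#   - a check_policy_service (postgrey) before the guard may answer OK and
#     thereby permit relaying for whoever it decides to whitelist.
# Everything else (RBLs, FQDN checks, permit_mynetworks, permit_sasl_...)
# is conditional on the client and cannot relay for strangers by itself,
# so it is ignored. Prints one of: ok, open-relay, inbound-refused,
# policy-before-guard.
check_relay_policy() {
    guard=0        # relay guard seen
    inbound_ok=0   # mail to our own domains explicitly permitted
    # drop blanks and turn commas into spaces so the shell can iterate the
    # items; "check_policy_service inet:..." collapses into one word, fine
    for item in $(printf '%s' "$1" | tr -d ' \t' | tr ',' ' '); do
        case "$item" in
            reject_unauth_destination|defer_unauth_destination)
                guard=1 ;;
            permit_auth_destination)
                inbound_ok=1 ;;
            permit)
                if [ "$guard" -eq 0 ]; then echo open-relay; return 0; fi ;;
            reject)
                if [ "$inbound_ok" -eq 0 ]; then echo inbound-refused; return 0; fi
                guard=1 ;;   # only relay attempts reach this reject
            check_policy_service*)
                if [ "$guard" -eq 0 ]; then echo policy-before-guard; return 0; fi ;;
        esac
    done
    if [ "$guard" -eq 0 ]; then echo open-relay; else echo ok; fi
}

# Demonstration on the two lists from this tutorial and one deliberately
# broken one.
for policy in \
    'permit_mynetworks, reject_unauth_destination, permit' \
    'permit_sasl_authenticated, reject' \
    'permit_mynetworks, permit, reject_unauth_destination'
do
    printf '%-60s %s\n' "$policy" "$(check_relay_policy "$policy")"
done
```

To check the running server rather than a string, feed it the live value: check_relay_policy "$(postconf -h smtpd_recipient_restrictions)". The verdict covers port 25 only; a submission-only service in master.cf may legitimately end in reject.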
Now we tell Dovecot to use TLS/SASL. Keep disable_plaintext_auth at its default (yes): with mechanisms = plain, that is what stops clients on port 143 from sending their password before STARTTLS.
/etc/dovecot/dovecot.conf (lines to change)
protocols = imap imaps
#
# Uncomment the ssl_listen statements and comment out listen if using SSL
protocol imap {
  listen = *:143
  ssl_listen = *:993
}
ssl_cert_file = /etc/ssl/dryades.org/mailserver/mail-cert.pem
ssl_key_file = /etc/ssl/dryades.org/mailserver/mail-key.pem
#ssl_ca_file = /etc/ssl/mycompany/ca/mycompany.pem
#ssl_verify_client_cert = yes
ssl_parameters_regenerate = 168
verbose_ssl = no
#
# If you want client certificates, use these lines
# ssl_require_client_cert = yes
# ssl_username_from_cert = yes
We also set Dovecot's SQL connection (the draft's second copy of this file still had a /vmail path and the MD5 scheme name; every path is /home/mail and the scheme is MD5-CRYPT here)
/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=127.0.0.1 dbname=mail user=mail password=password
# The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
default_pass_scheme = MD5-CRYPT
# Get the mailbox
user_query = SELECT '/home/mail/%d/%n' AS home, 'maildir:/home/mail/%d/%n' AS mail, 5000 AS uid, 8 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username AS user, password, '/home/mail/%d/%n' AS userdb_home, 'maildir:/home/mail/%d/%n' AS userdb_mail, 5000 AS userdb_uid, 8 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, '%u' AS user
We protect the file that holds our MySQL password
chmod 600 /etc/dovecot/*.conf
chown vmail /etc/dovecot/*.conf
Restart
invoke-rc.d dovecot restart

Securing Postfix

So that Postfix authenticates senders through Dovecot's SASL socket (the client socket declared in dovecot.conf at /var/spool/postfix/private/auth, i.e. private/auth relative to the Postfix queue directory). Add smtpd_tls_auth_only = yes as well: without it Postfix offers AUTH PLAIN before STARTTLS and passwords cross the network in the clear.
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'

DHCP

Uninstalling the DHCP client, we have no use for it (only once the interface has a static address in /etc/network/interfaces, otherwise the machine comes back without a network)
apt-get remove dhcp3-client dhcp3-common

Cleaning the aptitude cache

Every package installation leaves files behind in /var/cache/apt/archives
aptitude autoclean
aptitude clean
TEMP: in dspam.conf
ServerDomainSocketPath "/var/run/dspam.sock"
in master.cf
smtp      unix  -       -       -       -       -       smtp
  -o content_filter=lmtp:unix:/var/run/dspam.sock
(draft note: content_filter applies to the service that receives mail, i.e. the "smtp inet ... smtpd" line of master.cf, not to the smtp unix client shown here, and DSPAM has to listen on that socket as an LMTP server, ServerMode dspam or auto rather than the standard mode configured above, for Postfix to hand mail to it)