1 Install The Base System: Boot From Your Fedora Core 5 DVD or CD (CD 1)
1 Install The Base System: Boot From Your Fedora Core 5 DVD or CD (CD 1)
1 Install The Base System: Boot From Your Fedora Core 5 DVD or CD (CD 1)
It can take a long time to test the installation media so we skip this test here:
Next we do the partitioning. Select Remove linux partitions on selected drives and create default
layout. This will give you a smalll /boot partition and a large / partition which is fine for our
purposes:
We want to remove all Linux partitions (remember, this is a fresh system), so we answer Yes to the
following question:
On to the network settings. The default setting here is to configure the network interfaces with
DHCP, but we are installing a server, so static IP addresses are not a bad idea... Click on the Edit
button at the top right. In the window that pops up uncheck Configure using DHCP and give your
network card a static IP address (in this tutorial I'm using the IP address 192.168.0.100 for
demonstration purposes):
Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and
up to three DNS servers (e.g. 145.253.2.75, 193.174.32.18, and 194.25.0.60):
Choose your time zone:
Now we must select the package groups we want to install. Select Editors, Text-based Internet,
Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL
Database, Server Configuration Tools, Web Server, Administration Tools, Base, Java, and System
Tools and click on Next:
Click on Next to start the installation:
(This section is totally optional. It just shows how to add additional IP addresses to your network
interface eth0 if you need more than one IP address. If you're fine with one IP address, you can skip
this section.)
Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-
eth0 which looks like this:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:46:19:D3
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have
to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can
leave out the HWADDR line as it is the same physical network card):
vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
/etc/init.d/network restart
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why
I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to
your needs (but then you shouldn't use any other firewall later on as it will most probably interfere
with the Fedora firewall).
Run
system-config-securitylevel
To check that the firewall has really been disabled, you can run
iptables -L
SELinux is a security extension of Fedora that should provide extended security. In my opinion you
don't need it to configure a secure system, and it usually causes more problems than advantages
(think of it after you have done a week of trouble-shooting because some service wasn't working as
expected, and then you find out that everything was ok, only SELinux was causing the problem).
Therefore I disable it (this is a must if you want to install ISPConfig later on).
vi /etc/selinux/config
shutdown -r now
Now we install some software packages that are needed later on:
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp
6 Quota
vi /etc/fstab
/dev/VolGroup00/LogVol00 / ext3
defaults,usrquota,grpquota 1 1
LABEL=/boot /boot ext3 defaults
1 2
devpts /dev/pts devpts gid=5,mode=620
0 0
tmpfs /dev/shm tmpfs defaults
0 0
proc /proc proc defaults
0 0
sysfs /sys sysfs defaults
0 0
/dev/VolGroup00/LogVol01 swap swap defaults
0 0
Then run
to enable quota.
If you see this error: Transaction Check Error: file /etc/named.conf from install of bind-9.3.2-
12.FC5 conflicts with file from package caching-nameserver-7.3-5.FC5, you can ignore it.
BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to
configure BIND (zones, etc.).
8 MySQL (5.0)
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever
the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
netstat -tap
If it does not, edit /etc/my.cnf and comment out the option skip-networking:
vi /etc/my.cnf
#skip-networking
/etc/init.d/mysqld restart
Run
to set a password for the user root (otherwise anybody can access your MySQL database!).
Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):
We must edit /usr/lib64/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. It
should look like this:
vi /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I
have removed all comments from it):
vi /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.8/samples
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type
ehlo localhost
250-STARTTLS
and
250-AUTH
everything is fine.
Type
quit
9.1 Maildir
dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure
you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the
necessary configuration.
If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's
Maildir:
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-
xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
vi /etc/httpd/conf/httpd.conf
and change DirectoryIndex to
Start Apache:
/etc/init.d/httpd start
10.1 Disable PHP Globally
(If you do not plan to install ISPConfig on this server, please skip this section!)
In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can
run PHP scripts and which one cannot. This can only work if PHP is disabled globally because
otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and
AddType lines:
vi /etc/httpd/conf.d/php.conf
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
/etc/init.d/httpd restart
11 ProFTPd
ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:
12 Webalizer
If you want to have the system clock synchronized with an NTP server do the following:
ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the
required Perl modules with a single command:
15 The End
The configuration of the server is now finished, and if you wish you can now install ISPConfig on
it.
15.1 A Note On SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory
for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root.
Run
/usr/sbin/suexec -V
To select /var/www as the home directory for websites during the installation of ISPConfig do the
following: When you are asked for the installation mode, select the expert mode.
Later during the installation you are asked if the default directory /home/www should be the
directory where ISPConfig will create websites in. Answer n and enter /var/www as the home
directory for websites.