Contents[Hide]
Contents[Hide]

1. Premessa - Installazione base

In stile Another Code prendo nota dei passaggi fatti per configurare ISPConfig 3 sul server kubuntu che ho in gestione. Un riassunto di quanto trovato in rete ovviamente nulla e' inventato ma  gia' documentato altrove. Qui tengo un riassunto di quanto mi serve.

apt-get install ssh openssh-server ntp ntpdate postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
General type of mail configuration: <-- Internet Site
System mail name: <-- server.example.com
nano /etc/postfix/master.cf
[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...] [...]
 service postfix restart

Controllare che sia impostato un indirizzo ip statico

nano /etc/network/interfaces
[...]

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.1.10
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        dns-nameservers 127.0.0.1

 

[...]
service networking restart
echo 192.168.1.10  server.example.com server > /etc/hosts
echo server.example.com  > /etc/hostname 
service hostname restart

2.  Installiamo antivirus / antispam e ammenicoli

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
service spamassassin stop
update-rc.d -f spamassassin remove

Spam assassin viene gestito da amavis quindi non serve farlo partire in automatico

3. Installazione servizi Apache2 / PHP / Squirrelmail e dipendenze

 apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached snmp libapache2-mod-fastcgi php5-fpm pure-ftpd-common pure-ftpd-mysql quota quotatool bind9 dnsutils vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold fail2ban squirrelmail

Abilitiamo manualmente il modulo mcrypt

php5enmod mcrypt
Web server to reconfigure automatically: <-- apache2 
Configure database for phpmyadmin with dbconfig-common? <-- No
a2enmod suexec rewrite ssl actions include cgi 
a2enmod dav_fs dav auth_digest
nano /etc/apache2/mods-available/suphp.conf

Commentiamo <FilesMatch "\.ph(p3?|tml)$"> e aggiungiamo la linea AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml

<IfModule mod_suphp.c>
    #<FilesMatch "\.ph(p3?|tml)$">
    #    SetHandler application/x-httpd-suphp
    #</FilesMatch>
        AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
        suPHP_AddHandler application/x-httpd-suphp

    <Directory />
        suPHP_Engine on
    </Directory>

    # By default, disable suPHP for debian packaged web applications as files
    # are owned by root and cannot be executed by suPHP because of min_uid.
    <Directory /usr/share>
        suPHP_Engine off
    </Directory>

# # Use a specific php config file (a dir which contains a php.ini file)
#       suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
#       suPHP_RemoveHandler <mime-type>
</IfModule>
service apache2 restart

Assicuriamoci di impostare il demone FTP correttamente mettendo start mode in standalone e impostando VIRTUALCHROOT=true:

nano /etc/default/pure-ftpd-common 

 

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

 

4. Rendiamo piu' sicuro L'FTP attivando TLS e creando un certificato:

echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: IT 
State or Province Name (full name) [Some-State]: ITALY
Locality Name (eg, city) []: PADOVA
Organization Name (eg, company) [Internet Widgits Pty Ltd]: COMPANY-NAME
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:server.example.com
Email Address []: Questo indirizzo email è protetto dagli spambots. È necessario abilitare JavaScript per vederlo.
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart

5. Configuriamo squirrel

squirrelmail-configure
D.  Set pre-defined settings for specific IMAP servers 
Command >> <-- dovecot
Command >> <-- S
Command >> <-- Q

 

Per fare in modo che Apache legga la configurazione di squirrelmail abbiamo bisogno di creare un link

cd /etc/apache2/conf-available/ 
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload

Apriamo /etc/apache2/conf.d/squirrelmail.conf

nano /etc/apache2/conf-available/squirrelmail.conf

E aggiungiamo nel contenitore <Directory /usr/share/squirrelmail></Directory> quanto segue, dobbiamo essere sicuri di usare php_mod per gestire squirrel

 

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]
mkdir /var/lib/squirrelmail/tmp
chown www-data /var/lib/squirrelmail/tmp
a2enconf squirrelmail
service apache2 reload

6. Non resta che installare ISPConfig3

cd /tmp 
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php

Seguire le istruzioni a schermo il gioco e' fatto.


Aggiungi commento

Codice di sicurezza
Aggiorna