Redhat Lab Manuals - Squid Proxy, FTP / Apache / Email / DNS Servers, filt

LAB 1. Iptables – Multi Network Firewall (3 Network Cards, refer to scenario)
PACKAGE REQUIRED: squid

iptables -A FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -d 66.178.1.221 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.2:80
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 66.178.1.221
iptables-save > /etc/sysconfig/iptables
service iptables restart

NOTE: "-A FORWARD -j ACCEPT" forwards everything between all three networks and is a lab shortcut. Outside the lab set the FORWARD policy to DROP and accept only the DNAT'ed port-80 traffic to 10.1.1.2 plus established/related return traffic (-m state --state ESTABLISHED,RELATED).

vi /etc/sysctl.conf
(change this setting: net.ipv4.ip_forward = 1)
sysctl -p

LAB 2. Iptables – SQUID TRANSPARENT PROXY (2 Network Cards, refer to scenario)
PACKAGE REQUIRED: squid
IPTABLES FIREWALL CONFIGURATION:

iptables -A FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 66.178.1.221
iptables-save > /etc/sysconfig/iptables
service iptables restart

As in LAB 1, routing must be enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then sysctl -p). The DNAT rule only catches TCP port 80: HTTPS (443) and every other port bypass Squid and leave through the SNAT rule without ever being logged by the proxy. Add a matching rule or a REJECT for those ports if the scenario requires all web traffic to go through the proxy.

SQUID PROXY CONFIGURATION:

http_port 192.168.0.1:3128
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
cache_swap_low 80
cache_swap_high 100
maximum_object_size 1024 KB
cache_dir ufs /var/spool/squid 512 16 256
cache_access_log /var/log/squid/access.log
# keep cache.log: startup errors and ACL parse errors are reported there
cache_log /var/log/squid/cache.log
cache_store_log none
# auth_param is only used when an http_access rule references a proxy_auth acl;
# transparently intercepted clients cannot answer a 407 challenge, so it is unused here
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
# "acl full_host src 192.168.0.0" without a mask matches the single address 192.168.0.0,
# so every LAN client would get TCP_DENIED; the LAN is a /24
acl full_host src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# http_access rules are evaluated top to bottom, first match wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow full_host
http_access deny all
http_reply_access allow all
icp_access allow all
memory_pools off
# interception (transparent) mode in Squid 2.5 syntax; Squid 2.6 and later drop these
# four directives in favour of "http_port 192.168.0.1:3128 transparent"
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_port 80
httpd_accel_uses_host_header on

LAB 1 and LAB 2 checklist and additional information:

Make sure the iptables and squid services are started and enabled at boot (check ntsysv)
Confirm transparent proxying from a LAN client: browse to a site and watch /var/log/squid/access.log. Each request should appear with the client's LAN address and a TCP_MISS or TCP_HIT result. TCP_DENIED/403 lines mean the http_access ACLs (for example the full_host mask) are wrong; no lines at all mean the PREROUTING DNAT rule or ip_forward is not in effect
Save your firewall using iptables-save > /etc/sysconfig/iptables
You can edit the firewall using vi /etc/sysconfig/iptables and restart it with service iptables restart
You can check whether squid is installed using rpm -q squid
Make sure that net.ipv4.conf.default.rp_filter = 1 is set in /etc/sysctl.conf (reverse-path filtering drops packets whose source address arrives on the wrong interface)
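Added example (not from the lab manual): a Python script that reads a Squid native-format access.log and reports, per client, how many requests were served, cached or denied, so you can tell a working transparent proxy from one whose ACLs reject the LAN. The log lines inside the script are constructed, the LAN prefix 192.168.0.0/24 is the one used in LAB 2, and the result codes (TCP_MISS, TCP_HIT, TCP_DENIED) are Squid's standard ones; the function names are my own.

```python
"""Summarise a Squid native-format access.log (added example, not part of the lab).
Tells a working transparent proxy (LAN clients logged with TCP_MISS/TCP_HIT) from
one whose http_access ACLs reject the LAN (TCP_DENIED everywhere)."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Squid native access.log layout:
# time.ms elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

SAMPLE_LOG = [  # constructed sample lines; 192.168.0.0/24 is the LAB 2 LAN
    "1199145600.123    245 192.168.0.15 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1199145601.456     12 192.168.0.15 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png",
    "1199145602.789      3 192.168.0.22 TCP_DENIED/403 1450 GET http://www.example.org/ - NONE/- text/html",
    "1199145603.000    900 192.168.0.22 TCP_MISS/200 11020 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -",
    "1199145604.000     40 10.1.1.2 TCP_MISS/200 300 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "this line is not a squid log record",
]


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, lan="192.168.0.0/24"):
    """Per-client counters plus a list of lines that could not be parsed."""
    net = ip_network(lan)
    clients = defaultdict(Counter)
    problems = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            problems.append(f"line {n}: unparsable")
            continue
        try:
            src = ip_address(rec["client"])
        except ValueError:
            problems.append(f"line {n}: bad client address {rec['client']!r}")
            continue
        c = clients[rec["client"]]
        c["requests"] += 1
        if src not in net:
            c["outside_lan"] += 1      # not a host the PREROUTING rule redirects
        if rec["code"].startswith("TCP_DENIED"):
            c["denied"] += 1           # http_access rejected it: check the ACLs
        if "HIT" in rec["code"]:
            c["hits"] += 1             # served from cache
        if rec["method"] == "CONNECT":
            c["connect"] += 1          # explicit-proxy HTTPS; never produced by port-80 interception
    return dict(clients), problems


def transparent_ok(lines, lan="192.168.0.0/24"):
    """True when LAN clients are reaching the proxy and fewer than half of their
    requests are denied; False for an empty log or an ACL that blocks the LAN."""
    clients, _ = summarize(lines, lan)
    lan_req = lan_den = 0
    for c in clients.values():
        if c["outside_lan"]:
            continue
        lan_req += c["requests"]
        lan_den += c["denied"]
    return lan_req > 0 and lan_den * 2 < lan_req


if __name__ == "__main__":
    clients, problems = summarize(SAMPLE_LOG)
    for ip, c in sorted(clients.items()):
        print(f"{ip:15} {dict(c)}")
    print("problems:", problems)
    print("transparent proxying looks", "OK" if transparent_ok(SAMPLE_LOG) else "BROKEN")
```

To run it against the real log, replace SAMPLE_LOG with open("/var/log/squid/access.log"). A CONNECT entry from a LAN client means that client is configured with an explicit proxy rather than being intercepted; with the lab's port-80-only DNAT rule, HTTPS from intercepted clients never shows up in this log at all.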

LAB 3. VsFTPd – File Transfer Protocol server
PACKAGE REQUIRED: vsftpd

adduser sample -g 100 -c "sample description"
passwd sample

NOTE: Please copy any file to /var/ftp/pub and any file to /home/sample

LAB 3 checklist and additional information:
Make sure vsftpd is started and enabled at boot (check ntsysv)
Check the transfer log in /var/log/xferlog to confirm vsftpd is serving files

Access your PUBLIC ftp: log in as anonymous (or ftp) and download the file from /var/ftp/pub
Access your PRIVATE ftp: log in as sample and supply the password; you land in /home/sample
NOTE: FTP sends the username and password in clear text; the private login is only acceptable on the lab network.

LAB 4. Apache – Web server (IP-based)
PACKAGE REQUIRED: httpd-* php-*

SINGLE DOMAIN:

Copy or create an HTML file in /var/www/html and preview it in Web Browser

VIRTUAL DOMAIN:

Create a sub-interface carrying the virtual host's address (10.1.1.3) using redhat-config-network or ifconfig

adduser sample1 -g 100 -c "sample1 description"
passwd sample1
cd /home/sample1
mkdir html
mkdir logs
mkdir icons
chmod 755 -R /home/sample1
(the original lab used 777; httpd only needs read and search access to the html tree, and the log files are opened by the root httpd process, so a world-writable home directory is not required)

vi /etc/httpd/conf.d/sample1.conf

<VirtualHost 10.1.1.3:80>
ServerAdmin sample1@sample.com
DocumentRoot /home/sample1/html
ServerName 10.1.1.3
ErrorLog /home/sample1/logs/error_log
TransferLog /home/sample1/logs/access_log

<Directory /home/sample1/html>
Order Deny,Allow
Allow from all
Options +Indexes
DirectoryIndex index.html index.php
</Directory>
</VirtualHost>

LAB 4 checklist and additional information:
Make sure httpd is started and enabled at boot (check ntsysv)
Check the httpd logs in /home/sample1/logs/access_log and error_log to confirm the virtual host is serving; the global logs stay in /var/log/httpd

Copy or create an HTML file in /home/sample1/html and preview it in a web browser by IP address (http://10.1.1.3/)

LAB 5. MySQL – Database Server
PACKAGE REQUIRED: libdbi, libdbi-dbd, mysql, mysqlclient10, mysql-server, perl-DBI, perl-DBD-mysql, php, php-mysql, php-mbstring, php-ldap, php-odbc, php-pear

NOTE: Please verify that the packages above are installed; if not, install them before proceeding with the rest of the lab. The command "rpm -q package_name" shows whether a package is installed; if it is not, use "rpm -ivh package_file.rpm" to install it.

LAB 6. DNS – Domain Name Server
PACKAGE REQUIRED: caching-nameserver, bind

vi /etc/named.conf (add the following zone statement; the file name is relative to the directory set in the options block, /var/named by default:)

zone "yourcompany.com" {
type master;
file "yourcompany.com.zone";
};

vi /var/named/yourcompany.com.zone (add the following; records that inherit the previous owner must start with whitespace)
$ORIGIN yourcompany.com.
$TTL 86400
@       IN SOA ns.yourcompany.com. admin.yourcompany.com. (
        7        ; serial (increase it on every change)
        28800    ; refresh
        14400    ; retry
        3600000  ; expire
        86400    ; ttl
        )
        IN NS   ns.yourcompany.com.
        IN MX 10 mail.yourcompany.com.
        IN A    10.1.1.2
ftp     IN A    10.1.1.3
www     IN A    10.1.1.4
mail    IN A    10.1.1.5
; ns.yourcompany.com. is named as the nameserver and SOA primary but has no A record above;
; add one with this server's address (ns IN A <address>) or the zone cannot be reached by name
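Added example (not from the lab manual): a Python sanity checker for zone files like the one above. It parses $ORIGIN, $TTL, the parenthesised SOA and owner-less records, then reports in-zone NS, MX and SOA targets that have no address record. Run against the manual's zone (copied into ZONE_TEXT) it flags ns.yourcompany.com., which is named as nameserver but has no A record. The function names and the set of record types handled are my own choices; $INCLUDE, quoted TXT data, non-numeric TTLs and owners that are literally a class or type keyword are out of scope.

```python
"""Sanity-check a BIND zone file (added example, not part of the lab).
Finds NS/MX/SOA targets inside the zone that have no A/AAAA record."""

CLASSES = {"IN", "CH", "HS"}
TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT", "SRV"}

# The LAB 6 zone, copied as data (only the indentation is ours)
ZONE_TEXT = """\
$ORIGIN yourcompany.com.
$TTL 86400
@       IN SOA ns.yourcompany.com. admin.yourcompany.com. (
        7        ; serial
        28800    ; refresh
        14400    ; retry
        3600000  ; expire
        86400    ; ttl
        )
        IN NS   ns.yourcompany.com.
        IN MX 10 mail.yourcompany.com.
        IN A    10.1.1.2
ftp     IN A    10.1.1.3
www     IN A    10.1.1.4
mail    IN A    10.1.1.5
"""


def fqdn(name, origin):
    """Make an owner or target absolute relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return {'origin', 'ttl', 'records': [(owner_fqdn, type, [rdata...]), ...]}."""
    origin, default_ttl, records = None, None, []
    last_owner, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # ';' starts a comment
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:                            # still inside a ( ... ) group
            continue
        tokens = " ".join(buf).split()
        buf = []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])         # numeric TTLs only
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        # a line starting with a class or type token inherits the previous owner
        if tokens[0] in CLASSES or tokens[0] in TYPES:
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        if owner is None:
            raise ValueError("owner-less record with no previous owner")
        if tokens[0].isdigit():                  # optional per-record TTL
            tokens.pop(0)
        if tokens[0] in CLASSES:
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        records.append((fqdn(owner, origin), rtype, rdata))
    return {"origin": origin, "ttl": default_ttl, "records": records}


def check_zone(text):
    """Return a sorted list of human-readable issues; an empty list means clean."""
    zone = parse_zone(text)
    origin, issues = zone["origin"], set()
    if zone["ttl"] is None:
        issues.add("no $TTL directive")
    soa = [r for r in zone["records"] if r[1] == "SOA"]
    if len(soa) != 1:
        issues.add(f"expected exactly one SOA, found {len(soa)}")
    elif not soa[0][2][2].isdigit():
        issues.add(f"SOA serial {soa[0][2][2]!r} is not a number")
    has_addr = {r[0] for r in zone["records"] if r[1] in ("A", "AAAA")}
    # a target that lives inside this zone must have its address record here
    for _owner, rtype, rdata in zone["records"]:
        targets = {"NS": rdata[:1], "MX": rdata[1:2], "SOA": rdata[:1]}.get(rtype, [])
        for t in targets:
            t = fqdn(t, origin)
            if (t == origin or t.endswith("." + origin)) and t not in has_addr:
                issues.add(f"{rtype} target {t} has no A/AAAA record in this zone")
    return sorted(issues)


if __name__ == "__main__":
    for issue in check_zone(ZONE_TEXT) or ["zone looks consistent"]:
        print(issue)
```

Once an A record for ns is added the checker reports nothing; BIND's own named-checkzone yourcompany.com /var/named/yourcompany.com.zone remains the authoritative syntax check before reloading.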

LAB 7. Postfix/Cyrus-IMAPd – Mail Server
PACKAGE REQUIRED: pam_mysql, postfix-mysql, squirrelmail, cyrus-imapd, web-cyradm

NOTE: Please check the exact package names; actual file names change with the version number.
INSTALL AND CONFIGURE web-cyradm: edit /var/www/html/cyrus/config/conf.php

# The Cyrus login stuff
$CYRUS = array(
'HOST' => 'localhost',
'PORT' => 143,
'ADMIN' => 'cyrus',
'PASS' => 'secret'
);

$DB = array(
'TYPE' => 'mysql',
'USER' => 'mail',
'PASS' => 'secret',
'PROTO' => 'unix', // set to "tcp" for TCP/IP
'HOST' => 'localhost',
'NAME' => 'mail'
);


START MYSQLD, SET THE ROOT PASSWORD AND CREATE THE web-cyradm DATABASE

service mysqld start
mysqladmin -u root password '123456'     (a fresh install has no root password; 123456 is the lab value, pick your own)
mysql -u root -p < /var/www/html/cyrus/scripts/insertuser_mysql.sql
mysql -u root -p mail < /var/www/html/cyrus/scripts/create_mysql.sql

The database name mail and the account mail/secret are referenced in conf.php, in the PAM lines and in the mysql-*.cf files below; check the two scripts and keep the values consistent everywhere (and change the password from secret outside the lab).


PAM AUTHENTICATION
(the service files live in /etc/pam.d; put the two pam_mysql lines below into each of them)
vi /etc/pam.d/imap
vi /etc/pam.d/smtp
vi /etc/pam.d/pop
vi /etc/pam.d/sieve


auth sufficient pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

account required pam_mysql.so user=mail passwd=secret host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time

These four files carry the database password in clear text: restrict them (root-owned, mode 0600; saslauthd runs as root and is the only process that reads them here). crypt=1 means the password column holds crypt(3) hashes rather than plain passwords.
SASLAUTHD
vi /etc/sysconfig/saslauthd

# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=-r

START=yes


CYRUS IMAPD CONFIGURATION
vi /etc/imapd.conf
vi /etc/imapd-local.conf

postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 320
sieve_maxscripts: 5
unixhierarchysep: yes
altnamespace: yes
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
allowanonymouslogin: no
# PLAIN over unencrypted imap/pop3 puts passwords on the wire; acceptable in the lab only.
# In production set allowplainwithouttls: no and point clients at imaps/pop3s
allowplaintext: yes
allowplainwithouttls: yes
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
# this machine's real FQDN, the same value as myhostname in Postfix below
servername: host.yourdomain.com


CYRUS MASTER PROCESS CONFIGURATION
vi /etc/cyrus.conf

START {
recover cmd="ctl_cyrusdb -r"
idled cmd="idled"
}

SERVICES {
imap cmd="imapd" listen="imap" prefork=5
imaps cmd="imapd -s" listen="imaps" prefork=1
pop3 cmd="pop3d" listen="pop3" prefork=3
pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=1

lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

}

EVENTS {
checkpoint cmd="ctl_cyrusdb -c" period=30

delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400
}


CONFIGURE POSTFIX
vi /etc/postfix/main.cf (continuation lines must start with whitespace)

# postfix user/group
#soft_bounce=yes
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4h

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = yourdomain.com
myhostname = host.yourdomain.com
# hosts in mynetworks may relay without authenticating: list only your own address blocks
mynetworks = 192.168.0.0/16,
    127.0.0.0/8,
    69.239.170.72/29
mydestination = $myhostname,
    localhost.$mydomain,
    localhost,
    mysql:/etc/postfix/mysql-mydestination.cf
relay_domains = $mydestination

# mail delivery
local_transport = cyrus
mailbox_transport = cyrus
recipient_delimiter = +

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf,
    regexp:/etc/postfix/virtual_regexp
transport_maps = mysql:/etc/postfix/mysql-transport.cf,
    regexp:/etc/postfix/transport_regexp
#local_recipient_maps =

# sympa parameters
# sympa_destination_recipient_limit = 1
# sympabounce_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication (SASL -> saslauthd -> PAM -> MySQL)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

# rules restrictions (evaluated in order; permit_sasl_authenticated and permit_mynetworks
# must precede reject_unauth_destination or your own users cannot relay)
# smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org
smtpd_helo_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining


CONFIGURE POSTFIX
vi /etc/postfix/master.cf (the -o, flags= and user= lines are continuations and must be indented)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
    user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient


CONFIGURE POSTFIX
vi /usr/lib/sasl2/smtpd.conf (on x86_64 the directory is /usr/lib64/sasl2)

pwcheck_method: saslauthd
mech_list: plain login

Both mechanisms send the password base64-encoded, i.e. effectively in clear text, and main.cf above enables no TLS for smtpd; this is lab-only.


CONFIGURE POSTFIX
/etc/postfix/mysql-canonical.cf (every mysql-*.cf file below holds the database password: chown root:postfix and chmod 640 them)

hosts = 127.0.0.1
user = mail
password = secret

dbname = mail

table = virtual
select_field = alias
where_field = username
additional_conditions = and status = '1' limit 1

CONFIGURE POSTFIX
/etc/postfix/mysql-mydestination.cf

hosts = 127.0.0.1
user = mail
password = secret

dbname = mail

table = domain
select_field = domain_name
where_field = domain_name


CONFIGURE POSTFIX
/etc/postfix/mysql-relay.cf (not referenced by the main.cf above; usable for a relay_domains lookup if you add one)


hosts = 127.0.0.1
user = mail
password = secret

dbname = mail

table = domain
select_field = transport
where_field = domain_name


CONFIGURE POSTFIX
/etc/postfix/mysql-transport.cf

hosts = 127.0.0.1
user = mail
password = secret

dbname = mail

table = domain
select_field = transport
where_field = domain_name


CONFIGURE POSTFIX
/etc/postfix/mysql-virtual.cf

hosts = 127.0.0.1
user = mail
password = secret

dbname = mail

table = virtual
select_field = dest
where_field = alias
additional_conditions = and status = '1'
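Added example (not from the lab manual and not web-cyradm's code): a Python script that rebuilds the queries Postfix derives from the mysql-*.cf files above (the legacy mysql_table(5) form SELECT select_field FROM table WHERE where_field = '%s' additional_conditions) and runs them against an in-memory SQLite stand-in for the mail database. Table and column names are the ones in the .cf files; the two-table schema, the sample rows and the cyrus transport value are constructed for the example, and route_recipient is a simplified model of the smtpd, cleanup and trivial-rewrite decisions, not Postfix's own code. It shows what the status = '1' condition buys: a disabled alias disappears from both the virtual and the canonical lookup.

```python
"""Replay Postfix's mysql-*.cf lookups against a SQLite stand-in (added example)."""
import sqlite3

# Field values copied from the .cf files above. Legacy mysql_table(5) query form:
#   SELECT <select_field> FROM <table> WHERE <where_field> = '%s' <additional_conditions>
MAPS = {
    "mydestination": dict(table="domain", select_field="domain_name",
                          where_field="domain_name", additional_conditions=""),
    "transport":     dict(table="domain", select_field="transport",
                          where_field="domain_name", additional_conditions=""),
    "virtual":       dict(table="virtual", select_field="dest", where_field="alias",
                          additional_conditions="and status = '1'"),
    "canonical":     dict(table="virtual", select_field="alias", where_field="username",
                          additional_conditions="and status = '1' limit 1"),
}


def build_query(m):
    """The SQL Postfix would send; the key is bound as a parameter instead of '%s'."""
    q = (f"SELECT {m['select_field']} FROM {m['table']} "
         f"WHERE {m['where_field']} = ? {m['additional_conditions']}")
    return q.strip()


def lookup(conn, map_name, key):
    """All values the named map returns for key (Postfix joins several rows with commas)."""
    return [row[0] for row in conn.execute(build_query(MAPS[map_name]), (key,))]


def demo_db():
    """Constructed 'mail' database: one hosted domain, one live and one disabled alias.
    Column names come from the .cf files; the schema is reduced for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domain  (domain_name TEXT PRIMARY KEY, transport TEXT);
        CREATE TABLE virtual (alias TEXT, dest TEXT, username TEXT, status TEXT);
        INSERT INTO domain VALUES ('yourcompany.com', 'cyrus');
        -- status='1' is live; status='0' is a disabled alias that every map must ignore
        INSERT INTO virtual VALUES ('sales@yourcompany.com', 'bob@yourcompany.com', 'bob@yourcompany.com', '1');
        INSERT INTO virtual VALUES ('old@yourcompany.com',   'bob@yourcompany.com', 'bob@yourcompany.com', '0');
    """)
    return conn


def route_recipient(conn, addr, max_depth=10):
    """Simplified model of one RCPT TO: reject_unauth_destination (mydestination),
    then virtual_alias_maps expansion, then the transport_maps lookup."""
    _, _, domain = addr.rpartition("@")
    if not lookup(conn, "mydestination", domain):
        return ("reject", "relay access denied", [])
    final, queue, seen = [], [addr], set()
    while queue:
        a = queue.pop()
        if a in seen:                  # alias loop guard
            continue
        if len(seen) >= max_depth:     # runaway expansion guard
            break
        seen.add(a)
        dests = lookup(conn, "virtual", a)
        if dests and dests != [a]:     # Postfix stops when an alias maps to itself
            queue.extend(dests)
        else:
            final.append(a)
    transport = lookup(conn, "transport", domain)
    return ("deliver", transport[0] if transport else "local", sorted(final))


if __name__ == "__main__":
    conn = demo_db()
    for rcpt in ("sales@yourcompany.com", "old@yourcompany.com", "x@unknown.example"):
        print(rcpt, "->", route_recipient(conn, rcpt))
```

On the real server the equivalent check is postmap -q sales@yourcompany.com mysql:/etc/postfix/mysql-virtual.cf, which runs exactly the query build_query assembles.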

CONFIGURE POSTFIX
/etc/postfix/transport_regexp (the "+" must be escaped; an unescaped .*+ is a possessive quantifier that never matches)

# /^.*\+owner\@lists\..*$/ sympabounce:
# /^.*\@lists\..*$/ sympa:



CONFIGURE POSTFIX
/etc/postfix/virtual_regexp


# This will be used to deal with the mailing lists
#/^(.*)-owner\@lists\.(.*)$/ $1+owner@lists.$2

START THE SERVICES (MySQL first: PAM, Cyrus and Postfix all depend on it)
service mysqld start
service saslauthd start
service cyrus-imapd start
service postfix start
(enable them at boot with ntsysv, as in the earlier labs)
