
Setting up a VPS

I've had this website up and running in one form or another since late 2003, but the website has never been my main preoccupation. When I first got my domain name back in August 2003 the idea was that I would never have to change my e-mail address again; with my own domain name I also control where my e-mail is hosted. I wrote this guide when I set up my last VPS but never got around to finishing it and putting it online until now. I'm actually setting up another VPS because the last one isn't stable enough, so I'm switching to another provider.

While this guide is primarily for me, so that I have something to follow if I ever need to set up another VPS, it should also help you out when you're setting up yours. A few of the steps are specific to my case because I have to migrate my data from the old VPS as well.

The VPS is hosted at Linode.com. So far I really like it: the VPS has been quite stable and the control panel is great; I can even set up my own reverse DNS. While I had Fedora Core running on a previous VPS, my two current VPSes are running CentOS. The reason I chose CentOS over Fedora is simple: CentOS gets updates for several years, while a Fedora release is only supported for about a year to a year and a half at most, so I won't have to worry as much about security patches. I still use Fedora on my other PCs because of the short release cycle and because I like to try the latest software, but on a server it's better to run something I won't have to upgrade every year or so.

After the VPS is set up, one of the first things to do is to make sure it has all its updates. Next it's time to deactivate all unnecessary services: the fewer services you have running, the fewer potential security holes are exposed, and the less memory and CPU the VPS uses. Also check '/etc/sysconfig/network' to make sure the hostname is set to what you want. One more thing to do is to configure the timezone: edit '/etc/sysconfig/clock' and link '/etc/localtime' to the correct zone file, with something like 'ln -sf /usr/share/zoneinfo/America/Moncton /etc/localtime' but with your own timezone. I'll add more info on this later. On Linode you can also use the host's DHCP server to assign your IP address, but I prefer to set up a static IP address; you can do that by running the 'system-config-network' command. I also added 'PEERDNS=no' to '/etc/sysconfig/network-scripts/ifcfg-eth0' so that my '/etc/resolv.conf' doesn't get overwritten at every reboot.

There are also a few small tweaks I like to do: disabling line wrap in nano (I just create a '/etc/nanorc' file with 'set nowrap' in it), and removing duplicate commands from the bash history by adding 'export HISTCONTROL=erasedups' at the end of '/etc/bashrc'.

Secure SSHD

Next up is securing OpenSSH. I usually do three things for this: I disable root logins, I disable password authentication, and I set up the firewall to limit the rate of connection attempts.

First I add some users. I have a few mailboxes that I use, so I need a user for each of them. I just create the same users that exist on the other VPS, making sure to create them with the same uid/gid so the copied Maildirs keep their ownership. Most of the users have /sbin/nologin as their shell because, like I said, their primary use is e-mail.

Next I upload my public RSA key into my main user's '~/.ssh/authorized_keys' (the .ssh directory might need to be created if it doesn't already exist) and I make sure the .ssh directory and the authorized_keys file are readable and writable only by the owner (mode 700 and 600 respectively; with the default StrictModes, sshd ignores the file if the directory or the home directory is group- or world-writable). Then, from a second session while the first one stays open, I make sure I can log in as my user with my private RSA key and su to root. If that works fine I set 'PasswordAuthentication' and 'PermitRootLogin' to 'no' in '/etc/ssh/sshd_config' and restart sshd. Note that sshd uses the first occurrence of a keyword in the file, so edit the existing 'PasswordAuthentication yes' line rather than appending a new one at the bottom.
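As an added example (not part of the original article), here is a small shell check for this step. It reads sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, the global section ends at the first 'Match' line) so you can confirm the two settings are really in effect before restarting sshd, and it installs a public key with the permissions StrictModes expects. File paths are parameters, not the real /etc/ssh/sshd_config, so it can be exercised on scratch files.

```shell
#!/bin/sh
# Added example, not from the original article.
# Report the value sshd will really use for a keyword. sshd_config keeps the
# FIRST occurrence of each keyword and ignores later ones, so appending
# "PasswordAuthentication no" to a file that already says
# "PasswordAuthentication yes" changes nothing. Keywords are case-insensitive;
# "Key value" and "Key = value" are both valid. Only the global section is
# examined: anything after a "Match" line is conditional and is skipped here.
sshd_effective() {   # sshd_effective FILE Keyword -> value, or "default"
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                  # comment or blank line
        tolower($1) == "match" { exit }                # conditional block begins
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line) # "Key = value" form
            n = split(line, f, /[[:space:]]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "default" }' "$1"
}

# Return 0 only if both hardening settings are in effect; otherwise print
# which one is wrong and return 1. Run this BEFORE restarting sshd, from a
# session you keep open, so a mistake cannot lock you out.
sshd_hardened() {   # sshd_hardened FILE
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        v=$(sshd_effective "$1" "$kw")
        [ "$v" = "no" ] || { echo "$kw is '$v', want 'no'"; rc=1; }
    done
    return $rc
}

# Append a public key for a user with the permissions sshd's StrictModes
# requires: it silently ignores authorized_keys when ~/.ssh or the file is
# group- or world-writable. HOME_DIR is a parameter so this can be tried on
# a scratch directory.
install_authorized_key() {   # install_authorized_key HOME_DIR PUBKEY_FILE
    hdir=$1 pub=$2
    mkdir -p "$hdir/.ssh"
    cat "$pub" >> "$hdir/.ssh/authorized_keys"
    chmod 700 "$hdir/.ssh"
    chmod 600 "$hdir/.ssh/authorized_keys"
}
```

On a real box, OpenSSH 5.1 and later can print the effective configuration with 'sshd -T'; the function above is for checking a config file offline and for seeing why a late edit is ignored.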

Lastly, I set up some iptables rules to limit the rate of connection attempts. This is a small trick I learned on the Fedora users list, I believe, but I don't remember who it's from. It lets any source open two connections to the ssh daemon within a minute and rejects the third and any further ones; since every attempt is recorded, including the rejected ones, a scanner that keeps hammering stays blocked until it has been quiet for a minute. So when a scanner tries all kinds of user/password combinations against your server it only gets two attempts per minute, which cuts down significantly on the number of connections to the ssh daemon (with password authentication already disabled, this is mostly about log noise and CPU). The only downside is that if you connect more than twice in a minute yourself you'll also need to wait a minute before you can reconnect, but in practice that rarely happens. You can tweak it to your taste: there are just two things to change, the connection limit ('--hitcount') and the time window ('--seconds'). The LOG rule has no rate limit of its own, so a persistent scanner produces one log line per rejected SYN (the iptables 'limit' match can throttle it if that bothers you). Since my firewall rules started with the default CentOS rules, I added these lines to the RH-Firewall-1-INPUT chain.

I added these lines in '/etc/sysconfig/iptables':

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name sshattack --rsource
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 60 --hitcount 3 --name sshattack --rsource -j LOG --log-prefix "SSH REJECT: "
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 60 --hitcount 3 --name sshattack --rsource -j REJECT --reject-with tcp-reset

right above the line:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
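As an added example (not part of the original article), the following shell function models what those three 'recent' rules do, so the hit count and window can be tuned on paper before touching a live firewall. It is a simulation of the match semantics, not a wrapper around iptables, and the timestamps it consumes are constructed input.

```shell
#!/bin/sh
# Added example, not from the original article: a model of the iptables
# "recent" rules above. Every SYN is recorded by the --set rule, rejected ones
# included; a SYN is then rejected when HITCOUNT or more SYNs from that source
# (itself included) fall inside the trailing SECONDS window. The kernel keeps
# at most ip_pkt_list_tot (default 20) timestamps per source; that ceiling is
# ignored here because a hitcount of 3 never reaches it.
recent_simulate() {   # recent_simulate SECONDS HITCOUNT "t1 t2 ..." (ascending)
    window=$1 limit=$2; shift 2
    printf '%s\n' "$@" | tr ' ' '\n' | awk -v win="$window" -v max="$limit" '
        NF == 0 { next }
        {
            t = $1 + 0; n = 1                       # this SYN counts too
            for (i = 1; i <= seen; i++) if (t - hits[i] <= win) n++
            hits[++seen] = t                        # --set fires before --rcheck
            out = out (out == "" ? "" : " ") t (n >= max ? ":reject" : ":accept")
        }
        END { print out }'
}

# Examples (seconds since the first attempt):
#   recent_simulate 60 3 "0 5 10 30 70 75 131"
#     -> 0:accept 5:accept 10:reject 30:reject 70:reject 75:reject 131:accept
#   recent_simulate 60 3 "0 31 62 93"   # one attempt every 31 s is never blocked
#     -> 0:accept 31:accept 62:accept 93:accept
```

The first run shows why "rejected for a minute" is only roughly right: the attempts at 70 and 75 seconds are still rejected because the rejected SYNs at 10 and 30 seconds were recorded too, and the source is only let back in at 131 seconds once fewer than three attempts fall inside the last minute. The second run shows the steady rate the rules tolerate: anything slower than two new connections per minute passes untouched.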

And that's about it for SSH; now on to bind.

Install and configure bind

Since I am moving my DNS server from my old VPS to this one, I couldn't just set up a new server from scratch; I needed to keep both in sync until the NS records for my domains were updated at the registrar (the delegation lives in the TLD's nameservers, not in the root servers). So the first thing I did was copy /etc/named.conf and the zone files in /var/named from my old server. I also fetched the latest named.cache from ftp://ftp.internic.net/domain/named.cache to have an up-to-date root hints file. I set up the new server as master for my zones, then changed the zones from master to slave on my old VPS. I also had to update /etc/named.conf on my other slave server. A quick restart of named later, the zones were up to date on all my nameservers. I also had to open port 53 (UDP for queries, TCP for zone transfers) on the firewall. Because the server is now reachable by the whole internet, named should answer recursive queries only for localhost ('allow-recursion') and allow zone transfers only to the slaves ('allow-transfer'); an open recursive resolver gets abused for amplification attacks. Once everything is done and the zones are up to date on all servers, I can update the domains at the registrar to use the new nameserver and remove the one I won't be using anymore.

Since I have my own nameserver, I can also use it for name resolution, so I updated my '/etc/resolv.conf' to point at it and set the search domain to my domain.

And lastly, I make sure named starts on its own after a reboot.

Create new keys and certificates

I use TinyCA2 to manage my keys and certificates. First I create a new certificate signed with my own CA, then I export a PEM key together with the certificate but without the passphrase (the daemons have to read it unattended at startup) and upload it to the server along with a copy of my CA certificate. I usually store them in the '/etc/pki' directory, making sure only root has read/write access, since a passphrase-less key is protected by nothing but file permissions.
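As an added example (not part of the original article), here is the check I would run on the uploaded files before Dovecot and Postfix load them. TinyCA2 is a GUI, so the second function stands in for it with plain openssl commands to produce a private CA and one server certificate; the file names are parameters, not the /etc/pki names used in the text.

```shell
#!/bin/sh
# Added example, not from the original article. The certificate must chain to
# the CA file the daemons will present, the unencrypted private key must belong
# to that certificate, and, because a passphrase-less key is protected only by
# the filesystem, the key must be readable by its owner alone.
tls_files_check() {   # tls_files_check CERT KEY CA -> prints "ok" or the failure
    cert=$1 key=$2 ca=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "cert does not chain to CA"; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
        || { echo "key does not match cert"; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")   # GNU, then BSD stat
    case $mode in
        600|400) ;;
        *) echo "key mode is $mode, want 600"; return 1 ;;
    esac
    echo ok
}

# Stand-in for the TinyCA2 workflow (assumed, not the article's tool): a
# private CA and one server certificate signed by it, written to directory
# DIR as ca.pem, ca.key, cert.pem and key.pem. The server key is written
# without a passphrase, exactly like the PEM export described in the text.
make_private_ca_and_cert() {   # make_private_ca_and_cert DIR HOSTNAME
    d=$1 host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Private CA for $host" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/key.pem" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 825 -in "$d/server.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/cert.pem" >/dev/null 2>&1
    chmod 600 "$d/key.pem" "$d/ca.key"
}
```

The public-key comparison is the important part: a certificate that verifies against the CA but was issued for a different key is the classic mistake after re-exporting from a CA tool, and the daemons only report it as a TLS handshake failure at runtime.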

Install and configure Dovecot

I use IMAP to get my mail from the server so I can check it from multiple computers and, with a webmail client, from anywhere I have web access, since the mail stays on the server. So I installed Dovecot and configured it. I only needed to specify where my certificate, private key and CA certificate are and where the mail is stored on the server, and to set it up so that Postfix can use Dovecot for SASL authentication; this gives me SMTP authentication, so I can use my own mail server from anywhere in the world without it being an open relay.

The configuration changes from the default config file are:

ssl_cert_file = /etc/pki/certfile.pem
ssl_key_file = /etc/pki/keyfile.pem
ssl_ca_file = /etc/pki/cacertfile.pem
mail_location = maildir:~/Maildir

Then the 'auth default' section should look something like this ('user = root' is a setting of the auth process itself, not of the userdb, and is what lets the PAM passdb read the shadow file):

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      # Assuming the default Postfix $queue_directory setting
      path = /var/spool/postfix/private/auth
      mode = 0660
      # Assuming the default Postfix user and group
      user = postfix
      group = postfix
    }
  }
}

I also commented out the 'protocol lda' section because I won't be using the Dovecot LDA.

Then I added some rules to my firewall to open ports 110, 143, 993 and 995. Since I'm basically the only one who uses that server for e-mail and I only use IMAP over TLS, I could have opened only port 143 (or 993) and configured Dovecot to serve just IMAP, but I figured I might as well have the other protocols in case I need them someday. Leaving 110 and 143 open is acceptable because Dovecot's default 'disable_plaintext_auth = yes' refuses logins on those ports until the client has negotiated STARTTLS.

Install and configure Postfix

I've been using Postfix for a while since I find it easier to configure than sendmail and it has always worked well for me. So the first thing I did was install it and remove sendmail from the VPS. Then I configured it for my domains and made sure that mail for root is forwarded to my own address in /etc/aliases. Since I'm subscribed to a few mailing lists I also use procmail for local delivery so I can sort them into folders on the server. The mail is stored in Maildir format, so procmail needs to know about this; for that I just create a '/etc/procmailrc' file with this inside it (the trailing slash on DEFAULT is what tells procmail to deliver in Maildir format):

MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/

Since my ISP, and quite a few others, block traffic to port 25 on servers other than their own, and I want to be able to send mail from my laptop wherever I am without reconfiguring my outgoing server, I enable an MSA (message submission agent) in Postfix. It listens on a different port (587) and requires a username/password before it accepts mail. The default Postfix configuration is pretty good already; it just needs some tweaking specific to my use. I also need to set it up to use TLS and enable the MSA. There are also a few things I do to cut down on spam, and I'll probably add more later.

First I like to define 'myhostname' and 'mydomain' explicitly instead of relying on Postfix to figure them out by itself.

These are the other options I change from the defaults (on Postfix 2.3 and later, 'smtpd_use_tls = yes' is spelled 'smtpd_tls_security_level = may'; the old name still works). The order of 'smtpd_recipient_restrictions' matters: Postfix stops at the first permit or reject, so 'reject_unauth_destination' must come before any permit that is not tied to my own networks or to an authenticated client, or the host becomes an open relay:

myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = host
mailbox_command = /usr/bin/procmail

# TLS stuff
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/keyfile.pem
smtpd_tls_cert_file = /etc/pki/certfile.pem
smtpd_tls_CAfile = /etc/pki/cacertfile.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Anti-UCE
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unauth_destination,
   reject_rbl_client zen.spamhaus.org

In '/etc/postfix/master.cf' I also added these lines to enable the MSA ('smtpd_enforce_tls=yes' is the pre-2.3 name; on newer Postfix use 'smtpd_tls_security_level=encrypt'). The per-service override of 'smtpd_recipient_restrictions' to 'permit_sasl_authenticated,reject' means port 587 accepts mail only from clients that have authenticated, and enforcing TLS means Postfix refuses AUTH until STARTTLS has completed, so the password is never sent in the clear:

submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes

As before, I made sure the dovecot and postfix services start after a reboot and that ports 25 and 587 are open in the firewall.
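As an added example (not part of the original article), the functions below read a main.cf the way Postfix does, including the indented continuation lines used in the 'smtpd_recipient_restrictions' block above, and then walk that restriction list to catch the one ordering mistake that turns the host into an open relay. On a live box 'postconf -n' already prints the parsed values; this is for checking a config file offline, and the main.cf content in the test is constructed from the settings shown above.

```shell
#!/bin/sh
# Added example, not from the original article: read main.cf the way postconf
# does. Syntax handled: "name = value"; a line that starts with whitespace
# continues the previous value; lines starting with "#" are comments; a later
# definition of the same name overrides an earlier one.
pf_get() {   # pf_get FILE name -> value ("" if unset)
    awk -v want="$2" '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]+/  { if (cur != "") val[cur] = val[cur] " " trim($0); next }
        /^[^[:space:]=]+[[:space:]]*=/ {
            cur = $0; sub(/[[:space:]]*=.*/, "", cur)       # parameter name
            v = $0;   sub(/^[^=]*=[[:space:]]*/, "", v)     # first line of value
            val[cur] = trim(v); next
        }
        { cur = "" }                                        # anything else ends a value
        END { print trim(val[want]) }' "$1"
}

# Walk smtpd_recipient_restrictions left to right, as Postfix evaluates it,
# and stop at the first terminal restriction. A permit that is not tied to
# our own networks, to an authenticated client or to our own domains, placed
# before reject_unauth_destination, relays for the whole internet. Only the
# literal restriction names are inspected; a check_*_access table that
# returns PERMIT would need its own review. (Postfix 2.10 and later apply
# the same test to smtpd_relay_restrictions first.)
pf_relay_check() {   # pf_relay_check FILE -> "ok" or the problem found
    for item in $(pf_get "$1" smtpd_recipient_restrictions | tr ',' ' '); do
        case $item in
            reject|reject_unauth_destination|defer_unauth_destination)
                echo ok; return 0 ;;
            permit_mynetworks|permit_sasl_authenticated|permit_auth_destination)
                ;;
            permit*)
                echo "open relay: $item precedes reject_unauth_destination"; return 1 ;;
        esac
    done
    echo "reject_unauth_destination missing"; return 1
}
```

A bare 'reject' counts as terminal because that is exactly what the submission service above relies on: 'permit_sasl_authenticated,reject' lets authenticated clients through and refuses everyone else.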

Migrating e-mails to the new VPS

Now comes the part of migrating the mail from the old server to the new one. This part needs a bit of planning first, because the mail has to be transferred to the new server and no new mail may arrive on the old server after the transfer, or you could lose messages.

The first thing I do is stop postfix on the new VPS to make sure no mail reaches it yet. Then I change some options in '/etc/postfix/main.cf' on the old VPS so that it becomes a backup mail server instead of the primary one. The changes are: remove everything from 'mydestination' and add '$mydomain' to 'relay_domains'. I could leave $myhostname, localhost.$mydomain and localhost in there, but I don't want any mail to be delivered locally on that server because I'll never read it anyway. I also add 'bounce_queue_lifetime = 14d' and 'maximal_queue_lifetime = 14d' to keep mail in the queue for 14 days instead of the default 5. Five days would probably be enough but I prefer to be on the safe side. The main changes to 'main.cf' are:

mydestination =
relay_domains = $mydomain
bounce_queue_lifetime = 14d
maximal_queue_lifetime = 14d

If you plan on keeping this server as your secondary MX, it would be a good idea to add a 'relay_recipient_maps' entry as well, so the backup only accepts mail for addresses that actually exist instead of queuing it and later bouncing spam to forged senders. For more info see: http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

The next step is restarting postfix on the old VPS and making sure it stores mail in its queue. Then I update the zone file on the master DNS server, adding the new VPS as the primary MX and keeping the old one as secondary MX. After that I restart the slave DNS servers and make sure they get the latest zone data so the change propagates faster. Now I just need to tar the Maildirs for every user on the old VPS, upload them to the new server and untar them in the respective home directories. I also make sure to copy the '.procmailrc' files, if there are any, so I don't lose my filters. I can now check that I see my e-mails over IMAP, then start the postfix service on the new VPS and send it a test e-mail to make sure it's received. You could shut down the dovecot service on the old VPS at this point, but I wanted to make sure I didn't have anything still configured to use the MSA on it before turning off postfix completely, so I changed 'protocols = imap imaps pop3 pop3s' to 'protocols = none' in 'dovecot.conf' and restarted the service: that way I can no longer log in to IMAP or POP3 there, but the SASL socket that the MSA uses keeps working.
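As an added example (not part of the original article), here is the check I would take on the old VPS before the tar and on the new one after the untar: a per-folder message count for a Maildir tree, so a partial upload or a message delivered in between shows up as a difference rather than being noticed weeks later. The Maildir in the test is constructed; the functions take the directory as a parameter rather than assuming ~/Maildir.

```shell
#!/bin/sh
# Added example, not from the original article. Maildir++ layout: the top
# level holds cur/ new/ tmp/ for the INBOX, and each IMAP folder is a
# dot-directory (".Sent", ".lists.fedora") with its own cur/ new/ tmp/.
# Only cur/ and new/ are counted: tmp/ holds deliveries still in progress,
# which is exactly why mail to the old box must be stopped before copying.
maildir_report() {   # maildir_report MAILDIR -> "folder count" lines, sorted
    ( cd "$1" && find . -type f \( -path '*/cur/*' -o -path '*/new/*' \) ) \
    | sed 's#^\./##' \
    | awk -F/ '{ n[(NF == 2) ? "INBOX" : $1]++ }   # depth 2 = INBOX, else folder name
               END { for (f in n) print f, n[f] }' \
    | LC_ALL=C sort
}

# Exit 0 when both trees hold the same folders with the same message counts.
# Run the report on each side and diff the two outputs to see which folder
# differs; this function only answers yes or no.
maildir_same() {   # maildir_same OLD_MAILDIR NEW_MAILDIR
    [ "$(maildir_report "$1")" = "$(maildir_report "$2")" ]
}
```

Counting files is deliberately crude: it ignores the IMAP flags encoded after the ':2,' in each filename, so a message marked read on one side and unread on the other still matches, which is what you want when checking that nothing was lost.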

Install pflogsumm

Next I set up pflogsumm so I can get some stats about mail coming in and going out. First I installed perl-Date-Calc, then I downloaded the latest version from here: http://jimsun.linxnet.com/postfix_contrib.html. Then it's just a matter of unpacking it, copying some files and setting up two cron jobs, one for daily stats and one for weekly stats.

I later realized that there's a package named 'postfix-pflogsumm' that provides pflogsumm, so you don't need to install it manually.

Well, I'm not completely done with this article; there are still a few things I need to write, mainly a section about installing and configuring Apache, PHP and MySQL.


Last Updated ( Thursday, 29 April 2010 18:20 )
