|
|
422188 |
<sect1 id="configurations-dialup-server">
|
|
|
5cec14 |
|
|
|
35566a |
<title>The Server Computer</title>
|
|
|
35566a |
|
|
|
422188 |
<sect2 id="configurations-dialup-server-install">
|
|
|
422188 |
<title>Installing Server Computer</title>
|
|
|
35566a |
|
|
|
c0d2a2 |
<para>
|
|
|
c0d2a2 |
Start with a minimal installation of &TC;;, bootup the
|
|
|
c0d2a2 |
operating system, and login as root user.
|
|
|
c0d2a2 |
</para>
|
|
|
c0d2a2 |
|
|
|
c0d2a2 |
<sect3 id="configurations-dialup-server-install-ppp">
|
|
|
692c3a |
<title>Installing Ppp Server</title>
|
|
|
c0d2a2 |
<para>
|
|
|
c0d2a2 |
The ppp server provides the software required to establish and
|
|
|
c0d2a2 |
maintain a PPP link with another system and negociate Internet
|
|
|
c0d2a2 |
Protocol addresses for each end of the link.
|
|
|
c0d2a2 |
</para>
|
|
|
c0d2a2 |
|
|
|
c0d2a2 |
<screen>yum install ppp</screen>
|
|
|
c0d2a2 |
|
|
|
c0d2a2 |
</sect3>
|
|
|
c0d2a2 |
|
|
|
422188 |
<sect3 id="configurations-dialup-server-install-dns">
|
|
|
692c3a |
<title>Installing Name Server</title>
|
|
|
35566a |
<para>
|
|
|
35566a |
The name server provides the software required to translate
|
|
|
35566a |
domain names into IP address and IP addresses into domain
|
|
|
35566a |
names. With this software you can rembember addresses like
|
|
|
422188 |
<ulink url="https://server.example.com/" /> instead of
|
|
|
422188 |
addresses like <ulink url="https://192.168.0.1/" />. There
|
|
|
422188 |
are other feautres (e.g., mail exchanger resolution, zone
|
|
|
422188 |
delegation, etc.) provided by this software that aren't used
|
|
|
422188 |
in the point-to-point configuration we describe in this
|
|
|
422188 |
chapter.
|
|
|
35566a |
</para>
|
|
|
35566a |
<screen>yum install bind</screen>
|
|
|
35566a |
<note>
|
|
|
35566a |
<para>
|
|
|
35566a |
There is a <package>bind-chroot</package> packages, however,
|
|
|
35566a |
we aren't using it because SELinux is already enforced on the
|
|
|
35566a |
&TC;; filesystem and it provides far more security than the
|
|
|
35566a |
idea of <package>bind-chroot</package> package itself does.
|
|
|
35566a |
</para>
|
|
|
35566a |
</note>
|
|
|
35566a |
</sect3>
|
|
|
35566a |
|
|
|
422188 |
<sect3 id="configurations-dialup-server-install-mail">
|
|
|
692c3a |
<title>Installing Mail Server</title>
|
|
|
35566a |
<para>
|
|
|
35566a |
The mail server provides the software required to let you
|
|
|
0253bb |
send/receive mail messages to/from others. The mail server
|
|
|
35566a |
is splitted in three basic components: The Mail Transfer Agent
|
|
|
0253bb |
(MTA), The Mail Delivery Agent (MDA) and an intermediary
|
|
|
0253bb |
daemon named <systemitem class="daemon">saslauthd</systemitem>
|
|
|
0253bb |
to handle user authentication. The MTA is the program your
|
|
|
0253bb |
mail client sends mail messages to. The MDA, on the other
|
|
|
0253bb |
hand, is the program your mail client reads mail message
|
|
|
0253bb |
from (i.e., this is the program that let you access your
|
|
|
0253bb |
mailbox). The saslauthd daemon is used by the MDA to
|
|
|
0253bb |
authenticate user's credentials (e.g., the information that
|
|
|
0253bb |
let you access an specific mailbox) and by the MTA to
|
|
|
0253bb |
authenticate users before sending mail to it, however, in the
|
|
|
0253bb |
configuration we are implementing, the MTA doesn't require
|
|
|
0253bb |
that you authenticate to it in order to send mails through
|
|
|
0253bb |
it. The MTA will listen on all network interfaces it is
|
|
|
0253bb |
attached to and will receive mail sent to
|
|
|
692c3a |
class="fqdomainname">example.com</systemitem> domain name or
|
|
|
692c3a |
|
|
|
692c3a |
class="fqdomainname">server.example.com</systemitem> host
|
|
|
692c3a |
name).
|
|
|
35566a |
</para>
|
|
|
35566a |
|
|
|
692c3a |
<screen>yum install postfix cyrus-{imapd{,-utils},sasl{,-ldap,-md5,-plain}}</screen>
|
|
|
35566a |
|
|
|
35566a |
<para>
|
|
|
35566a |
By default, the <application>sendmail</application>
|
|
|
35566a |
program is used as mail transfer agent, not postfix. For the
|
|
|
35566a |
sake of that point-to-point configuration we are implementing,
|
|
|
35566a |
I decided to use postfix instead as default mail transfer
|
|
|
35566a |
agent, not sendmail. To effectively achieve this decition, it
|
|
|
35566a |
is required to use the <command>alternatives</command>
|
|
|
35566a |
command, as it shown below:
|
|
|
35566a |
</para>
|
|
|
35566a |
|
|
|
35566a |
<screen>alternatives --config mta</screen>
|
|
|
5cec14 |
|
|
|
5cec14 |
<para>
|
|
|
35566a |
This command will present you a menu to chose between
|
|
|
35566a |
available mail transfer agents, so it is there where you
|
|
|
35566a |
choose to use posfix as default option. Now that you've
|
|
|
35566a |
changed postfix the default mail transfer agent, you can
|
|
|
35566a |
saftly remove the sendmail package to avoid unused software
|
|
|
35566a |
to remain inside the computer. To do this, you can run the
|
|
|
35566a |
following command:
|
|
|
5cec14 |
</para>
|
|
|
5cec14 |
|
|
|
35566a |
<screen>yum remove sendmail</screen>
|
|
|
35566a |
|
|
|
35566a |
<para>
|
|
|
35566a |
In addition to mail server specific packages, we also provide
|
|
|
0253bb |
mailing list support. Mailing lists provide mail addresses
|
|
|
35566a |
that users registered inside the ISP can write to. When you
|
|
|
0253bb |
sed an mail to a mailing list, your message is distributed to
|
|
|
35566a |
all members of that list. In order for this to happen, people
|
|
|
35566a |
registered inside ISP need to subscribe themselves into that
|
|
|
35566a |
mailing list they want to receive messages from. The
|
|
|
35566a |
subscription of mailinglist will be available through a secured
|
|
|
35566a |
web application in the following url:
|
|
|
35566a |
</para>
|
|
|
35566a |
|
|
|
35566a |
<itemizedlist>
|
|
|
35566a |
<listitem>
|
|
|
35566a |
<para>
|
|
|
692c3a |
<ulink url="https://example.com/lists/" />
|
|
|
35566a |
</para>
|
|
|
35566a |
</listitem>
|
|
|
35566a |
</itemizedlist>
|
|
|
35566a |
|
|
|
35566a |
<screen>yum install mailman</screen>
|
|
|
35566a |
</sect3>
|
|
|
35566a |
|
|
|
422188 |
<sect3 id="configurations-dialup-server-install-web">
|
|
|
692c3a |
<title>Installing Web Server</title>
|
|
|
35566a |
<para>
|
|
|
35566a |
The web server provides the software required to support web
|
|
|
35566a |
interfaces like those one previously mention to register new
|
|
|
35566a |
users inside the ISP and subscribe mailing lists. The web
|
|
|
35566a |
server provided in this configuration will accept requests
|
|
|
35566a |
both unencrypted and encrypted.
|
|
|
35566a |
</para>
|
|
|
35566a |
|
|
|
35566a |
<screen>yum install httpd mod_ssl crypto-utils</screen>
|
|
|
35566a |
|
|
|
35566a |
<para>
|
|
|
35566a |
In addition to mailing lists support, the web server will
|
|
|
35566a |
provide access to Subversion. Subvesion provides a way to
|
|
|
35566a |
manage files through version control. The main purpose of
|
|
|
35566a |
providing Subversion support here is sharing the version of
|
|
|
c0d2a2 |
&TCAR; I've been working on.
|
|
|
c0d2a2 |
</para>
|
|
|
35566a |
|
|
|
35566a |
<screen>yum install subversion mod_dav_svn</screen>
|
|
|
35566a |
|
|
|
35566a |
</sect3>
|
|
|
35566a |
|
|
|
422188 |
<sect3 id="configurations-dialup-server-install-ldap">
|
|
|
422188 |
|
|
|
692c3a |
<title>Installing Directory Server</title>
|
|
|
422188 |
|
|
|
35566a |
<para>
|
|
|
35566a |
The directory server provides the software required to unify
|
|
|
35566a |
user information. This server is access by other server
|
|
|
35566a |
whenever user information is required. You, as end user, can
|
|
|
35566a |
also use this server from your workstation to retrive a list
|
|
|
35566a |
of all users registered in the ISP. This list can be retrived
|
|
|
35566a |
by the web interface the ISP provides, or any application your
|
|
|
0253bb |
workstation provide (e.g., most mail clients provide a way
|
|
|
35566a |
to configure LDAP servers to build address book from it.).
|
|
|
35566a |
</para>
|
|
|
35566a |
|
|
|
35566a |
<screen>yum openldap-servers python-ldap</screen>
|
|
|
35566a |
|
|
|
35566a |
</sect3>
|
|
|
35566a |
</sect2>
|
|
|
35566a |
|
|
|
422188 |
<sect2 id="configurations-dialup-server-config">
|
|
|
422188 |
<title>Configuring Server Computer</title>
|
|
|
422188 |
<para>
|
|
|
692c3a |
Once all required packages have been installed inside the
|
|
|
692c3a |
server computer, it is time to configure them. This section
|
|
|
692c3a |
describes how to configure the server computer to provide a
|
|
|
692c3a |
public mail system.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-install-network">
|
|
|
692c3a |
<title>Configuring Network Internface</title>
|
|
|
692c3a |
<variablelist>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
|
|
|
692c3a |
# for the documentation of these parameters.
|
|
|
692c3a |
TYPE=Ethernet
|
|
|
692c3a |
DEVICE=eth0
|
|
|
692c3a |
HWADDR=00:1c:c0:f0:aa:05
|
|
|
692c3a |
BOOTPROTO=none
|
|
|
692c3a |
NETMASK=255.255.255.0
|
|
|
692c3a |
IPADDR=192.168.0.1
|
|
|
692c3a |
ONBOOT=yes
|
|
|
692c3a |
USERCTL=no
|
|
|
692c3a |
IPV6INIT=no
|
|
|
692c3a |
PEERDNS=yes
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
</variablelist>
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-ppp">
|
|
|
692c3a |
<title>Configuring Ppp Server</title>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
This configuration specifies the way the server computer will
|
|
|
692c3a |
handle incoming dial-up connections.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
<variablelist>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/ppp/options</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
360ea0 |
# Enforce the use of the hostname as the name of the local system for
|
|
|
360ea0 |
# authentication purposes (overrides the name option).
|
|
|
360ea0 |
usehostname
|
|
|
692c3a |
|
|
|
360ea0 |
# Specify which DNS Servers the incoming Win95 or WinNT Connection
|
|
|
360ea0 |
# should use Two Servers can be remotely configured
|
|
|
692c3a |
ms-dns 192.168.0.1
|
|
|
692c3a |
|
|
|
360ea0 |
# Increase debugging level (same as -d). The debug output is written
|
|
|
360ea0 |
# to syslog LOG_LOCAL2.
|
|
|
692c3a |
debug
|
|
|
692c3a |
|
|
|
360ea0 |
# Require the peer to authenticate itself before allowing network
|
|
|
360ea0 |
# packets to be sent or received. Please do not disable this setting.
|
|
|
360ea0 |
# It is expected to be standard in future releases of pppd. Use the
|
|
|
360ea0 |
# call option (see manpage) to disable authentication for specific
|
|
|
360ea0 |
# peers.
|
|
|
360ea0 |
#auth
|
|
|
360ea0 |
|
|
|
360ea0 |
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
|
|
|
360ea0 |
# on the serial port.
|
|
|
360ea0 |
crtscts
|
|
|
360ea0 |
|
|
|
360ea0 |
# Specifies that pppd should use a UUCP-style lock on the serial
|
|
|
360ea0 |
# device to ensure exclusive access to the device.
|
|
|
360ea0 |
lock
|
|
|
360ea0 |
|
|
|
360ea0 |
# Use the modem control lines.
|
|
|
360ea0 |
modem
|
|
|
360ea0 |
|
|
|
360ea0 |
# async character map -- 32-bit hex; each bit is a character that
|
|
|
360ea0 |
# needs to be escaped for pppd to receive it. 0x00000001 represents
|
|
|
360ea0 |
# '\x01', and 0x80000000 represents '\x1f'. To allow pppd to work
|
|
|
360ea0 |
# over a rlogin/telnet connection, ou should escape XON (^Q), XOFF
|
|
|
360ea0 |
# (^S) and ^]: (The peer should use "escape ff".)
|
|
|
360ea0 |
#asyncmap 200a0000
|
|
|
360ea0 |
asyncmap 0
|
|
|
360ea0 |
|
|
|
360ea0 |
# Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
|
|
|
360ea0 |
# notation (e.g. 255.255.255.0).
|
|
|
360ea0 |
netmask 255.255.255.0
|
|
|
360ea0 |
|
|
|
360ea0 |
# Don't fork to become a background process (otherwise pppd will do so
|
|
|
360ea0 |
# if a serial device is specified).
|
|
|
360ea0 |
nodetach
|
|
|
360ea0 |
|
|
|
360ea0 |
# Set the assumed name of the remote system for authentication
|
|
|
360ea0 |
# purposes to <n>.
|
|
|
360ea0 |
remotename client
|
|
|
360ea0 |
|
|
|
360ea0 |
# If this option is given, pppd will send an LCP echo-request frame to
|
|
|
360ea0 |
# the peer every n seconds. Under Linux, the echo-request is sent when
|
|
|
360ea0 |
# no packets have been received from the peer for n seconds. Normally
|
|
|
360ea0 |
# the peer should respond to the echo-request by sending an
|
|
|
360ea0 |
# echo-reply. This option can be used with the lcp-echo-failure
|
|
|
360ea0 |
# option to detect that the peer is no longer connected.
|
|
|
360ea0 |
lcp-echo-interval 30
|
|
|
360ea0 |
|
|
|
360ea0 |
# If this option is given, pppd will presume the peer to be dead if n
|
|
|
360ea0 |
# LCP echo-requests are sent without receiving a valid LCP echo-reply.
|
|
|
360ea0 |
# If this happens, pppd will terminate the connection. Use of this
|
|
|
360ea0 |
# option requires a non-zero value for the lcp-echo-interval
|
|
|
360ea0 |
# parameter. This option can be used to enable pppd to terminate
|
|
|
360ea0 |
# after the physical connection has been broken (e.g., the modem has
|
|
|
360ea0 |
# hung up) in situations where no hardware modem control lines are
|
|
|
360ea0 |
# available.
|
|
|
360ea0 |
lcp-echo-failure 4
|
|
|
360ea0 |
|
|
|
360ea0 |
# Specifies that pppd should disconnect if the link is idle for n
|
|
|
360ea0 |
# seconds.
|
|
|
692c3a |
idle 60
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/ppp/cha-secrets</filename></term>
|
|
|
692c3a |
<term><filename>/etc/ppp/pap-secrets</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
# client server secret IP addresses
|
|
|
692c3a |
|
|
|
692c3a |
# Specify the client configuration. This is when this manchine calls
|
|
|
692c3a |
# someone's else machine and tries to establish a point-to-point
|
|
|
692c3a |
# connection. Most of this configuration is handled by the
|
|
|
692c3a |
# `system-config-network' utility.
|
|
|
692c3a |
#
|
|
|
692c3a |
####### redhat-config-network will overwrite this part!!! (begin) ##########
|
|
|
692c3a |
####### redhat-config-network will overwrite this part!!! (end) ############
|
|
|
692c3a |
|
|
|
692c3a |
# Specify the server configuration. This is when someone's else
|
|
|
692c3a |
# machine calls this machine trying to establish a point-to-point
|
|
|
692c3a |
# connection. This part of the configuration isn't handled by
|
|
|
692c3a |
# `system-config-network' utility. To prenvent this configuration to
|
|
|
692c3a |
# be lost the next time the `system-config-network' utility be used,
|
|
|
692c3a |
# be sure to have this configuration backed up somewhere so it can be
|
|
|
692c3a |
# resotred in such situations.
|
|
|
692c3a |
#
|
|
|
360ea0 |
client server mail4u 192.168.0.2
|
|
|
360ea0 |
server client mail4u 192.168.0.1
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
</variablelist>
|
|
|
692c3a |
|
|
|
360ea0 |
<para>
|
|
|
1091a0 |
To make the modem respond to calls ...
|
|
|
360ea0 |
</para>
|
|
|
360ea0 |
|
|
|
360ea0 |
<screen>pppd /dev/ttyACM0</screen>
|
|
|
360ea0 |
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-dns">
|
|
|
692c3a |
<title>Configuring Name Server</title>
|
|
|
692c3a |
|
|
|
692c3a |
<variablelist>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/named.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
# BIND DNS server 'named' configuration file for the Red Hat BIND
|
|
|
692c3a |
# distribution. This file was initially taken from
|
|
|
692c3a |
# `/usr/share/doc/bind-*/samples/named.conf' file and modified to fit
|
|
|
692c3a |
# this server's needs.
|
|
|
692c3a |
#
|
|
|
692c3a |
# This machine exists to develop The CentOS Project Corporate Identity
|
|
|
692c3a |
# through The CentOS Artwork Repository. Presently, this machine is
|
|
|
692c3a |
# isolated from Internet. However, a modem has been attached[1] and
|
|
|
692c3a |
# configured so people can establish point-to-point connections to
|
|
|
692c3a |
# this machine and download working copies of The CentOS Artwork
|
|
|
692c3a |
# Repository and help me to develop it.
|
|
|
692c3a |
#
|
|
|
692c3a |
# In this configuration there are only two IP addresses involved. The
|
|
|
692c3a |
# one used in this server (192.168.0.1) and another for the client who
|
|
|
692c3a |
# realize the point-to-point connection (192.168.0.2). This server is
|
|
|
692c3a |
# named `server.example.com' and the client `client.example.com' or
|
|
|
692c3a |
# something similar.
|
|
|
692c3a |
# --------------------------------------------------------------------
|
|
|
692c3a |
# See the BIND Administrator's Reference Manual (ARM) for details, in:
|
|
|
692c3a |
# file:///usr/share/doc/bind-*/arm/Bv9ARM.html
|
|
|
692c3a |
#
|
|
|
692c3a |
# Also see the BIND Configuration GUI:
|
|
|
692c3a |
# /usr/bin/system-config-bind and its manual.
|
|
|
692c3a |
# --------------------------------------------------------------------
|
|
|
692c3a |
|
|
|
692c3a |
options {
|
|
|
692c3a |
|
|
|
692c3a |
# Those options should be used carefully because they disable port
|
|
|
692c3a |
# randomization.
|
|
|
692c3a |
// query-source port 53;
|
|
|
692c3a |
// query-source-v6 port 53;
|
|
|
692c3a |
|
|
|
692c3a |
# Put files that named is allowed to write in the data/ directory:
|
|
|
692c3a |
directory "/var/named"; // the default
|
|
|
692c3a |
dump-file "data/cache_dump.db";
|
|
|
692c3a |
statistics-file "data/named_stats.txt";
|
|
|
692c3a |
memstatistics-file "data/named_mem_stats.txt";
|
|
|
692c3a |
};
|
|
|
692c3a |
|
|
|
692c3a |
logging {
|
|
|
692c3a |
|
|
|
692c3a |
# If you want to enable debugging, eg. using the 'rndc trace'
|
|
|
692c3a |
# command, named will try to write the 'named.run' file in the
|
|
|
692c3a |
# $directory (/var/named). By default, SELinux policy does not
|
|
|
692c3a |
# allow named to modify the /var/named directory, so put the
|
|
|
692c3a |
# default debug log file in data/ :
|
|
|
692c3a |
channel default_debug {
|
|
|
692c3a |
file "data/named.run" versions 5 size 20m;
|
|
|
692c3a |
severity dynamic;
|
|
|
692c3a |
};
|
|
|
692c3a |
};
|
|
|
692c3a |
|
|
|
692c3a |
# All BIND 9 zones are in a "view", which allow different zones to be
|
|
|
692c3a |
# served to different types of client addresses, and for options to be
|
|
|
692c3a |
# set for groups of zones. By default, if named.conf contains no
|
|
|
692c3a |
# "view" clauses, all zones are in the "default" view, which matches
|
|
|
692c3a |
# all clients. If named.conf contains any "view" clause, then all
|
|
|
692c3a |
# zones MUST be in a view; so it is recommended to start off using
|
|
|
692c3a |
# views to avoid having to restructure your configuration files in the
|
|
|
692c3a |
# future.
|
|
|
692c3a |
|
|
|
692c3a |
view "internal" {
|
|
|
692c3a |
|
|
|
692c3a |
# This view will contain zones you want to serve only to
|
|
|
692c3a |
# "internal" clients that connect via your directly attached LAN
|
|
|
692c3a |
# interfaces - "localnets".
|
|
|
692c3a |
match-clients { 192.168.0/24; };
|
|
|
692c3a |
match-destinations { 192.168.0/24; };
|
|
|
692c3a |
recursion no;
|
|
|
692c3a |
|
|
|
692c3a |
# All views must contain the root hints zone. However, since this
|
|
|
692c3a |
# machine is disconnected from Internet it is not possible for it
|
|
|
692c3a |
# to reach root servers. So, this line is commented based that no
|
|
|
692c3a |
# recursion is performed here.
|
|
|
692c3a |
//include "named.rfc1912.zones";
|
|
|
692c3a |
|
|
|
692c3a |
# These are your "authoritative" internal zones, and would
|
|
|
692c3a |
# probably also be included in the "localhost_resolver" view
|
|
|
692c3a |
# above:
|
|
|
692c3a |
zone "example.com" IN {
|
|
|
692c3a |
type master;
|
|
|
692c3a |
file "example.com.zone";
|
|
|
692c3a |
allow-update { none; };
|
|
|
692c3a |
};
|
|
|
692c3a |
|
|
|
692c3a |
zone "0.168.192.in-addr.arpa" IN {
|
|
|
692c3a |
type master;
|
|
|
692c3a |
file "example.com.rr.zone";
|
|
|
692c3a |
allow-update { none; };
|
|
|
692c3a |
};
|
|
|
692c3a |
};
|
|
|
692c3a |
|
|
|
692c3a |
# The localhost_resolver is already configured in `/etc/hosts' and set
|
|
|
692c3a |
# as first choise in `/etc/hosts.conf' file. However, if you change
|
|
|
692c3a |
# the order in `/etc/hosts.conf' file to make bind the first choise,
|
|
|
692c3a |
# then you need to include here the localhost_resolver in order to
|
|
|
692c3a |
# resolve localhost (127.0.0.1) address.
|
|
|
692c3a |
|
|
|
692c3a |
key "rndckey" {
|
|
|
692c3a |
algorithm hmac-md5;
|
|
|
692c3a |
secret "JjsCg0VcCjZILGD8FR9nnw==";
|
|
|
692c3a |
};
|
|
|
692c3a |
|
|
|
692c3a |
controls {
|
|
|
692c3a |
inet 127.0.0.1 port 953
|
|
|
692c3a |
allow { 127.0.0.1; } keys { "rndckey"; };
|
|
|
692c3a |
};
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/var/named/example.com.zone</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
$ORIGIN example.com.
|
|
|
692c3a |
$TTL 86400
|
|
|
692c3a |
@ IN SOA example.com. hostmaster.example.com. (
|
|
|
692c3a |
2011100404 ; serial (d. adams)
|
|
|
692c3a |
3H ; refresh
|
|
|
692c3a |
15M ; retry
|
|
|
692c3a |
1W ; expiry
|
|
|
692c3a |
1D ) ; minimum
|
|
|
692c3a |
|
|
|
692c3a |
IN NS dns.example.com.
|
|
|
692c3a |
IN MX 10 mail.example.com.
|
|
|
692c3a |
|
|
|
692c3a |
server IN A 192.168.0.1
|
|
|
692c3a |
client IN A 192.168.0.2
|
|
|
692c3a |
|
|
|
692c3a |
dns IN CNAME server
|
|
|
692c3a |
mail IN CNAME server
|
|
|
692c3a |
www IN CNAME server
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/var/named/example.com.rr.zone</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
$ORIGIN 0.168.192.in-addr.arpa.
|
|
|
692c3a |
$TTL 86400
|
|
|
692c3a |
@ IN SOA example.com. hostmaster.example.com. (
|
|
|
692c3a |
2011100405 ; serial (d. adams)
|
|
|
692c3a |
3H ; refresh
|
|
|
692c3a |
15M ; retry
|
|
|
692c3a |
1W ; expiry
|
|
|
692c3a |
1D ) ; minimum
|
|
|
692c3a |
|
|
|
692c3a |
IN NS 192.168.0.1
|
|
|
692c3a |
|
|
|
692c3a |
1 IN PTR server.example.com.
|
|
|
692c3a |
2 IN PTR client.example.com.
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/rndc.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
include "/etc/rndc.key";
|
|
|
692c3a |
options {
|
|
|
692c3a |
default-key "rndckey";
|
|
|
692c3a |
default-server 127.0.0.1;
|
|
|
692c3a |
default-port 953;
|
|
|
692c3a |
};
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/rndc.key</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
key "rndckey" {
|
|
|
692c3a |
algorithm hmac-md5;
|
|
|
692c3a |
secret "JjsCg0VcCjZILGD8FR9nnw==";
|
|
|
692c3a |
};
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
When configuring <command>rndc</command> controls, don't use
|
|
|
692c3a |
the same secret shown in the example above. If you do so, the
|
|
|
692c3a |
secret information will not be a secret anymore (since we
|
|
|
692c3a |
already used it here). Instead, use the
|
|
|
692c3a |
<command>rndc-genconf</command> command to generate a new one,
|
|
|
692c3a |
and be sure it be placed correctly both in
|
|
|
692c3a |
<filename>/etc/rndc.conf</filename> and
|
|
|
692c3a |
<filename>/etc/named.conf</filename> configuration files.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/resolv.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>nameserver 192.168.0.1</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/host.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>order hosts,bind</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
</variablelist>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
At this point you can start the named service and realize some
|
|
|
692c3a |
tests to verify the named service is certainly working as
|
|
|
692c3a |
expected. For example, consider the the following two
|
|
|
692c3a |
commands:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
[root@server ~]# service named start
|
|
|
692c3a |
Starting named: [ OK ]
|
|
|
692c3a |
[root@server ~]# dig example.com mx
|
|
|
692c3a |
|
|
|
692c3a |
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> example.com mx
|
|
|
692c3a |
;; global options: printcmd
|
|
|
692c3a |
;; Got answer:
|
|
|
692c3a |
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3540
|
|
|
692c3a |
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
|
|
|
692c3a |
|
|
|
692c3a |
;; QUESTION SECTION:
|
|
|
692c3a |
;example.com. IN MX
|
|
|
692c3a |
|
|
|
692c3a |
;; ANSWER SECTION:
|
|
|
692c3a |
example.com. 86400 IN MX 10 mail.example.com.
|
|
|
692c3a |
|
|
|
692c3a |
;; AUTHORITY SECTION:
|
|
|
692c3a |
example.com. 86400 IN NS dns.example.com.
|
|
|
692c3a |
|
|
|
692c3a |
;; Query time: 0 msec
|
|
|
692c3a |
;; SERVER: 192.168.0.1#53(192.168.0.1)
|
|
|
692c3a |
;; WHEN: Wed Oct 5 10:33:24 2011
|
|
|
692c3a |
;; MSG SIZE rcvd: 67
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
If everything is ok, configure the named service to start at
|
|
|
692c3a |
boot time:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>chkconfig --level 345 named on</screen>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
If something goes wrong, look for
|
|
|
692c3a |
class="daemon">named</systemitem> daemon entries inside the
|
|
|
692c3a |
<filename>/var/log/messages</filename> file to know what is
|
|
|
692c3a |
going on. When you are configuring the name server, it could
|
|
|
692c3a |
result useful to you keeping an always visible terminal,
|
|
|
692c3a |
running the following command on it:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>grep named /var/log/messages | tail -f -</screen>
|
|
|
692c3a |
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-mta">
|
|
|
692c3a |
<title>Configuring Mail Server (MTA)</title>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
Based on default configuration provided by Postfix RPM inside
|
|
|
692c3a |
&TC;; (release 5.5), look for the following options and leave
|
|
|
692c3a |
the rest as is.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<variablelist>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/postfix/main.cf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<screen>
|
|
|
692c3a |
myhostname = server.example.com
|
|
|
692c3a |
mydomain = example.org
|
|
|
692c3a |
inet_interfaces = $myhostname, localhost
|
|
|
692c3a |
mynetworks = 192.168.0.0/24, 127.0.0.0/8
|
|
|
692c3a |
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
|
|
|
692c3a |
local_destination_recipient_limit = 300
|
|
|
692c3a |
local_destination_concurrency_limit = 5
|
|
|
692c3a |
</screen>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
</variablelist>
|
|
|
692c3a |
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-mda">
|
|
|
692c3a |
<title>Configuring Mail Server (MDA)</title>
|
|
|
692c3a |
<variablelist>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/cyrus.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
Leave it as is. There is nothing to touch here for a small and
|
|
|
692c3a |
basic configuration like that one we are implementing in this
|
|
|
692c3a |
chapter.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/imapd.conf</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
Leave it as is. There is nothing to touch here for a small and
|
|
|
692c3a |
basic configuration like that one we are implementing in this
|
|
|
692c3a |
chapter.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
The initial configuration of Cyrus IMAP server is set to use
|
|
|
692c3a |
PLAIN authentication mechanisim (see
|
|
|
692c3a |
<option>sasl_mech_list</option> option) against
|
|
|
692c3a |
class="daemon">saslauthd</systemitem> daemon. This makes the
|
|
|
692c3a |
password information to be vulnerable for man in the middle
|
|
|
692c3a |
attacks. In order to protect the user authentication, you can
|
|
|
692c3a |
use other authentication mechanisms like CRAM-MD5 or
|
|
|
0253bb |
DIGEST-MD5 in the mail client in order to send the password
|
|
|
692c3a |
information encrypted. Another solution would be to create an
|
|
|
692c3a |
encrypted channel for communication between the e-email client
|
|
|
692c3a |
and Cyrus IMAP server by mean of SSL encryption.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
When you use authentication mechanisms that encrypt user
|
|
|
692c3a |
information before passing them to saslauthd daemon (e.g.,
|
|
|
0253bb |
DIGETS-MD5), you are protecting your data in the mail
|
|
|
692c3a |
client before passing it to saslauthd daemon. Therefore, when
|
|
|
692c3a |
the <systemitem class="daemon">saslauthd</systemitem> daemon
|
|
|
692c3a |
tries to validate the credentials you passed in against PAM,
|
|
|
692c3a |
it fails. At my personal understanding, this happens becase
|
|
|
692c3a |
PAM must receive the user information as it was entered by the
|
|
|
692c3a |
user (i.e., plainly, without any encryption) in order to
|
|
|
692c3a |
realize the verification against the system default
|
|
|
692c3a |
authentication database (e.g.,
|
|
|
692c3a |
<filename>/etc/passwd</filename>,
|
|
|
692c3a |
<filename>/etc/shadow</filename>), and
|
|
|
692c3a |
class="daemon">saslauthd</systemitem> daemon is passing an
|
|
|
692c3a |
encrypted version of the plain user information which
|
|
|
692c3a |
obviously cannot match the hash produced by plain user
|
|
|
692c3a |
information in first place.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
One alternative to the situation mentioned above could be to
|
|
|
692c3a |
use PLAIN authentication mechanism over an SSL encrypted
|
|
|
692c3a |
communication or excluding PAM mechanism from saslauthd
|
|
|
692c3a |
daemon, and use LDAP mechanism instead. When LDAP mechanism
|
|
|
692c3a |
is used as default authentication mechanism inside saslauthd
|
|
|
0253bb |
daemon, it is possible for mail clients to send encrypted
|
|
|
692c3a |
passwords to saslauthd daemon. In this configuration, the
|
|
|
692c3a |
password stored in LDAP server must be encrypted using the
|
|
|
0253bb |
same algorithm used to send the encrypted password from mail
|
|
|
692c3a |
client to saslauthd daemon. Therefore, you need to force the
|
|
|
692c3a |
user to use just one authentication mechanism, that one used
|
|
|
692c3a |
to stored encrypted passwords inside the LDAP server.
|
|
|
692c3a |
Otherwise, it would be very difficult to authenticate users
|
|
|
692c3a |
that send passwords encrypted in a way different to that one
|
|
|
692c3a |
stored in the LDAP server.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
0253bb |
Another configuration could be to keep mail clients using
|
|
|
692c3a |
PLAIN authentication over an SSL connection against saslauthd
|
|
|
692c3a |
daemon, and saslauthd using a PAM. But this time, PAM would be
|
|
|
692c3a |
configured to extend its default system authentication by
|
|
|
692c3a |
using an LDAP server. This way, it would be possible to
|
|
|
692c3a |
isolate user accound administration and greatly control the
|
|
|
692c3a |
kind of information a user might have. For example, the root
|
|
|
692c3a |
user account would be in the system default authentication,
|
|
|
692c3a |
however all service-specific user information would be in the
|
|
|
692c3a |
LDAP server. This permits us to create a web application that
|
|
|
692c3a |
interact with LDAP server in order to manage service-specific
|
|
|
692c3a |
user information only avoiding any contant with system default
|
|
|
692c3a |
authentication, the place where the root user is stored in. In
|
|
|
692c3a |
this PAM configuration, the first match that fails means that
|
|
|
692c3a |
the whole authentication process fails.
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
<varlistentry>
|
|
|
692c3a |
<term><filename>/etc/pki/cyrus-imapd/cyrus-imapd.pem</filename></term>
|
|
|
692c3a |
<listitem>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
This file is a symbolic link to
|
|
|
692c3a |
<filename>/etc/pki/tls/certs/cyrus-imapd.pem</filename>. This
|
|
|
692c3a |
file contains a self-generated SSL certificate you probably
|
|
|
692c3a |
want to update for setting your host name in the <quote>Common
|
|
|
692c3a |
Name</quote> field of it. To create this file use the
|
|
|
692c3a |
following command:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
<screen>openssl req -new -x509 -nodes -out /etc/pki/tls/certs/cyrus-imapd.pem -keyout /etc/pki/tls/certs/cyrus-imapd.pem -days 365</screen>
|
|
|
692c3a |
|
|
|
692c3a |
</listitem>
|
|
|
692c3a |
</varlistentry>
|
|
|
692c3a |
</variablelist>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
To initiate the Cyrus IMAP server, run the following command:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>service cyrus-imapd start</screen>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
In case something fails, look into the
|
|
|
692c3a |
<filename>/var/log/maillog</filename> file, specifically those
|
|
|
692c3a |
entries containing imap , pop ,
|
|
|
692c3a |
nntp and cyrus strings. It could be
|
|
|
692c3a |
useful if, before initiating Cyrus IMAP server, you open a
|
|
|
692c3a |
terminal and run the following command in it, just to see what
|
|
|
692c3a |
is happening once Cyrus IMAP server is initiated:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>egrep '(cyrus|imap|pop)' /var/log/maillog | tail -f -</screen>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
Later, to test the STARTTLS negociation, you can
|
|
|
692c3a |
run the following command:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>imtest -t "" server.example.com</screen>
|
|
|
692c3a |
|
|
|
692c3a |
<para>
|
|
|
692c3a |
To administer mailboxes inside Cyrus Imapd, set a password to
|
|
|
692c3a |
cyrus user (e.g., <command>passwd cyrus</command>), do login
|
|
|
692c3a |
with it, and connect to Cyrus IMAP server using the
|
|
|
692c3a |
<command>cyradm</command> command, as shown below:
|
|
|
692c3a |
</para>
|
|
|
692c3a |
|
|
|
692c3a |
<screen>cyradm --user=cyrus --auth=login localhost</screen>
|
|
|
692c3a |
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-sasl">
|
|
|
692c3a |
<title>Configuring Mail Server (SASL)</title>
|
|
|
692c3a |
<para>
|
|
|
422188 |
...
|
|
|
422188 |
</para>
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-web">
|
|
|
692c3a |
<title>Configuring Web Server</title>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
...
|
|
|
692c3a |
</para>
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
692c3a |
<sect3 id="configurations-dialup-server-config-ldap">
|
|
|
692c3a |
<title>Configuring Directory Server</title>
|
|
|
692c3a |
<para>
|
|
|
692c3a |
...
|
|
|
692c3a |
</para>
|
|
|
692c3a |
</sect3>
|
|
|
692c3a |
|
|
|
422188 |
</sect2>
|
|
|
422188 |
|
|
|
5cec14 |
</sect1>
|