<!-- Manuals/Tcpi-ug/Configurations/Dialup/server.docbook -->

<sect1 id="configurations-dialup-server">

    <title>The Server Computer</title>

    <sect2 id="configurations-dialup-server-install">

    <title>Installing the Server Computer</title>

    <para>
        Start with a minimal installation of &TC;, boot the
        operating system, and log in as the root user.
    </para>

    <sect3 id="configurations-dialup-server-install-ppp">
    <title>Installing the PPP Server</title>
    <para>
        The PPP server provides the software required to establish and
        maintain a PPP link with another system and negotiate Internet
        Protocol addresses for each end of the link.
    </para>

    <screen>yum install ppp</screen>

    </sect3>

    <sect3 id="configurations-dialup-server-install-dns">
    <title>Installing the Name Server</title>
    <para>
        The name server provides the software required to translate
        domain names into IP addresses and IP addresses into domain
        names. With this software you can remember addresses like
        <ulink url="https://server.example.com/" /> instead of
        addresses like <ulink url="https://192.168.0.1/" />.  There
        are other features (e.g., mail exchanger resolution, zone
        delegation, etc.) provided by this software that aren't used
        in the point-to-point configuration we describe in this
        chapter.
    </para>
    <screen>yum install bind</screen>
    <note>
    <para>
        There is a <package>bind-chroot</package> package; however,
        we aren't using it because SELinux is already enforced on the
        &TC; filesystem and it provides far more security than the
        chroot set up by the <package>bind-chroot</package> package does.
    </para>
    </note>
    </sect3>

    <sect3 id="configurations-dialup-server-install-mail">
    <title>Installing the Mail Server</title>
    <para>
        The mail server provides the software required to let you
        send mail messages to others and receive mail messages from
        them. The mail server is split into three basic components: the
        Mail Transfer Agent (MTA), the Mail Delivery Agent (MDA) and an
        intermediary daemon named
        <systemitem class="daemon">saslauthd</systemitem> that handles
        user authentication. The MTA is the program your mail client
        sends mail messages to. The MDA, on the other hand, is the
        program your mail client reads mail messages from (i.e., the
        program that lets you access your mailbox).  The saslauthd
        daemon is used by the MDA to authenticate users' credentials
        (i.e., the information that lets you access a specific mailbox)
        and by the MTA to authenticate users before accepting mail from
        them; however, in the configuration we are implementing, the
        MTA doesn't require that you authenticate to it in order to
        send mail through it.  The MTA will listen on all network
        interfaces it is attached to and will receive mail sent to the
        <systemitem class="fqdomainname">example.com</systemitem> domain
        name or the
        <systemitem class="fqdomainname">server.example.com</systemitem>
        host name.
    </para>

    <screen>yum install postfix cyrus-{imapd{,-utils},sasl{,-ldap,-md5,-plain}}</screen>

    <para>
        By default, the <application>sendmail</application>
        program is used as the mail transfer agent, not postfix. For the
        sake of the point-to-point configuration we are implementing,
        I decided to use postfix as the default mail transfer
        agent instead of sendmail.  To make this decision effective, it
        is required to use the <command>alternatives</command>
        command, as shown below:
    </para>

    <screen>alternatives --config mta</screen>

    <para>
        This command will present you a menu to choose between the
        available mail transfer agents; there you
        choose postfix as the default option. Now that you've
        made postfix the default mail transfer agent, you can
        safely remove the sendmail package so that unused software
        does not remain on the computer. To do this, run the
        following command:
    </para>

    <screen>yum remove sendmail</screen>

    <para>
       In addition to mail server specific packages, we also provide
       mailing list support. Mailing lists provide mail addresses
       that users registered inside the ISP can write to. When you
       send a mail to a mailing list, your message is distributed to
       all members of that list. In order for this to happen, people
       registered inside the ISP need to subscribe themselves to the
       mailing list they want to receive messages from.  Mailing list
       subscription will be available through a secured
       web application at the following URL:
    </para>

    <itemizedlist>
    <listitem>
    <para>
        <ulink url="https://example.com/lists/" />
    </para>
    </listitem>
    </itemizedlist>

    <screen>yum install mailman</screen>
    </sect3>

    <sect3 id="configurations-dialup-server-install-web">
    <title>Installing the Web Server</title>
    <para>
        The web server provides the software required to support web
        interfaces like those previously mentioned to register new
        users inside the ISP and subscribe to mailing lists. The web
        server provided in this configuration will accept both
        unencrypted and encrypted requests.
    </para>

    <screen>yum install httpd mod_ssl crypto-utils</screen>

    <para>
        In addition to mailing list support, the web server will
        provide access to Subversion.  Subversion provides a way to
        manage files through version control. The main purpose of
        providing Subversion support here is sharing the version of
        &TCAR; I've been working on.
    </para>

    <screen>yum install subversion mod_dav_svn</screen>

    </sect3>

    <sect3 id="configurations-dialup-server-install-ldap">

    <title>Installing the Directory Server</title>

    <para>
        The directory server provides the software required to unify
        user information. This server is accessed by the other servers
        whenever user information is required. You, as an end user, can
        also use this server from your workstation to retrieve a list
        of all users registered in the ISP. This list can be retrieved
        through the web interface the ISP provides, or through any
        application your workstation provides (e.g., most mail clients
        provide a way to configure LDAP servers and build an address
        book from them).
    </para>

    <screen>yum install openldap-servers python-ldap</screen>

    </sect3>
    </sect2>

    <sect2 id="configurations-dialup-server-config">
    <title>Configuring the Server Computer</title>
    <para>
        Once all required packages have been installed on the
        server computer, it is time to configure them. This section
        describes how to configure the server computer to provide a
        public mail system.
    </para>

    <sect3 id="configurations-dialup-server-install-network">
    <title>Configuring the Network Interface</title>
    <variablelist>
    <varlistentry>
    <term><filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename></term>
    <listitem>
<screen>
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:1c:c0:f0:aa:05
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.1
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
</screen>
    </listitem>
    </varlistentry>
    </variablelist>
    </sect3>

    <sect3 id="configurations-dialup-server-config-ppp">
    <title>Configuring the PPP Server</title>
    <para>
        This configuration specifies the way the server computer will
        handle incoming dial-up connections.
    </para>
    <variablelist>
    <varlistentry>
    <term><filename>/etc/ppp/options</filename></term>
    <listitem>
<screen>
# Set the name of the local system for authentication purposes to
# name.  This is a privileged option.  With this option, pppd will use
# lines in the secrets files which have name as the second field when
# looking for a secret to use in authenticating the peer.  In
# addition, unless overridden with the user option, name will be used
# as the name to send to the peer when authenticating the local system
# to the peer.  (Note that pppd does not append the domain name to
# name.)
name "server.example.com"

# Require the peer to authenticate itself before allowing network
# packets to be sent or received. This option is the default if the
# system has a default route. If neither this option nor the noauth
# option is specified, pppd will only allow the peer to use IP
# addresses to which the system does not already have a route.
auth

# Specifies that pppd should create a UUCP-style lock file for the
# serial device to ensure exclusive access to the device. By default,
# pppd will not create a lock file.
lock

# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients.  The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.  (This option was present in
# some older versions of pppd under the name dns-addr.)
ms-dns 192.168.0.1

# Allow peers to connect from the given telephone number.  A trailing
# ‘*’ character will match all numbers beginning with the leading
# part.  Notice that this option (allow-number) is useful only for
# incoming calls.  When you want to make an outgoing call, this
# restriction must be commented out.
##### centos-pppd-admin will overwrite this part!!! (begin) #####
##### centos-pppd-admin will overwrite this part!!! (end) #####

# Enable connection debugging facilities. If this option is given,
# pppd will log the contents of all control packets sent or received
# in a readable form. The packets are logged through syslog with
# facility daemon and level debug. This information can be directed to
# a file by setting up /etc/syslog.conf appropriately (see
# syslog.conf(5)).
debug

# Terminate the connection when it has been available for network
# traffic for 900 seconds (i.e. 15 minutes after the first network
# control protocol comes up).
maxconnect 900

# Specifies that pppd should disconnect if the link is idle for 60
# seconds (i.e., 1 minute). The link is idle when no data packets (i.e.
# IP packets) are being sent or received. Note: it is not advisable
# to use this option with the persist option without the demand
# option. If the active-filter option is given, data packets which are
# rejected by the specified activity filter also count as the link
# being idle.
idle 60
</screen>
    </listitem>
    </varlistentry>

    <varlistentry>
    <term><filename>/etc/ppp/chap-secrets</filename></term>
    <term><filename>/etc/ppp/pap-secrets</filename></term>
    <listitem>
<screen>
# client        server  secret                  IP addresses

# Specify the client configuration. This is when this machine calls
# someone else's machine and tries to establish a point-to-point
# connection. Most of this configuration is handled by the
# `system-config-network' utility.
#
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############

# Specify the server configuration. This is when someone else's
# machine calls this machine trying to establish a point-to-point
# connection.  This part of the configuration isn't handled by the
# `system-config-network' utility. To prevent this configuration from
# being lost the next time the `system-config-network' utility is used,
# be sure to have this configuration backed up somewhere so it can be
# restored in such situations.
#
"client.example.com"     "server.example.com"   "mail4u" "192.168.0.2"
</screen>
    </listitem>
    </varlistentry>
    </variablelist>

    </sect3>

    <sect3 id="configurations-dialup-server-config-dns">
    <title>Configuring the Name Server</title>

    <variablelist>
    <varlistentry>
    <term><filename>/etc/named.conf</filename></term>
    <listitem>
<screen>
# BIND DNS server 'named' configuration file for the Red Hat BIND
# distribution. This file was initially taken from the
# `/usr/share/doc/bind-*/samples/named.conf' file and modified to fit
# this server's needs.
#
# This machine exists to develop The CentOS Project Corporate Identity
# through The CentOS Artwork Repository. Presently, this machine is
# isolated from the Internet. However, a modem has been attached[1] and
# configured so people can establish point-to-point connections to
# this machine, download working copies of The CentOS Artwork
# Repository and help me to develop it.
#
# In this configuration there are only two IP addresses involved: the
# one used by this server (192.168.0.1) and another for the client that
# makes the point-to-point connection (192.168.0.2). This server is
# named `server.example.com' and the client `client.example.com' or
# something similar.
# --------------------------------------------------------------------
# See the BIND Administrator's Reference Manual (ARM) for details, in:
#   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
#
# Also see the BIND Configuration GUI:
#   /usr/bin/system-config-bind and its manual.
# --------------------------------------------------------------------

options {

        # These options should be used carefully because they disable port
        # randomization.
        // query-source         port 53;
        // query-source-v6      port 53;

        # Put files that named is allowed to write in the data/ directory:
        directory               "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
};

logging {

        # If you want to enable debugging, eg. using the 'rndc trace'
        # command, named will try to write the 'named.run' file in the
        # $directory (/var/named).  By default, SELinux policy does not
        # allow named to modify the /var/named directory, so put the
        # default debug log file in data/ :
        channel default_debug {
                file            "data/named.run" versions 5 size 20m;
                severity        dynamic;
        };
};

# All BIND 9 zones are in a "view", which allows different zones to be
# served to different types of client addresses, and for options to be
# set for groups of zones.  By default, if named.conf contains no
# "view" clauses, all zones are in the "default" view, which matches
# all clients.  If named.conf contains any "view" clause, then all
# zones MUST be in a view; so it is recommended to start off using
# views to avoid having to restructure your configuration files in the
# future.

view "internal" {

        # This view will contain zones you want to serve only to
        # "internal" clients that connect via your directly attached LAN
        # interfaces - "localnets".
        match-clients           { 192.168.0/24; };
        match-destinations      { 192.168.0/24; };
        recursion               no;

        # All views must contain the root hints zone. However, since this
        # machine is disconnected from the Internet it is not possible for
        # it to reach the root servers. So, this line is commented out,
        # given that no recursion is performed here.
        //include "named.rfc1912.zones";

        # These are your "authoritative" internal zones, and would
        # probably also be included in the "localhost_resolver" view
        # above:
        zone "example.com" IN {
                type master;
                file "example.com.zone";
                allow-update { none; };
        };

        zone "0.168.192.in-addr.arpa" IN {
                type master;
                file "example.com.rr.zone";
                allow-update { none; };
        };
};

# The localhost_resolver is already configured in `/etc/hosts' and set
# as first choice in the `/etc/host.conf' file. However, if you change
# the order in the `/etc/host.conf' file to make bind the first choice,
# then you need to include the localhost_resolver here in order to
# resolve the localhost (127.0.0.1) address.

key "rndckey" {
        algorithm hmac-md5;
        secret "JjsCg0VcCjZILGD8FR9nnw==";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndckey"; };
};
</screen>
    </listitem>
    </varlistentry>

    <varlistentry>
    <term><filename>/var/named/example.com.zone</filename></term>
    <listitem>
<screen>
$ORIGIN example.com.
$TTL    86400
@               IN SOA  example.com. hostmaster.example.com. (
                                        2011100404      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                IN NS           dns.example.com.
                IN MX 10        mail.example.com.

server          IN A            192.168.0.1
client          IN A            192.168.0.2

; NS and MX targets must be address records, not aliases (RFC 2181, 10.3)
dns             IN A            192.168.0.1
mail            IN A            192.168.0.1
www             IN CNAME        server
</screen>
    </listitem>
    </varlistentry>

    <varlistentry>
    <term><filename>/var/named/example.com.rr.zone</filename></term>
    <listitem>
<screen>
$ORIGIN 0.168.192.in-addr.arpa.
$TTL    86400
@               IN SOA  example.com. hostmaster.example.com. (
                                        2011100405      ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

; an NS record names a host, never an IP address
                IN NS           dns.example.com.

1               IN PTR          server.example.com.
2               IN PTR          client.example.com.
</screen>
    </listitem>
    </varlistentry>

    <varlistentry>
    <term><filename>/etc/rndc.conf</filename></term>
    <listitem>
<screen>
include "/etc/rndc.key";
options {
        default-key "rndckey";
        default-server 127.0.0.1;
        default-port 953;
};
</screen>
    </listitem>
    </varlistentry>

    <varlistentry>
    <term><filename>/etc/rndc.key</filename></term>
    <listitem>
<screen>
key "rndckey" {
        algorithm hmac-md5;
        secret "JjsCg0VcCjZILGD8FR9nnw==";
};
</screen>
    <para>
        When configuring <command>rndc</command> controls, don't use
        the same secret shown in the example above. If you do so, the
        secret information will not be a secret anymore (since we
        already published it here). Instead, use the
        <command>rndc-confgen</command> command to generate a new one,
        and be sure it is placed correctly in both the
        <filename>/etc/rndc.conf</filename> and
        <filename>/etc/named.conf</filename> configuration files.
    </para>
    </listitem>
    </varlistentry>
    <varlistentry>
    <term><filename>/etc/resolv.conf</filename></term>
    <listitem>
    <screen>nameserver 192.168.0.1</screen>
    </listitem>
    </varlistentry>
    <varlistentry>
    <term><filename>/etc/host.conf</filename></term>
    <listitem>
    <screen>order hosts,bind</screen>
    </listitem>
    </varlistentry>
    </variablelist>

    <para>
        At this point you can start the named service and run some
        tests to verify that the named service is working as
        expected. For example, consider the following two
        commands:
    </para>

<screen>
[root@server ~]# service named start
Starting named:                                            [  OK  ]
[root@server ~]# dig example.com mx

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> example.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3540
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                    IN      MX

;; ANSWER SECTION:
example.com.             86400   IN      MX      10 mail.example.com.

;; AUTHORITY SECTION:
example.com.             86400   IN      NS      dns.example.com.

;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Oct  5 10:33:24 2011
;; MSG SIZE  rcvd: 67
</screen>
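
    <para>
        A dig query only shows that named answers; it does not show
        whether the forward and reverse zones agree with each other.
        The following is an added example, not part of this manual nor
        of BIND's own tooling: it parses constructed copies of the two
        zone files above (with dns and mail as address records, so the
        NS and MX targets are not aliases) and reports A records without
        a PTR back, PTR records without an A record, NS or MX records
        that point at an alias, and NS records written as an IP literal,
        which named loads but no resolver can use.
    </para>

```python
import re
from typing import List, Tuple

# Constructed copies of the two zone files from this chapter, used as input.
FORWARD_ZONE = """\
$ORIGIN example.com.
$TTL    86400
@               IN SOA  example.com. hostmaster.example.com. (
                                        2011100404 3H 15M 1W 1D )
                IN NS           dns.example.com.
                IN MX 10        mail.example.com.
server          IN A            192.168.0.1
client          IN A            192.168.0.2
dns             IN A            192.168.0.1
mail            IN A            192.168.0.1
www             IN CNAME        server
"""
REVERSE_ZONE = """\
$ORIGIN 0.168.192.in-addr.arpa.
$TTL    86400
@               IN SOA  example.com. hostmaster.example.com. (
                                        2011100405 3H 15M 1W 1D )
                IN NS           dns.example.com.
1               IN PTR          server.example.com.
2               IN PTR          client.example.com.
"""
NAME_TYPES = {"NS", "CNAME", "MX", "PTR"}   # RR types whose rdata is a name


def is_ip(text: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text.rstrip(".")) is not None


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def qualify(name: str, origin: str) -> str:
    """Make a relative name absolute, as named does when loading the zone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Minimal master-file parser: $ORIGIN/$TTL, ';' comments, blank-owner
    continuation lines and the parenthesised SOA. Yields (owner, type, target)."""
    origin, owner, depth = "", "", 0
    records: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth > 0:                           # still inside the SOA "( ... )"
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line[0] in " \t":                    # blank owner: reuse the last one
            fields = line.split()
        else:
            first, *fields = line.split()
            owner = qualify(first, origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                       # optional TTL and class
        rtype, *rdata = fields
        target = rdata[-1] if rdata else ""
        if rtype.upper() in NAME_TYPES and not is_ip(target):
            target = qualify(target, origin)
        records.append((owner, rtype.upper(), target))
        depth += line.count("(") - line.count(")")
    return records


def check_zones(forward, reverse) -> List[str]:
    """Return the problems found; an empty list means the zones agree."""
    problems: List[str] = []
    a_of = {o: t for o, r, t in forward if r == "A"}
    ptr_of = {o: t for o, r, t in reverse if r == "PTR"}
    aliases = {o for o, r, _ in forward if r == "CNAME"}
    for ip in set(a_of.values()):               # each address needs a PTR back
        hosts = {h for h, i in a_of.items() if i == ip}
        if ptr_of.get(reverse_name(ip)) not in hosts:
            problems.append(f"{reverse_name(ip)} should be a PTR to one of {sorted(hosts)}")
    for rname, host in ptr_of.items():          # each PTR needs a matching A
        if host not in a_of or reverse_name(a_of[host]) != rname:
            problems.append(f"PTR {rname} -> {host} has no matching A record")
    for owner, rtype, target in forward + reverse:   # NS/MX/CNAME targets
        if rtype not in ("NS", "MX", "CNAME"):
            continue
        if is_ip(target):
            problems.append(f"{rtype} at {owner} is an IP literal ({target}); use a host name")
        elif target in aliases and rtype != "CNAME":
            problems.append(f"{rtype} at {owner} points at alias {target} (RFC 2181, 10.3)")
        elif target not in a_of and target not in aliases:
            problems.append(f"{rtype} at {owner} points at undefined name {target}")
    return problems


def check_chapter_zones() -> List[str]:
    return check_zones(parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE))
```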

    <para>
        If everything is OK, configure the named service to start at
        boot time:
    </para>

    <screen>chkconfig --level 345 named on</screen>

    <para>
        If something goes wrong, look for
        <systemitem class="daemon">named</systemitem> daemon entries inside the
        <filename>/var/log/messages</filename> file to find out what is
        going on. While you are configuring the name server, you may
        find it useful to keep a terminal always visible,
        running the following command on it:
    </para>

    <screen>tail -f /var/log/messages | grep named</screen>

    </sect3>

    <sect3 id="configurations-dialup-server-config-mta">
    <title>Configuring the Mail Server (MTA)</title>
    <para>
        Starting from the default configuration provided by the Postfix
        RPM in &TC; (release 5.5), look for the following options and
        leave the rest as is.
    </para>

    <variablelist>
    <varlistentry>
    <term><filename>/etc/postfix/main.cf</filename></term>
    <listitem>
<screen>
myhostname = server.example.com
mydomain = example.com
inet_interfaces = $myhostname, localhost
mynetworks = 192.168.0.0/24, 127.0.0.0/8
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
local_destination_recipient_limit = 300
local_destination_concurrency_limit = 5
</screen>
    </listitem>
    </varlistentry>
    </variablelist>

    </sect3>

    <sect3 id="configurations-dialup-server-config-mda">
    <title>Configuring the Mail Server (MDA)</title>
    <variablelist>
    <varlistentry>
    <term><filename>/etc/cyrus.conf</filename></term>
    <listitem>
    <para>
        Leave it as is. There is nothing to touch here for a small and
        basic configuration like the one we are implementing in this
        chapter.
    </para>
    </listitem>
    </varlistentry>
    <varlistentry>
    <term><filename>/etc/imapd.conf</filename></term>
    <listitem>
    <para>
        Leave it as is. There is nothing to touch here for a small and
        basic configuration like the one we are implementing in this
        chapter.
    </para>
    <para>
        The initial configuration of the Cyrus IMAP server is set to use
        the PLAIN authentication mechanism (see the
        <option>sasl_mech_list</option> option) against the
        <systemitem class="daemon">saslauthd</systemitem> daemon. This
        leaves the password information vulnerable to man-in-the-middle
        attacks. In order to protect user authentication, you can
        use other authentication mechanisms like CRAM-MD5 or
        DIGEST-MD5 in the mail client so that the password
        information is not sent in the clear. Another solution would be
        to create an encrypted channel between the e-mail client
        and the Cyrus IMAP server by means of SSL encryption.
    </para>
    <para>
        When you use authentication mechanisms that encrypt user
        information before passing it to the saslauthd daemon (e.g.,
        DIGEST-MD5), you are protecting your data in the mail
        client before passing it to the saslauthd daemon. Therefore, when
        the <systemitem class="daemon">saslauthd</systemitem> daemon
        tries to validate the credentials you passed in against PAM,
        it fails.  To my personal understanding, this happens because
        PAM must receive the user information as it was entered by the
        user (i.e., plainly, without any encryption) in order to
        verify it against the system default
        authentication database (e.g.,
        <filename>/etc/passwd</filename>,
        <filename>/etc/shadow</filename>), and the
        <systemitem class="daemon">saslauthd</systemitem> daemon is passing an
        encrypted version of the plain user information which
        obviously cannot match the hash produced from the plain user
        information in the first place.
    </para>

    <para>
        One alternative to the situation mentioned above could be to
        use the PLAIN authentication mechanism over an SSL encrypted
        connection, or to exclude the PAM mechanism from the saslauthd
        daemon and use the LDAP mechanism instead.  When the LDAP
        mechanism is used as the default authentication mechanism inside
        the saslauthd daemon, it is possible for mail clients to send
        encrypted passwords to the saslauthd daemon. In this
        configuration, the password stored in the LDAP server must be
        encrypted using the same algorithm used to send the encrypted
        password from the mail client to the saslauthd daemon.
        Therefore, you need to force the user to use just one
        authentication mechanism, the one used to store encrypted
        passwords inside the LDAP server. Otherwise, it would be very
        difficult to authenticate users that send passwords encrypted
        in a way different from the one stored in the LDAP server.
    </para>

    <para>
        Another configuration could be to keep mail clients using
        PLAIN authentication over an SSL connection against the
        saslauthd daemon, with saslauthd using PAM. But this time, PAM
        would be configured to extend the default system authentication
        by using an LDAP server. This way, it would be possible to
        isolate user account administration and tightly control the
        kind of information a user might have. For example, the root
        user account would be in the system default authentication,
        whereas all service-specific user information would be in the
        LDAP server. This permits us to create a web application that
        interacts with the LDAP server in order to manage
        service-specific user information only, avoiding any contact
        with the system default authentication, the place where the
        root user is stored. In this PAM configuration, the first match
        that fails means that the whole authentication process fails.
    </para>

    </listitem>
    </varlistentry>
    <varlistentry>
    <term><filename>/etc/pki/cyrus-imapd/cyrus-imapd.pem</filename></term>
    <listitem>
    <para>
        This file is a symbolic link to
        <filename>/etc/pki/tls/certs/cyrus-imapd.pem</filename>. This
        file contains a self-signed SSL certificate you probably
        want to regenerate to set your host name in its <quote>Common
        Name</quote> field. To create this file use the
        following command:
    </para>
    <screen>openssl req -new -x509 -nodes -out /etc/pki/tls/certs/cyrus-imapd.pem -keyout /etc/pki/tls/certs/cyrus-imapd.pem -days 365</screen>

    </listitem>
    </varlistentry>
    </variablelist>
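
    <para>
        The discussion under <filename>/etc/imapd.conf</filename> above
        can be made concrete. The following is an added example, not the
        manual's, Cyrus's or PAM's code: it models SASL PLAIN, where the
        password crosses the wire merely base64-encoded, and CRAM-MD5,
        where the client only sends an HMAC of the server's challenge
        keyed with the password. A backend that holds the plaintext
        secret (sasldb, or an LDAP entry with a recoverable password)
        can recompute that HMAC; a PAM backend only knows how to hash a
        candidate password and compare it with the one-way hash in
        <filename>/etc/shadow</filename>, so handing it the digest
        fails. The shadow entry format and the sample account are
        constructed stand-ins.
    </para>

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict

# Constructed sample account (not a real credential).
USER, PASSWORD = "client", "mail4u"


def plain_initial_response(user: str, password: str) -> bytes:
    """SASL PLAIN (RFC 4616) as the mail client sends it: base64 of
    authzid NUL authcid NUL password. Base64 is encoding, not encryption."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())


def plain_password_on_the_wire(initial_response: bytes) -> str:
    """What anyone between client and server reads when PLAIN is used without SSL."""
    return base64.b64decode(initial_response).split(b"\0")[2].decode()


def cram_md5_challenge(hostname: str = "server.example.com") -> bytes:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unpredictable challenge."""
    return f"<{secrets.token_hex(8)}.{os.getpid()}@{hostname}>".encode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the plaintext password over the
    challenge. The password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5(response: str, challenge: bytes, secrets_db: Dict[str, str]) -> bool:
    """Verification needs the plaintext secret (what sasldb or a recoverable
    LDAP userPassword provides): recompute the HMAC and compare."""
    user, digest = response.split(" ", 1)
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def shadow_hash(password: str, salt: str) -> str:
    """Stand-in for a crypt(3) entry in /etc/shadow. Constructed format
    ($x$salt$hex of salted SHA-256), not a real crypt string."""
    return "$x$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def pam_unix_check(user: str, candidate: str, shadow: Dict[str, str]) -> bool:
    """What pam_unix can do with a credential saslauthd hands it: re-hash it
    with the stored salt and compare. It cannot recover a password from an
    HMAC digest, nor run the HMAC itself, because it has no plaintext secret."""
    entry = shadow.get(user)
    if entry is None:
        return False
    _, _, salt, _ = entry.split("$")
    return hmac.compare_digest(entry, shadow_hash(candidate, salt))


def demo() -> Dict[str, bool]:
    """Run both mechanisms against both backends for the sample account."""
    shadow = {USER: shadow_hash(PASSWORD, "c0nstructedSalt")}
    challenge = cram_md5_challenge()
    response = cram_md5_response(USER, PASSWORD, challenge)
    digest_only = response.split(" ", 1)[1]      # all saslauthd would receive
    return {
        # PLAIN: saslauthd forwards the real password, PAM re-hashes it: works
        "plain_via_pam": pam_unix_check(USER, PASSWORD, shadow),
        # CRAM-MD5: only the digest is available, PAM hashes that instead: fails
        "cram_md5_via_pam": pam_unix_check(USER, digest_only, shadow),
        # CRAM-MD5 against a backend holding the plaintext secret: works
        "cram_md5_via_secret_store": verify_cram_md5(response, challenge, {USER: PASSWORD}),
    }
```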

    <para>
        To start the Cyrus IMAP server, run the following command:
    </para>

    <screen>service cyrus-imapd start</screen>

    <para>
        In case something fails, look into the
        <filename>/var/log/maillog</filename> file, specifically those
        entries containing the imap, pop,
        nntp and cyrus strings. It could be
        useful if, before starting the Cyrus IMAP server, you open a
        terminal and run the following command in it, just to see what
        is happening once the Cyrus IMAP server starts:
    </para>

    <screen>tail -f /var/log/maillog | egrep '(cyrus|imap|pop)'</screen>

    <para>
        Later, to test the STARTTLS negotiation, you can
        run the following command:
    </para>

    <screen>imtest -t "" server.example.com</screen>

    <para>
        To administer mailboxes inside Cyrus IMAP, set a password for
        the cyrus user (e.g., <command>passwd cyrus</command>), log in
        with it, and connect to the Cyrus IMAP server using the
        <command>cyradm</command> command, as shown below:
    </para>

    <screen>cyradm --user=cyrus --auth=login localhost</screen>

    </sect3>

    <sect3 id="configurations-dialup-server-config-sasl">
    <title>Configuring the Mail Server (SASL)</title>
    <para>
        ...
    </para>
    </sect3>

    <sect3 id="configurations-dialup-server-config-web">
    <title>Configuring the Web Server</title>
    <para>
        ...
    </para>
    </sect3>

    <sect3 id="configurations-dialup-server-config-ldap">
    <title>Configuring the Directory Server</title>
    <para>
        ...
    </para>
    </sect3>

    </sect2>

</sect1>