Setting Up Your Ubuntu 8.10 VPS with VPS Ville Pt. 2 FTP, Users, Mail
Friday, February 27, 2009 1:12
8. Setting up FTP
To start, install the FTP server:
apt-get -y install vsftpd
Now all we have to do is configure it:
nano /etc/vsftpd.conf
We don’t want people logging in anonymously so change “anonymous_enable=YES” to:
anonymous_enable=NO
You also want to uncomment [remove the # in front] these lines:
#local_enable=YES
#write_enable=YES
Ctrl + O, then Enter to save. Ctrl + X to exit. Now restart the FTP daemon:
/etc/init.d/vsftpd restart
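An added check for the three settings edited above (not part of the original post): it skips commented lines and falls back to the defaults documented in vsftpd.conf(5) when a key is unset. The function names and the sample file are made up for this example, and it assumes the last uncommented occurrence of a key wins.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are made up here.

# vsftpd_effective FILE KEY: print the value of the last uncommented KEY=VALUE
# line (assumption: the last occurrence wins). Prints nothing if KEY is unset.
vsftpd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # "#local_enable=YES" is inert
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            sub(/[ \t\r]+$/, "", val)
        }
        END { print val }' "$1"
}

# vsftpd_audit FILE: compare the effective settings with the ones this section
# asks for. Returns 0 only if all three match.
vsftpd_audit() {
    conf=$1; rc=0
    for want in anonymous_enable=NO local_enable=YES write_enable=YES; do
        key=${want%%=*}; expected=${want#*=}; note=""
        actual=$(vsftpd_effective "$conf" "$key")
        if [ -z "$actual" ]; then
            # Unset keys fall back to the vsftpd.conf(5) defaults.
            case $key in anonymous_enable) actual=YES ;; *) actual=NO ;; esac
            note=" (default, not set in file)"
        fi
        if [ "$actual" = "$expected" ]; then
            echo "ok   $key=$actual$note"
        else
            echo "FAIL $key=$actual$note, expected $expected"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the three lines as they stand before the edits.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' '#local_enable=YES' '#write_enable=YES' > "$sample"
vsftpd_audit "$sample" || echo "vsftpd.conf still needs the edits"
rm -f "$sample"
```

Run it as `vsftpd_audit /etc/vsftpd.conf` after saving the file. A commented-out anonymous_enable line is reported as YES, because that is the built-in default.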
We can’t really test this until we get another user set up, so let’s lose the root account.
9. Losing Root
It’s never a good idea to be running as root for long periods of time in any Linux distro, and Ubuntu is no exception. So we are going to create ourselves a user and ditch root, so that root cannot be logged into via traditional means.
In order to gain root privileges as a user you use a command called sudo (super user do). In order to have the privilege of using sudo you have to be part of the admin group. So let’s create the admin group:
addgroup admin
Now let’s create a user [replace username with desired username]:
adduser username
You’ll be prompted to create a password; don’t forget it. I suggest making it very long [20+ characters] and random, because you can’t be too paranoid. Use Google; there are many password creators out there. Now we have to add the user to the admin group:
adduser username admin
For some reason this footprint doesn’t match up with official Ubuntu documentation so we have to make it so users in the admin group can have sudo privileges:
nano /etc/sudoers
Add the following lines to the end of the file:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
Ctrl + O, and Enter to save. Ctrl + X to exit. Now logout:
exit
Reconnect to the server using your new username:
username@vpsipaddress
Enter the password you created for the user.
Now we make the root account inaccessible to any login attempt:
sudo passwd -l root
If your sudo is not working correctly, pull a reboot through your VPSVille Control Panel.
8.5 Test FTP
Basically, any time after you have created your new user you can test the FTP server. The username and password are your user’s username and password.
10. Mail Server
This next part is kind of long. If you experience problems with openssl, I suggest just restarting the server; I find that works.
Make sure you are in your home directory:
cd ~
First off, let’s start with installing a mail server:
sudo apt-get -y install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
Select Ok on the next screen.
General type of mail configuration: [enter]
System mail name: [enter]
Now we need to configure it even deeper:
sudo dpkg-reconfigure postfix
You’re going to be asked a bunch of questions:
General type of mail configuration: <- Internet Site
System mail name: <- server.someaddress.com
Root and postmaster mail recipient: <- [blank]
Other destinations to accept mail for (blank for none): <- server.someaddress.com, localhost.someaddress.com, localhost.localdomain, localhost [change this one]
Force synchronous updates on mail queue? <- No
Local networks: <- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Use procmail for local delivery? <- Yes
Mailbox size limit (bytes): <- 0
Local address extension character: <- +
Internet protocols to use: <- all
Next do:
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_authenticated_header = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Open smtpd.conf:
sudo nano /etc/postfix/sasl/smtpd.conf
Add the following lines to the end of the file:
pwcheck_method: saslauthd
mech_list: plain login
Create an RSA key:
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
You’re going to be prompted for a pass phrase. Go find an online password generator and generate a password; it’s recommended to be AT LEAST 8 characters. Use that for the pass phrase, and remember that password.
Generate a Certificate Signing Request:
openssl req -new -key smtpd.key -out smtpd.csr
You’ll have to enter the pass phrase you entered before.
You’ll also be prompted with a few questions. You could really leave them all blank. I don’t think it even really matters. Fill in as you see fit:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Finally create the security certificate:
sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
Enter your pass phrase again.
Do:
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
Enter your pass phrase again.
Change the name of the file:
mv -f smtpd.key.unencrypted smtpd.key
Do:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
When it asks for a PEM key I just entered the same pass phrase I had been using. You’ll be asked the same questions as you had answered earlier.
Change file permissions:
chmod 600 smtpd.key
Create final directory for these:
sudo mkdir /etc/postfix/ssl
Now move everything to its final directory.
sudo mv * /etc/postfix/ssl
Configure Postfix to provide TLS encryption for both incoming and outgoing mail:
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_use_tls = yes'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
You need to know your hostname:
hostname
Then:
sudo postconf -e 'myhostname = hostname'
I suggest using your server’s hostname, but you don’t have to. You could easily make it mail.somedomain.com or whatnot.
Restart Postfix:
sudo /etc/init.d/postfix restart
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
sudo mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes [NOTE: lower case "yes"] and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
sudo nano /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
Next add the postfix user to the sasl group:
sudo adduser postfix sasl
Now restart Postfix and start saslauthd:
sudo /etc/init.d/postfix restart
sudo /etc/init.d/saslauthd start
Test to make sure it’s up and running:
telnet localhost 25
Then:
ehlo localhost
Then:
quit
You should see some kind of output like this:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 your-localhost-name ESMTP Postfix (Ubuntu)
ehlo localhost
250-your-localhost-name
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
You’ll see the three commands on lines 1, 6, and 18.
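The transcript above comes from a session that never issued STARTTLS, yet it advertises AUTH LOGIN PLAIN. The following added example (not part of the original post; the function names are made up here) reads such an EHLO reply and reports whether password mechanisms are offered before encryption.

```shell
#!/bin/sh
# Added example, not part of the original post.
# ehlo_findings reads the reply to EHLO from a session that has NOT yet
# issued STARTTLS (stdin) and reports what a client may do in the clear.
ehlo_findings() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from a capture
        !/^250[- ]/ { next }                    # only EHLO capability lines
        { sub(/^250[- ]/, ""); gsub(/=/, " ") } # "AUTH=LOGIN PLAIN" -> fields
        $1 == "STARTTLS" { tls = 1 }
        $1 == "AUTH" {
            auth = 1
            for (i = 2; i <= NF; i++)
                if ($i == "PLAIN" || $i == "LOGIN") clear = 1
        }
        END {
            if (tls) print "ok: STARTTLS offered"
            else { print "FAIL: STARTTLS not offered"; bad = 1 }
            if (!auth)
                print "ok: no AUTH before TLS"
            else if (clear) {
                print "WARN: PLAIN/LOGIN offered before TLS (base64 only, not encrypted)"
                bad = 1
            } else print "ok: AUTH offered without PLAIN/LOGIN"
            exit bad + 0
        }'
}

# The EHLO reply from the transcript above.
page_sample() {
    cat <<'EOF'
250-your-localhost-name
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

page_sample | ehlo_findings || echo "review smtpd_tls_auth_only"
```

With `smtpd_tls_auth_only = yes`, Postfix stops advertising AUTH until the client has completed STARTTLS, which clears the warning.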
11. Courier-IMAP/Courier-POP3
Do, NOTE: All one command!
sudo apt-get -y install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0
You will be asked two questions:
Create directories for web-based administration? No
SSL certificate required OK [only option]
Lastly:
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
sudo /etc/init.d/postfix restart
End Part 2
I originally wanted to get more done in this section, but it’s so long and I had lots of trouble with openssl because of the way Ubuntu is set up and when in the process we have to do it.
We have a fairly good server setup and we are on the home stretch; however, we need to create a structure that will let us upload files to the server effectively. We’ll cover that and more in Part 3.





















