[Qvcs-CVS] qvcs-guide qvcs-guide.xml,1.5,1.6 yumgroups.xml,1.3,1.4
From: <gr...@us...> - 2003-07-09 03:14:03
Update of /cvsroot/qvcs-guide/qvcs-guide In directory sc8-pr-cvs1:/tmp/cvs-serv14761 Modified Files: qvcs-guide.xml yumgroups.xml Log Message: Done, except for proofing and upgrade path. Index: qvcs-guide.xml =================================================================== RCS file: /cvsroot/qvcs-guide/qvcs-guide/qvcs-guide.xml,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** qvcs-guide.xml 30 Jun 2003 11:42:04 -0000 1.5 --- qvcs-guide.xml 9 Jul 2003 03:13:58 -0000 1.6 *************** *** 603,609 **** editor and locate the [auth] section. Change the <varname>elvis</varname> parameter to reflect the virtual user ! that you have just added. For a <varname>domain</varname> add ! the domain name that you have just created using ! <command>addvirt</command>. E.g. for me that would be: </para> <programlisting> --- 603,609 ---- editor and locate the [auth] section. Change the <varname>elvis</varname> parameter to reflect the virtual user ! that you have just added. Note, that an elvis user ! <emphasis>must</emphasis> be a virtual user, or you won't be ! able to get domain editing access. </para> <programlisting> *************** *** 612,616 **** force_https = yes elvis = albus@hogwarts.jk - domain = hogwarts.jk </programlisting> </sect1> --- 612,615 ---- *************** *** 629,633 **** <Directory "/usr/share/squirrelmail"> SetEnv CRYPTO_HASH_LINE "Draco Dormiens Nunquam Titillandus" ! SetEnv MCRYPT_ALGO "blowfish" </Directory> </programlisting> --- 628,632 ---- <Directory "/usr/share/squirrelmail"> SetEnv CRYPTO_HASH_LINE "Draco Dormiens Nunquam Titillandus" ! SetEnv MCRYPT_ALGO "rc4_builtin" </Directory> </programlisting> *************** *** 635,641 **** <para> You can set the <varname>MCRYPT_ALGO</varname> to something ! other than "blowfish" if you ! wish. "Blowfish" is a good fast algorithm, but you ! 
may choose among the following: <simplelist type="inline"> <member>blowfish</member> --- 634,640 ---- <para> You can set the <varname>MCRYPT_ALGO</varname> to something ! other than "rc4_builtin" if you want stronger ! encryption than rc4. "Blowfish" is a good fast ! algorithm, but you may choose among the following: <simplelist type="inline"> <member>blowfish</member> *************** *** 692,696 **** deleting users, activating domains, setting quotas, etc. To log in, surf to ! <userinput>https://mail.hogwarts.jk</userinput> and log in as the user you have specified as "elvis" in vadmin configuration. Once you log in, click on "options" --- 691,695 ---- deleting users, activating domains, setting quotas, etc. To log in, surf to ! <userinput>https://mail.hogwarts.jk/</userinput> and log in as the user you have specified as "elvis" in vadmin configuration. Once you log in, click on "options" *************** *** 698,725 **** presented somewhere on the page. </para> - <note> - <para> - If you are not seeing an "Administrator Interface" - option, check the following two things: - <orderedlist> - <listitem> - <para> - Make sure you are logging in as the user specified as - "elvis". - </para> - </listitem> - <listitem> - <para> - Make sure you are logging in to the domain you have - specified in the [auth]->domain section of - <filename>vadmin.conf</filename>. It can be a - subdomain -- does not really matter, but at some point - they have to match. See "A note on DNS" in - the previous chapter for some tips. - </para> - </listitem> - </orderedlist> - </para> - </note> <para> The administrator interface starts with a login screen. Type --- 697,700 ---- *************** *** 806,809 **** --- 781,812 ---- </para> </sect1> + <sect1> + <title>Automated Updates Using Yum</title> + <para> + The tool we have used for installation -- + <application>yum</application> is an automated + installer/updater that is a free substitute for up2date. 
One + of the most important aspects of running a server is keeping + it constantly patched, so any security vulnerabilities are + closed as soon as Red Hat issues fixes. + </para> + <para> + If your installation is more or less a vanilla setup of + &qvcs;, then you might consider enabling automated nightly + updates of your system, so any errata packages are applied as + soon as they are released. To do so, run: + </para> + <programlisting> + &prompt; <userinput>chkconfig yum on</userinput> + &prompt; <userinput>service yum start</userinput> + </programlisting> + <para> + If you feel edgy about having an automated updater tool + running on your system, you may leave yum disabled, but then + please subscribe to the redhat errata notification list, so + you know when updates are being released. Don't let your server + become an internet statistic. :) + </para> + </sect1> </chapter> <chapter> *************** *** 821,825 **** piece of software, is not entirely free in terms of freedom of use. It comes with a fairly restrictive license, which in part ! prohibits me from distributing modified versions. Due to this restriction I am unable to ship a binary package that enables most of the advanced features that are mentioned in this --- 824,828 ---- piece of software, is not entirely free in terms of freedom of use. It comes with a fairly restrictive license, which in part ! prohibits me from distributing modifications. Due to this restriction I am unable to ship a binary package that enables most of the advanced features that are mentioned in this *************** *** 839,842 **** --- 842,846 ---- </para> <note> + <title>Backslashes</title> <para> I am using backslashes in the following set of commands to *************** *** 929,933 **** --- 933,1065 ---- email (SSL interface for the webmail is discussed later). 
</para> + <para> + So, once you have decided on which domain name you are going + to use as your main SSL host, go ahead and fill out the + "Common Name" field in the test certificate. I'll + use "mail.quibbler.jk" for my examples. + </para> </note> + <para> + Once you're done, you will see a + <filename>stunnel.pem</filename> in that directory. A good + place for it to be is <filename>/etc/sslcert.pem</filename> so + it can be easily backed up. + </para> + <programlisting> + &prompt; <userinput>mv stunnel.pem /etc/sslcert.pem</userinput> + </programlisting> + <sect2> + <title>Enabling SSL in Qmail</title> + <para> + Qmail never runs as user root, so we will need to change the + ownership on the ssl certificate to that of user + "qmaild": + </para> + <programlisting> + &prompt; <userinput>chown qmaild /etc/sslcert.pem</userinput> + &prompt; <userinput>chmod u-w /etc/sslcert.pem</userinput> + &prompt; <userinput>ln -s /etc/sslcert.pem /etc/qmail/control/servercert.pem</userinput> + &prompt; <userinput>service qmail restart</userinput> + </programlisting> + </sect2> + <sect2> + <title>Enabling SSL in Courier-IMAP</title> + <para> + The helpful courier-imap has already generated some SSL + certs for itself to use, but we'll need to replace them with + the centralized one, so there is only one ssl certificate on + the machine: + </para> + <programlisting> + &prompt; <userinput>cd /usr/share/courier-imap</userinput> + &prompt; <userinput>rm imapd.pem pop3d.pem</userinput> + &prompt; <userinput>ln -s /etc/sslcert.pem imapd.pem</userinput> + &prompt; <userinput>ln -s /etc/sslcert.pem pop3d.pem</userinput> + &prompt; <userinput>service courier-imap restart</userinput> + </programlisting> + </sect2> + <sect2> + <title>Enabling SSL in Apache</title> + <para> + Almost the exact same set of actions for Apache. 
+ </para> + <programlisting> + &prompt; <userinput>cd /etc/httpd/conf</userinput> + &prompt; <userinput>rm ssl.crt/server.crt ssl.key/server.key</userinput> + &prompt; <userinput>ln -s /etc/sslcert.pem ssl.crt/server.crt</userinput> + &prompt; <userinput>ln -s /etc/sslcert.pem ssl.key/server.key</userinput> + &prompt; <userinput>service httpd restart</userinput> + </programlisting> + </sect2> + <sect2> + <title>Vadmin And SSL Enforcement</title> + <para> + You may wish to enforce SSL in vadmin, so all your clients + are redirected to an SSL site. Open + <filename>/etc/vadmin/vadmin.conf</filename> in your editor + and locate a commented-out section called + "[redirect]". Remove the semicolons and change it + so it looks like so: + </para> + <programlisting> + [redirect] + https = yes + host = mail.quibbler.jk + path = / + </programlisting> + <para> + Now if you go to mail.hogwarts.jk, it will transparently + redirect you to https://mail.quibbler.jk/, thus ensuring + that all your communication with the server is secured. + </para> + </sect2> + <sect2> + <title>Obtaining a Real SSL Certificate</title> + <para> + Depending on how serious you want to be, you might want to + go ahead and obtain a real SSL certificate, as sold by the + Certification Authorities. Obtaining an SSL certificate is + usually a painful and expensive process -- they run for + about $150 per year per hostname. Several companies provide + CA services; for more information go to <ulink + url="http://www.whichssl.com/">www.whichssl.com</ulink>. If + you are not worried about your clients seeing warning + messages in their browsers about unrecognized signing + authorities, then you may skip this part -- your self-signed + certificate is just as secure. + </para> + <para> + Trained monkeys working at the CA companies should be able + to walk you through the process once you have decided that + you want a real certificate and picked which company you + want to spend money with. 
Once you have the real certificate + made out for the domain name that you have picked, you will + need to make a .pem file out of the .crt and .key parts + (unless they can give you a .pem file in the first + place). This is done by simply concatenating the .crt and + .key files together. E.g.: + </para> + <programlisting> + &prompt; <userinput>cat server.key server.crt > sslcert.pem</userinput> + </programlisting> + <para> + If your key is protected by a passphrase, you will need to + remove it before making a .pem, as otherwise every time the + server restarts you will need to enter the passphrase + manually, plus qmail SSL will simply not work. To remove the + passphrase, perform the following actions: + </para> + <programlisting> + &prompt; <userinput>openssl rsa -in server.key -out nopass.key</userinput> + &prompt; <userinput>mv nopass.key server.key</userinput> + </programlisting> + <para> + Once you have the sslcert.pem file, just replace our + self-signed certificate in + <filename>/etc/sslcert.pem</filename> and restart the + services (qmail, courier-imap, httpd). Congratulations, + you've now officially sold your soul to the big business. :) + </para> + </sect2> </sect1> *************** *** 1025,1034 **** </programlisting> </sect2> </sect1> </chapter> ! ! ! ! --- 1157,1392 ---- </programlisting> </sect2> + <sect2> + <title>Authenticated SMTP</title> + <note> + <para> + You will need SSL enabled for Qmail in order for this to + work, so refer to the previous section if you haven't yet + done this. + </para> + </note> + <para> + Naturally, if your clients tend to travel and bring their + laptops with them, then specifying the allowed IP ranges is + not going to work. Authenticated SMTP allows relaying of + email messages only for people who already have accounts on + the server. In fact, this is the preferred way of relaying + these days. 
+ </para> + <para> + Open <filename>/etc/xinetd.d/smtp</filename> in your + favorite browser and edit the server-args line so it looks + like so (<emphasis>NOTE: The following is all on one + line!</emphasis>): + </para> + <programlisting> + server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd mail.quibbler.jk /usr/bin/chk_vmauth + </programlisting> + <para> + Naturally, replace "mail.quibbler.jk" with the + name of your mail server (the one specified in the SSL + certificate). After you're done editing that file, run: + </para> + <programlisting> + &prompt; <userinput>service xinetd restart</userinput> + </programlisting> + </sect2> + </sect1> + <sect1> + <title>Email filtering</title> + <para> + This seems to be a popular request, and &qvcs; is certainly + capable of providing the infrastructure needed for + this. However, let me start with a huge warning. + </para> + <warning> + <title>Huge Warning</title> + <para> + Email filtering requires some <productname>VERY BEEFY + HARDWARE</productname>. If your mail server sees some + significant email traffic, and I'm talking upwards of 5-10 + thousand emails a day, you will want to have some serious + iron for hardware, especially in terms of RAM and processor + speed. If you have less than 1G of high-speed memory, the + server performance will degrade significantly, and anyone + putting a less-than AMD/P4 2GHz for this will regret + their foolishness. You have been forewarned. + </para> + </warning> + <sect2> + <title>Packages</title> + <para> + You will need a set of packages for filtering email, namely + <application>qmail-scanner</application>. We will use yum to + get them. 
+ </para> + <programlisting> + &prompt; <userinput>yum groupinstall "QVCS Filter"</userinput> + </programlisting> + <note> + <para> + If you have gotten yourself an unresolved dependency to + qmail-qmailqueue-patch, then you should've paid attention + to the part where I was talking about rebuilding qmail to + support the advanced features. + </para> + </note> + </sect2> + <sect2> + <title>Spamassassin</title> + <para> + Now let's enable spamassassin. Since we are using virtual + users, there are certain things we will need to turn off in + order for it not to complain. Open + <filename>/etc/sysconfig/spamassassin</filename> in your + editor and change the <varname>SPAMDOPTIONS</varname> line + to be the following: + </para> + <programlisting> + SPAMDOPTIONS="-d -c -a -x -u nobody" + </programlisting> + <para> + Now let's start it: + </para> + <programlisting> + &prompt; <userinput>chkconfig spamassassin on</userinput> + &prompt; <userinput>service spamassassin start</userinput> + </programlisting> + <para> + Now let's tell qmail-scanner that it can use + spamassassin. The following command will reconfigure it (you + don't have to answer the questions if you run with + --assumeyes). + </para> + <programlisting> + &prompt; <userinput>qmail-scanner-reconfigure --assumeyes</userinput> + </programlisting> + <para> + Not done yet! Now you have to edit + <filename>/etc/hosts.allow</filename> and change your + tcp-env : ALL line as follows: + </para> + <programlisting> + tcp-env: ALL : setenv QMAILQUEUE /var/qmail/bin/qmail-scanner-queue.pl + </programlisting> + <para> + Now you've done it! + </para> + </sect2> + <sect2> + <title>How to filter out spam</title> + <para> + If you now look at the headers of your email messages, you + will see something like this: + </para> + <programlisting> + Received: from luna@quibbler.jk by peeves by uid 500 with qmail-scanner-1.16 + (spamassassin: 2.44. Clear:SA:0(0.4/5.0):. 
+ Processed in 3.495582 secs); 09 Jul 2003 02:53:49 -0000 + X-Spam-Status: No, hits=0.4 required=5.0 + </programlisting> + <para> + The key here is the header + <varname>X-Spam-Status</varname>. All you have to do is + configure your email client to look for that header, and if + it contains "Yes", either move the message into + the Junk folder, or assign it a low priority. Simply + deleting messages marked as <varname>X-Spam-Status: + Yes</varname> is not at all advised, as any automated system + will have false-positives, meaning that you can lose + important email. + </para> + </sect2> + <sect2> + <title>Virus filtering</title> + <para> + You can also use <application>qmail-scanner</application> to + set up virus scanning, but that is not covered here. Feel + free to ask around on the lists, perhaps someone has done + it. + </para> + </sect2> </sect1> </chapter> ! <chapter> ! <title>Finalizing it all</title> ! <para> ! Your mail system is set up. If you have encountered any problems ! during the install, then consult the documentation provided with ! the misbehaving component -- it will most likely tell you whom ! to contact for support. If everything is running smoothly and ! you are happy with your system, then congratulations -- you've ! got yourself one of the best solutions for a pop-toaster out ! there. ! </para> ! <sect1> ! <title>Why this is not recommended for large systems</title> ! <para> ! The only reason this is not recommended for large systems is ! because SquirrelMail is currently not very scalable -- you ! cannot easily run it on a server farm, since both SquirrelMail ! and Vadmin save their preferences onto the HDD (a trade-off ! for not requiring a database engine). However, if you decide ! not to use SquirrelMail/Vadmin, then Qmail-VmailMgr-Courier is ! definitely a strong enough solution to be run on high-demand ! servers, but this has its own set of requirements and is not ! covered under this guide. ! </para> ! </sect1> ! <sect1> ! 
<title>Subsribe to the mailing lists!</title> ! <para> ! No, honestly, do so. Subscribe to the following two mailing lists: ! </para> ! <itemizedlist> ! <listitem> ! <para> ! <email>qvc...@li...</email> ! </para> ! </listitem> ! <listitem> ! <para> ! <email>qvc...@li...</email> ! </para> ! </listitem> ! </itemizedlist> ! ! <para> ! The first one will notify you when newer RPMs become ! available, and the second one will tell you of any other ! happenings. To subscribe to these lists please go to the ! qvcs-guide website, at <ulink ! url="&qvcsbase;">&qvcsbase;</ulink>. ! </para> ! </sect1> ! <sect1> ! <title>Corrections and Comments</title> ! <para> ! If you've found a mistake in this document which you would ! like to correct, or would just like to comment on something, ! please send a message to ! <email>qvc...@li...</email> so I can ! make the correction or read your comments. You may also check ! the qvcs-guide website at <ulink ! url="&qvcsbase;">&qvcsbase;</ulink> for the latest version of ! this document. ! </para> ! </sect1> ! <sect1> ! <title>Thank you and good luck! ;)</title> ! <para> ! If you found this Guide useful, please let me know by executing: ! </para> ! <programlisting> ! &prompt; <userinput>uname -a | mail ic...@du... -s 'Thanks'</userinput> ! </programlisting> ! </sect1> ! </chapter> ! <chapter> ! <title>Going from 7.3 to 9</title> ! <para> ! Lots of pain and suffering. ! </para> ! </chapter> Index: yumgroups.xml =================================================================== RCS file: /cvsroot/qvcs-guide/qvcs-guide/yumgroups.xml,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** yumgroups.xml 26 Jun 2003 15:04:08 -0000 1.3 --- yumgroups.xml 9 Jul 2003 03:13:58 -0000 1.4 *************** *** 41,47 **** </group> <group> ! <id>qvcs-advanced</id> ! <name>QVCS Advanced</name> ! <description>Advanced QVCS packages</description> <uservisible>true</uservisible> <grouplist> --- 41,47 ---- </group> <group> ! 
<id>qvcs-filter</id> ! <name>QVCS Filter</name> ! <description>QVCS packages needed for Email Filtering</description> <uservisible>true</uservisible> <grouplist> |
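Review bot: the `SetEnv MCRYPT_ALGO` example inside the Apache `<Directory "/usr/share/squirrelmail">` block (the 629,633 hunk) now defaults to "rc4_builtin", and the paragraph that follows (the 635,641 hunk) concedes that rc4 is the weaker choice, yet neither hunk says why the default moved away from blowfish. Say why in the text, and keep blowfish, which still heads the `<simplelist>` of choices, as the value to pick whenever it is available, so a reader who copies the listing does not silently end up with the weaker cipher. While in that listing, the unchanged `SetEnv CRYPTO_HASH_LINE "Draco Dormiens Nunquam Titillandus"` is an example secret; add a sentence telling the reader to replace it with a value of their own, since every installation that copies it verbatim shares the same secret.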
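Review bot: the `<note>` deleted in the 698,725 hunk drops both "Administrator Interface" troubleshooting checks, but only the second one went stale: it referred to the `[auth]->domain` setting, which the 612,616 hunk removes (`domain = hogwarts.jk`). The first check, making sure you are logging in as the "elvis" user, still applies and is now the more likely mistake, given that the 603,609 hunk makes elvis a virtual user. Suggest keeping a one-item `<note>` with just that check rather than removing the whole block.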
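Review bot: the new "Automated Updates Using Yum" `<sect1>` (806,809 hunk) turns on unattended nightly updates with `chkconfig yum on` / `service yum start` but does not warn that a stock qmail errata package can overwrite a locally rebuilt qmail, which this same commit relies on later (the qmail-scanner `<note>` about the unresolved qmail-qmailqueue-patch dependency assumes the reader rebuilt qmail for the advanced features). Add a sentence telling readers who rebuilt qmail to exclude it from automatic updates (yum.conf's `exclude=` directive) and to track qmail errata by hand, since "keeping it constantly patched" and "ship a rebuilt qmail" pull in opposite directions here. Minor: "the redhat errata notification list" should read "the Red Hat errata notification list".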
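Review bot: the "Enabling SSL in Qmail" listing in the 929,933 hunk leaves the combined key-and-certificate file readable by every local account. `chown qmaild /etc/sslcert.pem` followed by `chmod u-w /etc/sslcert.pem` only drops the owner's write bit and says nothing about group/other read, and the same file is then symlinked into courier-imap (`imapd.pem`, `pop3d.pem`) and Apache (`ssl.crt/server.crt`, `ssl.key/server.key`), so whatever accounts those daemons read it as also need access; the path of least resistance is a world-readable private key shared by three services, and a compromise of any one of them exposes the key for all. Suggest either a dedicated group containing the three service accounts with `chmod 640 /etc/sslcert.pem`, or one copy per service owned by that service's user, and spell out the intended mode in the listing. The same applies under "Obtaining a Real SSL Certificate": `cat server.key server.crt > sslcert.pem` and `openssl rsa -in server.key -out nopass.key` both write an unencrypted private key with whatever the current umask allows, so prefix them with `umask 077` or follow them with an explicit chmod. One wording point in that section: "your self-signed certificate is just as secure" is true of the encryption but not of authentication; a user who clicks through the browser warning cannot tell the server's certificate from a substituted one, so suggest "just as strong for encryption, provided your users verify the certificate fingerprint out of band" or similar.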
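Review bot: in the "Authenticated SMTP" `<sect2>` of the 1025,1034 hunk, the `server_args` line adds `/usr/bin/chk_vmauth` as the authenticator, but the section never states whether this qmail-smtpd refuses AUTH on a session that has not negotiated TLS. Since chk_vmauth validates the users' mailbox passwords and the section is written for travelling clients, the `<note>` that SSL is required should say explicitly that AUTH is only offered or accepted over TLS; if the build does not enforce that, say so, because clients will otherwise send passwords in the clear. Editorial nits in the same hunk: "Open /etc/xinetd.d/smtp in your favorite browser" should read "editor"; the `<sect1>` title "Subsribe to the mailing lists!" is missing a letter ("Subscribe"); and the "Going from 7.3 to 9" chapter body ("Lots of pain and suffering.") is a placeholder, which matches the commit message's "except for proofing and upgrade path" but should not ship as-is.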
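Review bot: in yumgroups.xml the group `<id>` changes from `qvcs-advanced` to `qvcs-filter` and the `<name>` to "QVCS Filter", which matches the new `yum groupinstall "QVCS Filter"` instruction in qvcs-guide.xml; check that no earlier chapter still tells the reader to install "QVCS Advanced", and consider keeping the old id as a second group with the same `<grouplist>` for anyone following the previous revision of the guide, since `groupinstall` with the old name will now simply fail.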