4elements, web design and consultancy

MacMini Server 2011 Part IV

    By request (I received many requests for this section), here is the uncut version of Part IV: Settings. It still needs rewriting and updating, but that is for later.


    Part IV: Settings.

    ======== Webmin ========
    Post-Installation Wizard
    - Install Virtualmin
    - Install Virtualmin template
    - DNS needs to be set up
    - PostgreSQL
    - MySQL

    Go to your Webmin URL in Safari or Firefox:
    https://your.givenname.com:10000
    Log in as root with the root password.

    Click on Webmin at the left -> Webmin Configuration.
    Click on Webmin Modules and select + install Virtualmin.
    Click on Return to Webmin configuration.
    Click on Webmin Themes -> Install theme.
    Click on Return to themes list.
    Select the Virtualmin template and click on Change...

    The page will reload and show the new template.
    Click on Webmin, top left.
    Click on "Servers" in the left menu.
    Click on BIND DNS Server.

    ======== DNS ========
    DNS module Configuration
    Display options:
    Reverse zone must exist? yes
    Zone file options:
    Serial number style: Date based (YYYYMMDDnn)

    DNS Configuration:
    Addresses and Topology
    Ports and addresses: Listed below
    Port number: 53
    Addresses: any

    Zone Defaults
    Allow transfers from.. default
    Refresh time: 10800
    Expiry time: 1209600
    Transfer retry time: 3600
    Negative cache time: 10800
    Default email address: the email address you would like to use
    Default nameserver for master domains: ns01.servername.com
    and press save.

    Then create a default master zone for the domain used for your host name.
    (This domain name will also be used for the name server and the mail server.)
    It should look like this.

    $ttl 10800
    domainname.com. IN SOA ns01.domainname.com. info.domainname.com. (
    2011102600
    10800
    3600
    1209600
    10800 )
    domainname.com. IN A xx.xx.xx.xx
    www.domainname.com. IN A xx.xx.xx.xx
    mail.domainname.com. IN A xx.xx.xx.xx
    ftp.domainname.com. IN A xx.xx.xx.xx
    ns01.domainname.com. 14400 IN A xx.xx.xx.xx
    ns02.domainname.com. 14400 IN A xx.xx.xx.xx
    domainname.com. 86400 IN NS ns01.domainname.com.
    domainname.com. 86400 IN NS ns02.domainname.com.
    domainname.com. IN MX 10 mail.domainname.com.

    Now go to your domain registrar and, in the DNS section, add:
    ns01.yourdomain.com - IP address here
    ns02.yourdomain.com - IP address here
    It can take up to 24 hours before the change has propagated
    (depending on the domain registrar you use).
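As an added example (not part of the original post), a small Python checker for a zone in the layout shown above: it verifies that the serial follows the date-based YYYYMMDDnn style chosen in the module configuration, that the SOA timers are consistent, that every in-zone NS and MX target has an A record (glue), and that the two name servers do not resolve to a single address. The sample zone is constructed, with RFC 5737 documentation addresses standing in for xx.xx.xx.xx.

```python
import re
from ipaddress import ip_address

# Constructed sample zone in the same layout as the one above, with RFC 5737
# documentation addresses standing in for the xx.xx.xx.xx placeholders.
SAMPLE_ZONE = """\
$ttl 10800
domainname.com. IN SOA ns01.domainname.com. info.domainname.com. (
2011102600
10800
3600
1209600
10800 )
domainname.com. IN A 192.0.2.10
www.domainname.com. IN A 192.0.2.10
mail.domainname.com. IN A 192.0.2.10
ftp.domainname.com. IN A 192.0.2.10
ns01.domainname.com. 14400 IN A 192.0.2.10
ns02.domainname.com. 14400 IN A 192.0.2.10
domainname.com. 86400 IN NS ns01.domainname.com.
domainname.com. 86400 IN NS ns02.domainname.com.
domainname.com. IN MX 10 mail.domainname.com.
"""


def parse_zone(text):
    """Parse the record shapes used above: optional TTL, class IN, and a
    multi-line SOA in parentheses. Returns (soa_dict, [(owner, type, rdata)])."""
    # Fold the parenthesised SOA fields back onto the SOA line.
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    soa, records = None, []
    for raw in flat.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):     # skip $ttl and blank lines
            continue
        fields = line.split()
        owner = fields.pop(0)
        if fields[0].isdigit():                  # optional per-record TTL
            fields.pop(0)
        if fields[0].upper() == "IN":            # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            soa = dict(zip(keys, rdata), owner=owner)
            for k in ("refresh", "retry", "expire", "minimum"):
                soa[k] = int(soa[k])
        else:
            records.append((owner, rtype, tuple(rdata)))
    return soa, records


def check_zone(text):
    """Return a list of (code, message) findings; an empty list means the zone passed."""
    soa, records = parse_zone(text)
    if soa is None:
        return [("NO_SOA", "zone has no SOA record")]
    findings = []
    # Serial must be YYYYMMDDnn, the style selected under "Serial number style".
    m = re.fullmatch(r"\d{4}(\d{2})(\d{2})\d{2}", soa["serial"])
    if not m or not (1 <= int(m.group(1)) <= 12 and 1 <= int(m.group(2)) <= 31):
        findings.append(("SERIAL_FORMAT", "serial %s is not YYYYMMDDnn" % soa["serial"]))
    # Secondaries keep retrying until expire; an expire below refresh+retry drops the zone early.
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append(("EXPIRE_TOO_SHORT", "expire must exceed refresh + retry"))
    # Collect A records per owner; placeholders and malformed addresses are flagged.
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            owned = addrs.setdefault(owner, set())
            try:
                owned.add(str(ip_address(rdata[0])))
            except ValueError:
                findings.append(("BAD_ADDR", "%s A %s is not an IP address" % (owner, rdata[0])))
    # Every NS or MX target inside this zone needs an A record (glue).
    ns_addrs = set()
    for owner, rtype, rdata in records:
        target = rdata[-1]
        if rtype in ("NS", "MX") and target.endswith("." + soa["owner"]):
            if target not in addrs:
                findings.append(("MISSING_GLUE", "%s target %s has no A record" % (rtype, target)))
            elif rtype == "NS":
                ns_addrs |= addrs[target]
    ns_count = sum(1 for _, rtype, _ in records if rtype == "NS")
    if ns_count >= 2 and len(ns_addrs) == 1:
        findings.append(("NS_SINGLE_HOST",
                         "all name servers share one address; a second NS on the same host adds no redundancy"))
    return findings
```

Run against the zone above with every host on one IP, the only finding is NS_SINGLE_HOST; registering ns02 on a second machine clears it.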

    ======== PostgreSQL ========
    If you have not already done so, start the server and let it load,
    then quit the server (PostgreSQL will be configured and activated now).

    Under Un-used Modules at the right, pick PostgreSQL.
    Click on Module Config.

    Options:
    Administrator login: _postgres
    password: set password to your root password.

    System configuration:
    Path to psql command: /usr/bin/psql
    Path to PostgreSQL shared libraries: /usr/lib/postgresql
    Initial PostgreSQL database: template1
    Command to start PostgreSQL: su _postgres -c "/usr/bin/pg_ctl -D/private/var/pgsql"
    Path to postmaster PID file: /private/var/pgsql/postmaster.pid
    Paths to host access config file: /private/var/pgsql/pg_hba.conf
    Path to pg_dump command: /usr/bin/pg_dump
    Path to pg_restore command: /usr/bin/pg_restore
    Press Save and the PostgreSQL web interface loads.

    ======== MySQL ========
    Under Servers, click on MySQL.
    Enter your password.
    Press Save.
    Click on Module Config -> System configuration.
    Path to mysqld command: /usr/local/mysql/bin/mysqld
    Click on Save.

    Mysql is done.

    ======== Post-Installation Wizard ========
    Press on System Information at the bottom left.

    Post-Installation Wizard
    Preload Virtualmin libraries? Yes
    Run MySQL database server? Yes
    Run PostgreSQL database server? Yes
    Change MySQL password Leave un-changed
    DNS: keep your hostname as main.
    enter as 2nd your ns02.#censored#
    (if you get an error, restart dns and try again)
    Password storage mode: store plain-text passwords

    ======== setting up continue webmin and virtualmin ========
    Before we set the other settings, first install all needed modules.

    http://software.virtualmin.com/gpl/wbm/
    Module php pear: http://software.virtualmin.com/gpl/wbm/php-pear-1.5.wbm.gz
    Module Ruby GEMS: http://software.virtualmin.com/gpl/wbm/ruby-gems-1.4.wbm.gz
    virtualmin-dav: http://software.virtualmin.com/gpl/wbm/virtualmin-dav-3.5.wbm.gz
    virtualmin-awstats: http://software.virtualmin.com/gpl/wbm/virtualmin-awstats-4.6.wbm.gz
    virtual-server-mobile: http://software.virtualmin.com/gpl/wbm/virtual-server-mobile-2.4.wbt.gz
    virtualmin-svn: http://software.virtualmin.com/gpl/wbm/virtualmin-svn-4.9.wbm.gz
    virtualmin-htpasswd: http://software.virtualmin.com/gpl/wbm/virtualmin-htpasswd-2.5.wbm.gz

    amavisd: I have a rare copy... only downloadable from our site.
    Webmin -> webmin -> webmin configuration -> Webmin Modules

    ======== Feature or Plugin ========
    Our goal:

    Feature or Plugin
    + Administration user
    + Home directory
    + BIND DNS domain
    + Mail for domain
    + Apache website
    + Webalizer reporting
    + SSL website
    + Log file rotation
    + MySQL database
    + PostgreSQL database
    + ProFTPd virtual FTP
    - Spam filtering
    - Virus filtering
    + Webmin login
    + AWstats reporting Plugin
    + DAV Login Plugin

    Spam and viruses will be handled by Amavisd-new and Clam Antivirus.

    ======== PRO FTP ========
    webmin -> Un-used Modules -> proftp -> module config

    ProFTP:
    Path to ProFTPD config file: /usr/local/proftpd/etc/proftpd.conf
    Path to ProFTPD executable: /usr/local/proftpd/sbin/proftpd
    Path to ProFTPD PID file: /usr/local/proftpd/var/proftpd.pid
    Path to ftpusers file: None (was /etc/ftpusers)

    Before we can start ProFTPD, we need to make some OS X specific adjustments. Go ahead and open up the "ProFTPD Server" module under the "Servers" section. Select the "Edit Config Files" option. Look for the line that has the comment "Set the user and group under which the server will run." and comment out the next two lines so it looks like this:

    # Set the user and group under which the server will run.
    #User nobody
    #Group nogroup

    Click the "Save" button to return to the main menu. By now you should have a functional FTP server. However, there are a couple of "tweaks" I like to do to make things work a little better. Let's start by removing the login delay.

    Click on "Networking Options" in the ProFTPD module's main menu.
    Change the "Do reverse DNS lookups of client" option to "No".
    Change the "Lookup remote ident username" option to "No".
    PASV port range: 60000 - 65535
    Click "Save" to save and return to the main menu.

    Let's allow the use of "CHMOD":
    In the main menu, under "Virtual Servers" click "Default server".
    Under "Per-directory and Per-command options" click "Commands SITE_CHMOD".
    Click "Access Control".
    Change the "Access Control Policy" option to "Allow all clients".
    Click "SITE_CHMOD".
    Set FTP commands to All (or just the ones you like).

    Click "Save" to save. Then click "return to main menu".

    Limit Users to Home Directory:
    Click on "Files and Directories" in the main menu.
    Change the "Limit users to directories" option to "Home Directory".
    Click "Save" to save and return to the main menu.

    To reduce exposure to automated attacks, change the port number of ProFTPD.
    I changed it from port 21 to XXXX (pick your own number).
    I also disabled anonymous FTP.

    Download config file.....

    -----> attach the ProFTPD settings file
    Starting ProFTPD Automatically on Boot
    You probably want ProFTPD to start automatically on boot instead of having to start it up manually each time. To set up an OS X startup item, just use Webmin.

    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: PROFTPD
    Script name: PROFTPD
    Bootup Commands: /usr/local/proftpd/sbin/proftpd
    Description: ProFTPD
    Provides: FTP
    Start Message: Starting ProFTPD
    Stop Message: Stopping ProFTPD
    Start at boot time?: Yes
    Click "Create"

    The shell /bin/false used for FTP users is not included in /etc/shells, which may prevent FTP access.
    Create a group named ftp.

    ======== SSH Server - OpenSSH_5.6 ========
    Authentication:
    Allow authentication by password? No
    Allow login by root? No (before server setup - yes)
    Allow RSA (SSH 1) authentication? no

    Networking:
    Listen on port XXXX (pick your own number)
    Accept protocols SSH v2
    Deny members of groups deniedssh (create this group)

    User SSH Key Setup
    Setup SSH key for new Unix users? yes

    Host SSH Keys
    Create ssh_host_key.pub, ssh_host_rsa_key.pub and ssh_host_dsa_key.pub
    under /private/etc/
    using the provided script (sh sshd-key-gen).

    Client Host Options
    Edit Host Options
    Port to connect to xxxxx (your own unique number here)
    Number of connection attempts 2
    Try SSH protocols 2 only

    Start server
    If you are not able to connect to the SSH server, add Port XXXX (pick your own number)
    to the config file (sometimes it is not copied from the settings).

    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: OPENSSH
    Script name: OPENSSH
    Bootup Commands: /usr/sbin/sshd
    Description: OpenSSH
    Provides: SSH
    Start Message: Starting OpenSSH
    Stop Message: Stopping OpenSSH
    Start at boot time?: Yes

    ======== SSH Server - SSH Login ========
    Other -> SSH Login:
    Module config.
    Port to connect to: XXXX (pick your own number)

    ======== Amavisd-new ========
    Path to AMaViSD-new amavisd: /usr/bin/amavisd
    Path to AMaViSD-new amavisd.conf: /etc/amavisd.conf
    Path to PID-File: /var/amavis/amavsid.pid
    default Domain: domainname.com
    Path to Amavis Start file: /etc/init.d/amavisd

    ======== Clam Antivirus ========
    Configuration category: ClamAV
    ClamAV system user: _clamav
    ClamAV system group: _clamav
    Daemon init script path: /usr/sbin/clamd
    Logfile path: /var/log/clamav.log
    Configuration file path: /etc/clamd.conf
    Main virus signatures database path: /var/clamav/main.cld
    Daily virus signatures database path: /var/clamav/daily.cvd

    Configuration category: Freshclam
    Configuration file path: /etc/freshclam.conf
    Logfile path: /var/log/freshclam.log
    Daemon init script path: /etc/cron.daily/freshclam

    Press Save.
    Then press Backup.

    ======== AWstats ========
    AWstats configuration directory: /Library/WebServer/awstats/wwwroot/cgi-bin/
    Full path to AWstats program:/Library/WebServer/awstats/wwwroot/cgi-bin/awstats.pl
    Full path to AWstats icons directory: /Library/WebServer/awstats/wwwroot/icon
    Full path to AWstats lang directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lang
    Full path to AWstats lib directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lib
    Full path to AWstats plugins directory: /Library/WebServer/awstats/wwwroot/cgi-bin/plugins

    ======== CVS Server ========
    Just click "Initialize Repository", then "Setup".

    ======== Webalizer Logfile Analysis ========
    Configurable options:
    Automatically include logfiles from: Apache, Squid, ProFTPd

    System configuration:
    Path to webalizer command: /usr/local/bin/webalizer
    Path to webalizer configuration file: /usr/local/etc/webalizer.conf
    Sample webalizer configuration file: /usr/local/etc/webalizer.conf.sample

    ======== PHP manage ========
    Resource Limits:
    Maximum memory allocation 512M
    Maximum file upload size 64M
    Maximum input parsing time 360
    Maximum HTTP POST size 64M
    Maximum execution time 360

    Error Logging:
    Expression for error types: E_ALL & ~E_NOTICE

    Other Settings:
    Allow PHP scripts starting with <? ? YES

    ======== PHP manual ========
    [apc]
    extension="/usr/local/Cellar/apc/3.1.9/apc.so"
    apc.enabled=1
    apc.shm_segments=1
    apc.shm_size=256M
    apc.ttl=7200
    apc.user_ttl=7200
    apc.num_files_hint=1024
    apc.mmap_file_mask=/tmp/apc.XXXXXX
    apc.enable_cli=1

    [memcache]
    extension="/usr/local/Cellar/memcache-php/2.2.6/memcache.so"

    [suhosin]
    extension=suhosin.so

    [oauth]
    extension=oauth.so

    [mcrypt]
    extension=mcrypt.so

    [imap]
    extension=imap.so

    [ffmpeg]
    extension=ffmpeg.so


    ======== Perl ========
    Suggested Modules: click Install Selected Modules and all will be included (a small glitch in Webmin).

    ======== Log File Rotation ========
    webmin -> Un-used Modules -> Log File Rotation
    Path to logrotate configuration file: /usr/local/etc/logrotate.conf
    Path to logrotate program: /usr/local/sbin/logrotate

    ======== Amavisd ========
    #@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
    @local_domains_maps = ( read_hash("/var/amavis/local_domains") );

    into

    @local_domains_maps = ( [".$mydomain"] ); # list of all local domains
    #@local_domains_maps = ( read_hash("/var/amavis/local_domains") );

    forward_method => 'smtp:[127.0.0.1]:10027',
    into
    forward_method => 'smtp:[127.0.0.1]:10025',

    Uncomment $virus_admin if you would like to receive emails (what is going on, spam/virus-wise).

    # $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
    into
    $myhostname = 'space09.domainname.com'; # must be a fully-qualified domain name!


    ======== postgrey ========
    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: POSTGREY
    Script name: POSTGREY
    Bootup Commands: /var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey
    Description: POSTGREY
    Provides: filter
    Start Message: Starting postgrey
    Stop Message: Stopping postgrey
    Start at boot time?: Yes
    Click "Create"

    /etc/postfix/main.cf

    Change:
    smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,permit

    Into:

    smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,check_policy_service inet:127.0.0.1:10023
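As an added example (not from the original post or from postgrey itself), the policy-delegation exchange behind the check_policy_service entry above, in Python: Postfix sends attribute=value lines ending with an empty line, and the policy service answers with an action line. The greylist decision is modeled on postgrey's client-subnet/sender/recipient triplet and 300-second delay; the sample request is constructed. Because check_policy_service sits after permit_mynetworks and permit_sasl_authenticated in the list, local and authenticated clients never reach it.

```python
import socketserver
import time

# Constructed request in the format Postfix sends to a check_policy_service:
# attribute=value lines, terminated by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=198.51.100.23\n"
    "client_name=mail.example.net\n"
    "helo_name=mail.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@domainname.com\n"
    "\n"
)


def parse_policy_request(raw):
    """Turn one policy request into a dict; the first empty line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


class GreylistPolicy:
    """Greylisting decision modeled on postgrey's triplet logic (assumption:
    postgrey's own implementation differs in details and persists to disk)."""

    def __init__(self, delay=300):
        self.delay = delay          # postgrey's default is 300 seconds
        self.first_seen = {}        # triplet -> time of first delivery attempt

    def triplet(self, attrs):
        # Key IPv4 clients by /24, as postgrey does by default, so a retry
        # from a sibling outbound relay still matches the first attempt.
        addr = attrs.get("client_address", "")
        parts = addr.split(".")
        if len(parts) == 4:
            addr = ".".join(parts[:3])
        return (addr, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())

    def decide(self, attrs, now=None):
        """Return the response text Postfix expects: an action line plus an empty line."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        now = time.time() if now is None else now
        first = self.first_seen.setdefault(self.triplet(attrs), now)
        if now - first < self.delay:
            # DEFER_IF_PERMIT: defer only if the remaining restrictions would
            # permit, so a recipient that would be rejected anyway is still rejected.
            return "action=DEFER_IF_PERMIT Greylisted, retry in %d seconds\n\n" % (
                self.delay - (now - first))
        return "action=DUNNO\n\n"   # DUNNO hands the decision to the next restriction


class PolicyHandler(socketserver.StreamRequestHandler):
    """Answer requests on the socket named in check_policy_service inet:127.0.0.1:10023."""
    policy = GreylistPolicy()

    def handle(self):
        while True:
            lines = []
            for line in self.rfile:
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:            # client closed the connection
                return
            attrs = parse_policy_request("\n".join(lines) + "\n\n")
            self.wfile.write(self.policy.decide(attrs).encode("utf-8"))
            self.wfile.flush()


def serve(host="127.0.0.1", port=10023):
    """Run the policy service; bind to loopback only, as in the main.cf entry above."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()
```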

    ======== mail server ========
    Check to see if your mail server is running as it should:
    http://www.mxtoolbox.com/

    Check your DNS
    http://www.intodns.com/

    ======== Webmin -> system ==========
    Apache Webserver

    Processes and Limits:
    Maximum requests per server process: 0
    Minimum spare server processes: 5
    Maximum spare server processes: 10
    Initial server processes: 5

    SSL Options:
    Fixed password: (pick a password for later on)

    Default Server: Virtual Server Options

    Directory Indexing:
    Directory index files
    index.html
    index.htm
    index.shtml
    index.php
    index.php4
    index.php5
    index.pl
    index.cgi

    SSL Options: Generate a .crt and .key file

    Step 1: Generate a Private Key

    The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

    The first step is to create your RSA Private Key. This key is a 1024 bit RSA key (the common size when this was written; current guidance is at least 2048 bits), encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.

    openssl genrsa -des3 -out server.key 1024

    Generating RSA private key, 1024 bit long modulus
    .........................................................++++++
    ........++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

    Step 2: Generate a CSR (Certificate Signing Request)

    Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

    During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

    openssl req -new -key server.key -out server.csr

    Country Name (2 letter code) [GB]:CH
    State or Province Name (full name) [Berkshire]:Bern
    Locality Name (eg, city) [Newbury]:Oberdiessbach
    Organization Name (eg, company) [My Company Ltd]:Akadia AG
    Organizational Unit Name (eg, section) []:Information Technology
    Common Name (eg, your name or your server's hostname) []:public.akadia.com
    Email Address []:martin dot zahn at akadia dot ch
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Step 3: Remove Passphrase from Key

    One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key

    The newly created server.key file no longer has a passphrase. Note that the listing below shows all three files as world-readable (mode 644), which contradicts the root-only requirement above; restrict the key (for example chmod 600 server.key) before installing it.

    -rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
    -rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
    -rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

    Step 4: Generating a Self-Signed Certificate

    At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

    To generate a temporary certificate which is good for 365 days, issue the following command:

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
    Getting Private key

    Step 5: Installing the Private Key and Certificate

    When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

    cp server.crt /usr/local/apache/conf/ssl.crt
    cp server.key /usr/local/apache/conf/ssl.key

    Step 6: Configuring SSL Enabled Virtual Hosts

    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    Step 7: Restart Apache and Test

    apachectl stop
    apachectl start


    ======== check system configuration ========
    Bind ok....
    Postfix ok....
    Suexec needs to be changed.
    (Virtualmin -> Virtualmin Configuration -> Defaults for new domains: enter /home2 -> press Save)

    Re-check after the change:
    Bind ok....
    Postfix ok....
    Apache ok....
    Mysql ok....
    PostgreSQL ok....
    Logrotate ok....

    All is running, but we are not done yet.
    Now we will configure webmin and virtualmin.

    ======== Webmin ==========
    webmin -> Webmin Configuration
    start at boot time: yes

    Trusted Referrers:
    Referrer checking enabled? yes
    Trust links from unknown referrers: yes

    Authentication:
    Support full PAM conversations? yes
    Use MD5 encryption for Webmin passwords (allows long passwords) YES

    ======== Webmin -> system ==========
    Disk Quotas, turn it on on the HD where your system runs on

    ======== Webmin -> system ==========
    Historic System Statistics: turn it on or leave it off.

    ======== Webmin -> Usermin Configuration ==========
    Install Usermin: Un-used Modules -> Usermin Configuration -> click on "Install Usermin".

    webmin -> Usermin Configuration
    start at boot time: yes

    Authentication:
    Enable session authentication: yes
    Always require username and password: yes
    Support full PAM conversations? yes

    Available Modules:
    Select the modules you want in Usermin.

    Access Control Options:
    Root directory for file chooser: User's home directory

    DAV Server:
    DAV enabled? Enabled
    Allow access to directory: User's home directory

    Restart usermin.

    ======== Webmin - Usermin -> PAM ==========
    PAM Authentication:
    cp /work/usermin-webmail-1.480/usermin-pam-osx /etc/pam.d/usermin
    cp /etc/pam.d/usermin /etc/pam.d/webmin
    For Dovecot
    cp /etc/pam.d/usermin /etc/pam.d/dovecot
    Open /etc/pam.d/dovecot and replace current listing with:

    # dovecot: auth account password session
    auth required pam_nologin.so
    auth sufficient pam_securityserver.so
    auth sufficient pam_unix.so
    auth required pam_deny.so
    account required pam_permit.so
    password required pam_deny.so
    session required pam_uwtmp.so

    ======== Webmin -> Usermin -> Usermin Configuration ==========
    Read mail:
    Mail storage format for Inbox: Qmail style
    Sendmail mail file location: ~${USER}/Maildir

    PostgreSQL Database:
    Path to psql command: /usr/bin/psql
    Path to PostgreSQL shared libraries: /usr/lib/postgresql
    Path to pg_dump command: /usr/bin/pg_dump
    Path to pg_restore command: /usr/bin/pg_restore
    Only show databases owned by user? yes

    SSH Login:
    Port number for SSH: XXXX (pick your own number)

    Upload and Download:
    Limit uploads and downloads to home directory? yes

    ======== Virtualmin -> System Settings -> Features and Plugins ==========
    Select all except "Spam filtering" and "Virus filtering"; we use our own (remember).

    ======== Virtualmin -> System Settings -> Server Templates ==========
    mkdir /etc/skel
    I moved my own "under construction" HTML files into it.
    The moment a new account has been created, the under construction page is shown by default.

    Default Settings:
    Home directory: Substitute variables in contents? Yes

    Bind DNS domain:
    Custom TTL: 10800
    Create new domains in view: com.apple.ServerAdmin.DNS....
    Add SPF DNS record? Yes
    Does SPF record cover all senders? yes

    Mail for domain:
    Email message to send upon server creation: Message below ..
    Default quota for mail users: Unlimited

    Apache Website:
    Directives and settings for new websites:

    ServerName ${DOM}
    ServerAlias www.${DOM}
    DocumentRoot ${HOME}/public_html
    ErrorLog /var/log/virtualmin/${DOM}_error_log
    CustomLog /var/log/virtualmin/${DOM}_access_log combined
    ScriptAlias /cgi-bin/ ${HOME}/public_html/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory ${HOME}/public_html>
    Options FollowSymLinks
    AllowOverride all
    Order allow,deny
    Allow from all
    </Directory>
    <Directory ${HOME}/public_html/cgi-bin>
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi .pl
    Allow from all
    </Directory>

    Configure Webmin to use same SSL cert for IP? Yes
    Configure Usermin to use same SSL cert for IP? Yes
    PHP configuration variables for scripts: memory_limit 256M

    Webmin Login:
    Webmin group for domain owners: hosting

    ======== Virtualmin -> System Settings -> Account Plans ==========

    You may create what you want here.
    I'll add a "Pro Plan" with all on unlimited

    ======== Virtualmin -> System Settings -> Virtualmin Configuration ==========
    User interface settings:
    Columns to show: pick your own
    Feature columns to show: pick your own
    Show mailbox size in users list? Yes
    Allow editing of limits when creating server? Yes

    Defaults for new domains:
    Home directory base: /Users

    Actions upon Server and User creation:
    Notify other modules when updating server administrator Unix users? yes
    Notify other modules when updating mailbox Unix users? Yes
    Add users with no SSH access to deniedssh group? yes

    Advanced Options:
    Delete all email aliases when disabling mail? Yes
    Allow creation of sub-domains? Yes

    ======== Un-used Modules -> squid ==========
    Module configuration options:
    Encryption method for proxy passwords: md5base64

    system conf:
    Full path to squid config file: /usr/local/etc/squid.conf
    Squid executable: /usr/local/sbin/squid
    Full path to PID file: /usr/local/var/run/squid.pid
    Full path to squid cache directory: /usr/local/var/cache
    Squid cachemgr.cgi executable: /usr/local/Cellar/squid/3.1.9/libexec/cachemgr.cgi
    Full path to squid log directory: /usr/local/var/logs
    Path to squidclient program: /usr/local/bin/squidclient

    ======== Squid Report Generator ========
    Module configuration.

    Full path to sarg executable: /usr/local/bin/sarg
    Full path to SARG configuration file: /usr/local/etc/sarg.conf

    ======== Apple OSX settings ========
    chmod 777 /Library/Logs

    ======== Web server ========
    There are two ways to set up Apache. I chose to use the default settings of Apache, which work well with Webmin.

    A specific setup for use with Server.app is easy to accomplish.
    Both instructions will be posted at a later stage.

    ======== Mail server ========
    A complete solution will be provided. Stay tuned.
    (Below is the raw version, for those who requested.)

    ======== Dovecot IMAP/POP3 Server ========
    We will configure the mail ourselves, but to get all config files created,
    please launch "Server Admin", add Mail and start the mail server. This will generate all the files we need. (Stop the mail server when generation is done.)

    Dovecot server program: /usr/sbin/dovecotd
    Full path to Dovecot configuration file: /etc/dovecot/dovecot.conf
    Dovecot server PID file: /var/run/dovecot/master.pid

    Mail Files:
    Mail file location: Inbox and folders in ~/Maildir
    UIDL format: %08Xu%08Xv

    ======== Postfix Mail Server ========
    The message "group or other writable" means that another user (not the owner) is able to write to the directory. You can fix it with chmod; for example, to remove group write permissions:

    $ sudo chmod g-w /Library/Server/Mail/Data/mta

    I suggest creating a backup of /etc/postfix, /etc/dovecot and /etc/apache2:
    cd /etc
    /Developer/Tools/CpMac -r apache2 "apache2 backup"
    /Developer/Tools/CpMac -r postfix "postfix backup"
    /Developer/Tools/CpMac -r dovecot "dovecot backup"

    While it is possible to write out all steps by hand, I decided to attach the config files.
    (Change my files and copy them to the intended folders. I will explain during the process.)

    After copying:
    chown root:wheel /private/etc/postfix/*
    chmod g-w /var/lib/postfix

    cd /etc/postfix
    postmap hash:access
    postmap hash:transport
    postmap hash:sender_access

    General Options:
    What domains to receive mail for: $myhostname
    Network interfaces for receiving mail: All
    Local internet domain name: Default
    Mail queue directory: /var/spool/postfix
    rm -r /var/spool/postfix
    mkdir /var/spool/postfix

    Mail Aliases:
    Alias databases used by the local delivery agent: Map specifications: hash:/etc/postfix/aliases

    Canonical Mapping:
    Tables for recipient addresses: No map set

    Virtual Domains:
    Domain mapping lookup tables: hash:/etc/postfix/virtual

    Transport Mapping:
    Transport mapping lookup tables: Map specifications: hash:/etc/postfix/smtproutes

    Header Checks:
    Example header checks

    Body Checks:
    Message body checking tables: Map specifications: pcre:/etc/postfix/custom_body_checks
    Example body checks

    Local Delivery:
    Home-relative pathname of user mailbox file: Maildir/
    External command to use instead of mailbox delivery: /usr/libexec/dovecot/deliver
    Optional actual transport to use: None

    SMTP Server Options:
    Timeout in seconds for SMTP transactions: 300s
    Disable SMTP VRFY command: Yes
    Error count for closing connection: 20
    Restrictions on sends in HELO commands: permit_mynetworks,check_helo_access hash:/etc/postfix/access,permit_auth_destination,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_invalid_hostname,permit
    Restrictions on sender addresses: permit_sasl_authenticated,permit_mynetworks,permit_auth_destination,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
    Restrictions on recipient addresses: reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,permit
    cd /etc/postfix
    postmap hash:sender_access
    postmap hash:access

    SMTP Authentication And Encryption:
    Handle non-compliant SMTP clients?: yes
    SMTP security options: none

    SMTP Client Restrictions:
    Client restrictions: Postfix default (allow all clients) (all off)

    Edit main.cf
    data_directory = /var/lib/postfix
    rm /var/lib/postfix
    mkdir /var/lib/postfix
    chown _postfix /var/lib/postfix
    Show main.cf file (example domainnames)

    ==> virtual_transport = lmtp:unix:/var/imap/socket/lmtp

    Edit greylist.pl (/usr/libexec/postfix/greylist.pl)
    change: /Library/Server/Mail/Data/mta/
    into: /var/lib/postfix/

    Edit Master.cf:
    Show master.cf file (example domainnames)

     

    Posted in: Daily

15 Comments

  1. Wow, great, thank you. I spent almost a week installing Lion Server on my new Mac mini. Failed so many times. Services didn't run properly etc... At the end I found out it was BT's fault. Their router is rubbish, so I swapped it for an Airport Extreme and it has been working fine since. I have one silly question: do I need to set DNS when all my DNS entries are with the company where I registered the domain? Thanks
  2. @Filip, Thanks. It depends: if you would like to run your own mail server, multiple websites etc., you would need to enable DNS on your MacMini Server. But you only need 1 static IP to get everything running (DNS and others).
  3. Fantastic work - it was great to use, and works well. I was wondering if you can post your fix for Webmin to work with Lion's Apache; at the moment no ghosts show. It will be highly appreciated.
  4. @Eran, Thanks, I just sent you an email on how to get your request working.
  5. I have read some excellent stuff here. Certainly worth bookmarking for revisiting. I wonder how much effort you put into making this sort of great informative site.
  6. Hi, is your Lion tutorial here compatible with Mountain Lion Server? I got a new Mac mini and cannot change to Lion. Greetings from Germany, Carsten
  7. Hello Carsten, yes, this tutorial is compatible. (Paths and locations will be the same. Only some version numbers could be different (newer), but that's not a problem...)
  8. Hi Martijn, I'm stuck at the beginning with the Server Admin screen where I have to disable "Dedicate system resources to server services". What should I do? BTW, what does this button do? Greetings, Carsten
  9. Hello Carsten, sorry for the late response. (The blog is getting some spam, so I need to check every entry before approving.) Apple reserves memory and CPU for their own tasks (like the account manager, wiki and other apps from Apple), but this makes other web-related tasks and the server overall slower. By disabling it you are in charge, which results in faster websites, mail and others... If you have any other question, please email me. Kind regards, Martijn
  10. Hello, I read your new stuff regularly. Your story-telling style is witty, keep up the good work!
