http://www.4elements.com/blog en info@4elements.com Copyright 2013 2013-03-26T09:36:40+00:00 http://www.4elements.com/blog/the_perfect_apc_configuration http://www.4elements.com/blog/the_perfect_apc_configuration#When:09:36:40Z I’m hosting about 10 ExpressionEngine sites using Apache 2, APC, and Memcached. Here is my configuration: Operating system - Mac OS X Server Lion 10.7.5 (11G63) Processor - 2 GHz Intel Core i7 RAM - 16 GB 1333 MHz DDR3 Disk - 13.5 TB total Apache - 2.2.22 PHP - 5.3.15 APC - 3.1.13 My php.ini configuration [APC] apc.enabled=1 apc.shm_segments=1 ;51M per ExpressionEngine install apc.shm_size=512M ;Relative to the number of cached files (you may need to watch your stats for a day or two to find out a good number) apc.num_files_hint=7000 ;Relative to the size of ExpressionEngine apc.user_entries_hint=4096 ;The number of seconds a cache entry is allowed to idle in a slot before APC dumps the cache apc.ttl=7200 apc.user_ttl=7200 apc.gc_ttl=3600 ;Setting this to 0 will give you the best performance, as APC will ;not have to check the IO for changes. However, you must clear ;the APC cache to recompile already cached files. If you are still ;developing, set this to 1 apc.stat=0 ;This MUST be 0, ExpressionEngine can have errors otherwise! apc.include_once_override=0 ;Only set to 1 while debugging apc.enable_cli=0 ;Allow 2 seconds after a file is created before it is cached to prevent users from seeing half-written/weird pages apc.file_update_protection=2 ;Leave at 2M or lower. ExpressionEngine does't have any file sizes close to 2M apc.max_file_size=2M apc.cache_by_default=1 apc.use_request_time=1 apc.slam_defense=0 apc.mmap_file_mask=/tmp/apc.XXXXXX apc.stat_ctime=0 apc.canonicalize=1 apc.write_lock=1 apc.report_autofilter=0 apc.rfc1867=0 apc.rfc1867_prefix =upload_ apc.rfc1867_name=APC_UPLOAD_PROGRESS apc.rfc1867_freq=0 apc.rfc1867_ttl=3600 apc.lazy_classes=0 apc.lazy_functions=0 While this configuration works great for me, it may not for you. Finding “The Perfect APC Configuration” is like asking how many stars are in the sky. The are endless variables, like, “How much RAM, how many websites, do your websites support lazy classes, etc…” The best way to create your config is to do a little research. P.S. There seems to be a lot of debate about apc.stat = 0. The general thought is, set apc.stat=0 on production servers and it will prevent APC from actually going to the IO to check if the file has been changed. My advice: If you are running ExpressionEngine set apc.stat = 0. Daily, 2013-03-26T09:36:40+00:00 http://www.4elements.com/blog/its_official_ii http://www.4elements.com/blog/its_official_ii#When:11:15:40Z It’s official, today 4 years ago we changed our name and launched our current website. To celebrate our birthday: Coming up: - New website, offers a.o. soon. - Our project, Designscan.me, a breath taken new web service will be launched soon. Daily, 2012-07-23T11:15:40+00:00 http://www.4elements.com/blog/macmini_server_2011_update_ii http://www.4elements.com/blog/macmini_server_2011_update_ii#When:12:51:57Z Apple just released Lion Server 10.7.4 update Download and install the combi update, this prevents any miss behavior. After the update all the custom settings and installed scripts stayed intact and are working as it should be. With other words, it's save to update. Don't forget to download and install Server Admin Tools 10.7.4 as well. Daily, 2012-07-02T12:51:57+00:00 http://www.4elements.com/blog/cssfx_makes_your_live_a_bit_easier http://www.4elements.com/blog/cssfx_makes_your_live_a_bit_easier#When:09:00:04Z cssFx cssFx is a standalone polyfill that inserts the vendor-specific CSS3 properties necessary for old and new browsers. This saves you tons of time, maintenance, and bandwidth! Properties Supported Border radius, box shadow, flex box, RGBA, gradients, multiple columns, border image, transforms, transitions, opacity, inline-block, ellipsis, and more. Get it (just updated): cssFx CSS, 2012-04-06T09:00:04+00:00 http://www.4elements.com/blog/major_cms_upgrade http://www.4elements.com/blog/major_cms_upgrade#When:18:35:00Z Expressionengine 1.7.1 -> 2.4 Major upgrade - We needed to upgrade for future grow, more on this soon. - New version is faster and more secure. - and a lot more.... Installed AutoMin (an EE module) - caching - Compressing HTML Markup (no more nice html code) - Combining css files (into one) - Combining js files (into one) The website now uses MemCache and APC, a really great improvement in page loading speed. Installed Http:BL antiSpam for forum and contact forms. This is also why I joined the projecthoneypot.org Expression Engine, 2012-02-09T18:35:00+00:00 http://www.4elements.com/blog/macmini_server_2011_update http://www.4elements.com/blog/macmini_server_2011_update#When:15:25:45Z Apple just released Lion Server 10.7.3 update Download and install the combi update, this prevents any miss behavior. After the update all the custom settings and installed scripts stayed intact and are working as it should be. With other words, it's save to update. Daily, 2012-02-02T15:25:45+00:00 http://www.4elements.com/blog/macmini_server_2011_part_I http://www.4elements.com/blog/macmini_server_2011_part_I#When:13:54:07Z Part I: Intro and Goal. Part II: Preparations. Part III: Installation. Part IV: Settings. Intro: My G5, dual 2Ghz and 8GB ram, server was still working like a charm. (Including a G5 Jive to add 4 extra Internal Sata disks - total 6 Internal Disks) But the downside: - Heat, lots of heat. I even placed an airco in my server room. - Costs, A PowerMac G5 uses max 604 Watt. Add the airco time and your monthly bill will increase rapidly. - Noise, Due to the major fans, the heats it generates. I (sound)isolated the server room. Goal: My own new web/mail/file/media server that generates less noise, heat and uses less power. And the right storage solution. Solution: MacMini Server 2011 (2Ghz i7 Quad-core, 2 x 750 GB HD @ 7200 and 16GB RAM) MacMini uses: 8W (Idle) 18W (regular use) 85W (max) Sound: Silent (no sound) MacMini server: English - Dutch 2 X 8 GB ram: English - Dutch Empty Enclosure for my 4 extra Internal HD's (JBOD) OWC RackPro Uses: 16W (Idle) 24W (regular use) 100W (max) Sound: Silent (no sound) Thunderbolt to eSata: Thunderbolt Adapter and eSATA adapter (two eSata connectors for future grow) Why eSata and not USB3: USB3 is theoretically faster but eSata has no latency what makes it high responsible and low/none system resource use. Daily, 2012-01-05T13:54:07+00:00 http://www.4elements.com/blog/macmini_server_2011_part_II http://www.4elements.com/blog/macmini_server_2011_part_II#When:13:45:13Z Part II: Preparations. Full web server, mailserver, caldav and carddav with webmin/virtualmin. Update OS X 10.7 server software. Download Xcode 4.1 + install Download ServerAdminTools + install Download Java + install Download java developer + install Repair permissions Xcode 4.2 discontinued GCC 4.2 compiler and downgraded LLVM-GCC to 'legacy' compiler. Meaning that a lot of scripts/programs will not compile right until they are updated. This is the reason I stayed with Xcode 4.1. If you encounter problems please downgrade your Xcode 4.2.x to 4.1. (if you relay on my ffmpeg bash script you need to use Xcode 4.1) Preps: - While push mail didn't work for my setup, I decided to not use it. - But also when push was enabled, using my mac email account, I was not able to send a mail to my mac email account from the server. It continues to get back. (loop) - After installation, at the server setup section. Do not enter your mac account. Set computer name: server Set NS name: server.yourdomain.com Enable Root: Macintosh HD -> System -> Library -> CoreServices -> Directory Utility Menu -> edit -> enable Root Enter a new password 2 times. Root enabled Dedicate system resources: Start the server.app Select your computer under hardware. Press on settings. (see image) Disable "Dedicate system resources to server services" Restart your server. Daily, 2012-01-05T13:45:13+00:00 http://www.4elements.com/blog/macmini_server_2011_part_iii http://www.4elements.com/blog/macmini_server_2011_part_iii#When:13:37:47Z Part III: Installation. We are going to use brew to install several libs and programs. Big advantage of brew is that it makes simlinks into the local bin, lib and sbin folders. No mess as macports or fink (let's say I like this way better.) ======= Brew ======= Brew will ask to add and change some path info. You may do this by editing BBEdit:open /etc/paths /usr/local/sbin (infront of /usr/sbin/) /usr/local/bin (infront of /usr/bin/) Terminal:mkdir /usr/local/Cellar /usr/bin/ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)" Only in case there is an error.chown name:admin /usr/local/share chown name:admin /usr/local/share/man chown name:admin /usr/local/share/man/man1 chown name:admin /usr/local/Cellar Terminal: brew update brew install GD brew install wget brew install apc brew install libtiff brew install ghostscript brew install imagemagick brew install logrotate brew install mcrypt brew install qdbm brew install memcached brew install memcache-php brew install memcache-top brew install lynx brew install smartmontools brew install libconfig brew install GnuPG brew install re2c Some extra brews I could use.brew install xmlrpc-c brew install xml-coreutils brew install webfs brew install webkit2png Read my notes.brew install ffmpeg * brew install ffmpeg-php * brew install rrdtool ** brew install ruby ** brew install lsof ** brew install snort ** brew install libxml2 ** brew install cairo ** brew install squid **** brew install webalizer *** brew install mysql ***** * don't use brew for this, I wrote a script that will install it all for you, and this one works ** only needed if you would like to install system stats in webmin. *** do not install trough brew, berkery DB will cause some problems later on. (example squid or when you want to run your own postfix version) **** only needed if you would like to run squid proxy. ***** Or follow the steps below (recommended) ======= Create a work folder ======= We are going to download some software that we need to compile. The most clean way is to create a folder where we will put all the files. My case "work" on your main HD. mkdir /work ======= Installing FFMPEG and FFMPEG-php ======= Download my script into the work folder. Open terminal and su root. cd /work wget http://www.4elements.com/files/macmini_server/ffmpegphp_ok.sh.zip unzip ffmpegphp_ok.sh.zip bash ffmpegphp_ok.shThis will take a while. ======= Installing MYSQL ======= Download MYSQL: http://dev.mysql.com/downloads/mysql/ Pick the "Mac OS X ver 10.6 (x86, 64-bit), DMG" mysql-5.5.16-osx10.6-x86_64.dmg Turn mysql on. (system prefs) sudo mkdir /var/mysql sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql ln -s /usr/local/mysql/bin/mysqld /usr/libexec/mysqld Add to /etc/paths /usr/local/mysql/bin" sudo install_name_tool -id /usr/local/mysql/lib/libmysqlclient.18.dylib /usr/local/mysql/lib/libmysqlclient.dylib Set up MySQL root password: (without the {}) /usr/local/mysql/bin/mysqladmin -u root password {password} /usr/local/mysql/bin/mysqladmin -u root -p{password} -h localhost password {password} /usr/local/mysql/bin/mysqladmin -u root -p{password} reload ======= Installing CPAN ======= Su root cpan (OSX 10.7 has 64bit as default, all will be installed as 64bit) Parameters for the 'make' command? Typical frequently used setting: -j3 # dual processor system (on GNU make) your choice -j6 CPAN Shell> install CPAN CPAN Shell> install YAML YAML::Syck CPAN Shell> install DBI CPAN Shell> install DBD::mysql CPAN Shell> install DBD::Pg CPAN Shell> install Bundle::DBI Bundle::DBD::mysql Bundle::DBD::Pg CPAN Shell> install SQL::Statement Net::SSLeay Authen::PAM Net::LDAP webmin, install needed for clamAV moduleCPAN Shell> install Benchmark::Timer CPAN Shell> install Mail::Mbox::MessageParser CPAN Shell> force install GD CPAN Shell> install GD::Graph::lines GD::Text CPAN Shell> install Date::Manip CPAN Shell> install Compress::Zlib HTML::Entities Getopt::Long IO::File CPAN Shell> install Net::SMTP IO::Socket Mail::Internet For webmin stats: CPAN Shell> install Cwd English CGI::Carp Bundle::LWP CPAN Shell> install Date::Calc Bundle::libnet Crypt::SSLeay CPAN Shell> install Mail::SPF Net::DNS::Resolver::Programmable CPAN Shell> install Bundle::Email Geo::IPfree Net::XWhois SOAP::Lite Postgrey CPAN Shell> install Net::Server IO::Multiplex Filesys::Virtual::Plain Net::DAV::Server http://search.cpan.org and download the following: NetAddr::IP Data::Dumper Digest::MD5 Storable By hand: tar xfvz /work/Data-Dumper-2.131.tar.gz tar xfvz /work/Digest-MD5-2.51.tar.gz tar xfvz /work/NetAddr-IP-4.050.tar.gz tar xfvz /work/Storable-2.30.tar.gz cd /work/Data-Dumper-2.131 perl Makefile.pl make make install cd /work/Digest-MD5-2.51 perl Makefile.pl make make install cd /work/NetAddr-IP-4.050 perl Makefile.pl make make install cd /work/Storable-2.30 perl Makefile.pl make make install ======= Apache Mod_perl ======= cd /work wget http://perl.apache.org/dist/mod_perl-2.0-current.tar.gz tar xfvz /work/mod_perl-2.0-current.tar.gz cd /work/mod_perl-2.0.5 perl Makefile.PL MP_APXS=/usr/sbin/apxs \ MP_APR_CONFIG=/usr/bin/apr-1-config /etc/apache2/httpd.conf LoadModule perl_module libexec/apache2/mod_perl.so ======= Apache suexec ======= cd /work wget http://apache.proserve.nl//httpd/httpd-2.2.21.tar.gz tar xfvz httpd-2.2.21.tar.gz cd /work/httpd-2.2.21 ./configure --with-layout=Darwin --enable-suexec --with-suexec-caller=_www --with-suexec-docroot=/home2 --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec_log make sudo cp /work/httpd-2.2.21/support/suexec /usr/bin/ sudo chown root:_www /usr/bin/suexec sudo chmod 4750 /usr/bin/suexec cd /work/httpd-2.2.21/modules/generators sudo apxs -i -a -c mod_suexec.c (gcc -fpic -DSHARED_MODULE -I/usr/include/apache2 -c mod_suexec.c) ======= host ======= Edit host file: goto /etc open file "host" with BBEdit. 127.0.0.1 localhost XX.XX.XX.XX Hostname.domainname.com (XX is your static IP, hostname and domainname are your chosen one) ======= ProFtp ======= Install ProFtp proftpd-1.3.4rc2.tar.gz cd /work wget http://ftp.heanet.ie/mirrors/ftp.proftpd.org/distrib/source/proftpd-1.3.4rc2.tar.gz tar xfvz /work/proftpd-1.3.4rc2.tar.gz cd /work/proftpd-1.3.4rc2 ./configure --prefix=/usr/local/proftpd make make install cp /private/etc/pam.d/ftpd /private/etc/pam.d/ftp Shell /bin/false for FTP users is not included in /etc/shells, which may prevent FTP access. ======= ssl hosting ======= Cert for ssl hosting: openssl genrsa -des3 -out www.yourdomain.com.key 2048 cat www.yourdomain.com.key openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr ls -ltr www.yourdomain.* openssl x509 -req -days 365 -in www.yourdomain.com.csr -signkey www.yourdomain.com.key -out www.yourdomain.com.crt cat www.yourdomain.com.crt ======= webalizer ======= cd /work wget ftp://ftp.mrunix.net/pub/webalizer/webalizer-2.23-05-src.tgz tar xfvz /work/webalizer-2.23-05-src.tgz cd /work/webalizer-2.23-05 ./configure --with-pnglib=/usr/X11/lib --enable-geoip make make install ======= awstats ======= http://awstats.sourceforge.net/ cd /home2 wget http://sourceforge.net/projects/awstats/files/AWStats/7.0/awstats-7.0.tar.gz tar xfvz awstats-7.0.tar.gz mv awstats-7.0 awstats cd /home2/awstats/tools/ perl awstats_configure.pl cd /home2 rm -r awstats-7.0.tar.gz ======= Postgrey ======= cd /work wget http://pkgs.fedoraproject.org/repo/pkgs/postgrey/postgrey-1.34.tar.gz/f736a7be1094593f1a66cd13f32b39ef/postgrey-1.34.tar.gz tar xfvz postgrey-1.34.tar.gz cd /work/postgrey-1.34 mkdir /var/spool/postfix/postgrey cp postgrey /var/spool/postfix/postgrey cp postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients cp postgrey_whitelist_recipients /etc/postfix/postgrey_whitelist_recipients chown -R _amavisd /var/spool/postfix/postgrey chgrp -R _amavisd /var/spool/postfix/postgrey chmod -R 755 /var/spool/postfix/postgrey /var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=_amavisd --group=_amavisd ======= rrdtool ======= Download rrdtool-1.4.5 cd /work tar xfvz rrdtool-1.4.5.tar.gz cd /work/rrdtool-1.4.5 ./configure make && make Install On your main HD you will find a folder "opt" cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/RRDp.pm /Library/Perl/5.12/RRDp.pm cp -r /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/auto/RRDp/ /Library/Perl/5.12/darwin-thread-multi-2level/auto/RRDp/ cp -r /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/auto/RRDs/ /Library/Perl/5.12/darwin-thread-multi-2level/auto/RRDs/ cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/perllocal.pod /Library/Perl/5.12/darwin-thread-multi-2level/perllocal.pod cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/RRDs.pm /Library/Perl/5.12/darwin-thread-multi-2level/RRDs.pm Now open de screen webminstats in webmin, some errrors for some modules that won't work on os x and you get your working webminstats. Turn it on and let it run 1 hour. (nice graphics ======= Logrotate ======= /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf (download) ======= php suhosin ======= cd /work wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz tar xfvz suhosin-0.9.32.1.tar.gz cd /work/suhosin-0.9.32.1 phpize ./configure make make install add the folowing to /etc/php.ini extension=suhosin.so ======= php PEAR ======= We need PEAR! For some reason, it's not set up ready to on Lion, but the install phar file is here, so we just need to run it. cd /usr/lib/php sudo php install-pear-nozlib.phar Edit /etc/php.ini and find the line: ;include_path = ".:/php/includes" and change it to: include_path = ".:/usr/lib/php/pear" sudo pear channel-update pear.php.net sudo pecl channel-update pecl.php.net sudo pear upgrade-all PHPUnit and friends I assume that everyone needs these… sudo pear channel-discover pear.phpunit.de sudo pear channel-discover components.ez.no sudo pear channel-discover pear.symfony-project.com sudo pear install phpunit/PHPUnit sudo pear install phpunit/phpcpd sudo pear install PHP_CodeSniffer ======= php PECL OAuth ======= A couple of projects I work on use the PECL OAuth component: cd /work wget http://sourceforge.net/projects/pcre/files/pcre/8.12/pcre-8.12.tar.gz tar xfvz pcre-8.12.tar.gz cd /work/pcre-8.12 ./configure sudo cp pcre.h /usr/include/ Remove the pcre folder on your desktop as you don't need it any more sudo pecl install oauth Edit/etc/php.ini add these lines to the end of the file: [oauth] extension=oauth.so Restart apache: sudo apachectl restart and check in the phpinfo that OAuth is now loaded. ======= php mcrypt ======= cd /work wget http://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz tar xfvz libmcrypt-2.5.8.tar.gz cd /work/libmcrypt-2.5.8 MACOSX_DEPLOYMENT_TARGET=10.7 CFLAGS='-O3 -fno-common -arch i386 -arch x86_64' LDFLAGS='-O3 -arch i386 -arch x86_64' CXXFLAGS='-O3 -fno-common -arch i386 -arch x86_64' ./configure --disable-dependency-tracking make -j6 make install cd /work wget http://us.php.net/get/php-5.3.6.tar.gz/from/nl.php.net/mirror tar xfvz php-5.3.6.tar.gz cd /work/php-5.3.6/ext/mcrypt /usr/bin/phpize MACOSX_DEPLOYMENT_TARGET=10.7 CFLAGS='-O3 -fno-common -arch i386 -arch x86_64' LDFLAGS='-O3 -arch i386 -arch x86_64' CXXFLAGS='-O3 -fno-common -arch i386 -arch x86_64' ./configure --with-php-config=/Developer/SDKs/MacOSX10.7.sdk/usr/bin/php-config make -j6 make install sudo apachectl restart extension=mcrypt.so ======= logwatch ======= cd /work wget http://sourceforge.net/projects/logwatch/files/logwatch-7.4.0/logwatch-7.4.0.tar.gz tar xfvz logwatch-7.4.0.tar.gz cd /work/logwatch-7.4.0 bash install_logwatch.sh ======= pflogsumm ======= cd /work wget http://linxnet.com/downloads/pflogsumm-1.1.1.tar.gz tar xfvz pflogsumm-1.1.1.tar.gz cd /work/pflogsumm-1.1.1 cp pflogsumm.pl /usr/local/bin/pflogsumm chown root:wheel /usr/local/bin/pflogsumm chmod 755 /usr/local/bin/pflogsumm mkdir /usr/local/man/man1/ cp pflogsumm.1 /usr/local/man/man1/pflogsumm.1 chown root:wheel /usr/local/man/man1/pflogsumm.1 chmod 644 /usr/local/man/man1/pflogsumm.1 ======= squid ======= cd /work wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.15.tar.gz tar xfvz squid-3.1.15.tar.gz cd /work/squid-3.1.15 ./configure --enable-ssl --enable-delay-pools cd /work wget http://sourceforge.net/projects/sarg/files/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz tar xfvz sarg-2.3.1.tar.gz cd /work/sarg-2.3.1 ./configure make make install ======= PHP Imap ======= cd /work wget http://ftp.ntua.gr/pub/net/mail/imap/imap-2007f.tar.gz tar xfvz imap-2007f.tar.gz mv /work/imap-2007f /usr/local/imap-2007 cd /usr/local/imap-2007 make osx sudo cp c-client/c-client.a c-client/libc-client.a cd /work tar xfvz php-5.3.6.tar.gz cd /work/php-5.3.6/ext/imap phpize ./configure --with-imap=/usr/local/imap-2007 --with-kerberos --with-imap-ssl make cp modules/imap.so /usr/lib/php/extensions/no-debug-non-zts-20090626/ add extension=imap.so to php.ini ======= webmin/usermin/virtualmin ======= cd /work wget: http://sourceforge.net/projects/webadmin/files/webmin/1.570/webmin-1.570.tar.gz tar xfvz webmin-1.570.tar.gz cd /work/webmin-1.570 ./setup.sh admin username: root pass: use your root password cd /work wget http://sourceforge.net/projects/webadmin/files/usermin/1.490/usermin-1.490.tar.gz tar xfvz usermin-webmail-1.480.tar.gz cd /work/usermin-webmail-1.480 ./setup.sh Open webmin website and install virtualmin server + virtualmin server template wget http://download.webmin.com/download/virtualmin/virtual-server-3.89.gpl.wbm.gz wget http://download.webmin.com/download/virtualmin/virtual-server-theme-8.1.wbt.gz In webmin, these two modules are hard to find on the internet. download and install wbmclamav-0.14.wbm.gz download and install amavisd_1.8-for-amavisdV2.038.wbm Daily, 2012-01-05T13:37:47+00:00 http://www.4elements.com/blog/macmini_server_2011_part_iv http://www.4elements.com/blog/macmini_server_2011_part_iv#When:12:54:29Z On request, I did get many requests for this section, hereby the uncut version of Part IV: Settings. Still need to rewrite and change information, but that's for later. Part IV: Settings. ======= Webmin ======== Post-Installation Wizard - Install Virtualmin - Install Virtualmin template - DNS need to setup, - PostgreSQL - MySQL goto your webmin url in safari or firefox. https://your.givenname.com:10000 login with root and root password click on webmin, at the left. -> webmin configuration. click on webmin modules and select + install virtualmin Click on Return to Webmin configuration click on Webmin Themes -> Install theme click on Return to themes list select virtualmin template and click on change... page will reload and will be shown the new template. Click on webmin, left top click on "servers" from the left menu clcik on BIND DNS Server ======== DNS ======== DNS module Configuration Display options: Reverse zone must exist? yes Zone file options: Serial number style: Date based (YYYYMMDDnn) DNS Configuration: Addresses and Topology Ports and addresses: Listed below Port number: 53 Addresses: any Zone Defaults Allow transfers from.. default Refresh time: 10800 Expiry time: 1209600 Transfer retry time: 3600 Negative cache time: 10800 Default email address: email addes your like to use Default nameserver for master domains: ns01.servername.com and press save. than create an default master zone of the domain used for your host name. (this domain name will also be used for name server. aka mailserver) It should look like this. $ttl 10800 domainname.com. IN SOA ns01.domainname.com. info.domainname.com. ( 2011102600 10800 3600 1209600 10800 ) domainname.com. IN A xx.xx.xx.xx www.domainname.com. IN A xx.xx.xx.xx mail.domainname.com. IN A xx.xx.xx.xx ftp.domainname.com. IN A xx.xx.xx.xx ns01.domainname.com. 14400 IN A xx.xx.xx.xx ns02.domainname.com. 14400 IN A xx.xx.xx.xx domainname.com. 86400 IN NS ns01.domainname.com. domainname.com. 86400 IN NS ns02.domainname.com. domainname.com. IN MX 10 mail.domainname.com. Now goto your domain rigistar and add at the dns section ns01.yourdomain.com - IP address here ns02.yourdomain.com - IP address here it can take upto 24 hours before it's progressed. (depending on the domain rigistar you use) ======== PostgreSQL ======== If you not already done it by now. start server and let it load. than quit the server (PostgreSQL will be configured and activated now) under unused modules at the right pick, PostgreSQL click on module configure Options: Administrator login: _postgres password: set password to your root password. System configuration: Path to psql command: /usr/bin/psql Path to PostgreSQL shared libraries: /usr/lib/postgresql Initial PostgreSQL database: template1 Command to start PostgreSQL: su _postgres -c "/usr/bin/pg_ctl -D/private/var/pgsql" Path to postmaster PID file: /private/var/pgsql/postmaster.pid Paths to host access config file: /private/var/pgsql/pg_hba.conf Path to pg_dump command: /usr/bin/pg_dump Path to pg_restore command: /usr/bin/pg_restore press save and PostgreSQL webinterface is loading.. ======== MySQL ======== under server, click on MySQL enter your password. press save Click on Module Config -> system configure Path to mysqld command: /usr/local/mysql/bin/mysqld Click on save Mysql is done. ======== Post-Installation Wizard ======== press on system information left bottom. Post-Installation Wizard Preload Virtualmin libraries? Yes Run MySQL database server? Yes Run PostgreSQL database server? Yes Change MySQL password Leave un-changed DNS: keep your hostname as main. enter as 2nd your ns02.#censored# (if you get an error, restart dns and try again) Password storage mode: store plain-text passwords ======== setting up continue webmin and virtualmin ======== Before we set the other settings, first install all needed modules first. http://software.virtualmin.com/gpl/wbm/ Module php pear: http://software.virtualmin.com/gpl/wbm/php-pear-1.5.wbm.gz Module Ruby GEMS: http://software.virtualmin.com/gpl/wbm/ruby-gems-1.4.wbm.gz virtualmin-dav: http://software.virtualmin.com/gpl/wbm/virtualmin-dav-3.5.wbm.gz virtualmin-awstats: http://software.virtualmin.com/gpl/wbm/virtualmin-awstats-4.6.wbm.gz virtual-server-mobile: http://software.virtualmin.com/gpl/wbm/virtual-server-mobile-2.4.wbt.gz virtualmin-svn: http://software.virtualmin.com/gpl/wbm/virtualmin-svn-4.9.wbm.gz virtualmin-htpasswd: http://software.virtualmin.com/gpl/wbm/virtualmin-htpasswd-2.5.wbm.gz amavisd: I have a rare copy... only downloadable from our site. Webmin -> webmin -> webmin configuration -> Webmin Modules ======== Feature or Plugin ======== Our coal: Feature or Plugin + Administration user + Home directory + BIND DNS domain + Mail for domain + Apache website + Webalizer reporting + SSL website + Log file rotation + MySQL database + PostgreSQL database + ProFTPd virtual FTP - Spam filtering - Virus filtering + Webmin login + AWstats reporting Plugin + DAV Login Plugin Spam and virus will be handled by AwavisD-New and Clam Antivirus ======== PRO FTP ======== webmin -> Un-used Modules -> proftp -> module config ProFTP: Path to ProFTPD config file: /usr/local/proftpd/etc/proftpd.conf Path to ProFTPD executable: /usr/local/proftpd/sbin/proftpd Path to ProFTPD PID file:/usr/local/proftpd/var/proftpd.pid Path to ftpusers file None (was /etc/ftpusers) Before we can start ProFTPD, we need to make some OS X specific adjustments. Go ahead and open up the "ProFTPD Server" module under the "Servers" section. Select the "Edit Config Files" option. Look for the line that has the comment "Set the user and group under which the server will run." and comment out the next two lines so it looks like this: # Set the user and group under which the server will run. #User nobody #Group nogroup Click the "Save" button to return to the main menu. By now you should have a functional FTP server. However, thier are a couple of "tweaks" I like to do to make things work a little better. Lets start by removing the login delay. Click on "Networking Options" in the ProFTPD module's main menu. Change the "Do reverse DNS lookups of client" option to "No". Change the "Lookup remote ident username" option to "No". PASV port range: 60000 - 65535 Click "Save" to save and return to the main menu. Lets allow the use of "CHMOD": In the main menu, under "Virtual Servers" click "Default server". Under "Per-directory and Per-command options" click "Commands SITE_CHMOD". Click "Access Control". Change the "Access Control Policy" option to "Allow all clients". Click "SITE_CHMOD". set FTP commands to All (or just what you like) Click "Save" to save. Then click "return to main menu". Limit Users to Home Directory: Click on "Files and Directoriess" in the main menu. Change the "Limit users to directories" option to "Home Directory". Click "Save" to save and return to the main menu". To avoid hack attacks, change the port number of proftp. I changed it from port 21 to XXXX (pick your own number) I also disabled anonymous ftp. Download config file..... -----> proftp settings file bijsluiten Starting ProFTPD Automaticly on Boot You probably want ProFTPD to start automaticly on boot instead of having to start it up manually each time. To setup an OS X startup item, just use Webmin. Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu. Click on "Add a new bootup action script". Action Name: PROFTPD Script name: PROFTPD Bootup Commands: /usr/local/proftpd/sbin/proftpd Description: ProFTPD Provides: FTP Start Message: Starting ProFTPD Stop Message: Stopping ProFTPD Start at boot time?: Yes Click "Create" Shell /bin/false for FTP users is not included in /etc/shells, which may prevent FTP access. Create a group names ftp ======== SSH Server - OpenSSH_5.6 ======== Authentication: Allow authentication by password? No Allow login by root? No (before server setup - yes) Allow RSA (SSH 1) authentication? no Networking: Listen on port XXXX (pick your own number) Accept protocols SSH v2 Deny members of groups deniedssh (create this group) User SSH Key Setup Setup SSH key for new Unix users? yes Host SSH Keys Create a ssh_host_key.pub, ssh_host_rsa_key.pub and ssh_host_dsa_key.pub under /private/etc/ Use provided script (sh sshd-key-gen) Client Host Options Edit Host Options Port to connect to xxxxx (your own unique number here) Number of connection attempts 2 Try SSH protocols 2 only Start server If you're not able to connect to ssh server, add Port XXXX (pick your own number) to the config file. (sometimes it won't copy from the settings) Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu. Click on "Add a new bootup action script". Action Name: OPENSSH Script name: OPENSSH Bootup Commands: /usr/sbin/sshd Description: OpenSSH Provides: SSH Start Message: Starting OpenSSH Stop Message: Stopping OpenSSH Start at boot time?: Yes ======== SSH Server - SSH Login ======== Other -> SSH Login: Module config. Port to connect to: XXXX (pick your own number) ======== Amavisd-new ======== Path to AMaViSD-new amavisd: /usr/bin/amavisd Path to AMaViSD-new amavisd.conf: /etc/amavisd.conf Path to PID-File: /var/amavis/amavsid.pid default Domain: domainname.com Path to Amavis Start file: /etc/init.d/amavisd ======== Clam Antivirus ======== Configuration category: ClamAV ClamAV system user: _clamav ClamAV system group: _clamav Daemon init script path: /usr/sbin/clamd Logfile path: /var/log/clamav.log Configuration file path: /etc/clamd.conf Main virus signatures database path: /var/clamav/main.cld Daily virus signatures database path: /var/clamav/daily.cvd Configuration category: Freshclam Configuration file path: /etc/freshclam.conf Logfile path: /var/log/freshclam.log Daemon init script path: /etc/cron.daily/freshclam Press save Than press backup ======== AWstats ======== AWstats configuration directory: /Library/WebServer/awstats/wwwroot/cgi-bin/ Full path to AWstats program:/Library/WebServer/awstats/wwwroot/cgi-bin/awstats.pl Full path to AWstats icons directory: /Library/WebServer/awstats/wwwroot/icon Full path to AWstats lang directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lang Full path to AWstats lib directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lib Full path to AWstats plugins directory: /Library/WebServer/awstats/wwwroot/cgi-bin/plugins ======== CVS Server ======== Just click, "Initialize Repository" than "Setup" ======== Webalizer Logfile Analysis ======== Configurable options: Automatically include logfiles from: Apache, Squid, ProFTPd System configuration: Path to webalizer command: /usr/local/bin/webalizer Path to webalizer configuration file: /usr/local/etc/webalizer.conf Sample webalizer configuration file: /usr/local/etc/webalizer.conf.sample ======== PHP manage ======== Resource Limits: Maximum memory allocation 512M Maximum file upload size 64M Maximum input parsing time 360 Maximum HTTP POST size 64M Maximum execution time 360 Error Logging: Expression for error types: E_ALL & ~E_NOTICE Other Settings: Allow PHP scripts starting with <? ? YES ======== PHP Manuel ======== [apc] extension="/usr/local/Cellar/apc/3.1.9/apc.so" apc.enabled=1 apc.shm_segments=1 apc.shm_size=256M apc.ttl=7200 apc.user_ttl=7200 apc.num_files_hint=1024 apc.mmap_file_mask=/tmp/apc.XXXXXX apc.enable_cli=1 [memcache] extension="/usr/local/Cellar/memcache-php/2.2.6/memcache.so" [suhosin] extension=suhosin.so [oauth] extension=oauth.so [mcrypt] extension=mcrypt.so [imap] extension=imap.so [ffmpeg] extension=ffmpeg.so ======== Perl ======== Suggested Modules: Click install Selected Modules ans all will be included (small glidsh in webmin) ======== Log File Rotation ======== webmin -> Un-used Modules -> Log File Rotation Path to logrotate configuration file: /usr/local/etc/logrotate.conf Path to logrotate program: /usr/local/sbin/logrotate ======== Amavisd ======== #@local_domains_maps = ( [".$mydomain"] ); # list of all local domains @local_domains_maps = ( read_hash("/var/amavis/local_domains") ); into @local_domains_maps = ( [".$mydomain"] ); # list of all local domains #@local_domains_maps = ( read_hash("/var/amavis/local_domains") ); forward_method => 'smtp:[127.0.0.1]:10027', into forward_method => 'smtp:[127.0.0.1]:10025', uncomment $virus_admin if you would like to reseive emails (what's going on spam/virus wize) # $myhostname = 'host.example.com'; # must be a fully-qualified domain name! into $myhostname = 'space09.domainname.com'; # must be a fully-qualified domain name! ======== postgrey ======== Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu. Click on "Add a new bootup action script". Action Name: POSTGREY Script name: POSTGREY Bootup Commands: /var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey Description: POSTGREY Provides: filter Start Message: Starting postgrey Stop Message: Stopping postgrey Start at boot time?: Yes Click "Create" /etc/postfix/main.cf Change: smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,permit Into: smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,check_policy_service inet:127.0.0.1:10023 ======== mail server ======== check to see if your mailserver is running as should be http://www.mxtoolbox.com/ Check your DNS http://www.intodns.com/ ======== Webmin -> system ========== Apache Webserver Processes and Limits: Maximum requests per server process: 0 Minimum spare server processes: 5 Maximum spare server processes: 10 Initial server processes: 5 SSL Options: Fixed password: (pick a password for later on) Default Server: Virtual Server Options Directory Indexing: Directory index files index.html index.htm index.shtml index.php index.php4 index.php5 index.pl index.cgi SSL Options: Generate a .crt and .key file Step 1: Generate a Private Key The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text. openssl genrsa -des3 -out server.key 1024 Generating RSA private key, 1024 bit long modulus .........................................................++++++ ........++++++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: Step 2: Generate a CSR (Certificate Signing Request) Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section. During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows: openssl req -new -key server.key -out server.csr Country Name (2 letter code) [GB]:CH State or Province Name (full name) [Berkshire]:Bern Locality Name (eg, city) [Newbury]:Oberdiessbach Organization Name (eg, company) [My Company Ltd]:Akadia AG Organizational Unit Name (eg, section) []:Information Technology Common Name (eg, your name or your server's hostname) []:public.akadia.com Email Address []:martin dot zahn at akadia dot ch Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Step 3: Remove Passphrase from Key One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key: cp server.key server.key.org openssl rsa -in server.key.org -out server.key The newly created server.key file has no more passphrase in it. -rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr -rw-r--r-- 1 root root 891 Jun 29 13:22 server.key -rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org Step 4: Generating a Self-Signed Certificate At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate which is good for 365 days, issue the following command: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch Getting Private key Step 5: Installing the Private Key and Certificate When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled. cp server.crt /usr/local/apache/conf/ssl.crt cp server.key /usr/local/apache/conf/ssl.key Step 6: Configuring SSL Enabled Virtual Hosts SSLEngine on SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" Step 7: Restart Apache and Test apachectl stop apachectl start ======== check system configuration ======== Bind ok.... Postfix ok.... Suexec, need to be changed. (Virtualmin -> Virtualmin configuration -> defaults for new domain. enter /home2 -> press save Bind ok.... Postfix ok.... Apache ok.... Mysql ok.... PostgreSQL ok.... Logrotate ok.... All is running, but we are not done yet. Now we will configure webmin and virtualmin. ======== Webmin ========== webmin -> Webmin Configuration start at boot time: yes Trusted Referrers: Referrer checking enabled? yes Trust links from unknown referrers: yes Authentication: Support full PAM conversations? yes Use MD5 encryption for Webmin passwords (allows long passwords) YES ======== Webmin -> system ========== Disk Quotas, turn it on on the HD where your system runs on ======== Webmin -> system ========== Historic System Statistics: turn it on or leave it off. ( ======== Webmin -> Usermin Configuration ========== install Usermin -> Un-used Modules -> Usermin Configuration -> click on "install Usermin" webmin -> Usermin Configuration start at boot time: yes Authentication: Enable session authentication: yes Always require username and password: yes Support full PAM conversations? yes Available Modules: select you want to Usermin Access Control Options: Root directory for file chooser: User's home directory DAV Server: DAV enabled? Enabled Allow access to directory: User's home directory Restart usermin. ======== Webmin - Usermin -> PAM ========== PAM Authentication: cp /work/usermin-webmail-1.480/usermin-pam-osx /etc/pam.d/usermin cp /etc/pam.d/usermin /etc/pam.d/webmin For Dovecot cp /etc/pam.d/usermin /etc/pam.d/dovecot Open /etc/pam.d/dovecot and replace current listing with: # dovecot: auth account password session auth required pam_nologin.so auth sufficient pam_securityserver.so auth sufficient pam_unix.so auth required pam_deny.so account required pam_permit.so password required pam_deny.so session required pam_uwtmp.so ======== Webmin -> Usermin -> Usermin Configuration ========== Read mail: Mail storage format for Inbox: Qmail style Sendmail mail file location: ~${USER}/Maildir PostgreSQL Database: Path to psql command: /usr/bin/psql Path to PostgreSQL shared libraries: /usr/lib/postgresql Path to pg_dump command: /usr/bin/pg_dump Path to pg_restore command: /usr/bin/pg_restore Only show databases owned by user? yes SSH Login: Port number for SSH: XXXX (pick your own number) Upload and Download: Limit uploads and downloads to home directory? yes ======== Virtualmin -> System Settings -> Features and Plugins ========== Select all except "Spam filtering" and "virus filtering" We use our own (remember) ======== Virtualmin -> System Settings -> Server Templates ========== mkdir /etc/skel I moved my own under construction html files to it. The moment a new accounts has been created the under construction page is shown by default. Default Settings: Home directory: Substitute variables in contents? Yes Bind DNS domain: Custom TTL: 10800 Create new domains in view: com.apple.ServerAdmin.DNS.... Add SPF DNS record? Yes Does SPF record cover all senders? yes Mail for domain: Email message to send upon server creation: Message below .. Default quota for mail users: Unlimited Apache Website: Directives and settings for new websites: ServerName ${DOM} ServerAlias www.${DOM} DocumentRoot ${HOME}/public_html ErrorLog /var/log/virtualmin/${DOM}_error_log CustomLog /var/log/virtualmin/${DOM}_access_log combined ScriptAlias /cgi-bin/ ${HOME}/public_html/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 Options FollowSymLinks AllowOverride all Order allow,deny Allow from all Options FollowSymLinks +ExecCGI AddHandler cgi-script .cgi .pl Allow from all Configure Webmin to use same SSL cert for IP? Yes Configure Usermin to use same SSL cert for IP? Yes PHP configuration variables for scripts: memory_limit 256M Webmin Login: Webmin group for domain owners: hosting ======== Virtualmin -> System Settings -> Account Plans ========== You may create what you want here. I'll add a "Pro Plan" with all on unlimited ======== Virtualmin -> System Settings -> Virtualmin Configuration ========== User interface settings: Columns to show: pick your own Feature columns to show: pick your own Show mailbox size in users list? Yes Allow editing of limits when creating server? Yes Defaults for new domains: Home directory base: /Users Actions upon Server and User creation: Notify other modules when updating server administrator Unix users? yes Notify other modules when updating mailbox Unix users? Yes Add users with no SSH access to deniedssh group? yes Advanced Options: Delete all email aliases when disabling mail? Yes Allow creation of sub-domains? Yes ======== Un-used Modules -> squid ========== Module configuration: _ options Encryption method for proxy passwords: md5base64 system conf: Full path to squid config file: /usr/local/etc/squid.conf Squid executable: /usr/local/sbin/squid Full path to PID file: /usr/local/var/run/squid.pid Full path to squid cache directory: /usr/local/var/cache Squid cachemgr.cgi executable: /usr/local/Cellar/squid/3.1.9/libexec/cachemgr.cgi Full path to squid log directory: /usr/local/var/logs Path to squidclient program: /usr/local/bin/squidclient ======== Squid Report Generator ======== Module configuration. Full path to sarg executable: /usr/local/bin/sarg Full path to SARG configuration file: /usr/local/etc/sarg.conf ======== Apple OSX settings ======== chmod 777 /Library/Logs ======== Web server ======== There are 2 ways to setup apache. I choose to use the default settings of apache to work well with webmin. Specific setup for use with server.app is easy accomplish. Both instruction will be posted on a later stage. ======== Mail server ======== A complete solution will be provided. Stay tuned. (Below is the raw version, for those who requested.) ======== Dovecot IMAP/POP3 Server ======== We will configure the mail our selves, but to get all config files created please launge "Admin Server" add mail and start the mail server. This will generate all files we need. (stop the mail server when generation is done) Dovecot server program: /usr/sbin/dovecotd Full path to Dovecot configuration file: /etc/dovecot/dovecot.conf Dovecot server PID file: /var/run/dovecot/master.pid Mail Files: Mail file location: Inbox and folders in ~/Maildir UIDL format: %08Xu%08Xv ======== Postfix Mail Server ======== The message "group or other writable" means that another user (not the owner) is able to write. You can fix it with chmod. Example to remove group write permissions $ sudo chmod g-w /Library/Server/Mail/Data/mta Suggest to create a backup of /etc/postfix /etc/dovecot and /etc/apache2 cd /etc /Developer/Tools/CpMac -r apache2 "apache2 backup" /Developer/Tools/CpMac -r postfix "postfix backup" /Developer/Tools/CpMac -r dovecot "dovecot backup" While it's possible to write all steps by hand, I decided to attach the config files. (change my files and copy them to the ment folders. i'll explain during the process) after copy: chown root:wheel /private/etc/postfix/* chmod g-w /var/lib/postfix cd /etc/postfix postmap hash:access postmap hash:transport postmap hash:sender_access General Options: What domains to receive mail for: $myhostname Network interfaces for receiving mail: All Local internet domain name: Default Mail queue directory: /var/spool/postfix rm -r /var/spool/postfix mkdir /var/spool/postfix Mail Aliases: Alias databases used by the local delivery agent: Map specifications: hash:/etc/postfix/aliases Canonical Mapping: Tables for recipient addresses: No map set Virtual Domains: Domain mapping lookup tables: hash:/etc/postfix/virtual Transport Mapping: Transport mapping lookup tables: Map specifications: hash:/etc/postfix/smtproutes Header Checks: Example header checks Body Checks: Message body checking tables: Map specifications: pcre:/etc/postfix/custom_body_checks Example body checks Local Delivery: Home-relative pathname of user mailbox file: Maildir/ External command to use instead of mailbox delivery: /usr/libexec/dovecot/deliver Optional actual transport to use: None SMTP Server Options: Timeout in seconds for SMTP transactions: 300s Disable SMTP VRFY command: Yes Error count for closing connection: 20 Restrictions on sends in HELO commands: permit_mynetworks,check_helo_access hash:/etc/postfix/access,permit_auth_destination,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_invalid_hostname,permit Restrictions on sender addresses: permit_sasl_authenticated,permit_mynetworks,permit_auth_destination,reject_non_fqdn_sender,reject_unknown_sender_domain,permit Restrictions on recipient addresses: reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,permit cd /etc/postfix postmap hash:sender_access postmap hash:access SMTP Authentication And Encryption: Handle non-compliant SMTP clients?: yes SMTP security options: none SMTP Client Restrictions: Client restrictions: Postfix default (allow all clients) (all off) Edit main.cf data_directory = /var/lib/postfix rm /var/lib/postfix mkdir /var/lib/postfix chown _postfix /var/lib/postfix Show main.cf file (example domainnames) ==> virtual_transport = lmtp:unix:/var/imap/socket/lmtp Edit greylist.pl (/usr/libexec/postfix/greylist.pl) change: /Library/Server/Mail/Data/mta/ into: /var/lib/postfix/ Edit Master.cf: Show master.cf file (example domainnames) Daily, 2012-01-05T12:54:29+00:00