4Elements, Amsterdam, Holland

Part II: Preparations.

Full web server, mailserver, caldav and carddav with webmin/virtualmin.

Update OS X 10.7 server software.
Download Xcode 4.1 + install
Download ServerAdminTools + install
Download Java + install
Download java developer + install
Repair permissions

Xcode 4.2 discontinued GCC 4.2 compiler and downgraded LLVM-GCC to 'legacy' compiler.
Meaning that a lot of scripts/programs will not compile right until they are updated.
This is the reason I stayed with Xcode 4.1. If you encounter problems please downgrade your Xcode 4.2.x to 4.1. (if you relay on my ffmpeg bash script you need to use Xcode 4.1)

Preps:
- While push mail didn't work for my setup, I decided to not use it.
- But also when push was enabled, using my mac email account, I was not able to send a mail to my mac email account from the server. It continues to get back. (loop)
- After installation, at the server setup section. Do not enter your mac account.

Set computer name: server
Set NS name: server.yourdomain.com

Enable Root:
Macintosh HD -> System -> Library -> CoreServices -> Directory Utility
Menu -> edit -> enable Root
Enter a new password 2 times.
Root enabled

Dedicate system resources:
Start the server.app
Select your computer under hardware.
Press on settings. (see image)
Disable "Dedicate system resources to server services"
Restart your server.

 

Part III: Installation.

We are going to use brew to install several libs and programs.
Big advantage of brew is that it makes simlinks into the local bin, lib and sbin folders.
No mess as macports or fink (let's say I like this way better)

======= Brew =======
Brew will ask to add and change some path info. You may do this by editing
BBEdit:

open /etc/paths
/usr/local/sbin (infront of /usr/sbin/)
/usr/local/bin (infront of /usr/bin/)

Terminal:

mkdir /usr/local/Cellar

/usr/bin/ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)"

Only in case there is an error.

chown name:admin /usr/local/share
chown name:admin /usr/local/share/man
chown name:admin /usr/local/share/man/man1
chown name:admin /usr/local/Cellar

Terminal:
brew update

brew install GD
brew install wget
brew install apc
brew install libtiff
brew install ghostscript
brew install imagemagick
brew install logrotate
brew install mcrypt
brew install qdbm
brew install memcached
brew install memcache-php
brew install memcache-top
brew install lynx
brew install smartmontools
brew install libconfig
brew install GnuPG
brew install re2c

Some extra brews I could use.

brew install xmlrpc-c
brew install xml-coreutils
brew install webfs
brew install webkit2png

Read my notes.

brew install ffmpeg *
brew install ffmpeg-php *
brew install rrdtool **
brew install ruby **
brew install lsof **
brew install snort **
brew install libxml2 **
brew install cairo **
brew install squid ****
brew install webalizer ***
brew install mysql *****

* don't use brew for this, I wrote a script that will install it all for you, and this one works
** only needed if you would like to install system stats in webmin.
*** do not install trough brew, berkery DB will cause some problems later on. (example squid or when you want to run your own postfix version)
**** only needed if you would like to run squid proxy.
***** Or follow the steps below (recommended)

======= Create a work folder =======
We are going to download some software that we need to compile. The most clean way is to create a folder where we will put all the files.
My case "work" on your main HD.

mkdir /work

======= Installing FFMPEG and FFMPEG-php =======
Download my script into the work folder.
Open terminal and su root.

cd /work
wget http://www.4elements.com/files/macmini_server/ffmpegphp_ok.sh.zip
unzip ffmpegphp_ok.sh.zip
bash ffmpegphp_ok.sh

This will take a while.

======= Installing MYSQL =======
Download MYSQL: http://dev.mysql.com/downloads/mysql/
Pick the "Mac OS X ver 10.6 (x86, 64-bit), DMG" mysql-5.5.16-osx10.6-x86_64.dmg

Turn mysql on. (system prefs)

sudo mkdir /var/mysql
sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock

ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql
ln -s /usr/local/mysql/bin/mysqld /usr/libexec/mysqld

Add to /etc/paths

/usr/local/mysql/bin"

sudo install_name_tool -id /usr/local/mysql/lib/libmysqlclient.18.dylib /usr/local/mysql/lib/libmysqlclient.dylib

Set up MySQL root password: (without the {})

/usr/local/mysql/bin/mysqladmin -u root password {password}
/usr/local/mysql/bin/mysqladmin -u root -p{password} -h localhost password {password}
/usr/local/mysql/bin/mysqladmin -u root -p{password} reload

======= Installing CPAN =======
Su root
cpan (OSX 10.7 has 64bit as default, all will be installed as 64bit)

Parameters for the 'make' command? Typical frequently used setting:

-j3 # dual processor system (on GNU make)
your choice -j6

CPAN Shell> install CPAN
CPAN Shell> install YAML YAML::Syck

CPAN Shell> install DBI
CPAN Shell> install DBD::mysql
CPAN Shell> install DBD::Pg
CPAN Shell> install Bundle::DBI Bundle::DBD::mysql Bundle::DBD::Pg
CPAN Shell> install SQL::Statement Net::SSLeay Authen::PAM Net::LDAP

webmin, install needed for clamAV module

CPAN Shell> install Benchmark::Timer
CPAN Shell> install Mail::Mbox::MessageParser
CPAN Shell> force install GD
CPAN Shell> install GD::Graph::lines GD::Text
CPAN Shell> install Date::Manip
CPAN Shell> install Compress::Zlib HTML::Entities Getopt::Long IO::File
CPAN Shell> install Net::SMTP IO::Socket Mail::Internet

For webmin stats:

CPAN Shell> install Cwd English CGI::Carp Bundle::LWP
CPAN Shell> install Date::Calc Bundle::libnet Crypt::SSLeay

CPAN Shell> install Mail::SPF Net::DNS::Resolver::Programmable
CPAN Shell> install Bundle::Email Geo::IPfree Net::XWhois SOAP::Lite

Postgrey

CPAN Shell> install Net::Server IO::Multiplex Filesys::Virtual::Plain Net::DAV::Server

http://search.cpan.org and download the following:

NetAddr::IP
Data::Dumper
Digest::MD5
Storable

By hand:

tar xfvz /work/Data-Dumper-2.131.tar.gz
tar xfvz /work/Digest-MD5-2.51.tar.gz
tar xfvz /work/NetAddr-IP-4.050.tar.gz
tar xfvz /work/Storable-2.30.tar.gz

cd /work/Data-Dumper-2.131
perl Makefile.pl
make
make install
cd /work/Digest-MD5-2.51
perl Makefile.pl
make
make install
cd /work/NetAddr-IP-4.050
perl Makefile.pl
make
make install
cd /work/Storable-2.30
perl Makefile.pl
make
make install

======= Apache Mod_perl =======

cd /work
wget http://perl.apache.org/dist/mod_perl-2.0-current.tar.gz
tar xfvz /work/mod_perl-2.0-current.tar.gz
cd /work/mod_perl-2.0.5
perl Makefile.PL MP_APXS=/usr/sbin/apxs \
MP_APR_CONFIG=/usr/bin/apr-1-config

/etc/apache2/httpd.conf
LoadModule perl_module libexec/apache2/mod_perl.so

======= Apache suexec =======

cd /work
wget http://apache.proserve.nl//httpd/httpd-2.2.21.tar.gz
tar xfvz httpd-2.2.21.tar.gz
cd /work/httpd-2.2.21
./configure --with-layout=Darwin --enable-suexec --with-suexec-caller=_www --with-suexec-docroot=/home2 --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec_log
make

sudo cp /work/httpd-2.2.21/support/suexec /usr/bin/
sudo chown root:_www /usr/bin/suexec
sudo chmod 4750 /usr/bin/suexec

cd /work/httpd-2.2.21/modules/generators
sudo apxs -i -a -c mod_suexec.c
(gcc -fpic -DSHARED_MODULE -I/usr/include/apache2 -c mod_suexec.c)

======= host =======

Edit host file:
goto /etc
open file "host" with BBEdit.
127.0.0.1 localhost
XX.XX.XX.XX Hostname.domainname.com (XX is your static IP, hostname and domainname are your chosen one)

======= ProFtp =======

Install ProFtp proftpd-1.3.4rc2.tar.gz
cd /work
wget http://ftp.heanet.ie/mirrors/ftp.proftpd.org/distrib/source/proftpd-1.3.4rc2.tar.gz
tar xfvz /work/proftpd-1.3.4rc2.tar.gz
cd /work/proftpd-1.3.4rc2
./configure --prefix=/usr/local/proftpd
make
make install
cp /private/etc/pam.d/ftpd /private/etc/pam.d/ftp
Shell /bin/false for FTP users is not included in /etc/shells, which may prevent FTP access.

======= ssl hosting =======

Cert for ssl hosting:
openssl genrsa -des3 -out www.yourdomain.com.key 2048
cat www.yourdomain.com.key
openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr
ls -ltr www.yourdomain.*

openssl x509 -req -days 365 -in www.yourdomain.com.csr -signkey www.yourdomain.com.key -out www.yourdomain.com.crt

cat www.yourdomain.com.crt

======= webalizer =======

cd /work
wget ftp://ftp.mrunix.net/pub/webalizer/webalizer-2.23-05-src.tgz
tar xfvz /work/webalizer-2.23-05-src.tgz
cd /work/webalizer-2.23-05
./configure --with-pnglib=/usr/X11/lib --enable-geoip
make
make install

======= awstats =======

http://awstats.sourceforge.net/
cd /home2
wget http://sourceforge.net/projects/awstats/files/AWStats/7.0/awstats-7.0.tar.gz
tar xfvz awstats-7.0.tar.gz
mv awstats-7.0 awstats
cd /home2/awstats/tools/
perl awstats_configure.pl
cd /home2

rm -r awstats-7.0.tar.gz

======= Postgrey =======

cd /work
wget http://pkgs.fedoraproject.org/repo/pkgs/postgrey/postgrey-1.34.tar.gz/f736a7be1094593f1a66cd13f32b39ef/postgrey-1.34.tar.gz
tar xfvz postgrey-1.34.tar.gz
cd /work/postgrey-1.34

mkdir /var/spool/postfix/postgrey
cp postgrey /var/spool/postfix/postgrey
cp postgrey_whitelist_clients /etc/postfix/postgrey_whitelist_clients
cp postgrey_whitelist_recipients /etc/postfix/postgrey_whitelist_recipients
chown -R _amavisd /var/spool/postfix/postgrey
chgrp -R _amavisd /var/spool/postfix/postgrey
chmod -R 755 /var/spool/postfix/postgrey
/var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=_amavisd --group=_amavisd

======= rrdtool =======

Download rrdtool-1.4.5
cd /work
tar xfvz rrdtool-1.4.5.tar.gz
cd /work/rrdtool-1.4.5

./configure
make && make Install
On your main HD you will find a folder "opt"

cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/RRDp.pm /Library/Perl/5.12/RRDp.pm
cp -r /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/auto/RRDp/ /Library/Perl/5.12/darwin-thread-multi-2level/auto/RRDp/
cp -r /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/auto/RRDs/ /Library/Perl/5.12/darwin-thread-multi-2level/auto/RRDs/
cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/perllocal.pod /Library/Perl/5.12/darwin-thread-multi-2level/perllocal.pod
cp /opt/rrdtool-1.4.5/lib/perl/5.12.3/darwin-thread-multi-2level/RRDs.pm /Library/Perl/5.12/darwin-thread-multi-2level/RRDs.pm

Now open de screen webminstats in webmin, some errrors for some modules that won't work on os x and you get your working webminstats. Turn it on and let it run 1 hour. (nice graphics

======= Logrotate =======

/usr/local/sbin/logrotate
/usr/local/etc/logrotate.conf (download)

======= php suhosin =======

cd /work
wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz
tar xfvz suhosin-0.9.32.1.tar.gz
cd /work/suhosin-0.9.32.1
phpize
./configure
make
make install

add the folowing to /etc/php.ini
extension=suhosin.so

======= php PEAR =======

We need PEAR! For some reason, it's not set up ready to on Lion, but the install phar file is here, so we just need to run it.

cd /usr/lib/php
sudo php install-pear-nozlib.phar
Edit /etc/php.ini and find the line: ;include_path = ".:/php/includes" and change it to:
include_path = ".:/usr/lib/php/pear"
sudo pear channel-update pear.php.net
sudo pecl channel-update pecl.php.net
sudo pear upgrade-all

PHPUnit and friends
I assume that everyone needs these…
sudo pear channel-discover pear.phpunit.de
sudo pear channel-discover components.ez.no
sudo pear channel-discover pear.symfony-project.com
sudo pear install phpunit/PHPUnit
sudo pear install phpunit/phpcpd
sudo pear install PHP_CodeSniffer

======= php PECL OAuth =======

A couple of projects I work on use the PECL OAuth component:
cd /work
wget http://sourceforge.net/projects/pcre/files/pcre/8.12/pcre-8.12.tar.gz
tar xfvz pcre-8.12.tar.gz
cd /work/pcre-8.12
./configure
sudo cp pcre.h /usr/include/
Remove the pcre folder on your desktop as you don't need it any more
sudo pecl install oauth
Edit/etc/php.ini add these lines to the end of the file:

[oauth]
extension=oauth.so
Restart apache: sudo apachectl restart and check in the phpinfo that OAuth is now loaded.

======= php mcrypt =======

cd /work
wget http://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz
tar xfvz libmcrypt-2.5.8.tar.gz
cd /work/libmcrypt-2.5.8
MACOSX_DEPLOYMENT_TARGET=10.7 CFLAGS='-O3 -fno-common -arch i386 -arch x86_64' LDFLAGS='-O3 -arch i386 -arch x86_64' CXXFLAGS='-O3 -fno-common -arch i386 -arch x86_64' ./configure --disable-dependency-tracking
make -j6
make install

cd /work
wget http://us.php.net/get/php-5.3.6.tar.gz/from/nl.php.net/mirror
tar xfvz php-5.3.6.tar.gz
cd /work/php-5.3.6/ext/mcrypt
/usr/bin/phpize
MACOSX_DEPLOYMENT_TARGET=10.7 CFLAGS='-O3 -fno-common -arch i386 -arch x86_64' LDFLAGS='-O3 -arch i386 -arch x86_64' CXXFLAGS='-O3 -fno-common -arch i386 -arch x86_64' ./configure --with-php-config=/Developer/SDKs/MacOSX10.7.sdk/usr/bin/php-config
make -j6
make install
sudo apachectl restart
extension=mcrypt.so

======= logwatch =======

cd /work
wget http://sourceforge.net/projects/logwatch/files/logwatch-7.4.0/logwatch-7.4.0.tar.gz
tar xfvz logwatch-7.4.0.tar.gz
cd /work/logwatch-7.4.0

bash install_logwatch.sh

======= pflogsumm =======

cd /work
wget http://linxnet.com/downloads/pflogsumm-1.1.1.tar.gz
tar xfvz pflogsumm-1.1.1.tar.gz
cd /work/pflogsumm-1.1.1

cp pflogsumm.pl /usr/local/bin/pflogsumm
chown root:wheel /usr/local/bin/pflogsumm
chmod 755 /usr/local/bin/pflogsumm

mkdir /usr/local/man/man1/
cp pflogsumm.1 /usr/local/man/man1/pflogsumm.1
chown root:wheel /usr/local/man/man1/pflogsumm.1
chmod 644 /usr/local/man/man1/pflogsumm.1

======= squid =======

cd /work
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.15.tar.gz
tar xfvz squid-3.1.15.tar.gz
cd /work/squid-3.1.15
./configure --enable-ssl --enable-delay-pools

cd /work
wget http://sourceforge.net/projects/sarg/files/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz
tar xfvz sarg-2.3.1.tar.gz
cd /work/sarg-2.3.1
./configure
make
make install

======= PHP Imap =======

cd /work
wget http://ftp.ntua.gr/pub/net/mail/imap/imap-2007f.tar.gz
tar xfvz imap-2007f.tar.gz

mv /work/imap-2007f /usr/local/imap-2007
cd /usr/local/imap-2007
make osx
sudo cp c-client/c-client.a c-client/libc-client.a

cd /work
tar xfvz php-5.3.6.tar.gz
cd /work/php-5.3.6/ext/imap
phpize
./configure --with-imap=/usr/local/imap-2007 --with-kerberos --with-imap-ssl
make
cp modules/imap.so /usr/lib/php/extensions/no-debug-non-zts-20090626/

add extension=imap.so
to php.ini

======= webmin/usermin/virtualmin =======

cd /work
wget: http://sourceforge.net/projects/webadmin/files/webmin/1.570/webmin-1.570.tar.gz
tar xfvz webmin-1.570.tar.gz
cd /work/webmin-1.570
./setup.sh
admin username: root
pass: use your root password

cd /work
wget http://sourceforge.net/projects/webadmin/files/usermin/1.490/usermin-1.490.tar.gz
tar xfvz usermin-webmail-1.480.tar.gz
cd /work/usermin-webmail-1.480
./setup.sh

Open webmin website and install virtualmin server + virtualmin server template
wget http://download.webmin.com/download/virtualmin/virtual-server-3.89.gpl.wbm.gz
wget http://download.webmin.com/download/virtualmin/virtual-server-theme-8.1.wbt.gz

In webmin, these two modules are hard to find on the internet.
download and install wbmclamav-0.14.wbm.gz
download and install amavisd_1.8-for-amavisdV2.038.wbm

 

On request, I did get many requests for this section, hereby the uncut version of Part IV: Settings. Still need to rewrite and change information, but that's for later.

Part IV: Settings.

======= Webmin ========
Post-Installation Wizard
- Install Virtualmin
- Install Virtualmin template
- DNS need to setup,
- PostgreSQL
- MySQL

goto your webmin url in safari or firefox.
https://your.givenname.com:10000
login with root and root password

click on webmin, at the left. -> webmin configuration.
click on webmin modules and select + install virtualmin
Click on Return to Webmin configuration
click on Webmin Themes -> Install theme
click on Return to themes list
select virtualmin template and click on change...

page will reload and will be shown the new template.
Click on webmin, left top
click on "servers" from the left menu
clcik on BIND DNS Server

======== DNS ========
DNS module Configuration
Display options:
Reverse zone must exist? yes
Zone file options:
Serial number style: Date based (YYYYMMDDnn)

DNS Configuration:
Addresses and Topology
Ports and addresses: Listed below
Port number: 53
Addresses: any

Zone Defaults
Allow transfers from.. default
Refresh time: 10800
Expiry time: 1209600
Transfer retry time: 3600
Negative cache time: 10800
Default email address: email addes your like to use
Default nameserver for master domains: ns01.servername.com
and press save.

than create an default master zone of the domain used for your host name.
(this domain name will also be used for name server. aka mailserver)
It should look like this.

$ttl 10800
domainname.com. IN SOA ns01.domainname.com. info.domainname.com. (
2011102600
10800
3600
1209600
10800 )
domainname.com. IN A xx.xx.xx.xx
www.domainname.com. IN A xx.xx.xx.xx
mail.domainname.com. IN A xx.xx.xx.xx
ftp.domainname.com. IN A xx.xx.xx.xx
ns01.domainname.com. 14400 IN A xx.xx.xx.xx
ns02.domainname.com. 14400 IN A xx.xx.xx.xx
domainname.com. 86400 IN NS ns01.domainname.com.
domainname.com. 86400 IN NS ns02.domainname.com.
domainname.com. IN MX 10 mail.domainname.com.

Now goto your domain rigistar and add at the dns section
ns01.yourdomain.com - IP address here
ns02.yourdomain.com - IP address here
it can take upto 24 hours before it's progressed.
(depending on the domain rigistar you use)

======== PostgreSQL ========
If you not already done it by now. start server and let it load.
than quit the server (PostgreSQL will be configured and activated now)

under unused modules at the right pick, PostgreSQL
click on module configure

Options:
Administrator login: _postgres
password: set password to your root password.

System configuration:
Path to psql command: /usr/bin/psql
Path to PostgreSQL shared libraries: /usr/lib/postgresql
Initial PostgreSQL database: template1
Command to start PostgreSQL: su _postgres -c "/usr/bin/pg_ctl -D/private/var/pgsql"
Path to postmaster PID file: /private/var/pgsql/postmaster.pid
Paths to host access config file: /private/var/pgsql/pg_hba.conf
Path to pg_dump command: /usr/bin/pg_dump
Path to pg_restore command: /usr/bin/pg_restore
press save and PostgreSQL webinterface is loading..

======== MySQL ========
under server, click on MySQL
enter your password.
press save
Click on Module Config -> system configure
Path to mysqld command: /usr/local/mysql/bin/mysqld
Click on save

Mysql is done.

======== Post-Installation Wizard ========
press on system information left bottom.

Post-Installation Wizard
Preload Virtualmin libraries? Yes
Run MySQL database server? Yes
Run PostgreSQL database server? Yes
Change MySQL password Leave un-changed
DNS: keep your hostname as main.
enter as 2nd your ns02.#censored#
(if you get an error, restart dns and try again)
Password storage mode: store plain-text passwords

======== setting up continue webmin and virtualmin ========
Before we set the other settings, first install all needed modules first.

http://software.virtualmin.com/gpl/wbm/
Module php pear: http://software.virtualmin.com/gpl/wbm/php-pear-1.5.wbm.gz
Module Ruby GEMS: http://software.virtualmin.com/gpl/wbm/ruby-gems-1.4.wbm.gz
virtualmin-dav: http://software.virtualmin.com/gpl/wbm/virtualmin-dav-3.5.wbm.gz
virtualmin-awstats: http://software.virtualmin.com/gpl/wbm/virtualmin-awstats-4.6.wbm.gz
virtual-server-mobile: http://software.virtualmin.com/gpl/wbm/virtual-server-mobile-2.4.wbt.gz
virtualmin-svn: http://software.virtualmin.com/gpl/wbm/virtualmin-svn-4.9.wbm.gz
virtualmin-htpasswd: http://software.virtualmin.com/gpl/wbm/virtualmin-htpasswd-2.5.wbm.gz

amavisd: I have a rare copy... only downloadable from our site.
Webmin -> webmin -> webmin configuration -> Webmin Modules

======== Feature or Plugin ========
Our coal:

Feature or Plugin
+ Administration user
+ Home directory
+ BIND DNS domain
+ Mail for domain
+ Apache website
+ Webalizer reporting
+ SSL website
+ Log file rotation
+ MySQL database
+ PostgreSQL database
+ ProFTPd virtual FTP
- Spam filtering
- Virus filtering
+ Webmin login
+ AWstats reporting Plugin
+ DAV Login Plugin

Spam and virus will be handled by AwavisD-New and Clam Antivirus

======== PRO FTP ========
webmin -> Un-used Modules -> proftp -> module config

ProFTP:
Path to ProFTPD config file: /usr/local/proftpd/etc/proftpd.conf
Path to ProFTPD executable: /usr/local/proftpd/sbin/proftpd
Path to ProFTPD PID file:/usr/local/proftpd/var/proftpd.pid
Path to ftpusers file None (was /etc/ftpusers)

Before we can start ProFTPD, we need to make some OS X specific adjustments. Go ahead and open up the "ProFTPD Server" module under the "Servers" section. Select the "Edit Config Files" option. Look for the line that has the comment "Set the user and group under which the server will run." and comment out the next two lines so it looks like this:

# Set the user and group under which the server will run.
#User nobody
#Group nogroup
Click the "Save" button to return to the main menu. By now you should have a functional FTP server. However, thier are a couple of "tweaks" I like to do to make things work a little better. Lets start by removing the login delay.

Click on "Networking Options" in the ProFTPD module's main menu.
Change the "Do reverse DNS lookups of client" option to "No".
Change the "Lookup remote ident username" option to "No".
PASV port range: 60000 - 65535
Click "Save" to save and return to the main menu.

Lets allow the use of "CHMOD":
In the main menu, under "Virtual Servers" click "Default server".
Under "Per-directory and Per-command options" click "Commands SITE_CHMOD".
Click "Access Control".
Change the "Access Control Policy" option to "Allow all clients".
Click "SITE_CHMOD".
set FTP commands to All (or just what you like)

Click "Save" to save. Then click "return to main menu".

Limit Users to Home Directory:
Click on "Files and Directoriess" in the main menu.
Change the "Limit users to directories" option to "Home Directory".
Click "Save" to save and return to the main menu".

To avoid hack attacks, change the port number of proftp.
I changed it from port 21 to XXXX (pick your own number)
I also disabled anonymous ftp.

Download config file.....

-----> proftp settings file bijsluiten
Starting ProFTPD Automaticly on Boot
You probably want ProFTPD to start automaticly on boot instead of having to start it up manually each time. To setup an OS X startup item, just use Webmin.

Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
Click on "Add a new bootup action script".
Action Name: PROFTPD
Script name: PROFTPD
Bootup Commands: /usr/local/proftpd/sbin/proftpd
Description: ProFTPD
Provides: FTP
Start Message: Starting ProFTPD
Stop Message: Stopping ProFTPD
Start at boot time?: Yes
Click "Create"

Shell /bin/false for FTP users is not included in /etc/shells, which may prevent FTP access.
Create a group names ftp

======== SSH Server - OpenSSH_5.6 ========
Authentication:
Allow authentication by password? No
Allow login by root? No (before server setup - yes)
Allow RSA (SSH 1) authentication? no

Networking:
Listen on port XXXX (pick your own number)
Accept protocols SSH v2
Deny members of groups deniedssh (create this group)

User SSH Key Setup
Setup SSH key for new Unix users? yes

Host SSH Keys
Create a ssh_host_key.pub, ssh_host_rsa_key.pub and ssh_host_dsa_key.pub
under /private/etc/
Use provided script (sh sshd-key-gen)

Client Host Options
Edit Host Options
Port to connect to xxxxx (your own unique number here)
Number of connection attempts 2
Try SSH protocols 2 only

Start server
If you're not able to connect to ssh server, add Port XXXX (pick your own number)
to the config file. (sometimes it won't copy from the settings)

Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
Click on "Add a new bootup action script".
Action Name: OPENSSH
Script name: OPENSSH
Bootup Commands: /usr/sbin/sshd
Description: OpenSSH
Provides: SSH
Start Message: Starting OpenSSH
Stop Message: Stopping OpenSSH
Start at boot time?: Yes

======== SSH Server - SSH Login ========
Other -> SSH Login:
Module config.
Port to connect to: XXXX (pick your own number)

======== Amavisd-new ========
Path to AMaViSD-new amavisd: /usr/bin/amavisd
Path to AMaViSD-new amavisd.conf: /etc/amavisd.conf
Path to PID-File: /var/amavis/amavsid.pid
default Domain: domainname.com
Path to Amavis Start file: /etc/init.d/amavisd

======== Clam Antivirus ========
Configuration category: ClamAV
ClamAV system user: _clamav
ClamAV system group: _clamav
Daemon init script path: /usr/sbin/clamd
Logfile path: /var/log/clamav.log
Configuration file path: /etc/clamd.conf
Main virus signatures database path: /var/clamav/main.cld
Daily virus signatures database path: /var/clamav/daily.cvd

Configuration category: Freshclam
Configuration file path: /etc/freshclam.conf
Logfile path: /var/log/freshclam.log
Daemon init script path: /etc/cron.daily/freshclam

Press save
Than press backup

======== AWstats ========
AWstats configuration directory: /Library/WebServer/awstats/wwwroot/cgi-bin/
Full path to AWstats program:/Library/WebServer/awstats/wwwroot/cgi-bin/awstats.pl
Full path to AWstats icons directory: /Library/WebServer/awstats/wwwroot/icon
Full path to AWstats lang directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lang
Full path to AWstats lib directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lib
Full path to AWstats plugins directory: /Library/WebServer/awstats/wwwroot/cgi-bin/plugins

======== CVS Server ========
Just click, "Initialize Repository" than "Setup"

======== Webalizer Logfile Analysis ========
Configurable options:
Automatically include logfiles from: Apache, Squid, ProFTPd

System configuration:
Path to webalizer command: /usr/local/bin/webalizer
Path to webalizer configuration file: /usr/local/etc/webalizer.conf
Sample webalizer configuration file: /usr/local/etc/webalizer.conf.sample

======== PHP manage ========
Resource Limits:
Maximum memory allocation 512M
Maximum file upload size 64M
Maximum input parsing time 360
Maximum HTTP POST size 64M
Maximum execution time 360

Error Logging:
Expression for error types: E_ALL & ~E_NOTICE

Other Settings:
Allow PHP scripts starting with <? ? YES

======== PHP Manuel ========
[apc]
extension="/usr/local/Cellar/apc/3.1.9/apc.so"
apc.enabled=1
apc.shm_segments=1
apc.shm_size=256M
apc.ttl=7200
apc.user_ttl=7200
apc.num_files_hint=1024
apc.mmap_file_mask=/tmp/apc.XXXXXX
apc.enable_cli=1

[memcache]
extension="/usr/local/Cellar/memcache-php/2.2.6/memcache.so"

[suhosin]
extension=suhosin.so

[oauth]
extension=oauth.so

[mcrypt]
extension=mcrypt.so

[imap]
extension=imap.so

[ffmpeg]
extension=ffmpeg.so


======== Perl ========
Suggested Modules: Click install Selected Modules ans all will be included (small glidsh in webmin)

======== Log File Rotation ========
webmin -> Un-used Modules -> Log File Rotation
Path to logrotate configuration file: /usr/local/etc/logrotate.conf
Path to logrotate program: /usr/local/sbin/logrotate

======== Amavisd ========
#@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
@local_domains_maps = ( read_hash("/var/amavis/local_domains") );

into

@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
#@local_domains_maps = ( read_hash("/var/amavis/local_domains") );

forward_method => 'smtp:[127.0.0.1]:10027',
into
forward_method => 'smtp:[127.0.0.1]:10025',

uncomment $virus_admin if you would like to reseive emails (what's going on spam/virus wize)

# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
into
$myhostname = 'space09.domainname.com'; # must be a fully-qualified domain name!


======== postgrey ========
Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
Click on "Add a new bootup action script".
Action Name: POSTGREY
Script name: POSTGREY
Bootup Commands: /var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey
Description: POSTGREY
Provides: filter
Start Message: Starting postgrey
Stop Message: Stopping postgrey
Start at boot time?: Yes
Click "Create"

/etc/postfix/main.cf

Change:
smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,permit

Into:

smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client bl.spamcop.net,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,check_policy_service inet:127.0.0.1:10023

======== mail server ========
check to see if your mailserver is running as should be
http://www.mxtoolbox.com/

Check your DNS
http://www.intodns.com/

======== Webmin -> system ==========
Apache Webserver

Processes and Limits:
Maximum requests per server process: 0
Minimum spare server processes: 5
Maximum spare server processes: 10
Initial server processes: 5

SSL Options:
Fixed password: (pick a password for later on)

Default Server: Virtual Server Options

Directory Indexing:
Directory index files
index.html
index.htm
index.shtml
index.php
index.php4
index.php5
index.pl
index.cgi

SSL Options: Generate a .crt and .key file

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file has no more passphrase in it.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Step 7: Restart Apache and Test

apachectl stop
apachectl start


======== check system configuration ========
Bind ok....
Postfix ok....
Suexec, need to be changed.
(Virtualmin -> Virtualmin configuration -> defaults for new domain. enter /home2 -> press save

Bind ok....
Postfix ok....
Apache ok....
Mysql ok....
PostgreSQL ok....
Logrotate ok....

All is running, but we are not done yet.
Now we will configure webmin and virtualmin.

======== Webmin ==========
webmin -> Webmin Configuration
start at boot time: yes

Trusted Referrers:
Referrer checking enabled? yes
Trust links from unknown referrers: yes

Authentication:
Support full PAM conversations? yes
Use MD5 encryption for Webmin passwords (allows long passwords) YES

======== Webmin -> system ==========
Disk Quotas, turn it on on the HD where your system runs on

======== Webmin -> system ==========
Historic System Statistics: turn it on or leave it off. (

======== Webmin -> Usermin Configuration ==========
install Usermin -> Un-used Modules -> Usermin Configuration -> click on "install Usermin"

webmin -> Usermin Configuration
start at boot time: yes

Authentication:
Enable session authentication: yes
Always require username and password: yes
Support full PAM conversations? yes

Available Modules:
select you want to Usermin

Access Control Options:
Root directory for file chooser: User's home directory

DAV Server:
DAV enabled? Enabled
Allow access to directory: User's home directory

Restart usermin.

======== Webmin - Usermin -> PAM ==========
PAM Authentication:
cp /work/usermin-webmail-1.480/usermin-pam-osx /etc/pam.d/usermin
cp /etc/pam.d/usermin /etc/pam.d/webmin
For Dovecot
cp /etc/pam.d/usermin /etc/pam.d/dovecot
Open /etc/pam.d/dovecot and replace current listing with:

# dovecot: auth account password session
auth required pam_nologin.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_uwtmp.so

======== Webmin -> Usermin -> Usermin Configuration ==========
Read mail:
Mail storage format for Inbox: Qmail style
Sendmail mail file location: ~${USER}/Maildir

PostgreSQL Database:
Path to psql command: /usr/bin/psql
Path to PostgreSQL shared libraries: /usr/lib/postgresql
Path to pg_dump command: /usr/bin/pg_dump
Path to pg_restore command: /usr/bin/pg_restore
Only show databases owned by user? yes

SSH Login:
Port number for SSH: XXXX (pick your own number)

Upload and Download:
Limit uploads and downloads to home directory? yes

======== Virtualmin -> System Settings -> Features and Plugins ==========
Select all except "Spam filtering" and "virus filtering" We use our own (remember)

======== Virtualmin -> System Settings -> Server Templates ==========
mkdir /etc/skel
I moved my own under construction html files to it.
The moment a new accounts has been created the under construction page is shown by default.

Default Settings:
Home directory: Substitute variables in contents? Yes

Bind DNS domain:
Custom TTL: 10800
Create new domains in view: com.apple.ServerAdmin.DNS....
Add SPF DNS record? Yes
Does SPF record cover all senders? yes

Mail for domain:
Email message to send upon server creation: Message below ..
Default quota for mail users: Unlimited

Apache Website:
Directives and settings for new websites:

ServerName ${DOM}
ServerAlias www.${DOM}
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/public_html/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<.Directory ${HOME}/public_html>
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
<./Directory>
<.Directory ${HOME}/public_html/cgi-bin>
Options FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi .pl
Allow from all
<./Directory>

Configure Webmin to use same SSL cert for IP? Yes
Configure Usermin to use same SSL cert for IP? Yes
PHP configuration variables for scripts: memory_limit 256M

Webmin Login:
Webmin group for domain owners: hosting

======== Virtualmin -> System Settings -> Account Plans ==========

You may create what you want here.
I'll add a "Pro Plan" with all on unlimited

======== Virtualmin -> System Settings -> Virtualmin Configuration ==========
User interface settings:
Columns to show: pick your own
Feature columns to show: pick your own
Show mailbox size in users list? Yes
Allow editing of limits when creating server? Yes

Defaults for new domains:
Home directory base: /Users

Actions upon Server and User creation:
Notify other modules when updating server administrator Unix users? yes
Notify other modules when updating mailbox Unix users? Yes
Add users with no SSH access to deniedssh group? yes

Advanced Options:
Delete all email aliases when disabling mail? Yes
Allow creation of sub-domains? Yes

======== Un-used Modules -> squid ==========
Module configuration: _ options
Encryption method for proxy passwords: md5base64

system conf:
Full path to squid config file: /usr/local/etc/squid.conf
Squid executable: /usr/local/sbin/squid
Full path to PID file: /usr/local/var/run/squid.pid
Full path to squid cache directory: /usr/local/var/cache
Squid cachemgr.cgi executable: /usr/local/Cellar/squid/3.1.9/libexec/cachemgr.cgi
Full path to squid log directory: /usr/local/var/logs
Path to squidclient program: /usr/local/bin/squidclient

======== Squid Report Generator ========
Module configuration.

Full path to sarg executable: /usr/local/bin/sarg
Full path to SARG configuration file: /usr/local/etc/sarg.conf

======== Apple OSX settings ========
chmod 777 /Library/Logs

======== Web server ========

There are 2 ways to setup apache. I choose to use the default settings of apache to work well with webmin.

Specific setup for use with server.app is easy accomplish.
Both instruction will be posted on a later stage.

======== Mail server ========

A complete solution will be provided. Stay tuned.
(Below is the raw version, for those who requested.)

======== Dovecot IMAP/POP3 Server ========
We will configure the mail our selves, but to get all config files created
please launge "Admin Server" add mail and start the mail server. This will generate all files we need. (stop the mail server when generation is done)

Dovecot server program: /usr/sbin/dovecotd
Full path to Dovecot configuration file: /etc/dovecot/dovecot.conf
Dovecot server PID file: /var/run/dovecot/master.pid

Mail Files:
Mail file location: Inbox and folders in ~/Maildir
UIDL format: %08Xu%08Xv

======== Postfix Mail Server ========
The message "group or other writable" means that another user (not the owner) is able to write. You can fix it with chmod. Example to remove group write permissions

$ sudo chmod g-w /Library/Server/Mail/Data/mta

Suggest to create a backup of /etc/postfix /etc/dovecot and /etc/apache2
cd /etc
/Developer/Tools/CpMac -r apache2 "apache2 backup"
/Developer/Tools/CpMac -r postfix "postfix backup"
/Developer/Tools/CpMac -r dovecot "dovecot backup"

While it's possible to write all steps by hand, I decided to attach the config files.
(change my files and copy them to the ment folders. i'll explain during the process)

after copy:
chown root:wheel /private/etc/postfix/*
chmod g-w /var/lib/postfix

cd /etc/postfix
postmap hash:access
postmap hash:transport
postmap hash:sender_access

General Options:
What domains to receive mail for: $myhostname
Network interfaces for receiving mail: All
Local internet domain name: Default
Mail queue directory: /var/spool/postfix
rm -r /var/spool/postfix
mkdir /var/spool/postfix

Mail Aliases:
Alias databases used by the local delivery agent: Map specifications: hash:/etc/postfix/aliases

Canonical Mapping:
Tables for recipient addresses: No map set

Virtual Domains:
Domain mapping lookup tables: hash:/etc/postfix/virtual

Transport Mapping:
Transport mapping lookup tables: Map specifications: hash:/etc/postfix/smtproutes

Header Checks:
Example header checks

Body Checks:
Message body checking tables: Map specifications: pcre:/etc/postfix/custom_body_checks
Example body checks

Local Delivery:
Home-relative pathname of user mailbox file: Maildir/
External command to use instead of mailbox delivery: /usr/libexec/dovecot/deliver
Optional actual transport to use: None

SMTP Server Options:
Timeout in seconds for SMTP transactions: 300s
Disable SMTP VRFY command: Yes
Error count for closing connection: 20
Restrictions on sends in HELO commands: permit_mynetworks,check_helo_access hash:/etc/postfix/access,permit_auth_destination,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_invalid_hostname,permit
Restrictions on sender addresses: permit_sasl_authenticated,permit_mynetworks,permit_auth_destination,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
Restrictions on recipient addresses: reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,permit
cd /etc/postfix
postmap hash:sender_access
postmap hash:access

SMTP Authentication And Encryption:
Handle non-compliant SMTP clients?: yes
SMTP security options: none

SMTP Client Restrictions:
Client restrictions: Postfix default (allow all clients) (all off)

Edit main.cf
data_directory = /var/lib/postfix
rm /var/lib/postfix
mkdir /var/lib/postfix
chown _postfix /var/lib/postfix
Show main.cf file (example domainnames)

==> virtual_transport = lmtp:unix:/var/imap/socket/lmtp

Edit greylist.pl (/usr/libexec/postfix/greylist.pl)
change: /Library/Server/Mail/Data/mta/
into: /var/lib/postfix/

Edit Master.cf:
Show master.cf file (example domainnames)