Deploying a FreeBSD Server

From DFWLPiki

Scope of This Document

I will assume that, if you are reading this, you have completed the installation steps described in the previous document, Installing FreeBSD 6.1. This document shows the steps to take to deploy a FreeBSD server. The server will have the latest stable release from the Apache 2.0 tree, PHP 5, MySQL 5.0, Sendmail with SMTP-AUTH, webmail, BIND DNS, SNMP, synchronized local time, and Webmin. I have also included steps to build a network graphing solution with Rrdtool/Cacti; this part can be considered optional.


Setup Useful Daemons

We are going to install Webmin with SSL, ntpd for time synchronization, and net-snmp. When you configure Webmin, be sure to choose 'yes' when asked if you want to use SSL. When configuring net-snmp, make sure you specify SNMPv1 and SNMPv2 community strings that only you know; it's just good practice (portupgrade, webmin, and net-snmp can all be safely installed using the 'pkg_add -r' method as well, if you want to save some time).

# cd /usr/ports/sysutils/portupgrade; make install clean
# cd /usr/ports/sysutils/webmin; make install clean
# cd /usr/ports/net-mgmt/net-snmp; make install clean

First up, let's manually sync the time of the computer (optional).

# ntpdate -v -b 0.us.pool.ntp.org

Configure net-snmp.

# snmpconf

Configure webmin.

# /usr/local/lib/webmin/setup.sh

Add these daemons to /etc/rc.conf, so that they start at boot.

ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"
snmpd_enable="YES"
webmin_enable="YES"
ntpd_enable="YES"

Ntpd will require the creation and population of the file /etc/ntp.conf, with these settings:

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
restrict 192.168.125.0 mask 255.255.255.0 nomodify notrap
driftfile /var/db/ntp.drift

Last, we start our daemons (Webmin was already started by the configuration script).

# ntpdate -v -b us.pool.ntp.org; /etc/rc.d/ntpd start
# /usr/local/etc/rc.d/snmpd start

Configuring Mail Services

Now we will begin configuring the Sendmail SMTP server with SMTP-AUTH. When we compile Sendmail, we want it to recognize that we will use SASL2 for SMTP authentication. So, we need to add these items to the file /etc/make.conf:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

Now, compile sasl2 and sasl2-saslauthd (in one operation):

# cd /usr/ports/security/cyrus-sasl2-saslauthd; make install clean

Check the contents of /usr/local/lib/sasl2/Sendmail.conf and make sure it says pwcheck_method: saslauthd:

# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

Test saslauthd against a local user account (optional).

# testsaslauthd -u [username] -p [passwd]
0: OK "Success."

Configure saslauthd to load at boot. Add this to the end of /etc/rc.conf:

saslauthd_enable="YES"

Start saslauthd:

# /usr/local/etc/rc.d/saslauthd.sh start
Starting saslauthd.

Now it's time to recompile Sendmail.

# cd /usr/src/lib/libsm; make clean; make obj; make depend; make
# cd /usr/src/lib/libsmutil; make clean; make obj; make depend; make
# cd /usr/src/usr.sbin/sendmail; make clean; make obj; make depend; make; make install

Create your server's copy of the .mc file. It will be [hostname].mc.

# cd /etc/mail
# make all

Edit the [hostname].mc file and add these lines. I put mine above DAEMON_OPTIONS:

define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

Set Sendmail to start (and listen) at boot by adding this to /etc/rc.conf:

sendmail_enable="YES"

Create the file /etc/mail/local-host-names and insert the domain name(s) to accept mail for. Then, finish the Sendmail rebuild.

# touch /etc/mail/local-host-names
# make all install restart

For good measure, I always give Sendmail a second restart, forcing it to re-read all configuration files.

# /etc/rc.d/sendmail restart
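A check I would run after the rebuild, added here as an example and not part of the original page: parse the server's EHLO response and report whether PLAIN/LOGIN are offered without STARTTLS, which is the state the configuration above produces. The hostname, date and banner text in SAMPLE_EHLO are constructed.

```shell
# Added example (not from the original page): inspect a saved SMTP EHLO
# response and report which AUTH mechanisms the server offers and whether
# STARTTLS is available. With confAUTH_MECHANISMS set to PLAIN LOGIN and no
# TLS, passwords cross the wire base64-encoded, i.e. effectively in clear.
# Capture a real banner with:  printf 'EHLO test\r\nQUIT\r\n' | nc localhost 25

# Constructed sample of what the rebuilt server is expected to answer.
SAMPLE_EHLO='220 mail.example.net ESMTP Sendmail 8.13.6/8.13.6; Sun, 1 Oct 2006 12:00:00 -0500
250-mail.example.net Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP'

# Print the mechanisms listed on the 250-AUTH line (empty if none).
auth_mechs() {
    printf '%s\n' "$1" | sed -n 's/^250[- ]AUTH //p'
}

# Succeed when STARTTLS is advertised.
offers_starttls() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS'
}

# Classify the exposure: cleartext mechanisms with no TLS is the weak case.
audit_ehlo() {
    mechs=$(auth_mechs "$1")
    case " $mechs " in
        *' PLAIN '*|*' LOGIN '*)
            if offers_starttls "$1"; then
                echo "AUTH $mechs offered, STARTTLS available"
            else
                echo "AUTH $mechs offered without STARTTLS: cleartext credentials"
            fi ;;
        *) echo "no cleartext AUTH mechanisms offered" ;;
    esac
}

audit_ehlo "$SAMPLE_EHLO"
```

Sendmail's `define(`confAUTH_OPTIONS', `A p')dnl` refuses PLAIN and LOGIN unless a security layer such as STARTTLS is active, so a client cannot send the password in the clear.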

Dovecot is going to be our POP3/IMAP daemon, so that our users can get their mail remotely.

# cd /usr/ports/mail/dovecot; make install clean
# cd /usr/local/etc
# cp dovecot-example.conf dovecot.conf

When you edit dovecot.conf, you will need to disable SSL support and enable plain text login. Also, verify that mail_extra_groups is set to mail.

ssl_disable = yes
disable_plaintext_auth = no
mail_extra_groups = mail

Configure Dovecot to start at boot by adding this to /etc/rc.conf:

dovecot_enable="YES"

And then start Dovecot.

# /usr/local/etc/rc.d/dovecot.sh start

Spam control is pretty much a necessity in this day and age, and SpamAssassin is up for the job.

# cd /usr/ports/mail/spamass-milter; make install clean

Create or edit /usr/local/etc/mail/spamassassin/local.cf (see Note 1 at the bottom), and add the following to /etc/rc.conf so that SpamAssassin starts at boot time:

spamd_enable="YES"
spamd_flags="-u spamd"
spamass_milter_enable="YES"
NOTE: I am still researching whether this next step is the [wrong] way to do this, but on my system I make this change so that spamd can write to a single directory in /root (so that it can keep its learning files updated). If you skip this, SpamAssassin will still work, it just won't be updating its whitelist.

# chmod 775 /root/.spamassassin
# chown root:spamd /root/.spamassassin

Start Spamassassin:

# /usr/local/etc/rc.d/sa-spamd.sh start
# /usr/local/etc/rc.d/spamass-milter.sh start

Add the following to /etc/mail/[hostname].mc:

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `spamassassin')

Apply the configuration changes from [hostname].mc:

# make all install restart

Again, I always do the scripted restart of Sendmail as well.

# /etc/rc.d/sendmail restart

Configuring Web Services

Next up is compiling Apache 2.0.x with mod_ssl and PHP 5. *Important!* Check the port options in /usr/ports/lang/php5 by typing 'make config'. Be sure that the Apache module is selected, or PHP 5 will not work as planned!

# cd /usr/ports/www/apache20; make install clean
# cd /usr/ports/lang/php5; make install clean

Some lines need to be added to httpd.conf so that the PHP module works and PHP pages are served. Add these at the end of the LoadModule section of httpd.conf:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Append this to the line for DirectoryIndex:

index.php

We need to generate an SSL key and a self-signed certificate for the Apache server.

# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

Create the directories to hold the key and certificate.

# mkdir /usr/local/etc/apache2/ssl.key/
# mkdir /usr/local/etc/apache2/ssl.crt/

Copy the key and certificate to the destination directories.

# cp ~/server.key /usr/local/etc/apache2/ssl.key/
# cp ~/server.crt /usr/local/etc/apache2/ssl.crt/

I prefer to remove the passphrase from the key; otherwise, each time apache2 starts, you must enter the passphrase.

# cd /usr/local/etc/apache2/ssl.key
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

Set the proper permissions on your new key and certificate.

# chmod 0400 /usr/local/etc/apache2/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt
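Before pointing Apache at the key, I verify that the passphrase-removal and chmod steps above actually took effect. This is an added example, not part of the original page; the two PEM samples are constructed placeholders, not key material, and the functions use only grep and ls so they run the same on FreeBSD and Linux.

```shell
# Added example (not from the original page): confirm the Apache private key is
# passphrase-free (Apache cannot start unattended otherwise) and readable only
# by its owner. A key still protected by the des3 passphrase keeps a Proc-Type header.

# Constructed stand-in for a key left encrypted; not real key material.
ENCRYPTED_KEY_SAMPLE='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(constructed placeholder, not key material)
-----END RSA PRIVATE KEY-----'

# Constructed stand-in for the key after "openssl rsa -in server.key.orig -out server.key".
PLAIN_KEY_SAMPLE='-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not key material)
-----END RSA PRIVATE KEY-----'

# Succeed when the PEM file is still passphrase-protected.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed only when the mode is 0400 or 0600 (owner-only). ls -l is parsed
# instead of stat(1) because stat's flags differ between FreeBSD and GNU.
key_mode_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined verdict for a key file: 0 = ready for Apache, 1 = fix needed.
audit_key() {
    if key_is_encrypted "$1"; then
        echo "$1: still passphrase-protected, run: openssl rsa -in $1.orig -out $1"; return 1
    fi
    if ! key_mode_ok "$1"; then
        echo "$1: mode too open, run: chmod 0400 $1"; return 1
    fi
    echo "$1: passphrase-free and owner-readable only"
}

# Usage: sh this_script.sh /usr/local/etc/apache2/ssl.key/server.key
if [ $# -gt 0 ]; then audit_key "$1"; fi
```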

Add this to /etc/rc.conf to autostart Apache with SSL at boot:

apache2_enable="YES"
apache2_flags="-DSSL"

Compile the SquirrelMail webmail interface:

# cd /usr/ports/mail/squirrelmail; make install clean

Create squirrelmail.conf in /usr/local/etc/apache2/Includes:

# echo Alias /webmail /usr/local/www/squirrelmail >> /usr/local/etc/apache2/Includes/squirrelmail.conf

Last, start Apache.

# apachectl startssl

Configuring System Graphing, powered by MySQL

Compile MySQL 5.0 Server

# cd /usr/ports/databases/mysql50-server; make install clean

Configure the MySQL server to load at boot by adding this to /etc/rc.conf:

mysql_enable="YES"

Cacti is a powerful network graphing utility that front-ends Rrdtool. This process will compile Rrdtool and all of its dependencies for you.

# cd /usr/ports/net/cacti; make install clean

The cacti port supplied by FreeBSD is kind of quirky, with strange configuration options; I don't understand why they changed them. The default configuration makes much more sense to me, so really, I just used the install of cacti to take care of all its dependencies. Now remove cacti from the system in favor of the original version from http://www.cacti.net/downloads/. Since the version name of the port could change after I write this article, we should first find out the exact name of the installed version.

# pkg_info | grep cacti

Take the exact name of the port from that output and use it to force an uninstall. At the time of this writing, the port version was cacti-0.8.6h_2.

# pkg_delete -f cacti-0.8.6h_2
# wget http://www.cacti.net/downloads/cacti-0.8.6h.tar.gz
# tar zxvf cacti-0.8.6h.tar.gz

Move cacti-0.8.6h to /usr/local/www/, and create cacti.conf in /usr/local/etc/apache2/Includes:

# touch /usr/local/etc/apache2/Includes/cacti.conf
# echo Alias /cacti /usr/local/www/cacti-0.8.6h >> /usr/local/etc/apache2/Includes/cacti.conf

Create a local user, cactiuser, with shell nologin and home directory /nonexistent. Then, set ownership on the entire cacti directory structure:

# chown -R root:wheel /usr/local/www/cacti-0.8.6h

Follow the cacti setup instructions from http://www.cacti.net/downloads/docs/html/install_unix.html. Modify instruction 7 to match the path of the local PHP binary and the location of cacti, and instead use this for your crontab entry:

*/5 * * * * cactiuser /usr/local/bin/php /usr/local/www/cacti-0.8.6h/poller.php > /dev/null 2>&1

Configure Bind

Install and configure the BIND DNS server, so that we can give our local network DNS resolution for Internet hosts.

# cd /usr/ports/dns/bind9; make install clean

Configure /var/named/etc/namedb/named.conf to listen on all IPs, because by default it only listens on loopback. Configure BIND to load at boot by adding this to /etc/rc.conf:

named_enable="YES"
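Widening listen-on without also restricting who may recurse turns the server into an open recursive resolver for anyone who can reach it. As an added example (not part of the original page), the script below scans a named.conf options block for that combination; both configuration samples are constructed, the restricted one reusing the 192.168.125.0/24 network from the ntp.conf section.

```shell
# Added example (not from the original page): flag a named.conf options block
# that listens on every address while leaving recursion open to any client.

# Constructed: the FreeBSD default listen-on widened to all addresses, with no
# allow-recursion restriction added.
OPEN_CONF='options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        listen-on       { any; };
};'

# Constructed: the same file with recursion limited to localhost and the LAN.
RESTRICTED_CONF='options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        listen-on       { any; };
        allow-recursion { 127.0.0.1; 192.168.125.0/24; };
};'

# Strip // and # comments so commented-out directives do not count.
strip_comments() {
    printf '%s\n' "$1" | sed -e 's,//.*$,,' -e 's/#.*$//'
}

# Succeed when listen-on is "any" or absent (BIND 9 then binds all interfaces).
listens_everywhere() {
    conf=$(strip_comments "$1")
    if printf '%s\n' "$conf" | grep -q 'listen-on[[:space:]]*{'; then
        printf '%s\n' "$conf" | grep -q 'listen-on[[:space:]]*{[[:space:]]*any;'
    else
        return 0
    fi
}

# Succeed when recursion is disabled or limited to an explicit client list.
recursion_restricted() {
    strip_comments "$1" | grep -Eq 'recursion[[:space:]]+no;|allow-recursion[[:space:]]*\{'
}

# 0 = acceptable, 1 = open recursive resolver.
audit_named() {
    if listens_everywhere "$1" && ! recursion_restricted "$1"; then
        echo "open resolver: add allow-recursion { 127.0.0.1; <LAN>/24; };"; return 1
    fi
    echo "recursion restricted or not exposed"
}
```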

Configuration File Notes

Note 1, the SpamAssassin local.cf I use:

# SpamAssassin config file for version 3.x
# NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
# How many hits before a message is considered spam.
required_score           5.0
# Change the subject of suspected spam
rewrite_header subject         *[SPAM]*
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe             1
# Enable the Bayes system
use_bayes               1
# Enable Bayes auto-learning
bayes_auto_learn              1
# Enable or disable network checks
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english 
ok_languages            en 
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales              en