Deploying a FreeBSD Server
Scope of This Document
I will assume that, if you are reading this, you have completed the installation steps described in the previous document, Installing FreeBSD 6.1. This document will show the steps to take to deploy a FreeBSD server. This server will run the latest stable release from the Apache 2.0 tree, PHP 5, MySQL 5.0, Sendmail with SMTP-AUTH, webmail, BIND DNS, SNMP, synchronized local time, and Webmin. I have also included the steps to build a network graphing solution with Rrdtool/cacti; that part can be considered optional.
Setup Useful Daemons
We are going to install Webmin with SSL, ntpd for time synchronization, and net-snmp. When you configure Webmin, be sure to choose 'yes' when asked if you want to use SSL. When configuring net-snmp, make sure you specify SNMPv1 and SNMPv2 community strings that only you know; it's just good practice. (portupgrade, Webmin, and net-snmp can all be safely installed using the 'pkg_add -r' method as well, if you want to save some time.)
# cd /usr/ports/sysutils/portupgrade; make install clean
# cd /usr/ports/sysutils/webmin; make install clean
# cd /usr/ports/net-mgmt/net-snmp; make install clean
First up, let's manually sync the time of the computer (optional).
# ntpdate -v -b 0.us.pool.ntp.org
Add these daemons to /etc/rc.conf, so that they start at boot.
ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"
snmpd_enable="YES"
webmin_enable="YES"
ntpd_enable="YES"
Ntpd will require the creation and population of the file /etc/ntp.conf, with these settings:
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
restrict 192.168.125.0 mask 255.255.255.0 nomodify notrap
driftfile /var/db/ntp.drift
Last, we start our daemons (Webmin was already started by its configuration script):
# ntpdate -v -b us.pool.ntp.org; /etc/rc.d/ntpd start
# /usr/local/etc/rc.d/snmpd start
Configuring Mail Services
Now we will begin configuring the Sendmail SMTP server with SMTP-AUTH. When we compile Sendmail, we want it to recognize that we will use SASL2 for SMTP authentication, so we need to add these items to the file /etc/make.conf:
SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2
Now, compile sasl2 and sasl2-saslauthd (in one operation):
# cd /usr/ports/security/cyrus-sasl2-saslauthd; make install clean
Check the contents of /usr/local/lib/sasl2/Sendmail.conf and make sure it contains pwcheck_method: saslauthd.
# cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd
Test saslauthd against a local user account (optional).
# testsaslauthd -u [username] -p [passwd]
0: OK "Success."
Configure saslauthd to load at boot. Add this to the end of /etc/rc.conf:
# /usr/local/etc/rc.d/saslauthd.sh start
Starting saslauthd.
Now it's time to recompile Sendmail.
# cd /usr/src/lib/libsm; make clean; make obj; make depend; make
# cd /usr/src/lib/libsmutil; make clean; make obj; make depend; make
# cd /usr/src/usr.sbin/sendmail; make clean; make obj; make depend; make; make install
Create your server's copy of the .mc file; it will be named [hostname].mc.
# cd /etc/mail
# make all
Edit the [hostname].mc file and add these lines (I put mine above DAEMON_OPTIONS):
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
Set sendmail to start (and listen) at boot, so add this to /etc/rc.conf:
Create the file /etc/mail/local-host-names and insert your domain name(s) to accept mail for. Then, finish the sendmail re-build.
# touch /etc/mail/local-host-names
# make all install restart
For good measure, I always give Sendmail a second restart, forcing it to re-read all configuration files.
# /etc/rc.d/sendmail restart
Dovecot is going to be our POP3/IMAP daemon, so our users can get their mail remotely.
# cd /usr/ports/mail/dovecot; make install clean
# cd /usr/local/etc
# cp dovecot-example.conf dovecot.conf
When you edit the dovecot.conf file, you will need to disable SSL support and enable plain-text login (note that with SSL disabled, POP3/IMAP passwords cross the network in clear text). Also, verify that mail_extra_groups is set to mail.
ssl_disable = yes
disable_plaintext_auth = no
mail_extra_groups = mail
Configure Dovecot to start at boot, add this to /etc/rc.conf:
And then start Dovecot.
# /usr/local/etc/rc.d/dovecot.sh start
Spam control is pretty much a necessity in this day and age, and SpamAssassin is up to the job.
# cd /usr/ports/mail/spamass-milter; make install clean
Create or edit /usr/local/etc/mail/spamassassin/local.cf (see note 1 at the bottom), and add the following to /etc/rc.conf so that SpamAssassin will start at boot time:
spamd_enable="YES"
spamd_flags="-u spamd"
spamass_milter_enable="YES"
- NOTE: I am still researching whether this next line is the [wrong] way to do this, but on my system, I make this change so that spamd can write to a single directory in /root (so that it can keep its learning files updated). If you skip this, SpamAssassin will still work; it just won't be updating its whitelist.
chmod 775 /root/.spamassassin
chown root:spamd /root/.spamassassin
# /usr/local/etc/rc.d/sa-spamd.sh start
# /usr/local/etc/rc.d/spamass-milter.sh start
Add the following to /etc/mail/[hostname].mc:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `spamassassin')
Apply the configuration changes from [hostname].mc:
# make all install restart
Again, I always do the scripted restart of Sendmail as well.
# /etc/rc.d/sendmail restart
Configuring Web Services
Next up is compiling Apache 2.0.x with mod_ssl and PHP 5. *Important!* Check the build options of /usr/ports/lang/php5 by typing 'make config'. Be sure that the Apache module is selected, or PHP 5 will not work as planned!
# cd /usr/ports/www/apache20; make install clean
# cd /usr/ports/lang/php5; make install clean
Some lines need to be added to httpd.conf so that the PHP module will work and PHP pages get served. At the end of the LoadModule section of httpd.conf, add:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Append this to the line for DirectoryIndex:
We need to generate an SSL key and a self-signed certificate for the Apache server.
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
Create the directories to hold the certificate.
# mkdir /usr/local/etc/apache2/ssl.key/
# mkdir /usr/local/etc/apache2/ssl.crt/
Copy the certs to the destination directory.
# cp ~/server.key /usr/local/etc/apache2/ssl.key/
# cp ~/server.crt /usr/local/etc/apache2/ssl.crt/
I prefer to remove the passphrase from the cert; otherwise, each time apache2 starts, you must enter the passphrase.
# cd /usr/local/etc/apache2/ssl.key
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
Set the proper permissions on your new key and certificate.
# chmod 0400 /usr/local/etc/apache2/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt
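The steps above create a passphrase-protected key, strip the passphrase in a second pass, and then lock the files down. As an added example (not from the original article), the script below does the same job in one non-interactive step with a 2048-bit key, then verifies that the certificate really belongs to the key, that the key can be read without a passphrase, and that the file mode is 0400. It assumes openssl is in PATH; the common name www.example.com and the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: generate the Apache key and
# self-signed certificate without a passphrase (so apache2 can start
# unattended), then verify and lock the files down. Assumes openssl in PATH.

# make_server_cert DIR CN DAYS: write DIR/server.key and DIR/server.crt.
make_server_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # -nodes = do not encrypt the key; 2048-bit RSA instead of the article's
    # 1024-bit key; -subj avoids the interactive prompts of "openssl req".
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    chmod 0400 "$dir/server.key" "$dir/server.crt"
}

# cert_matches_key CRT KEY: 0 if the certificate was issued for this key
# (identical RSA modulus), 1 otherwise. Catches a cert copied beside the
# wrong key, which Apache only reports at start-up.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# key_is_unencrypted KEY: 0 if openssl can read the key with an empty passphrase.
key_is_unencrypted() {
    openssl rsa -noout -in "$1" -passin pass: >/dev/null 2>&1
}

# file_mode FILE: the permission string from ls(1), e.g. -r--------; the
# same on FreeBSD and Linux, whereas stat(1) flags differ between them.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Placeholder output directory and common name; use the ssl.key/ssl.crt
# directories from the article on a real server.
WORK=$(mktemp -d "${TMPDIR:-/tmp}/apache-ssl.XXXXXX")
make_server_cert "$WORK" www.example.com 365 &&
    cert_matches_key "$WORK/server.crt" "$WORK/server.key" &&
    key_is_unencrypted "$WORK/server.key" &&
    echo "key/cert OK, key mode $(file_mode "$WORK/server.key")"
```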
Add this to /etc/rc.conf to autostart Apache with SSL at boot:
Compile the Squirrelmail webmail interface.
# cd /usr/ports/mail/squirrelmail; make install clean
Create squirrelmail.conf in /usr/local/etc/apache2/Includes:
# echo Alias /webmail /usr/local/www/squirrelmail >> /usr/local/etc/apache2/Includes/squirrelmail.conf
Last, start Apache.
# apachectl startssl
Configuring System Graphing, powered by MySQL
Compile MySQL 5.0 Server
# cd /usr/ports/databases/mysql50-server; make install clean
Configure MySQL server to load at boot, add this to /etc/rc.conf:
Cacti is a powerful network graphing utility that acts as a front end to Rrdtool. This process will compile Rrdtool and all of its dependencies for you.
# cd /usr/ports/net/cacti; make install clean
The cacti port supplied by FreeBSD is kind of quirky, with strange configuration options that I don't understand the reason for changing. The default configuration makes much more sense to me, so really, I just used the install of cacti to take care of all its dependencies. Now remove cacti from the system in favour of the original version from http://www.cacti.net/downloads/. Since the version name of the port could change after I write this article, we should first find out the exact name of the installed version.
# pkg_info | grep cacti
Take the exact output of the name of the port, and use it to force an uninstall. At the time of this writing, the port version was cacti-0.8.6h_2.
# pkg_delete -f cacti-0.8.6h_2
# wget http://www.cacti.net/downloads/cacti-0.8.6h.tar.gz
# tar zxvf cacti-0.8.6h.tar.gz
Move cacti-0.8.6h to /usr/local/www/, and create cacti.conf in /usr/local/etc/apache2/Includes:
# touch /usr/local/etc/apache2/Includes/cacti.conf
# echo Alias /cacti /usr/local/www/cacti-0.8.6h >> /usr/local/etc/apache2/Includes/cacti.conf
Create a local user named cactiuser with shell=nologin and homedir=/nonexistent. Then, set the ownership of the entire cacti directory tree:
# chown -R root:wheel /usr/local/www/cacti-0.8.6h
Follow the cacti setup instructions from http://www.cacti.net/downloads/docs/html/install_unix.html. Modify instruction 7 to match the path of the local php binary and the location of cacti, and instead use this for your crontab entry:
*/5 * * * * cactiuser /usr/local/bin/php /usr/local/www/cacti-0.8.6h/poller.php > /dev/null 2>&1
Install and configure the BIND DNS server, so that we can give our local network DNS resolution for Internet hosts.
# cd /usr/ports/dns/bind9; make install clean
Configure /var/named/etc/namedb/named.conf to listen on all IPs, because by default it only wants to listen on loopback. Configure BIND to load at boot by adding this to /etc/rc.conf:
Configuration File Notes
Note 1, the SpamAssassin local.cf I use:
# SpamAssassin config file for version 3.x
# NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)

# How many hits before a message is considered spam.
required_score 5.0

# Change the subject of suspected spam
rewrite_header subject *[SPAM]*

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages en

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en
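Note 2. Every daemon in this guide is switched on by an _enable line in /etc/rc.conf, and those lines are scattered across the sections above. The following added example (not from the original article) audits which of the guide's daemons a given rc.conf actually enables, the way rc(8) itself evaluates the file: the file is sourced as shell, so the last assignment to a variable wins, and a value counts as on under the same yes/true/on/1 test that checkyesno in rc.subr applies. The variable names for sendmail, dovecot, saslauthd, apache2, mysql and named are assumed from those ports' rc scripts, and the sample rc.conf is constructed from the fragments in this guide.

```shell
#!/bin/sh
# Added example, not from the original article: audit /etc/rc.conf for the
# daemons this guide enables. rc.conf is a shell fragment sourced by rc(8),
# so the LAST assignment to a variable wins, and rc.subr's checkyesno()
# accepts yes/true/on/1 in any letter case. Both rules are mirrored here.

# rc.conf variables the guide sets. Names not shown in the guide (sendmail,
# dovecot, saslauthd, apache2, mysql, named) are assumed from the ports' rc scripts.
GUIDE_DAEMONS="ntpdate ntpd snmpd webmin saslauthd sendmail dovecot spamd spamass_milter apache2 mysql named"

# rc_value VAR FILE: source FILE in a subshell, as rc(8) does, and print VAR.
rc_value() {
    ( . "$2" >/dev/null 2>&1; eval "printf '%s\n' \"\${$1}\"" )
}

# checkyesno VALUE: return 0 (true) for the values rc.subr treats as enabled.
checkyesno() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_audit FILE: one line per guide daemon, "name enabled" or "name DISABLED".
rc_audit() {
    for d in $GUIDE_DAEMONS; do
        if checkyesno "$(rc_value "${d}_enable" "$1")"; then
            echo "$d enabled"
        else
            echo "$d DISABLED"
        fi
    done
}

# Constructed sample rc.conf made from the fragments in this guide, plus a
# second ntpd_enable line at the end to show that the last assignment wins.
SAMPLE_RC=$(mktemp "${TMPDIR:-/tmp}/rc.conf.XXXXXX")
cat > "$SAMPLE_RC" <<'EOF'
ntpdate_enable="YES"
ntpdate_hosts="0.us.pool.ntp.org"
snmpd_enable="YES"
webmin_enable="YES"
ntpd_enable="YES"
spamd_enable="YES"
spamd_flags="-u spamd"
spamass_milter_enable="YES"
ntpd_enable="NO"
EOF

rc_audit "$SAMPLE_RC"
```

Run it against the real /etc/rc.conf instead of the sample to see which of the guide's daemons a server will actually start at boot.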