Server Setup with Debian GNU/Linux 4.0 'Etch'

Introduction

Introduction
Notable changes to this document
Glossary

Foundation

RAID arrays
LVM - Logical Volume Management
Linux Kernel updates
Package Repositories, Updates & Upgrades
General configuration
NTP - Set The Time From An Internet Time Server

Minimum Features

Compression / Archival
SSH server - remote login
UPS - Uninterruptible Power Supply Monitoring
Backup - Backup Manager
Backup - Flexbackup
Backup - Tape Drives
Webmin - web-browser GUI server administration

Miscellaneous Main Features

Apache - web server
MySQL - database server
PostgreSQL - database server
PHP - programming databases with a web front end
Mail server
Fetchmail mail retrieval
Printing
Scanning - Document scanner server
Subversion - version control
Internet relay chat (IRC) server using dancer
Telephony - Asterisk

File Serving Etcetera

NFS server
Samba - Windows file and print server
LDAP server
Linux Terminal Server (LTSP)

Network Services

DHCP

Troubleshooting

Troubleshooting

Appendices

Appendix 1 - Fetchmail Multidrop Issues

Introduction

This server guide and my experiences have only been tested in environments with up to fifteen people/workstations so don't expect it to be spot-on when it comes to other areas. I have no experience of running a server openly on the Internet or a (Linux) server at high capacity for large numbers of users so expect the advice as applied to these realms to be vague. Everything in here comes from direct experience at one time or another but my most thorough day-to-day server knowledge, reflected in sections in here and in other guides from thegoldenear.org, is in Samba domain controllers; mail servers; print servers; Linux and Debian.

The Samba server details in this guide are for a simple file server, for more see my separate guide to a Samba primary domain controller and file/print/software deployment server for Windows using Samba 3

See my related documents on setting up a desktop system using Debian which includes some aspects common to both servers and desktops: Desktop System Setup with Debian 4.0 Testing/Etch.

I also provide a menu driven command-line program, called Twix, to help you install most of what is covered in this document and configure some of it. Twix can be downloaded for free from http://thegoldenear.org/toolbox/unices/twix/.

Notable changes to this document

1.2.6 - 20 June 2008 - Added how to use authenticated SMTP when your mail server uses a relayhost.

1.2.5 - 6 June 2008 - Fetchmail requires START_DAEMON=yes in /etc/default/fetchmail to work.

1.2.4 - 4 June 2008 - added creation of abuse and postmaster accounts to mail server.

1.2.3 - 30 May 2008 - removed webmin-fetchmail, webmin isn't available in Debian, it's installed as one large package from the webmin web site

1.2.0 - 9 March 2008

Added 'NTP - Set The Time From An Internet Time Server' section
Expanded the Mail Server section
Polished off Webmin section

1.1.3 - 5 March 2008 - Added 'Network Addressing' section to 'General Configuration' section; improved 'updates' section in 'Linux kernel updates'.

1.1 - 27 February 2008

Added PostgreSQL database
Added 'updates' section to 'Linux kernel updates' section with examples of the different messages you're likley to see when updating.
Added diagram to help explain mail server system
Fleshed out RAID + LVM so that it's now a step-by-step guide you can follow rather than a synopsis
Various minor updates

1.0.5 - 10 December 2007

Added unshield
Squirrelmail - added configuration to make use of IMAP SORT

1.0.4 - November 2007 - Added 'set no bouncemail' to Fetchmail configuration to fix issue of replying to spam email

1.0.1 - 18 October 2007 - in example Fetchmail configuration file added 'set postmaster ""' to set no postmaster so mail tagged as SMTP 550 error 'Recipient address rejected: User unknown in virtual mailbox table' is discarded rather than going in fetchmail's mailbox (/var/mail/fetchmail) and eating up disk space

1.0 - 13 October 2007

Apache 2: apache2-mpm-worker, apache2-mpm-prefork and apache2-mpm-event
MySQL section
- Made sure phpmyadmin installs with PHP5 and Apache2 by using libapache2-mod-php5
- Added php5-mysql
PHP section
- Changed php5 to libapache2-mod-php5
- Replaced php5-pear with php-pear
- Added php5-dev and a full list of available PHP modules

Glossary

<something> - when something is in angle brackets you should replace this with something particular to your system; you do not use the angle brackets.

command - text in monospaced typeface indicates a command you issue at the command-line or text you type yourself into a text editor.

$ - when a command-line command is preceded by a dollar it means you run this whilst logged in as a regular user

# - when a command-line command is preceded by a dollar it means you run this whilst logged in as super user / root

Package Repositories, Updates & Upgrades

Package repositories

Debian's package management system, known as 'apt', keeps a list of sources, or repositories, it can retrieve packages from when you choose to install them, in the file /etc/apt/sources.list.

Sources can be of the form

CD/DVD media
Internet server

You define which Debian flavour you're subscribed to

stable, also referenced by its alias, Etch
testing
unstable
experimental

These different licencing groups are kept track of

main
contrib
non-free - packages that don't comply with the Debian Free Software Guidelines. Packages can be non-free for any number and gravity of reasons, sometimes for reasons you might consider too slight to prevent you from installing what might be a worthwhile package. You can usually read the copyright file in /usr/share/doc/<package name> to read the restrictions for yourself. There is a non-free tracking system at nonfree.alioth.debian.org/.

There are different providors of Internet server sources

Debian sources, for the Stable archive
- for regular packages and very occasional updates to them in the form of new 'point releases' throughout the stable release's supported life. The point releases comprise packages with a very conservative number of important non-security related functionality fixes as well as those previously updated through security updates. Use something like this but substitute the domain and directory with that of your nearest Debian mirror:
  deb http://ftp.uk.debian.org/debian etch main contrib
  (You can add non-free if you wish)
- security updates - for non-intrusive updates to fix security issues in packages(apart from Iceweasel and Icedove) - www.debian.org/security/ - use:
  deb http://security.debian.org/ etch/updates main contrib
  Security updates are only provided for packages in main, not contrib and non-free.
- volatile - for updates to quickly outdated software such as spam filtering and virus scanning - http://volatile.debian.org - use something like:
  deb http://volatile.debian.org/debian-volatile etch/volatile main contrib
  If you're running a stable system you may want to subscribe to or read the archives of the debian-volatile-announce mailing list or the debian-volatile mailing list. You can see the files that are included at volatile.debian.org/debian-volatile/dists/etch/volatile/. See the list of mirrors and other protocols with which to access them.
  As-of August 2007 the main section has clamav (antivirus scanner), avscan (GTK frontend for clamav), spamassassin (spam filter), tzdata (Time Zone and Daylight Saving Time Data) and postgrey (Postfix greylisting policy server); contrib and non-free are empty.
- volatile-sloppy - for function enhancements to software in the stable archive akin to that in volatile (see lists.debian.org/debian-devel-announce/2005/05/msg00016.html for a description) - use something like:
  deb http://volatile.debian.org/debian-volatile etch/volatile-sloppy main contrib
  You can see the files that are included at volatile.debian.org/debian-volatile/dists/etch/volatile-sloppy/. See the list of mirrors and other protocols with which to access them.
  As-of August 2007 main, contrib and non-free sections were empty.
other peoples' sources - software not officially in Debian or backports of updated software for stable versions of Debian. For example:
- Debian Backports - backports.org - "You are running Debian stable, because you prefer the stable Debian tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. That is where backports come in. Backports are recompiled packages from testing (mostly) and unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever it is possible) on a stable Debian distribution. I recommend you to pick out single backports which fits your needs, and not to use all backports available here.":
  - deb http://www.backports.org/debian etch-backports main contrib
    (You can add non-free if you wish and shold instead choose a mirror)
  - Package: debian-backports-keyring - GnuPG archive key of the backports.org repository.
  All packages at backports are deactivated by default, you install using aptitude -t etch-backports install <package>

Debian installs with a default that uses 'main', it doesn't include 'contrib' or 'non-free'.

To add new CDs to your sources list, other than during installation: apt-cdrom add. The disc will be automatically mounted, scanned and its details added to your sources list (if you have trouble you may need to use apt-cdrom add -d /media/cdrom)

To add new Internet servers to your sources list, other than during installation: ?.

Updates

4.0 Etch

Release	Date	Changes
4.0r0	8 April 2007
4.0r1	15 August 2007	http://times.debian.net/1161-etch-r1 (doesn't list non-free packages i.e. ipw2200-)

There are two daily 'pulses' at 00:00 and 12:00 GMT upon which updated packages, if any, are made available.

Security updates are often made available, potentially even daily.

Very occasional other updates are made in the form of new 'point releases' of Debian stable. They comprise packages with a very conservative amount of miscellaneous bugfixes, removed packages, missing builds and security updates (those previously available thru security updates). These packages are introduced into the main stable archive when released. Similarly the downloadable ISO images available for installing Debian are updated, they have a 'r' designation.

The packages waiting to be made available in the next point release are held in a repository known as stable-proposed-updates but seemingly more readily available as etch-proposed-updates. You can subscribe to this repository to get these packages as they enter the queue rather than waiting for the release date.

For access to packages headed for but not yet entered etch-proposed-updates - 'Packages awaiting proposed-updates moderation - Summary for proposed-updates': http://ftp-master.debian.org/proposed-updates.html

Upgrades

To upgrade to the next version of Debian, replace the code name / alias in sources.list from 'etch' to 'lenny'.

Skipping releases is not supported. To upgrade from Woody to Etch you must first upgrade to Sarge, then to Etch. Edit /etc/apt/sources.list and replace 'testing' or 'etch' or 'stable' or 'unstable' with 'sarge' then 'aptitude update && aptitude dist-upgrade'.

Etch+1 year

An updated version of Debian 4.0 Etch will be made available a year from its release in April 2008. This will at least consist of updated GNOME, KDE, X.org and Linux kernel.

General Configuration

Use the latest Debian 'stable' distribution (this document is for version 4.0) from http://www.debian.org/distrib/

Set the time to GMT in the BIOS before installing Debian. During installation, say that the system clock is set to GMT. Debian will take care of setting your localised time correctly (as an offset from GMT).

Partitioning Scheme

Debian Installer's 'Multi-user workstation' option will create the following kind of partitions:

/ i.e. 500MB
/usr i.e. 5GB
/var i.e. 3GB
/tmp i.e. 399MB
swap i.e. 390MB
/home i.e. 31GB

You may want to locate /home on a separate disk.

You may want to manually partition like so:

Partition No.	Partition type	Size	Mount point	File system	Usage
1	primary	500MB	/	ext3
5	logical	2GB minimum? 5GB-7GB if WPKG server	/usr	ext3
6	logical	3GB	/var	ext3
8	logical	500MB	/tmp	ext3
7	logical	1GB max	swap	swap
9	logical	whatever is appropriate	/home	ext3	User home directories

Network Addressing

In /etc/network/interfaces, replace 'allow-hotplug eth0' and 'iface eth0 inet dhcp' with this kind of addressing information (your scheme may need to differ):

auto eth0
iface eth0 inet static
	address 10.0.0.10
	netmask 255.255.255.0
	gateway 10.0.0.1
	dns-nameservers 10.0.0.1
	dns-search localdomain

Miscellaneous

Don't install applications using Tasksel or DSelect, just install the basic system and manually install any software we specifically require or use Twix.

Download and apply any security updates using 'aptitude update' then 'aptitude dist-upgrade'

Install any diagnostic programs for network card(s)

mii-diag - for strictly 10/100 MII hardware (includes 3Com)
ethtool - a general network card configuration program (http://sourceforge.net/projects/gkernel/)
nictools-pci - Diagnostic tools for many PCI ethernet cards. Amongst many such configuration programs, includes:
- eepro100-diag : Diagnostic and setup for the Intel EEPro100 Ethernet cards
- rtl8139-diag : Diagnostics and EEPROM setup for RealTek RTL8129/8139 chips
- vortex-diag : Diagnostics and EEPROM setup for the 3Com Vortex series
nictools-nopci - Diagnostic tools for many PCI ethernet cards. Amongst many such configuration programs, includes:
- 3c5x9setup : Setup program for 3Com EtherLink III Ethernet cards
- el3diag : Diagnostic program for 3c509 and 3c579 Ethernet cards

Make a rescue/boot floppy disk: mkboot

Useful Tools

tree
less
wipe - securely erase files
lynx
traceroute
tcpdump
nmap - network port scanner

Mail Transfer

If you want the system to be able to send out mail, such as for sending logs to you, and you don't have a full-blown mail server:

Install postfix, replacing exim
When asked during Postfix's installation, set it to be an 'internet site'
When asked during Postfix's installation, set the name to your normal mail domain name rather than the local server's intranet name
Add a relay host to Postfix that will deliver mail on your behalf:
postconf -e relayhost=[<your ISP's SMTP server>]
"The form enclosed with [] eliminates DNS MX lookups. ... otherwise mail may be mis-delivered."
postconf ensures Postfix picks up the new setting, you don't need to force it to do so yourself.

NTP - Set The Time From An Internet Time Server

Package(s)

ntp - ntp.isc.org and www.ntp.org [Version: 4.2.2.p4]
ntp-doc [Version: 4.2.2.p4]

Configuration

Configuration file: /etc/ntp.conf

From /etc/ntp.conf:

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

From /usr/share/doc/README.Debian.gz:

"Several people have reported that ntpd fails on [Intel] SMP boxes unless the "Enhanced Real-Time Clock" support is enabled in the kernel."

"If your system is behind a firewall, the port you need to open up to allow the NTP protocol to work (for either ntpdate or ntpd) is UDP port 123. Server-to-server NTP packets usually use this for both source and destination: for extra security, a stateful firewall should block "new" packets with source, but not destination, port 123 from entering your network."

Usage

Control the daemon: /etc/init.d/ntp start|stop|restart

Print a list of the peers known to the server as well as a summary of their state:
ntpq -p

Logging

Logs to /var/log/daemon.log and /var/log/syslog

Further Information

Debian Bug report logs: Bugs in package ntp in etch: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ntp;dist=etch

/usr/share/doc/ntp-doc/html/index.html

Backup - Backup Manager

Package(s)

backup-manager - http://www.backup-manager.org/ - good for backing up one computer to either CD-R/CD-RW/DVD-R/FTP/SSH (note that it doesn't support DVD-RW).
backup-manager-doc

Configuration

Configuration file: /etc/backup-manager.conf.

Schedule configuration file: /etc/cron.d/backup-manager.

A debconf priority of 'low' is advised if you want to be asked if the backup is to be written to CD/DVD or to another computer using SSH.

The backup is automatically scheduled with cron to run at 04:00.

The easiest and officially recommended method to configure backup-manager is using dpkg-reconfigure backup-manager. Alternatively you can edit its configuration file.

If you are trying to write the backup to CD using an ATA CD writer and it's failing, follow this from the Backup Manager User Guide (the man page with version 0.6.2 doesn't explain this option anywhere near as well):
"Backup Manager uses cdrecord for burning CDs. If when you run cdrecord -scanbus you don't see your burning device, that means you will have to force the device in ATA mode. To tell Backup Manager to do so, just put here the path to your device, and a switch will be appended to the cdrecord commandline like the following : cdrecrord ... dev=$BM_BURNING_DEVFORCED ....
Leave this configuration key blank if you see your device with cdrecord -scanbus, in this case, Backup Manager will use the default cdrecord device for burning CDR media.
Example: export BM_BURNING_DEVFORCED="/dev/cdrom""

Usage

You will generally leave responsibility with cron to schedule backups but you can run it manually with backup-manager -v.

Troubleshooting

The log of messages describing backup-manager's operations go to /var/log/messages with the tag backup-manager.

The log of what happened when writing to CD/DVD go to /tmp/bm-burning.log.<6 seemingly random characters>.

Further Information

/usr/share/doc/backup-manager

/usr/share/doc/backup-manager-doc

Backup Manager Documentation, including User Guide: http://www.backup-manager.org/documentation/.

An example configuration file: http://www.backup-manager.org/documentation/backup-manager.conf.html.

Backup - Flexbackup

Package(s)

flexbackup
afio

Usage

Schedule using /etc/crontab:
00 1 * * 1-5 root flexbackup -set home -full

From the command-line

flexbackup -newtape flexbackup -set home -full

List files in archive: flexbackup -list

List current device's table of contents: flexbackup -toc

To quickly extract just a single file, use -extract -onefile path/to/my/file, giving the path from the archive.

To extract a list of multiple files, put them into a text file, for instance "restorelist", then use -extract -flist restorelist. The format is one line per pathname, using the path of the file in the archive.
Note if you are using afio with compression you need to append .z to filenames for any compressed files (depends on threshold and exclusion patterns).

Flexbackup logs to /var/log/flexbackup/ with filenames such as flexbackup.list.200705081249.log, home.0.200705100200.gz, home.latest.gz.

Configuration

Configuration file: /etc/flexbackup.conf (See http://www.edwinh.org/flexbackup/flexbackup.conf.txt)

$set{'home'} = "/home";
$device = '/dev/nst0';
Defaults to using afio
Defaults to compress using gzip at compression level 4
By default -full will erase the tape first; if it takes too long it can be set to just start from the beginning of the tape rather than erasing it as well

It's possibly better to do '-full' backups because less complex when restoring files; works around using the '-level' option ('-full' defaults to '-level 0').

Backup - Tape Drives

Package(s)

tar - tape archiver
mt-st - Linux SCSI tape driver aware magnetic tape control (aka mt)

Usage

You don't create a file system on a tape, nor do you mount it or attempt to access the data on it as files. You simply treat the tape device itself as a single 'file'.

SCSI tape drives are referenced by /dev/st0 (device is "rewind on close") or /dev/nst0 (device is "don't rewind on close".

Use tar to read and write files and directories to and from the tape, with the following options:

c - create
x - extract
v - verbose
f - use archive file
t - list

Use mt to control the tape drive, with the following syntax: mt -f /dev/st0 command where command would be any of the following:

rewind - rewind a tape
retension - retension a tape
offline - unload a tape
status - print status information about the tape unit
erase - erase a tape

Write files to a tape:
tar cvf /dev/st0 files-or-directories-to-backup
(by default it recurses into sub-directories)

Retrieve a complete archive back from a tape to the current working directory:
tar xvf /dev/st0
(be mindful of the directory you're in when you run this as it could overwrite files in your current directory)

List the files on a tape:
tar tvf /dev/st0

Retrieve individual files from a tape to the current directory:
tar xvf /dev/st0 filename1 filename2 filename3

You can schedule backups using cron, via the configuration file /etc/crontab, such as with this line which will run your own backup script at 04:00:
00 4 * * * root /root/backup.sh

Troubleshooting

Check that the operating system sees the device by running dmesg and looking for "attached SCSI tape st0 at".

List SCSI devices:
cat /proc/scsi/scsi.

See man pages on 'mt' and 'st'.

Apache - web server

Package(s)

Apache - httpd.apache.org/ - the 'apache2' meta-package is fulfilled by one of either of these versions which each include a different Multi-Processing Module (MPM). If you install apache in order to provide for a single specific application, such as for phpmyadmin, then you can let the application choose its own version of Apache rather than worrying about it in advance. [Version: 2.2.3]
- apache2-mpm-worker - high speed threaded model for Apache HTTPD 2.1. The worker MPM provides a threaded implementation for Apache HTTPD 2.1. It is considerably faster than the traditional model, and is the recommended MPM. This MPM is generally a good choice for high-traffic servers because it has a smaller memory footprint than the prefork MPM.
- apache2-mpm-prefork - traditional model for Apache HTTPD 2.1. This Multi-Processing Module (MPM) implements a non-threaded, pre-forking web server that handles requests in a manner similar to Apache 1.3. It is appropriate for sites that need to avoid threading for compatibility with non-thread-safe libraries. (For example PHP5 ONLY works with Apache's prefork MPM (the apache2-mpm-prefork package), as PHP is not compiled thread-safe.) It is also the best MPM for isolating each request, so that a problem with a single request will not affect any other. This MPM is not as fast, but is considered to be more stable.
- apache2-mpm-event - event driven model for Apache HTTPD 2.1. The event Multi-Processing Module (MPM) is designed to allow more requests to be served simultaneously by passing off some processing work to supporting threads, freeing up the main threads to work on new requests. This MPM is especially suitable for sites that see extensive KeepAlive traffic.
apache2-doc - documentation

Configuration

/etc/apache2/apache2.conf

/etc/apache2/conf.d

/etc/apache2/httpd.conf

Troubleshooting

Error log (this includes database connection errors from web applications such as egroupware): /var/log/apache2/error.log

PHP - for programming databases

PHP is an Apache module and the only way PHP is used (other than the command-line interpreter, php5-cli).

Package(s)

libapache2-mod-php5 - this is PHP 5. This also installs the Apache prefork MPM (apache2-mpm-prefork) version of the Apache 2 web server (the only version of Apache 2 PHP will work with)
php-pear - PEAR - PHP Extension and Application Repository - pear.php.net/. Includes the base PEAR classes for PHP, as well as the PEAR installer (see pear.php.net/package/PEAR for a description of what's included). The PHP Extension Community Library (PECL) (pecl.php.net/) is a repository of PHP extensions that are made available to you via the PEAR packaging system. Alternatively, many PEAR classes are already packaged for Debian, see the list of vailable PHP modules below. Note: to build and install precompiled PECL extensions, you will need php5-dev.
php5-dev - provides the files from the PHP5 source needed for compiling additional modules.
Available PHP modules - for database connectivity and a host of other features
- php5-apache2-mod-bt - mod_bt
- php5-auth-pam - PAM authentication
- php5-clamavlib - ClamAV
- php5-idn - PHP api for the IDNA library
- php5-imagick - ImageMagick
- php5-json - JSON serialiser
- php5-mapscript - mapserver
- php5-maxdb - MaxDB database access
- php5-memcache - memcache
- php5-ming - Ming
- php5-ps - ps
- php5-sqlite3 - SQLite3 module
- php5-sqlrelay - SQL Relay PHP API
- php5-suhosin - advanced protection
- php5-uuid - OSSP uuid module
- php5-xapian - Xapian search engine
- php5-curl - CURL
- php5-gd - GD
- php5-imap - IMAP
- php5-interbase - interbase/firebird
- php5-ldap - LDAP
- php5-mcrypt - MCrypt
- php5-mhash - MHASH
- php5-mysql - MySQL
- php5-odbc - ODBC
- php5-pgsql - PostgreSQL
- php5-pspell - pspell
- php5-recode - recode
- php5-snmp - SNMP
- php5-sqlite - SQLite
- php5-sybase - Sybase / MS SQL Server
- php5-tidy - tidy
- php5-xmlrpc - XML-RPC
- php5-xsl - XSL

Configuration

/etc/php5/apache2/php.ini

Upgrading from previous Debian stable version

PHP5 replaces PHP4

Compression / Archival

These can be useful for many reasons, for example the anti-virus and spam co-ordinating program Amavis uses many of them if they're installed.

Package(s)

arc - archive utility based on the MSDOS ARC program plus a few enhancements
arj - archiver for .arj files. An open source version of the arj archiver. This version has been created with the intent to preserve maximum compatibility and retain the feature set of original ARJ archiver as provided by ARJ Software, Inc.
bzip2 - www.bzip.org - bzip2 is a freely available, patent free, high-quality data compressor. It typically compresses files to within 10% to 15% of the best available techniques, whilst being around twice as fast at compression and six times faster at decompression. The archive file format of bzip2 (.bz2) is incompatible with that of its predecessor, bzip (.bz).
cabextract - www.cabextract.org.uk/ - unpacks Microsoft cabinet (.cab) files. Microsoft cabinet files are used by Microsoft and others to distribute all kinds of data and software: core Web fonts, videos, operating system updates and video codecs, to give some examples. Microsoft cabinets are also used as the installation format for Windows CE software.
[Author: Stuart Caie]
cpio - GNU cpio is a tool for creating and extracting archives, or copying files from one place to another. It handles a number of cpio formats as well as reading and writing tar files.
lha - the lzh archiver, popular on MS-DOS (and Windows?). [non-free - open source, has some restrictions and some vaguely worded terms; read the licence]
lzop - www.lzop.org - lzop is a compressor similar to gzip. Its main advantages over gzip are much higher compression and decompression speed. lzop was designed with the following goals in mind: reliability, speed (both compression and decompression), reasonable drop-in compatibility with gzip, portability
nomarch - Unpacks .ARC and .ARK MS-DOS archives. This is a de-archiving only replacement for the arc archiver from SEA. It can handle pkarc archives, as well as others. This package is very useful for E-Mail virus scanner scripts for attachement unpacking.
p7zip-full - p7zip.sourceforge.net - 7-Zip (7-zip.org) is the file archiver that archives with the highest compression. This package will also handle ZIP, Zip64, CAB, RAR, ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO and DEB formats. It includes programs 7z (handles all the above formats) and 7za (handles less formats than 7z). If you need to save space (2.5MB) you can instead install the p7zip package with its 7zr / p7zip program, a 'light' version of 7za which only includes support for the 7z format. If you want just the 7Zip library you can install the lzma package.
pax - Portable Archive Interchange. Pax is an archiving utility that reads and writes tar and cpio formats, both the traditional ones and the extended formats specified in IEEE 1003.1. Three user interfaces are supported: tar, cpio, and pax. The pax interface was designed by IEEE 1003.2 as a compromise in the chronic controversy over which of tar or cpio is best. This is the free OpenBSD's version written by Keith Muller.
tnef - sourceforge.net/projects/tnef - TNEF is a program for unpacking MIME attachments of type "application/ms-tnef". This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format (often in the form of a winmail.dat file). The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment.
unrar - extracts files from .rar archives. If you want to create .rar archives, install package rar. Unrar can handle where as unrar-free cannot. [non-free - freeware, open source, restricts you to not using the source to create a rar archiver; read the licence] (alternatively there is unrar-free (https://gna.org/projects/unrar/) but it cannot handle version 3.0 of the rar format)
unshield - www.synce.org/index.php/Unshield - extracts Microsoft-format CAB files from InstallShield installers. InstallShield installers comprise a .exe InstallShield installer for Microsoft Windows in which there are InstallShield cabinet files (usually named data1.cab, data1.hdr, data2.cab, data2.hdr, etc) and within them Microsoft cabinet files. The Microsoft and InstallShield cabinet files are of different formats. Unshield extracts the InstallShield cabinet files from the .exe InstallShield installer and then the Microsoft cabinet files from the InstallShield cabinet files. The Microsoft cabinet files can then either be loaded into a Windows CE device for installation or themselves unpacked using cabextract (a separate package). Unshield doesn't support encrypted files.
[Version: 0.5 | Author(s): David Eriksson | Licence: MIT]
unzip - www.info-zip.org/UnZip.html
ytnef - ytnef.sourceforge.net - Yerase's TNEF Stream Reader allows you to decode application/ms-tnef e-mail attachments, which are usually entitled "winmail.dat" and are generally a file container format that is only readable by Microsoft Outlook. Some TNEF streams also include RTF-formatted data. Ytnef parses these streams into normal MIME attachments and RTF attachments that you can read from non-Outlook mail readers.
It also handles VCAL format calendar / meeting requests, though this may not work when dealing with newer versions of Outlook.
A convenience script is provided to allow users to transparently filter messages containing TNEF attachments into messages with proper attachments, via procmail.
ytnef isn't yet a drop-in replacement for tnef.
zip - www.info-zip.org/Zip.html
zoo - manipulate zoo archives. This package exists for its historical value. If you are looking for a compression tool for serious use, check tar and gzip.

LVM - Logical Volume Management

Filesystem Role	/	other partitions	/	other partitions	/	other partitions
LVM		LVM 1		LVM 1		LVM 1
RAID Level	RAID 1	RAID1 or RAID 5	RAID 1	RAID1 or RAID 5	RAID 1	RAID1 or RAID 5
Partition No.	1	2	2	2	1	2
Disk No.	1	1	2	2	3	3

Further Information

Software RAID5 and LVM with the Etch Installer: www.debian-administration.org/articles/512

LVM HOWTO by AJ Lewis tldp.org/HOWTO/LVM-HOWTO/

Wikipedia - Logical Volume Manager (Linux): en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)

MySQL - database server

Package(s)

MySQL - www.mysql.com - "MySQL is a fast, stable and true multi-user, multi-threaded SQL database server. SQL (Structured Query Language) is the most popular database query language in the world. The main goals of MySQL are speed, robustness and ease of use.". [Version: 5.0.32]

Either you want a specific version because the way you use it will be affected by an upgrade in a way that you'll have to plan for. In which case you want the stability of knowing which version you're using and to be able to upgrade at your convenience.
Or, your use of MySQL is restricted to another application you use that uses it, for example the mail server. If that mail server only minimally uses MySQL's abilities and so isn't affected by an upgrade then use mysql-server.
If your server is used for both scenarios you will want to consider this carefully.
However this doesn't necessarily mean you won't get a forced upgrade when upgrading Debian - mysql-server-4.1 in Debian Etch is there to allow a transition to mysql-server-5.0, it actually installs mysql-server-5.0.
- mysql-server - this is my preference - in Debian Etch this installs mysql-server-5.0
- mysql-server-5.0
PHPMyAdmin - database administration. We have it install and use PHP5, the PHP5 MySQL connector and Apache 2.
- phpmyadmin
- libapache2-mod-php5 (AKA PHP5). This installs the Apache prefork MPM (apache2-mpm-prefork) version of the Apache 2 web server (the only version of Apache 2 PHP will work with)
- php5-mysql - provides modules for MySQL database connections directly from PHP scripts

Installation

MySQL will only install if the system already has a non-numeric hostname that is resolvable via the /etc/hosts file. Run hostname -f; if it returns just the machine's name, i.e. 'server', rather than its fully qualified domain name (FQDN) - its name followed by its domain, i.e. server.localdomain or server.yourdomain.org - then you need to add a line to /etc/hosts with its IP address then FQDN then name such as '10.0.0.10 server.localdomain server'.
Here's an example for a server on an intranet:

127.0.0.1 localhost server
127.0.1.1 server.localdomain server
10.0.0.10 server.localdomain server

Here's an example for a server on the Internet:

127.0.0.1 localhost server
127.0.1.1 server.yourdomain.org server
10.0.0.10 server.yourdomain.org server

Configuration

The MySQL configuration file can live in a number of locations:

/etc/mysql/my.cnf - to set global options
/var/lib/mysql/my.cnf - to set server-specific options
~/.my.cnf - to set user-specific options

Configuration files, accounts and databases:

/etc/mysql/my.cnf - brought in by mysql-common. Reconfigure using dpkg-reconfigure mysql-common. If you remove my.cnf you can run 'aptitude -o DPkg::Options::="--force-confmiss reinstall mysql-common" to bring in a new version even when you've changed or removed yours.
root user password - dpkg-reconfigure mysql-server-5.0
databases - dpkg-reconfigure mysql-server-5.0 ?

Set a password for the MySQL root user because it defaults to not having one. You can do so in a number of ways.

a) Set the password from the command-line (this will fail if a password has already been set, in which case you need to add -p):

$ mysqladmin --user=root password '<your new password>'
$ mysqladmin --user=root --host <hostname> password '<your new password>'

b) Set the password from within MySQL:

Open mysql:
$ mysql -u root
(this will fail if a password has already been set, in which case you need to add -p)
Set the password for the various incarnations of the user 'root':
- mysql> SET PASSWORD FOR 'root'@'localhost'=PASSWORD('<your new password>');
- mysql> SET PASSWORD FOR 'root'@';<hostname>'=PASSWORD('<your new password>');

a) Set the username and password in a my.cnf configuration file:

If you use a /root/my.conf (write the 'user' and the 'password' lines in there, never only the password - see /usr/share/doc/mysql-server/README.Debian for more information.

For security Debian's MySQL defaults to listening only on the localhost (127.0.0.1) network interface for connections, so it will not allow remote connections. This is achieved by setting bind-address 127.0.0.1 in /etc/my.cnf (The less secure skip-networking option used to be used instead for this). This is fine for a mail server running on the same machine or phpMyAdmin but not for OpenOffice clients connecting using ODBC for instance. You can enable only remote connections to MySQL by changing bind-address to the machine's IP address or hostname. You don't seem to be able to set it to both. You can enable connections from any source by removing bind-address.

To reset the MySQL root password if you've lost it:

mysqld first reads the name of the user it should run as from /etc/mysql/my.cnf before any username you might specify at the command-line. We need to run it as root so you must temporarily change in this file user = mysql to user = root
Stop the MySQL daemon:
/etc/init.d/mysql stop
Start MySQL without permissions and as the root user:
mysqld --skip-grant-tables
At another terminal, run MySQL:
mysql -u root
Reset the root password for all incarnations of root (replace <your new password> with the password you choose):
mysql> UPDATE mysql.user SET Password=PASSWORD('<your new password>') WHERE User='root';
Set the MySQL daemon to use permissions again:
mysql> FLUSH PRIVILEGES;
Quit MySQL:
mysql> quit
Edit /etc/mysql/my.cnf and change user = root back to user = mysql
Restart MySQL:
/etc/init.d/mysql restart

(From http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html)

If you're wanting to use ODBC to connect client computers across a network to the database server, nothing has to be set on the server specifically to enable this ODBC connection.

Usage

The location of database files is usually /var/lib/mysql/your-database-name (use mysqladmin variables | grep datadir to find it otherwise)

To open the mysql program: mysql -u <username> -p. The -p tells it a password is required, which you will be prompted for.

To create a database:

From the command-line (using the MySQL root account):
# mysqladmin -p create <database>
From within MySQL:
mysql> create database <database>;

To first delete the database if it already exists:
mysql> drop database <database>;

Set privileges on the database (grants the root account all database level access on your database when connecting from any machine, using the defined password and allows them to give other users priviliges. See http://dev.mysql.com/doc/refman/5.0/en/grant.html for reference):

mysql> grant all on yourdatabasename.* to root@'%' identified by '<your password>' with grant option;

See which users have privileges in MySQL:

mysql> use mysql;
mysql> select user,host,password from user;

See what databases have what users with privileges to access them:

mysql> use mysql;
mysql> select db,user,host from db;

list the privileges granted to the account that you are using to connect to the server:
mysql> show grants;

list the privileges granted to a specific account, for example:
mysql> show grants for 'root'@'localhost';

MySQL server (mysqld) administration, using the command-line - these are the main MySQL clients and processes:

mysql - Command line interface to MySQL
mysqld - MySQL server daemon
mysqld_safe - Server process monitor
mysqlaccess - Tool for creating MySQL users
mysqladmin - Utility for administering MySQL
mysqldump - Tool for dumping the contents of a MySQL database
mysqlshow - List all MySQL database

Further Information

MySQL 5.0 Reference Manual: http://dev.mysql.com/doc/refman/5.0/en/

MySql 4.1.x Database Survival Guide: http://www.akadia.com/services/mysql_survival.html

'MySQL Database Administration' - 'MySQL User Account Management' - 'MySQL Usernames and Passwords'

PostgreSQL - database server

Package(s)

postgresql-8.1 - the database server [Version: 8.1.11]
postgresql-doc-8.1 - documentation [Version: 7.5.22]
postgresql-client-8.1 - client program to connect to the database [Version: 8.1.11]
phppgadmin - web-based database administration [Version: 4.0.1]

Usage

Program: psql

RAID arrays

The host controller may itself provide RAID capability, in which case this hardware RAID will be superior to using Linux software RAID but only as long as the host controller is of high quality. Linux software RAID is usually superior to the cheap IDE (pseudo hardware), RAID controllers; and also superior to 'fakeraid' controllers such as Adaptec's 'HostRaid'. Note that host-based RAID controllers may support only a sub-set of the various RAID levels.

You may find when you configure a RAID array in your host's software at boot time that the Debian installer partitioning section still sees both disks independently. In this case you need a driver for the host controller that isn't available in Debian. For example Adaptec provide a binary-only HostRaid controller driver. just use Linux software RAID.

Package(s)

mdadm - tool to administer 'Linux md device arrays' (AKA Linux Software RAID). Can be used to create, manage, and monitor MD devices; a replacement for the old raidtools package.

Configuration

We use Software RAID 1 (mirroring) or software RAID 5 (block-level striping with parity data distributed across all member disks. See 'Standard RAID levels': en.wikipedia.org/wiki/Standard_RAID_levels for a description).

The multidisk device (or, after its most famous variant, 'software RAID'). New devices made up of combined traditional disk devices into RAID volumes referred to as /dev/md#. RAID is not a guarantee for data integrity, it just allows you to keep your data if a disk dies (that is, with RAID levels above or equal one, of course).

Read this: http://www.tldp.org/HOWTO/Software-RAID-HOWTO.html#toc

GRUB can't boot from an mdadm / software RAID 5 array so we create a / partition that is jusr a RAID 1 array.

The tool you use to work with RAID arrays is mdadm.

You can use the Debian Installer to setup a RAID array, rather than doing so manually:

1) choose your partitioning method on each. If guided partitioning, then apply similarly to each hard disk
2) individually select each partition (not disk) and select 'Use as:' → 'physical volume for RAID' (including for swap) either when create manually, or after guided partitioning
3) Configure software RAID
4) Create MD device (this is 1 of a number of MD devices you may create)
5) choose 'RAID1' or 'RAID5'
6) set the 'Number of active devices for the RAID# array:'
7) set the 'Number of spare devices for the RAID# array:'
8) set the 'Active devices for the RAID# multidisk device' i.e.:
- [] /dev/ide/host0/bus0/target0/lun0/part1
- [] /dev/ide/host0/bus1/target0/lun0/part1
repeat steps 4 through to 8 until done. Then continue as usual.

You can run mdadm as a daemon by using the follow-monitor mode. If needed, that will make mdadm send email alerts to the system administrator when arrays encounter errors or fail. Also, follow mode can be used to trigger contingency commands if a disk fails, like giving a second chance to a failed disk by removing and reinserting it, so a non-fatal failure could be automatically solved. Let's see a basic example. Running mdadm --monitor --mail=root@localhost --delay=1800 /dev/md2

Is the MD driver compiled as a module or compiled into the kernel? compiled into the kernel.

Configuration files

? /etc/raid/raidtab, and a symlink from /etc/raidtab

/proc/mdstat

Usage

mdadm --query /dev/md0

mdadm --detail /dev/md0

Further Information

Software RAID5 and LVM with the Etch Installer

Serial ATA (SATA) chipsets — Linux support status: http://linuxmafia.com/faq/Hardware/sata.html

Recovering a RAID disk back into a RAID device /dev/md*: http://www.kieser.net/linux/raidhotadd.html

Installing Debian with SATA based RAID: http://wiki.xtronics.com/index.php/Raid

Probably too out of date, but seemed useful: http://www.james.rcpt.to/programs/debian/raid1/

Samba - Windows file and print server

Package(s)

samba
samba-doc - documentation
smbclient - required for cupsaddsmb; useful for troubleshooting

Creating a Primary Domain Controller

See our separate document Setting up a Samba primary domain controller and file/print/software deployment server using Samba 3 on Debian 4.0 Etch.

Simple Samba File Sharing

Use this /etc/samba/smb.conf configuration file:

# Samba 3.0.x configuration file for simple password-less file sharing.

# (if we set security=no would this work with Windows 95, 98 and Me clients?)

[global]

# The server's name on the Windows network
netbios name = server

# The workgroup name. Make this the same on all participating computers
workgroup = workgroup

# Combined with 'guest account' this doesn't require a username/password 
# to connect
security = share

# Makes this the WINS server for the network.
# Required for computers to browse for the share
wins support = yes

# Defines which Unix account will be used when the share is used
guest account = nobody

# Try to make sure this machine is the local master browser so that what
# it says, goes, amongst it and the other computers on the (WINS) network
os level = 34
preferred master = yes


[shared]
guest only = yes

guest ok = yes

# The directory that will be shared
path = /home/samba/shared

# It is visible when people are browsing the network
browseable = yes

read only = no

# New files are created with this permission
# Requires a corresponding Unix setting
force create mode = 0666

# New directories are created with this permission
# Requires a corresponding Unix setting on the directory
force directory mode = 2770

Create the shared directory:
mkdir /home/samba && mkdir /home/samba/shared

Give it liberal permissions:
chmod 666 /home/samba/shared

Creating shares that can be mounted from a GNU/Linux workstation

This share can be mounted by root but files take the permission of whomever creates them.

This is what to do on the server, for what to do on the workstation see Desktop System Setup with Debian 4.0 'Etch'.

You should at least add the following to /etc/samba/smb.conf:

Security = user

[shared]
        writable = yes
        path = /home/organisation/shared
        public = yes
        browseable = yes
        force create mode = 0666
        force directory mode = 2770

Enable root to connect in /etc/samba/smb.conf (Debian defaults to root being an invalid user)
Create a group for everyone, a useful name is the organisation name
Create UNIX accounts for everyone who wants to use the server, the same as those used on workstations
Create corresponding Samba accounts for everyone who wants to use the server, using the same passwords as the UNIX accounts, including root, using smbpasswd -a username
Make the users members of the group
Create a directory for the group, i.e. /home/organisation
Create a shared directory for the group in that directory, i.e. /home/organisation/shared
Set permissions for that shared directory:
chmod 2770 /home/organisation/shared
(do we also need to set similarly for the directory itself?)
Set the group of that shared directory to the same group:
chgrp group /home/organisation/shared

Upgrading from the previous Debian stable version

Samba 3.0.14a → 3.0.23d

RCS - added to 'passwd chat': '...password created succesfully...'

Release notes for all versions up to 3.0.23d:
http://www.samba.org/samba/history/samba-3.0.23d.html

3.0.23c
RID Algorithms & Passdb
=======================

Starting with the 3.0.23c release, the officially supported passdb
backends (smbpasswd, tdbsam, and ldapsam) now operate identically
with regards to the historical RID algorithm for unmapped users
and groups (i.e. accounts not in the passdb or group mapping table).
The resulting behavior is that all unmapped users are resolved
to a SID in the S-1-22-1 domain and all unmapped groups resolve
to a SID in the S-1-22-2 domain. Previously, when using the
smbpasswd passdb, such users and groups would resolve to an
algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX).
However, the smbpasswd backend still utilizes the RID algorithm
when creating new user accounts or allocating a RID for a new
group mapping entry.

With the changes in the 3.0.23c release, it is now possible to
resolve a uid/gid, name, or SID in any direction and always obtain
a symmetric mapping. This is important so that values for smb.conf
parameters such as "valid users" resolve to the same SIDs as those
included in the local user's initial token.

Most installations will notice no change. However, because
an unmapped account's SID will now change even when using
smbpasswd it is possible that any security descriptors on files
previously copied from a Samba host to a Windows NTFS partition
may now fail to give access. The workaround is to either manually
map all affect groups (or add impacted users to the server's
passdb) or to manually reset the file's ACL.

3.0.23b
Member servers, domain accounts, and smb.conf
=============================================

Since Samba 3.0.8, it has been recommended that all domain accounts
listed in smb.conf on a member server be fully qualified with the
domain name. This is now a requirement. All unqualified names are
assumed to be local to the Unix host, either as part of the server's
local passdb or in the local system list of accounts (e.g. /etc/passwd
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization. All names are resolved to a SID and then verified
against the logged on user's NT user token. Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

[restricted]
path = /data
valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the
owner of that directory, it is necessary to prefix the %S value
to "valid users".

[global]
security = {domain,ads}
workgroup = DOM
winbind separator = +
[homes]
valid users = DOM+%S

3.0.23
* Improved support for local and BUILTIN groups.

* User and Group changes -
The user and group internal management routines have been
rewritten to prevent overlaps of assigned Relative Identifiers
(RIDs). In the past the has been a potential problem when either
manually mapping Unix groups with the 'net groupmap' command or
when migrating a Windows domain to a Samba domain using 'net rpc
vampire'.

Unmapped users are now assigned a SID in the S-1-22-1 domain and
unmapped groups are assigned a SID in the S-1-22-2 domain.
Previously they were assign a RID within the SAM on the Samba
server. For a DC this would have been under the authority of the
domain SID where as on a member server or standalone host, this
would have been under the authority of the local SAM (hint: net
getlocalsid).

The result is that any unmapped users or groups on an upgraded
Samba domain controller may be assigned a new SID. Because the
SID rather than a name is stored in Windows security descriptors,
this can cause a user to no longer have access to a resource for
example if a file was copied from a Samba file server to a local
NTFS partition. Any files stored on the Samba server itself will
continue to be accessible because Unix stores the Unix gid and not
the SID for authorization checks.

A further example will help illustrate the change. Assume that a
group named 'developers' exists with a Unix gid of 782 but this
user does not exist in Samba's group mapping table. it would be
perfectly normal for this group to be appear in an ACL editor.
Prior to 3.0.23, the group SID might appear as
S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the
group SID would be reported as S-1-22-2-782. Any security
descriptors associated with files stored on an NTFS disk partition
would not allow access based on the group permissions if the user
was not a member of the
S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this
group SID not reported in a user's token is S-1-22-2-782, Windows
would fail the authorization check even though both SIDs in some
respect referred to the same Unix group.

The current workaround is to create a manual domain group mapping
entry for the group 'developers' to point at the
S-1-5-21-647511796-4126122067-3123570092-2565 SID.

* Group Mapping Changes - The default mapping entries for groups such as
"Domain Admins" are
no longer created when using an smbpasswd file or a tdbsam passdb
backend. This means that it is necessary to use 'net groupmap
add' rather than 'net groupmap modify' to set these entries.

Parameter Name Action
-------------- ------
dos filemode Modified No
acl group control Deprecated No
* Deprecate 'acl group control' and replace it with added
functionality to 'dos filemode'.

'dos filemode' notes:
make sure your filesystem is mounted with user_xattr:
dev/hda5 / ext3,acl,user_xattr defaults 1 1

Offline files fails

If you have a file share with multiple users using it regularly, and one of the users tries to synchronize the files using Windows' "Offline Files" feature, you might find that random files fail. The user will have read/write access through their group, but the file will be owned by someone else.
Why this is happening

From Jeremy Allison, Samba developer: "Windows does a sync by creating a new file with a temporary name, then sets an ACL on it that matches the current one (but seems to add write access for the current user, not just the owner). This must succeed else the sync will fail. Then it sets the DOS attributes, again this must succeed or the sync will fail. Under POSIX we encode the attributes in the file permissions and these can only be changed by the owner, unless the "dos filemode" parameter is set."
How to fix it

Upgrade to at least Samba 3.0.0. Ensure that smbd is compiled with ACL support (the Debian packages work fine out of the box), and running on a filesystem with POSIX AccessControlLists. Then you also need to set the parameter "dos filemode = yes" for the share. You don't need the acl package installed, but you probably need libacl.

3.0.21
? iprint server New
map read only New
rename user script New
for Suse: rename user script = /usr/sbin/usermod -l '%unew' '%uold'

3.0.20
acl check permissions New
acl map full control New
printer admin Deprecated
* Deprecate the "printer admin" parameter in favor of the
SePrintOperatorPrivilege.
WE EXTENSIVELY USE printer admin BUT WE DO ALREADY USE SePrintOperatorPrivilege. Perhaps we could remove all 'printer admin' from our existing smb.conf.

Mail server

If you only want your system to be able to have the ability to send out mail, for example to email you logs, then see Mail Transfer.

We recommend Christoph Haas's 'Howto: ISP-style Email Server with Debian-Etch and Postfix 2.3', at http://workaround.org/articles/ispmail-etch/. This solution provides POP3/IMAP access and webmail access to multiple domains, virus scanning, spam prevention, secure mail relay access for road-warriors and easy domain administration. It accomplishes this using Postfix SMTP, MySQL database, Dovecot POP3/IMAP, amavisd-new, SpamAssassin and Clam AntiVirus.

In addition to that tutorial, if your server isn't required to receive its own email directly and/or send it directly you can use Fetchmail to collect from a POP3 host (see the Fetchmail section) and add a relay host to Postfix that will deliver mail on your behalf.

Twix doesn't yet setup this version of the mail server for you.

Packages

mysql-server - see our mySQL section
phpMyAdmin

phpmyadmin
libapache2-mod-php5
php5-mysql

postfix-mysql - www.postfix.org. [Version: 2.3.6]
dovecot-pop3d - www.dovecot.org. [Version: 1.0.rc15]
dovecot-imapd - www.dovecot.org. [Version: 1.0.rc15]
amavisd-new - www.ijs.si/software/amavisd/. [Version: 2.4.2]
spamassassin - spamassassin.apache.org. [Version(s): 3.1.7 (Etch), 3.2.3 (etch/volatile)]
clamav-daemon - www.clamav.net. [Version(s): 0.88.7 (Etch), 0.92.1 (etch/volatile)
unarchivers
- arj
- cabextract
- lha [non-free - open source, has some restrictions and some vaguely worded terms; read the licence]
- lzop
- nomarch
- pax
- unrar [non-free - freeware, open source, restricts you to not using the source to create a rar archiver; read the licence]
- zoo
- Additional unarchivers I choose:
openssl - www.openssl.org. [Version: 0.9.8c]
squirrelmail - www.squirrelmail.org. [Version: 1.4.9a]
telnet
mutt - www.mutt.org

Installation

Questions and recommended answers for package installation:

Postfix: type of configuration: Internet Site (the default)
Postfix: Mail name: server.localdomain (or whatever your server and domain are called, this should default to this FQDN if you've already set it in /etc/hostname)

Configuration

Configuration Choices Or Clarifications I Make Where The workaround.org Howto Gives Choices

In 'Step 9: Authenticated SMTP', I use a Postfix 'mynetworks' setting of 10.0.0.0/24:
postconf -e mynetworks=10.0.0.0/24

In 'Step 10: AMaViS: Filtering spam and viruses', these are set in /etc/amavis/conf.d/20-debian_defaults:

$sa_tag_level_deflt = undef;
$final_spam_destiny = D_PASS;

I don't follow 'Step 11: Learning spam and ham'.

In 'Step 12: Populate and administer the users in the database' I use 'Peter Gutwein's PHP administration frontend' (called 'GR Soft Virtual Mail Manager') rather than 'Ronny Tiebel's PHP administration frontend'. This is how to install it:

mkdir /srv/mailmanager
cd /srv/mailmanager/
wget http://www.grs-service.ch/pub/grs_mailmgr_v<version>.tgz
tar -xzf grs_mailmgr_v<version>.tgz
ln -s /srv/mailmanager/ /var/www/mailmanager
chown www-data.www-data /srv/mailmanager/* -R
Go to http://server/mailmanager/install.php and follow the wizard, entering the following details:

Database host: localhost
Database name: mailserver
Database username (with right to create tables): mailadmin - this is described a little further on
Database password:
MailMaster email adress: mailadmin@<yourdomain> - this is the admin for the whole mail server. You can create separate admins for each separate domain
MailMaster password:

rm /srv/mailmanager/install.php /srv/mailmanager/conf/cnf_main_template.php
rm -rf /srv/mailmanager/install
? "Please check the rights for the other files to fit your needs."
The web interface is now available at http://server/mailmanager/login.php

These are the parts of the 'Optional features' section that I use:

'Offering webmail access'
'Sieve: Filtering out spam'
'Vacation / Autoresponder' using Remo Fritzsche's goldfish - follow the installation 'Installation / configuration manual' at its web site. Note that it requires the package php5-cli; you should rename goldfish-<version>.php to autoresponder.php.
'Removing old deleted mails'

Edit root's crontab:
crontab -u root -e
Add this, scheduling deletion daily at 01:00:
00 1 * * * root find /home/vmail/ -name '*,ST' -ctime +7 | xargs rm -f

Configuration Additional To what Is Described In The Howto

Postfix

Add a relay host that will deliver mail on your behalf

postconf -e relayhost=[<your ISP's SMTP server>]
"The form enclosed with [] eliminates DNS MX lookups. Don't worry if you don't know what that means. Just be sure to specify the [] around the mailhub hostname that your ISP gave to you, otherwise mail may be mis-delivered."

Use authenticated SMTP with a relayhost

Create /etc/postfix/sasl_passwd

Install package libsasl2-modules - a SASL plug-in that the Postfix SMTP client will use for authentication (without this you get postfix/smtp errors warning: SASL authentication failure: No worthy mechs found and SASL authentication failed; cannot authenticate to server mail.exampledomain.co.uk[x.x.x.x]: no mechanism available)

In /etc/postfix/sasl_passwd add relayhost and your authentication credentials:
<relayhost> <username>:<password>

Create a new file with a hash of the password contained in /etc/postfix/sasl_passwd:
# postmap hash:/etc/postfix/sasl_passwd

Add Postfix configuration to use all this (goes into /etc/postfix/main.cf)
# postconf -e smtp_sasl_auth_enable=yes # postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd # postconf -e smtp_sasl_security_options=noanonymous

Changing Maximum Email Size That Can Be Sent

Postfix defaults to not accepting mail larger than 10MB. This limit is for good reason so you should not increase it but if you do want to, hopefully temporarily, you override it with the message_size_limit parameter in /etc/postfix/main.cf using:
postconf -e message_size_limit=<new value in kilobytes>

MySQL

I'm trying this database account out for when an account is needed with more privileges than just read access (Virtual Mail Manager, etcetera):
grant ALTER, CREATE, DELETE, INDEX, INSERT, SELECT, UPDATE on mailserver.* to mailadmin@'%' identified by '<password>';

Squirrelmail

Configure the Squirrelmail Apache configuration, /etc/squirrelmail/apache.conf, to enable the specific address http://mail.server to load Squirrelmail (change the name if you call your server something else)

#When accessed from anywhere on port 80 at mail.server, respond with Squirrelmail:
#This also requires a DNS entry for mail.server
<VirtualHost *:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.server
</VirtualHost>

For mail.server to work you also need to register it with your DNS server:
Host IP address: 10.0.0.10
Hostname: mail
Domain name: server

Make use of the IMAP server's IMAP SORT feature to improve performance when there's lots of email in a folder and fixes the issue with a large inbox where the server tries to download to you right_main.php rather than display the inbox (From 'Optimizing SquirrelMail - IMAP server extensions' - www.squirrelmail.org/docs/admin/admin-6.html#ss6.3).
Use either method:

# squirrelmail-configure → 4. General Options → 11. Allow server-side sorting: true
In config/config.php set $allow_server_sort = true;

Create abuse@<your domain name> and postmaster@<your domain name> mailboxes for each domain. There's some kind of legal requirement to create an abuse mailbox for people to contact you to report spam; similarly postmaster is used to contact the mail administrator and for delivery problem reports to go to. Create proper accounts so any user can add them to their mail client, and they won't get their spam into their main mailbox. You can additionally create forwardings if you want to send mail for these addresses elsewhere.

Usage

Query Postfix's configuration:

Display all parameter settings:
postconf
Display parameter settings that are not left at their built-in default value, because they are explicitly specified in main.cf:
postconf -n
Display a particular Postfix parameter settings:
postconf -d <parameter>

Mail Queue

postqueue - Postfix queue control - for unprivileged queue operations such as listing or flushing the mail queue. For example postqueue -p or postqueue -pvvv.

postsuper - Postfix superintendent - for queue operations that require super-user privileges such as deleting a message from the queue or changing the status of a message. Use of the command is restricted to the superuser.

Delete a single message from the queue (applies to hold, incoming, active and deferred queues):
postsuper -d %lt;queue ID%gt;

Remove all messages from a particular queue (where queue can be hold, incoming, active or deferred):
postsuper -d ALL <queue>

Troubleshooting

Look at /var/log/syslog or /var/log/mail.log.

Show open ports and whether they listen on just localhost or for remote connections:
netstat -l -t -p
If you see tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 29945/mysqld it means the server is only listening locally.

Check open ports:

use netstat to verify that postfix is listening: netstat -nap | grep 25
nmap localhost
netstat -tap

Check 'master' is running.

Flush the queue - attempt to deliver all queued mail (warning: flushing undeliverable mail frequently will result in poor delivery performance of all other mail):
postqueue -f | postfix flush

Produce a traditional sendmail-style queue listing. This option implements the traditional mailq command. Add -v to enable verbose logging for debugging purposes, add multiple -v options to make the software increasingly verbose:
mailq or postqueue -p

Schedule immediate delivery of all mail that is queued for the named site. This option accepts only site names that are eligible for the "fast flush" service, and is implemented by executing the postqueue(1) command. See flush(8) for more information about "fast flush":
?mailq? -qRsite

Logs

Mail in general (what the mail server suite is doing, mail by mail): /var/log/mail.log

amavisd-new: /var/log/amavis.log - lists its capabilities and mail it's dealt with

Clam: /var/log/clam/clam.log

Dovecot delivery: /home/vmail/dovecot-deliver.log

Freshclam: /var/log/clam/freshclam.log

If you're sending email to the server to test it, whilst looking at a log file, it can be useful to email an address like xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@<domain> to make it easy to spot.

Moving the mail server system to another machine

TODO...

Upgrading from the previous Debian stable version

Remove courier-authdaemon, courier-authmysql, courier-pop, courier-pop-ssl, courier-imap, courier-imap-ssl, libsasl2, libsasl2-modules and libsasl2-modules-sql; install instead dovecot-pop3d and dovecot-imapd (POP/IMAP by Courier and SASL by auxprop are both now done by Dovecot)
Remove postfix-tls because postfix now includes tls
Remove clamav (just use clamav-daemon now)
Add libclass-dbi-mysql-perl
Add libapache2-mod-php5 and php5-mysql (explicit dependencies for phpmyadmin)
Add archival software
add telnet and mutt (useful troubleshooting tools)
Configuration differences and additions - follow the workaround.org guide
Database schema changes - install python-sqlalchemy and python-mysqldb then download and run dbconvert.py

PostFix 2.1.5 → 2.3.7 (since upgraded to 2.3.8-2)

amavisd-new 20030616p10-5 → 2.4.2-5

Added 'check-jpeg' example entry to the @av_scanners list and provide the associated module JpegTester.pm; it offers a fully-fledged check for jpeg comment field buffer overflow attempts; should serve mainly as an example for adding similar quick responses to new threats;

Additional archive extractors that can now be used if available

cabextract - suggested by amavisd-new?

pax - can handle tar/cpio/pax archives (including legacy format variants). Due to limitations in cpio (and in Archive::Tar), for security reasons it is preferred to decode such archives with pax and no longer with cpio; please add a line: $pax = 'pax'; to amavisd.conf and verify that the program pax is installed on the system. pax is available in Debian. This is not a suggests of the package. Should I file a bug to get this added as a suggests for amavisd-new?

tnef - support for decoding TNEF (Microsoft Outlook, winmail.dat) containers by 'tnef'; selectable by an entry in the @decoders list. Debian includes tnef and ytnef. This is not a suggests of the package. Should I file a bug to get this added as a suggests for amavisd-new?

zoo/unzoo - zoo decoder interface routine (do_zoo) can now use utility unzoo(1) or the traditional zoo(1); the unzoo(1) recognizes some additional parameters which makes it more resilient (but still not watertight) against some attempts to hide archive contents or to extract members to unexpected locations, but unfortunately does not recognize all zoo compression schemes ("error, LZD not yet implemented"), and the relative modes "-j ./" or "-j X" do not protect against all malicious cases - so it is a mixed blessing. The way amavisd calls zoo(1) (piping members to stdout, which can be slow) avoids some of the security problems with zoo (writing to arbitrary directories), which were probably the main reason for ClamAV project deciding to switch to unzoo(1);

zoo/unzoo - zoo sucks, unzoo (v4.4) sucks more: considered, but decided against changing zoo entry in @decoders to ['unzoo','zoo'] in amavisd.conf, as was suggested by Gbor Kvesdn. It would not necessarily be an improvement (see previous item, misses extracting members from my test cases), so feel free to choose between the two poor choices, I still prefer zoo(1), partly also because it covers cases which clamd decoding misses;

arj - The non-free unarj has been replaced by the free arj

ripole - ripOLE decoder, which attempts to extract embedded documents from MS OLE documents (MS Office) (http://www.pldaniels.com/ripole/); ripOLE is still experimental/alpha code; To make amavisd-new find the installed program 'ripole', add the: $ripole = 'ripole'; to the amavisd.conf. Not available in Debian but perhaps it can be installed manually?

unfreeze / freeze / melt. freeze - ftp://ftp.warwick.ac.uk/pub/compression/. Not in Debian.

Configuration changes

Where previously we changed $mydomain = 'example.com'; to $mydomain = 'localhost'; It looks as though now it auto detects the correct mail domain using /etc/mailname so do we stick with this or still change it to localhost?
Antivirus checking is not enabled by default. Where previously we left commented out '#@bypass_virus_checks_acl = qw( . );' we now re-enable anti-virus by uncommenting the following in /etc/amavis/conf.d/15-content_filter_mode: #@bypass_virus_checks_maps = ( # \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
Spam checking is not enabled by default. Where previously we left commented out '@bypass_spam_checks_acl = qw( . );' we now re-enable anti-spam by uncommenting the following in /etc/amavis/conf.d/15-content_filter_mode: #@bypass_spam_checks_maps = ( # \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

(?doesn't this say the opposite of what we have above?) because of the reorganization
of lookup tables, a new way of quickly disabling virus or spam checks in amavisd.conf is used.
  Instead of:
    # @bypass_virus_checks_acl= qw( . ); # uncomment to DISABLE anti-virus code
    # @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code
  the new recipe is:
    # @bypass_virus_checks_maps = (1);   # uncomment to DISABLE anti-virus code
    # @bypass_spam_checks_maps  = (1);   # uncomment to DISABLE anti-spam code

Where previously we left '$final_virus_destiny = D_DISCARD;' as it was, we now do the same because of the setting in 20-debian_defaults
Where previously we changed '$final_banned_destiny = D_BOUNCE;' to '$final_banned_destiny = D_REJECT;' we now do the same but in the file 50-user
TO DO: WE PROBABLY WANT TO ENABLE SOME FILE TYPES INSTEAD, SUCH AS .DOC
Where previously we changed '$sa_tag_level_deflt = 4.0;' to '$sa_tag_level_deflt = -1000;' it's now set to 2.0 in 20-debian_defaults so do we override it in 50-user?
Where previously we changed '$sa_tag2_level_deflt = 6.3;' to '$sa_tag2_level_deflt = 5.0;' it's now set to 6.31 in 20-debian_defaults so do we override it in 50-user?
Where previously we changed '$sa_kill_level_deflt = $sa_tag2_level_deflt;' to '$sa_kill_level_deflt = 10;' it's now set to 6.31 in 20-debian_defaults so do we override it in 50-user?
Where previously we left the @av_scanners list as it was, we now do the same, but is this the correct way to treat it?

Thus our /etc/amavis/conf.d/50-user is shaping up to probably look like:
$final_banned_destiny = D_REJECT; $final_spam_destiny = D_PASS; $sa_tag_level_deflt = -1000; $sa_tag2_level_deflt = 5.0; $sa_kill_level_deflt = 10;

From README.Debian

The new configuration system uses split files in /usr/share/amavis/conf.d and
/etc/amavis/conf.d, which are read in priority order. First from
/usr/share/amavis/conf.d, then /etc/amavis/conf.d.

The ones in /usr/share are Debian/upstream land. You can override anything in
them placing files in /etc/amavis/conf.d or editing the ones already in
/etc/amavis/conf.d. It is suggested that all user changes be done to 50-user,
overriding whatever Debian options you don't like.

WARNING: you will have to upgrade your configuration manually

Configuration is split into two directories, and processed in the order below:

Read-only configuration: /usr/share/amavis/conf.d/
10-debian_scripts: Stuff you'd better not override
20-package: Packaging decisions, override at will

Read-write conffiles: /etc/amavis/conf.d/
01-debian: Rarely modified settings
05-domain_id: mydomain autodetection, local_domains config
05-node_id: myhostname autodetection
15-av_scanners: AV scanner interface configuration
15-content_filter_mode: Use this to re-enable spamassassin/av checks
20-debian_defaults: Commonly modified settings
50-user: Place your overrides here, if you want - debian package upgrades won't override them

If the package detects legacy config files, it renames them adding a
".disabled" extension, and the amavisd-new initscript will refuse to start the
service until these files with a ".disabled" extension are removed or renamed.
The legacy config files are /etc/amavis.conf and /etc/amavis/amavis.conf.

Antivirus and spam-checking.
If you use clamav-daemon, make sure that it is configured to init supplementary
groups when it drops priviledges, and that you add the clamav user to the
amavis group: add AllowSupplementaryGroups to /etc/clamav/clamd.conf if it is
not there yet, and run "adduser clamav amavis" as root.
This is mentioned in NEWS.Debian.gz too.

If you use spamassassin with the Bayes database system, you should make sure
that the spamassassin configuration option "bayes_auto_expire 0" is set in
spamassassin configure files. This disables the automatic expiration of tokens
which causes problems for amavisd-new when activated. The amavisd-new package
includes cron jobs that take care of syncing and expiring the token database
frequently.

From changelog.gz

There are a huge amount of changes in amavis. Here's just one:

Check during startup that $myhostname is a fully qualified domain name
(or 'localhost', if you must), and abort if it isn't, otherwise a non-FQDN
can end up in places where RFC 2822 does not allow it; if uname(3) does not
provide a FQDN, then an assignment to $myhostname must be done explicitly
in amavisd.conf;

From changelog.Debian.gz

* NEWS.Debian: call attention to the left-over quarantine file (caused
  by the #350917 fix described above)

* Make $mydomain normal variable. Still need long term solution, as this
  variable is referenced by other variables which will be wrong.

log file info which might be useful:
    mail.err      /var/log/messages
    mail.notice   /var/log/amavisd.log
    mail.info     /var/log/amavisd-info.log
    mail.debug    /var/log/amavisd-debug.log

spamassassin 3.0.3-2sarge1 → 3.1.7-2

From Note for Users Upgrading to SpamAssassin 3.1.0 and Release notes for versions 3.1.0, 3.1.1, 3.1.2, 3.1.5.

A significant amount of core functionality has been moved into plugins. These include, AWL (auto-whitelist), DCC, Pyzor, Razor2, SpamCop reporting and TextCat. For information on configuring these plugins please refer to their individual documentation: perldoc Mail::SpamAssassin::Plugin::* (ie AWL, DCC, etc)

There are now multiple files read to enable plugins in the /etc/mail/spamassassin directory; previously only one, "init.pre" was read. Now both "init.pre", "v310.pre", and any other files ending in ".pre" will be read. As future releases are made, new plugins will be added to new files named according to the release they're added in.

Due to license restrictions the DCC plugin is disabled by default. We encourage you to read the appropriate license yourself and decide if you are able to re-enable the plugins for your site. [by uncommenting the appropriate line in /etc/mail/spamassassin/v310.pre]

As of 3.1.0, in addition to the generic BayesSQL support (via Mail::SpamAssassin::BayesStore::SQL) usable by multiple database drivers there is now specific support for MySQL 4.1+ and PostgreSQL. This support is based on non-standard features present in both database servers that allow for various performance boosts.

If you were using the previous BayesSQL support with MySQL, and already have MySQL 4.1+ installed you can begin using the new module immediately by replacing the bayes_store_module line in your configuration with: Mail::SpamAssassin::BayesStore::MySQL

Inclusion of sa-update script which will allow for updates of rules and scores in between code releases.

openssl 0.9.7e-3sarge4 → 0.9.8c-4

? Make it possible to create self-signed certificates using 'openssl ca -selfsign'.

squirrelmail 1.4.4-10 → 1.4.9a-1

Mostly bug fixes and small improvements.

Recommended and Suggested Packages - imapproxy: "since SquirrelMail is a web application, it needs to reconnect to the IMAP server on each page load. On heavily loaded sites, this can be a problem; use the excellent imapproxy package to cache connections between page requests and reduce the load on your IMAP server".

Further Information

Postfix

Man pages for Postfix daemon processes you'll see mentioned in syslog: cleanup, local, master, qmgr, smtp, smtpd, virtual.

You can learn a lot by reading through the archives of the postfix-users mailing list: www.postfix.org/lists.html

Fetchmail mail retrieval

Fetchmail retrieves mail from a remote mail server and sends it to your local SMTP server.

Package(s)

fetchmail - http://www.catb.org/~esr/fetchmail/ - remote mail retrieval and forwarding utility
? fetchyahoo
? gotmail

Configuration

Fetchmail runs in general mode or daemon (AKA service) mode, by default checking every 5 minutes. Its behaviour is controlled by command-line options and/or a run control (i.e. config) file, either a system-wide one (/etc/fetchmailrc) or in per-user home directories (~/.fetchmailrc). The fetchmail package installer doesn't create a config file for you, you either create it manually or use the fetchmailconf utility (separately, on a workstation) to create and edit a .fetchmailrc in the home directory of the user that runs it; fetchmailconf requires X windows.

Fetchmail is configured not to run by default. For it to work you have to edit /etc/default/fetchmail, setting START_DAEMON=no to START_DAEMON=yes.

The normal mode of fetchmail is to try to download only 'new' messages, leaving untouched (and undeleted) messages you have already read directly on the server (or fetched with a previous fetchmail --keep).

The most thorough explanation of Fetchmail's configuration is in info fetchmail.

Example /etc/fetchmailrc configuration file:

# Fetchmail configuration file
# /etc/fetchmailrc for system-wide daemon mode
# Version 1.3

# Changes:
# 1.3 - 13 Nov 2007 - added 'set no bouncemail'.
# Fetchmail's default is to bounce mail to addresses that don't exist. This is
# known as backscatter and in a world of spam you don't want to reply to either
# a spammer or the address they forged. With this set an error mail is sent to 
# postmaster rather than the sender, which for us goes nowhere.
# 1.2 - 18 Oct 2007 - added 'set postmaster ""' so unknown user emails are discarded
# 1.1 - 14 Aug 2007 - added example using 'envelope 1 "Delivered-To:" qvirtual "109-"'

# How often to poll servers, in seconds. The default is 300.
set daemon     90

# LOGGING
# Don't log to syslog:
#set no syslog

# Log to the specified log file, for troubleshooting:
# (Beware that if you're using the log for troubleshooting, it can grow quickly)
# (The log file wants to be editable by the user fetchmail)
# (How do we cycle the log file? /etc/logrotate.conf?)
#set logfile /var/log/fetchmail


defaults
protocol pop3

set postmaster ""
# Set no postmaster so mail tagged as SMTP 550 error 'Recipient address
# rejected: User unknown in virtual mailbox table' is discarded rather
# than going in fetchmail's mailbox (/var/mail/fetchmail) and eating up
# disk space

set no bouncemail
# Fetchmail's default is to bounce mail to addresses that don't exist.
# This sets Fetchmail to instead send an error to postmaster.

# The verbose syntax is like this
# poll SERVERNAME protocol PROTOCOL
#	user USERNAME with password PASSWORD is LOCALUSERNAME here;

# Example of various user accounts on the same server
#
# poll pop.provider.net proto pop3
#	user \"jsmith\" with pass \"password\" is \"smith\" here
#	user jones with pass \"password\" is \"jjones\" here

# Example of a multi-drop mailbox
#
# poll pop.provider.net localdomains loonytoons.org toons.org:
#	user your_username with pass your_password to * here

# Example of a multi-drop mailbox where mail
# - host doesn't provide 'X-Envelope-To' so we look at 'Delivered-To'
# - mail host is running qmail virtual mailbox, prepending 109- to each address
# - 1st 'Delivered-To' is unusable so we look at the 2nd
# - Mail is deleted from the mail host.
#
# poll pop.provider.net localdomains loonytoons.org:
#  envelope 1 "Delivered-To:" qvirtual "109-"
#  user your_username with pass your_password to * here


# SOME USEFUL OPTIONS
# keep - Don't delete seen messages from server
# no keep - Delete seen messages from server (default)
# fetchall - Fetch all messages whether seen or not
# no fetchall - Retrieve only new messages (default)

Set restrictive permissions on the fetchmail configuration file because it contains passwords:
chmod 0600 /etc/fetchmailrc
chown fetchmail /etc/fetchmailrc

Create the Fetchmail log file, change its owner to fetchmail and give root write access to it (beware that if you're using the log for troubleshooting, it can grow quickly):
touch /var/log/fetchmail chown fetchmail /var/log/fetchmail chmod g+w /var/log/fetchmail

For details of configuring Fetchmail to deal with nuances specific to different mail hosts read Appendix 1 - Fetchmail Multidrop Issues

Usage

Start system-wide fetchmail service: /etc/init.d/fetchmail start

Stop system-wide fetchmail service: /etc/init.d/fetchmail stop

Restart system-wide fetchmail service: /etc/init.d/fetchmail restart

Tell system-wide fetchmail to start a poll cycle immediately: /etc/init.d/fetchmail awaken

Troubleshooting

With the log file set as described in our example configuration above, you can watch the log with tail -f /var/log/fetchmail
When interpreting the log, be sure to look for each line which particular program is processing the mail and this will indicate where you should be looking for the problem, such as 'fetchmail', 'postfix', 'amavis', etcetera.
(how do we get a log to watch as verbose a log as when using debug-run? do we have to always run in debug-run mode to get this?)

Start a debug run of the system-wide fetchmail service, optionally running it under strace: /etc/init.d/fetchmail debug-run

Display Fetchmail's defaults: /usr/bin/fetchmail --configdump

Further Information

info fetchmail

/usr/share/doc/fetchmail/fetchmail-FAQ.html

/usr/share/doc/fetchmail/README.Debian.gz

SSH server (sshd)

Package(s)

openssh-server - Secure shell server, an rshd replacement. Provides secure encrypted communications between two untrusted hosts over an insecure network. Depends on openssh-client.

Configuration

Configuration file: /etc/ssh/sshd_config

/etc/init.d/ssh start|stop|restart

To allow X windows programs to be run by people remotely logging in using SSH, in /etc/ssh/sshd_config have X11Forwarding yes (requires one of a number of corresponding configuration settings on the connecting computer).

LDAP server

Package(s)

slapd - OpenLDAP server
ldap-utils

Configuration

/etc/ldap/slapd.conf - configure using dpkg-reconfigure slapd

See these worthwhile guides for configuration instructions:

'Linux LDAP authentication' by "American" Dave Kline, is a Debian-specific tutorial covering both LDAP client and server setup: http://enterprise.linux.com/article.pl?sid=05/09/15/1930256&tid=129
'Using OpenLDAP' by metaconsultancy, covers LDAP server setup: http://www.metaconsultancy.com/whitepapers/ldap.htm (Debian-specific; simply written, makes it easy to follow)

Restart slapd for changes to take effect using /etc/init.d/slapd restart.

Linux kernel updates

Package(s)

The linux-image-<architecture> package will install the most recent 2.6 series kernel available for that particular architecture and keep it updated when new versions are available. '486', '686', '686-bigmem' and 'k7' architectures are for single and multiprocessor (AKA SMP) 32-bit x86 (generically known as PC, i386, IA32, IA-32 or x86-32) processors. The 'amd64' architecture is for single and multiprocessor (AKA SMP) 64-bit Intel and AMD PC processors (generically known as x86-64 or x64). Debian includes kernels for many other architectures but we focus on these. The following describes how installing the generic kernel package will bring in the specific kernel package. These are upstream kernel version 2.6.18.7, Debian's actual version 2.6.18.dfsg.1-12, upgradeable through Debian security updates to at least 2.6.18.dfsg.1-12etch1.

linux-image-486 → linux-image-2.6-486 → linux-image-2.6.18-4-486 - optimised for 486-class processors, will work on all 32-bit x86 class processors. Provides a useful fail-safe boot option in case of problems and one which allows you to move the system to a different computer with a different x86 processor architecture.
linux-image-686 → linux-image-2.6-686 → linux-image-2.6.18-4-686 - optimised for Intel Pentium-Pro/Celeron/Pentium II/Pentium II Xeon/Pentium III/Mobile Pentium III (AKA PIII-M)/Pentium III Xeon/Pentium 4/Mobile Pentium 4/Mobile Pentium 4 M (AKA P4-M)/Pentium 4M/Pentium 4 Extreme Edition/Xeon (32-bit)/Xeon MP (32-bit)/Pentium M (a part of Centrino) [and Core Solo and Core Duo?]
linux-image-k7 → linux-image-2.6-k7 → linux-image-2.6.18-4-k7 - optimised for AMD K7 (Duron/Athlon/AthlonXP)
linux-image-686-bigmem → linux-image-2.6-686-bigmem → linux-image-2.6.18-4-686-bigmem - optimised for the same processors as '686' but with 4-64GB RAM
linux-image-amd64 → linux-image-2.6-amd64 → linux-image-2.6.18-4-amd64 - For Intel IA-32e / EM64T / Intel 64 (Intel Xeon (some models since Nocona), Celeron D (some models since Prescott), Pentium 4 (some models since Prescott), Pentium D, Pentium Extreme Edition, Xeon (Woodcrest), Core 2) and AMD64 K8 (AMD Athlon 64, Athlon 64 X2, Athlon 64 FX, Opteron, Turion 64, Turion 64 X2, Sempron (Palermo E6 stepping and all Manila models))

Installation

If you install any of these kernels they will be installed and your old kernel version retained with the new kernel set as the default in the GRUB boot menu. You can find out which CPU you have in your system with the command cat /proc/cpuinfo, under 'model name'.

Updates

You will see various messages when updating or upgrading kernels. Here are some examples.

When you use aptitude upgrade you get updated versions of the same kernel(s) you have installed. Same package name, different version of that package. For example you might get package linux-image-2.6.18-4-686 (package version 2.6.18.dfsg.1-12etch1) updated to package version 2.6.18.dfsg.1-12etch2. This is the kind of message you would see in this case (this particular example actually deals with a Debian 3.1 Sarge update, kernel-image-2.6.8-4-686-smp (package version 2.6.8-17) → kernel-image-2.6.8-4-686-smp (package version 2.6.8-17sarge1)):

Setting up kernel-image-2.6.8-4-686-smp (2.6.8-17sarge1) ...

 You are attempting to install a kernel version that is the same as
 the version you are currently running (version 2.6.8-4-686-smp). The modules
 list is quite likely to have been changed, and the modules dependency
 file /lib/modules/2.6.8-4-686-smp/modules.dep needs to be re-built. It can
 not be built correctly right now, since the module list for the
 running kernel are likely to be different from the kernel installed.
 I am creating a new modules.dep file, but that may not be
 correct. It shall be regenerated correctly at next reboot.

 I repeat: you have to reboot in order for the modules file to be
 created correctly. Until you reboot, it may be impossible to load
 some modules. Reboot as soon as this install is finished (Do not
 reboot right now, since you may not be able to boot back up until
 installation is over, but boot immediately after). I can not stress
 that too much. You need to reboot soon.

Please Hit return to continue.

Not touching initrd symlinks since we are being reinstalled (2.6.8-17)
Not updating image symbolic links since we are being updated (2.6.8-17)
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Updating /boot/grub/menu.lst ... done

When you use aptitude dist-upgrade you get upgraded kernel packages themselves - actual new builds of the same kernel version (2.6.18) you have installed, bringing in bigger updates than when just the package version changes. For example you might get package linux-image-2.6.18-5-686 upgraded to package linux-image-2.6.18-6-686. The whole package itself has changed, so you end up with the old kernel and the new kernel. This is the kind of message you would see in this case (this particular example actually deals with a Debian 3.1 Sarge update, kernel-image-2.6.8-3-686-smp → kernel-image-2.6.8-4-686-smp):

  You are running a kernel (version 2.6.8-3-686-smp) and attempting to remove
  the same version. This is a potentially disastrous action. Not only
  will /boot/vmlinuz-2.6.8-3-686-smp be removed, making it impossible to boot
  it, (you will have to take action to change your boot loader to boot
  a new kernel), it will also remove all modules under the directory
  /lib/modules/2.6.8-3-686-smp. Just having a copy of the kernel image is not
  enough, you will have to replace the modules too.

    I repeat, this is very dangerous. If at all in doubt, answer
    no. If you know exactly what you are doing, and are prepared to
    hose your system, then answer Yes.
Remove the running kernel image (not recommended) [No]?

If you say 'no' here you get this:

dpkg: error processing kernel-image-2.6.8-3-686-smp (--remove):
 subprocess pre-removal script returned error exit status 1
Errors were encountered while processing:
 kernel-image-2.6.8-3-686-smp
E: Sub-process /usr/bin/dpkg returned an error code (1)
Ack!  Something bad happened while installing packages.  Trying to recover:
Setting up kernel-image-2.6.8-4-686-smp (2.6.8-17) ...
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Found kernel: /boot/vmlinuz-2.6.8-3-686-smp
Updating /boot/grub/menu.lst ... done

If you say 'yes' here you get this:

Ok, proceeding with removing running kernel image.
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Updating /boot/grub/menu.lst ... done

The link /vmlinuz.old is a dangling link
Removing symbolic link vmlinuz.old
Unless you used the optional flag in lilo,
 you may need to re-run lilo
The link /initrd.img.old is a dangling link
Removing symbolic link initrd.img.old
Unless you used the optional flag in lilo,
 you may need to re-run lilo

...

Setting up kernel-image-2.6-686-smp (101sarge2) ...

server:/var/log# aptitude dist-upgrade
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
The following packages are unused and will be REMOVED:
  kernel-image-2.6.8-3-686-smp

This example involves an ABI (application binary interface) change:

Note that this update changes various package names due to ABI changes.
You must therefore have the corresponding upgrade-assist metapackage(s)
installed for your upgrades to automatically take place. These packages
have names with the prefix 'linux-image-2.6-'. Systems installed with an
official Debian 4.0 installer will have the appropriate packages installed
by default. For a full list of these metapackages for Debian 4.0, see:
  http://packages.debian.org/source/etch/linux-latest-2.6
Any 3rd party modules that have been built and installed for your system
will need to be rebuilt and installed for compatability with the new ABI.

The following matrix lists additional source packages that were rebuilt for
compatability with or to take advantage of this update:

                                             Debian 4.0 (etch)
     fai-kernels                             1.17+etch.17etch1
     linux-latest-2.6                        6etch3
     linux-modules-contrib-2.6               2.6.18-4+etch3
     linux-modules-extra-2.6                 2.6.18-7+etch4
     linux-modules-nonfree-2.6               2.6.18-4etch2
     loop-aes                                3.1d-13etch2
     nvidia-graphics-legacy-modules-amd64    1.0.7184+6etch2
     nvidia-graphics-legacy-modules-i386     1.0.7184+6etch2
     nvidia-graphics-modules-amd64           1.0.8776+6etch2
     nvidia-graphics-modules-i386            1.0.8776+6etch2
     user-mode-linux                         2.6.18-1um-2etch.17etc

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

Configuration

To see which compile-time options were set in your kernel, see the file /boot/config-<kernel version>-<Debian build version>-<architecture>.

Further Information

Changes in the 2.6 Linux kernel - prior to the present mainline kernel wiki.kernelnewbies.org/Linux26Changes

Changes in the 2.6 Linux kernel - the present mainline kernel wiki.kernelnewbies.org/LinuxChanges

'Debian Reference - Chapter 7 - The Linux kernel under Debian: www.debian.org/doc/manuals/reference/ch-kernel.en.html

KernelTrap: kerneltrap.org

Kernel Traffic: www.kerneltraffic.org/kernel-traffic/latest.html

The Linux Kernel Mailing List (LKML): lkml.org

The Linux Kernel Archives: kernel.org

Bits from the kernel team - "Half-way between the Sarge release and the Etch freeze the Debian kernel team takes a look back at what already happened after the Sarge release and what you should expect for Etch" - 8 Mar 2006: lists.debian.org/debian-devel-announce/2006/03/msg00007.html.

NFS server

Package(s)

nfs-kernel-server (because nfs-user-server "is buggy and unmaintained")
portmap

Configuration

The userID of the user on the workstation must match the userID of a user on the server.

Add directories to share and who to share them to in /etc/exports, for example:
/home/shared 10.0.0.0/255.255.0.0(rw) 192.168.0.0/255.255.0.0(rw)

Re-export all directories in the table of exported file systems for NFS:
exportfs -ra

Further Information

man exports

Version control - Subversion

Package(s)

subversion (http://subversion.tigris.org/)
subversion-dav

Configuration

This configuration is explained in more depth at http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html

In order to use Subversion's own lightweight server (as opposed to using Apache) to enable access over a network edit the following then restart inetd with /etc/init.d/inetd restart:
/etc/inetd.conf: svn stream tcp nowait svnowner /usr/bin/svnserve svnserve -i -r /usr/local/repositories
You can leave out the -r /usr/local/repositories but users will have to include the whole local path in their client software). You need to create the user svnowner and give them appropriate permissions on the subversion repository directory.

Define the name of the password file of users that can commit to the repository, and give your realm a name, by adding the following to:
/repository-directory/conf/svnserve.conf
[general] password-db = passwd realm = My First Realm

Define users that can commit to the repository, by creating the file: /repository-directory/conf/passwd

Server Setup with Debian GNU/Linux 4.0 'Etch'

Contents

Introduction

Notable changes to this document

Glossary

Package Repositories, Updates & Upgrades

Package repositories

Updates

4.0 Etch

Upgrades

Etch+1 year

General Configuration

Partitioning Scheme

Network Addressing

Miscellaneous

Useful Tools

Mail Transfer

NTP - Set The Time From An Internet Time Server

Package(s)

Configuration

Usage

Logging

Further Information

Backup - Backup Manager

Package(s)

Configuration

Usage

Troubleshooting

Further Information

Backup - Flexbackup

Package(s)

Usage

From the command-line

Configuration

Backup - Tape Drives

Package(s)

Usage

Troubleshooting

Apache - web server

Package(s)

Configuration

Troubleshooting

PHP - for programming databases

Package(s)

Configuration

Upgrading from previous Debian stable version

Compression / Archival

Package(s)

LVM - Logical Volume Management

Further Information

MySQL - database server

Package(s)

Installation

Configuration

Usage

Further Information

PostgreSQL - database server

Package(s)

Usage

RAID arrays

Package(s)

Configuration

Configuration files

Usage

Further Information

Samba - Windows file and print server

Package(s)

Creating a Primary Domain Controller

Simple Samba File Sharing

Creating shares that can be mounted from a GNU/Linux workstation

Upgrading from the previous Debian stable version

Mail server

Packages

Installation

Configuration

Configuration Choices Or Clarifications I Make Where The workaround.org Howto Gives Choices

Configuration Additional To what Is Described In The Howto

Postfix

Add a relay host that will deliver mail on your behalf

Use authenticated SMTP with a relayhost