Server Setup with Debian GNU/Linux 4.0 'Etch'


Minimum Features
Miscellaneous Main Features
File Serving Etcetera
Network Services


This server guide and my experiences have only been tested in environments with up to fifteen people/workstations so don't expect it to be spot-on when it comes to other areas. I have no experience of running a server openly on the Internet or a (Linux) server at high capacity for large numbers of users so expect the advice as applied to these realms to be vague. Everything in here comes from direct experience at one time or another but my most thorough day-to-day server knowledge, reflected in sections in here and in other guides from, is in Samba domain controllers; mail servers; print servers; Linux and Debian.

The Samba server details in this guide are for a simple file server, for more see my separate guide to a Samba primary domain controller and file/print/software deployment server for Windows using Samba 3

See my related documents on setting up a desktop system using Debian which includes some aspects common to both servers and desktops: Desktop System Setup with Debian 4.0 Testing/Etch.

I also provide a menu driven command-line program, called Twix, to help you install most of what is covered in this document and configure some of it. Twix can be downloaded for free from

Notable changes to this document

Work in progress:
- 11 September 2012 - Advice on changing Postfix's message size limit mistakenly said to use a value in kilobytes, rather than in bytes.
- Leave 2% of unused unpartitioned space at the end of each disk so that in the event of failure, if the disk is replaced with another of notionally the same size, because disk sizes tend to differ slightly we can cope if the replacement disk is a little smaller.
- improved RAID and LVM sections
- TODO: updated kernel package

1.3.4 - 25 August 2010

1.3.0 - 5 August 2009

1.2.14 - 26 April 2009 - added ca-certificates package to Fetchmail section.

1.2.9 - 4 Oct 2008 - moved hosts file configuration from MySQL section to General Configuration section because a properly configured /ets/hosts is required for other software too.

1.2.7 - 9 July 2008 - removed appendices on mail server, moved it to seperate document...

1.2.6 - 20 June 2008 - added how to use authenticated SMTP when your mail server uses a relayhost.

1.2.5 - 6 June 2008 - Fetchmail requires START_DAEMON=yes in /etc/default/fetchmail to work.

1.2.4 - 4 June 2008 - added creation of abuse and postmaster accounts to mail server.

1.2.3 - 30 May 2008 - removed webmin-fetchmail, webmin isn't available in Debian, it's installed as one large package from the webmin web site

1.2.0 - 9 March 2008

1.1.3 - 5 March 2008 - Added 'Network Addressing' section to 'General Configuration' section; improved 'updates' section in 'Linux kernel updates'.

1.1 - 27 February 2008

1.0.5 - 10 December 2007

1.0.4 - November 2007 - Added 'set no bouncemail' to Fetchmail configuration to fix issue of replying to spam email

1.0.1 - 18 October 2007 - in example Fetchmail configuration file added 'set postmaster ""' to set no postmaster so mail tagged as SMTP 550 error 'Recipient address rejected: User unknown in virtual mailbox table' is discarded rather than going in fetchmail's mailbox (/var/mail/fetchmail) and eating up disk space

1.0 - 13 October 2007


<something> - when something is in angle brackets you should replace this with something particular to your system; you do not use the angle brackets.

command - text highlighted and in monospaced typeface indicates a command you issue at the command-line.

setting - text in monospaced typeface indicates something seen on screen such as a filename or configuration setting.

$ - when a command-line command is preceded by a dollar it means you run this whilst logged in as a regular user

# - when a command-line command is preceded by a dollar it means you run this whilst logged in as super user / root

Choosing Hardware

Debian GNU/Linux device driver check page:

Package Repositories, Updates & Upgrades

Package repositories

Debian's package management system, known as 'apt', keeps a list of sources, or repositories, it can retrieve packages from when you choose to install them, in the file /etc/apt/sources.list.

Sources can be of the form

You define which Debian flavour you're subscribed to

These different licencing groups are kept track of

There are different providors of Internet server sources

Debian installs with a default that uses 'main', it doesn't include 'contrib' or 'non-free'.

To add new CDs to your sources list, other than during installation: apt-cdrom add. The disc will be automatically mounted, scanned and its details added to your sources list (if you have trouble you may need to use apt-cdrom add -d /media/cdrom)

To add new Internet servers to your sources list, other than during installation: ?.


4.0 Etch

Release Date Changes
4.0r0 8 April 2007
4.0r1 15 August 2007 (doesn't list non-free packages i.e. ipw2200-)
4.0r2 27 December 2007
4.0r3 17 February 2008
4.0r4 / etch-and-a-half / etch'n'half 26 July 2008
4.0r5 23 October 2008
4.0r6 18 December 2008
4.0r7 10 February 2009
4.0r8 8 April 2009
4.0r9 22 May 2010

A full changelog is available at

There are two daily 'pulses' at 00:00 and 12:00 GMT upon which updated packages, if any, are made available.

Security updates are often made available, potentially even daily.

Very occasional other updates are made in the form of new 'point releases' of Debian stable. They comprise packages with a very conservative amount of miscellaneous bugfixes, removed packages, missing builds and security updates (those previously available thru security updates). These packages are introduced into the main stable archive when released. Similarly the downloadable ISO images available for installing Debian are updated, they have a 'r' designation.

The packages waiting to be made available in the next point release are held in a repository known as stable-proposed-updates but seemingly more readily available as etch-proposed-updates. You can subscribe to this repository to get these packages as they enter the queue rather than waiting for the release date.

For access to packages headed for but not yet entered etch-proposed-updates - 'Packages awaiting proposed-updates moderation - Summary for proposed-updates':


To upgrade to the next version of Debian, replace the code name / alias in sources.list from 'etch' to 'lenny'.

Skipping releases is not supported. To upgrade from Woody to Etch you must first upgrade to Sarge, then to Etch. Edit /etc/apt/sources.list and replace 'testing' or 'etch' or 'stable' or 'unstable' with 'sarge' then 'aptitude update && aptitude dist-upgrade'.

General Configuration

Use the latest Debian 'stable' distribution (this document is for version 4.0) from (Note that because Etch is now archived it can only be downloaded from

Set the time to the correct Greenwich Mean Time (GMT) in the BIOS before installing Debian. During installation, say that the system clock is set to GMT. Debian will take care of setting your localised time correctly (as an offset from GMT).

Partitioning Scheme

Debian Installer's 'Multi-user workstation' option may create the following kind of partitions with a 40GB disk:

You may want to locate /home on a separate disk.

Instead of following Debian's suggested partition sizes you may want to manually partition like so:

Label Partition No. Partition type Minimum Size Recommended Size Mount point File system Usage that can unexpectedly use up space
boot 1 primary 500MB 1GB / ext3 Linux kernels
2 extended Total size of rest of disk Contains logical partitions
usr 5 logical 2GB ? /usr ext3
var 6 logical 3GB 3GB /var ext3 Email for local mailboxes (i.e. root)
tmp 8 logical 500MB 1GB /tmp ext3 For temporary files whilst certain operations are carried out
swap 7 logical 1GB 2GB. Needs occasional monitoring; upgrade RAM if swap is used; server shouldn't be using swap but useful to have if something goes wrong. swap swap "'it depends ...' (on the size of physical memory, number of competing processes, degree to which code is shared between active processes, number of users, database requirements"
home 9 logical Larger than current user data requires Estimate how much user data will grow over next couple of years /home ext3 User home directories; email
2% 2% If you need to replace this disk in the event of failure with another notionally of the same size, the replacement may not exactly match, so leave 2% of unpartitioned space to enable duplication

If you're also using this server for a Samba domain controller, following my separate Samba guide, then take into account the differing partition sizes recommended for that role.


Don't install applications using Tasksel or DSelect, just install the basic system with the installer, then manually install any software you specifically require, or use Twix to install it for you.

Download and apply any security updates using 'aptitude update' then 'aptitude dist-upgrade'

Make a rescue/boot floppy disk: mkboot

Disk Labeling

If you have a SCSI hard disk (or disks) and a USB-attached disk, say, for backing up to, and you aren't using Linux RAID and/or LVM, then the machine can fail to boot when the USB-attached disk is connected. This is particulrly problematic if you administer the machine remotely. The SCSI subsystem (which deals with SCSI and USB disks, but not ATA disks) numbers disks in the order it finds them, which isn't always the same order. The SCSI disk is generally seen as /dev/sda and the USB-attached disk is generally seen as /dev/sdb. These device references can change depending on various conditions at boot time. Apart from when using LVM, files involved in the Linux boot process by default use the disk device reference, rather than a reference that isn't subject to change. If the USB-attached disk is attached on startup then most of the time, but not always, some way into loading the system Linux fails because the USB-attached disk has been recognised as /dev/sda and part of the kernel is trying to be loaded from the backup disk.

We can fix this by labeling disks, then telling the system the labels of the disks to boot from rather than their device references.

From the fstab man page: "Instead of giving the device explicitly, one may indicate the (ext2 or xfs) filesystem that is to be mounted by its UUID or volume label (cf. e2label(8) or xfs_admin(8)), writing LABEL=<label> or UUID=<uuid>, e.g., 'LABEL=Boot' or 'UUID=3e6be9de-8139-11d1-9106-a43f08d823a6'. This will make the system more robust: adding or removing a SCSI disk changes the disk device name but not the filesystem volume label."

(See 'Auto backup a server to a hotswap USB disk' for how we treat the backup disk)

Label disks

Label the disks as per how they appear in /etc/fstab. Here's an example for one physical disk, with one primary partition, the rest logical partitions:

Label the boot partition: e2label /dev/sda1 boot
Label the usr partition: e2label /dev/sda5 usr
Label the var partition: e2label /dev/sda6 var
Label the swap partition: mkswap -L swap /dev/sda7
Label the tmp partition: e2label /dev/sda8 tmp
Label the home partition: e2label /dev/sda9 home


This is a section from an example fstab file (where the system is on one disk, with one primary partition and the other partitions logical, not using LVM - yours might differ):

/dev/sda1	/
/dev/sda5	/usr
/dev/sda6	/var
/dev/sda7	swap
/dev/sda8	/tmp
/dev/sda9	/home

This is how the same section looks using labels (on a system without Linux RAID and/or LVM):

LABEL=boot	/
LABEL=usr	/usr
LABEL=var	/var
LABEL=swap	none
LABEL=tmp	/tmp
LABEL=home	/home

Linux RAID uses a unique device reference in fstab that doesn't clash with USB attached disks and so systems using Linux RAID don't require a change to fstab.

LVM uses a unique device reference in fstab that doesn't clash with USB attached disks and so systems using LVM don't require a change to fstab, but note that we don't use LVM on the '/' partition and so that reference will still need an amendment making in fstab unless Linux RAID is also being used.


In menu.lst, for every kernel you want to use, change the partition name where the kernel finds its root filesystem, changing kernel lines like:
kernel /boot/vmlinuz-2.6.24-etchnhalf.1-686 root=/dev/sda1 ro
kernel /boot/vmlinuz-2.6.24-etchnhalf.1-686 root=LABEL=boot ro

Note that a kernel upgrade, even a minor one, will restore the above line back to the original style of device reference, for each kernel entry, whether or not you updated the other kernels in the list. So after each kernel upgrade, before rebooting, you'll need to amend these back to using a label.

Linux RAID uses a unique device reference in menu.lst that doesn't clash with USB attached disks and so systems using Linux RAID don't require a change to menu.lst, whether or not LVM is also used.

LVM, used on its own rather than in conjunction with Linux RAID, suffers from this issue with menu.lst and so systems using only LVM do require a change to menu.lst, both initially and after each kernel upgrade before rebooting.

(LVM already uses UUID (similar to label) in mdadm.conf)

Network Addressing

It's usually easiest to choose automatic network addressing during installation, if you have a DHCP server running. After installation though, you'll want the server to have a static IP address. In /etc/network/interfaces, replace 'allow-hotplug eth0' and 'iface eth0 inet dhcp' with this kind of addressing information (your scheme may need to differ):

auto eth0
iface eth0 inet static
	dns-search localdomain

Hosts File

MySQL, Apache, amavis (or some other part of the mail server, possibly also postfix) require the hosts file to be set correctly. MySQL will only install if the system already has a non-numeric hostname that is resolvable via the /etc/hosts file.

Run hostname -f; if it returns just the machine's name, i.e. 'server', rather than its fully qualified domain name (FQDN) - its name followed by its domain, i.e. server.localdomain or - then you need to add a line to /etc/hosts with its IP address then FQDN then name such as ' server.localdomain server'.
Here's an example for a server on an intranet: localhost server server.localdomain server server.localdomain server

Here's an example for a server on the Internet: localhost server server server

Useful Tools

Mail Transfer

If you want the system to be able to send out mail, such as for sending logs to you, and you don't have a full-blown mail server:

NTP - Set The Time From An Internet Time Server



Configuration file: /etc/ntp.conf

From /etc/ntp.conf:

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)

From /usr/share/doc/README.Debian.gz:

"Several people have reported that ntpd fails on [Intel] SMP boxes unless the "Enhanced Real-Time Clock" support is enabled in the kernel."

"If your system is behind a firewall, the port you need to open up to allow the NTP protocol to work (for either ntpdate or ntpd) is UDP port 123. Server-to-server NTP packets usually use this for both source and destination: for extra security, a stateful firewall should block "new" packets with source, but not destination, port 123 from entering your network."


Control the daemon: /etc/init.d/ntp start|stop|restart

Print a list of the peers known to the server as well as a summary of their state:
ntpq -p


Logs to /var/log/daemon.log and /var/log/syslog

Further Information

Debian Bug report logs: Bugs in package ntp in etch:;dist=etch


Backup - Backup Manager - Backup to CD-R/CD-RW/DVD-R/FTP/SSH


Good for backing up one computer to either CD-R/CD-RW/DVD-R/FTP/SSH (note that it doesn't support DVD-RW or removable media such as USB-attached hard disk or flash media)


Configuration file: /etc/backup-manager.conf.

Schedule configuration file: /etc/cron.d/backup-manager.

A debconf priority of 'low' is advised if you want to be asked if the backup is to be written to CD/DVD or to another computer using SSH.

The backup is automatically scheduled with cron to run at 04:00.

The easiest and officially recommended method to configure backup-manager is using dpkg-reconfigure backup-manager. Alternatively you can edit its configuration file.

If you are trying to write the backup to CD using an ATA CD writer and it's failing, follow this from the Backup Manager User Guide (the man page with version 0.6.2 doesn't explain this option anywhere near as well):
"Backup Manager uses cdrecord for burning CDs. If when you run cdrecord -scanbus you don't see your burning device, that means you will have to force the device in ATA mode. To tell Backup Manager to do so, just put here the path to your device, and a switch will be appended to the cdrecord commandline like the following : cdrecrord ... dev=$BM_BURNING_DEVFORCED ....
Leave this configuration key blank if you see your device with cdrecord -scanbus, in this case, Backup Manager will use the default cdrecord device for burning CDR media.
Example: export BM_BURNING_DEVFORCED="/dev/cdrom""


You will generally leave responsibility with cron to schedule backups but you can run it manually with backup-manager -v.


The log of messages describing backup-manager's operations go to /var/log/messages with the tag backup-manager.

The log of what happened when writing to CD/DVD go to /tmp/bm-burning.log.<6 seemingly random characters>.

Further Information



Backup Manager Documentation, including User Guide:

An example configuration file:

Backup - Flexbackup - Backup to tape (DAT)

Good for backing up to tape (DAT).



Schedule it to run daily automatically using /etc/crontab: 00 1 * * 1-5 root flexbackup -set home -full

Rewind a tape: mt -f /dev/nst0 rewind

flexbackup -newtape

flexbackup -set home -full

List files in archive: flexbackup -list

List current device's table of contents: flexbackup -toc

To quickly extract just a single file, use -extract -onefile <path to file>, giving the path from the archive. Or flexbackup -extract -flist <filename> (you have to give a full path, the man page doesn't indicate this, otherwise says "list of files <filename> not readable: No such file or directory".

To extract a list of multiple files, put them into a text file, for instance "restorelist", then use -extract -flist restorelist. The format is one line per pathname, using the path of the file in the archive.
Note if you are using afio with compression you need to append .z to filenames for any compressed files (depends on threshold and exclusion patterns).

Flexbackup logs to /var/log/flexbackup/ with filenames such as flexbackup.list.200705081249.log, home.0.200705100200.gz, home.latest.gz.

See files / status written last: zless /var/log/flexbackup/home.latest.gz


Configuration file: /etc/flexbackup.conf (See

It's possibly better to do '-full' backups because less complex when restoring files; works around using the '-level' option ('-full' defaults to '-level 0').

Backup - Tape Drives - Dealing directly with tape drives



You don't create a file system on a tape, nor do you mount it or attempt to access the data on it as files. You simply treat the tape device itself as a single 'file'.

SCSI tape drives are referenced by /dev/st0 (device is "rewind on close") or /dev/nst0 (device is "don't rewind on close".

Use tar to read and write files and directories to and from the tape, with the following options:

Use mt to control the tape drive, with the following syntax: mt -f /dev/st0 command where command would be any of the following:

Write files to a tape:
tar cvf /dev/st0 files-or-directories-to-backup
(by default it recurses into sub-directories)

Retrieve a complete archive back from a tape to the current working directory:
tar xvf /dev/st0
(be mindful of the directory you're in when you run this as it could overwrite files in your current directory)

List the files on a tape:
tar tvf /dev/st0

Retrieve individual files from a tape to the current directory:
tar xvf /dev/st0 filename1 filename2 filename3

You can schedule backups using cron, via the configuration file /etc/crontab, such as with this line which will run your own backup script at 04:00:
00 4 * * * root /root/


Check that the operating system sees the device by running dmesg and looking for "attached SCSI tape st0 at".

List SCSI devices:
cat /proc/scsi/scsi.

See man pages on 'mt' and 'st'.

Apache - web server







Error log (this includes database connection errors from web applications such as egroupware): /var/log/apache2/error.log

PHP - for programming databases

PHP is an Apache module and the only way PHP is used (other than the command-line interpreter, php5-cli).




Upgrading from previous Debian stable version

PHP5 replaces PHP4

Compression / Archival

These can be useful for many reasons, for example the anti-virus and spam co-ordinating program Amavis uses many of them if they're installed.


LVM - Logical Volume Management

See also the RAID section, but you can follow just this section to setup both RAID and LVM at the same time.

You can use the Debian Installer to configure RAID and LVM when you initially setup the server.

GRUB can't boot from an LVM partition, nor from an mdadm / software RAID 5 array, so we create a '/' partition that is configured just as a RAID 1 array.

GRUB will only boot when the filesystem uses ext3. If you use something other than ext3 the Debian installer will want to install LILO.

Example 1

This is an example of setting up a system with LVM on a RAID1 array using 2 of 72GB SCSI, SATA or SAS hard disks, without any hot spares, using the Debian Installer.

Here is a kind of map of how disks, RAID and LVM fit together:

disk (/dev/sda or /dev/sdb)
	partition (/dev/sda1, /dev/sdb1)
		RAID1 - MD device 1 - /dev/md0

disk (/dev/sda, /dev/sdb)
	partition (/dev/sda2, /dev/sdb2)
		RAID1 - MD device 2 - /dev/md1
			LVM - volume group - 'server'
				logical volume - 'server_usr'
				logical volume - 'server_var'
				logical volume - 'server_tmp'
				logical volume - 'server_swap'
				logical volume - 'server_home'

Here is another kind of map of how disks, RAID and LVM fit together, with the disk itself at the bottom and the increasingly abstracted layers as you go up toward the top:

Filesystem Role / other partitions / other partitions
Partition No. 1 2 1 2
Disk No. 1 1 2 2

Note - if you're reinstalling over a previous installation that had RAID + LVM:
You'd probably be best deleting the existing partitions. It may be possible to re-use the already setup RAID and LVM but there might be potential for issues; I'm not sure about this, I'm just recommending this for caution as I've not done it.
As well as deleting the partitions and RAID devices in 'Partition disks', you need to remove the RAID using Configure software RAID → Delete MD device → Multidisk device to be deleted: md0_raid1 otherwise it says "No RAID partitions available - No unused partitions of the type "Linux RAID Autodetect" are available. Please create such a partition, or delete an already used multidisk device to free its partitions."

Leave 2% of unused unpartitioned space at the end of each disk so that in the event of failure, if the disk is replaced with another of notionally the same size, because disk sizes tend to differ slightly we can cope if the replacement disk is a little smaller.

Follow these steps to setup this example:

Example 2

This is a similar LVM example, but without RAID, using just 1 physical ATA disk:


Getting Information

Physical Volumes

Display various attributes of physical volume(s):

Display information about physical volumes (physical volume used, physical volume size used and amount free):

Volume Groups

Display volume group information:

Display information about volume groups (including space allocated to volume group and space free):

Logical Volumes

Display information about a logical volume:

Display information about logical volumes:

List all logical volumes in all volume groups:

Further Information

Software RAID5 and LVM with the Etch Installer:


Wikipedia - Logical Volume Manager (Linux):

Partitioning RAID / LVM on RAID

MySQL - database server



MySQL will only install if the system already has a non-numeric hostname that is resolvable via the /etc/hosts file. See the Hosts File section for how to set this up.


The MySQL configuration file can live in a number of locations:

Configuration files, accounts and databases:

Set a password for the MySQL root user because it defaults to not having one. You can do so in a number of ways.

a) Set the password from the command-line (this will fail if a password has already been set, in which case you need to add -p):

b) Set the password from within MySQL:

a) Set the username and password in a my.cnf configuration file:

For security, Debian's MySQL defaults to listening only on the localhost ( network interface for connections, so it will not allow remote connections. This is achieved by setting bind-address in /etc/mysql/my.cnf (The less secure skip-networking used to be used instead). This is fine for a mail server running on the same server, or phpMyAdmin, but not for, say, OpenOffice running on a workstation connecting to MySQL. Setting bind-address to the server's IP address or hostname (i.e. or server) alternatively enables only remote connections to MySQL. To enable connections from any source, local or remote, comment out bind-address entirely.

To reset the MySQL root password if you've lost it:


If you're wanting to use ODBC to connect client computers across a network to the database server, nothing has to be set on the server specifically to enable this ODBC connection.


The location of database files is usually /var/lib/mysql/your-database-name (use mysqladmin variables | grep datadir to find it otherwise)

To open the mysql program: mysql -u <username> -p. The -p tells it a password is required, which you will be prompted for.

To create a database:

To first delete the database if it already exists:
mysql> drop database <database>;

Set privileges on the database (grants the root account all database level access on your database when connecting from any machine, using the defined password and allows them to give other users priviliges. See for reference):

See which users have privileges in MySQL:

See what databases have what users with privileges to access them:

List the privileges granted to the account that you are using to connect to the server:
mysql> show grants;

List the privileges granted to a specific account, for example:
mysql> show grants for 'root'@'localhost';

Remove all priviliges from a specific user:
mysql> revoke all priviligies, grant option from <user>

Delete a specific user:
mysql> drop user <user>

MySQL server (mysqld) administration, using the command-line - these are the main MySQL clients and processes:

Further Information

MySQL 5.0 Reference Manual:

MySql 4.1.x Database Survival Guide:

'MySQL Database Administration' - 'MySQL User Account Management' - 'MySQL Usernames and Passwords'

PostgreSQL - database server



Program: psql

RAID arrays

The multidisk device (or, after its most famous variant, 'software RAID'). New devices made up of combined traditional disk devices into RAID volumes referred to as /dev/md#. RAID is not a guarantee for data integrity, it just allows you to keep your data if a disk dies (that is, with RAID levels above or equal one, of course).

The host controller may itself provide RAID capability, in which case the hardware RAID will be superior to using Linux software RAID, but only as long as the host controller is of high quality. Linux software RAID is usually superior to the cheap IDE (pseudo hardware), RAID controllers; and also superior to 'fakeraid' controllers such as Adaptec's 'HostRaid'. Note that host-based RAID controllers may support only a sub-set of the various RAID levels. We use Linux software RAID whether or not the server includes true hardware RAID, or fakeraid, so that in the event of server failure disks can be moved to an alternate server that doesn't have to have the same disk controller.

I remove the RAID controller card and instead attach the cable(s) direct from the motherboard-based controller straight to the disks, or to the backplane if there is a backplane installed.

You may find when you configure a RAID array in your host's software at boot time that the Debian installer partitioning section still sees both disks independently. In this case you need a driver for the host controller that isn't available in Debian. For example Adaptec provide a binary-only HostRaid controller driver. Just use Linux software RAID instead.



We usually use Software RAID 1 (mirroring), or occasionally software RAID 5 (block-level striping with parity data distributed across all member disks). See for a description.

Read this:

GRUB can't boot from an mdadm / software RAID 5 array, so we create a '/' partition that is configured just as a RAID 1 array.

The tool you use to work with RAID arrays is mdadm.

You can use the Debian Installer to setup a RAID array, rather than doing so manually:

You can run mdadm as a daemon by using the follow-monitor mode. If needed, that will make mdadm send email alerts to the system administrator when arrays encounter errors or fail. Also, follow mode can be used to trigger contingency commands if a disk fails, like giving a second chance to a failed disk by removing and reinserting it, so a non-fatal failure could be automatically solved. For example mdadm --monitor --mail=root@localhost --delay=1800 /dev/md2.

The MD driver is compiled into the kernel rather than compiled as a module.

Configuration files

/etc/mdadm/mdadm.conf - see man mdadm.conf


cat /proc/mdstat

Get brief details of a RAID device:
mdadm --query <RAID device>

Get full details of a RAID device:
mdadm --detail <RAID device>

Add a new disk partition to an existing RAID device:
mdadm --add <existing RAID device> <new disk partition i.e. /dev/sdb3>

Use a new disk partition that has been added to an existing RAID device:
mdadm --grow --raid-devices=<total number of RAID devices in this array now> <existing RAID device>
You then have to manually increment the total number of RAID devices in this array in mdadm.conf

Further Information

man mdadm

Linux Raid

Partitioning RAID / LVM on RAID

Software RAID5 and LVM with the Etch Installer

Serial ATA (SATA) chipsets — Linux support status:

Recovering a RAID disk back into a RAID device /dev/md*:

Installing Debian with SATA based RAID:

Growing - adding partitions, expanding existing partitions:

Probably too out of date, but seemed useful:

Samba - Windows file and print server


Creating a Primary Domain Controller

See our separate document Setting up a Samba primary domain controller and file/print/software deployment server using Samba 3 on Debian 4.0 Etch.

Simple Samba File Sharing

Use this /etc/samba/smb.conf configuration file:

# Samba 3.0.x configuration file for simple password-less file sharing.

# (if we set security=no would this work with Windows 95, 98 and Me clients?)


# The server's name on the Windows network
netbios name = server

# The workgroup name. Make this the same on all participating computers
workgroup = workgroup

# Combined with 'guest account' this doesn't require a username/password 
# to connect
security = share

# Makes this the WINS server for the network.
# Required for computers to browse for the share
wins support = yes

# Defines which Unix account will be used when the share is used
guest account = nobody

# Try to make sure this machine is the local master browser so that what
# it says, goes, amongst it and the other computers on the (WINS) network
os level = 34
preferred master = yes

guest only = yes

guest ok = yes

# The directory that will be shared
path = /home/samba/shared

# It is visible when people are browsing the network
browseable = yes

read only = no

# New files are created with this permission
# Requires a corresponding Unix setting
force create mode = 0666

# New directories are created with this permission
# Requires a corresponding Unix setting on the directory
force directory mode = 2770

Create the shared directory:
mkdir /home/samba && mkdir /home/samba/shared

Give it liberal permissions:
chmod 666 /home/samba/shared

Creating shares that can be mounted from a GNU/Linux workstation

This share can be mounted by root but files take the permission of whomever creates them.

This is what to do on the server, for what to do on the workstation see Desktop System Setup with Debian 4.0 'Etch'.

Upgrading from the previous Debian stable version

Samba 3.0.14a → 3.0.23d

RCS - added to 'passwd chat': '...password created succesfully...'

Release notes for all versions up to 3.0.23d:

RID Algorithms & Passdb

Starting with the 3.0.23c release, the officially supported passdb 
backends (smbpasswd, tdbsam, and ldapsam) now operate identically
with regards to the historical RID algorithm for unmapped users 
and groups (i.e. accounts not in the passdb or group mapping table).
The resulting behavior is that all unmapped users are resolved 
to a SID in the S-1-22-1 domain and all unmapped groups resolve
to a SID in the S-1-22-2 domain.  Previously, when using the 
smbpasswd passdb, such users and groups would resolve to an 
algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX).
However, the smbpasswd backend still utilizes the RID algorithm
when creating new user accounts or allocating a RID for a new 
group mapping entry.

With the changes in the 3.0.23c release, it is now possible to 
resolve a uid/gid, name, or SID in any direction and always obtain
a symmetric mapping.  This is important so that values for smb.conf 
parameters such as "valid users" resolve to the same SIDs as those 
included  in the local user's initial token.

Most installations will notice no change.  However, because
an unmapped account's SID will now change even when using 
smbpasswd it is possible that any security descriptors on files
previously copied from a Samba host to a Windows NTFS partition
may now fail to give access. The workaround is to either manually
map all affect groups (or add impacted users to the server's 
passdb) or to manually reset the file's ACL.

Member servers, domain accounts, and smb.conf

Since Samba 3.0.8, it has been recommended that all domain accounts 
listed in smb.conf on a member server be fully qualified with the 
domain name.  This is now a requirement.  All unqualified names are 
assumed to be local to the Unix host, either as part of the server's 
local passdb or in the local system list of accounts (e.g. /etc/passwd 
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization.  All names are resolved to a SID and then verified
against the logged on user's NT user token.  Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.  

If the member server is not running winbindd at all, domain 
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local 
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

	path = /data
	valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server to the 
owner of that directory, it is necessary to prefix the %S value 
to "valid users".

	security = {domain,ads}
	workgroup = DOM
	winbind separator = +
	valid users = DOM+%S

* Improved support for local and BUILTIN groups.

* User and Group changes - 
The user and group internal management routines have been 
rewritten to prevent overlaps of assigned Relative Identifiers 
(RIDs).  In the past the has been a potential problem when either 
manually mapping Unix groups with the 'net groupmap' command or 
when migrating a Windows domain to a Samba domain using 'net rpc 

Unmapped users are now assigned a SID in the S-1-22-1 domain and 
unmapped groups are assigned a SID in the S-1-22-2 domain. 
Previously they were assign a RID within the SAM on the Samba 
server.  For a DC this would have been under the authority of the 
domain SID where as on a member server or standalone host, this 
would have been under the authority of the local SAM (hint: net 

The result is that any unmapped users or groups on an upgraded 
Samba domain controller may be assigned a new SID.  Because the 
SID rather than a name is stored in Windows security descriptors, 
this can cause a user to no longer have access to a resource for 
example if a file was copied from a Samba file server to a local 
NTFS partition.  Any files stored on the Samba server itself will 
continue to be accessible because Unix stores the Unix gid and not 
the SID for authorization checks.

A further example will help illustrate the change.  Assume that a 
group named 'developers' exists with a Unix gid of 782 but this 
user does not exist in Samba's group mapping table. it would be 
perfectly normal for this group to be appear in an ACL editor.  
Prior to 3.0.23, the group SID might appear as 
S-1-5-21-647511796-4126122067-3123570092-2565. With 3.0.23, the 
group SID would be reported as S-1-22-2-782. Any security 
descriptors associated with files stored on an NTFS disk partition 
would not allow access based on the group permissions if the user 
was not a member of the 
S-1-5-21-647511796-4126122067-3123570092-2565 group. Because this 
group SID not reported in a user's token is S-1-22-2-782, Windows 
would fail the authorization check even though both SIDs in some 
respect referred to the same Unix group.

The current workaround is to create a manual domain group mapping 
entry for the group 'developers' to point at the 
S-1-5-21-647511796-4126122067-3123570092-2565 SID.

* Group Mapping Changes - The default mapping entries for groups such as 
"Domain Admins" are 
no longer created when using an smbpasswd file or a tdbsam passdb 
backend.  This means that it is necessary to use 'net groupmap 
add' rather than 'net groupmap modify' to set these entries. 

    Parameter Name                      Action
    --------------                      ------
    dos filemode			Modified	  No
    acl group control			Deprecated	  No
    * Deprecate 'acl group control' and replace it with added 
      functionality to 'dos filemode'.

'dos filemode' notes:
make sure your filesystem is mounted with user_xattr:
dev/hda5 / ext3,acl,user_xattr defaults 1 1

Offline files fails

If you have a file share with multiple users using it regularly, and one of the users tries to synchronize the files using Windows' "Offline Files" feature, you might find that random files fail. The user will have read/write access through their group, but the file will be owned by someone else.
Why this is happening

From Jeremy Allison, Samba developer: "Windows does a sync by creating a new file with a temporary name, then sets an ACL on it that matches the current one (but seems to add write access for the current user, not just the owner). This must succeed else the sync will fail. Then it sets the DOS attributes, again this must succeed or the sync will fail. Under POSIX we encode the attributes in the file permissions and these can only be changed by the owner, unless the "dos filemode" parameter is set."
How to fix it

Upgrade to at least Samba 3.0.0. Ensure that smbd is compiled with ACL support (the Debian packages work fine out of the box), and running on a filesystem with POSIX AccessControlLists. Then you also need to set the parameter "dos filemode = yes" for the share. You don't need the acl package installed, but you probably need libacl.

?   iprint server			New
    map read only			New
    rename user script			New
	for Suse: rename user script = /usr/sbin/usermod -l '%unew' '%uold'

    acl check permissions		New
    acl map full control		New
    printer admin			Deprecated
    * Deprecate the "printer admin" parameter in favor of the 
	WE EXTENSIVELY USE printer admin BUT WE DO ALREADY USE SePrintOperatorPrivilege. Perhaps we could remove all 'printer admin' from our existing smb.conf.

Mail server

If you only want your system to be able to have the ability to send out mail, for example to email you logs, then see Mail Transfer.

We recommend Christoph Haas's 'Howto: ISP-style Email Server with Debian-Etch and Postfix 2.3', at This solution provides POP3/IMAP access and webmail access to multiple domains, virus scanning, spam prevention, secure mail relay access for road-warriors and easy domain administration. It accomplishes this using Postfix SMTP, MySQL database, Dovecot POP3/IMAP, amavisd-new, SpamAssassin and Clam AntiVirus.

In addition to that tutorial, if your server isn't required to receive its own email directly and/or send it directly you can use Fetchmail to collect from a POP3 host (see the Fetchmail section) and add a relay host to Postfix that will deliver mail on your behalf.

Twix does not setup this version of the mail server for you.

Diagram of the mail server system.



Questions and recommended answers for package installation:


Configuration Choices Or Clarifications I Make Where The Howto Gives Choices

In 'Step 9: Authenticated SMTP', I use a Postfix 'mynetworks' setting of
postconf -e mynetworks=

In 'Step 10: AMaViS: Filtering spam and viruses', these are set in /etc/amavis/conf.d/20-debian_defaults:

I don't follow 'Step 11: Learning spam and ham'.

In 'Step 12: Populate and administer the users in the database' I use 'Peter Gutwein's PHP administration frontend' (called 'GR Soft Virtual Mail Manager') rather than 'Ronny Tiebel's PHP administration frontend'.

Installing GR Soft Virtual Mail Manager

If you get part way through and need to run the installation again from the start, clear your browser's cookies, otherwise the program remembers which install step you've gone through and has no option to go back.

Upgrading GR Soft Virtual Mail Manager

These are the parts of the 'Optional features' section that I use:

Optional Configuration Additional To what Is Described In The Howto

To add a relay host that will deliver mail on your behalf

postconf -e relayhost=[<your ISP's SMTP server>]
"The form enclosed with [ ] eliminates DNS MX lookups. Don't worry if you don't know what that means. Just be sure to specify the [] around the mailhub hostname that your ISP gave to you, otherwise mail may be mis-delivered."

To Use authenticated SMTP with a relayhost
To Change Maximum Email Size That Can Be Sent

Postfix defaults to not accepting mail larger than 10MB. This limit is for good reason so you should not increase it but if you do want to, hopefully temporarily, you override it with the message_size_limit parameter in /etc/postfix/ using:
postconf -e message_size_limit=<new value in kilobytes>


Configure the Squirrelmail Apache configuration, /etc/squirrelmail/apache.conf, to enable the specific address http://mail.server to load Squirrelmail (change the name if you call your server something else)

#When accessed from anywhere on port 80 at mail.server, respond with Squirrelmail:
#This also requires a DNS entry for mail.server
<VirtualHost *:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName mail.server

For mail.server to work you also need to register it with your DNS server:
Host IP address:
Hostname: mail
Domain name: server

Make use of the IMAP server's IMAP SORT feature to improve performance when there's lots of email in a folder and fixes the issue with a large inbox where the server tries to download to you right_main.php rather than display the inbox (From 'Optimizing SquirrelMail - IMAP server extensions' -
Use either method:

Abuse and Postmaster

Create abuse@<your domain name> and postmaster@<your domain name> mailboxes for each domain. There's some kind of legal requirement to create an abuse mailbox for people to contact you to report spam; similarly postmaster is used to contact the mail administrator and for delivery problem reports to go to. Create proper accounts so any user can add them to their mail client, and they won't get their spam into their main mailbox. You can additionally create forwardings if you want to send mail for these addresses elsewhere.

Set the postmaster address in /etc/dovecot/dovecot.confprotocol ldapostmaster_address = postmaster@<your domain name>

GR Soft Virtual Mail Manager Mailmaster Accounts

In the mailserver.domain_admins table any user with domain_id = 0 is a mailmaster. Additional mailmasters can be created by adding a new record with a domain_id field of '0' and a user_id field the same as the 'id' field of the user you want to be mailmaster in the mailserver.virtual_users table.


Query Postfix's configuration:

Mail Queue

postqueue - Postfix queue control - for unprivileged queue operations such as listing or flushing the mail queue. For example postqueue -p or postqueue -pvvv.

postsuper - Postfix superintendent - for queue operations that require super-user privileges such as deleting a message from the queue or changing the status of a message. Use of the command is restricted to the superuser.

Delete a single message from the queue (applies to hold, incoming, active and deferred queues):
postsuper -d <queue ID>

Remove all messages from a particular queue (where queue can be hold, incoming, active or deferred):
postsuper -d ALL <queue>


Look in the logs, see Logs section.

Show open ports and whether they listen on just localhost or for remote connections. If you see tcp 0 0* LISTEN 29945/mysqld it means the server is only listening locally:
netstat -l -t -p

Check open ports:

Check 'master' is running.

Flush the queue - attempt to deliver all queued mail (warning: flushing undeliverable mail frequently will result in poor delivery performance of all other mail):
postqueue -f
This can similarly be achieved using:
postfix flush

List contents of the mail queue (add -v to be more verbose, add multiple -v's for increased verbosity):
mailq or postqueue -p

Schedule immediate delivery of all mail that is queued:
mailq -q

Schedule immediate delivery of all mail that is queued for the named site. This option accepts only site names that are eligible for the "fast flush" service, and is implemented by executing the postqueue(1) command. See flush(8) for more information about "fast flush":
mailq -qRsite

/etc/init.d/amavis stop
/etc/init.d/amavis debug


Mail in general (what the mail server suite is doing, mail by mail)

Fetchmail: /var/log/syslog

amavisd-new: /var/log/amavis.log - lists its capabilities (which is also saved to syslog) and mail that it's dealt with. Note that logging to this file is off by default (do you turn it on with $LOGFILE?). You can alter the verbosity of Amavis's logging using, for example, $log_level = 2 in /etc/amavis/conf.d/50-user.

Clam: /var/log/clam/clam.log

Freshclam: /var/log/clam/freshclam.log

If you're sending email to the server to test it, whilst looking at a log file, it can be useful to email an address like xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@<domain> to make it easy to spot.

Further Information

Man pages for Postfix daemon processes you'll see mentioned in syslog: cleanup, local, master, qmgr, smtp, smtpd, virtual.

You can learn a lot by reading through the archives of the postfix-users mailing list:

Dovecot configuration file:

Wikipedia on the Maildir mailbox format.

Moving the mail server to another machine

Filesystem - you can copy the whole /home/vmail directory to another server. All files in this directory structure need to be owned by vmail.vmail which makes it easy to copy it around.

Database - backup the database 'mailserver' using mysqldump or phpMyAdmin.

Upgrading from the Previous Debian Stable Version

The guide for Etch has a 'Migrating from the Sarge Tutorial' that gives an overview of the changes.

Major Changes in Programs Since the Previous Debian Stable Version

PostFix 2.1.5 → 2.3.7 (since upgraded to 2.3.8)

amavisd-new 20030616p10-5 → 2.4.2-5

Added 'check-jpeg' example entry to the @av_scanners list and provide the associated module; it offers a fully-fledged check for jpeg comment field buffer overflow attempts; should serve mainly as an example for adding similar quick responses to new threats;

Additional archive extractors that can now be used if available

cabextract - suggested by amavisd-new?

pax - can handle tar/cpio/pax archives (including legacy format variants). Due to limitations in cpio (and in Archive::Tar), for security reasons it is preferred to decode such archives with pax and no longer with cpio; please add a line: $pax = 'pax'; to amavisd.conf and verify that the program pax is installed on the system. pax is available in Debian. This is not a suggests of the package. Should I file a bug to get this added as a suggests for amavisd-new?

tnef - support for decoding TNEF (Microsoft Outlook, winmail.dat) containers by 'tnef'; selectable by an entry in the @decoders list. Debian includes tnef and ytnef. This is not a suggests of the package. Should I file a bug to get this added as a suggests for amavisd-new?

zoo/unzoo - zoo decoder interface routine (do_zoo) can now use utility unzoo(1) or the traditional zoo(1); the unzoo(1) recognizes some additional parameters which makes it more resilient (but still not watertight) against some attempts to hide archive contents or to extract members to unexpected locations, but unfortunately does not recognize all zoo compression schemes ("error, LZD not yet implemented"), and the relative modes "-j ./" or "-j X" do not protect against all malicious cases - so it is a mixed blessing. The way amavisd calls zoo(1) (piping members to stdout, which can be slow) avoids some of the security problems with zoo (writing to arbitrary directories), which were probably the main reason for ClamAV project deciding to switch to unzoo(1);

zoo/unzoo - zoo sucks, unzoo (v4.4) sucks more: considered, but decided against changing zoo entry in @decoders to ['unzoo','zoo'] in amavisd.conf, as was suggested by Gbor Kvesdn. It would not necessarily be an improvement (see previous item, misses extracting members from my test cases), so feel free to choose between the two poor choices, I still prefer zoo(1), partly also because it covers cases which clamd decoding misses;

arj - The non-free unarj has been replaced by the free arj

ripole - ripOLE decoder, which attempts to extract embedded documents from MS OLE documents (MS Office) (; ripOLE is still experimental/alpha code; To make amavisd-new find the installed program 'ripole', add the: $ripole = 'ripole'; to the amavisd.conf. Not available in Debian but perhaps it can be installed manually?

unfreeze / freeze / melt. freeze - Not in Debian.

* NEWS.Debian: call attention to the left-over quarantine file (caused
  by the #350917 fix described above)

* Make $mydomain normal variable. Still need long term solution, as this
  variable is referenced by other variables which will be wrong.

Check during startup that $myhostname is a fully qualified domain name
(or 'localhost', if you must), and abort if it isn't, otherwise a non-FQDN
can end up in places where RFC 2822 does not allow it; if uname(3) does not
provide a FQDN, then an assignment to $myhostname must be done explicitly
in amavisd.conf;
Configuration changes
 The new configuration system uses split files in /usr/share/amavis/conf.d and
 /etc/amavis/conf.d, which are read in priority order.  First from
 /usr/share/amavis/conf.d, then /etc/amavis/conf.d.

 The ones in /usr/share are Debian/upstream land.  You can override anything in
 them placing files in /etc/amavis/conf.d or editing the ones already in
 /etc/amavis/conf.d.  It is suggested that all user changes be done to 50-user,
 overriding whatever Debian options you don't like.

WARNING: you will have to upgrade your configuration manually

Configuration is split into two directories, and processed in the order below:

Read-only configuration:  /usr/share/amavis/conf.d/
  10-debian_scripts:            Stuff you'd better not override
  20-package:                   Packaging decisions, override at will

Read-write conffiles: /etc/amavis/conf.d/
  01-debian:                    Rarely modified settings
  05-domain_id:                 mydomain autodetection, local_domains config
  05-node_id:                   myhostname autodetection
  15-av_scanners:               AV scanner interface configuration
  15-content_filter_mode:       Use this to re-enable spamassassin/av checks
  20-debian_defaults:           Commonly modified settings
  50-user:                      Place your overrides here, if you want - debian package upgrades won't override them 

If the package detects legacy config files, it renames them adding a
".disabled" extension, and the amavisd-new initscript will refuse to start the
service until these files with a ".disabled" extension are removed or renamed.
The legacy config files are /etc/amavis.conf and /etc/amavis/amavis.conf.

Antivirus and spam-checking.
If you use clamav-daemon, make sure that it is configured to init supplementary
groups when it drops priviledges, and that you add the clamav user to the
amavis group: add AllowSupplementaryGroups to /etc/clamav/clamd.conf if it is
not there yet, and run "adduser clamav amavis" as root.

If you use spamassassin with the Bayes database system, you should make sure
that the spamassassin configuration option "bayes_auto_expire 0" is set in
spamassassin configure files.  This disables the automatic expiration of tokens
which causes problems for amavisd-new when activated.  The amavisd-new package
includes cron jobs that take care of syncing and expiring the token database

spamassassin 3.0.3-2sarge1 → 3.1.7-2

From Note for Users Upgrading to SpamAssassin 3.1.0 and Release notes for versions 3.1.0, 3.1.1, 3.1.2, 3.1.5.

A significant amount of core functionality has been moved into plugins. These include, AWL (auto-whitelist), DCC, Pyzor, Razor2, SpamCop reporting and TextCat. For information on configuring these plugins please refer to their individual documentation: perldoc Mail::SpamAssassin::Plugin::* (ie AWL, DCC, etc)

There are now multiple files read to enable plugins in the /etc/mail/spamassassin directory; previously only one, "init.pre" was read. Now both "init.pre", "v310.pre", and any other files ending in ".pre" will be read. As future releases are made, new plugins will be added to new files named according to the release they're added in.

Due to license restrictions the DCC plugin is disabled by default. We encourage you to read the appropriate license yourself and decide if you are able to re-enable the plugins for your site. [by uncommenting the appropriate line in /etc/mail/spamassassin/v310.pre]

As of 3.1.0, in addition to the generic BayesSQL support (via Mail::SpamAssassin::BayesStore::SQL) usable by multiple database drivers there is now specific support for MySQL 4.1+ and PostgreSQL. This support is based on non-standard features present in both database servers that allow for various performance boosts.

If you were using the previous BayesSQL support with MySQL, and already have MySQL 4.1+ installed you can begin using the new module immediately by replacing the bayes_store_module line in your configuration with: Mail::SpamAssassin::BayesStore::MySQL

Inclusion of sa-update script which will allow for updates of rules and scores in between code releases.

squirrelmail 1.4.4-10 → 1.4.9a-1

Mostly bug fixes and small improvements.

Fetchmail mail retrieval

Fetchmail retrieves mail from a remote mail server and sends it to your local SMTP server.



Fetchmail runs in general mode or daemon (AKA service) mode, by default checking every 5 minutes. Its behaviour is controlled by command-line options and/or a run control (i.e. config) file, either a system-wide one (/etc/fetchmailrc) or in per-user home directories (~/.fetchmailrc). The fetchmail package installer doesn't create a config file for you, you either create it manually or use the fetchmailconf utility (separately, on a workstation) to create and edit a .fetchmailrc in the home directory of the user that runs it; fetchmailconf requires X windows.

Fetchmail is configured not to run by default. For it to work you have to edit /etc/default/fetchmail, setting START_DAEMON=no to START_DAEMON=yes.

The normal mode of fetchmail is to try to download only 'new' messages, leaving untouched (and undeleted) messages you have already read directly on the server (or fetched with a previous fetchmail --keep).

The most thorough explanation of Fetchmail's configuration is in info fetchmail.

Example /etc/fetchmailrc configuration file:

# Fetchmail configuration file
# /etc/fetchmailrc for system-wide daemon mode
# Version 1.3

# Changes:
# 1.3 - 13 Nov 2007 - added 'set no bouncemail'.
# Fetchmail's default is to bounce mail to addresses that don't exist. This is
# known as backscatter and in a world of spam you don't want to reply to either
# a spammer or the address they forged. With this set an error mail is sent to 
# postmaster rather than the sender, which for us goes nowhere.
# 1.2 - 18 Oct 2007 - added 'set postmaster ""' so unknown user emails are discarded
# 1.1 - 14 Aug 2007 - added example using 'envelope 1 "Delivered-To:" qvirtual "109-"'

# How often to poll servers, in seconds. The default is 300.
set daemon     90

# Don't log to syslog:
#set no syslog

# Log to the specified log file, for troubleshooting:
# (Beware that if you're using the log for troubleshooting, it can grow quickly)
# (The log file wants to be editable by the user fetchmail)
# (How do we cycle the log file? /etc/logrotate.conf?)
#set logfile /var/log/fetchmail

protocol pop3

set postmaster ""
# Set no postmaster so mail tagged as SMTP 550 error 'Recipient address
# rejected: User unknown in virtual mailbox table' is discarded rather
# than going in fetchmail's mailbox (/var/mail/fetchmail) and eating up
# disk space

set no bouncemail
# Fetchmail's default is to bounce mail to addresses that don't exist.
# This sets Fetchmail to instead send an error to postmaster.

# The verbose syntax is like this
#	user USERNAME with password PASSWORD is LOCALUSERNAME here;

# Example of various user accounts on the same server
# poll proto pop3
#	user \"jsmith\" with pass \"password\" is \"smith\" here
#	user jones with pass \"password\" is \"jjones\" here

# Example of a multi-drop mailbox
# poll localdomains
#	user your_username with pass your_password to * here

# Example of a multi-drop mailbox where mail
# - host doesn't provide 'X-Envelope-To' so we look at 'Delivered-To'
# - mail host is running qmail virtual mailbox, prepending 109- to each address
# - 1st 'Delivered-To' is unusable so we look at the 2nd
# - Mail is deleted from the mail host.
# poll localdomains
#  envelope 1 "Delivered-To:" qvirtual "109-"
#  user your_username with pass your_password to * here

# keep - Don't delete seen messages from server
# no keep - Delete seen messages from server (default)
# fetchall - Fetch all messages whether seen or not
# no fetchall - Retrieve only new messages (default)

Set restrictive permissions on the fetchmail configuration file because it contains passwords:
chmod 0600 /etc/fetchmailrc
chown fetchmail /etc/fetchmailrc

Create the Fetchmail log file, change its owner to fetchmail and give root write access to it (beware that if you're using the log for troubleshooting, it can grow quickly):
touch /var/log/fetchmail
chown fetchmail /var/log/fetchmail
chmod g+w /var/log/fetchmail

For details of configuring Fetchmail to deal with nuances specific to different mail hosts read the Fetchmail Multidrop Issues section of Administering A Mail Server


Be mindful when working through problems with servers that use Fetchmail. There are many occasions where when you bring a server up you don't want it to automatically download for example where you don't trust the disks and you may soon swap them, or if it's a spare server you're bring up that you're not yet migrating to. In these situations it's wise to comment out the /etc/fetchmailrc file until you're ready for it.

Start system-wide fetchmail service: /etc/init.d/fetchmail start

Stop system-wide fetchmail service: /etc/init.d/fetchmail stop

Restart system-wide fetchmail service: /etc/init.d/fetchmail restart

Tell system-wide fetchmail to start a poll cycle immediately: /etc/init.d/fetchmail awaken


With the log file settings in our example configuration above uncommented, you can watch the log with tail -f /var/log/fetchmail.
When interpreting syslog, be sure to note, for each item, which particular mail program is doing the processing. This will indicate where you should be looking for the problem, such as 'fetchmail', 'postfix', 'amavis', etcetera. The Fetchmail information in the log file won't be particularly verbose.

You can get a more verbose log running Fetchmail in debug mode (and optionally running it under strace) using::
/etc/init.d/fetchmail debug-run
This scrolls a lot of information down the screen, to save it to a file as well as display it to the screen use something like:
/etc/init.d/fetchmail debug-run 2>&1) | tee fetchmail-debug.log

Display Fetchmail's defaults: /usr/bin/fetchmail --configdump

Further Information

info fetchmail



SSH server (sshd)



Configuration file: /etc/ssh/sshd_config

/etc/init.d/ssh start|stop|restart

To allow X windows programs to be run by people remotely logging in using SSH, in /etc/ssh/sshd_config have X11Forwarding yes (requires one of a number of corresponding configuration settings on the connecting computer).

LDAP server



See these worthwhile guides for configuration instructions:

Restart slapd for changes to take effect using /etc/init.d/slapd restart.

Linux kernel updates


Debian 4.0 releases 1 though to 7 'Etch' Linux 2.6.18 kernels

The linux-image-<architecture> package will install the most recent Etch 2.6.18 series kernel available for that particular architecture and keep it updated when new versions of 2.6.18 are available. '486', '686', '686-bigmem' and 'k7' architectures are for single and multiprocessor (AKA SMP) 32-bit x86 (generically known as PC, i386, IA32, IA-32 or x86-32) processors. The 'amd64' architecture is for single and multiprocessor (AKA SMP) 64-bit Intel and AMD PC processors (generically known as x86-64 or x64). Debian includes kernels for many other architectures but we focus on these. The following describes how installing the generic kernel package will bring in the specific kernel package. These are upstream kernel version, Debian's actual version 2.6.18.dfsg.1-12, upgradeable through Debian security updates to at least 2.6.18.dfsg.1-22etch3.

Debian 4.0 releases 4 though to 7 'Etch'n'Half' Linux 2.6.24 kernels

Debian 4.0r4, known as 'Etch'n'Half' introduced a totally new kernel, version 2.6.24.

See Release Notes and Installing Debian GNU/Linux "etch-and-a-half" for details.

Kernel 2.6.24 is not the default kernel. This kernel won't be installed automatically with a dist-upgrade, nor with a fresh install, it needs specifically installing.

This is the first time Debian have made this kind of semi-major release, between major versions 4.0 and 5.0. The usual Debian guarantees aren't present, see the release notes for details. In what to-all-intents-and-purposes is a normal Debian release, I find such changes to usual Debian dependability and consistency alarming:

The linux-latest-2.6-etchnhalf package will install the most recent Etch-and-a-half 2.6.24 series kernel available for your particular architecture and keep it updated when new versions of 2.6.24 are available. '486', '686', and '686-bigmem' architectures are for single and multiprocessor (AKA SMP) 32-bit x86 (generically known as PC, i386, IA32, IA-32 or x86-32) processors (a 'k7' Etch-and-a-half doesn't seem to be available). The 'amd64' architecture is for single and multiprocessor (AKA SMP) 64-bit Intel and AMD PC processors (generically known as x86-64 or x64). Debian includes kernels for many other architectures but we focus on these. The following describes how installing the generic kernel package will bring in the specific kernel package. These are upstream kernel version, Debian's actual version 2.6.24-6~etchnhalf.4, upgradeable through Debian security updates to at least 2.6.24-6~etchnhalf.9etch3.


If you install any of these kernels they will be installed and your old kernel version retained with the new kernel set as the default in the GRUB boot menu. You can find out which CPU you have in your system with the command cat /proc/cpuinfo, under 'model name'.


You will see various messages when updating or upgrading kernels. Here are some examples.

When you use aptitude upgrade you get updated versions of the same kernel(s) you have installed. Same package name, different version of that package. For example you might get package linux-image-2.6.18-4-686 (package version 2.6.18.dfsg.1-12etch1) updated to package version 2.6.18.dfsg.1-12etch2. This is the kind of message you would see in this case (this particular example actually deals with a Debian 3.1 Sarge update, kernel-image-2.6.8-4-686-smp (package version 2.6.8-17) → kernel-image-2.6.8-4-686-smp (package version 2.6.8-17sarge1)):

Setting up kernel-image-2.6.8-4-686-smp (2.6.8-17sarge1) ...

 You are attempting to install a kernel version that is the same as
 the version you are currently running (version 2.6.8-4-686-smp). The modules
 list is quite likely to have been changed, and the modules dependency
 file /lib/modules/2.6.8-4-686-smp/modules.dep needs to be re-built. It can
 not be built correctly right now, since the module list for the
 running kernel are likely to be different from the kernel installed.
 I am creating a new modules.dep file, but that may not be
 correct. It shall be regenerated correctly at next reboot.

 I repeat: you have to reboot in order for the modules file to be
 created correctly. Until you reboot, it may be impossible to load
 some modules. Reboot as soon as this install is finished (Do not
 reboot right now, since you may not be able to boot back up until
 installation is over, but boot immediately after). I can not stress
 that too much. You need to reboot soon.

Please Hit return to continue.

Not touching initrd symlinks since we are being reinstalled (2.6.8-17)
Not updating image symbolic links since we are being updated (2.6.8-17)
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Updating /boot/grub/menu.lst ... done

When you use aptitude dist-upgrade you get upgraded kernel packages themselves - actual new builds of the same kernel version (2.6.18) you have installed, bringing in bigger updates than when just the package version changes. For example you might get package linux-image-2.6.18-5-686 upgraded to package linux-image-2.6.18-6-686. The whole package itself has changed, so you end up with the old kernel and the new kernel. This is the kind of message you would see in this case (this particular example actually deals with a Debian 3.1 Sarge update, kernel-image-2.6.8-3-686-smp → kernel-image-2.6.8-4-686-smp):

  You are running a kernel (version 2.6.8-3-686-smp) and attempting to remove
  the same version. This is a potentially disastrous action. Not only
  will /boot/vmlinuz-2.6.8-3-686-smp be removed, making it impossible to boot
  it, (you will have to take action to change your boot loader to boot
  a new kernel), it will also remove all modules under the directory
  /lib/modules/2.6.8-3-686-smp. Just having a copy of the kernel image is not
  enough, you will have to replace the modules too.

    I repeat, this is very dangerous. If at all in doubt, answer
    no. If you know exactly what you are doing, and are prepared to
    hose your system, then answer Yes.
Remove the running kernel image (not recommended) [No]?

If you say 'no' here you get this:

dpkg: error processing kernel-image-2.6.8-3-686-smp (--remove):
 subprocess pre-removal script returned error exit status 1
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)
Ack!  Something bad happened while installing packages.  Trying to recover:
Setting up kernel-image-2.6.8-4-686-smp (2.6.8-17) ...
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Found kernel: /boot/vmlinuz-2.6.8-3-686-smp
Updating /boot/grub/menu.lst ... done

If you say 'yes' here you get this:

Ok, proceeding with removing running kernel image.
Searching for GRUB installation directory ... found: /boot/grub .
Testing for an existing GRUB menu.list file... found: /boot/grub/menu.lst .
Searching for splash image... none found, skipping...
Found kernel: /boot/vmlinuz-2.6.8-4-686-smp
Updating /boot/grub/menu.lst ... done

The link /vmlinuz.old is a dangling link
Removing symbolic link vmlinuz.old
Unless you used the optional flag in lilo,
 you may need to re-run lilo
The link /initrd.img.old is a dangling link
Removing symbolic link initrd.img.old
Unless you used the optional flag in lilo,
 you may need to re-run lilo


Setting up kernel-image-2.6-686-smp (101sarge2) ...

server:/var/log# aptitude dist-upgrade
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
The following packages are unused and will be REMOVED:

This example involves an ABI (application binary interface) change:

Note that this update changes various package names due to ABI changes.
You must therefore have the corresponding upgrade-assist metapackage(s)
installed for your upgrades to automatically take place. These packages
have names with the prefix 'linux-image-2.6-'. Systems installed with an
official Debian 4.0 installer will have the appropriate packages installed
by default. For a full list of these metapackages for Debian 4.0, see:
Any 3rd party modules that have been built and installed for your system
will need to be rebuilt and installed for compatability with the new ABI.

The following matrix lists additional source packages that were rebuilt for
compatability with or to take advantage of this update:

                                             Debian 4.0 (etch)
     fai-kernels                             1.17+etch.17etch1
     linux-latest-2.6                        6etch3
     linux-modules-contrib-2.6               2.6.18-4+etch3
     linux-modules-extra-2.6                 2.6.18-7+etch4
     linux-modules-nonfree-2.6               2.6.18-4etch2
     loop-aes                                3.1d-13etch2
     nvidia-graphics-legacy-modules-amd64    1.0.7184+6etch2
     nvidia-graphics-legacy-modules-i386     1.0.7184+6etch2
     nvidia-graphics-modules-amd64           1.0.8776+6etch2
     nvidia-graphics-modules-i386            1.0.8776+6etch2
     user-mode-linux                         2.6.18-1um-2etch.17etc

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages


To see which compile-time options were set in your kernel, see the file /boot/config-<kernel version>-<Debian build version>-<architecture>.

Further Information

Changes in the 2.6 Linux kernel - prior to the present mainline kernel

Changes in the 2.6 Linux kernel - the present mainline kernel

'Debian Reference - Chapter 7 - The Linux kernel under Debian:


Kernel Traffic:

The Linux Kernel Mailing List (LKML):

The Linux Kernel Archives:

Bits from the kernel team - "Half-way between the Sarge release and the Etch freeze the Debian kernel team takes a look back at what already happened after the Sarge release and what you should expect for Etch" - 8 Mar 2006:

NFS server



The userID of the user on the workstation must match the userID of a user on the server.

Add directories to share and who to share them to in /etc/exports, for example:

Re-export all directories in the table of exported file systems for NFS:
exportfs -ra

Further Information

Version control - Subversion



This configuration is explained in more depth at

In order to use Subversion's own lightweight server (as opposed to using Apache) to enable access over a network edit the following then restart inetd with /etc/init.d/inetd restart:
/etc/inetd.conf: svn stream tcp nowait svnowner /usr/bin/svnserve svnserve -i -r /usr/local/repositories
You can leave out the -r /usr/local/repositories but users will have to include the whole local path in their client software). You need to create the user svnowner and give them appropriate permissions on the subversion repository directory.

Define the name of the password file of users that can commit to the repository, and give your realm a name, by adding the following to:
[general] password-db = passwd
realm = My First Realm

Define users that can commit to the repository, by creating the file: /repository-directory/conf/passwd
and adding users using this syntax: [users]
harry = foopassword
sally = barpassword

Further Information

Version Control with Subversion:



This is an interesting document on changes to be made to printing packages in Debian: PrinterDriverPackagesSuggestedChanges.

When printing to a directly attached printer

When printing to either a directly attached or remote printer

Package installation options

cupsys-bsd asks "Do you want to set up the BSD lpd compatibility server?" - yes

When printing to a remote printer

Put the hostname or IP address of the print server in the ServerName section of the configuration file /etc/cups/client.conf. The printer should then be available to most applications to print to.

Install the Printer Driver, when the printer is directly attached

You need a PostScript printer driver (and filter, if the printer isn't a PostScript printer) for each printer, even if the printer isn't a PostScript printer. Go to the Printer Database at and look up your particular printer and note which driver (and accompanying filter) it recommends using.

Install the recommended PostScript printer driver package (see previously), or if you're using an actual PostScript printer you may be getting the driver from the printer vendor.

Restart CUPS: /etc/init.d/cupsys restart

(This example is for an Epson Stylus C84, you need to change the name of the files to suit your printer)

Create the print queue, when the printer is directly attached

Using the CUPS web interface

Using the command-line

If you need to remove the print queue, use lpadmin -x <printer>.

Configure the printer driver

Using the CUPS web interface

Configure Printer...

Using the command-line

lpoptions - display or set printer options and defaults. Use it to lock down a set of sensible defaults. To see the options available for your setup, use the 'docs' option like this: lp -d <printer> -o docs /etc/hosts; or use lpoptions -p <printer> -l. Usually, you can also use the media=..., sides=..., and duplex CUPS options, if there are InputSlot, MediaType, and Duplex options for your driver.

Sharing the printer



To share printers to Windows workstations (this assumes some understanding of Samba).

This is only a rudimentary guide to setting up print sharing through Samba. For a much more complete guide see the printing section of our Samba document 'Setting up a Samba primary domain controller and file/print/software deployment server for Windows using Samba 3 on Debian 4.0 Etch'.

Tools for working with printer queues and print jobs

Using the CUPS web interface

Should be self explanatory.

Using the command-line

(use -h IP-address with each of these to specify the IP address of the print server if using a remote printer)

Inkjet printer maintenance

With Epson Stylus printers

Using the command-line


List available devices on the system: lpinfo -v

List available drivers on the system: lpinfo -m

Restart CUPS: /etc/init.d/cupsys restart

CUPS configuration file: /etc/cups/cupsd.conf

CUPS error log: /var/log/cups/error_log. (Change 'LogLevel warn' to 'LogLevel debug' in /etc/cups/cupsd.conf, then restart CUPS, for more verbose messages in the error log.)

Configuration for Printing to Windows Printers

(Note: add package names for installing Samba components for this to work)

Check you can connect to the Windows system: smbclient -L <computer-name> -N. If WINS isn't available you need to additionally specify the IP address with -I IP-address.

Verify that your installation of CUPS has the SMB backend by looking for a particular symbolic link: ls -l /usr/lib/cups/backend/smb. If this symbolic link doesn't exist, create it: ln -s /usr/bin/smbspool /usr/lib/cups/backend/smb

Further Information

CUPS Software Administrators Manual: http://localhost:631/documentation.html or

CUPS Software Users Manual: includes forums for specific printer makes

CUPS Software Users Manual, http://localhost:631/documentation.html

Setting Up CUPS under Debian GNU/Linux:

HP Linux Printing Project:

Debian and Windows Shared Printing mini-HOWTO: (this is a good introduction)

Noteworthy changes since previous Debian stable version

cupsd.conf by default only listens for connections from the local machine.
For remote access you need to change 'Listen Localhost:631' to 'Listen *:631' or what ever suits your 

        - Added official support for printer maintenance commands
          via the CUPS Command file format and hooks in the
          printer-type and web interfaces (STR #932)
        - Added support for DBUS on Linux.
        - Fixed a problem with N-up printing and OpenOffice (STR
        - Added new on-line help CGI to web interface to provide
          searchable help.
        - Added new printer auto-detection, server configuration,
          and log file viewing to the administration web page.
        - Added KDE/GNOME icons and a Manage Printers menu item.
        - The parallel and USB backends no longer wait for the
          printer to go on-line - this caused problems with
          certain printers that don't follow with the IEEE-1284
          standard (STR #1738)

potentially worth looking into to use
        - Added new "set allowed users" web interface to set the
          list of allowed users for a printer or class.
        - Added a "set allowed users" interface to the web
          interface so that you can set the list of allowed or
          denied users/groups for a printer or class.
        - Updated the cupsaddsmb utility to correctly export the
          CUPS driver for Windows.
        - New policy mechanism allows per-operation and
          per-printer control over what users and groups are
          allowed to do various IPP operations.
        - Added the SNMP backend for network printer discovery
          (STR #1555)
        - The cupsaddsmb man page listed the wrong files for the
          CUPS driver.

potentially problematic for an upgrade
        - The USB backend no longer supports the usb:/dev/foo
          format on systems that support device ID queries.

useful bugs fixed
        - Windows clients could not monitor the queue status (STR
          #2006) -

Document scanner server



Follow the configuration instructions in our document 'Desktop System Setup with Debian 4.0 Etch' and additionally configure for sharing as described below.

saned is the SANE (Scanner Access Now Easy) daemon that allows remote clients to access image acquisition devices available on the local host.

  1. configuration file: /etc/sane.d/saned.conf - contains a list of accepted clients
  2. add this to /etc/inetd.conf:
    sane stream tcp nowait saned.saned /usr/sbin/saned saned
  3. The Debian package automatically adds this for you to /etc/services:
    sane 6566/tcp # SANE network scanner daemon
    (Note: Debian uses 'sane' where as the SANE project's documentation uses 'sane-port'. It looks as though 'sane-port' will be replaced in the IANA ports specification with 'sane')




Configuration file: /etc/dhcp3/dhcpd.conf

Internet relay chat (IRC) server using dancer




The documentation in /usr/share/doc/dancer-ircd/ and /usr/share/doc/dancer-ircd-doc/ doesn't seem helpful with configuration.

dancer services




Dancer services


Linux Terminal Server (LTSP)



Once LTSP is running and you're able to login, you'll need to install a window manager and other software. We found you just install, for example, gnome, and it just works when logging in from the workstation.
(However this seems to run counter to what is described in the Project MueKow / LTSP 5 documentation which says you need to install packages into the LTSP export directory /opt/ltsp using:
chroot /opt/ltsp/i386
aptitude install mozilla-firefox

Further Reading



Bugs with documentation

Telephony - Asterisk

This section is incomplete.


Webmin - web-browser GUI server administration

Project site:

Webmin isn't available in the main Debian archive for Debian 4.0 Etch because it is considered a security risk on Internet-connected servers. However for people doing system administration who aren't system administrators on servers behind firewalls Webmin is probably an essential program.



(It would be preferable to use the Webmin APT repository at but this is currently only available for Debian 3.1 Sarge.)

Download the Debian package directly (or by other means if you wish):

Install it (it installs in /usr/share/webmin):
dpkg -i webmin_<version>_all.deb

You can now login to Webmin at https://<your server hostname or IP address>:10000 i.e. https://server:10000, as root with your Unix root password, or as any user who can use sudo to run commands as root.

Further Information

Debian installation instructions:

'The Book of Webmin' or 'How I Learned to Stop Worrying and Love UNIX' by Joe Cooper:

UPS - Uninterruptible Power Supply Monitoring



When you install the package it will automatically start it and use a sensible set of defaults, which are to monitor the first serial port and shutdown after 20 seconds of running on battery power.

Configuration for different kinds of UPS are in /etc/upsd.conf.

Upsd uses the syslog(2) facility for status reporting when running as a daemon, so its messages will be in /var/log/syslog.


? Test (with UPS attached to first serial port): upsd -t /dev/ttyS0

? Check status: cat /etc/upstatus


Log files

Error logs are kept that can help understand when something is broken.

When troubleshooting a problem it can be useful to keep a command-line window open displaying a program's log file, with entries appended in real time as the file grows, using: tail -f <log-file>.