A Server (Almost) of Your Own
There have been many automated attacks against SSH. At the very least, you must use strong passwords, or your system will be compromised. The apg utility simplifies this task. It generates random, non-dictionary “words” that you can pronounce. There are apg packages for most popular Linux distributions.
Make sure to look in the on-line Resources for this article for more information. SSH security is not specific to the VPS environment—it is also an important issue in standard virtual hosting. With a VPS, however, you do have the flexibility to protect yourself properly. The resources page is at /article/9380.
The mail server, also known as the Mail Transfer Agent (MTA), is a program that delivers and receives e-mail messages. The MTA will receive all the mail that others send you. Likewise, any messages you send to others will leave your VPS through the MTA.
The default MTA on your VPS is Sendmail. This sophisticated, powerful program has advantages for complex e-mail configurations. Unfortunately, it also is difficult to configure and tends to have a lot of security problems.
Therefore, we replace Sendmail with Postfix. Postfix is efficient, very secure and, most important, easy to configure. Before proceeding with the installation, shut down Sendmail, and make sure that it will not start again on reboot. Then, install Postfix:
[root@myvps ~]# /etc/init.d/sendmail stop Shutting down sendmail: [ OK ] Shutting down sm-client: [ OK ] [root@myvps ~]# chkconfig --del sendmail [root@myvps ~]# up2date --install postfix
Note that using the up2date command to install packages is specific to Red Hat and related distributions. You may be presented with a configuration screen the first time that you run up2date. You can simply press Enter to accept the default values. In addition, up2date is sometimes very slow and can even fail for transient reasons. You can try the command again if it does not work the first time.
The main Postfix configuration file is /etc/postfix/main.cf. Save a copy of this file to read later, because it contains many helpful comments. Then, replace /etc/postfix/main.cf with the code from Listing 1. You should modify your new main.cf to specify the domain names that you will be hosting on your VPS.
# Example "main.cf" file for Postfix on a VPS. # # Note that lines that begin with whitespace # continue the previous line. # # LOCAL PATHNAME INFORMATION queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix # QUEUE AND PROCESS OWNERSHIP mail_owner = postfix # Host name is usually the domain name on a VPS. myhostname = first.domain mydomain = first.domain # Where locally-posted mail will come from. myorigin = $myhostname # Listen on all interfaces. inet_interfaces = all # This server is the final destination for these domains. mydestination = localhost, localhost.localdomain, $myhostname, localhost.$mydomain, $mydomain, second.domain # IMPORTANT -- accept mail for relaying ONLY from # the local machine. mynetworks_style = host # Where your aliases are. alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases # This user should receive any mail whose recipient # could not otherwise be matched. luser_relay = email@example.com # IMPORTANT -- local recipient checking must be # turned off for the "luser_relay" directive to # work. local_recipient_maps = # Error code to reject mail with when the local # recipient is not known. unknown_local_recipient_reject_code = 550 # Your server's greeting banner. IMPORTANT -- it # MUST start with your server's hostname, and the # reverse DNS lookup on the server's IP address MUST # match this hostname, or your outgoing mail could # be rejected as SPAM. smtpd_banner = $myhostname ESMTP # See the "main.cf" that came with your Postfix # distribution for discussion on the rest of the # directives in this file. debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.1.5/samples readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
Replace all occurrences of first.domain in Listing 1 with your own fully qualified domain name, such as openlight.com. The reverse DNS lookup of your VPS's IP address must return this domain! Otherwise, your outbound messages may be rejected as spam.
If you are hosting an additional domain name, substitute it instead of the second.domain entry. Otherwise, delete second.domain before using Listing 1. If you wish, you can also, replace maila in Listing 1 with the user name of your choice.
Now, append an entry to the /etc/aliases file to specify the user who will receive root's mail. Here is an example:
Next, create accounts for the other e-mail users. Append any aliases for these users to /etc/aliases. The following example entry will cause user mailb to receive all messages sent to firstname.lastname@example.org:
Note that if you have an additional domain name, messages to email@example.com will also go to mailb. For a small organization, this is probably the right default behavior, because all domain names that you will be hosting are almost certainly related. For example, if you are hosting an additional domain for your product, then tech-support questions about the product should likely go to the same person, regardless of which domain name appears in the e-mail address.
When you are finished, update the alias database file, and start Postfix:
[root@myvps ~]# postalias /etc/aliases [root@myvps ~]# /etc/init.d/postfix start Starting postfix: [ OK ]
Check the log file /var/log/maillog for any errors.
You can update the aliases file even while Postfix is running, just run postalias /etc/aliases again when you are finished.
You should now verify that Postfix is doing what you expect. Connect to port 25 on your VPS using telnet, as shown in Listing 2. Enter just the text highlighted in bold—the rest of the text is the system's responses. Of course, you should type the IP address of your VPS in place of MY.VPS.IP.ADDRESS, and your actual domain name instead of first.domain.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Tech Tip: Really Simple HTTP Server with Python
- Home, My Backup Data Center
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Android is Linux -- why no better inter-operation
16 min 28 sec ago
- Connecting Android device to desktop Linux via USB
44 min 58 sec ago
- Find new cell phone and tablet pc
1 hour 43 min ago
3 hours 11 min ago
- Automatically updating Guest Additions
4 hours 20 min ago
- I like your topic on android
5 hours 6 min ago
- Reply to comment | Linux Journal
5 hours 28 min ago
- This is the easiest tutorial
11 hours 42 min ago
- Ahh, the Koolaid.
17 hours 21 min ago
- git-annex assistant
23 hours 20 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.