A Server (Almost) of Your Own
There have been many automated attacks against SSH. At the very least, you must use strong passwords, or your system will be compromised. The apg utility simplifies this task. It generates random, non-dictionary “words” that you can pronounce. There are apg packages for most popular Linux distributions.
Make sure to look in the on-line Resources for this article for more information. SSH security is not specific to the VPS environment—it is also an important issue in standard virtual hosting. With a VPS, however, you do have the flexibility to protect yourself properly. The resources page is at /article/9380.
The mail server, also known as the Mail Transfer Agent (MTA), is a program that delivers and receives e-mail messages. The MTA will receive all the mail that others send you. Likewise, any messages you send to others will leave your VPS through the MTA.
The default MTA on your VPS is Sendmail. This sophisticated, powerful program has advantages for complex e-mail configurations. Unfortunately, it also is difficult to configure and tends to have a lot of security problems.
Therefore, we replace Sendmail with Postfix. Postfix is efficient, very secure and, most important, easy to configure. Before proceeding with the installation, shut down Sendmail, and make sure that it will not start again on reboot. Then, install Postfix:
[root@myvps ~]# /etc/init.d/sendmail stop Shutting down sendmail: [ OK ] Shutting down sm-client: [ OK ] [root@myvps ~]# chkconfig --del sendmail [root@myvps ~]# up2date --install postfix
Note that using the up2date command to install packages is specific to Red Hat and related distributions. You may be presented with a configuration screen the first time that you run up2date. You can simply press Enter to accept the default values. In addition, up2date is sometimes very slow and can even fail for transient reasons. You can try the command again if it does not work the first time.
The main Postfix configuration file is /etc/postfix/main.cf. Save a copy of this file to read later, because it contains many helpful comments. Then, replace /etc/postfix/main.cf with the code from Listing 1. You should modify your new main.cf to specify the domain names that you will be hosting on your VPS.
# Example "main.cf" file for Postfix on a VPS. # # Note that lines that begin with whitespace # continue the previous line. # # LOCAL PATHNAME INFORMATION queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix # QUEUE AND PROCESS OWNERSHIP mail_owner = postfix # Host name is usually the domain name on a VPS. myhostname = first.domain mydomain = first.domain # Where locally-posted mail will come from. myorigin = $myhostname # Listen on all interfaces. inet_interfaces = all # This server is the final destination for these domains. mydestination = localhost, localhost.localdomain, $myhostname, localhost.$mydomain, $mydomain, second.domain # IMPORTANT -- accept mail for relaying ONLY from # the local machine. mynetworks_style = host # Where your aliases are. alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases # This user should receive any mail whose recipient # could not otherwise be matched. luser_relay = firstname.lastname@example.org # IMPORTANT -- local recipient checking must be # turned off for the "luser_relay" directive to # work. local_recipient_maps = # Error code to reject mail with when the local # recipient is not known. unknown_local_recipient_reject_code = 550 # Your server's greeting banner. IMPORTANT -- it # MUST start with your server's hostname, and the # reverse DNS lookup on the server's IP address MUST # match this hostname, or your outgoing mail could # be rejected as SPAM. smtpd_banner = $myhostname ESMTP # See the "main.cf" that came with your Postfix # distribution for discussion on the rest of the # directives in this file. debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.1.5/samples readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
Replace all occurrences of first.domain in Listing 1 with your own fully qualified domain name, such as openlight.com. The reverse DNS lookup of your VPS's IP address must return this domain! Otherwise, your outbound messages may be rejected as spam.
If you are hosting an additional domain name, substitute it instead of the second.domain entry. Otherwise, delete second.domain before using Listing 1. If you wish, you can also, replace maila in Listing 1 with the user name of your choice.
Now, append an entry to the /etc/aliases file to specify the user who will receive root's mail. Here is an example:
Next, create accounts for the other e-mail users. Append any aliases for these users to /etc/aliases. The following example entry will cause user mailb to receive all messages sent to email@example.com:
Note that if you have an additional domain name, messages to firstname.lastname@example.org will also go to mailb. For a small organization, this is probably the right default behavior, because all domain names that you will be hosting are almost certainly related. For example, if you are hosting an additional domain for your product, then tech-support questions about the product should likely go to the same person, regardless of which domain name appears in the e-mail address.
When you are finished, update the alias database file, and start Postfix:
[root@myvps ~]# postalias /etc/aliases [root@myvps ~]# /etc/init.d/postfix start Starting postfix: [ OK ]
Check the log file /var/log/maillog for any errors.
You can update the aliases file even while Postfix is running, just run postalias /etc/aliases again when you are finished.
You should now verify that Postfix is doing what you expect. Connect to port 25 on your VPS using telnet, as shown in Listing 2. Enter just the text highlighted in bold—the rest of the text is the system's responses. Of course, you should type the IP address of your VPS in place of MY.VPS.IP.ADDRESS, and your actual domain name instead of first.domain.
Free DevOps eBooks, Videos, and more!
Regardless of where you are in your DevOps process, Linux Journal can help!
We offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, and advice & help from the expert sources like:
- Linux Journal
- Users, Permissions and Multitenant Sites
- New Products
- Flexible Access Control with Squid Proxy
- Security in Three Ds: Detect, Decide and Deny
- High-Availability Storage with HA-LVM
- DevOps: Everything You Need to Know
- Tighten Up SSH
- Solving ODEs on Linux
- Non-Linux FOSS: MenuMeters
- March 2015 Issue of Linux Journal: System Administration