In the previous post I covered setting up a server that allows the entire system to be encrypted. Today I will cover further setup of this system, including traffic shaping, a webserver and a mailserver.
Before you start reading this article, I'd urge you to read the following:
Setting up a mailserver
Setting up iptables
Code for /etc/init.d/shape_traffic was borrowed from the above article
For this article, i used the following use flags.
$cat /etc/portage/make.conf | grep USE
USE="bindist ssl php cgi curl postgres threads sasl maildir
imap vhosts bzip2 urandom authdaemond crypt spell geoip
spamassasin clamdtop -X -mysql mbox dovecot-sasl ipv6 iptables"
Furthermore I disabled sql support for our mail daemon, as I use system accounts.
$cat /etc/portage/package.use | grep cyrus-sasl
After editing your useflags, it is imperative to update your system:
emerge --quiet --verbose --deep --update --newuse --autounmask-write --with-bdeps=y world
Now we'll need to emerge the following packages:
While these packages are emerging, you can take your time to download and extract the set of configuration files provided at the bottom of the page. You should read them, and get familiar with their settings, and adjust them where indicated.
The files in www go in a folder in /var/www of your choosing. Remember to set the correct permissions, and to change /etc/hiawatha/hiawatha.conf to point to this folder. These PHP files constitute a trap page (error.php) and a rather simple blog (index.php). I hacked these up because I desperately wanted to avoid using wordpress, which is basically an open shell at port 80. The settings for this blog are at the top of each php file, and configuring them should be self explanatory.
You will need to generate a SSL certificate for your mailserver. I prefer self-signed certificates, as major CAs are compromised, and thus less secure.
You can generate one with the following command:
$openssl req -x509 -nodes -days 3650 -newkey rsa:4096
-keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.pem
Edit the scripts provided for /etc/init.d/ before continuing. One script you might not need is /etc/init.d/probe_all_net. I included it because the VPS that hosts this site has no transfer cap, but starts throttling your connection once you use over 60mbit for a few days. This script hopefully prevents that from happening.
If everything is configured to your liking, you can start each installed service using the following command:
If in the previous paragraph everything worked correctly, you can add all services to your system init using the following command:
$rc-update add [service] default
Now that everything is installed you can start adding users for mailboxes, spamasassin and the like. You can find information on how to do this here .Each email user should have no permissions outside of it's home folder, and /bin/false or /bin/nologin as shell.