[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ISP setup

On Mon, Feb 27, 2006 at 03:06:59AM -0700, Charles wrote:
> I'm looking at the step by step instructions included at
> http://www.howtoforge.com/perfect_setup_debian_sarge, and I have a
> few questions that relate to local implementation and some different
> assumptions, as follows:

on the whole, a reasonable howto but it does contain some broken advice.

1. don't use uw-imapd. ever. it's garbage. if you want a pop/imap daemon
that supports both mbox and Maildir (as well as both SSL encrypted and
unencrypted connections), then use Dovecot. Courier's OK too if you just
need Maildir support, but i prefer Dovecot.

ISPConfig's web site says that it supports all pop/imap servers so it
should work with dovecot. no reason why it shouldn't - there's very
little to configure with a pop/imap daemon once it's installed.

a word of advice: configure dovecot to require SSL connections if any
of your clients read their mail from other networks. otherwise they
will be transmitting their logins & passwords in clear text across the
internet. bad idea. the easiest way to do that is to configure dovecot
to accept both ssl and non-ssl connections but to add firewall rules at
your border router to block unencrypted pop & imap (ports 110 and 143)

2. set your system clock to GMT - otherwise daylight savings changes are
not handled correctly in most (all?) time zones.

the only reason to leave the system clock to localtime on a linux box is
if that box has to dual boot with windows. otherwise use GMT (aka UTC).

also, don't set up that crappy rdate cron job to keep the clock in
sync. instead, install ntp-server. by default, it is configured to use
pool.ntp.org (a huge collection of public NTP servers). if your system
clock is seriously out, you may need to first use ntpdate or rdate to
set the time, then ntpd will keep it in sync.

this also gives you a local time server you can use to keep all your
machines in sync with the correct time (this is very important when
tracking down problems in log files - it makes it much easier if all
logs have the same time stamps).

anyway, his advice on touching and editing root's crontab is wrong.
always use 'crontab -e' to edit a crontab. you don't need to fix
permissions, restart crond, or even know where the crontab is stored.

NOTE: by default, 'crontab -e' will use vi. if you don't like vi, set
$EDITOR to your preferred editor. e.g. if you want to use joe, then use
'export EDITOR=/usr/bin/joe'. you can add that to your ~/.bash_profile
so that it gets set every time you log in. or to /etc/profile if you
want it set for all users if/when they log in. setting $EDITOR like this
will change the editor used or called by many other programs - vipw,
visudo, less, and many more.

3. ignore everything he says about installing perl modules. the modules
required are already packaged for debian (and DB_File is included in the
perl package). install them by running:

  apt-get install libhtml-parser-perl lib-net-dns-perl

every perl module required by spamassassin (and hundreds more) is
already packaged for debian. if you find you need more than just those
two, then install the debian packages - search through the debian
package list and install them with apt-get rather than from CPAN.

the package names for perl modules are generally "libFOO-perl", where
FOO is a variation of the CPAN module name (usually "::" replaced with

4. re: your problem with creating ssl keys for postfix. i dont have
time to debug the commands he provided, but it might be worth your
while searching through the archives of this list for a script i posted
(last year i think) called make-postfix-cert.sh. the message containing
that script also has instructions for setting up a CA and creating
certificates for both your server and for any client machines you want
to allow to relay if they have the right certificate (i.e. in addition
to permit_mynetworks, permit_sasl_authenticated).

5. i didn't see him mention it, but postfix should be added to group
'sasl' for SMTP Auth to work.

6. as others noted in the comments at the bottom of the last page, dont
follow his instructions for editing /etc/init.d/saslauthd. just edit
/etc/default/saslauthd instead. the debian package already supports the
kind of changes he wanted to make as a configuration option - and that
wont get overwritten the next time the saslauthd package is upgraded.


craig sanders <cas@taz.net.au>           (part time cyborg)

Reply to: