Debian optional configuration

Setup of the Apache web server

Apache is the most widely used web server, but it's configuration is very cumbersome to understand. Incomplete or erroneous configurations are pointed out in incomprehensible error messages.

When you see this message

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

you may not have a problem with Apache. First check that you have your /etc/hosts setup correctly. If your IP address is likely to change, you need to put 127.0.0.1 as the first characters in the second line of /etc/hosts.

Apache supports serving web sites from many different domains with one single Apache installation.

When you have set up the server, it comes with a default virtual host. I suggest you leave it's configuration intact. Let us assume you have a server bar in the domain foo.org.

root@host:~# cp /etc/apache2/sites-available/000-default /etc/apache2/sites-available/bar.foo.org␍

Edit this for something like

  <VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName bar.foo.org
  DocumentRoot /var/www

  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>

  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>

  ErrorLog /var/log/apache2/bar_error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog /var/log/apache2/bar_access.log combined
</VirtualHost>

This file stays in sites-available. It only becomes a valid virtual host when it is part of the sites-enabled directory. The easiest way to do that is to set up a symbolic link.

root@host:~# a2ensite site_file␍

Setup of email files

The file /etc/aliases is used by mailing programs to set aliases to local, or even remote users. On a freshly istalled host, it may look like

# /etc/aliases

mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root

The minimum change you should do it to change whomever mail to root should be changed to to your personal account. Add a line

root: your_personal_account

root: me@othermail.com

or you can have the mail delivered to both a local and a remote address. For example

root: your_personal_account, me@othermail.com

Note the use of the comma here.

The file /etc/mailname is used by mailing programs to set the domain part of outgoing mail. This could be the same as the domain name or the fully qualified damain name. Say you have bought domain and want to have email of user "me" to come from "me@domain" you set the contents of /etc/mailname to

domain

Make sure the file just contains the domain name, and the newline character.

Setup of the Exim mailer

Exim is the default mailer on a Debian machine. If it is not there you can install it with

root@host:~# aptitude install exim4␍

Its configurations live in /etc/exim4. Example

root@host:/etc/exim4# ls -l␍
total number
drwxr-xr-x 9 root root         bytes time conf.d
-rw-r--r-- 1 root root         bytes time exim4.conf.template
-rw-r----- 1 root Debian-exim  bytes time passwd.client
-rw-r--r-- 1 root root         bytes time update-exim4.conf.conf

Configurating a mailer is generally very complicated. The Debian version of exim’s configuration is no exeption. The basic configuration is held in two ways. It is stored in the conf.d directory, where it lives in a large number of small files. And it is stored in a single large file exim4.conf.template. You have to decide one way to maintain it, and then you better stick to it. I use the big single file, actually I think this is the default option. To change that file, you need to be a bit of a wizard. For basic changes to the mailer, there is a special file update-exim4.conf.conf that you can edit. Here is a typical initial setup.

dc_eximconfig_configtype='local'
dc_other_hostnames='some_domain'
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

dc_eximconfig_configtype='internet': If you set the value to internet, this means you are ready to receive mail from other Internet hosts for your local users. If the value is local, your mailer will not deliver mail from other hosts, it will only deliver mail locally, i.e. between users of the same computer.
dc_other_hostnames='domain:other_domain': This variable set what domains your are accepting mail for. This should be a list of domain names separate by :. Here you enter all the domains you accept email for, separated by :.
dc_local_interfaces='0.0.0.0': This variable set what domains ip addresses exim should listen to for connections. In the default installation it listens to the local ip address only. This can to be changed to '0.0.0.0' if you want to take mail from the Internet. In that case it means the IP addresses of all interfaces should be listened to.

Other settings don’t need changing.

To make your changes work, you need to apply the settings. This is done with two commands.

root@host:/etc/exim4# update-exim4.conf␍
root@host:/etc/exim4# /etc/init.d/exim4 restart␍

You will see something like

Stopping MTA for restart: exim4_listener.
Restarting MTA: exim4.

If you are accepting email from the Internet, you may also want to make sure you have spam filtering configured.

Setup of spam configuration.

I am running my spam filtering using sa-exim. Basically, it’s a separate package that makes exim4 work with spamassassin.

First, you have to make sure you have the package.

root@host:~# aptitude install sa-exim␍

This may, of course install some dependencies that you may not yet have. The installation of sa-exim will not enable it. You have to do some manual steps. This instruction set assumes that you keep the exim configuration in one single file.

Edit the file /etc/exim4/exim4.conf.template. Between this passage

#####################################################
### end main/03_exim4-config_tlsoptions
#####################################################

and this passage

#####################################################
### main/90_exim4-config_log_selector
#####################################################

insert the following

#####################################################
# This will enable sa-exim, but it won't actually scan and possibly reject
# messsages before you enable this in sa-exim.conf (see SAEximRunCond)
#
# For a starter, you'd probably want to read the documentation at:
# /usr/share/doc/sa-exim/README.Debian
# and
# /usr/share/doc/sa-exim/README.gz
#
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
#####################################################

Here is what is you can do to get an initial, reasonable configuration of sa-exim, the software that bridges exim and spamassassin.

root@host:~# GET http://dlib.info/home/krichel/courses/lis652/configs/sa-exim.conf > /etc/exim4/sa-exim.conf

However, please edit the end of the /etc/exim4/sa-exim.conf file to change my personal details with yours.

In this configuration, a number of directorise are references where spammassissined mail is saved into. It is useful to create these directories and to assign proper permissions to them

root@host:~# mkdir /var/spool/sa-exim/SAtempreject␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SAtempreject␍
root@host:~# chmod 770 /var/spool/sa-exim/SAtempreject␍
root@host:~# mkdir /var/spool/sa-exim/SAteergrube␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SAteergrube␍
root@host:~# chmod 755 /var/spool/sa-exim/SAteergrube␍
root@host:~# mkdir /var/spool/sa-exim/SAdevnull␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SAdevnull␍
root@host:~# chmod 755 /var/spool/sa-exim/SAdevnull␍
root@host:~# mkdir /var/spool/sa-exim/SAerrorsave␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SAerrorsave␍
root@host:~# chmod 755 /var/spool/sa-exim/SAerrorsave␍
root@host:~# mkdir /var/spool/sa-exim/SAnotspam␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SAnotspam␍
root@host:~# chmod 755 /var/spool/sa-exim/SAnotspam␍
root@host:~# mkdir /var/spool/sa-exim/SApermreject␍
root@host:~# chown Debian-exim.Debian-exim /var/spool/sa-exim/SApermreject␍
root@host:~# chmod 770 /var/spool/sa-exim/SApermreject␍

For your convieninec you can use the create_sa-exim_directories script.

For security reasons, spamassissin is initially disabled. To enable it, you need to edit the file /etc/default/spamassassin. There find a couple of lines

# Change to one to enable spamd
ENABLED=0

Change this to

# Change to one to enable spamd
ENABLED=1

If you want to configure spamassissin, edit the file /etc/spamassassin/local.cf

You are now ready to update your mail programs

root@host:/etc/exim4# update-exim4.conf␍
root@host:/etc/exim4# /etc/init.d/exim4 restart␍
Stopping MTA for restart: exim4_listener.
Restarting MTA: exim4.

After that, start spamassassin

root@host:/etc/exim4# /etc/init.d/spamassassin restart␍
Starting SpamAssassin Mail Filter Daemon: spamd.

Now become yourself, where me is your user name

root@host:/etc/exim4# su me␍

send a test mail

user@host:~$ echo test | mutt -s 'a test mail' krichel@openlib.org␍

This presumes you have to mutt mail client installed, if you have not, you sure know how to get it. To look at the log of the mail, do, as root

root@host:~# tail /var/log/exim4/mainlog␍

Here we use a neat utility called tail to look at the end of a file.

user@host:~$ man tail␍

will tell you more about it.

Useful scheduled jobs as root

Let us create a directory etc, that will contain the scheduled job table (aka crontab) of user root.

root@host:~# mkdir /root/etc␍

and then one for the data iself

root@host:~# mkdir /root/var␍

Now get a file /root/etc/crontab from Thomas' handy collection

root@host:~# GET http://dlib.info/home/krichel/courses/lis652/configs/root_crontab > /root/etc/crontab␍

Make this the file the crontab for root

root@host:~# crontab /root/etc/crontab␍

You can then list it, for checking

root@host:~# crontab -l␍