Run virtual servers using XEN

Running virtual servers may save you a bundle on server costs, and at the same time create a more secure environment by separating services into logical hosts. This guide will show you how to set up a XEN virtual server using Debian, but it may also be used on Ubuntu if that is preferred.

Installation

The first task is to install all required software packages. Installing the virtual xen package will in turn install all required programs like a new libc6, kernel with virtual support and the xen hypervisor. Installing xen-tools makes it very easy to create new virtual servers.

# aptitude install xen-linux-system-2.6.18-6-xen-vserver-686 xen-tools

After installing the new kernel and libs, you will need to reboot the computer to use it.

Configuration

The virtual hosts need some way to access the network, so we have to create a network bridge for them to use. Open the file /etc/network/interfaces and create a section like the following. Be sure to change the network settings to reflect your own network.

iface xenbr0 inet static
address 10.10.10.100
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
bridge_ports eth0

Open up the xen configuration file /etc/xen/xend-config.sxp in your favorite editor and make the following changes.

(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)

The configuration file contains lots of comments, so I will not go into detail about every change.

The last configuration file is /etc/xen-tools/xen-tools.conf from the xen-tools package, which we will use to create the virtual machines. Be sure to change the network settings and home directory to match your environment.

dir = /home/xen
dist   = etch
gateway   = 10.10.10.1
netmask   = 255.255.255.0
cache = no
passwd = 1
mirror = http://ftp.se.debian.org/debian/

The rest of the values can probably be left alone, but do take a look at them to see if you need to customize anything.

Now to create a new virtual host, just write the following and debootstrap should start installing a fresh Debian system.

xen-create-image --ip=10.10.10.101 --hostname=host1.chadda.se

When the installation part is finished, just start the host (or create in xen speak), using the following command.

xm create /home/xen/domains/host1.chadda.se/host1.chadda.se.cfg

If you add the -c option, you will attach to the virtual console and you will see all output from the guest.

Enjoy

Now enjoy your new virtualized server!

Postfix HOWTO

This guide will help you install a complete mail server for the home, office and even an ISP. The guide follows a freshly installed Debian Sarge (currently testing) system, and uses Postfix, Courier IMAP, SASL, MySQL, Postfix admin, Squirrelmail and other nice software packages.

This HOWTO has probably become slightly outdated, since I have not had time to update it.

New HOWTO available: Mail server HOWTO – Postfix and Dovecot with MySQL and TLS/SSL, Postgrey and DSPAM

Prerequisites

Before getting started with the Postfix installation, the mysql server should be installed. We also need the mysql-client to populate the tables in the Postfix database:

# apt-get install mysql-server mysql-client

Note that the default MySQL installation in Debian does not have a password for the root user. Before continuing with this guide, set a root password! This is a far too easy thing to forget later on and it can have tremendous security implications.

Now it is time to download the Postfix admin software. It is a virtual user administration system written in PHP for the Postfix SMTP server. Head over to a temporary directory and download the archive from their site. When wget is done, unpack the file and enter the directory. Now we want to populate our MySQL database with the schema provided by Postfix admin:

# wget "http://high5.net/postfixadmin/download.php?file=postfixadmin-2.1.0.tgz"
# tar xvfz postfixadmin-2.1.0.tgz
# cd postfixadmin-2.1.0
# mysql -uroot -p < DATABASE_MYSQL.TXT

Now over to the next section.

Postfix

The database part is finished for now, and the time has now come for the Postfix SMTP daemon to be installed. When debconf asks you which configuration to install, just choose “no configuration”, since we will do everything by hand:

# apt-get install postfix postfix-tls postfix-mysql

The first thing to do is figuring out where you want the virtual home directory located. Good places for this could be /home/virtual, /var/mail/virtual, /var/spool/postfix/virtual and so on. In this guide I will use /home/virtual as a base for virtual users. We need to let Postfix be the owner of this directory, so do the following:

# cd /home
# mkdir virtual
# chown -R postfix:postfix virtual
# chmod -R 771 virtual

Let’s get cracking on the Postfix configuration now shall we. We need to add lots of configuration options to several files in the /etc/postfix directory.

/etc/postfix/main.cf:

# Set your hostname
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP ready
# If you need to relay outgoing mail via your ISP, set it here
#relayhost = smtprelay.example.com
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
# Make sure that the following number is the GID for the postfix user
virtual_gid_maps = static:102
virtual_mailbox_base = /home/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 100
virtual_transport = virtual
# Make sure that the following number is the UID for the postfix user
virtual_uid_maps = static:102
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps =
    mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his
    diskspace quota, please try again later.
virtual_overquota_bounce = yes
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/sasl/smtpd.cert
smtpd_tls_key_file = /etc/postfix/sasl/smtpd.key
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
smtpd_use_tls = yes
broken_sasl_auth_clients = yes
#content_filter=smtp-amavis:[127.0.0.1]:10024
max_use = 10
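The order of smtpd_recipient_restrictions above is what keeps the server from relaying for strangers, and main.cf only treats a line as part of the value when it starts with whitespace. The following check is an added example, not part of the original guide; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verdict on relay protection in a main.cf-style file.
# Prints one of: ok | open | missing | unset
relay_guard_status() {
    awk '
        function flush(   i, n, item) {
            if (cur !~ /^smtpd_recipient_restrictions[ \t]*=/) return
            sub(/^[^=]*=/, "", cur)
            gsub(/,/, " ", cur)
            n = split(cur, item, /[ \t]+/)
            verdict = "missing"        # value holds no reject_unauth_destination
            for (i = 1; i <= n; i++) {
                if (item[i] == "reject_unauth_destination") { verdict = "ok"; break }
                if (item[i] == "permit") { verdict = "open"; break }  # permit reached first
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blanks do not end a value
        /^[ \t]/ { cur = cur " " $0; next }  # leading whitespace continues the value
        { flush(); cur = $0 }                # a new "name = value" line starts
        END { flush(); print (verdict == "" ? "unset" : verdict) }
    ' "$1"
}

# Constructed sample inputs (not taken from a live server).
relay_guard_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'smtpd_recipient_restrictions =' '    permit_mynetworks,' \
        '    permit_sasl_authenticated,' '    reject_unauth_destination,' \
        '    reject_rbl_client bl.spamcop.net,' '    permit' > "$tmp/indented.cf"
    # Same items with the indentation lost: the value is read as empty.
    sed 's/^ *//' "$tmp/indented.cf" > "$tmp/flattened.cf"
    printf '%s\n' 'smtpd_recipient_restrictions = permit_mynetworks, permit,' \
        '    reject_unauth_destination' > "$tmp/misordered.cf"
    for f in indented flattened misordered; do
        echo "$f: $(relay_guard_status "$tmp/$f.cf")"
    done
    rm -rf "$tmp"
}

relay_guard_demo
```

Run relay_guard_status against /etc/postfix/main.cf after editing; anything other than ok means the restriction list should be reviewed before the server accepts mail from outside.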

/etc/postfix/mysql_virtual_alias_maps.cf:

user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address

/etc/postfix/mysql_virtual_domains_maps.cf:

user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = description
where_field = domain
#additional_conditions = and backupmx = '0' and active = '1'

/etc/postfix/mysql_virtual_mailbox_maps.cf:

user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
#additional_conditions = and active = '1'

/etc/postfix/mysql_virtual_mailbox_limit_maps.cf:

user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = quota
where_field = username
#additional_conditions = and active = '1'

/etc/postfix/mysql_relay_domains_maps.cf:

user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '1'

Now over to the next section.

SASL2

For the SMTP authentication to work, the configuration file for SASL2 must be added. Here you can change everything about how the Postfix server behaves in the authentication procedure. First you need to install the SASL2 application:

# apt-get install sasl2-bin libsasl2 libsasl2-modules libsasl2-modules-sql

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
mech_list: LOGIN
sql_hostnames: localhost
sql_user: postfix
sql_passwd: postfix
sql_database: postfix
sql_select: SELECT password FROM mailbox WHERE username = '%u@%r'

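Create the certificates for the Postfix server. Just make sure that the Common Name equals the mail server hostname. The main.cf above expects them as /etc/postfix/sasl/smtpd.cert and /etc/postfix/sasl/smtpd.key, so name or copy the generated files accordingly: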

# openssl genrsa -out server.key 1024
# openssl req -new -key server.key -x509 -out server.cert

Now over to the next section.

Courier IMAP

The Courier IMAP daemon needs to be told that it should use the postfix database for authentication. Note that there must not be ANY spaces in authmysqlrc, only tabs! Also, make sure that the UID and GID fields match the postfix user.

Begin by installing the IMAP server:

# apt-get install courier-imap-ssl

/etc/courier/authmysqlrc:

#DEFAULT_DOMAIN example.net
MYSQL_CRYPT_PWFIELD password
MYSQL_DATABASE postfix
MYSQL_GID_FIELD 102
MYSQL_HOME_FIELD '/home/virtual'
MYSQL_LOGIN_FIELD username
MYSQL_MAILDIR_FIELD maildir
MYSQL_NAME_FIELD name
MYSQL_OPT 0
MYSQL_PASSWORD postfix
#MYSQL_PORT 0
MYSQL_QUOTA_FIELD quota
MYSQL_SERVER localhost
MYSQL_SOCKET /var/run/mysqld/mysqld.sock
MYSQL_UID_FIELD 102
MYSQL_USERNAME postfix
MYSQL_USER_TABLE mailbox
#MYSQL_WHERE_CLAUSE server='mailhost.example.com'
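The Postfix MySQL map files, /etc/postfix/sasl/smtpd.conf and authmysqlrc all store the database password in clear text, and this guide uses the user name as the password throughout. The following audit is an added example, not part of the original guide; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag weak handling of the DB credentials stored in the
# three file layouts used on this page ("k = v", "k: v", "K<tab>v").
# Prints one finding per line; prints nothing when the file is clean.
cred_findings() {
    # Any "other" read bit lets every local account read the password.
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "world-readable"
    fi
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            # Split "key <separator> value" for all three layouts.
            key = line; sub(/[ \t:=].*$/, "", key); key = tolower(key)
            val = line; sub(/^[^ \t:=]+[ \t]*[:=]?[ \t]*/, "", val)
            if (key == "user" || key == "sql_user" || key == "mysql_username") user = val
            if (key == "password" || key == "sql_passwd" || key == "mysql_password") pass = val
        }
        END { if (pass != "" && pass == user) print "password-equals-user" }
    ' "$1"
}

# Constructed sample files (not taken from a live server).
cred_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'user = postfix\npassword = postfix\nhosts = localhost\n' > "$tmp/map.cf"
    printf 'sql_user: postfix\nsql_passwd: postfix\n' > "$tmp/smtpd.conf"
    printf 'MYSQL_USERNAME\tpostfix\nMYSQL_PASSWORD\tconstructed-value\n' > "$tmp/authmysqlrc"
    chmod 644 "$tmp/map.cf"
    chmod 640 "$tmp/smtpd.conf" "$tmp/authmysqlrc"
    for f in map.cf smtpd.conf authmysqlrc; do
        echo "$f: $(cred_findings "$tmp/$f" | tr '\n' ' ')"
    done
    rm -rf "$tmp"
}

cred_demo
```

Run cred_findings against /etc/postfix/mysql_*.cf, /etc/postfix/sasl/smtpd.conf and /etc/courier/authmysqlrc; a clean file prints nothing.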

Now over to the next section.

Postfix admin

Copy the Postfix admin directory to a web directory and read the installation instructions. Now your server should be working, but for simple webmail access Squirrelmail is the way to go.

Squirrelmail

Download the latest version of Squirrelmail and unpack it to an SSL enabled webspace. Configure it to use localhost as SMTP and IMAP, and set the IMAP server to courier. Good plugins are the following. (TODO: Add links to plugins)

  • address_add
  • compatibility
  • notes
  • quicksave
  • sent_confirmation
  • check_quota
  • gpg (development version)
  • retrieveuserdata
  • BayesSpam

Quota support

Note that this step is optional, but if you have lots of users, quota is necessary. Postfix in Debian doesn't support virtual quota out of the box. This isn't a big deal. Just make sure that you have corresponding deb-src entries in your /etc/apt/sources.list file. Don't forget to run apt-get update afterwards to download the latest package information. To patch the Postfix source, do the following:

# apt-get source postfix
# apt-get build-dep postfix
# wget http://web.onda.com.br/nadal/postfix/VDA/postfix-2.1.5-trash.patch.gz
# zcat postfix-2.1.5-trash.patch.gz | patch -p0
# cd postfix-2.1.5
# dpkg-buildpackage -rfakeroot -uc -b
# cd ..
# dpkg --install postfix*.deb

The new Postfix packages should now be installed and the quota should now be working!

IMAP Proxy Daemon

Since Squirrelmail is stateless, it makes a new connection to the IMAP server every time it needs some data. If you have lots of users accessing the IMAP server simultaneously, this can have a tremendous impact on performance. To remedy this, a proxy server can be used. To install an IMAP proxy in Debian, do the following:

# apt-get install imapproxy

You will need to change the configuration somewhat. The file to edit is /etc/imapproxy.conf, so open it up with your favourite editor and make it look like the following.

/etc/imapproxy.conf:

server_hostname localhost
cache_size 3072
listen_port 144
server_port 143
cache_expiration_time 900
proc_username nobody
proc_groupname nogroup
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache no
foreground_mode no

Now start the daemon and change the IMAP server port in Squirrelmail to 144. Your IMAP connections will now be cached, which will speed up Squirrelmail.

References

Virtual Users and Domains with Courier-IMAP and MySQL