Description: Install courier on server Implementation: Login as root Install fam and courier-imap-ssl through aptitude Create directories for web-based administration? No In /etc/postfix/main.cf, add line: home_mailbox = Maildir/ Restart service service postfix restart You may need to run maildirmake Maildir when in homedir? Verification: Should be able to login as root on imap from outside of LAN Should be able to login as root on imap with STARTTLS from outside of LAN
Description: Configure your DNS server to include SPF records for your domain. The only acceptable as a source of e-mail from your domain is your server. The SPF record should reflect this. Implementation: Add line to /etc/bind/db.d4.sysinst.ida.liu.se: @ IN TXT "v=spf1 mx -all" Restart service: service bind9 reload Verification: dig d4.sysinst.ida.liu.se TXT should return the above line Sending an email from server.d4.sysinst.ida.liu.se to e.g. a gmail should have a ‘Received-SPF: pass’ in the header. Sending an email from another client should have a ‘Received-SPF: fail’ in the header
Basically, postfix was configured with ipv6 support when the OS does not provide it Starting Postfix Mail Transport Agent: postfixpostmulti: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol postmulti: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol postfix: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol Solution: sudo postconf -e 'inet_protocols = ipv4' sudo /etc/init.d/postfix restart
Description: Clients should use server.d4.sysinst.ida.liu.se for LDAP authentication Implementation: Login to computers as root Install package libnss-ldapd Set LDAP server URI: ldap://server.d4.sysinst.ida.liu.se Set LDAP server search base: dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se Set LDAP server to use all services In /etc/nsswitch.conf, replace compat with files In /etc/pam.d/common-session, add line to end: session required pam_mkhomedir.so skel=/etc/skel umask=0022
Description: Configure LDAP to the domain d4.sysinst.ida.liu.se Implementation: Login to server as root Install the packages slapd, ldap-utils and migrationtools Set /etc/ldap/ldap.conf so contain the following: # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se URI ldapi:/// In /etc/migrationtools/migrate_common.ph, locate and set the following: $DEFAULT_MAIL_DOMAIN = "d4.sysinst.ida.liu.se"; $DEFAULT_BASE = "dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se"; cd /usr/share/migrationtools ./migrate_all_online.sh Install package libnss-ldapd through aptitude, use all services Edit /etc/nsswitch.conf, change all “compat” to “files” In /etc/pam.d/common-session, add line to end: session required pam_mkhomedir.so skel=/etc/skel umask=0022 Verification: Create /root/olle.ldif root@server:~# cat user.ldif dn: uid=olle,ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: olle uid: olle uidNumber: 10000 gidNumber: 100 homeDirectory: /home/olle loginShell: /bin/bash gecos: olle userPassword: {crypt}x shadowLastChange: 0 shadowMax: 99999 shadowWarning: 0 ldapadd -W -D "cn=admin,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se" -f olle.ldif ...
Description: Need to install DNS on server with the following configuration: It must respond authoritatively to all non-recursive queries for names in the zones it is authoritative for. It must respond to all recursive queries from the hosts on its own network. It must not respond to any recursive queries from any outside host (i.e. host not on its own network). Apart from the queries in (1), it should not respond to any queries from any outside host. It must contain valid zone data for its zone(s). The cache parameters must be chosen sensibly It must not be susceptible to the standard cache poisoning attacks. See http://www.kb.cert.org/vuls/id/800113 for details. Test its DNS server using porttest.dns-oarc.net (see http://www.dns-oarc.net/oarc/services/porttest). It should have the following normal zone: ...
Description: Install quagga on gw and configure it so traffic can be forwarded between internet and the virtual LAN Implementation: Enable ip-forwarding: In /etc/sysctl.conf: Uncomment net.ipv4.ip_forward=1 Restart gw Installation: Run aptitude Locate and install metapackage quagga Configuration: In /etc/quagga/daemons, set the following: zebra=yes ripd=yes Create /etc/quagga/zebra.conf (owned by quagga:quagga, mode 640): hostname gw.d4.sysinst.ida.liu.se password read_password enable password write_password log file /var/log/quagga/zebra.log ip forwarding ipv6 forwarding Create /etc/quagga/ripd.conf (owned by quagga:quagga, mode 640): hostname gw.d4.sysinst.ida.liu.se password read_password enable password write_password log file /var/log/quagga/ripd.conf router rip version 2 network eth1 route 130.236.179.88/29 ! Start: service quagga start ...
# This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not made any basic syntactic errors. # #======================= Global Settings ===================================== [global] netbios name = David workgroup = WORKGROUP server string = David wins support = true dns proxy = no hosts allow = 192.168.1. security = user map to guest = Bad User default service = global #server signing = mandatory ; Doesn't seem to work on OSX #log level = 2 log file = /var/log/samba/%m.log max log size = 50 public = yes available = yes browseable = yes only guest = yes read only = yes ; Disable printers load printers = no printing = bsd printcap name = /dev/null show add printer wizard = no disable spoolss = yes #============================ Share Definitions ============================== [ftp] comment = Public Stuff path = /var/ftp/public read only = no directory mask = 5777 create mask = 5677
Download tarball from www.teamspeak.com Untar to /home/teamspeak Add user/group teamspeak Run the init as teamspeak sudo su - teamspeak ./ts3server_minimal_runscript.sh createinifile=1 Configure ts3server.ini Make sure you can start it (then ^C to kill it) ./ts3server_startscript.sh start Create /etc/systemd/system/teamspeak.service [Unit] Description=Teamspeak server After=network.target [Service] User=teamspeak Group=teamspeak Type=forking PIDFile=/home/teamspeak/ts3server.pid ExecStart=/home/teamspeak/ts3server_startscript.sh start [Install] WantedBy=multi-user.target Test it through systemctl and then enable it sudo systemctl start teamspeak.service sudo systemctl enable teamspeak.service
N.B. This expects a working sendmail installation with STARTTLS Install cyrus-sasl # install cyrus-sasl2 cd /usr/ports/security/cyrus-sasl2 make install clean echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/Sendmail.conf # install cyrus-sasl2-saslauthd cd /usr/ports/security/cyrus-sasl2-saslauthd make install clean echo 'saslauthd_enable="YES"' >> /etc/rc.conf service saslauthd start Set sendmail make flags Set the following flags in /etc/make.conf (create if it doesn’t exist) SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL SENDMAIL_LDFLAGS=-L/usr/local/lib SENDMAIL_LDADD=-lsasl2 Recompile sendmail Did you have the source in /usr/src? Otherwise you will need to run the following command. If you don’t use RELEASE-10, you should change that. ...