If you install one of these qcow2 images above at your VPS provider you can go directly to the SlackerMail install script if you want to install SlackerMail.
chmod 0755 /etc/rc.d/rc.dnsmasq /etc/rc.d/rc.dnsmasq startYou've probably already setup your hostname on the install, but if you didn't you need to do that now. Edit the /etc/HOSTNAME file and enter your Fully
mail.example.orgThen check your /etc/hosts file, and make sure there are lines there referencing your server just like below, but adjust the bottom line for your FQDN:
127.0.0.1 localhost.localdomain localhost 127.0.0.1 mail.example.org mailIf you made any changes above to your network or NetworkManager then restart them and see how it goes with:
/etc/rc.d/rc.networkmanager restart /etc/rc.d/rc.inet1 restartNext I setup the DNS records at my VPS provider for this server. This includes the SPF records, DMARC records, and DKIM key:
Resource record TTL Type Priority Data --------------------------------------------------------------------- mail.example.org 14400 A 0 ip.address example.org 14400 A 0 ip.address www.example.org 14400 A 0 ip.address example.org 14400 MX 10 mail.example.org example.org 14400 TXT 0 v=spf1 mx -all # This is how I do the SPF record, but you can adjust this to your liking. _dmarc.example.org 14400 TXT 0 v=DMARC1; p=none; pct=100; fo=1; rua=mailto:you@example.org # This is how I do the DMARC record, but you can adjust this to your liking. dkim._domainkey.example.org 14400 TXT 0 v=DKIM1;p= # This is where you put the DKIM key that was generated during the SlackerMail install.You will have to wait until SlackerMail is installed to retrieve and enter the DKIM key in your DNS Zone Management at your VPS provider.
ip.address mail.example.orgWe'll need to do a full system upgrade next to get the latest security patches and kernel for our system. If you haven't already edited "/etc/slackpkg/mirrors"
Important! Before you go any further make sure that mysqld does not start at boot, and is not running. The latest Slackware mariadb-10.5.26 security update will
not install like older versions of mysqld prior to mariadb-10.5.25 did, and will cause problems.
Run the following commands to make sure mysqld is not running and will not start at boot:
/etc/rc.d/rc.mysqld stop >/dev/null 2>&1 chmod 0644 /etc/rc.d/rc.mysqldYou can now safely do a full system upgrade.
Run the commands below to do a full system upgrade:
slackpkg update slackpkg upgrade-allYou will be asked what you want to do with the new config files. I always enter "k" to keep the old config files and install the new config files with a .new extension
Important! The kernel is updated during this upgrade, so you'll have to update your bootloader.
If lilo is your bootloader, run the command below:
liloIf grub is your bootloader, run the command below:
grub-mkconfig -o /boot/grub/grub.cfgNow do a reboot!
Next, imagick.so requires some X libs and fontconfig to be installed, so we'll install the needed X libs and fontconfig with:
slackpkg install libX11 libXpm libxcb libXau libXdmcp libXext libXt libSM libICE fontconfigLastly we'll need to install some perl modules needed by SlackerMail:
export PERL_MM_USE_DEFAULT=1 cpan install CPAN cpan install App::cpanminus cpanm -n Log::Log4perl cpanm -n Test::Deep Test::Base Test::YAML YAML Module::Signature Module::Build Test::Pod Test::Pod::Coverage Test::Perl::Critic \ inc::latest Encode::Detect Image::Info TimeDate Net::LibIDN Net::SSLeay Socket6 IO::Socket::IP IO::Socket::SSL IO::Socket::INET6 \ Crypt::OpenSSL::Bignum Crypt::OpenSSL::Random Crypt::OpenSSL::RSA Geography::Countries IP::Country Digest::SHA Digest::SHA1 Digest::HMAC \ Digest::MD5 HTML::Tagset HTML::Parser Test::LeakTrace Authen::NTLM Data::Dump LWP Net::CIDR::Lite PAR::Dist ExtUtils::MakeMaker ExtUtils::Install \ Net::HTTP WWW::RobotRules HTTP::Date File::Listing IO::HTML Encode::Locale LWP::Protocol::https LWP::MediaTypes HTTP::Message HTTP::Negotiate \ HTTP::Cookies HTTP::Daemon Bundle::LWP NetAddr::IP Net::Server Net::Ident MailTools Net::IP Net::DNS Net::DNS::Resolver::Programmable \ Mail::SPF Mail::DKIM Geo::IP Net::Patricia Convert::TNEF Convert::UUlib Convert::BinHex Archive::Zip IO::Stringy MIME::Tools Unix::Syslog \ BerkeleyDB IO::Multiplex Net::LibIDN File::LibMagic Archive::Tar Archive::SevenZip Inline::C Authen::PAM IO::Pty Razor2::Client::Agent \ Algorithm::Diff B::COW Net::DNS::Resolver::Mock File::Copy::Recursive File::Slurp Hook::LexWrap Sub::Uplevel Text::Diff YAML::LibYAML \ Tie::IxHashWe are now ready to install SlackerMail with the SlackerMail install script at this point.
mkdir -p /root/tmp cd /root/tmp/ wget https://github.com/webmin/webmin/releases/download/2.202/webmin-2.202.tar.gz tar -xf webmin-2.202.tar.gz rm /root/tmp/webmin-2.202.tar.gz cd webmin-2.202 ./setup.sh /usr/local/webmin cd /root rm -R /root/tmp/webmin-2.202You will be asked a few questions, then webmin will install. For this howto it is best to accept all the defaults, and enter your desired password when asked.
echo '#!/bin/bash rm /var/webmin/miniserv.pid >/dev/null 2>&1 /etc/webmin/start >/dev/null 2>&1' > /etc/rc.d/rc.localIf webmin is started at boot we'll need to shut it down on reboot or shutdown. We'll need to create the /etc/rc.d/rc.local_shutdown file, and add the needed
echo '#!/bin/bash /etc/webmin/stop >/dev/null 2>&1 rm /var/webmin/miniserv.pid >/dev/null 2>&1' > /etc/rc.d/rc.local_shutdown chmod 0755 /etc/rc.d/rc.local_shutdownThe reason I put "rm /var/webmin/miniserv.pid" after webmin is stopped is, in some situations webmin doesn't delete the old miniserv.pid file when stopped.
allow=your-ip-addressIf you want webmin to be even more secure don't start it at boot, but only start it when you need it with the command above at the command line.
cd /root/tmp wget https://the-slacker.com/download/php-imagick-3.7.0-x86_64-2_SBo.tgz installpkg php-imagick-3.7.0-x86_64-2_SBo.tgz rm php-imagick-3.7.0-x86_64-2_SBo.tgzThen create new /etc/php.d/imagick.ini file with:
echo -e 'extension=imagick.so' > /etc/php.d/imagick.iniThen we need to create a Diffie–Hellman key exchange (DH) that we will use in our webserver, postfix, dovecot, etc.
cd /root/tmp openssl dhparam -out dh2048_param.pem 2048 mv -f dh2048_param.pem /etc/ssl/
cd /root/tmp wget https://the-slacker.com/download/httpd.conf mv -f httpd.conf /etc/httpd/Next make sure Apache is startable at boot:
chmod 0755 /etc/rc.d/rc.httpdDownload and install /etc/php-fpm.d/www.conf:
cd /root/tmp wget https://the-slacker.com/download/www.conf.apache mv -f www.conf.apache /etc/php-fpm.d/www.confNow we make sure php-fpm is executable and can be started at boot, and then start it with:
chmod 0755 /etc/rc.d/rc.php-fpm /etc/rc.d/rc.php-fpm startTo make sure php-fpm starts at boot we'll need to append to the rc.local file with:
echo -e '/etc/rc.d/rc.php-fpm start > /dev/null 2>&1' >> /etc/rc.d/rc.localThen if you haven't aleready done so for webmin, create and make executable the /etc/rc.d/rc.local_shutdown file:
echo -e '#!/bin/bash' > /etc/rc.d/rc.local_shutdown chmod 0755 /etc/rc.d/rc.local_shutdownThen we need to append the following to the /etc/rc.d/rc.local_shutdown file:
echo -e '/etc/rc.d/rc.php-fpm stop > /dev/null 2>&1' >> /etc/rc.d/rc.local_shutdownApache will not work like we need it to yet without SSL certs. Next we get free Let's Encrypt certs.
/etc/rc.d/rc.httpd stop chmod 0644 /etc/rc.d/rc.httpdThen create the nginx user and group with:
useradd -r -M -U -c "Nginx web server" -d /var/lib/nginx -s /bin/false nginxThen download and install Nginx with:
cd /root/tmp wget https://the-slacker.com/download/nginx-1.26.2-x86_64-1_SBo.tgz installpkg nginx-1.26.2-x86_64-1_SBo.tgz rm nginx-1.26.2-x86_64-1_SBo.tgzNext download and install the needed Nginx config files with:
wget https://the-slacker.com/download/nginx.conf mv -f nginx.conf /etc/nginx/ wget https://the-slacker.com/download/mailserver.conf mv -f mailserver.conf /etc/nginx/conf.d/Then we need to change ownership of /var/lib/php:
chown root:nginx /var/lib/phpDownload and install /etc/php-fpm.d/www.conf:
wget https://the-slacker.com/download/www.conf.nginx mv -f www.conf.nginx /etc/php-fpm.d/www.confNow we make sure nginx and php-fpm are executable and can be started at boot:
chmod 0755 /etc/rc.d/rc.nginx chmod 0755 /etc/rc.d/rc.php-fpmNow make Nginx and PHP-FPM start at boot with the following echo command:
echo -e '/etc/rc.d/rc.nginx start >/dev/null 2>&1 /etc/rc.d/rc.php-fpm start >/dev/null 2>&1' >> /etc/rc.d/rc.localThen we need to add the following to /etc/rc.d/rc.local_shutdown with the following echo command:
echo -e '/etc/rc.d/rc.nginx stop >/dev/null 2>&1 /etc/rc.d/rc.php-fpm stop >/dev/null 2>&1' >> /etc/rc.d/rc.local_shutdownFinally you can download and install a preconfigured robots.txt file to your web server's root directory if you want. It has rules to allow some good bots
For Apache: wget https://the-slacker.com/download/robots.txt mv -f robots.txt /var/www/htdocs/ For Nginx: wget https://the-slacker.com/download/robots.txt mv -f robots.txt /var/www/html/Next we setup free Let's Encrypt SSL certs so our webserver can serve legit https.
mkdir -p /var/www/htdocs/.well-known/acme-challenge chgrp -R apache /var/www/htdocs/.well-knownThen create a new /etc/dehydrated/config file with the following echo command, and edit it with your email address:
echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory" CHALLENGETYPE="http-01" WELLKNOWN="/var/www/htdocs/.well-known/acme-challenge" CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/configThen create the /etc/dehydrated/domains.txt file, and then edit for your FQDN and subdomains:
echo -e 'mail.example.org www.example.org example.org' > /etc/dehydrated/domains.txtNext restart Apache with:
/etc/rc.d/rc.httpd restartNotice! Make sure you can reach your domain at http://example.org before you proceed with Let's Encrypt SSL certs.
/usr/bin/dehydrated --register --accept-terms dehydrated -cIf everything seemed to work properly then set the permissions below, and of coarse adjust for your domain name.
chmod 0755 /etc/dehydrated/certs /etc/dehydrated/certs/mail.example.org chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}Then download the preconfigured httpd-ssl.conf file and move it to /etc/httpd/extra/httpd-ssl.conf:
cd /root/tmp wget https://the-slacker.com/download/httpd-ssl.conf mv -f httpd-ssl.conf /etc/httpd/extra/Then edit /etc/httpd/httpd.conf and uncomment the following:
# Secure (SSL/TLS) connections Include /etc/httpd/extra/httpd-ssl.confThen edit /etc/httpd/extra/httpd-ssl.conf and adjust for your domain starting at line 124.
SSLCertificateFile "/etc/dehydrated/certs/mail.example.org/fullchain.pem" SSLCertificateKeyFile "/etc/dehydrated/certs/mail.example.org/privkey.pem"Next restart httpd to see if it's working properely:
/etc/rc.d/rc.httpd restartIf you want to allow only https, then uncomment the 3 Rewrite lines below in the /etc/httpd.conf file:
Listen 80 #RewriteEngine On #RewriteCond %{HTTPS} off #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
mkdir -p /var/www/html/.well-known/acme-challenge chgrp -R nginx /var/www/html/.well-knownThen create a new /etc/dehydrated/config file with the following echo command, and edit it with your email address:
echo -e 'CA="https://acme-v02.api.letsencrypt.org/directory" CHALLENGETYPE="http-01" WELLKNOWN="/var/www/html/.well-known/acme-challenge" CONTACT_EMAIL="admin@example.org"' > /etc/dehydrated/configThen create the /etc/dehydrated/domains.txt file, and then edit for your FQDN and subdomains:
echo -e 'mail.example.org www.example.org example.org' > /etc/dehydrated/domains.txtNext we need to run Nginx in http mode to get the Let's Encrypt certs for the first time, so we'll need to use a temporary
mv -f /etc/nginx/conf.d/mailserver.conf /etc/nginx/conf.d/mailserver.conf.bakThen create the temporary mailserver config file with the following echo command.
echo -e "# HTTP server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /var/www/html; index index.html index.htm; } }" > /etc/nginx/conf.d/temp.confNext restart Nginx with:
/etc/rc.d/rc.nginx restartNotice! Make sure you can reach your domain at http://example.org before you proceed with Let's Encrypt SSL certs.
/usr/bin/dehydrated --register --accept-terms dehydrated -cIf everything seemed to work properly then set the permissions below, and of coarse adjust for your domain name.
chmod 0755 /etc/dehydrated/certs /etc/dehydrated/certs/mail.example.org chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*}Then change back to the original mailserver.conf file
rm /etc/nginx/conf.d/temp.conf mv -f /etc/nginx/conf.d/mailserver.conf.bak /etc/nginx/conf.d/mailserver.confThen edit /etc/nginx/mailserver.conf and adjust the following two lines to match your domain.
ssl_certificate /etc/dehydrated/certs/mail.example.org/fullchain.pem; ssl_certificate_key /etc/dehydrated/certs/mail.example.org/privkey.pem;Next restart php-fpm and nginx to see if it's working properely:
/etc/rc.d/rc.php-fpm restart /etc/rc.d/rc.nginx restartYou should be able to reach https://example.org (with your doamain name)
echo -e '#!/bin/sh MYLOG=/var/log/dehydrated echo "Checking cert renewals at `date`" > $MYLOG /usr/bin/dehydrated -c >> $MYLOG 2>&1 chmod 0644 /etc/dehydrated/certs/mail.example.org/{cert-*,chain-*,fullchain-*} mail -s "Let'\''s Encrypt Certs Renewal" -r dehydrated@example.org root@example.org < /var/log/dehydrated' > /etc/cron.weekly/dehydrated-renew Then make it executable with the following: chmod 0755 /etc/cron.weekly/dehydrated-renewThen run dehydrated-renew to see if it's working and logging properly:
/etc/cron.weekly/dehydrated-renew cat /var/log/dehydrated
cd /root/tmp wget https://the-slacker.com/download/rc.firewall mv -f rc.firewall /etc/rc.d/You may need to change the line INET_IFACE="eth0" in the downloaded /etc/rc.d/rc.firewall to match your system.
"$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT" to "$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP"I have ports 80, 443, 25, 587, 110, 143, 995, 993, 22, 10000 open in the downloaded rc.firewall. These are the ports needed to be open for this how-to, but you
chmod 0755 /etc/rc.d/rc.firewall /etc/rc.d/rc.firewall startThe iptables firewall should be running now and doing it's job. It will automatically start at boot.
Make sure mysqld isn't running and not started at boot with:
/etc/rc.d/rc.mysqld stop >/dev/null 2>&1 chmod 0644 /etc/rc.d/rc.mysqldThen create the mysql database with:
mysql_install_db --user=mysqlThen enable networking by commenting #SKIP="--skip-networking in the /etc/rc.d/rc.mysqld file with the following sed command:
sed -i '/SKIP="--skip-networking"/c\#SKIP="--skip-networking"' /etc/rc.d/rc.mysqldThen make sure mysqld is set to start at boot and start it with:
chmod 755 /etc/rc.d/rc.mysqld /etc/rc.d/rc.mysqld restart >/dev/null 2>&1Mariadb should be up and running now.
mysqladmin -u root password put-mysql-password-hereSince we enabled networking, we need to run:
mysqladmin -u root -h localhost password put-mysql-password-hereFor security reasons you should delete the anonymous users and drop the test database with:
mysql -u root [none]> drop database test; [none]> use mysql; [mysql]> SELECT user, host FROM user; [mysql]> DELETE FROM user WHERE user=''; [mysql]> FLUSH PRIVILEGES; [mysql]> QUIT;Next download and install a preconfigured /etc/my.cnf.d/server.cnf file with the following:
cd /root/tmp wget https://the-slacker.com/download/server.cnf mv -f server.cnf /etc/my.cnf.d/Next create a new /etc/my.cnf.d/client.cnf file with the following echo command:
echo -e '[client] default-character-set = utf8mb4 [client-mariadb]' > /etc/my.cnf.d/client.cnfNext we need to create the directory for the mysql logs:
mkdir /var/log/mysql chown mysql:mysql /var/log/mysqlNow restart mysqld and see if it works with:
/etc/rc.d/rc.mysqld restart > /dev/null 2>&1Next create the vmail user and database we'll need for Postfix, Postfixadmin, and Roundcube. Make it a strong password with
mysql -u root CREATE DATABASE vmail; GRANT ALL PRIVILEGES ON vmail.* TO 'vmail'@'localhost' IDENTIFIED BY 'vmailpassword'; FLUSH PRIVILEGES; QUIT;
echo -e "ssl_min_protocol = TLSv1.2 ssl = required verbose_ssl = no ssl_cert = </etc/dehydrated/certs/mail.example.org/fullchain.pem ssl_key = </etc/dehydrated/certs/mail.example.org/privkey.pem ssl_dh = </etc/ssl/dh2048_param.pem # Fix 'The Logjam Attack' ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH ssl_prefer_server_ciphers = yes" > /etc/dovecot/conf.d/10-ssl.confMake sure to adjust the above to reflect the location of your ssl certs.
chmod 0755 /etc/rc.d/rc.dovecot /etc/rc.d/rc.dovecot startDovecot should start now.
groupadd -g 150 vmail useradd -r -d /var/vmail -s /bin/false -u 150 -g 150 vmail mkdir /var/vmail chmod 770 /var/vmail chown vmail:vmail /var/vmailThen we create a new /etc/dovecot/dovecot-sql.conf.ext file with:
echo -e "driver = mysql connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=vmailpassword default_pass_scheme = SHA512-CRYPT password_query = \\ SELECT username as user, password, '/var/vmail/%d/%n' as \\ userdb_home, 'maildir:/var/vmail/%d/%n' as userdb_mail, \\ 150 as userdb_uid, 150 as userdb_gid \\ FROM mailbox WHERE username = '%u' AND active = '1' user_query = \\ SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' \\ as vmail, 150 AS uid, 150 AS gid, \\ concat('dirsize:storage=', quota) AS quota \\ FROM mailbox WHERE username = '%u' AND active = '1'" > /etc/dovecot/dovecot-sql.conf.extMake sure to adjust /etc/dovecot/dovecot-sql.conf.ext with your earlier made vmail password.
chmod 0600 /etc/dovecot/dovecot-sql.conf.extNext create a new /etc/dovecot/conf.d/10-auth.conf file with:
echo -e 'disable_plaintext_auth = yes auth_mechanisms = plain login !include auth-sql.conf.ext' > /etc/dovecot/conf.d/10-auth.confNext append to the /etc/dovecot/conf.d/10-mail.conf file with the following:
echo -e 'mail_location = maildir:/var/vmail/%d/%n mail_uid = vmail mail_gid = vmail first_valid_uid = 150 last_valid_uid = 150' >> /etc/dovecot/conf.d/10-mail.confNext we download a preconfigured Dovecot 10-master.conf file, and move it to /etc/dovecot/conf.d/:
cd /root/tmp wget https://the-slacker.com/download/10-master.conf mv -f 10-master.conf /etc/dovecot/conf.d/Next append the following to /etc/dovecot/conf.d/10-logging.conf file with the following echo command,
echo -e '## Log destination. ## log_path = /var/log/dovecot/dovecot.log info_log_path = /var/log/dovecot/dovecot-info.log' >> /etc/dovecot/conf.d/10-logging.confDovecot Pigeonhole for Sieve and ManageSieve support.
cd /root/tmp wget https://the-slacker.com/download/dovecot-pigeonhole-0.5.21.1-x86_64-1_SBo.tgz installpkg dovecot-pigeonhole-0.5.21.1-x86_64-1_SBo.tgz rm dovecot-pigeonhole-0.5.21.1-x86_64-1_SBo.tgzNext we'll need to copy the following example configuration files into the /etc/dovecot/conf.d directory:
cp /usr/doc/dovecot-2.3.17.1/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/ cp /usr/doc/dovecot-2.3.17.1/example-config/conf.d/90-sieve-extprograms.conf /etc/dovecot/conf.d/ cp /usr/doc/dovecot-2.3.17.1/example-config/conf.d/20-managesieve.conf /etc/dovecot/conf.d/We will need to create the following Dovecot configuration files now:
echo -e 'protocol lmtp { postmaster_address = admin@example.org mail_plugins = $mail_plugins sieve quota log_path = /var/log/dovecot/dovecot-lmtp-errors.log info_log_path = /var/log/dovecot/dovecot-lmtp.log }' > /etc/dovecot/conf.d/20-lmtp.confCreate new /etc/dovecot/conf.d/15-lda.conf file with the following echo command, and edit for your domain.
echo -e 'protocol lda { postmaster_address = admin@example.org mail_plugins = $mail_plugins sieve quota auth_socket_path = /var/run/dovecot/auth-master log_path = /var/log/dovecot/dovecot-lda-errors.log info_log_path = /var/log/dovecot/dovecot-lda.log }' > /etc/dovecot/conf.d/15-lda.confAppend the following to the /etc/dovecot/conf.d/10-mail.conf file with this echo command.
echo -e 'mail_home = /var/vmail/%d/%n/sieve' >> /etc/dovecot/conf.d/10-mail.confCreate new /etc/dovecot/conf.d/20-managesieve.conf file with the following echo command:
echo -e 'protocols = $protocols sieve service managesieve-login { inet_listener sieve { port = 4190 } } service managesieve { process_limit = 1024 } protocol sieve { log_path = /var/log/dovecot/dovecot-sieve-errors.log info_log_path = /var/log/dovecot/dovecot-sieve.log managesieve_max_line_length = 65536 managesieve_implementation_string = Dovecot Pigeonhole }' > /etc/dovecot/conf.d/20-managesieve.confCreate new /etc/dovecot/conf.d/90-sieve.conf file with the following echo command:
echo -e 'plugin { sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/sieve/.dovecot.sieve sieve_default = /etc/dovecot/sieve/default.sieve sieve_global = /etc/dovecot/sieve/global/ } lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes' > /etc/dovecot/conf.d/90-sieve.confNow we need to create some files that are needed for our configuration to work:
mkdir -p /etc/dovecot/sieve/global chown -R vmail:vmail /etc/dovecot/sieve/ mkdir /var/log/dovecot chown vmail:vmail /var/log/dovecot chmod 771 /var/log/dovecotThen create the file /etc/dovecot/sieve/default.sieve with the following commands.
echo -e 'require "fileinto"; if header :contains "X-Spam-Flag" "YES" { fileinto "Junk"; }' > /etc/dovecot/sieve/default.sieve chown vmail:vmail /etc/dovecot/sieve/default.sieveAdd postfix to the dovecot group with:
usermod -G dovecot -a postfixDovecot will automatically start at boot if /etc/rc.d/rc.dovecot is set to executable. To make sure it is run the command below:
chmod 0755 /etc/rc.d/rc.dovecot
mkdir -p /etc/postfix/mysqlNow we'll create the 5 needed mysql map files with the needed content.
echo -e "user = vmail password = vmailpassword hosts = 127.0.0.1:3306 dbname = vmail query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' AND alias.address=concat('%u', '@', alias_domain.target_domain) AND alias.active = 1" > /etc/postfix/mysql/mysql_virtual_alias_domainaliases_maps.cfSecond the /etc/postfix/mysql/mysql_virtual_alias_maps.cf file:
echo -e "user = vmail password = vmailpassword hosts = 127.0.0.1:3306 dbname = vmail table = alias select_field = goto where_field = address additional_conditions = and active = '1'" > /etc/postfix/mysql/mysql_virtual_alias_maps.cfThird the /etc/postfix/mysql/mysql_virtual_domains_maps.cf file:
echo -e "user = vmail password = vmailpassword hosts = 127.0.0.1:3306 dbname = vmail table = domain select_field = domain where_field = domain additional_conditions = and backupmx = '0' and active = '1'" > /etc/postfix/mysql/mysql_virtual_domains_maps.cfFourth the /etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cf file:
echo -e "user = vmail password = vmailpassword hosts = 127.0.0.1:3306 dbname = vmail query = SELECT maildir FROM mailbox, alias_domain WHERE alias_domain.alias_domain = '%d' AND mailbox.username=concat('%u', '@', alias_domain.target_domain ) AND mailbox.active = 1" > /etc/postfix/mysql/mysql_virtual_mailbox_domainaliases_maps.cfFifth the /etc/postfix/mysql/mysql_virtual_mailbox_maps.cf file:
echo -e "user = vmail password = vmailpassword hosts = 127.0.0.1:3306 dbname = vmail table = mailbox select_field = CONCAT(domain, '/', local_part) where_field = username additional_conditions = and active = '1'" > /etc/postfix/mysql/mysql_virtual_mailbox_maps.cfMake sure to set your vmail database password created earlier in the 5 files just created.
chmod 0600 /etc/postfix/mysql/*Next download and install the /etc/postfix/main.cf file that I use for this how-to, and of course adjust for your domain and ssl certs:
cd /root/tmp wget https://the-slacker.com/download/main.cf mv -f main.cf /etc/postfix/Then download and install the /etc/postfix/master.cf file that I use for this how-to. Shouldn't have to make any adjustments here:
cd /root/tmp wget https://the-slacker.com/download/master.cf mv -f master.cf /etc/postfix/Then download and install the needed aliases file for this mail serever, then run newaliases at the prompt. Before you run newaliases
wget https://the-slacker.com/download/aliases mv -f aliases /etc/ newaliasesPostfix like Dovecot starts automatically at boot if /etc/rc.d/rc.postfix is set to executable, so make sure it is with:
chmod 0755 /etc/rc.d/rc.postfix
cd /root/tmp wget https://the-slacker.com/download/spamassassin-3.4.6-x86_64-1_SBo.tgz installpkg spamassassin-3.4.6-x86_64-1_SBo.tgz rm spamassassin-3.4.6-x86_64-1_SBo.tgzSpamassassin will be called by Amavisd when needed, so we don't need the spamd daemon enabled. Disable it with:
chmod 0644 /etc/rc.d/rc.spamdThen update the Spamassassin rules with:
sa-updateRust16 is now required to build the latest ClamAV, so you'll need to install the Rust16 SlackBuild package with:
cd /root/tmp wget https://the-slacker.com/download/rust16-1.79.0-x86_64-1_SBo.tgz installpkg rust16-1.79.0-x86_64-1_SBo.tgz rm rust16-1.79.0-x86_64-1_SBo.tgzNext we need to install the libmspack SlackBuild package, now required by the latest Clamav:
wget https://the-slacker.com/download/libmspack-0.10.1alpha-x86_64-1_SBo.tgz installpkg libmspack-0.10.1alpha-x86_64-1_SBo.tgz rm libmspack-0.10.1alpha-x86_64-1_SBo.tgzNext install the ClamAV SlackBuild package with:
groupadd -g 210 clamav useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav cd /root/tmp wget https://the-slacker.com/download/clamav-1.4.1-x86_64-1_SBo.tgz installpkg clamav-1.4.1-x86_64-1_SBo.tgz rm clamav-1.4.1-x86_64-1_SBo.tgzAfter ClamAV is installed run the following sed command to set LocalSocketGroup amavis:
sed -i "/LocalSocketGroup clamav/c\LocalSocketGroup amavis" /etc/clamd.confNext we install the amavisd-new SlackBuild package with:
groupadd -g 225 amavis useradd -m -d /var/lib/amavis -s /bin/bash -u 225 -g 225 amavis usermod -G clamav -a amavis usermod -G amavis -a clamav cd /root/tmp wget https://the-slacker.com/download/amavisd-new-2.13.1-noarch-1_SBo.tgz installpkg amavisd-new-2.13.1-noarch-1_SBo.tgz rm amavisd-new-2.13.1-noarch-1_SBo.tgzNext install the alterMIME Slackbuild pkg for writing to mail headers and inserting disclaimers with:
cd /root/tmp wget https://the-slacker.com/download/altermime-0.3.10-x86_64-1_SBo.tgz installpkg altermime-0.3.10-x86_64-1_SBo.tgz rm altermime-0.3.10-x86_64-1_SBo.tgzNow download and install the /etc/amavisd.conf file:
cd /root/tmp wget https://the-slacker.com/download/amavisd.conf mv -f amavisd.conf /etc/You will need to adjust the downloaded /etc/amavisd.conf to match your domain and vmail database password.
mkdir /var/spool/amavisd /var/spool/amavisd/tmp /var/spool/amavisd/db /var/spool/amavisd/var /var/spool/amavisd/quarantine chown -R amavis:amavis /var/spool/amavisdWe need to change ownership and permissions of /etc/amavisd.conf with:
chown root:amavis /etc/amavisd.conf chmod 0640 /etc/amavisd.confWe also need to fix some permissions to get all three of these to play nicely:
chmod 775 /var/lib/spamassassin/ chown -R amavis:amavis /var/lib/spamassassin chown -R amavis:amavis /var/lib/amavis chown -R clamav:amavis /var/lib/clamavNow go ahead and update your virus database by running as root:
freshclamDon't worry if you get a message from freshclam saying clamd was not updated. This is because we have not started clamd yet.
echo -e "/etc/rc.d/rc.clamav start >/dev/null 2>&1" >> /etc/rc.d/rc.local echo -e "/etc/rc.d/rc.amavisd-new start >/dev/null 2>&1" >> /etc/rc.d/rc.localThen run the below 2 echo commands to append clamav and amavisd-new to the rc.local_shutdown file:
echo -e "/etc/rc.d/rc.clamav stop >/dev/null 2>&1" >> /etc/rc.d/rc.local_shutdown echo -e "/etc/rc.d/rc.amavisd-new stop >/dev/null 2>&1" >> /etc/rc.d/rc.local_shutdownDo a reboot and see if everything is working okay so far.
cd /root/tmp openssl genrsa -out example.org.priv 2048 openssl rsa -in example.org.priv -pubout > example.org.pubThen we'll install the dkim keys:
mv -f example.org.priv /etc/ssl/example.org.pem mv -f example.org.pub /etc/ssl/ chown amavis:amavis /etc/ssl/example.org.pem /etc/ssl/example.org.pub chmod 600 /etc/ssl/example.org.pem chmod 644 /etc/ssl/example.org.pubThen we need to edit /etc/amavisd.conf and uncomment the dkim_key line and set your domain name and the path to your
# Add dkim_key here. dkim_key('example.org', 'dkim', '/etc/ssl/example.org.pem');Now restart amavisd with:
/etc/rc.d/rc.amavisd-new restartNext we need to setup our DNS Zone for DKIM:
dkim._domainkey.example.org 14400 TXT v=DKIM1;p=here is where you put your dkim public key from the example.org.pub file we created earlier, all on one line with no spaces.Run the following line of piped commands to format your example.org.pub file for entering into a DNS Zone Record for DKIM, and of course adjust for your domain:
sed '1d;$d' "/etc/ssl/example.org.pub" | sed '1s/.*/v=DKIM1;p=&/' | tr -d '\n' > /root/example.org.pub.txtThat should do it for DKIM
example.org 14400 TXT "v=spf1 mx -all"Next we set the DMARC text record in the DNS Zone Management control panel. Below is how mine is set:
_dmarc.example.org 14400 TXT "v=DMARC1; p=none; pct=100; fo=1; rua=mailto:you@example.org"With the above DKIM, SPF, and DMARC records I get a 100% perfect score from mail-tester.com
groupadd -g 301 postgrey useradd -u 301 -d /var/lib/postgrey -s /bin/false -g postgrey postgreyThen we install the SlackBuild Postgrey package:
cd /root/tmp wget https://the-slacker.com/download/postgrey-1.37-x86_64-1_SBo.tgz installpkg postgrey-1.37-x86_64-1_SBo.tgz rm postgrey-1.37-x86_64-1_SBo.tgzThen update the postgrey_whitelist_clients file:
cd /root/tmp wget https://postgrey.schweikert.ch/pub/postgrey_whitelist_clients mv -f postgrey_whitelist_clients /etc/postfix/Then create a new /etc/postgrey.conf file, and edit for your domain:
echo -e 'PORT=10023 PIDFILE=/var/run/postgrey/postgrey.pid USER=postgrey GROUP=postgrey HOST=mail.example.org' > /etc/postgrey.confThen make /etc/rc.d/rc.postgrey executable with:
chmod 0755 /etc/rc.d/rc.postgreyThen run the following echo command to append "rc.postgrey start" in the /etc/rc.d/rc.local start file:
echo -e "/etc/rc.d/rc.postgrey start >/dev/null 2>&1" >> /etc/rc.d/rc.localThen run the following echo command to append "rc.postgrey stop" to the /etc/rc.d/rc.local_shutdown file:
echo -e "/etc/rc.d/rc.postgrey stop >/dev/null 2>&1" >> /etc/rc.d/rc.local_shutdownThen start it up and see if it works with:
/etc/rc.d/rc.postgrey start
cd /root/tmp wget logwatch-7.11-noarch-1_SBo.tgz installpkg logwatch-7.11-noarch-1_SBo.tgz rm logwatch-7.11-noarch-1_SBo.tgzThen we need to setup a cron.daily job to email root a daily report:
rm /etc/cron.daily/0logwatch touch /etc/cron.daily/0logwatch chmod 0755 /etc/cron.daily/0logwatchThen run the following echo command to create the logwatch daily cron job:
echo '#!/bin/sh #Set logwatch location LOGWATCH_SCRIPT="/usr/sbin/logwatch" #Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf, #but some are only for the nightly cronrun such as --output mail and should be set here. #Other options to consider might be "--format html" or "--encode base64", man logwatch for more details. OPTIONS="--output mail" #Call logwatch $LOGWATCH_SCRIPT $OPTIONS exit 0' >> /etc/cron.daily/0logwatchThen create the /etc/logwatch/conf/services/postfix.conf file with the following echo command:
echo '$postfix_Enable_Long_Queue_Ids = Yes' > /etc/logwatch/conf/services/postfix.conf
cd /var/www wget https://github.com/postfixadmin/postfixadmin/archive/refs/tags/postfixadmin-3.3.13.tar.gz tar -xf postfixadmin-3.3.13.tar.gz rm postfixadmin-3.3.13.tar.gz ln -s postfixadmin-postfixadmin-3.3.13 postfixadmin cd postfixadmin mkdir -p templates_c If Apache is your webserver run the following: chown apache:root templates_c If Nginx is your webserver run the following: chown nginx:root templates_cMake a copy of config.inc.php to config.local.php and make your changes there.
cp /var/www/postfixadmin/config.inc.php /var/www/postfixadmin/config.local.phpThen we'll create the setup_password for postfixadmin. Copy, paste, and run all 7 lines of code below at once to get postfixadmin
mkdir -p /root/SlackerMail PASSWD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1) echo $PASSWD > /root/SlackerMail/postfixadmin_setup.pass SETUPPASS=$(cat /root/SlackerMail/postfixadmin_setup.pass) HASHPASS=$(doveadm pw -p $SETUPPASS) echo $HASHPASS | cut -c 8- > /root/SlackerMail/postfixadmin_setup_hashed.pass chmod 0600 /root/SlackerMail/postfixadmin_setup.pass /root/SlackerMail/postfixadmin_setup_hashed.passThen enter the hashed password from /root/SlackerMail/postfixadmin_setup_hashed.pass in the setup_password field in
$CONF['configured'] = true; $CONF['setup_password'] = 'hashed-password-here'; $CONF['database_type'] = 'mysqli'; $CONF['database_user'] = 'vmail'; $CONF['database_password'] = "vmail-db-password-here"; $CONF['database_name'] = 'vmail'; $CONF['database_host'] = 'localhost'; $CONF['database_port'] = '3306'; //$CONF['database_socket'] = ''; Comment out, since we are using port instead of socket. $CONF['admin_email'] = 'admin@example.org'; $CONF['default_aliases'] = array ( 'abuse' => 'admin@example.org', 'hostmaster' => 'admin@example.org', 'postmaster' => 'admin@example.org', 'webmaster' => 'admin@example.org', 'virusalert' => 'admin@example.org', 'root' => 'admin@example.org' ); $CONF['domain_path'] = 'NO'; $CONF['domain_in_mailbox'] = 'YES'; $CONF['footer_text'] = 'Return to example.org'; $CONF['footer_link'] = 'https://example.org';' $CONF['emailcheck_resolve_domain']='NO'; $CONF['password_expiration'] = 'NO'; $CONF['version'] = '3.3.13';Next create the needed postfixadmin tables for the vmail mysql database with:
php /var/www/postfixadmin/public/upgrade.phpThen create the superadmin user for postfixadmin. The password and password2 must be the same password that you want for the superadmin
/var/www/postfixadmin/scripts/postfixadmin-cli admin add admin@example.org --superadmin 1 --active 1 --password admin-password --password2 admin-passwordThen add your domain to postfixadmin. You can adjust --aliases, --mailboxes, and --description to whatever you want.
/var/www/postfixadmin/scripts/postfixadmin-cli domain add example.org --aliases 100 --mailboxes 100 --active 1 --description example.orgLastly add the mailbox for admin@example.org, and again enter the same password twice. You can adjust --name to your liking, and you can
/var/www/postfixadmin/scripts/postfixadmin-cli mailbox add admin@example.org --name admin --quota 100 --active 1 --password roundcube-mailbox-password --password2 roundcube-mailbox-passwordNow you should be able to login to postfixadmin at https://example.org/postfixadmin as admin@example.org with your admin-password. After
PASSWD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1) echo $PASSWD > /root/SlackerMail/roundcube_password.pass chmod 0600 /root/SlackerMail/roundcube_password.passWe'll need to create the mysql database for roundcubemail with:
mysql -u root CREATE DATABASE roundcubemail CHARACTER SET utf8 COLLATE utf8_general_ci; CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcube_password'; GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost'; FLUSH PRIVILEGES; QUIT;Then we'll download and install Roundcube Webmail with:
cd /var/www wget https://github.com/roundcube/roundcubemail/releases/download/1.6.9/roundcubemail-1.6.9-complete.tar.gz tar -xf roundcubemail-1.6.9-complete.tar.gz rm roundcubemail-1.6.9-complete.tar.gz ln -s roundcubemail-1.6.9 roundcubemail If Apache is your webserver run the following: chown apache:root -h /var/www/roundcubemail chown -R apache:root /var/www/roundcubemail-1.6.8 If Nginx is your webserver run the following: chown nginx:root -h /var/www/roundcubemail chown -R nginx:root /var/www/roundcubemail-1.6.8 Then run the following: cd roundcubemail mysql -u roundcube roundcubemail -proundcube_password < SQL/mysql.initial.sqlNext I had to create a postfix file that roundcube expects:
echo '#submission header checks file' >> /etc/postfix/submission_header_checksYou can setup Roundcube with the installer wizard, but it's easier for me to do it manually.
DESKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1) echo $DESKEY > /root/SlackerMail/roundcubemail.deskeyThe 24-character-Des-Key will be in the /root/SlackerMail/roundcubemail.deskey file, so just copy that and paste it into
cd /root/tmp wget https://the-slacker.com/download/config.inc.php.txt mv -f config.inc.php.txt /var/www/roundcubemail/config/config.inc.php If your webserver is Apache run the following: chown apache:apache /var/www/roundcubemail/config/config.inc.php If your webserver is Nginx run the following: chown nginx:nginx /var/www/roundcubemail/config/config.inc.php Then run the following: chmod 0600 /var/www/roundcubemail/config/config.inc.phpYou'll need to edit the following fields in /var/www/roundcubemail/config/config.inc.php:
$config['db_dsnw'] = 'mysql://roundcube:password-here@localhost/roundcubemail'; $config['support_url'] = 'https://example.org'; $config['des_key'] = '24-character-Des-Key';Now go to https://example.org/mail and login to admin@example.org that you created earlier with postfixadmin, good luck! There
echo "SyslogFacility AUTHPRIV" >> /etc/ssh/sshd_configNow we download and install the Fail2ban SlackBuild pkg to help with all the attempts to break in to the server:
cd /root/tmp wget https://the-slacker.com/download/fail2ban-1.0.2-x86_64-1_SBo.tgz installpkg fail2ban-1.0.2-x86_64-1_SBo.tgz rm fail2ban-1.0.2-x86_64-1_SBo.tgzYou'll see a warning during installation, but it will install, and work properly.
echo "[Definition] # Option: loglevel. Default is ERROR # Available options: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG loglevel = INFO # Set the log target logtarget = /var/log/fail2ban.log" > /etc/fail2ban/fail2ban.localCreate the /etc/fail2ban/jail.local file with needed content with the following echo command:
echo "[DEFAULT] # time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day) findtime = 3600 bantime = 604800 maxretry = 3 ignoreip = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" > /etc/fail2ban/jail.localYou can put your ip address at the end of the ignoreip line if you want fail2ban to ignore it.
echo "[sshd] backend = polling enabled = true filter = sshd logpath = /var/log/secure" > /etc/fail2ban/jail.d/sshd.localNotice! - If you use /etc/hosts.allow and /etc/hosts.deny to limit access to sshd you can omit the fail2ban sshd jail.
chmod 755 /etc/rc.d/rc.fail2ban /etc/rc.d/rc.fail2ban startHopefully fail2ban is running and banning ip's now.
echo "# Got this from iRedMail [postfix-pregreet] backend = polling enabled = true maxretry = 1 filter = postfix-pregreet logpath = /var/log/maillog" > /etc/fail2ban/jail.d/postfix-pregreet.localCreate the /etc/fail2ban/filter.d/postfix-pregreet.conf file with the following echo command:
echo "# Got this from iRedMail [Definition] # Block clients which cannot pass Postfix postscreen pregreet test. # FYI: http://www.postfix.org/POSTSCREEN_README.html#pregreet # # The SMTP protocol is a classic example of a protocol where the server speaks # before the client. postscreen(8) detects zombies that are in a hurry and that # speak before their turn. failregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: # while setting up new account, Thunderbird doesn't wait for server connection # greeting/banner, this causes Thunderbird cannot pass the Postfix pregreet # test and caught by \`failregex\` rules listed above (the rule contains # 'PREGREET' line). # FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41 ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org" > /etc/fail2ban/filter.d/postfix-pregreet.confCreate the postfix jail:
echo "# Got this from iRedMail [postfix] backend = polling enabled = true filter = postfix-2 logpath = /var/log/maillog" > /etc/fail2ban/jail.d/postfix.localCreate the /etc/fail2ban/filter.d/postfix-2.local file with the following echo command:
echo "# Got this from iRedMail [Definition] # *) '554 5.7.1' is 'Helo command rejected: ACCESS DENIED' # # 'ACCESS DENIED' is string defined in postfix restriction rule \`check_helo_access\`. # no all rules contains 'ACCESS DENIED', so we use status code insead. failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed lost connection after AUTH from (.*)\[<HOST>\] reject: RCPT from .*\[<HOST>\]: .*: Relay access denied reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname reject: RCPT from .*\[<HOST>\]: 554 5.7.1 reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command postfix\/submission\/smtpd.*: too many errors after AUTH from .*\[<HOST>\] ignoreregex =" > /etc/fail2ban/filter.d/postfix-2.confCreate the dovecot jail:
echo "# Got this from iRedMail [dovecot] backend = polling enabled = true filter = dovecot-2 logpath = /var/log/dovecot/*.log" > /etc/fail2ban/jail.d/dovecot.localCreate the /etc/fail2ban/filter.d/dovecot-2.conf file with the following echo command:
echo "# Got this from iRedMail [Definition] failregex = Authentication failure.* rip=<HOST> \(auth failed.* rip=<HOST> ignoreregex =" > /etc/fail2ban/filter.d/dovecot-2.confIf Apache is your webserver Create the apache-noscript jail:
echo "[apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/httpd/error_log maxretry = 1" > /etc/fail2ban/jail.d/apache-noscript.localIf Apache is your webserver Create the apache-4xx jail:
echo "[apache-4xx] enabled = true port = http,https filter = apache-4xx logpath = /var/log/httpd/access_log" > /etc/fail2ban/jail.d/apache-4xx.localIf Apache is your webserver Create the /etc/fail2ban/filter.d/apache-4xx.conf file with the following echo command:
echo '[Definition] failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$ ignoreregex =' > /etc/fail2ban/filter.d/apache-4xx.confIf Nginx is your webserver Create the nginx-http-auth jail:
echo "[nginx-http-auth] backend = polling journalmatch= enabled = true filter = nginx-http-auth logpath = /var/log/nginx/error.log" > /etc/fail2ban/jail.d/nginx-http-auth.localThen fail2ban needs to be started at boot and stopped at reboot or shutdown.
echo "/etc/rc.d/rc.fail2ban start >/dev/null 2>&1" >> /etc/rc.d/rc.localAppend "rc.fail2ban stop" to the /etc/rc.d/rc.local_shutdown file with the following echo command:
echo "/etc/rc.d/rc.fail2ban stop >/dev/null 2>&1" >> /etc/rc.d/rc.local_shutdownRestart fail2ban to see if it works:
/etc/rc.d/rc.fail2ban restart
pip3 install mysql-connector-pythonThen we need to add the netdata group and user:
groupadd -g 338 netdata useradd -u 338 -g 338 -c "netdata user" -s /bin/false netdataThen you'll need to grant usage to netdata@localhost. Put your chosen password in the "mysql-netdata-password" field.
mysql -u root GRANT USAGE ON *.* TO netdata@localhost IDENTIFIED BY 'mysql-netdata-password'; FLUSH PRIVILEGES; QUIT;Then download and install Netdata. Netdata will be installed in /opt/netdata.
cd /root/tmp wget https://github.com/netdata/netdata/releases/download/v1.47.5/netdata-v1.47.5.gz.run chmod 0755 netdata-v1.47.5.gz.run ./netdata-v1.47.5.gz.run --accept rm netdata-v1.47.5.gz.runI have Netdata set so authentication is required to sign into netdata, so you'll need to create a netdata.users file with username
printf "netdata:$(openssl passwd -apr1 password)" > /etc/httpd/netdata.users chown apache:apache /etc/httpd/netdata.users chmod 0400 /etc/httpd/netdata.usersFor Nginx webserver run the following:
printf "netdata:$(openssl passwd -apr1 password)" > /etc/nginx/netdata.users chown nginx:nginx /etc/nginx/netdata.users chmod 0400 /etc/nginx/netdata.usersNext download the /etc/rc.d/rc.netdata file, install it, and start netdata:
wget https://the-slacker.com/download/rc.netdata mv -f rc.netdata /etc/rc.d/ chmod 0755 /etc/rc.d/rc.netdata For Apache webserver /etc/rc.d/rc.httpd restart For Nginx webserver /etc/rc.d/rc.nginx restart /etc/rc.d/rc.netdata start >/dev/null 2>&1I am able to get to netdata at https://example.org/netdata now.
chmod 0644 /var/log/fail2ban.logThen in /etc/logrotate.d/fail2ban put the following line in the fail2ban bracketed commands:
create 644 root rootGot Apache to show up in netdata by doing the following:
touch /opt/netdata/etc/netdata/go.d/apache.conf chown netdata:netdata /opt/netdata/etc/netdata/go.d/apache.conf chmod 0640 /opt/netdata/etc/netdata/go.d/apache.confAdd the following to /opt/netdata/etc/netdata/go.d/apache.conf:
jobs: - name: local url: https://127.0.0.1/server-status?auto tls_skip_verify: yesGot mysql to show up in netdata by doing the following:
touch /opt/netdata/etc/netdata/go.d/mysql.conf chown netdata:netdata /opt/netdata/etc/netdata/go.d/mysql.conf chmod 0400 /opt/netdata/etc/netdata/go.d/mysql.confAdd the following to /opt/netdata/etc/netdata/go.d/mysql.conf with the mysql netdata password you created earlier:
jobs: - name: local dsn: netdata:mysql-netdata-password@tcp(127.0.0.1:3306)/Got PHP-FPM to show up in netdata by doing the following:
touch /opt/netdata/etc/netdata/go.d/phpfpm.conf chown netdata:netdata /opt/netdata/etc/netdata/go.d/phpfpm.conf chmod 0640 /opt/netdata/etc/netdata/go.d/phpfpm.confAdd the following to /opt/netdata/etc/netdata/go.d/phpfpm.conf:
jobs: - name: local_socket socket: '/var/run/php-fpm.sock'Create the empty .opt-out-from-anonymous-statistics file to opt out:
touch /opt/netdata/etc/netdata/.opt-out-from-anonymous-statistics chown netdata:netdata /opt/netdata/etc/netdata/.opt-out-from-anonymous-statisticsIf you don't want to recieve emails from netdata, and it can send a lot of emails. I recommend doing the following:
echo 'SEND_EMAIL="NO"' > /opt/netdata/etc/netdata/health_alarm_notify.conf chown netdata:netdata /opt/netdata/etc/netdata/health_alarm_notify.confIf you want netdata to start at boot put the following in /etc/rc.d/rc.local:
/etc/rc.d/rc.netdata start >/dev/null 2>&1Then put the following in /etc/rc.d/rc.local_shutdown:
/etc/rc.d/rc.netdata stop >/dev/null 2>&1Download and install the needed netdata.conf file for this server:
wget https://the-slacker.com/download/netdata.conf mv -f netdata.conf /opt/netdata/etc/netdata/Disable Netdata cloud:
echo "[global] enabled = no" > /opt/netdata/var/lib/netdata/cloud.d/cloud.conf Then change ownership of cloud.conf: chown netdata:netdata /opt/netdata/var/lib/netdata/cloud.d/cloud.confNext, if Apache is your web server then you'll need to edit /etc/httpd/extra/httpd-info.conf to allow Netdata to get server-status.
<Location /server-status> SetHandler server-status Require host .example.org Require ip 127 </Location> #ExtendedStatus On <Location /server-info> SetHandler server-info Require host .example.org Require ip 127 </Location>If Apache is your web server you need to restart it:
/etc/rc.d/rc.httpd restartLastly restart netdata:
/etc/rc.d/rc.netdata restartHopefully Netdata is up and running properly now.
/var/www/postfixadmin/scripts/postfixadmin-cli mailbox add mailinglist@example.org --name mailinglist --quota 100 --active 1 --password password --password2 passwordThen create group, user, and directory for smmlm:
groupadd -g 401 smmlm useradd -u 401 -d /var/spool/smmlm -s /bin/false -g smmlm smmlm mkdir /var/spool/smmlm chown smmlm:smmlm /var/spool/smmlm chmod 0750 /var/spool/smmlmNext create the sqlite3 database for email addresses:
cd /var/spool/smmlm echo "CREATE TABLE lists( list_id INTEGER PRIMARY KEY, email TEXT UNIQUE );" > /var/spool/smmlm/smmlm.sql sqlite3 mailinglist.db < smmlm.sql chown smmlm:smmlm /var/spool/smmlm/smmlm.sql chown smmlm:smmlm /var/spool/smmlm/mailinglist.dbThen download the smmlm bash script that controls the email addresses list:
wget https://the-slacker.com/download/smmlm chown smmlm:smmlm /var/spool/smmlm/smmlm chmod 0750 /var/spool/smmlm/smmlm Make sure to change example.org to your domain in this smmlm script.Then create the /var/spool/smmlm/init.sql file:
echo ".timeout 1000" > /var/spool/smmlm/init.sql chown smmlm:smmlm /var/spool/smmlm/init.sqlThen we need to download the email2subs script that sends emails to all your subscribers:
cd /var/spool/smmlm wget https://the-slacker.com/download/email2subs chown smmlm:smmlm /var/spool/smmlm/email2subs chmod 0750 /var/spool/smmlm/email2subs Make sure to change example.org to your domain in this email2subs script.Then we need the file that holds the message you want to send to your mailing list subscribers:
echo "Hello subscribers! This is a test of my mailing list. To unsubscribe: send an email to mailinglist@example.org with unsubscribe in the body of the email. Thanks, admin@example.org" > /var/spool/smmlm/message chown smmlm:smmlm /var/spool/smmlm/messageNext create the welcome message that is automatically sent out when you get a new subscriber:
echo "Welcome to the my mailing list. To unsubscribe: Send an email to mailinglist@example.org with unsubscribe in the body of the email. Thanks, admin@example.org" > /var/spool/smmlm/welcome-message chown smmlm:smmlm /var/spool/smmlm/welcome-messageNext we need to do postfix header checks to direct emails to mailinglist@example.org to the smmlm mail filter.
/^To: "mailinglist@example.org"/ FILTER smmlm: /^To: mailinglist@example.org/ FILTER smmlm: Make sure to change example.org to your domain.Then we need to edit /etc/postfix/master.cf to add the smmlm mail filter.
smmlm unix - n n - 10 pipe flags=Rq user=smmlm null_sender= argv=/var/spool/smmlm/smmlm -f ${sender} -- ${recipient} 127.0.0.1:10022 inet n - - - - smtpd -o content_filter=smmlm:With the above setup people should be able to subscribe or unsubscribe to your mailing list by sending an email to mailinglist@yourdomain.com, and
sshd: put.your.ip.hereThen put the following in the /etc/hosts.deny file:
sshd: ALLThis works great if you access your server by sshd with a static ip, and I guess you could add more ip's to the hosts.allow file, but I haven't tried that.
sed -i "/disable_functions =/c\disable_functions = system,posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,\ pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,\ pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,\ escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,\ pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,\ pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,\ ftp_rawlist,pcntl_fork,posix_setuid" /etc/php.ini
cd /root/tmp mkdir /var/vmail/backup wget https://the-slacker.com/download/mysql_backup.sh mv -f mysql_backup.sh /var/vmail/backup/ chmod 0500 /var/vmail/backup/mysql_backup.shThen we need to create a cron.daily job to run mysql-backup. Run the following echo command:
echo -e '# Daily backup of the mysql databases. #!/bin/sh /var/vmail/backup/mysql_backup.sh > /dev/null 2>&1' > /etc/cron.daily/mysql-backup Then make it executable: chmod 0755 /etc/cron.daily/mysql-backupBtrfs Snapshots
# This creates the snapshots. cd / mkdir snapshots btrfs subvolume create /snapshots/root btrfs subvolume snapshot / /snapshots/root/$(date +"%m-%d-%y:%T") # This creates the snapshot of your root system / read-write with date and time. # This list the snapshots. You'll need to run this to get the snapshot ID number if you want to set-default a snapshot. btrfs subvolume list / # This sets a snapshot to be rebooted to. btrfs subvolume set-default 264 / # You'll need to run "btrfs subvolume list /" to get the ID number of the snapshot you want to reboot to. My ID number was 264. # If you want to delete a snapshot run the command below: btrfs subvolume delete /snapshots/root/subvolume # Put the actual name of the subvolume not the word subvolume.Below is a cron.daily job that will make a btrfs snapshot daily, and will delete snapshots older than 3 days. You can adjust how old a snapshot is before it is deleted.
touch /etc/cron.daily/btrfs-snapshot chmod 0755 /etc/cron.daily/btrfs-snapshot edit /etc/cron.daily/btrfs-snapshot and add the following: #!/bin/sh # This script will make a daily btrfs snapshot of your root system / if [ ! -d "/snapshots/" ]; then mkdir /snapshots fi if [ ! -d "/snapshots/root" ]; then btrfs subvolume create /snapshots/root fi d=$(date "+%m-%d-%y:%T") btrfs subvolume snapshot / /snapshots/root/$d sleep 1 touch /snapshots/root/$d sleep 2 # The command below will delete snapshots older than 3 days. You can adjust this to your liking. find /snapshots/root/ -maxdepth 1 -type d -mmin +2900 | xargs rm -rfI've created and rebooted to snapshots with the above commands, and so far it works well for me. It's good if you've made some mistake or installed something that's
# rotate log files weekly: weekly # keep 4 weeks worth of backlogs: rotate 4 # create new (empty) log files after rotating old ones: create # don't rotate empty log files notifempty # uncomment if you want to use the date as a suffix of the rotated file dateext # uncomment this if you want your log files compressed: compress compresscmd /bin/bzip2 uncompresscmd /bin/bunzip2 compressext .bz2This is how I do logrotate, but you can do it how you like. You may need to go to /etc/logrotate.d/* and adjust the various logs to your
keyfile=/etc/dehydrated/certs/YOURDOMAIN/privkey.pem certfile=/etc/dehydrated/certs/YOURDOMAIN/fullchain.pemInstall some needed utilities:
cd /root/tmp wget https://the-slacker.com/download/p7zip-17.04-x86_64-1_SBo.tgz installpkg p7zip-17.04-x86_64-1_SBo.tgz rm p7zip-17.04-x86_64-1_SBo.tgz wget https://the-slacker.com/download/unrar-6.2.12-x86_64-1_SBo.tgz installpkg unrar-6.2.12-x86_64-1_SBo.tgz rm unrar-6.2.12-x86_64-1_SBo.tgzKeep the time right with a daily ntpdate time update:
echo -e '# Daily time update #!/bin/sh /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1' > /etc/cron.daily/time-update chmod 0755 /etc/cron.daily/time-update If you've already set your timezone during installation then run the command below now to update time: /etc/cron.daily/time-update Need to set time at boot because sometimes time is set wrong at boot. Run command below to add the command to set time at boot: echo -e "/usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >> /etc/rc.d/rc.localCreate /etc/cron.daily/free-mem job to free up memory:
echo '#!/bin/sh # Free up memory sync && echo 3 | sudo tee /proc/sys/vm/drop_caches' > /etc/cron.daily/free-mem chmod 0755 /etc/cron.daily/free-memSetup sudo for an unprivileged user:
Slackware Sudo Setup
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34XThis server passed the test and marked the email as SPAM and delivered it to the Junk folder.
$defang_virus = 1; $final_virus_destiny = D_DISCARD;I then tried to send an email with the eicar virus from this server to another mailserver of mine, and it was blocked from being sent by clamav, so that's good.
slackpkg check-updatesThen if slackpkg check-updates comes back with Slackpkg: Updated packages are available since last check., and you want to upgrade run:
slackpkg update slackpkg upgrade-allAfter you run the above command slackpkg upgrade-all you will be presented with a ncurses window with a list of all the packages that can be
01. altermime v0.3.10 ---------- Check for updates 02. amavisd-new v2.13.1 -------- Check for updates 03. libmspack v0.10.1alpha ----- Check for updates Required by Clamav 04. clamav v1.4.1 -------------- Check for updates 05. dovecot-pigeonhole v0.5.21.1 Check for updates Had to modify dovecot-pigeonhole.SlackBuild to use dovecot-pigeonhole-0.5.21.1, that's needed by dovecot-2.3.21.1. 06. fail2ban v1.0.2 ------------ Check for updates 07. logwatch v7.11 ------------- Check for updates 08. p7zip v17.04 --------------- Check for updates 09. php-imagick v3.7.0 --------- Check for updates Had to modify php-imagick.SlckBuild to use the latest stable version of php-imagick. 10. postgrey v1.37 ------------- Check for updates 11. rust16 v1.79.0 ------------- Check for updates Required by Clamav 12. spamassassin v3.4.6 -------- Check for updates 13. unrar v6.2.12 -------------- Check for updates 14. Nginx v1.26.2 -------------- Check for updatesTo check if there are any upgrades for the above packages go to SlackBuilds.org, and enter the packages names I have listed above in the search box. If you
01. Webmin v2.202 ----------- Check for updates 02. Roundcube v1.6.9 -------- Check for updates Download the Complete version. 03. PostfixAdmin v3.3.13 ---- Check for updates 04. Netdata v1.47.5 --------- Check for updatesJoin the slackware-security mailing list:
1. Remove blacklist for MariaDB in /etc/slackpkg/blacklist. 1. Upgrade Netdata to v1.47.5.Upgrade from earlier versions of SlackerMail Here.
cd /root wget https://the-slacker.com/download/SlackerMail-0.48.0.tar.gz tar -xf SlackerMail-0.48.0.tar.gz cd SlackerMail-0.48.0 ./SlackerMail.sh Below is the checksum for SlackerMail-0.48.0.tar.gz: SHA256: 955fe392c2f48a892aec0bc28f48d6797d22a674b558c704b78bfc4a5517feb6 If you want to check the checksum run the command below: sha256sum /root/SlackerMail-0.48.0.tar.gzThe SlackerMail install script is working very good for me now, and it consistantly installs with no problems at this point.