Talk:HOWTO Linux Virtual Hosting Server

From Gentoo Linux Wiki



Original Top of Page

Minor edit: Here certs are named w/ 'www':

Code: Commands  
# export VHOST=www.kernel.org
# mkdir /etc/apache2/conf/ssl/${VHOST}
# cp /etc/ssl/misc/new.cert.cert /etc/apache2/conf/ssl/${VHOST}/${VHOST}.cert
# cp /etc/ssl/misc/new.cert.key /etc/apache2/conf/ssl/${VHOST}/${VHOST}.key
# unset VHOST

However here they are referenced w/o www:

SSLCertificateFile conf/ssl/domain.tld/domain.tld.cert
SSLCertificateKeyFile conf/ssl/domain.tld/domain.tld.key

Minor but could trip someone up... -Sam

Thank you. I have gone through your instructions for virtual apache domains, and am starting on the instructions for virtual e-mail domains. The section on configuring the commonapache2.conf file works well for me as you wrote it, so no need to be unsure of your configuration knowledge.

Nazadus (2005.04.21): Cool, thanks! I have a lot of plans for this HOWTO. Time is freeing up again, so I'm adding more content. I think I'm about 60-70% done with a 'version 1.0' release. My goals, in the future, will be to harden apache some more, encrypt passwords, write (or find) a better interface to admin the Postfix databases (I know something like this already exists, but I would have to do some minor re-writes, which I will probably do). If/When I feel comfortable with the Clam Spam Filtering, I will add that as well. It seems the page has had almost 2,700 hits. WOW. Just flat out -wow-.

Nazadus (2005.04.21): I do plan on placing a wikify tag on this after I'm completed and focusing some more time on the purty-ness of the article. Right now, my main goal is just to get the data out there and propagating -- so fear not my skills (or lack thereof) of the Wiki. At some point, I would like to number the boxes (IE: Example 13 -- or Figure 12) so I could refer to them instead. I just now remember that Gentoo is also hosting the mailsql file, so I will probably point to it instead (http://www.gentoo.org/doc/en/files/genericmailsql.sql) after I check and make sure I didn't modify anything (or plan on modifying something).

EarthCreed (2005.04.21): I was going through ssl certs, and where you edit 41_mod_ssl.default-vhost.conf I think you should point the document root at /var/www/domain.tld/htdocs instead of just /var/www/domain.tld.

Apache2 doesn't use commonapache2.conf anymore :)

Nazadus (2005.04.22): Whoops (about the documentroot). Fixed. I wasn't aware Apache2 stopped using the commonapache2.conf? I'll need to do some research on this... When this HOWTO is done, I don't want any of it to be out of date or based on elder versions. I appreciate the feedback!

Eddieroger (2005.04.28) I have used SquirrelMail before, and would be willing to contribute to that section once I get that far in on my server, if so desired. Also, I would like to write about Horde too, since it's a popular alternative to SquirrelMail. Just thought I'd offer services, and didn't know if this was being centrally run or something.

New apache2 setup

I can't remember which version it is, but the latest one in the portage tree changed the whole layout, and for vhosts it is now done some way in /etc/apache2/vhosts.d/ so if you could add something about how that is working that would be great.

Nazadus (2005.05.04) Eddie, We could make it an alternative path. The goal of this document originally was to bring up-to-date and combine elder documents but I have *zero* problem giving people an alternative. I wrote a lot today and am working on the SM section now. There are some small tricks I've found in SquirrelMail that make the virtual life a bit better (IE: the ability to send through other aliases). In fact, I'll go ahead and provide the Horde option now and feel free to add it whenever.

Anonymous Vhost person, I will begin all this over again shortly to double check. Assuming it has changed, I will update it. I greatly appreciate you telling me now though, so I can begin getting prepared (instead of getting caught off guard and getting upset).

Nazadus, 06-04-2005: I am using the docs on the wiki; ./CA.pl -sign is failing with this error:

Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key /etc/apache2/conf/ssl/benkong2.ath.cx/private/cakey.pem
12332:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('/etc/apache2/conf/ssl/benkong2.ath.cx/private/cakey.pem','r')
12332:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
Signed certificate is in newcert.pem

Where did I go wrong? I rechecked my typing and all instructions as well as I re-emerged openssl in case I messed up the conf. but it is not working at that point.

Any help?

ppito (01-08-2005) I found that /etc/ssl/demoCA/private/cakey.pem is not being saved in the right way. Just renamed this file to cakey.pem.old and edited /etc/ssl/openssl.cnf, changing (near "# ask user for existing CA certificate") the line "if ($FILE) {" to "if (!$FILE) {". After issuing again the command ./CA.pl -newca the cakey.pem is created in the right way.

more maps...

Maybe its just me, but I had to add the following lines to /etc/postfix/main.cf before mail would be delivered to virtual users:

transport_maps = mysql:/etc/postfix/mysql-transport.cf

virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf

virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf

Did I miss a step?

Nazadus (2005.05.21): You shouldn't need to have those. In fact I use the following (acquired via postconf):

transport_maps =
virtual_gid_maps = static:100
virtual_uid_maps = static:1001

This is what I was shown in all the tutorials. Now I'm sure you can place it in a MySQL database and in fact I don't see why you couldn't / shouldn't do this. I prefer your method as it allows a more dynamic way of handling things. Thank you! I will add these in once I've looked them over and checked some things out.


bwoo (2005.07.31): I had to do the same thing. Additionally, I found that there are relaying errors unless you put your virtual domains in both the virtual_mailbox_domains attribute in main.cf AS WELL AS the transport table. Can you explain why this is necessary please?

LX 20:38, 14 September 2005 (GMT): I had the same. Don't know if it's due to a new Postfix version or if there's a mistake in the Howto. However, the prob can be easily solved with

File: /etc/postfix/main.cf
[...]
virtual_mailbox_domains = mysql:/etc/postfix/mysql-transport.cf
[...]

This way, all domains marked "virtual" in the "transport" table will be considered for the virtual_mailbox_domains.

Nazadus (2005.09.15): Mistake on my part. I should have done the lookups on the MySQL table. While it was neglected in the original howto, I did it in mine but forgot to document it. -- Sorry 'bout that.

Apache2

Lungomotz (2006.07.22) Using apache-2.0.58 things are different, so this HOWTO should be adapted. By the way, the conception remains quite obscure: a lot of technical details, but the coherence is not explained. One has to be aware that persons reading a HOWTO are no experts in this particular topic, otherwise they shouldn't have the need to read it! So if you start configuring a Virtual Hosting Server you depend on basic information first. It would be nice if the first chapters of your HOWTO would explain the basic conception and perhaps give a few examples.

Nazadus (2005.05.21): I found, on the gentoo-server mailing list, that the Apache2 changes (the *big* ones) have not come into effect yet. This means this document is still fairly accurate. I'll keep a sharp eye out though. I'm currently building using this tutorial on Virtual PC (so it's a wee bit slow). Sorry for taking so long.

data (2005.05.30): Afaik those have come into effect, but some ebuilds which depend on apache have not been yet updated and so the changes are still in unstable. Also, this is going to be a change some admins might need a little bit of time for. As for me, I can say that the new layout works fine with php5 (And with slightly modifying the eclass you can also get php5 to compile with mysql and mysqli support, but that's in bugzilla)

Changes the Apache Team made (Somewhat outdated as they say themselves at the top)

@Nazadus: You have probably already found this; this is only for informing others of this issue

Adding SSL and SASL support to Postfix

tweaking saslauthd

The HOWTO says

File: /etc/conf.d/saslauthd
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"

The manpage of saslauthd comments the -r option like this:

 -r      Combine the realm with the login (with an '@' sign in between).
         e.g.  login: "foo" realm: "bar" will get passed as login:
         "foo@bar".  Note that the realm will still be passed, which may
         lead to unexpected behavior.

So, having recently set up a new server, I found it working more stably with

File: /etc/conf.d/saslauthd
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

That's just my two cents, suppose it might be worth a try. Btw, nice HOWTO.

genericmailsql.sql: data types

LX (2005.09.10) In "genericmailsql.sql" table "users", the fields for homedir and maildir are type "TINYTEXT". I don't see why this is. Because of the flexible length to be saved in the data base? I don't know as I'm not a big (My)SQL freak. In my special case, I liked to enter default values in the "users" table for not having to type same stuff over and over again. In my "users" table, I changed homedir and maildir from TINYTEXT to VARCHAR (128) and it works perfectly. Now I can use e.g.

/home/vmail/DOMAIN/USER/.maildir/

as default entry and just have to edit DOMAIN and USER.

But if there is an actual reason for explicitly choosing TINYTEXT instead of VARCHAR, could somebody explain it to me, please? TIA.

Nazadus (2005.09.15) I should probably organize this page a little better and make a FAQ or something. But anyways, going from TINYTEXT to VARCHAR(128) doesn't kill anything.

Technically:

VARCHAR( )	A variable section from 0 to 255 characters long.
TINYTEXT	A string with a maximum length of 255 characters.

So, TINYTEXT should be bigger than that 128 varchar, but you can set the varchar to 256 and they would be the same. I've stuck with TINYTEXT and never had problems -- but if you run into space path problems and aren't worried about hdd space (hdd space is cheap anyways) -- make it type TEXT. Here is a quick rundown of the SQL types:

CHAR( )	A fixed section from 0 to 255 characters long.
VARCHAR( )	A variable section from 0 to 255 characters long.
TINYTEXT	A string with a maximum length of 255 characters.
TEXT	A string with a maximum length of 65535 characters.
BLOB	A string with a maximum length of 65535 characters.
MEDIUMTEXT	A string with a maximum length of 16777215 characters.
MEDIUMBLOB	A string with a maximum length of 16777215 characters.
LONGTEXT	A string with a maximum length of 4294967295 characters.
LONGBLOB	A string with a maximum length of 4294967295 characters.

A BLOB is for storing binary objects -- very inefficient for our text stores.

Official documentation can be found here: [http://dev.mysql.com/doc/mysql/en/column-type-overview.html]

General Notes

Nazadus (2005.07.10): I've been exceptionally busy lately. Sorry everyone. I'll modify the page letting everyone know that this is Beta and feel free to update it as you learn cool things. One of the things I, personally, would like to see is the ability to have crypted passwords (someone mentioned this below) -- that would be a nice addition in here.

Requests/Suggestions/Ideas

Shadus (2005.07.11): You can't really use this as a vhosting server until you can run php scripts as the owner of the script, or rather if you don't do things that way how do you run your apache users? I've had very little luck finding a good setup other than running php as the user, is there even a good way to do this in gentoo without custom compiling half the stuff?

Nazadus (2005.07.15): Hmm, while this article's original scope was to just host them, I never thought of allowing each domain their own user. What could be possible is placing apache in the users group (or the users in the apache group) and giving them group read/execute? The only *easy* way to do it is permission level stuff. I think the correct permissions would be something like 755. If you need apache to write files, then it would be 775. For example, Drupal does file storing stuff and Apache would need to throw it on the file system.

How do your users access their files? SSH? FTP?

OpenBSD / Generic Update

Nazadus (2005.08.28): For those trying to use this article for getting an OpenBSD boxen to work under this configuration, let me save you a lot of time. It won't work. Not without doing PAM by yourself. OpenBSD doesn't have PAM. The pam_mysql stuff was semi-able to compile (complained about the lack of PAM headers, and rightly so). I was in the process of porting this to OpenBSD for a friend and I ran into that. It's possible to get PAM working with OpenBSD however you will have to do all the compiling yourself and probably some tweaky stuff. You might be better off going OpenLDAP for that situation. Use phpLDAPadmin to monitor/maintain your site. I learned that I had to use loopback and couldn't use domain.com for the server (on the config.php for phpLDAPadmin) or else it wouldn't connect or give me issues with my dn,password. For those who have a Java JRE, check out: [jamm.sf.net]. While I haven't tried it, it looks pretty sweet.

I thought I would pass this bit of info on. Best of luck to everyone out there!

Some thoughts...

mrsaccess (2005.10.17):
First of all thanks for this *REALLY* great tutorial.
Just some thoughts though:

  • /etc/sasl2/smtpd.conf by default is readable from anyone, so our database password is at risk from some local user.
  • Same goes for $phpmyadmin_dir/config.inc.php I think. This you can safely chown apache:apache, chmod 600
  • I'd like to be reminded at the end of the tutorial to turn off the verbose mode for virtual, local, smtp, and smtpd services.
  • I chose a more strict security for user vmail: chmod -R 700 /home/vmail so that no user can read other users' emails.
  • You have to have famd enabled in order for the IMAP to work properly. I used to have it turned off so I got some debug messages from IMAP not being able to create monitor file maildirwatch.

I really like the complete virtual hosting thing! That way you can use different passwords for root's and users' email accounts than the ones they use to login to the machine! I really don't like using my user/root password through the internet!
In order to get this to work completely, even for system mail, I had to change in /etc/postfix/main.cf the $myhostname from mail.domain.tld to domain.tld. Although you clearly state to use mail.domain.tld this configuration still works fine!
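The permission points raised in this thread (smtpd.conf and config.inc.php leaking the MySQL password, chmod -R 700 on /home/vmail) and in the "Requests/Suggestions/Ideas" section above (letting apache read, and optionally write, a customer's docroot via its group) fit together into one small permission model. What follows is an added example in POSIX sh written for this talk page; it is not code from the HOWTO or from either poster. Every path is an argument, the "apache" group name and the /home/vmail and /etc/postfix/mysql-*.cf paths are only the HOWTO's defaults, and the BSD stat fallback in mode_of is an assumption that is not exercised on Gentoo.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): permission model for a virtual
# hosting box.  Paths and account names are arguments, nothing is hard-coded.
#
#   make_vhost_docroot /var/www/domain.tld/htdocs       cust1 apache
#   make_vhost_docroot /var/www/domain.tld/htdocs/files cust1 apache yes
#   audit_secret_file  /etc/sasl2/smtpd.conf
#   audit_secret_file  /var/www/localhost/htdocs/phpmyadmin/config.inc.php
#   audit_mail_store   /home/vmail

# mode_of PATH -> permission bits in octal, e.g. 640 or 2770.
# Uses GNU stat; the BSD "stat -f" form is an untested fallback (assumption).
mode_of() {
    m=$(stat -c %a "$1" 2>/dev/null) || m=$(stat -f %Mp%Lp "$1")
    printf '%s\n' "${m#0}"
}

# make_vhost_docroot DIR OWNER GROUP [yes]
# OWNER is the customer's account, GROUP the one apache runs as.  Directories
# get 750 and files 640: the web server can read, everyone else cannot.  With
# a 4th argument "yes" the tree becomes group-writable (2770/660) for apps
# that store uploads (the Drupal case); setgid keeps new files in GROUP.
make_vhost_docroot() {
    dir=$1 owner=$2 group=$3 writable=${4:-no}
    mkdir -p "$dir"
    chown -R "$owner:$group" "$dir"
    if [ "$writable" = yes ]; then
        find "$dir" -type d -exec chmod 2770 {} +
        find "$dir" -type f -exec chmod 660 {} +
    else
        find "$dir" -type d -exec chmod 750 {} +
        find "$dir" -type f -exec chmod 640 {} +
    fi
}

# audit_secret_file FILE
# For files carrying the database password or a TLS private key.
# Returns 1 if group or other can read it (last two octal digits >= 4).
audit_secret_file() {
    f=$1 rc=0
    [ -e "$f" ] || { echo "absent: $f"; return 0; }
    m=$(mode_of "$f")
    case $m in *[4567])  echo "world-readable ($m): $f"; rc=1 ;; esac
    case $m in *[4567]?) echo "group-readable ($m): $f"; rc=1 ;; esac
    return "$rc"
}

# audit_mail_store DIR
# The "chmod -R 700 /home/vmail" rule: nothing under DIR may carry any
# group or other bit.  Lists offenders and returns 1 if there are any.
audit_mail_store() {
    bad=$(find "$1" -print | while IFS= read -r p; do
        case $(mode_of "$p") in
            *[1-7]|*[1-7]?) echo "group/other bits set ($(mode_of "$p")): $p" ;;
        esac
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

The audit functions only look at mode bits; a 600 file owned by the wrong user (say, root instead of the account the daemon actually runs as) is a separate mistake that shows up as a permission-denied error at start-up rather than as a leak.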

kashani fixes

kashani (2005.10.25) Added -fam to the Courier build. Fam has been funky with Courier, there are four or five threads on the forums about this. It's been more stable to remove fam altogether.

kashani (2005.10.30) I see from the anonymous adds that the fam situation is more complicated than I thought. If I can find a working gamin config, which is supposed to be a drop in replacement for fam and better technology, I'll add that in and suggest we deprecate fam.

kashani (2005.11.29) Dropped pam-mysql again. It isn't needed if you use authdaemond as your connection to the database and pam-mysql DOES NOT support encrypted passwords. Stop adding it back in.

Certificate for postfix

ecosta (2006/10/17)

I think there might be an error in the documentation but I'd rather state it here in case I am wrong.

The error I was getting was:

454 TLS not available due to local problem

After a long search I figured it was a problem with my certificate and realised the documentation is not using the private key as it should.

These are the changes I'd make:

Code: Commands
# cd /etc/ssl/misc
# cp newkey.pem /etc/postfix
# cp newcert.pem /etc/postfix
# cp demoCA/cacert.pem /etc/postfix
 

edit main.cf

File: main.cf
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
 

then for extra security:

Code: Commands
chmod 400 /etc/postfix/newkey.pem
 

On a final note. Thanks for this fab HOWTO. Got the mail server up and running now. I wouldn't split this HOWTO. We'll just end up looking for all the bits rather than have them in one place. All is relevant to a virtual mail server.

Aeternus (2007/04/01)

I had the same problem recently, I think it's fallout from the Gentoo Documentation on the same subject which changes CA.pl to overwrite newreq.pem with the private key instead of putting it in newkey.pem - http://www.gentoo.org/doc/en/virt-mail-howto.xml .
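Two threads on this page are the same class of mistake seen from different ends: Sam's note at the top (the cert is created under www.domain.tld but main.cf-style config references domain.tld, so the file is simply not there) and ecosta's and Aeternus's "454 TLS not available due to local problem" (the file named as the key is really the CSR from newreq.pem). The POSIX sh check below is an added example for this talk page, not code from the HOWTO or from any of the posters; it takes the key and cert paths as arguments, inspects the PEM headers, and only calls openssl (pkey and x509, OpenSSL 1.0 or later) if it is installed.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): pre-flight check for a TLS
# key/cert pair before its paths go into smtpd_tls_key_file /
# smtpd_tls_cert_file or SSLCertificateKeyFile / SSLCertificateFile.
#
#   check_tls_pair  /etc/postfix/newkey.pem /etc/postfix/newcert.pem
#   check_tls_match /etc/postfix/newkey.pem /etc/postfix/newcert.pem

# pem_has LABEL FILE -> true if FILE contains a "-----BEGIN ...LABEL-----" line
pem_has() {
    grep -q -- "^-----BEGIN .*$1-----" "$2" 2>/dev/null
}

# check_tls_pair KEYFILE CERTFILE
# Prints one line per problem.  Returns 0 only when both files exist and are
# readable, KEYFILE holds a private key block (RSA/EC/PKCS#8 all match) and
# CERTFILE holds a certificate block.  A file that is only a certificate
# request (what newreq.pem normally is) fails the key test.
check_tls_pair() {
    key=$1 cert=$2 rc=0
    for f in "$key" "$cert"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: $f"   # the www. vs bare-name trap
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    if ! pem_has "PRIVATE KEY" "$key"; then
        if pem_has "CERTIFICATE REQUEST" "$key"; then
            echo "$key holds only a certificate request (newreq.pem?), not a private key"
        else
            echo "$key has no PRIVATE KEY block"
        fi
        rc=1
    fi
    if ! pem_has "CERTIFICATE" "$cert"; then
        echo "$cert has no CERTIFICATE block"
        rc=1
    fi
    return "$rc"
}

# check_tls_match KEYFILE CERTFILE
# Derives the public key from the private key and compares it with the one
# embedded in the certificate.  Returns 0 on match, 1 on mismatch or if
# either file fails to parse, 2 when openssl is not installed.
check_tls_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}
```

check_tls_pair passes a file that carries the key together with other PEM blocks, because OpenSSL skips blocks of the wrong type when loading a key; it fails only when no key block is present at all. ecosta's chmod 400 on the key file is still a separate step, as nothing here looks at permissions.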

Split?

So. . . someone put a Split tag on the article, which points to the talk page for discussion on whether the article should be split up, and yet there is absolutely no discussion here about it. Who put the tag there and why?

--Ragawu 23:59, 3 February 2007 (UTC) I agree, in the meantime lets forget about splitting up and concentrate on working it out. ;-)

Just because the original proposer didn't put a detailed reason, that doesn't make the split request any less valid. The fact is that this article compiles a number of programs in a single install. In my opinion it would be better to have individual articles for each individual piece of software and let the users choose which particularly pieces of software they put together.
There are already articles for some pieces of software mentioned in this article - it would be far better to improve those individual articles than to try and improve this very specific compilation of software which far less people are likely to look to.
--AllenJB 09:09, 4 February 2007 (UTC)
That's a fair point & I was being a little facetious, maybe to this discussion's detriment. It just so happened that the setup I believed I was after was covered by this article, when I probably would have done better with a more general overview of a combined web/mail/dns server capable of hosting tens of domains with virtual email accounts, web, pop3, imap, ssl access and easily configurable from one location. That article could then link to choices of software for each stage. It would give the reader a greater understanding of all the options available.
That seems like a lot of work, though I'm new to wikis & fairly clueless. More than willing to help test current software versions as I'm building the aforementioned combined server as we speak.
--Ragawu 14:54, 4 February 2007 (UTC)