Alteeve Wiki - User contributions [en-gb]

PPPower Server

2012-08-20T01:31:57Z

Dak1n1: /* Basic Postfix Configuration */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
cp /etc/denyhosts.conf /etc/denyhosts.conf.orig
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>
<source lang="bash">
diff -U 0 /etc/denyhosts.conf.orig /etc/denyhosts.conf
</source>
<source lang="diff">
--- /etc/denyhosts.conf.orig 2012-05-13 02:33:05.584566483 -0400
+++ /etc/denyhosts.conf 2012-05-13 02:34:19.386558503 -0400
@@ -96 +96 @@
-#BLOCK_SERVICE = ALL
+BLOCK_SERVICE = ALL
@@ -98 +98 @@
-BLOCK_SERVICE = sshd
+#BLOCK_SERVICE = sshd
@@ -547 +547 @@
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
@@ -582 +582 @@
-#SYNC_DOWNLOAD = yes
+SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
cp /etc/hosts.allow /etc/hosts.allow.orig
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
206.108.5.162
</source>
<source lang="bash">
diff -U 0 /etc/hosts.allow.orig /etc/hosts.allow
</source>
<source lang="diff">
--- /etc/hosts.allow.orig 2012-05-13 02:36:02.613767847 -0400
+++ /etc/hosts.allow 2012-05-13 02:40:37.473523845 -0400
@@ -10,0 +11,2 @@
+127.0.0.1
+206.108.5.162
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
/etc/init.d/denyhosts start
</source>
<source lang="text">
Starting denyhosts: [ OK ]
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind \
acpid bind-utils syslinux screen man bzip2 zip unzip php-pgsql php yum-utils
chkconfig acpid on
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg perl-Digest-Perl-MD5 mod_auth_pgsql perl-Digest-SHA perl-CGI perl-Time-HiRes
</source>

= Apache =

Apache is configured first with a global configuration, which also defines the "default" website which is shown when the server is called by it's IP address (or by a domain that is not configured). Then with per-domain configurations known as "virtual host containers".

First, the global configuration and default domain. We will put our default website in /var/www/default/. So the first step is to create the needed directories.

<source lang="bash">
mkdir -p /var/www/default/{html,cgi-bin,logs}
chown -R apache:apache /var/www
</source>

Now to edit the configuration file.

<source lang="bash">
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
vim /etc/httpd/conf/httpd.conf
</source>

{{note|1=This needs to be explained.}}

Make the following changes.

<source lang="bash">
diff -U 0 /etc/httpd/conf/httpd.conf.orig /etc/httpd/conf/httpd.conf
</source>
<source lang="diff">
--- /etc/httpd/conf/httpd.conf.orig 2012-05-13 19:32:07.718570148 -0400
+++ /etc/httpd/conf/httpd.conf 2012-05-13 21:48:18.439736244 -0400
@@ -103,6 +103,6 @@
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
@@ -119,5 +119,5 @@
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
@@ -262 +262 @@
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
@@ -276,0 +277 @@
+ServerName omiya.alteeve.ca:80
@@ -292 +293 @@
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
@@ -317 +318 @@
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
@@ -551 +552 @@
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
@@ -553 +554 @@
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
@@ -576 +577 @@
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
@@ -582 +583 @@
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
@@ -855 +856 @@
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
@@ -859 +860 @@
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
@@ -990 +991 @@
-#NameVirtualHost *:80
+NameVirtualHost *:80
@@ -1004,5 +1005,5 @@
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
@@ -1009,0 +1011 @@
+
</source>

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
[Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
</source>

Note that the [Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts is expected at this stage as we've not yet configured any virtual hosts.

All virtual host configuration files need to be created in the /etc/httpd/conf.d directory and the file must have the .conf suffix in order to be read by apache. These files will be read in order, so if you want to ensure that one file is read before another, as we will do shortly, you can prefix the configuration file with an integer to ensure read order.

I like to redirect all unknown server requests to http://unknown.alteeve.ca. For this, I will create an initial configuration file called 00_default.conf.

<source lang="bash">
vim /etc/httpd/conf.d/00_default.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin admin@alteeve.ca
DocumentRoot /var/www/default/html
ServerName unknown.alteeve.com
ErrorLog /var/www/default/logs/error.log
CustomLog /var/www/default/logs/access.log common
</VirtualHost>
</source>

Now we will do two kinds of checks; One for syntax and one to check the configuration of virtual host containers.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

We no longer see the warning from before as we now have our first virtual host configured.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
Syntax OK
</source>

We can now start the web server for the first time.

<source lang="bash">
/etc/init.d/httpd start
</source>
<source lang="text">
Starting httpd: [ OK ]
</source>

Perfect! Time to configure some real domains.

== Common Virtual Host Configurations ==

All domains on this server will be housed under either:

* /var/www/domain.tld/{cgi-bin,html,logs,temp}

Or, for [[SSL]] encrypted domains;

* /var/www/ssl_domain.tld/{cgi-bin,html,logs,temp}

The four directories found under the domain are used for hosting executable scripts (cgi-bin), standard [[HTML]] websites or websites with in-line code like [[PHP]] (html), log files (logs) and an optional temporary directory used for staging files (temp).

== Standard Virtual Hosts ==

This section covers the configuration on standard virtual host containers (using [[TCP]] port 80).

In this example, we will setup the domain http://mizu-bu.org.

First, create the directories for the domain's files.

<source lang="bash">
mkdir -p /var/www/mizu-bu.org/{cgi-bin,html,logs,temp}
</source>

Now create the virtual host container's configuration file. Note that in this example, it is a [http://www.mediawiki.org/ MediaWiki] website, so we will tell apache to look for index.php files by default.

<source lang="bash">
vim /etc/httpd/conf.d/mizu-bu.org.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin digimer@alteeve.com

ServerName mizu-bu.org
ServerAlias www.mizu-bu.org

DirectoryIndex index.html

DocumentRoot /var/www/mizu-bu.org/html/
<Directory /var/www/mizu-bu.org/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride Options
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/mizu-bu.org/cgi-bin/
<Directory "/var/www/mizu-bu.org/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/mizu-bu.org/logs/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/mizu-bu.org/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

As before, test the syntax and virtual host configurations.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost mizu-bu.org (/etc/httpd/conf.d/mizu-bu.org.conf:1)
Syntax OK
</source>


<source lang="bash">
</source>
<source lang="text">
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

== Common apachectl -t Configuration Problems ==

=== httpd: apr_sockaddr_info_get() failed for <domain> ===

Make sure that the hostname for the server resolves to an IP address. This is done by ensuring that the name returned by hostname has a [[DNS]] entry or has an entry in the /etc/hosts file.

=== [warn] NameVirtualHost *:80 has no VirtualHosts ===

This will be shown when no virtual host containers have been configured ye.

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
/etc/init.d/postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://vault.centos.org/6.3/os/Source/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
message_size_limit = 36700160 # increase max message size to 35MB to allow for ~25MB attachments
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== RoundCube Web Mail ==

Install the packages (these require the [[EPEL]] repo);

<source lang="bash">
yum install roundcubemail php-pear-MDB2-Driver-pgsql
</source>

You need to set the timezone in the /etc/php.ini file.

<source lang="bash">
cp /etc/php.ini /etc/php.ini.orig
vim /etc/php.ini
</source>

Set date.timezone value. If you aren't sure of the format or name of your timezone, run tzselect and follow the prompts. We want America/Toronto.

<source lang="bash">
diff -u /etc/php.ini.orig /etc/php.ini
</source>
<source lang="diff">
--- /etc/php.ini.orig 2012-08-18 22:27:05.244670258 -0400
+++ /etc/php.ini 2012-08-18 21:49:37.926938864 -0400
@@ -943,7 +943,7 @@
[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
-;date.timezone =
+date.timezone = America/Toronto

; http://www.php.net/manual/en/datetime.configuration.php#ini.date.default-latitude
;date.default_latitude = 31.7667
</source>

Create the database for roundcube

<source lang="bash">
su - postgres
createdb -O alteeve -E UNICODE roundcubemail
psql -U alteeve -D roundcubemail
\i /usr/share/doc/roundcubemail-0.5.4/SQL/postgres.initial.sql
</source>

Edit main configuration file

<source lang="bash">
vim /etc/roundcubemail/main.inc.php
</source>
<source lang="bash">
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['smtp_server'] = 'tls://mail.alteeve.ca';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
$rcmail_config['smtp_auth_type'] = 'CRAM-MD5';
$rcmail_config['force_https'] = true;
$rcmail_config['use_https'] = true;
$rcmail_config['login_autocomplete'] = 1;
</source>

Now setup roundcube for connecting to our DB;

<source lang="bash">
cp /etc/roundcubemail/db.inc.php /etc/roundcubemail/db.inc.php.orig
vim /etc/roundcubemail/db.inc.php
</source>

Now set the connection string. Note to switch the DB driver to pgsql.

<source lang="bash">
diff -u /etc/roundcubemail/db.inc.php.orig /etc/roundcubemail/db.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/db.inc.php.orig 2012-05-06 13:53:52.000000000 -0400
+++ /etc/roundcubemail/db.inc.php 2012-05-06 15:45:30.000000000 -0400
@@ -18,7 +18,7 @@
// format is db_provider://user:password@host/database
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php

-$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
+$rcmail_config['db_dsnw'] = 'pgsql://alteeve:secret@localhost/roundcubemail';
// postgres example: 'pgsql://roundcube:pass@localhost/roundcubemail';
// Warning: for SQLite use absolute path in DSN:
</source>

Now setup roundcube to communicate with the mail server.

<source lang="bash">
cp /etc/roundcubemail/main.inc.php /etc/roundcubemail/main.inc.php.orig
vim /etc/roundcubemail/main.inc.php
</source>

There are several variables to set. Our server will talk to localhost using [[tls]] on port 587 using [[CRAM_MD5]] encryption. We use, and require, [[https]] connections. There are a couple special values for querying the user's name and password from the database. Finally, we want to enable the user's browser's auto-complete functions and set the name shown to the users. Once all set, the diff should be similar to the one below.

<source lang="bash">
diff -u /etc/roundcubemail/main.inc.php.orig /etc/roundcubemail/main.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/main.inc.php.orig 2012-05-06 13:53:59.000000000 -0400
+++ /etc/roundcubemail/main.inc.php 2012-07-06 14:59:07.000000000 -0400
@@ -65,7 +65,7 @@
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['default_host'] = '';
+$rcmail_config['default_host'] = 'localhost';

// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
@@ -121,22 +121,22 @@
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['smtp_server'] = '';
+$rcmail_config['smtp_server'] = 'tls://mail.alteeve.ca';

// SMTP port (default is 25; 465 for SSL)
-$rcmail_config['smtp_port'] = 25;
+$rcmail_config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$rcmail_config['smtp_user'] = '';
+$rcmail_config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$rcmail_config['smtp_pass'] = '';
+$rcmail_config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$rcmail_config['smtp_auth_type'] = '';
+$rcmail_config['smtp_auth_type'] = 'CRAM-MD5';

// Optional SMTP authentication identifier to be used as authorization proxy
$rcmail_config['smtp_auth_cid'] = null;
@@ -179,16 +179,16 @@
// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
-$rcmail_config['force_https'] = false;
+$rcmail_config['force_https'] = true;

// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
-$rcmail_config['use_https'] = false;
+$rcmail_config['use_https'] = true;

// Allow browser-autocompletion on login form.
// 0 - disabled, 1 - username and host only, 2 - username, host, password
-$rcmail_config['login_autocomplete'] = 0;
+$rcmail_config['login_autocomplete'] = 1;

// If users authentication is not case sensitive this must be enabled.
// You can also use it to force conversion of logins to lower case.
@@ -261,7 +261,7 @@
$rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;

// use this name to compose page titles
-$rcmail_config['product_name'] = 'Roundcube Webmail';
+$rcmail_config['product_name'] = 'AN!Mail';

// try to load host-specific configuration
// see http://trac.roundcube.net/wiki/Howto_Config for more details
</source>

That should be it.

==== Adding a password-reset link to the login page ====

Edit the login page template to insert the AN!Console password recovery link.

<source lang="bash">
vim /usr/share/roundcubemail/skins/default/templates/login.html</source>

(The part we're adding is the '<a href=""></a>'. Other parts of the template file are included here as a reference.)
<source lang="bash">
<div id="login-form">
<div class="boxtitle"><roundcube:label name="welcome" /></div>
<div class="boxcontent">

<form name="form" action="./" method="post">
<roundcube:object name="loginform" form="form" />

<input type="submit" class="button mainaction" value="<roundcube:label name='login' />" />

</form>
<a href="../../cgi-bin/t/password.cgi">Forgot your password?</a>
</div>
</div>
</source>

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-08-19T13:27:51Z

Dak1n1: /* RoundCube Web Mail */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
cp /etc/denyhosts.conf /etc/denyhosts.conf.orig
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>
<source lang="bash">
diff -U 0 /etc/denyhosts.conf.orig /etc/denyhosts.conf
</source>
<source lang="diff">
--- /etc/denyhosts.conf.orig 2012-05-13 02:33:05.584566483 -0400
+++ /etc/denyhosts.conf 2012-05-13 02:34:19.386558503 -0400
@@ -96 +96 @@
-#BLOCK_SERVICE = ALL
+BLOCK_SERVICE = ALL
@@ -98 +98 @@
-BLOCK_SERVICE = sshd
+#BLOCK_SERVICE = sshd
@@ -547 +547 @@
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
@@ -582 +582 @@
-#SYNC_DOWNLOAD = yes
+SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
cp /etc/hosts.allow /etc/hosts.allow.orig
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
206.108.5.162
</source>
<source lang="bash">
diff -U 0 /etc/hosts.allow.orig /etc/hosts.allow
</source>
<source lang="diff">
--- /etc/hosts.allow.orig 2012-05-13 02:36:02.613767847 -0400
+++ /etc/hosts.allow 2012-05-13 02:40:37.473523845 -0400
@@ -10,0 +11,2 @@
+127.0.0.1
+206.108.5.162
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
/etc/init.d/denyhosts start
</source>
<source lang="text">
Starting denyhosts: [ OK ]
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind \
acpid bind-utils syslinux screen man bzip2 zip unzip php-pgsql php yum-utils
chkconfig acpid on
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg perl-Digest-Perl-MD5 mod_auth_pgsql perl-Digest-SHA perl-CGI perl-Time-HiRes
</source>

= Apache =

Apache is configured first with a global configuration, which also defines the "default" website which is shown when the server is called by it's IP address (or by a domain that is not configured). Then with per-domain configurations known as "virtual host containers".

First, the global configuration and default domain. We will put our default website in /var/www/default/. So the first step is to create the needed directories.

<source lang="bash">
mkdir -p /var/www/default/{html,cgi-bin,logs}
chown -R apache:apache /var/www
</source>

Now to edit the configuration file.

<source lang="bash">
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
vim /etc/httpd/conf/httpd.conf
</source>

{{note|1=This needs to be explained.}}

Make the following changes.

<source lang="bash">
diff -U 0 /etc/httpd/conf/httpd.conf.orig /etc/httpd/conf/httpd.conf
</source>
<source lang="diff">
--- /etc/httpd/conf/httpd.conf.orig 2012-05-13 19:32:07.718570148 -0400
+++ /etc/httpd/conf/httpd.conf 2012-05-13 21:48:18.439736244 -0400
@@ -103,6 +103,6 @@
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
@@ -119,5 +119,5 @@
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
@@ -262 +262 @@
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
@@ -276,0 +277 @@
+ServerName omiya.alteeve.ca:80
@@ -292 +293 @@
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
@@ -317 +318 @@
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
@@ -551 +552 @@
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
@@ -553 +554 @@
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
@@ -576 +577 @@
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
@@ -582 +583 @@
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
@@ -855 +856 @@
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
@@ -859 +860 @@
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
@@ -990 +991 @@
-#NameVirtualHost *:80
+NameVirtualHost *:80
@@ -1004,5 +1005,5 @@
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
@@ -1009,0 +1011 @@
+
</source>

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
[Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
</source>

Note that the [Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts is expected at this stage as we've not yet configured any virtual hosts.

All virtual host configuration files need to be created in the /etc/httpd/conf.d directory and the file must have the .conf suffix in order to be read by apache. These files will be read in order, so if you want to ensure that one file is read before another, as we will do shortly, you can prefix the configuration file with an integer to ensure read order.

I like to redirect all unknown server requests to http://unknown.alteeve.ca. For this, I will create an initial configuration file called 00_default.conf.

<source lang="bash">
vim /etc/httpd/conf.d/00_default.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin admin@alteeve.ca
DocumentRoot /var/www/default/html
ServerName unknown.alteeve.com
ErrorLog /var/www/default/logs/error.log
CustomLog /var/www/default/logs/access.log common
</VirtualHost>
</source>

Now we will do two kinds of checks; One for syntax and one to check the configuration of virtual host containers.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

We no longer see the warning from before as we now have our first virtual host configured.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
Syntax OK
</source>

We can now start the web server for the first time.

<source lang="bash">
/etc/init.d/httpd start
</source>
<source lang="text">
Starting httpd: [ OK ]
</source>

Perfect! Time to configure some real domains.

== Common Virtual Host Configurations ==

All domains on this server will be housed under either:

* /var/www/domain.tld/{cgi-bin,html,logs,temp}

Or, for [[SSL]] encrypted domains;

* /var/www/ssl_domain.tld/{cgi-bin,html,logs,temp}

The four directories found under the domain are used for hosting executable scripts (cgi-bin), standard [[HTML]] websites or websites with in-line code like [[PHP]] (html), log files (logs) and an optional temporary directory used for staging files (temp).

== Standard Virtual Hosts ==

This section covers the configuration on standard virtual host containers (using [[TCP]] port 80).

In this example, we will setup the domain http://mizu-bu.org.

First, create the directories for the domain's files.

<source lang="bash">
mkdir -p /var/www/mizu-bu.org/{cgi-bin,html,logs,temp}
</source>

Now create the virtual host container's configuration file. Note that in this example, it is a [http://www.mediawiki.org/ MediaWiki] website, so we will tell apache to look for index.php files by default.

<source lang="bash">
vim /etc/httpd/conf.d/mizu-bu.org.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin digimer@alteeve.com

ServerName mizu-bu.org
ServerAlias www.mizu-bu.org

DirectoryIndex index.html

DocumentRoot /var/www/mizu-bu.org/html/
<Directory /var/www/mizu-bu.org/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride Options
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/mizu-bu.org/cgi-bin/
<Directory "/var/www/mizu-bu.org/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/mizu-bu.org/logs/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/mizu-bu.org/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

As before, test the syntax and virtual host configurations.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost mizu-bu.org (/etc/httpd/conf.d/mizu-bu.org.conf:1)
Syntax OK
</source>


<source lang="bash">
</source>
<source lang="text">
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

== Common apachectl -t Configuration Problems ==

=== httpd: apr_sockaddr_info_get() failed for <domain> ===

Make sure that the hostname for the server resolves to an IP address. This is done by ensuring that the name returned by hostname has a [[DNS]] entry or has an entry in the /etc/hosts file.

=== [warn] NameVirtualHost *:80 has no VirtualHosts ===

This will be shown when no virtual host containers have been configured ye.

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
/etc/init.d/postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://vault.centos.org/6.3/os/Source/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== RoundCube Web Mail ==

Install the packages (these require the [[EPEL]] repo);

<source lang="bash">
yum install roundcubemail php-pear-MDB2-Driver-pgsql
</source>

You need to set the timezone in the /etc/php.ini file.

<source lang="bash">
cp /etc/php.ini /etc/php.ini.orig
vim /etc/php.ini
</source>

Set date.timezone value. If you aren't sure of the format or name of your timezone, run tzselect and follow the prompts. We want America/Toronto.

<source lang="bash">
diff -u /etc/php.ini.orig /etc/php.ini
</source>
<source lang="diff">
--- /etc/php.ini.orig 2012-08-18 22:27:05.244670258 -0400
+++ /etc/php.ini 2012-08-18 21:49:37.926938864 -0400
@@ -943,7 +943,7 @@
[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
-;date.timezone =
+date.timezone = America/Toronto

; http://www.php.net/manual/en/datetime.configuration.php#ini.date.default-latitude
;date.default_latitude = 31.7667
</source>

Create the database for roundcube

<source lang="bash">
su - postgres
createdb -O alteeve -E UNICODE roundcubemail
psql -U alteeve -D roundcubemail
\i /usr/share/doc/roundcubemail-0.5.4/SQL/postgres.initial.sql
</source>

Edit main configuration file

<source lang="bash">
vim /etc/roundcubemail/main.inc.php
</source>
<source lang="bash">
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['smtp_server'] = 'tls://mail.alteeve.ca';
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
$rcmail_config['smtp_auth_type'] = 'CRAM-MD5';
$rcmail_config['force_https'] = true;
$rcmail_config['use_https'] = true;
$rcmail_config['login_autocomplete'] = 1;
</source>

Now setup roundcube for connecting to our DB;

<source lang="bash">
cp /etc/roundcubemail/db.inc.php /etc/roundcubemail/db.inc.php.orig
vim /etc/roundcubemail/db.inc.php
</source>

Now set the connection string. Note to switch the DB driver to pgsql.

<source lang="bash">
diff -u /etc/roundcubemail/db.inc.php.orig /etc/roundcubemail/db.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/db.inc.php.orig 2012-05-06 13:53:52.000000000 -0400
+++ /etc/roundcubemail/db.inc.php 2012-05-06 15:45:30.000000000 -0400
@@ -18,7 +18,7 @@
// format is db_provider://user:password@host/database
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php

-$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
+$rcmail_config['db_dsnw'] = 'pgsql://alteeve:secret@localhost/roundcubemail';
// postgres example: 'pgsql://roundcube:pass@localhost/roundcubemail';
// Warning: for SQLite use absolute path in DSN:
</source>

Now setup roundcube to communicate with the mail server.

<source lang="bash">
cp /etc/roundcubemail/main.inc.php /etc/roundcubemail/main.inc.php.orig
vim /etc/roundcubemail/main.inc.php
</source>

There are several variables to set. Our server will talk to localhost using [[tls]] on port 587 using [[CRAM_MD5]] encryption. We use, and require, [[https]] connections. There are a couple special values for querying the user's name and password from the database. Finally, we want to enable the user's browser's auto-complete functions and set the name shown to the users. Once all set, the diff should be similar to the one below.

<source lang="bash">
diff -u /etc/roundcubemail/main.inc.php.orig /etc/roundcubemail/main.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/main.inc.php.orig 2012-05-06 13:53:59.000000000 -0400
+++ /etc/roundcubemail/main.inc.php 2012-07-06 14:59:07.000000000 -0400
@@ -65,7 +65,7 @@
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['default_host'] = '';
+$rcmail_config['default_host'] = 'localhost';

// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
@@ -121,22 +121,22 @@
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['smtp_server'] = '';
+$rcmail_config['smtp_server'] = 'tls://mail.alteeve.ca';

// SMTP port (default is 25; 465 for SSL)
-$rcmail_config['smtp_port'] = 25;
+$rcmail_config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$rcmail_config['smtp_user'] = '';
+$rcmail_config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$rcmail_config['smtp_pass'] = '';
+$rcmail_config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$rcmail_config['smtp_auth_type'] = '';
+$rcmail_config['smtp_auth_type'] = 'CRAM-MD5';

// Optional SMTP authentication identifier to be used as authorization proxy
$rcmail_config['smtp_auth_cid'] = null;
@@ -179,16 +179,16 @@
// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
-$rcmail_config['force_https'] = false;
+$rcmail_config['force_https'] = true;

// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
-$rcmail_config['use_https'] = false;
+$rcmail_config['use_https'] = true;

// Allow browser-autocompletion on login form.
// 0 - disabled, 1 - username and host only, 2 - username, host, password
-$rcmail_config['login_autocomplete'] = 0;
+$rcmail_config['login_autocomplete'] = 1;

// If users authentication is not case sensitive this must be enabled.
// You can also use it to force conversion of logins to lower case.
@@ -261,7 +261,7 @@
$rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;

// use this name to compose page titles
-$rcmail_config['product_name'] = 'Roundcube Webmail';
+$rcmail_config['product_name'] = 'AN!Mail';

// try to load host-specific configuration
// see http://trac.roundcube.net/wiki/Howto_Config for more details
</source>

That should be it.

==== Adding a password-reset link to the login page ====

Edit the login page template to insert the AN!Console password recovery link.

<source lang="bash">
vim /usr/share/roundcubemail/skins/default/templates/login.html</source>

(The part we're adding is the '<a href=""></a>'. Other parts of the template file are included here as a reference.)
<source lang="bash">
<div id="login-form">
<div class="boxtitle"><roundcube:label name="welcome" /></div>
<div class="boxcontent">

<form name="form" action="./" method="post">
<roundcube:object name="loginform" form="form" />

<input type="submit" class="button mainaction" value="<roundcube:label name='login' />" />

</form>
<a href="../../cgi-bin/t/password.cgi">Forgot your password?</a>
</div>
</div>
</source>

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-08-19T13:25:32Z

Dak1n1: /* RoundCube Web Mail */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
cp /etc/denyhosts.conf /etc/denyhosts.conf.orig
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>
<source lang="bash">
diff -U 0 /etc/denyhosts.conf.orig /etc/denyhosts.conf
</source>
<source lang="diff">
--- /etc/denyhosts.conf.orig 2012-05-13 02:33:05.584566483 -0400
+++ /etc/denyhosts.conf 2012-05-13 02:34:19.386558503 -0400
@@ -96 +96 @@
-#BLOCK_SERVICE = ALL
+BLOCK_SERVICE = ALL
@@ -98 +98 @@
-BLOCK_SERVICE = sshd
+#BLOCK_SERVICE = sshd
@@ -547 +547 @@
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
@@ -582 +582 @@
-#SYNC_DOWNLOAD = yes
+SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
cp /etc/hosts.allow /etc/hosts.allow.orig
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
206.108.5.162
</source>
<source lang="bash">
diff -U 0 /etc/hosts.allow.orig /etc/hosts.allow
</source>
<source lang="diff">
--- /etc/hosts.allow.orig 2012-05-13 02:36:02.613767847 -0400
+++ /etc/hosts.allow 2012-05-13 02:40:37.473523845 -0400
@@ -10,0 +11,2 @@
+127.0.0.1
+206.108.5.162
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
/etc/init.d/denyhosts start
</source>
<source lang="text">
Starting denyhosts: [ OK ]
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind \
acpid bind-utils syslinux screen man bzip2 zip unzip php-pgsql php yum-utils
chkconfig acpid on
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg perl-Digest-Perl-MD5 mod_auth_pgsql perl-Digest-SHA perl-CGI perl-Time-HiRes
</source>

= Apache =

Apache is configured first with a global configuration, which also defines the "default" website which is shown when the server is called by it's IP address (or by a domain that is not configured). Then with per-domain configurations known as "virtual host containers".

First, the global configuration and default domain. We will put our default website in /var/www/default/. So the first step is to create the needed directories.

<source lang="bash">
mkdir -p /var/www/default/{html,cgi-bin,logs}
chown -R apache:apache /var/www
</source>

Now to edit the configuration file.

<source lang="bash">
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
vim /etc/httpd/conf/httpd.conf
</source>

{{note|1=This needs to be explained.}}

Make the following changes.

<source lang="bash">
diff -U 0 /etc/httpd/conf/httpd.conf.orig /etc/httpd/conf/httpd.conf
</source>
<source lang="diff">
--- /etc/httpd/conf/httpd.conf.orig 2012-05-13 19:32:07.718570148 -0400
+++ /etc/httpd/conf/httpd.conf 2012-05-13 21:48:18.439736244 -0400
@@ -103,6 +103,6 @@
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
@@ -119,5 +119,5 @@
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
@@ -262 +262 @@
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
@@ -276,0 +277 @@
+ServerName omiya.alteeve.ca:80
@@ -292 +293 @@
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
@@ -317 +318 @@
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
@@ -551 +552 @@
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
@@ -553 +554 @@
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
@@ -576 +577 @@
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
@@ -582 +583 @@
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
@@ -855 +856 @@
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
@@ -859 +860 @@
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
@@ -990 +991 @@
-#NameVirtualHost *:80
+NameVirtualHost *:80
@@ -1004,5 +1005,5 @@
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
@@ -1009,0 +1011 @@
+
</source>

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
[Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
</source>

Note that the [Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts is expected at this stage as we've not yet configured any virtual hosts.

All virtual host configuration files need to be created in the /etc/httpd/conf.d directory and the file must have the .conf suffix in order to be read by apache. These files will be read in order, so if you want to ensure that one file is read before another, as we will do shortly, you can prefix the configuration file with an integer to ensure read order.

I like to redirect all unknown server requests to http://unknown.alteeve.ca. For this, I will create an initial configuration file called 00_default.conf.

<source lang="bash">
vim /etc/httpd/conf.d/00_default.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin admin@alteeve.ca
DocumentRoot /var/www/default/html
ServerName unknown.alteeve.com
ErrorLog /var/www/default/logs/error.log
CustomLog /var/www/default/logs/access.log common
</VirtualHost>
</source>

Now we will do two kinds of checks; One for syntax and one to check the configuration of virtual host containers.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

We no longer see the warning from before as we now have our first virtual host configured.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
Syntax OK
</source>

We can now start the web server for the first time.

<source lang="bash">
/etc/init.d/httpd start
</source>
<source lang="text">
Starting httpd: [ OK ]
</source>

Perfect! Time to configure some real domains.

== Common Virtual Host Configurations ==

All domains on this server will be housed under either:

* /var/www/domain.tld/{cgi-bin,html,logs,temp}

Or, for [[SSL]] encrypted domains;

* /var/www/ssl_domain.tld/{cgi-bin,html,logs,temp}

The four directories found under the domain are used for hosting executable scripts (cgi-bin), standard [[HTML]] websites or websites with in-line code like [[PHP]] (html), log files (logs) and an optional temporary directory used for staging files (temp).

== Standard Virtual Hosts ==

This section covers the configuration on standard virtual host containers (using [[TCP]] port 80).

In this example, we will setup the domain http://mizu-bu.org.

First, create the directories for the domain's files.

<source lang="bash">
mkdir -p /var/www/mizu-bu.org/{cgi-bin,html,logs,temp}
</source>

Now create the virtual host container's configuration file. Note that in this example, it is a [http://www.mediawiki.org/ MediaWiki] website, so we will tell apache to look for index.php files by default.

<source lang="bash">
vim /etc/httpd/conf.d/mizu-bu.org.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin digimer@alteeve.com

ServerName mizu-bu.org
ServerAlias www.mizu-bu.org

DirectoryIndex index.html

DocumentRoot /var/www/mizu-bu.org/html/
<Directory /var/www/mizu-bu.org/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride Options
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/mizu-bu.org/cgi-bin/
<Directory "/var/www/mizu-bu.org/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/mizu-bu.org/logs/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/mizu-bu.org/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

As before, test the syntax and virtual host configurations.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost mizu-bu.org (/etc/httpd/conf.d/mizu-bu.org.conf:1)
Syntax OK
</source>


<source lang="bash">
</source>
<source lang="text">
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

== Common apachectl -t Configuration Problems ==

=== httpd: apr_sockaddr_info_get() failed for <domain> ===

Make sure that the hostname for the server resolves to an IP address. This is done by ensuring that the name returned by hostname has a [[DNS]] entry or has an entry in the /etc/hosts file.

=== [warn] NameVirtualHost *:80 has no VirtualHosts ===

This will be shown when no virtual host containers have been configured ye.

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
/etc/init.d/postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://vault.centos.org/6.3/os/Source/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== RoundCube Web Mail ==

Install the packages (these require the [[EPEL]] repo);

<source lang="bash">
yum install roundcubemail php-pear-MDB2-Driver-pgsql
</source>

You need to set the timezone in the /etc/php.ini file.

<source lang="bash">
cp /etc/php.ini /etc/php.ini.orig
vim /etc/php.ini
</source>

Set date.timezone value. If you aren't sure of the format or name of your timezone, run tzselect and follow the prompts. We want America/Toronto.

<source lang="bash">
diff -u /etc/php.ini.orig /etc/php.ini
</source>
<source lang="diff">
--- /etc/php.ini.orig 2012-08-18 22:27:05.244670258 -0400
+++ /etc/php.ini 2012-08-18 21:49:37.926938864 -0400
@@ -943,7 +943,7 @@
[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
-;date.timezone =
+date.timezone = America/Toronto

; http://www.php.net/manual/en/datetime.configuration.php#ini.date.default-latitude
;date.default_latitude = 31.7667
</source>

Create the database for roundcube

<source lang="bash">
su - postgres
createdb -O alteeve -E UNICODE roundcubemail
psql -U alteeve -D roundcubemail
\i /usr/share/doc/roundcubemail-0.5.4/SQL/postgres.initial.sql
</source>

Now setup roundcube for connecting to our DB;

<source lang="bash">
cp /etc/roundcubemail/db.inc.php /etc/roundcubemail/db.inc.php.orig
vim /etc/roundcubemail/db.inc.php
</source>

Now set the connection string. Note to switch the DB driver to pgsql.

<source lang="bash">
diff -u /etc/roundcubemail/db.inc.php.orig /etc/roundcubemail/db.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/db.inc.php.orig 2012-05-06 13:53:52.000000000 -0400
+++ /etc/roundcubemail/db.inc.php 2012-05-06 15:45:30.000000000 -0400
@@ -18,7 +18,7 @@
// format is db_provider://user:password@host/database
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php

-$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
+$rcmail_config['db_dsnw'] = 'pgsql://alteeve:secret@localhost/roundcubemail';
// postgres example: 'pgsql://roundcube:pass@localhost/roundcubemail';
// Warning: for SQLite use absolute path in DSN:
</source>

Now setup roundcube to communicate with the mail server.

<source lang="bash">
cp /etc/roundcubemail/main.inc.php /etc/roundcubemail/main.inc.php.orig
vim /etc/roundcubemail/main.inc.php
</source>

There are several variables to set. Our server will talk to localhost using [[tls]] on port 587 using [[CRAM_MD5]] encryption. We use, and require, [[https]] connections. There are a couple special values for querying the user's name and password from the database. Finally, we want to enable the user's browser's auto-complete functions and set the name shown to the users. Once all set, the diff should be similar to the one below.

<source lang="bash">
diff -u /etc/roundcubemail/main.inc.php.orig /etc/roundcubemail/main.inc.php
</source>
<source lang="diff">
--- /etc/roundcubemail/main.inc.php.orig 2012-05-06 13:53:59.000000000 -0400
+++ /etc/roundcubemail/main.inc.php 2012-07-06 14:59:07.000000000 -0400
@@ -65,7 +65,7 @@
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['default_host'] = '';
+$rcmail_config['default_host'] = 'localhost';

// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
@@ -121,22 +121,22 @@
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$rcmail_config['smtp_server'] = '';
+$rcmail_config['smtp_server'] = 'tls://mail.alteeve.ca';

// SMTP port (default is 25; 465 for SSL)
-$rcmail_config['smtp_port'] = 25;
+$rcmail_config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$rcmail_config['smtp_user'] = '';
+$rcmail_config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$rcmail_config['smtp_pass'] = '';
+$rcmail_config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$rcmail_config['smtp_auth_type'] = '';
+$rcmail_config['smtp_auth_type'] = 'CRAM-MD5';

// Optional SMTP authentication identifier to be used as authorization proxy
$rcmail_config['smtp_auth_cid'] = null;
@@ -179,16 +179,16 @@
// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
-$rcmail_config['force_https'] = false;
+$rcmail_config['force_https'] = true;

// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
-$rcmail_config['use_https'] = false;
+$rcmail_config['use_https'] = true;

// Allow browser-autocompletion on login form.
// 0 - disabled, 1 - username and host only, 2 - username, host, password
-$rcmail_config['login_autocomplete'] = 0;
+$rcmail_config['login_autocomplete'] = 1;

// If users authentication is not case sensitive this must be enabled.
// You can also use it to force conversion of logins to lower case.
@@ -261,7 +261,7 @@
$rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;

// use this name to compose page titles
-$rcmail_config['product_name'] = 'Roundcube Webmail';
+$rcmail_config['product_name'] = 'AN!Mail';

// try to load host-specific configuration
// see http://trac.roundcube.net/wiki/Howto_Config for more details
</source>

That should be it.

==== Adding a password-reset link to the login page ====

Edit the login page template to insert the AN!Console password recovery link.

<source lang="bash">
vim /usr/share/roundcubemail/skins/default/templates/login.html</source>

(The part we're adding is the '<a href=""></a>'. Other parts of the template file are included here as a reference.)
<source lang="bash">
<div id="login-form">
<div class="boxtitle"><roundcube:label name="welcome" /></div>
<div class="boxcontent">

<form name="form" action="./" method="post">
<roundcube:object name="loginform" form="form" />

<input type="submit" class="button mainaction" value="<roundcube:label name='login' />" />

</form>
<a href="../../cgi-bin/t/password.cgi">Forgot your password?</a>
</div>
</div>
</source>

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-06-15T22:11:43Z

Dak1n1: /* Adding a password-reset link to the login page */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
cp /etc/denyhosts.conf /etc/denyhosts.conf.orig
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>
<source lang="bash">
diff -U 0 /etc/denyhosts.conf.orig /etc/denyhosts.conf
</source>
<source lang="diff">
--- /etc/denyhosts.conf.orig 2012-05-13 02:33:05.584566483 -0400
+++ /etc/denyhosts.conf 2012-05-13 02:34:19.386558503 -0400
@@ -96 +96 @@
-#BLOCK_SERVICE = ALL
+BLOCK_SERVICE = ALL
@@ -98 +98 @@
-BLOCK_SERVICE = sshd
+#BLOCK_SERVICE = sshd
@@ -547 +547 @@
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
@@ -582 +582 @@
-#SYNC_DOWNLOAD = yes
+SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
cp /etc/hosts.allow /etc/hosts.allow.orig
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
206.108.5.162
</source>
<source lang="bash">
diff -U 0 /etc/hosts.allow.orig /etc/hosts.allow
</source>
<source lang="diff">
--- /etc/hosts.allow.orig 2012-05-13 02:36:02.613767847 -0400
+++ /etc/hosts.allow 2012-05-13 02:40:37.473523845 -0400
@@ -10,0 +11,2 @@
+127.0.0.1
+206.108.5.162
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
/etc/init.d/denyhosts start
</source>
<source lang="text">
Starting denyhosts: [ OK ]
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind \
acpid bind-utils syslinux
chkconfig acpid on
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg perl-Digest-Perl-MD5
</source>

= Apache =

Apache is configured first with a global configuration, which also defines the "default" website which is shown when the server is called by it's IP address (or by a domain that is not configured). Then with per-domain configurations known as "virtual host containers".

First, the global configuration and default domain. We will put our default website in /var/www/default/. So the first step is to create the needed directories.

<source lang="bash">
mkdir -p /var/www/default/{html,cgi-bin,logs}
chown -R apache:apache /var/www
</source>

Now to edit the configuration file.

<source lang="bash">
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
vim /etc/httpd/conf/httpd.conf
</source>

{{note|1=This needs to be explained.}}

Make the following changes.

<source lang="bash">
diff -U 0 /etc/httpd/conf/httpd.conf.orig /etc/httpd/conf/httpd.conf
</source>
<source lang="diff">
--- /etc/httpd/conf/httpd.conf.orig 2012-05-13 19:32:07.718570148 -0400
+++ /etc/httpd/conf/httpd.conf 2012-05-13 21:48:18.439736244 -0400
@@ -103,6 +103,6 @@
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
@@ -119,5 +119,5 @@
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
@@ -262 +262 @@
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
@@ -276,0 +277 @@
+ServerName omiya.alteeve.ca:80
@@ -292 +293 @@
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
@@ -317 +318 @@
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
@@ -551 +552 @@
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
@@ -553 +554 @@
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
@@ -576 +577 @@
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
@@ -582 +583 @@
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
@@ -855 +856 @@
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
@@ -859 +860 @@
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
@@ -990 +991 @@
-#NameVirtualHost *:80
+NameVirtualHost *:80
@@ -1004,5 +1005,5 @@
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
@@ -1009,0 +1011 @@
+
</source>

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
[Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
</source>

Note that the [Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts is expected at this stage as we've not yet configured any virtual hosts.

All virtual host configuration files need to be created in the /etc/httpd/conf.d directory and the file must have the .conf suffix in order to be read by apache. These files will be read in order, so if you want to ensure that one file is read before another, as we will do shortly, you can prefix the configuration file with an integer to ensure read order.

I like to redirect all unknown server requests to http://unknown.alteeve.ca. For this, I will create an initial configuration file called 00_default.conf.

<source lang="bash">
vim /etc/httpd/conf.d/00_default.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin admin@alteeve.ca
DocumentRoot /var/www/default/html
ServerName unknown.alteeve.com
ErrorLog /var/www/default/logs/error.log
CustomLog /var/www/default/logs/access.log common
</VirtualHost>
</source>

Now we will do two kinds of checks; One for syntax and one to check the configuration of virtual host containers.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

We no longer see the warning from before as we now have our first virtual host configured.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
Syntax OK
</source>

We can now start the web server for the first time.

<source lang="bash">
/etc/init.d/httpd start
</source>
<source lang="text">
Starting httpd: [ OK ]
</source>

Perfect! Time to configure some real domains.

== Common Virtual Host Configurations ==

All domains on this server will be housed under either:

* /var/www/domain.tld/{cgi-bin,html,logs,temp}

Or, for [[SSL]] encrypted domains;

* /var/www/ssl_domain.tld/{cgi-bin,html,logs,temp}

The four directories found under the domain are used for hosting executable scripts (cgi-bin), standard [[HTML]] websites or websites with in-line code like [[PHP]] (html), log files (logs) and an optional temporary directory used for staging files (temp).

== Standard Virtual Hosts ==

This section covers the configuration on standard virtual host containers (using [[TCP]] port 80).

In this example, we will setup the domain http://mizu-bu.org.

First, create the directories for the domain's files.

<source lang="bash">
mkdir -p /var/www/mizu-bu.org/{cgi-bin,html,logs,temp}
</source>

Now create the virtual host container's configuration file. Note that in this example, it is a [http://www.mediawiki.org/ MediaWiki] website, so we will tell apache to look for index.php files by default.

<source lang="bash">
vim /etc/httpd/conf.d/mizu-bu.org.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin digimer@alteeve.com

ServerName mizu-bu.org
ServerAlias www.mizu-bu.org

DirectoryIndex index.html

DocumentRoot /var/www/mizu-bu.org/html/
<Directory /var/www/mizu-bu.org/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride Options
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/mizu-bu.org/cgi-bin/
<Directory "/var/www/mizu-bu.org/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/mizu-bu.org/logs/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/mizu-bu.org/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

As before, test the syntax and virtual host configurations.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost mizu-bu.org (/etc/httpd/conf.d/mizu-bu.org.conf:1)
Syntax OK
</source>


<source lang="bash">
</source>
<source lang="text">
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

== Common apachectl -t Configuration Problems ==

=== httpd: apr_sockaddr_info_get() failed for <domain> ===

Make sure that the hostname for the server resolves to an IP address. This is done by ensuring that the name returned by hostname has a [[DNS]] entry or has an entry in the /etc/hosts file.

=== [warn] NameVirtualHost *:80 has no VirtualHosts ===

This will be shown when no virtual host containers have been configured ye.

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
/etc/init.d/postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== RoundCube Web Mail ==
Poke dak1n1 to document this!

==== Adding a password-reset link to the login page ====
Edit the login page template to insert the link.
<source lang="bash">
vim /usr/share/roundcubemail/skins/default/templates/login.html</source>

(The part we're adding is the '<a href=""></a>'. Other parts of the template file are included here as a reference.)
<source lang="bash">
<div id="login-form">
<div class="boxtitle"><roundcube:label name="welcome" /></div>
<div class="boxcontent">

<form name="form" action="./" method="post">
<roundcube:object name="loginform" form="form" />

<input type="submit" class="button mainaction" value="<roundcube:label name='login' />" />

</form>
<a href="../../cgi-bin/t/password.cgi">Forgot your password?</a>
</div>
</div>
</source>
== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-06-15T22:10:31Z

Dak1n1: /* Postgrey Greylisting */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
cp /etc/denyhosts.conf /etc/denyhosts.conf.orig
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>
<source lang="bash">
diff -U 0 /etc/denyhosts.conf.orig /etc/denyhosts.conf
</source>
<source lang="diff">
--- /etc/denyhosts.conf.orig 2012-05-13 02:33:05.584566483 -0400
+++ /etc/denyhosts.conf 2012-05-13 02:34:19.386558503 -0400
@@ -96 +96 @@
-#BLOCK_SERVICE = ALL
+BLOCK_SERVICE = ALL
@@ -98 +98 @@
-BLOCK_SERVICE = sshd
+#BLOCK_SERVICE = sshd
@@ -547 +547 @@
-#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
+SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
@@ -582 +582 @@
-#SYNC_DOWNLOAD = yes
+SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
cp /etc/hosts.allow /etc/hosts.allow.orig
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
206.108.5.162
</source>
<source lang="bash">
diff -U 0 /etc/hosts.allow.orig /etc/hosts.allow
</source>
<source lang="diff">
--- /etc/hosts.allow.orig 2012-05-13 02:36:02.613767847 -0400
+++ /etc/hosts.allow 2012-05-13 02:40:37.473523845 -0400
@@ -10,0 +11,2 @@
+127.0.0.1
+206.108.5.162
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
/etc/init.d/denyhosts start
</source>
<source lang="text">
Starting denyhosts: [ OK ]
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind \
acpid bind-utils syslinux
chkconfig acpid on
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg perl-Digest-Perl-MD5
</source>

= Apache =

Apache is configured first with a global configuration, which also defines the "default" website which is shown when the server is called by it's IP address (or by a domain that is not configured). Then with per-domain configurations known as "virtual host containers".

First, the global configuration and default domain. We will put our default website in /var/www/default/. So the first step is to create the needed directories.

<source lang="bash">
mkdir -p /var/www/default/{html,cgi-bin,logs}
chown -R apache:apache /var/www
</source>

Now to edit the configuration file.

<source lang="bash">
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
vim /etc/httpd/conf/httpd.conf
</source>

{{note|1=This needs to be explained.}}

Make the following changes.

<source lang="bash">
diff -U 0 /etc/httpd/conf/httpd.conf.orig /etc/httpd/conf/httpd.conf
</source>
<source lang="diff">
--- /etc/httpd/conf/httpd.conf.orig 2012-05-13 19:32:07.718570148 -0400
+++ /etc/httpd/conf/httpd.conf 2012-05-13 21:48:18.439736244 -0400
@@ -103,6 +103,6 @@
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
@@ -119,5 +119,5 @@
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
@@ -262 +262 @@
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
@@ -276,0 +277 @@
+ServerName omiya.alteeve.ca:80
@@ -292 +293 @@
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
@@ -317 +318 @@
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
@@ -551 +552 @@
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
@@ -553 +554 @@
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
@@ -576 +577 @@
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
@@ -582 +583 @@
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
@@ -855 +856 @@
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
@@ -859 +860 @@
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
@@ -990 +991 @@
-#NameVirtualHost *:80
+NameVirtualHost *:80
@@ -1004,5 +1005,5 @@
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
@@ -1009,0 +1011 @@
+
</source>

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
[Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
</source>

Note that the [Sun May 13 21:48:11 2012] [warn] NameVirtualHost *:80 has no VirtualHosts is expected at this stage as we've not yet configured any virtual hosts.

All virtual host configuration files need to be created in the /etc/httpd/conf.d directory and the file must have the .conf suffix in order to be read by apache. These files will be read in order, so if you want to ensure that one file is read before another, as we will do shortly, you can prefix the configuration file with an integer to ensure read order.

I like to redirect all unknown server requests to http://unknown.alteeve.ca. For this, I will create an initial configuration file called 00_default.conf.

<source lang="bash">
vim /etc/httpd/conf.d/00_default.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin admin@alteeve.ca
DocumentRoot /var/www/default/html
ServerName unknown.alteeve.com
ErrorLog /var/www/default/logs/error.log
CustomLog /var/www/default/logs/access.log common
</VirtualHost>
</source>

Now we will do two kinds of checks; One for syntax and one to check the configuration of virtual host containers.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

We no longer see the warning from before as we now have our first virtual host configured.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
Syntax OK
</source>

We can now start the web server for the first time.

<source lang="bash">
/etc/init.d/httpd start
</source>
<source lang="text">
Starting httpd: [ OK ]
</source>

Perfect! Time to configure some real domains.

== Common Virtual Host Configurations ==

All domains on this server will be housed under either:

* /var/www/domain.tld/{cgi-bin,html,logs,temp}

Or, for [[SSL]] encrypted domains;

* /var/www/ssl_domain.tld/{cgi-bin,html,logs,temp}

The four directories found under the domain are used for hosting executable scripts (cgi-bin), standard [[HTML]] websites or websites with in-line code like [[PHP]] (html), log files (logs) and an optional temporary directory used for staging files (temp).

== Standard Virtual Hosts ==

This section covers the configuration on standard virtual host containers (using [[TCP]] port 80).

In this example, we will setup the domain http://mizu-bu.org.

First, create the directories for the domain's files.

<source lang="bash">
mkdir -p /var/www/mizu-bu.org/{cgi-bin,html,logs,temp}
</source>

Now create the virtual host container's configuration file. Note that in this example, it is a [http://www.mediawiki.org/ MediaWiki] website, so we will tell apache to look for index.php files by default.

<source lang="bash">
vim /etc/httpd/conf.d/mizu-bu.org.conf
</source>
<source lang="text">
<VirtualHost *:80>
ServerAdmin digimer@alteeve.com

ServerName mizu-bu.org
ServerAlias www.mizu-bu.org

DirectoryIndex index.html

DocumentRoot /var/www/mizu-bu.org/html/
<Directory /var/www/mizu-bu.org/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride Options
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/mizu-bu.org/cgi-bin/
<Directory "/var/www/mizu-bu.org/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/mizu-bu.org/logs/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/mizu-bu.org/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

As before, test the syntax and virtual host configurations.

<source lang="bash">
apachectl -S
</source>
<source lang="text">
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 omiya.alteeve.ca (/etc/httpd/conf.d/ssl.conf:74)
*:80 is a NameVirtualHost
default server unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost unknown.alteeve.com (/etc/httpd/conf.d/00_default.conf:1)
port 80 namevhost mizu-bu.org (/etc/httpd/conf.d/mizu-bu.org.conf:1)
Syntax OK
</source>


<source lang="bash">
</source>
<source lang="text">
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

== Common apachectl -t Configuration Problems ==

=== httpd: apr_sockaddr_info_get() failed for <domain> ===

Make sure that the hostname for the server resolves to an IP address. This is done by ensuring that the name returned by hostname has a [[DNS]] entry or has an entry in the /etc/hosts file.

=== [warn] NameVirtualHost *:80 has no VirtualHosts ===

This will be shown when no virtual host containers have been configured ye.

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
/etc/init.d/postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== RoundCube Web Mail ==
Poke dak1n1 to document this!

==== Adding a password-reset link to the login page ====
Edit the login page template to insert the link.
<source lang="bash">
vim /usr/share/roundcubemail/skins/default/templates/login.html</source>

(The part we're adding is the '<a href=""></a>'. Other parts of the template file are included here as a reference.)
<source lang="bash">
<div id="login-form">
<div class="boxtitle"><roundcube:label name="welcome" /></div>
<div class="boxcontent">

<form name="form" action="./" method="post">
<roundcube:object name="loginform" form="form" />

<input type="submit" class="button mainaction" value="<roundcube:label name='login' />" />

</form>
<a href="../../cgi-bin/t/password.cgi">Forgot your password?</a>
</div>
</div>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-05-07T18:19:16Z

Dak1n1: /* Post OS Install */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add protect=0 or protect=1 to the repo's config file.
<source lang="bash">
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each paragraph
diff -U 0 /etc/yum.repos.d/CentOS-Base.repo.orig /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/CentOS-Base.repo.orig 2012-05-07 01:07:47.688145406 -0400
+++ /etc/yum.repos.d/CentOS-Base.repo 2012-05-07 01:08:15.915322496 -0400
@@ -18,0 +19 @@
+protect=1
@@ -26,0 +28 @@
+protect=1
@@ -34,0 +37 @@
+protect=1
@@ -43,0 +47 @@
+protect=1
@@ -52,0 +57 @@
+protect=1
</source>

<source lang="bash">
cp /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
vim /etc/yum.repos.d/epel.repo
# add protect=0 to each paragraph
diff -U 0 /etc/yum.repos.d/epel.repo.orig /etc/yum.repos.d/epel.repo
</source>
<source lang="bash">
--- /etc/yum.repos.d/epel.repo.orig 2012-05-07 01:08:58.279379860 -0400
+++ /etc/yum.repos.d/epel.repo 2012-05-07 01:09:18.144157701 -0400
@@ -8,0 +9 @@
+protect=0
@@ -17,0 +19 @@
+protect=0
@@ -26,0 +29 @@
+protect=0
</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">
vim /etc/denyhosts.conf
</source>
<source lang="bash">
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">
vim /etc/hosts.allow
</source>
<source lang="bash">
127.0.0.1
</source>

Start the service.
<source lang="bash">
chkconfig denyhosts on
service denyhosts start
</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-05-06T17:51:55Z

Dak1n1: /* Protecting against malicious users with Denyhosts. */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add 'protect=0' or protect=1 to the repo's config file.
<source lang="bash">vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each section</source>

<source lang="bash">vim /etc/yum.repos.d/epel.repo
# add protect=0 to each section</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">vim /etc/denyhosts.conf
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">vim /etc/hosts.allow
127.0.0.1</source>

Start the service.
<source lang="bash">service denyhosts start
chkconfig denyhosts on</source>

=== Additional software to install ===
To view neatly-summarized daily logs, and system resource usage.
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-05-06T17:50:05Z

Dak1n1: /* Protecting against malicious users with Denyhosts. */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add 'protect=0' or protect=1 to the repo's config file.
<source lang="bash">vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each section</source>

<source lang="bash">vim /etc/yum.repos.d/epel.repo
# add protect=0 to each section</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">vim /etc/denyhosts.conf
BLOCK_SERVICE = ALL
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">vim /etc/hosts.allow
127.0.0.1</source>

Start the service.
<source lang="bash">service denyhosts start
chkconfig denyhosts on</source>

Additional useful software. (For neatly summarizing daily logs and viewing system resource usage.)
<source lang="bash">yum -y install logwatch htop</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-05-06T17:46:26Z

Dak1n1: /* Post OS Install */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, some post-install preparation. We'll need to set up some basic security, a program to report server statistics, and some 3rd-party yum repositories for additional software.

Yum repo install.
<source lang="bash">yum -y install yum-protectbase
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt # import keys
rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm # verify package integrity
rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm # install
# install EPEL
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
</source>

The yum-protectbase plugin will ensure that the 3rd-party repos play nicely and never overwrite the Base repos. To use this plugin with a specific repo, add 'protect=0' or protect=1 to the repo's config file.
<source lang="bash">vim /etc/yum.repos.d/CentOS-Base.repo
# add protect=1 to each section</source>

<source lang="bash">vim /etc/yum.repos.d/epel.repo
# add protect=0 to each section</source>

=== Protecting against malicious users with Denyhosts. ===
Denyhosts is a daemon that watches for too many failed logins via ssh. It uses TCP-wrappers to deny the user access to ssh (or any service) on the server after X failed logins. It has the option to download a list of known malicious IPs and add them to /hosts.deny, making possible to block attackers before they attack the server.

Install denyhosts
<source lang="bash">yum -y install denyhosts</source>

Edit the config to your preferences.
<source lang="bash">vim /etc/denyhosts.conf
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_DOWNLOAD = yes
</source>

White-list any trusted machines, including localhost.
<source lang="bash">vim /etc/hosts.allow
127.0.0.1</source>

Start the service.
<source lang="bash">service denyhosts start
chkconfig denyhosts on</source>

Packages for web server and wiki install.
<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:47:44Z

Dak1n1: /* Setup Postfix SMTP Authentication using Dovecot */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination

# general smtpd settings
# - reject clients that speak too early
# - reject mail from a null address to many recipients (usually spam)
smtpd_data_restrictions =
reject_unauth_pipelining
reject_multi_recipient_bounce
permit
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:46:14Z

Dak1n1: /* Postgrey Greylisting */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options. This will delay mail from untrusted sources by 6 minutes. A legitimate mailserver will resend the request after that time, and be allowed through. But spam is generally sent out only once, so those messages will drop.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:41:28Z

Dak1n1: /* Postgrey Greylisting */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>

Configure Postfix to check SMTP requests through Postgrey. Postgrey will decide if the mail should be blocked or accepted.
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:38:40Z

Dak1n1: /* Postgrey Greylisting */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source lang="bash">yum -y install postgrey</source>

Create the config file with the following options.
<source lang="bash">vim /etc/sysconfig/postgrey</source>
<source lang="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source lang="bash">chkconfig --levels 345 postgrey on</source>

<source lang="bash">/etc/postfix/main.cf</source>
<source lang="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source lang="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:37:39Z

Dak1n1:

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Postgrey Greylisting ==

Enabling postgrey for anti-spam greylisting.

First install the RPMForge repos. (See [http://dak1n1.com/blog/3-getting-more-from-yum-with-rpmforge-and-epel-repos Dakini's blog] for details.)

<source="bash">yum -y install postgrey</source>

Create the config file with the following options.
<source="bash">vim /etc/sysconfig/postgrey</source>
<source="bash">OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=360"</source>

Ensure that Postgrey starts on boot.
<source="bash">chkconfig --levels 345 postgrey on</source>

<source="bash">/etc/postfix/main.cf</source>
<source="bash">
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_policy_service unix:postgrey/socket</source>

Restart Postfix and Postgrey to take affect.
<source="bash">
service postgrey start
service postfix restart
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:27:40Z

Dak1n1:

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
disable_plaintext_auth = yes
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}

PPPower Server

2012-03-25T17:24:26Z

Dak1n1: /* User Password Encryption */

{{howto_header}}

With tongue firmly in cheek, this is a tutorial on building an [[EL6]] server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.

= Post OS Install =

First, the packages we will want to install:

<source lang="bash">
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
</source>

Packages that are currently needed for personal stuff.

<source lang="bash">
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
</source>

= Apache =

After all changes, use this to make sure there are no syntax errors.

<source lang="bash">
service httpd configtest
</source>
<source lang="text">
Syntax OK
</source>

{{note|1=This needs to be explained.}}

<source lang="bash">
diff -u httpd.conf.orig httpd.conf
</source>
<source lang="diff">
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>

# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>

@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com

#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"

#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">

#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"

-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
</source>

== SSL Virtual Hosts ==

SSL provides for secure client to server communications.

=== Creating The Signed Certificate ===

This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.

First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.

<source lang="bash">
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
</source>
<source lang="text">
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
</source>

Now create a [[CSR]] (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.

{{note|1=The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it.}}

<source lang="bash">
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
</source>
<source lang="text">
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</source>

Test that the CSR file is ok.

<source lang="bash">
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
</source>
<source lang="text">
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
</source>

Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.

Save the signed certificate:

<source lang="bash">
vim /etc/pki/CA/ssl_alteeve.com.crt
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.

<source lang="bash">
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
</source>
<source lang="text">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</source>

=== Creating An SSL Virtual Host ===

Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.

Setup the directories and then create a trivial index.html file.

<source lang="bash">
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
</source>
<source lang="apache">
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
</source>

Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.

{{note|1=This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs.}}

<source lang="bash">
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
</source>
<source lang="apache">
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com

ServerName alteeve.com

DirectoryIndex index.php index.html

# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key

DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
</source>

==== Bad Identity Error ====

If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.

For example, on Firefox 4, you may see:

<source lang="text">
This web site does not supply identity information.

Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
</source>

In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.

=== Testing and Using the New Configuration ===

Test your new Apache configuration.

<source lang="bash">
apachectl -t
</source>
<source lang="text">
Syntax OK
</source>

Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.

<source lang="bash">
/etc/init.d/httpd restart
</source>
<source lang="text">
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server alteeve.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
</source>

{{warning|1=From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you.}}

Now make sure that you can still connect to your server on [[TCP]] port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:

<source lang="bash">
telnet localhost 80
</source>
<source lang="text">
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
</source>

Now to check that the SSL port is listening properly. We can't use [[telnet]] because of the SSL encryption. Instead we will use openssl.

<source lang="bash">
openssl s_client -connect localhost:443 -state -debug
</source>
<source lang="text">
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.

Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
</source>

Perfect!

=== Open Port 443 On The Firewall ===

At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.

Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.

<source lang="bash">
vim /etc/sysconfig/iptables
</source>
<source lang="text">
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</source>
<source lang="bash">
/etc/init.d/iptables restart
</source>
<source lang="text">
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
</source>

=== Browse to the New Virtual Host ===

You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).

[[Image:SSL_Test_Page_01.png|thumb|center|741px|Test SSL virtual host in Firefox 4.]]

Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!

= PostgreSQL =

We need to initialize the postgres core databases before we can start it for the first time.

<source lang="bash">
service postgresql initdb
</source>
<source lang="text">
Initializing database: [ OK ]
</source>

From now on, we can start PostgreSQL normally.

<source lang="bash">
/etc/init.d/postgresql restart
</source>
<source lang="text">
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
</source>

Create the admin user called alteeve which will own the databases we will create and use.

<source lang="bash">
su - postgres
createuser -S -d -R alteeve
psql template1
</source>

At the shell, run the following:

<source lang="sql">
ALTER USER alteeve WITH PASSWORD 'secret';
</source>
<source lang="text">
ALTER ROLE
</source>
<source lang="sql">
\q
</source>

Tell PostgreSQL to require a password for the alteeve user.

<source lang="bash">
vim /var/lib/pgsql/data/pg_hba.conf
</source>
<source lang="diff">
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@

# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5

# "local" is for Unix domain socket connections only
local all all ident
</source>

Reload PostgreSQL's configuration.

<source lang="bash">
/etc/init.d/postgresql reload
</source>

Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.

<source lang="bash">
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
</source>
<source lang="text">
Password for user alteeve:
psql (8.4.7)
Type "help" for help.

an_wiki=>
</source>

Now load a database from a backup file.

<source lang="bash">
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
</source>
<source lang="text">
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)

CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
</source>

Voila!

== Media Wiki Problem ==

If you moved a MediaWiki DB and it generated an error like this in the log file:

<source lang="text">
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
</source>

The fix is to run:

<source lang="sql">
ALTER DATABASE an_wiki SET search_path=mediawiki;
</source>

Of course, replace an_wiki with the name of your wiki database.

= MySQL =

Start MySQL for the first time:

<source lang="bash">
/etc/init.d/mysqld start
</source>
<source lang="text">
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

[ OK ]
Starting mysqld: [ OK ]
</source>

Secure the server.

<source lang="bash">
mysql_secure_installation
</source>
<source lang="text">
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
</source>

= BIND =

{{note|1=This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your [[EL6]] server only.}}

This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.

== Install bind ==

<source lang="bash">
yum install bind bind-libs bind-utils
</source>

== Global Configuration ==

Edit the main configuration file, making a backup first.

<source lang="bash">
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
</source>

Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;

<source lang="dot">
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
</source>

For now, we're going to disable DNSSEC. Make the following changes;

<source lang="dot">
dnssec-enable no;
dnssec-validation no;
</source>

Now tell bind where to look for a domain name's IP when we don't know. Add;

<source lang="dot">
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
</source>

This server will have a slave, and we want to notify that slave when a record changes. Add;

<source lang="dot">
notify yes;
</source>

Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;

<source lang="bash">
diff -u /etc/named.conf.orig /etc/named.conf
</source>
<source lang="diff">
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//

options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
</source>

== Adding Zones ==

This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.

Backup then edit the zones file.

<source lang="bash">
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
</source>

In here is where we add the entries for the domains we have [[SOA]] for at the end of the file. These will differ for every install, so only two examples will be shown.

<source lang="dot">
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};

zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
</source>

This tutorial does not aim to cover actual zone files, but here is one for reference:

<source lang="bash">
cat /etc/named/db.45years.ca
</source>
<source lang="text">
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
</source>

== Adding a Firewall Entry ==

Assuming you have a firewall running, be sure to add an entry for [[TCP]] port 53.

== (Re)Start BIND ==

Once all the configuration files and domain zone files are in place, (re)start the named service.

<source lang="bash">
/etc/init.d/named restart
</source>
<source lang="text">
Stopping named: . [ OK ]
Starting named: [ OK ]
</source>

== Testing Name resolution ==

To properly test name resolution, you will want to resolve a domain we are [[SOA]] for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @localhost
</source>
<source lang="text">
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.

;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
</source>

Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.

On the server;

Query alteeve.com, which we're SOA for.

<source lang="bash">
dig alteeve.com @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alteeve.com. IN A

;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121

;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.

;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119

;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
</source>

Now query google.ca which we obviously are not SOA for.

<source lang="bash">
dig google.ca @78.46.37.135
</source>
<source lang="text">
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.ca. IN A

;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56

;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.

;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
</source>

Done!

= Email =

This is a pretty heavily customized postfix install using a custom schema. It was originally based on [http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch this Debian Etch] tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial [http://workaround.org/ispmail/squeeze/big-picture is here]. I also used [http://en.gentoo-wiki.com/wiki/Mail_server_using_Postfix_and_Dovecot this tutorial] to help sort out the PostgreSQL stuff.

This will use a few applications;
* Postfix - The program that receives email.
* PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
* Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
* Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)

We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.

== Install ==

To install the applications;

<source lang="bash">
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
</source>

== Configuring Postfix ==

Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.

This tutorial uses the following values that you may need to adjust;
* Database name; an_tools
* Database user; alteeve
* Database password; secret
* Database host; 127.0.0.1

{{note|1=Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard [[unix]] socket.}}

=== Building Support for PostgreSQL ===

{{warning|1=We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall.}}

Add the source [[RPM]] repository by adding the following;

<source lang="bash">
vim /etc/yum.repos.d/CentOS-Base.repo
</source>
<source lang="bash">
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
</source>

Now download the source RPM for postfix.

<source lang="bash">
yumdownloader --source postfix
</source>
<source lang="text">
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
</source>

Now that we have the postfix source RPM, we will install it.

<source lang="bash">
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
</source>
<source lang="text">
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
</source>

Now edit the .spec file to enable postgres support.

<source lang="bash">
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
</source>

Make the following changes.

* Enable PostgreSQL support
<source lang="text">
%{?!PGSQL: %define PGSQL 1}
</source>

Increment the release version by one.
<source lang="text">
Release: 3%{?dist}
</source>

We can see the changes here:

<source lang="bash">
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="diff">
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
</source>

Now rebuild the RPM, which means we need to install the build tools.

<source lang="bash">
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
</source>
<source lang="text">
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
</source>

Install the updated postfix.

<source lang="bash">
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
</source>
<source lang="text">
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
</source>

Now exclude postfix from future updates.

<source lang="bash">
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
</source>
<source lang="text">
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*

# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
</source>

=== Basic Postfix Configuration ===

Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.

Comment out the following:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
</source>

And uncomment/add these:
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
</source>

=== Setup Virtual Domain Lookup ===

This tells postfix how to find which domains we have.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
</source>

Now tell Postfix to use this new file by appending the following to the main postfix configuration file.

<source lang="bash">
vim /etc/postfix/main.cf
</source>
<source lang="bash">
# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>

Now reload postfix;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.

<source lang="bash">
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
1
</source>

Now make sure it returns nothing when query a bad domain.

<source lang="bash">
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Mailbox Mapping ===

This section will tell postfix which users for a given domain are valid.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'
</source>

Tell postfix to use this new file when looking up users.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

And add:

<source lang="text">
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>

Reload postfix.

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
1
</source>
<source lang="bash">
postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

=== Setup Email Forwards ===

This will allow for email addresses to be forwarded to other email addresses.

<source lang="bash">
vim /etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'
</source>

Now tell postfix where to look.

<source lang="bash">
vim /etc/postfix/main.cf
</source>

Add;

<source lang="text">
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>

Reload;

<source lang="bash">
/etc/init.d/postfix reload
</source>
<source lang="text">
Reloading postfix: [ OK ]
</source>

I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.

<source lang="bash">
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
mkelly@alteeve.com
</source>

An email address with no forward should return nothing.

<source lang="bash">
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf
</source>
<source lang="text">
<nothing returned>
</source>

Excellent.

=== Setup Postfix Mail Delivery via Dovecot ===

Define a mail transport method in the main Postfix config.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email

# deliver mail via dovecot
virtual_transport = dovecot

# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1
</source>

Tell Postfix what virtual_transport "dovecot" means, and how to use it.
<source lang="bash">vim /etc/postfix/master.cf</source>
Append this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
<source lang="bash">
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
</source>

=== Setup Postfix SMTP Authentication using Dovecot ===

Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.

<source lang="bash">vim /etc/postfix/main.cf</source>
Append the following to enable smtp authentication:
<source lang="bash">
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes

# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
</source>

== Configuring Dovecot ==

Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.

<source lang="bash">
useradd -m vmail
mkdir /email
chown -R vmail:vmail /email
</source>

Dovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.

<source lang="bash">
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.conf
</source>

Dovecot uses .d style configuration files.

* Authentication

<source lang="bash">
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.conf
</source>

Tell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).

<source lang="text">
disable_plaintext_auth = no
</source>

Tell it not to use the database, and not local users for mail delivery.

<source lang="text">
#!include auth-system.conf.ext
!include auth-sql.conf.ext
</source>

* Mail store

Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.

<source lang="bash">
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.conf
</source>
<source lang="text">
mail_location = mbox:/email/%d/%n
</source>

=== Dovecot Authentication and SQL Settings ===

We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the
auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.

<source lang="bash">
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.ext
</source>
<source lang="text">
userdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}
</source>

* Now configure the SQL server access details.

{{note|1=Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications.}}

<source lang="bash">
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.ext
</source>

Tell dovecot to use PostgreSQL.

<source lang="text">
driver = pgsql
</source>

Configure the connection string.

{{note|1=If your database uses a password with a space character in it, quote the password. Ie: password='super secret'.}}

<source lang="text">
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secret
</source>

Tell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).

<source lang="text">
default_pass_scheme = PLAIN
</source>

Tell dovecot how to pull use the user's password.

<source lang="text">
password_query = SELECT email, password FROM email_password WHERE email='%u'
</source>

The last thing to setup is the user query. The query needs to return the [[UID]] and [[GID]] of the vmail user we setup earlier. To get it, you can use the id command.

<source lang="bash">
id vmail
</source>
<source lang="text">
uid=503(vmail) gid=503(vmail) groups=503(vmail)
</source>

The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.

<source lang="text">
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'
</source>

=== Configure Listener Sockets ===

Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
</source>

Configure Dovecot to authenticate Postfix SMTP requests.
<source lang="bash">vim /etc/dovecot/conf.d/10-master.conf</source>
<source lang="bash">
unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}
</source>

=== Enable Logging ===

This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.

<source lang="bash">vim /etc/dovecot/conf.d/10-logging.conf</source>
<source lang="bash">
log_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yes
</source>

At this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
<source lang="bash">
service postfix restart
service dovecot restart
</source>

Watch the maillog while attempting to authenticate with an email client like Thunderbird.
<source lang="bash">
tail -f /var/log/maillog
</source>

If basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.

== SSL/TLS ==

Add TLS support to Postfix, to encrypt SMTP authentication traffic.
<source lang="bash">vim /etc/postfix/main.cf</source>
<source lang="bash">
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1
</source>

Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
<source lang="bash">vim /etc/dovecot/conf.d/10-ssl.conf </source>
<source lang="bash">
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key

# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Dovecot prefers the following permissions for SSL certs, so set them accordingly.
<source lang="bash">
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pem
</source>

Restart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.

== User Password Encryption ==

In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.

<source lang="bash">vim /etc/dovecot/conf.d/10-auth.conf</source>
Remove the "plain" authentication, and replace with cram-md5.
<source lang="bash">
auth_mechanisms = cram-md5
</source>

Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
<source lang="bash">doveadm -v pw -s CRAM-MD5 -p mypassword</source>
It will return a hash like this.
<source lang="bash">
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717</source>

Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.

To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.

<source lang="bash">
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database

export PGUSER="alteeve"
export PGPASSWORD='secret'

for usrid in {1..219}; do

# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;"\
| sed -n 3p | sed -e 's/^[ ]*//')

if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"

# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done

unset PGUSER
unset PGPASSWORD
</source>

== Ooooold Notes ==

When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart

= Thanks =

* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.


<source lang="bash">
</source>
<source lang="text">
</source>

{{footer}}