PPPower Server
With tongue firmly in cheek, this is a tutorial on building an EL6 server for hosting website and email using PostgreSQL, Postfix and Postgrey for mail and Apache for web. There are many canned and arguably superior was of accomplishing the same, but this is what I user for this server.
Post OS Install
First, the packages we will want to install:
yum install httpd httpd-tools postgresql-server postgresql-plperl postgresql-contrib postgresql mysql-server telnet mod_ssl mysql-server php-mysql gcc jwhois bind
Packages that are currently needed for personal stuff.
yum install perl-XML-Simple perl-MIME-Lite perl-DBD-MySQL perl-DBD-Pg
Apache
After all changes, use this to make sure there are no syntax errors.
service httpd configtest
Syntax OK
 |
Note: This needs to be explained. |
diff -u httpd.conf.orig httpd.conf
--- httpd.conf.orig 2010-05-28 03:11:06.000000000 -0400
+++ httpd.conf 2011-05-13 21:56:27.000000000 -0400
@@ -100,12 +100,12 @@
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
-StartServers 8
-MinSpareServers 5
-MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
-MaxRequestsPerChild 4000
+StartServers 16
+MinSpareServers 10
+MaxSpareServers 40
+ServerLimit 512
+MaxClients 512
+MaxRequestsPerChild 8000
</IfModule>
# worker MPM
@@ -116,11 +116,11 @@
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
-StartServers 4
-MaxClients 300
-MinSpareThreads 25
-MaxSpareThreads 75
-ThreadsPerChild 25
+StartServers 8
+MaxClients 600
+MinSpareThreads 50
+MaxSpareThreads 150
+ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>
@@ -259,7 +259,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin root@localhost
+ServerAdmin admin@alteeve.com
#
# ServerName gives the name and port that the server uses to identify itself.
@@ -274,6 +274,7 @@
# redirections work in a sensible way.
#
#ServerName www.example.com:80
+#ServerName *:80
#
# UseCanonicalName: Determines how Apache constructs self-referencing
@@ -289,7 +290,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/html"
+DocumentRoot "/var/www/default/html"
#
# Each directory to which Apache has access can be configured with respect
@@ -314,7 +315,7 @@
#
# This should be changed to whatever you set DocumentRoot to.
#
-<Directory "/var/www/html">
+<Directory "/var/www/default/html">
#
# Possible values for the Options directive are "None", "All",
@@ -548,9 +549,9 @@
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
-Alias /icons/ "/var/www/icons/"
+Alias /icons/ "/var/www/default/icons/"
-<Directory "/var/www/icons">
+<Directory "/var/www/default/icons">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
@@ -573,13 +574,13 @@
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
-ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+ScriptAlias /cgi-bin/ "/var/www/default/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
-<Directory "/var/www/cgi-bin">
+<Directory "/var/www/default/cgi-bin">
AllowOverride None
Options None
Order allow,deny
@@ -852,11 +853,11 @@
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#
-Alias /error/ "/var/www/error/"
+Alias /error/ "/var/www/default/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
- <Directory "/var/www/error">
+ <Directory "/var/www/default/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
@@ -987,7 +988,7 @@
#
# Use name-based virtual hosting.
#
-#NameVirtualHost *:80
+NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
@@ -1001,9 +1002,10 @@
# server name.
#
#<VirtualHost *:80>
-# ServerAdmin webmaster@dummy-host.example.com
-# DocumentRoot /www/docs/dummy-host.example.com
-# ServerName dummy-host.example.com
-# ErrorLog logs/dummy-host.example.com-error_log
-# CustomLog logs/dummy-host.example.com-access_log common
+# ServerAdmin admin@alteeve.com
+# DocumentRoot /var/www/default/html
+# ServerName unknown.alteeve.com
+# ErrorLog /var/www/default/logs/error.log
+# CustomLog /var/www/default/logs/access.log common
#</VirtualHost>
SSL Virtual Hosts
SSL provides for secure client to server communications.
Creating The Signed Certificate
This section assumes you are using a 3rd party signing authority. Specifically, I use http://www.trustico.ca/ (resellers of http://RapidSSL.com and others). This is also for a domain-specific certificate. Wildcard certificates will differ.
First, create 2048bit private key. Note that this will require a pass-phrase, which you will need to enter whenever the Apache daemon httpd daemon starts. If you do not want this, remove the -des3 switch.
openssl genrsa -des3 -out /etc/pki/CA/private/alteeve.com.key 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Verifying - Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
Now create a CSR (Certificate signing request) which we will send to the signing authority. Do not enter anything in the extra section below.
|
Note: The Common Name must be the fully qualified domain name. In this example, I want to create a certificate for the domain https://alteeve.com, so I will enter alteeve.com. If you prefer to use a www. prefix, include it. I will rewrite requests using the www. prefix to not use it. |
openssl req -new -key /etc/pki/CA/private/alteeve.com.key -out alteeve.com.csr
Enter pass phrase for /etc/pki/CA/private/alteeve.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Ontario
Locality Name (eg, city) [Default City]:Oakville
Organization Name (eg, company) [Default Company Ltd]:Alteeve's Niche
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:alteeve.com
Email Address []:admin@alteeve.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Test that the CSR file is ok.
openssl req -noout -text -in /etc/pki/CA/alteeve.com.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CA, ST=Ontario, L=Oakville, O=Alteeve's Niche, OU=IT, CN=alteeve.com/emailAddress=admin@alteeve.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
...
Copy the exact contents of the alteeve.com.csr file and provide it to your signing authority as per their instructions. Once you complete their CSR form, they should email you a signed certificate and an intermediary certificate. At this point, the CSR file is no longer needed.
Save the signed certificate:
vim /etc/pki/CA/ssl_alteeve.com.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Save the intermediary certificate. Change the certificate name to that of your provider. If they provide you with this file, simply save it in the /etc/pki/CA/ directory.
vim /etc/pki/CA/RapidSSL_CA_bundle.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Creating An SSL Virtual Host
Create a new virtual host container for the new SSL protected virtual host. We will leave the normal unencrypted virtual-host alone for now. Once we're done, we'll use it to capture and redirect http:// requests to their https:// equivalents. I make my virtual host directories writeable by my normal user account. Feel free to adapt this to your preferences.
Setup the directories and then create a trivial index.html file.
mkdir ssl_alteeve.com/{cgi-bin,html,logs,temp} -p
chown apache:digimer ssl_alteeve.com -R
chmod g+w ssl_alteeve.com -R
vim /var/www/ssl_alteeve.com/html/index.html
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
Now setup the Apache2 config. I like to use the ssl_ prefix for encrypted domains.
|
Note: This example is for a MediaWiki virtual host with short URLs configured. You will want to adapt the values to suit your needs. |
vim /etc/httpd/conf.d/ssl_alteeve.com.conf
<VirtualHost *:443>
ServerAdmin digimer@alteeve.com
ServerName alteeve.com
DirectoryIndex index.php index.html
# We can haz security?
SSLEngine on
SSLProtocol all
SSLCACertificateFile /etc/pki/CA/RapidSSL_CA_bundle.pem
SSLCertificateFile /etc/pki/CA/ssl_alteeve.com.crt
SSLCertificateKeyFile /etc/pki/CA/private/alteeve.com.key
DocumentRoot /var/www/ssl_alteeve.com/html/
Alias /w /var/www/ssl_alteeve.com/html/index.php
<Directory /var/www/ssl_alteeve.com/html>
Options +Includes Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /var/www/ssl_alteeve.com/cgi-bin/
<Directory "/var/www/ssl_alteeve.com/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/www/ssl_alteeve.com/logs/error.log
TransferLog /var/www/ssl_alteeve.com/logs/transfer.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/www/ssl_alteeve.com/logs/access.log combined
ServerSignature On
</VirtualHost>
Bad Identity Error
If you get an error about the server not providing identity information, you may have be loading images, CSS, javascript or similar using a URL from a remote domain with no SSL or badly configured SSL.
For example, on Firefox 4, you may see:
This web site does not supply identity information.
Your connection to this site is only partially encrypted, and does not prevent eavesdropping.
[ More Information ]
In my case, this turned out to be a problem where mediawiki was loading a Creative Commons logo from their server using http:// link to the icon. Once this was changed to https:// (in LocalSettings.php), the error went away.
Testing and Using the New Configuration
Test your new Apache configuration.
apachectl -t
Syntax OK
Now restart Apache. Note that you will be asked to enter the pass-phrase you used when you created your private key.
/etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server alteeve.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
 |
Warning: From now on, you will need to enter the pass-phrase to start Apache. Consider this when restarting your server and when deciding if you want the Apache server to start with your server. As my server is in a VM and it's underlying disk is also encrypted, I will enable it at boot time. I'll need to be watching the boot process anyway. This may not apply to you. |
Now make sure that you can still connect to your server on TCP port 80 (normal http port). The contents after the GET request will obviously vary depending on your configuration:
telnet localhost 80
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET
<head>
<title>Asakusa.alteeve.com</title>
</head>
<body>
Default - Requested domain not found
</body>
Connection closed by foreign host.
Now to check that the SSL port is listening properly. We can't use telnet because of the SSL encryption. Instead we will use openssl.
openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x196a050 [0x1a0b3a0] (113 bytes => 113 (0x71))
0000 - 16 03 01 00 6c 01 00 00-68 03 01 4d f8 f4 a4 f9 ....l...h..M....
0010 - 07 b3 11 f8 3d ff 5d 80-ed 69 87 52 e2 60 80 57 ....=.]..i.R.`.W
0020 - 59 c7 83 4c ea 5b e5 37-06 e0 13 00 00 3a 00 39 Y..L.[.7.....:.9
0030 - 00 38 00 88 00 87 00 35-00 84 00 16 00 13 00 0a .8.....5........
0040 - 00 33 00 32 00 9a 00 99-00 45 00 44 00 2f 00 96 .3.2.....E.D./..
0050 - 00 41 00 05 00 04 00 15-00 12 00 09 00 14 00 11 .A..............
0060 - 00 08 00 06 00 03 00 ff-02 01 00 00 04 00 23 ..............#
0071 - <SPACES/NULS>
SSL_connect:SSLv2/v3 write client hello A
read from 0x196a050 [0x1a10900] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 35 02 ....5.
0007 - <SPACES/NULS>
read from 0x196a050 [0x1a1090a] (51 bytes => 51 (0x33))
0000 - 00 31 03 01 4d f8 f4 a4-7d 35 00 74 24 43 bc c9 .1..M...}5.t$C..
0010 - 84 5d fe e3 90 1a e8 14-39 a1 b1 7e e8 19 c7 9f .]......9..~....
0020 - 45 20 d1 cb 00 00 39 01-00 09 ff 01 00 01 00 00 E ....9.........
0030 - 23 #
0033 - <SPACES/NULS>
SSL_connect:SSLv3 read server hello A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 0c 2c ....,
read from 0x196a050 [0x1a10908] (3116 bytes => 3116 (0xC2C))
0000 - 0b 00 0c 28 00 0c 25 00-04 c2 30 82 04 be 30 82 ...(..%...0...0.
0010 - 03 a6 a0 03 02 01 02 02-03 02 15 24 30 0d 06 09 ...........$0...
0020 - 2a 86 48 86 f7 0d 01 01-05 05 00 30 3c 31 0b 30 *.H........0<1.0
0030 - 09 06 03 55 04 06 13 02-55 53 31 17 30 15 06 03 ...U....US1.0...
0040 - 55 04 0a 13 0e 47 65 6f-54 72 75 73 74 2c 20 49 U....GeoTrust, I
0050 - 6e 63 2e 31 14 30 12 06-03 55 04 03 13 0b 52 61 nc.1.0...U....Ra
0060 - 70 69 64 53 53 4c 20 43-41 30 1e 17 0d 31 31 30 pidSSL CA0...110
0070 - 36 31 34 31 32 31 39 30-31 5a 17 0d 31 31 30 37 614121901Z..1107
0080 - 31 36 31 35 35 36 31 34-5a 30 81 d9 31 29 30 27 16155614Z0..1)0'
0090 - 06 03 55 04 05 13 20 30-54 53 35 57 7a 61 75 51 ..U... 0TS5WzauQ
00a0 - 52 4a 37 73 63 32 62 2d-68 54 47 77 4b 31 79 78 RJ7sc2b-hTGwK1yx
00b0 - 53 66 45 44 70 68 46 31-0b 30 09 06 03 55 04 06 SfEDphF1.0...U..
00c0 - 13 02 43 41 31 14 30 12-06 03 55 04 0a 13 0b 61 ..CA1.0...U....a
00d0 - 6c 74 65 65 76 65 2e 63-6f 6d 31 13 30 11 06 03 lteeve.com1.0...
00e0 - 55 04 0b 13 0a 47 54 31-33 39 30 38 38 31 37 31 U....GT139088171
00f0 - 31 30 2f 06 03 55 04 0b-13 28 53 65 65 20 77 77 10/..U...(See ww
0100 - 77 2e 72 61 70 69 64 73-73 6c 2e 63 6f 6d 2f 72 w.rapidssl.com/r
0110 - 65 73 6f 75 72 63 65 73-2f 63 70 73 20 28 63 29 esources/cps (c)
0120 - 31 31 31 2b 30 29 06 03-55 04 0b 13 22 44 6f 6d 111+0)..U..."Dom
0130 - 61 69 6e 20 43 6f 6e 74-72 6f 6c 20 56 61 6c 69 ain Control Vali
0140 - 64 61 74 65 64 20 2d 20-46 72 65 65 53 53 4c 31 dated - FreeSSL1
0150 - 14 30 12 06 03 55 04 03-13 0b 61 6c 74 65 65 76 .0...U....alteev
0160 - 65 2e 63 6f 6d 30 82 01-22 30 0d 06 09 2a 86 48 e.com0.."0...*.H
0170 - 86 f7 0d 01 01 01 05 00-03 82 01 0f 00 30 82 01 .............0..
0180 - 0a 02 82 01 01 00 c7 b5-75 03 c7 a9 b5 21 b2 7a ........u....!.z
0190 - 9b 70 8d f2 44 5d e0 18-f4 05 52 c6 93 d3 17 a5 .p..D]....R.....
01a0 - 3a c7 46 03 68 d1 01 53-1b e8 b8 d3 4c 56 46 b2 :.F.h..S....LVF.
01b0 - ca 63 34 88 2c 4f 7b 23-49 07 ef 8e 37 5c 8a ac .c4.,O{#I...7\..
01c0 - d7 88 9b ed a1 01 90 bc-32 d8 46 30 6d 82 33 59 ........2.F0m.3Y
01d0 - ea b5 38 2c 8a 16 e1 63-e7 ba 39 d8 2a fa 8a 6b ..8,...c..9.*..k
01e0 - 25 45 0b c9 4d b8 d2 be-a9 3a e3 ff 61 60 f9 a4 %E..M....:..a`..
01f0 - 99 4e 3f c2 25 0b 21 07-c6 1b 1e 63 71 2e 3d 31 .N?.%.!....cq.=1
0200 - 42 98 01 f4 88 b8 80 26-b7 bf 5b 00 b1 57 86 b4 B......&..[..W..
0210 - d8 70 e6 ec ea 98 e1 17-45 a7 ff 83 e0 76 6f 8a .p......E....vo.
0220 - 50 bb 1d cb c5 8f f4 01-84 4e 59 c3 4d 28 73 70 P........NY.M(sp
0230 - 39 c8 da 85 43 b9 07 ae-57 26 04 24 b2 d6 d4 7c 9...C...W&.$...|
0240 - 03 af 4f 72 00 8f 20 ed-26 77 b3 bf 4e 01 62 8b ..Or.. .&w..N.b.
0250 - 62 1b 10 16 65 92 f5 bb-5a dc 83 5c f2 56 f3 60 b...e...Z..\.V.`
0260 - 34 2c ef 62 f4 ee cf 26-6d 9b 4a 5e 74 05 74 fb 4,.b...&m.J^t.t.
0270 - 23 86 07 6f cf b0 48 6d-ba 2d 89 5d 0f e0 c0 01 #..o..Hm.-.]....
0280 - 1c 91 af 00 5f f3 02 03-01 00 01 a3 82 01 29 30 ...._.........)0
0290 - 82 01 25 30 1f 06 03 55-1d 23 04 18 30 16 80 14 ..%0...U.#..0...
02a0 - 6b 69 3d 6a 18 42 4a dd-8f 02 65 39 fd 35 24 86 ki=j.BJ...e9.5$.
02b0 - 78 91 16 30 30 0e 06 03-55 1d 0f 01 01 ff 04 04 x..00...U.......
02c0 - 03 02 05 a0 30 1d 06 03-55 1d 25 04 16 30 14 06 ....0...U.%..0..
02d0 - 08 2b 06 01 05 05 07 03-01 06 08 2b 06 01 05 05 .+.........+....
02e0 - 07 03 02 30 16 06 03 55-1d 11 04 0f 30 0d 82 0b ...0...U....0...
02f0 - 61 6c 74 65 65 76 65 2e-63 6f 6d 30 43 06 03 55 alteeve.com0C..U
0300 - 1d 1f 04 3c 30 3a 30 38-a0 36 a0 34 86 32 68 74 ...<0:08.6.4.2ht
0310 - 74 70 3a 2f 2f 72 61 70-69 64 73 73 6c 2d 63 72 tp://rapidssl-cr
0320 - 6c 2e 67 65 6f 74 72 75-73 74 2e 63 6f 6d 2f 63 l.geotrust.com/c
0330 - 72 6c 73 2f 72 61 70 69-64 73 73 6c 2e 63 72 6c rls/rapidssl.crl
0340 - 30 1d 06 03 55 1d 0e 04-16 04 14 a1 2b 4e af 55 0...U.......+N.U
0350 - 08 7b 34 be 74 fc 57 41-de bc 8f d9 4a 1d c9 30 .{4.t.WA....J..0
0360 - 0c 06 03 55 1d 13 01 01-ff 04 02 30 00 30 49 06 ...U.......0.0I.
0370 - 08 2b 06 01 05 05 07 01-01 04 3d 30 3b 30 39 06 .+........=0;09.
0380 - 08 2b 06 01 05 05 07 30-02 86 2d 68 74 74 70 3a .+.....0..-http:
0390 - 2f 2f 72 61 70 69 64 73-73 6c 2d 61 69 61 2e 67 //rapidssl-aia.g
03a0 - 65 6f 74 72 75 73 74 2e-63 6f 6d 2f 72 61 70 69 eotrust.com/rapi
03b0 - 64 73 73 6c 2e 63 72 74-30 0d 06 09 2a 86 48 86 dssl.crt0...*.H.
03c0 - f7 0d 01 01 05 05 00 03-82 01 01 00 66 8b 6f a8 ............f.o.
03d0 - d5 d2 84 c7 89 31 fb a5-ba e1 11 5e 2f 67 6f df .....1.....^/go.
03e0 - 0d 3c 0b 1a 4b ac d9 38-ee 29 0a 4d d9 06 98 2c .<..K..8.).M...,
03f0 - 25 0a 59 bb 39 03 b0 cd-3b 06 93 3e 59 90 cf 06 %.Y.9...;..>Y...
0400 - 17 74 77 bb cd 91 34 d0-6f b9 8f 53 57 ed 14 30 .tw...4.o..SW..0
0410 - bd e9 6c 04 84 b6 f0 16-9d 29 9b b1 47 f8 84 64 ..l......)..G..d
0420 - 5f 03 36 ea e1 d6 13 97-5b 50 b9 b2 59 cc f8 ef _.6.....[P..Y...
0430 - 23 01 99 91 6e 5e e8 d0-77 54 38 49 18 58 e7 0e #...n^..wT8I.X..
0440 - 54 35 c0 37 b5 9e 79 b2-d4 c6 d9 ff 27 31 d4 bf T5.7..y.....'1..
0450 - 04 ae d3 0a 90 4b bc 34-bc 53 f8 bc e7 4c 22 b7 .....K.4.S...L".
0460 - b3 bc 8c d7 41 44 fc e0-50 2e 9a ac ba 5c ee 88 ....AD..P....\..
0470 - 03 fc 0e 53 32 aa dd a4-24 ee a6 7c 3d dc 9d 7a ...S2...$..|=..z
0480 - 82 0b 9f b8 91 e0 a1 12-77 a3 95 f7 d0 c4 9e f1 ........w.......
0490 - d7 d9 99 68 80 e8 af ad-68 f5 1a 5f 66 06 78 c9 ...h....h.._f.x.
04a0 - 56 f8 36 37 16 fa 7d 27-df 1d a2 d8 7c 8c 5b 50 V.67..}'....|.[P
04b0 - db c6 fe 06 ff 96 86 f5-1f e4 35 ce cf 43 66 53 ..........5..CfS
04c0 - da a1 50 b5 c0 73 ec 1e-f4 c8 20 13 00 03 d9 30 ..P..s.... ....0
04d0 - 82 03 d5 30 82 02 bd a0-03 02 01 02 02 03 02 36 ...0...........6
04e0 - d1 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H........
04f0 - 30 42 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 0B1.0...U....US1
0500 - 16 30 14 06 03 55 04 0a-13 0d 47 65 6f 54 72 75 .0...U....GeoTru
0510 - 73 74 20 49 6e 63 2e 31-1b 30 19 06 03 55 04 03 st Inc.1.0...U..
0520 - 13 12 47 65 6f 54 72 75-73 74 20 47 6c 6f 62 61 ..GeoTrust Globa
0530 - 6c 20 43 41 30 1e 17 0d-31 30 30 32 31 39 32 32 l CA0...10021922
0540 - 34 35 30 35 5a 17 0d 32-30 30 32 31 38 32 32 34 4505Z..200218224
0550 - 35 30 35 5a 30 3c 31 0b-30 09 06 03 55 04 06 13 505Z0<1.0...U...
0560 - 02 55 53 31 17 30 15 06-03 55 04 0a 13 0e 47 65 .US1.0...U....Ge
0570 - 6f 54 72 75 73 74 2c 20-49 6e 63 2e 31 14 30 12 oTrust, Inc.1.0.
0580 - 06 03 55 04 03 13 0b 52-61 70 69 64 53 53 4c 20 ..U....RapidSSL
0590 - 43 41 30 82 01 22 30 0d-06 09 2a 86 48 86 f7 0d CA0.."0...*.H...
05a0 - 01 01 01 05 00 03 82 01-0f 00 30 82 01 0a 02 82 ..........0.....
05b0 - 01 01 00 c7 71 f8 56 c7-1e d9 cc b5 ad f6 b4 97 ....q.V.........
05c0 - a3 fb a1 e6 0b 50 5f 50-aa 3a da 0f fc 3d 29 24 .....P_P.:...=)$
05d0 - 43 c6 10 29 c1 fc 55 40-72 ee bd ea df 9f b6 41 C..)..U@r......A
05e0 - f4 48 4b c8 6e fe 4f 57-12 8b 5b fa 92 dd 5e e8 .HK.n.OW..[...^.
05f0 - ad f3 f0 1b b1 7b 4d fb-cf fd d1 e5 f8 e3 dc e7 .....{M.........
0600 - f5 73 7f df 01 49 cf 8c-56 c1 bd 37 e3 5b be b5 .s...I..V..7.[..
0610 - 4f 8b 8b f0 da 4f c7 e3-dd 55 47 69 df f2 5b 7b O....O...UGi..[{
0620 - 07 4f 3d e5 ac 21 c1 c8-1d 7a e8 e7 f6 0f a1 aa .O=..!...z......
0630 - f5 6f de a8 65 4f 10 89-9c 03 f3 89 7a a5 5e 01 .o..eO......z.^.
0640 - 72 33 ed a9 e9 5a 1e 79-f3 87 c8 df c8 c5 fc 37 r3...Z.y.......7
0650 - c8 9a 9a d7 b8 76 cc b0-3e e7 fd e6 54 ea df 5f .....v..>...T.._
0660 - 52 41 78 59 57 ad f1 12-d6 7f bc d5 9f 70 d3 05 RAxYW........p..
0670 - 6c fa a3 7d 67 58 dd 26-62 1d 31 92 0c 79 79 1c l..}gX.&b.1..yy.
0680 - 8e cf ca 7b c1 66 af a8-74 48 fb 8e 82 c2 9e 2c ...{.f..tH.....,
0690 - 99 5c 7b 2d 5d 9b bc 5b-57 9e 7c 3a 7a 13 ad f2 .\{-]..[W.|:z...
06a0 - a3 18 5b 2b 59 0f cd 5c-3a eb 68 33 c6 28 1d 82 ..[+Y..\:.h3.(..
06b0 - d1 50 8b 02 03 01 00 01-a3 81 d9 30 81 d6 30 0e .P.........0..0.
06c0 - 06 03 55 1d 0f 01 01 ff-04 04 03 02 01 06 30 1d ..U...........0.
06d0 - 06 03 55 1d 0e 04 16 04-14 6b 69 3d 6a 18 42 4a ..U......ki=j.BJ
06e0 - dd 8f 02 65 39 fd 35 24-86 78 91 16 30 30 1f 06 ...e9.5$.x..00..
06f0 - 03 55 1d 23 04 18 30 16-80 14 c0 7a 98 68 8d 89 .U.#..0....z.h..
0700 - fb ab 05 64 0c 11 7d aa-7d 65 b8 ca cc 4e 30 12 ...d..}.}e...N0.
0710 - 06 03 55 1d 13 01 01 ff-04 08 30 06 01 01 ff 02 ..U.......0.....
0720 - 01 00 30 3a 06 03 55 1d-1f 04 33 30 31 30 2f a0 ..0:..U...3010/.
0730 - 2d a0 2b 86 29 68 74 74-70 3a 2f 2f 63 72 6c 2e -.+.)http://crl.
0740 - 67 65 6f 74 72 75 73 74-2e 63 6f 6d 2f 63 72 6c geotrust.com/crl
0750 - 73 2f 67 74 67 6c 6f 62-61 6c 2e 63 72 6c 30 34 s/gtglobal.crl04
0760 - 06 08 2b 06 01 05 05 07-01 01 04 28 30 26 30 24 ..+........(0&0$
0770 - 06 08 2b 06 01 05 05 07-30 01 86 18 68 74 74 70 ..+.....0...http
0780 - 3a 2f 2f 6f 63 73 70 2e-67 65 6f 74 72 75 73 74 ://ocsp.geotrust
0790 - 2e 63 6f 6d 30 0d 06 09-2a 86 48 86 f7 0d 01 01 .com0...*.H.....
07a0 - 05 05 00 03 82 01 01 00-ab bc bc 0a 5d 18 94 e3 ............]...
07b0 - c1 b1 c3 a8 4c 55 d6 be-b4 98 f1 ee 3c 1c cd cf ....LU......<...
07c0 - f3 24 24 5c 96 03 27 58-fc 36 ae a2 2f 8f f1 fe .$$\..'X.6../...
07d0 - da 2b 02 c3 33 bd c8 dd-48 22 2b 60 0f a5 03 10 .+..3...H"+`....
07e0 - fd 77 f8 d0 ed 96 67 4f-fd ea 47 20 70 54 dc a9 .w....gO..G pT..
07f0 - 0c 55 7e e1 96 25 8a d9-b5 da 57 4a be 8d 8e 49 .U~..%....WJ...I
0800 - 43 63 a5 6c 4e 27 87 25-eb 5b 6d fe a2 7f 38 28 Cc.lN'.%.[m...8(
0810 - e0 36 ab ad 39 a5 a5 62-c4 b7 5c 58 2c aa 5d 01 .6..9..b..\X,.].
0820 - 60 a6 62 67 a3 c0 c7 62-23 f4 e7 6c 46 ee b5 d3 `.bg...b#..lF...
0830 - 80 6a 22 13 d2 2d 3f 74-4f ea af 8c 5f b4 38 9c .j"..-?tO..._.8.
0840 - db ae ce af 84 1e a6 f6-34 51 59 79 d3 e3 75 dc ........4QYy..u.
0850 - bc d7 f3 73 df 92 ec d2-20 59 6f 9c fb 95 f8 92 ...s.... Yo.....
0860 - 76 18 0a 7c 0f 2c a6 ca-de 8a 62 7b d8 f3 ce 5f v..|.,....b{..._
0870 - 68 bd 8f 3e c1 74 bb 15-72 3a 16 83 a9 0b e6 4d h..>.t..r:.....M
0880 - 99 9c d8 57 ec a8 01 51-c7 6f 57 34 5e ab 4a 2c ...W...Q.oW4^.J,
0890 - 42 f6 4f 1c 89 78 de 26-4e f5 6f 93 4c 15 6b 27 B.O..x.&N.o.L.k'
08a0 - 56 4d 00 54 6c 7a b7 b7-00 03 81 30 82 03 7d 30 VM.Tlz.....0..}0
08b0 - 82 02 e6 a0 03 02 01 02-02 03 12 bb e6 30 0d 06 .............0..
08c0 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 4e 31 0b .*.H........0N1.
08d0 - 30 09 06 03 55 04 06 13-02 55 53 31 10 30 0e 06 0...U....US1.0..
08e0 - 03 55 04 0a 13 07 45 71-75 69 66 61 78 31 2d 30 .U....Equifax1-0
08f0 - 2b 06 03 55 04 0b 13 24-45 71 75 69 66 61 78 20 +..U...$Equifax
0900 - 53 65 63 75 72 65 20 43-65 72 74 69 66 69 63 61 Secure Certifica
0910 - 74 65 20 41 75 74 68 6f-72 69 74 79 30 1e 17 0d te Authority0...
0920 - 30 32 30 35 32 31 30 34-30 30 30 30 5a 17 0d 31 020521040000Z..1
0930 - 38 30 38 32 31 30 34 30-30 30 30 5a 30 42 31 0b 80821040000Z0B1.
0940 - 30 09 06 03 55 04 06 13-02 55 53 31 16 30 14 06 0...U....US1.0..
0950 - 03 55 04 0a 13 0d 47 65-6f 54 72 75 73 74 20 49 .U....GeoTrust I
0960 - 6e 63 2e 31 1b 30 19 06-03 55 04 03 13 12 47 65 nc.1.0...U....Ge
0970 - 6f 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 43 41 oTrust Global CA
0980 - 30 82 01 22 30 0d 06 09-2a 86 48 86 f7 0d 01 01 0.."0...*.H.....
0990 - 01 05 00 03 82 01 0f 00-30 82 01 0a 02 82 01 01 ........0.......
09a0 - 00 da cc 18 63 30 fd f4-17 23 1a 56 7e 5b df 3c ....c0...#.V~[.<
09b0 - 6c 38 e4 71 b7 78 91 d4-bc a1 d8 4c f8 a8 43 b6 l8.q.x.....L..C.
09c0 - 03 e9 4d 21 07 08 88 da-58 2f 66 39 29 bd 05 78 ..M!....X/f9)..x
09d0 - 8b 9d 38 e8 05 b7 6a 7e-71 a4 e6 c4 60 a6 b0 ef ..8...j~q...`...
09e0 - 80 e4 89 28 0f 9e 25 d6-ed 83 f3 ad a6 91 c7 98 ...(..%.........
09f0 - c9 42 18 35 14 9d ad 98-46 92 2e 4f ca f1 87 43 .B.5....F..O...C
0a00 - c1 16 95 57 2d 50 ef 89-2d 80 7a 57 ad f2 ee 5f ...W-P..-.zW..._
0a10 - 6b d2 00 8d b9 14 f8 14-15 35 d9 c0 46 a3 7b 72 k........5..F.{r
0a20 - c8 91 bf c9 55 2b cd d0-97 3e 9c 26 64 cc df ce ....U+...>.&d...
0a30 - 83 19 71 ca 4e e6 d4 d5-7b a9 19 cd 55 de c8 ec ..q.N...{...U...
0a40 - d2 5e 38 53 e5 5c 4f 8c-2d fe 50 23 36 fc 66 e6 .^8S.\O.-.P#6.f.
0a50 - cb 8e a4 39 19 00 b7 95-02 39 91 0b 0e fe 38 2e ...9.....9....8.
0a60 - d1 1d 05 9a f6 4d 3e 6f-0f 07 1d af 2c 1e 8f 60 .....M>o....,..`
0a70 - 39 e2 fa 36 53 13 39 d4-5e 26 2b db 3d a8 14 bd 9..6S.9.^&+.=...
0a80 - 32 eb 18 03 28 52 04 71-e5 ab 33 3d e1 38 bb 07 2...(R.q..3=.8..
0a90 - 36 84 62 9c 79 ea 16 30-f4 5f c0 2b e8 71 6b e4 6.b.y..0._.+.qk.
0aa0 - f9 02 03 01 00 01 a3 81-f0 30 81 ed 30 1f 06 03 .........0..0...
0ab0 - 55 1d 23 04 18 30 16 80-14 48 e6 68 f9 2b d2 b2 U.#..0...H.h.+..
0ac0 - 95 d7 47 d8 23 20 10 4f-33 98 90 9f d4 30 1d 06 ..G.# .O3....0..
0ad0 - 03 55 1d 0e 04 16 04 14-c0 7a 98 68 8d 89 fb ab .U.......z.h....
0ae0 - 05 64 0c 11 7d aa 7d 65-b8 ca cc 4e 30 0f 06 03 .d..}.}e...N0...
0af0 - 55 1d 13 01 01 ff 04 05-30 03 01 01 ff 30 0e 06 U.......0....0..
0b00 - 03 55 1d 0f 01 01 ff 04-04 03 02 01 06 30 3a 06 .U...........0:.
0b10 - 03 55 1d 1f 04 33 30 31-30 2f a0 2d a0 2b 86 29 .U...3010/.-.+.)
0b20 - 68 74 74 70 3a 2f 2f 63-72 6c 2e 67 65 6f 74 72 http://crl.geotr
0b30 - 75 73 74 2e 63 6f 6d 2f-63 72 6c 73 2f 73 65 63 ust.com/crls/sec
0b40 - 75 72 65 63 61 2e 63 72-6c 30 4e 06 03 55 1d 20 ureca.crl0N..U.
0b50 - 04 47 30 45 30 43 06 04-55 1d 20 00 30 3b 30 39 .G0E0C..U. .0;09
0b60 - 06 08 2b 06 01 05 05 07-02 01 16 2d 68 74 74 70 ..+........-http
0b70 - 73 3a 2f 2f 77 77 77 2e-67 65 6f 74 72 75 73 74 s://www.geotrust
0b80 - 2e 63 6f 6d 2f 72 65 73-6f 75 72 63 65 73 2f 72 .com/resources/r
0b90 - 65 70 6f 73 69 74 6f 72-79 30 0d 06 09 2a 86 48 epository0...*.H
0ba0 - 86 f7 0d 01 01 05 05 00-03 81 81 00 76 e1 12 6e ............v..n
0bb0 - 4e 4b 16 12 86 30 06 b2-81 08 cf f0 08 c7 c7 71 NK...0.........q
0bc0 - 7e 66 ee c2 ed d4 3b 1f-ff f0 f0 c8 4e d6 43 38 ~f....;.....N.C8
0bd0 - b0 b9 30 7d 18 d0 55 83-a2 6a cb 36 11 9c e8 48 ..0}..U..j.6...H
0be0 - 66 a3 6d 7f b8 13 d4 47-fe 8b 5a 5c 73 fc ae d9 f.m....G..Z\s...
0bf0 - 1b 32 19 38 ab 97 34 14-aa 96 d2 eb a3 1c 14 08 .2.8..4.........
0c00 - 49 b6 bb e5 91 ef 83 36-eb 1d 56 6f ca da bc 73 I......6..Vo...s
0c10 - 63 90 e4 7f 7b 3e 22 cb-3d 07 ed 5f 38 74 9c e3 c...{>".=.._8t..
0c20 - 03 50 4e a1 af 98 ee 61-f2 84 3f 12 .PN....a..?.
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF, C = CA, O = alteeve.com, OU = GT13908817, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - FreeSSL, CN = alteeve.com
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 0d .....
read from 0x196a050 [0x1a10908] (525 bytes => 525 (0x20D))
0000 - 0c 00 02 09 00 80 d6 7d-e4 40 cb bb dc 19 36 d6 .......}.@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81 ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4 t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32 ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16 JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39 b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 51 5c 13 33 38 >.$!.......Q\.38
0090 - 83 ef 76 6f 23 52 55 bf-23 ba 7f f0 a4 ca 35 01 ..vo#RU.#.....5.
00a0 - 9c 70 e1 61 b2 0d 7b 5c-1c 32 02 c1 ac 14 be e9 .p.a..{\.2......
00b0 - b9 7a 5d 11 9b 53 48 64-cd 12 b8 15 4c df cc 10 .z]..SHd....L...
00c0 - 4e 2b e7 cd 3f 33 68 1a-60 cc f7 18 25 7c e5 ca N+..?3h.`...%|..
00d0 - c8 cb 45 ba 2a 6d dc 84-5f 26 6f 9a a3 73 b9 7f ..E.*m.._&o..s..
00e0 - 02 cb 7b a7 ac 59 9f f3-6e c9 01 ed b9 35 99 49 ..{..Y..n....5.I
00f0 - 37 77 68 65 ec e2 f7 17-03 e7 f5 f5 86 33 e6 6c 7whe.........3.l
0100 - 06 3c 15 83 98 74 2e b9-83 31 11 01 00 20 6e 17 .<...t...1... n.
0110 - 3d 2d ec 3e 19 b2 9e 5b-37 38 3a 31 57 3d 0e c1 =-.>...[78:1W=..
0120 - 6b c4 b4 83 d9 6b f0 d3-44 db 9f 18 55 15 e1 09 k....k..D...U...
0130 - 73 59 8c 46 3d a4 47 58-b1 71 a3 32 b5 06 26 8c sY.F=.GX.q.2..&.
0140 - 27 88 9e 13 c8 12 5d 94-9b 24 54 10 aa 79 e5 b4 '.....]..$T..y..
0150 - 43 f5 5e 4c 01 dc 02 aa-69 02 37 71 4e 26 1c 0b C.^L....i.7qN&..
0160 - 40 19 c9 95 4d af 93 35-07 7a ff b1 96 7f 03 ce @...M..5.z......
0170 - 7a eb a2 1c 97 6b d2 97-d2 0f 1a f5 b2 af fb 65 z....k.........e
0180 - 86 b9 e3 38 30 ba f5 02-d6 6b fc da 94 93 8b b3 ...80....k......
0190 - 96 b5 b7 58 dc 36 55 6d-e9 47 e5 4a 33 1d b9 d9 ...X.6Um.G.J3...
01a0 - ec 33 e8 fb 58 c8 74 13-ff dd 40 b7 35 56 63 03 .3..X.t...@.5Vc.
01b0 - 9f 16 2f 72 be 56 56 c3-15 3a c3 10 09 f0 9d f2 ../r.VV..:......
01c0 - 42 52 5a ce d6 db 61 0e-d0 e2 ac 2e 9e 04 30 8e BRZ...a.......0.
01d0 - 0d d7 07 f9 3e 0a a8 3b-8d 11 5c 6e 21 47 28 2d ....>..;..\n!G(-
01e0 - 28 31 a6 3d d0 e9 2e 7a-de 4a 00 2a a8 6f 5d 82 (1.=...z.J.*.o].
01f0 - 45 df 3e 06 e3 11 e3 3c-b9 1e 34 b8 bd 60 fd a7 E.>....<..4..`..
0200 - a2 c1 c8 19 61 19 da 10-e4 c3 70 7e 5f ....a.....p~_
SSL_connect:SSLv3 read server key exchange A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04 .....
read from 0x196a050 [0x1a10908] (4 bytes => 4 (0x4))
0000 - 0e .
0004 - <SPACES/NULS>
SSL_connect:SSLv3 read server done A
write to 0x196a050 [0x1a1add0] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 7f 9d d2 3b 68 ..............;h
0010 - 49 c9 dd ed 4f 35 a0 70-3a 28 0f ce c1 5a 81 ce I...O5.p:(...Z..
0020 - cd 46 c5 e5 a4 44 25 04-4e b4 48 d8 3b a6 d4 44 .F...D%.N.H.;..D
0030 - 4e 9a dc 20 fa 52 9f eb-52 3b 3c 3e 34 dc ed 34 N.. .R..R;<>4..4
0040 - e5 b7 10 f9 6d 3a c0 84-64 bf b8 91 54 6c 37 1b ....m:..d...Tl7.
0050 - eb 75 7a 95 aa e8 83 6f-e0 16 f2 af 77 0f 7a 0c .uz....o....w.z.
0060 - a8 82 27 a4 a5 f2 f0 1b-d2 6e 46 c4 ef 10 7c 39 ..'......nF...|9
0070 - 6c 87 74 ec 68 7e d5 9a-10 ab 10 03 75 a2 fb 4b l.t.h~......u..K
0080 - 8c 49 4c da 64 49 bd 27-ba 51 a4 .IL.dI.'.Q.
SSL_connect:SSLv3 write client key exchange A
write to 0x196a050 [0x1a1add0] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 0x196a050 [0x1a1add0] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 b4 8a 74-4d a4 bf b1 54 04 8a 25 ....0..tM...T..%
0010 - 24 f8 81 f1 64 9f 1f 6d-fb bd a7 4c 57 6a a5 63 $...d..m...LWj.c
0020 - fb 3a dd 8e e3 f9 38 f6-22 fd 7e 42 81 2e a2 41 .:....8.".~B...A
0030 - 1f 74 d1 27 02 .t.'.
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 ca .....
read from 0x196a050 [0x1a10908] (202 bytes => 202 (0xCA))
0000 - 04 00 00 c6 00 00 00 00-00 c0 6c f3 41 26 c8 6b ..........l.A&.k
0010 - 1e 9c 2e 78 af 75 b2 46-34 f4 30 c3 bd e4 ee 2f ...x.u.F4.0..../
0020 - f6 28 37 f6 7c 55 3b c7-08 ad 1e 48 f1 83 9f 9a .(7.|U;....H....
0030 - d4 ef 9b 7d 5a 9c f7 5b-92 e9 2f ca c3 e5 44 c7 ...}Z..[../...D.
0040 - 7a c1 ed db 98 1a 18 bd-25 30 3c 50 ad 96 23 22 z.......%0<P..#"
0050 - 7e a1 b7 eb 1d b5 cc 69-2a 43 63 13 4f 21 90 32 ~......i*Cc.O!.2
0060 - 87 94 0b 6a 66 da 99 fa-45 79 cc 53 29 35 59 0d ...jf...Ey.S)5Y.
0070 - 02 93 c6 c6 af f3 52 79-b5 36 c0 a6 4d 22 9f af ......Ry.6..M"..
0080 - 4a f2 86 b4 50 68 83 b1-ab a6 a6 ac 6e 4e 18 3d J...Ph......nN.=
0090 - 80 a7 b4 85 77 06 69 60-fa b2 22 9a 79 14 c6 3e ....w.i`..".y..>
00a0 - 3e 68 33 4e 1e a9 40 09-47 d0 02 97 8b ba 39 db >h3N..@.G.....9.
00b0 - 2f b1 1c 2e 66 49 d3 bc-99 cc 56 4f 1d f4 c6 7b /...fI....VO...{
00c0 - 58 3e 28 df b1 ce 2b 45-36 ca X>(...+E6.
SSL_connect:SSLv3 read server session ticket A
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 0x196a050 [0x1a10908] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x196a050 [0x1a10908] (48 bytes => 48 (0x30))
0000 - c0 79 35 bf c6 1e 7e d4-04 cf 68 c7 9d f5 9f 42 .y5...~...h....B
0010 - 03 91 5f 72 ae 5b ec a8-aa e7 af e8 f3 39 1b cd .._r.[.......9..
0020 - 13 05 56 f2 1b 28 c9 42-4b 67 88 48 20 c2 a5 06 ..V..(.BKg.H ...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIDAhUkMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNjE0MTIxOTAxWhcNMTEwNzE2MTU1NjE0WjCB2TEpMCcGA1UEBRMgMFRT
NVd6YXVRUko3c2MyYi1oVEd3SzF5eFNmRURwaEYxCzAJBgNVBAYTAkNBMRQwEgYD
VQQKEwthbHRlZXZlLmNvbTETMBEGA1UECxMKR1QxMzkwODgxNzExMC8GA1UECxMo
U2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMTErMCkGA1UE
CxMiRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gRnJlZVNTTDEUMBIGA1UEAxML
YWx0ZWV2ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHtXUD
x6m1IbJ6m3CN8kRd4Bj0BVLGk9MXpTrHRgNo0QFTG+i400xWRrLKYzSILE97I0kH
7443XIqs14ib7aEBkLwy2EYwbYIzWeq1OCyKFuFj57o52Cr6imslRQvJTbjSvqk6
4/9hYPmkmU4/wiULIQfGGx5jcS49MUKYAfSIuIAmt79bALFXhrTYcObs6pjhF0Wn
/4Pgdm+KULsdy8WP9AGETlnDTShzcDnI2oVDuQeuVyYEJLLW1HwDr09yAI8g7SZ3
s79OAWKLYhsQFmWS9bta3INc8lbzYDQs72L07s8mbZtKXnQFdPsjhgdvz7BIbbot
iV0P4MABHJGvAF/zAgMBAAGjggEpMIIBJTAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBYGA1UdEQQPMA2CC2FsdGVldmUuY29tMEMGA1UdHwQ8MDowOKA2
oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRz
c2wuY3JsMB0GA1UdDgQWBBShK06vVQh7NL50/FdB3ryP2UodyTAMBgNVHRMBAf8E
AjAAMEkGCCsGAQUFBwEBBD0wOzA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3Ns
LWFpYS5nZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBmi2+o1dKEx4kx+6W64RFeL2dv3w08CxpLrNk47ikKTdkGmCwlClm7OQOwzTsG
kz5ZkM8GF3R3u82RNNBvuY9TV+0UML3pbASEtvAWnSmbsUf4hGRfAzbq4dYTl1tQ
ubJZzPjvIwGZkW5e6NB3VDhJGFjnDlQ1wDe1nnmy1MbZ/ycx1L8ErtMKkEu8NLxT
+LznTCK3s7yM10FE/OBQLpqsulzuiAP8DlMyqt2kJO6mfD3cnXqCC5+4keChEnej
lffQxJ7x19mZaIDor61o9RpfZgZ4yVb4NjcW+n0n3x2i2HyMW1Dbxv4G/5aG9R/k
Nc7PQ2ZT2qFQtcBz7B70yCAT
-----END CERTIFICATE-----
subject=/serialNumber=0TS5WzauQRJ7sc2b-hTGwK1yxSfEDphF/C=CA/O=alteeve.com/OU=GT13908817/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - FreeSSL/CN=alteeve.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3984 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2880725EB8BDD73F469C17BCA54DF373DFE8EDE3D52A1C8F5E0A5919694FB111
Session-ID-ctx:
Master-Key: F329DEA0DF39FF181ACFBCA69BEC417D7CAA4399D73229A1D912CC8236A858FD099B834F5B32C9BF979C4B5948196FC9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 6c f3 41 26 c8 6b 1e 9c-2e 78 af 75 b2 46 34 f4 l.A&.k...x.u.F4.
0010 - 30 c3 bd e4 ee 2f f6 28-37 f6 7c 55 3b c7 08 ad 0..../.(7.|U;...
0020 - 1e 48 f1 83 9f 9a d4 ef-9b 7d 5a 9c f7 5b 92 e9 .H.......}Z..[..
0030 - 2f ca c3 e5 44 c7 7a c1-ed db 98 1a 18 bd 25 30 /...D.z.......%0
0040 - 3c 50 ad 96 23 22 7e a1-b7 eb 1d b5 cc 69 2a 43 <P..#"~......i*C
0050 - 63 13 4f 21 90 32 87 94-0b 6a 66 da 99 fa 45 79 c.O!.2...jf...Ey
0060 - cc 53 29 35 59 0d 02 93-c6 c6 af f3 52 79 b5 36 .S)5Y.......Ry.6
0070 - c0 a6 4d 22 9f af 4a f2-86 b4 50 68 83 b1 ab a6 ..M"..J...Ph....
0080 - a6 ac 6e 4e 18 3d 80 a7-b4 85 77 06 69 60 fa b2 ..nN.=....w.i`..
0090 - 22 9a 79 14 c6 3e 3e 68-33 4e 1e a9 40 09 47 d0 ".y..>>h3N..@.G.
00a0 - 02 97 8b ba 39 db 2f b1-1c 2e 66 49 d3 bc 99 cc ....9./...fI....
00b0 - 56 4f 1d f4 c6 7b 58 3e-28 df b1 ce 2b 45 36 ca VO...{X>(...+E6.
Compression: 1 (zlib compression)
Start Time: 1308161188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET
write to 0x196a050 [0x1a14e56] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a 4c 57-8c b9 d5 d4 c6 1b 56 ce .... .LW......V.
0010 - 93 b5 78 6b 5f 0e c5 a2-39 2a f9 7a 20 7d 68 85 ..xk_...9*.z }h.
0020 - af 52 e3 5f fc 17 03 01-00 20 c6 c4 19 74 61 64 .R._..... ...tad
0030 - 42 59 e0 52 3f 42 44 53-8b c9 40 69 1c 3d 9b 7f BY.R?BDS..@i.=..
0040 - aa e8 8f a4 5c de c9 d4-0a a4 ....\.....
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 60 ....`
read from 0x196a050 [0x1a10908] (96 bytes => 96 (0x60))
0000 - 46 4c 99 93 29 c9 ed 66-81 43 89 39 26 2b d1 b0 FL..)..f.C.9&+..
0010 - 19 73 eb 51 18 45 54 49-74 43 e0 92 1b f8 af f0 .s.Q.ETItC......
0020 - 0d e1 08 79 96 38 e1 5e-29 9d 66 9c 30 04 8e c4 ...y.8.^).f.0...
0030 - 10 83 49 7e 09 d7 8a ff-4b 11 f9 13 3e ac 77 73 ..I~....K...>.ws
0040 - e8 94 e3 f3 74 db 4e 5f-67 13 1d c4 3a 06 98 b3 ....t.N_g...:...
0050 - da 20 41 3c ca 9a fb 3f-f3 d7 64 a1 e9 f4 0a 98 . A<...?..d.....
<head>
<title>AN!Wiki - SSL Test Server</title>
</head>
<body>
<h1>SSL Test</h1>
</body>
read from 0x196a050 [0x1a10903] (5 bytes => 5 (0x5))
0000 - 15 03 01 ...
0005 - <SPACES/NULS>
read from 0x196a050 [0x1a10908] (32 bytes => 32 (0x20))
0000 - 2e bb a7 d6 dc ce 6c 34-dc 2e 43 c7 89 02 a9 5c ......l4..C....\
0010 - 3b 3e d0 43 1c ec fa c7-89 48 fd 76 58 82 ef 45 ;>.C.....H.vX..E
SSL3 alert read:warning:close notify
closed
write to 0x196a050 [0x1a14e53] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 d8 6f 46-24 e9 fa 0c c9 9f aa 2d .... .oF$......-
0010 - db 69 2a d8 fb 61 66 b0-23 23 f9 a4 ac 49 b7 e6 .i*..af.##...I..
0020 - 31 73 56 05 ed 1sV..
SSL3 alert write:warning:close notify
Perfect!
Open Port 443 On The Firewall
At this point, if you try to connect to the SSL virtual host remotely, you will fail because port 443 is not yet open.
Use your favourite program to open inbound TCP port 443. I like to directly edit the firewall's config.
vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
/etc/init.d/iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Browse to the New Virtual Host
You should now be able to access the new SSL virtual host! Simply browse to https://alteeve.com (replace with your domain).
Note the 'alteeve.com' to the left of the address bar showing that the site is encrypted and verified!
PostgreSQL
We need to initialize the postgres core databases before we can start it for the first time.
service postgresql initdb
Initializing database: [ OK ]
From now on, we can start PostgreSQL normally.
/etc/init.d/postgresql restart
Stopping postgresql service: [ OK ]
Starting postgresql service: [ OK ]
Create the admin user called alteeve which will own the databases we will create and use.
su - postgres
createuser -S -d -R alteeve
psql template1
At the shell, run the following:
ALTER USER alteeve WITH PASSWORD 'secret';
ALTER ROLE
\q
Tell PostgreSQL to require a password for the alteeve user.
vim /var/lib/pgsql/data/pg_hba.conf
--- /var/lib/pgsql/data/pg_hba.conf.orig 2011-06-15 17:57:25.666509143 -0400
+++ /var/lib/pgsql/data/pg_hba.conf 2011-06-15 17:58:54.077510393 -0400
@@ -65,6 +65,7 @@
# TYPE DATABASE USER CIDR-ADDRESS METHOD
+local all alteeve md5
# "local" is for Unix domain socket connections only
local all all ident
Reload PostgreSQL's configuration.
/etc/init.d/postgresql reload
Now create a Database that is owned by the alteeve user, then connect to it to make sure we're asked for a password.
su postgres -c "createdb an_wiki -O alteeve"
psql an_wiki -U alteeve
Password for user alteeve:
psql (8.4.7)
Type "help" for help.
an_wiki=>
Now load a database from a backup file.
psql an_wiki -U alteeve -f /var/www/ssl_alteeve.com/temp/an_wiki_3.out
Password for user alteeve:
SET
SET
SET
SET
SET
CREATE SCHEMA
ALTER SCHEMA
CREATE LANGUAGE
psql:/var/www/ssl_alteeve.com/temp/an_wiki_3.out:27: ERROR: must be member of role "postgres"
SET
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
CREATE FUNCTION
ALTER FUNCTION
SET
SET
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
8
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
2500
(1 row)
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
4416
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3465
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
34
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
957
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3274
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3547
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
3513
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE SEQUENCE
ALTER TABLE
setval
--------
1
(1 row)
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TRIGGER
CREATE TRIGGER
CREATE TRIGGER
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
ALTER TABLE
REVOKE
REVOKE
GRANT
GRANT
Voila!
Media Wiki Problem
If you moved a MediaWiki DB and it generated an error like this in the log file:
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "objectcache" does not exist\nLINE 1: ...ECT /* SqlBagOStuff::get */ value,exptime FROM objectcach...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
[Wed Jun 15 21:37:20 2011] [error] [client 206.108.5.162] PHP Warning: pg_query(): Query failed: ERROR: relation "l10n_cache" does not exist\nLINE 1: ... LCStore_DB::get 206.108.5.162 */ lc_value FROM l10n_cache...\n
^ in /var/www/ssl_alteeve.com/html/includes/db/DatabasePostgres.php on line 584
The fix is to run:
ALTER DATABASE an_wiki SET search_path=mediawiki;
Of course, replace an_wiki with the name of your wiki database.
MySQL
Start MySQL for the first time:
/etc/init.d/mysqld start
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h asakusa.alteeve.com password 'new-password'
Alternatively you can run:
/usr/bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/bin/mysqlbug script!
[ OK ]
Starting mysqld: [ OK ]
Secure the server.
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
BIND
|
Note: This is not meant to cover creating the actual zone files for DNS. It's goal is to setup BIND on your EL6 server only. |
This is the BIND named server that handles DNS resolution. It will be setup in two parts; The global options and then the zones file.
Install bind
yum install bind bind-libs bind-utils
Global Configuration
Edit the main configuration file, making a backup first.
cp /etc/named.conf /etc/named.conf.orig
vim /etc/named.conf
Enable queries on any interface and answer queries for any domain, not just ours. Edit or add the following;
listen-on port 53 { any; };
allow-query { localhost; };
allow-query-cache { any; };
For now, we're going to disable DNSSEC. Make the following changes;
dnssec-enable no;
dnssec-validation no;
Now tell bind where to look for a domain name's IP when we don't know. Add;
forwarders {
// These are Google's open DNS servers
8.8.8.8;
8.8.4.4;
};
This server will have a slave, and we want to notify that slave when a record changes. Add;
notify yes;
Done. I like to clean up the file to put the variables in line with one another. With this in mind, let's look at the changes as a unified diff;
diff -u /etc/named.conf.orig /etc/named.conf
--- /etc/named.conf.orig 2012-02-05 00:54:48.434068501 -0500
+++ /etc/named.conf 2012-02-05 13:45:16.484083319 -0500
@@ -8,18 +8,26 @@
//
options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { any; };
+ allow-query-cache { any; };
+ recursion yes;
+ notify yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+ dnssec-lookaside auto;
+
+ forwarders {
+ // These are Google's open DNS servers
+ 8.8.8.8;
+ 8.8.4.4;
+ };
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
Adding Zones
This is where we tell BIND which zones we have SOA for. This includes the pointers to the actual files on disk with each domain's information.
Backup then edit the zones file.
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.orig
vim /etc/named.rfc1912.zones
In here is where we add the entries for the domains we have SOA for at the end of the file. These will differ for every install, so only two examples will be shown.
// Our zones which this server is SOA for.
zone "45years.ca" IN {
type master;
file "/etc/named/db.45years.ca";
allow-transfer {
192.139.81.117;
};
};
zone "alteeve.com" in {
type master;
file "/etc/named/db.alteeve.com";
allow-transfer {
192.139.81.117;
};
};
This tutorial does not aim to cover actual zone files, but here is one for reference:
cat /etc/named/db.45years.ca
$ORIGIN .
$TTL 600 ; Time To Live.
45years.ca IN SOA ns1.alteeve.com. admin.alteeve.com. (
2011081402 ; Serial Number (yyyymmdd##)
300 ; refresh (in seconds)
180 ; retry (in seconds)
600 ; expire (in seconds)
86400 ; minimum (in seconds)
)
NS ns1.alteeve.com.
NS ns2.alteeve.com.
A 192.139.81.121
MX 10 mail.45years.ca.
$ORIGIN 45years.ca.
localhost A 127.0.0.1
mail A 192.139.81.121
www CNAME 45years.ca.
Adding a Firewall Entry
Assuming you have a firewall running, be sure to add an entry for TCP port 53.
(Re)Start BIND
Once all the configuration files and domain zone files are in place, (re)start the named service.
/etc/init.d/named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
Testing Name resolution
To properly test name resolution, you will want to resolve a domain we are SOA for and another domain which we are not. We will repeat this twice, once on the server and once from a remote machine to ensure that it is answering remote queries. Note that in the examples below, my DNS server's IP address is 78.46.37.135.
On the server;
Query alteeve.com, which we're SOA for.
dig alteeve.com @localhost
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> alteeve.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;alteeve.com. IN A
;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121
;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns1.alteeve.com.
alteeve.com. 600 IN NS ns2.alteeve.com.
;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 13:57:11 2012
;; MSG SIZE rcvd: 113
Now query google.ca which we obviously are not SOA for.
dig google.ca @localhost
; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> google.ca @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56760
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;google.ca. IN A
;; ANSWER SECTION:
google.ca. 300 IN A 74.125.232.56
;; AUTHORITY SECTION:
. 2967 IN NS f.root-servers.net.
. 2967 IN NS c.root-servers.net.
. 2967 IN NS b.root-servers.net.
. 2967 IN NS a.root-servers.net.
. 2967 IN NS k.root-servers.net.
. 2967 IN NS i.root-servers.net.
. 2967 IN NS e.root-servers.net.
. 2967 IN NS h.root-servers.net.
. 2967 IN NS l.root-servers.net.
. 2967 IN NS d.root-servers.net.
. 2967 IN NS j.root-servers.net.
. 2967 IN NS g.root-servers.net.
. 2967 IN NS m.root-servers.net.
;; Query time: 12 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Feb 5 14:02:03 2012
;; MSG SIZE rcvd: 254
Now from a remote machine, repeat the same queries to ensure that our DNS server will respond to external queries.
On the server;
Query alteeve.com, which we're SOA for.
dig alteeve.com @78.46.37.135
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> alteeve.com @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;alteeve.com. IN A
;; ANSWER SECTION:
alteeve.com. 600 IN A 192.139.81.121
;; AUTHORITY SECTION:
alteeve.com. 600 IN NS ns2.alteeve.com.
alteeve.com. 600 IN NS ns1.alteeve.com.
;; ADDITIONAL SECTION:
ns1.alteeve.com. 600 IN A 192.139.81.117
ns2.alteeve.com. 600 IN A 192.139.81.119
;; Query time: 138 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:09 2012
;; MSG SIZE rcvd: 113
Now query google.ca which we obviously are not SOA for.
dig google.ca @78.46.37.135
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc16 <<>> google.ca @78.46.37.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;google.ca. IN A
;; ANSWER SECTION:
google.ca. 138 IN A 74.125.232.56
;; AUTHORITY SECTION:
. 2805 IN NS h.root-servers.net.
. 2805 IN NS c.root-servers.net.
. 2805 IN NS j.root-servers.net.
. 2805 IN NS i.root-servers.net.
. 2805 IN NS b.root-servers.net.
. 2805 IN NS m.root-servers.net.
. 2805 IN NS g.root-servers.net.
. 2805 IN NS d.root-servers.net.
. 2805 IN NS a.root-servers.net.
. 2805 IN NS l.root-servers.net.
. 2805 IN NS f.root-servers.net.
. 2805 IN NS k.root-servers.net.
. 2805 IN NS e.root-servers.net.
;; Query time: 140 msec
;; SERVER: 78.46.37.135#53(78.46.37.135)
;; WHEN: Sun Feb 5 14:04:31 2012
;; MSG SIZE rcvd: 254
Done!
This is a pretty heavily customized postfix install using a custom schema. It was originally based on this Debian Etch tutorial, but adapted for PostgreSQL. Much time has passed and the operating system is now significantly changed, but it's lineage is thus. A more recent, but still Debian-focused version of the tutorial is here. I also used this tutorial to help sort out the PostgreSQL stuff.
This will use a few applications;
- Postfix - The program that receives email.
- PostgreSQL - The database used to validate the existence of email accounts and validates incoming user credentials.
- Dovecot - Takes email coming from postfix, via amavis, and records them to disk. It also answers requests from users wanting to check their email.
- Amavis - Filters incoming email for spam (via spamassassin) and virsus (via clamav)
We will also be using graylisting, which is a spam fighting tactic where the first email from a given user to one of our users is bounced for a few minutes. Proper mail servers will acknowledge the bound, wait the time and resend. Spam mailers though are usually fire-and-forget and will not resend, thus effectively blocking the spam message. This is a very effective method of blocking spam with minimal chance of losing real mail from real users. Any subsequent message from the user would be allowed through with no delay, provided the user had in fact resent the first message as requested.
Install
To install the applications;
yum install postfix postfix-perl-scripts dovecot dovecot-pgsql spamassassin postgresql-server postgresql-plperl mutt
Configuring Postfix
Installation requires several steps. The AN!Console database must be loaded. Various applications need to be installed. Postfix, Dovecot and helper applications need to be configured and so on.
This tutorial uses the following values that you may need to adjust;
- Database name; an_tools
- Database user; alteeve
- Database password; secret
- Database host; 127.0.0.1
|
Note: Do not use the database host "localhost" unless you are certain you can connect to the DB using a standard unix socket. |
Building Support for PostgreSQL
|
Warning: We need to build our own RPM in order to support postgresql. This means we will have to disable postfix from future updates, placing the onus on us to make sure critical updates are applied. This will require downloading the latest source RPMs, re-enabling postgres and recompile/reinstall. |
Add the source RPM repository by adding the following;
vim /etc/yum.repos.d/CentOS-Base.repo
# Source RPM repository
[base-source]
name=CentOS-$releasever - Base - Source
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://vault.centos.org/$releasever/os/SRPMS/
baseurl=http://vault.centos.org/6.0/os/SRPMS/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Now download the source RPM for postfix.
yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
base | 3.7 kB 00:00
base-source | 1.9 kB 00:00
extras | 3.5 kB 00:00
updates | 3.5 kB 00:00
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
./postfix-2.6.6-2.el6.src.rpm already exists and appears to be complete
nikko:/etc/postfix# rm postfix-2.6.6-2.el6.src.rpm
rm: remove regular file `postfix-2.6.6-2.el6.src.rpm'? y
nikko:/etc/postfix# yumdownloader --source postfix
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.vieth-server.de
* extras: centos.vieth-server.de
* updates: centos.vieth-server.de
No source RPM found for 2:postfix-2.6.6-2.2.el6_1.x86_64
postfix-2.6.6-2.el6.src.rpm | 3.3 MB 00:00
Now that we have the postfix source RPM, we will install it.
rpm -Uvh postfix-2.6.6-2.el6.src.rpm
1:postfix warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
########################################### [100%]
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
Now edit the .spec file to enable postgres support.
cp ~/rpmbuild/SPECS/postfix.spec ~/rpmbuild/SPECS/postfix.spec.orig
vim ~/rpmbuild/SPECS/postfix.spec
Make the following changes.
- Enable PostgreSQL support
%{?!PGSQL: %define PGSQL 1}
Increment the release version by one.
Release: 3%{?dist}
We can see the changes here:
diff -u ~/rpmbuild/SPECS/postfix.spec.orig ~/rpmbuild/SPECS/postfix.spec
--- /root/rpmbuild/SPECS/postfix.spec.orig 2012-02-11 16:54:54.495330859 -0500
+++ /root/rpmbuild/SPECS/postfix.spec 2012-02-11 16:53:39.873331101 -0500
@@ -1,5 +1,5 @@
%{?!MYSQL: %define MYSQL 1}
-%{?!PGSQL: %define PGSQL 0}
+%{?!PGSQL: %define PGSQL 1}
%define LDAP 2
%define PCRE 1
%define SASL 2
@@ -35,7 +35,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 2.6.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 2
Group: System Environment/Daemons
URL: http://www.postfix.org
Now rebuild the RPM, which means we need to install the build tools.
yum groupinstall development
yum install db4-devel openldap-devel cyrus-sasl-devel pcre-devel mysql-devel postgresql-devel openssl-devel
rpmbuild -bb ~/rpmbuild/SPECS/postfix.spec
(compile output)
Processing files: postfix-debuginfo-2.6.6-3.el6.x86_64
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/postfix-debuginfo-2.6.6-3.el6.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.rymr5C
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd postfix-2.6.6
+ rm -rf /root/rpmbuild/BUILDROOT/postfix-2.6.6-3.el6.x86_64
+ exit 0
Install the updated postfix.
rpm -Uvh ~/rpmbuild/RPMS/x86_64/postfix-2.6.6-3.el6.x86_64.rpm ~/rpmbuild/RPMS/x86_64/postfix-perl-scripts-2.6.6-3.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:postfix ########################################### [ 50%]
2:postfix-perl-scripts ########################################### [100%]
Now exclude postfix from future updates.
cp /etc/yum.conf /etc/yum.conf.orig
vim /etc/yum.conf
diff -u /etc/yum.conf.orig /etc/yum.conf
--- /etc/yum.conf.orig 2012-02-11 16:59:53.720079168 -0500
+++ /etc/yum.conf 2012-02-11 17:00:47.013331283 -0500
@@ -10,6 +10,7 @@
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
+exclude=postfix*
# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
Basic Postfix Configuration
Since we'll be using virtual domains, users, aliases and mailboxes, we'll need to start by commenting out some of the default options in Postfix. By default, Postfix is set up for small numbers of local users, and it only allows connections from the localhost. Our configuration will be more scalable, allowing many domains and users to be stored in the Postgres database.
Comment out the following:
vim /etc/postfix/main.cf
# inet_interfaces = localhost
# mydestination = $myhostname, localhost.$mydomain, localhost
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
And uncomment/add these:
vim /etc/postfix/main.cf
inet_interfaces = all # allows us to connect and test from another machine
mynetworks = 192.168.1.0/32, 127.0.0.0/8 # use the IP or subnet of your test machine here
Setup Virtual Domain Lookup
This tells postfix how to find which domains we have.
vim /etc/postfix/pgsql-virtual-mailbox-domains.cf
user = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM domains WHERE dom_name='%s'
Now tell Postfix to use this new file by appending the following to the main postfix configuration file.
vim /etc/postfix/main.cf# Tell postfix to validate domains using our postgresql databae via the
# pgsql-virtual-mailbox-domains.cf
virtual_mailbox_domains=pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cfNow reload postfix;
/etc/init.d/postfix reloadReloading postfix: [ OK ]Now we can test that domains resolve. In my case, I will test the look-up for alteeve.com.
postmap -q alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf1Now make sure it returns nothing when query a bad domain.
postmap -q example.com pgsql:/etc/postfix/pgsql-virtual-mailbox-domains.cf<nothing returned>Setup Mailbox Mapping
This section will tell postfix which users for a given domain are valid.
vim /etc/postfix/pgsql-virtual-mailbox-maps.cfuser = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT 1 FROM email_file WHERE email='%s'Tell postfix to use this new file when looking up users.
vim /etc/postfix/main.cfAnd add:
# Tell postfix which table to look in when validating a local user via their
# email address.
virtual_mailbox_maps=pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cfReload postfix.
/etc/init.d/postfix reloadReloading postfix: [ OK ]Now do a test of a valid user, which should return 1, and an invalid user, which should return nothing.
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf1postmap -q nobody@alteeve.com pgsql:/etc/postfix/pgsql-virtual-mailbox-maps.cf<nothing returned>Setup Email Forwards
This will allow for email addresses to be forwarded to other email addresses.
vim /etc/postfix/pgsql-virtual-alias-maps.cfuser = alteeve
password = secret
hosts = 127.0.0.1
dbname = an_tools
query = SELECT fwd_destination FROM forwards WHERE fwd_source='%s'Now tell postfix where to look.
vim /etc/postfix/main.cfAdd;
# This tells postfix where to forward incoming email to, where appropriate.
virtual_alias_maps=pgsql:/etc/postfix/pgsql-virtual-alias-maps.cfReload;
/etc/init.d/postfix reloadReloading postfix: [ OK ]I've setup a forward where digimer@alteeve.com forwards to mkelly@alteeve.com, so we will use that for the next test.
postmap -q digimer@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cfmkelly@alteeve.comAn email address with no forward should return nothing.
postmap -q mkelly@alteeve.com pgsql:/etc/postfix/pgsql-virtual-alias-maps.cf<nothing returned>Excellent.
Setup Postfix Mail Delivery via Dovecot
Define a mail transport method in the main Postfix config.
vim /etc/postfix/main.cf# this option is ignored, but may be useful for reference
virtual_mailbox_base=/email
# deliver mail via dovecot
virtual_transport = dovecot
# prevent postfix from sending multiple recipients per delivery request,
# since dovecot only supports one recipient for each delivery
dovecot_destination_recipient_limit = 1Tell Postfix what virtual_transport "dovecot" means, and how to use it.
vim /etc/postfix/master.cfAppend this for RHEL/CentOS 6 machines. For other distros, make sure that /usr/libexec/dovecot/deliver exists and change the path if necessary.
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}Setup Postfix SMTP Authentication using Dovecot
Dovecot provides an SMTP authentication mechanism to Postfix called SASL. Enabling this will require users to authenticate against the server before sending mail.
vim /etc/postfix/main.cfAppend the following to enable smtp authentication:
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
# allow authenticated users to send mail through Postfix SMTP
# more info at /usr/share/doc/postfix-2.6.6/README_FILES/SMTPD_ACCESS_README
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destinationConfiguring Dovecot
Dovecot handles writing incoming mail to the disk and moving/deleting mail as the user wishes. We're going to create a user and group called vmail which will be used to manage the email stored on disk.
useradd -m vmail
mkdir /email
chown -R vmail:vmail /emailDovecot is configured in /etc/dovecot and the main configuration file is dovecot.conf.
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
vim /etc/dovecot/dovecot.confDovecot uses .d style configuration files.
- Authentication
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
vim /etc/dovecot/conf.d/10-auth.confTell dovecot to accept plain-text passwords (needed for some old email clients, you may not need to enable this).
disable_plaintext_auth = noTell it not to use the database, and not local users for mail delivery.
#!include auth-system.conf.ext
!include auth-sql.conf.ext- Mail store
Tell dovecot where to store the email. The %d tells dovecot to substitute the user's domain name and %n is substituted by the user's email name. For example, mkelly@alteeve.com becomes /email/alteeve.com/mkelly.
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
vim /etc/dovecot/conf.d/10-mail.confmail_location = mbox:/email/%d/%nDovecot Authentication and SQL Settings
We need to tell dovecot where to look for passwords when authenticating a user. Where to look is controlled in the auth-sql.conf.ext file and is broken down into user and password lookups. We will want to first tell Dovecot which user to use when accessing the mail store on disk.
cp /etc/dovecot/conf.d/auth-sql.conf.ext /etc/dovecot/conf.d/auth-sql.conf.ext.orig
vim /etc/dovecot/conf.d/auth-sql.conf.extuserdb {
driver = static
args = uid=vmail gid=vmail home=/email/%d/%n allow_all_users=yes
}- Now configure the SQL server access details.
|
Note: Make sure that PostgreSQL has sufficient max_connections set in /var/lib/pgsql/data/postgresql.conf to handle enough connections for the expected number of email connections, plus other connections from other applications. |
cp /usr/share/doc/dovecot-2.0.9/example-config/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext
chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
vim /etc/dovecot/dovecot-sql.conf.extTell dovecot to use PostgreSQL.
driver = pgsqlConfigure the connection string.
|
Note: If your database uses a password with a space character in it, quote the password. Ie: password='super secret'. |
connect = host=127.0.0.1 dbname=an_tools user=alteeve password=secretTell dovecot to accept plain-text passwords (this is needed for some stupid MS clients, this will probably change soon).
default_pass_scheme = PLAINTell dovecot how to pull use the user's password.
password_query = SELECT email, password FROM email_password WHERE email='%u'The last thing to setup is the user query. The query needs to return the UID and GID of the vmail user we setup earlier. To get it, you can use the id command.
id vmailuid=503(vmail) gid=503(vmail) groups=503(vmail)The numbers we want are 503 and 503 for the UID and GID, respectively. Knowing this, we can set the userdb SQL string.
user_query = SELECT '/email/'||file AS email_dir, '503' AS uid, '503' AS gid FROM email_file WHERE email='%u'Configure Listener Sockets
Setup the authentication socket to allow the vmail user. This will allow Dovecot to access the user authentication socket.
vim /etc/dovecot/conf.d/10-master.conf unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}Configure Dovecot to authenticate Postfix SMTP requests.
vim /etc/dovecot/conf.d/10-master.conf unix_listener smtp-auth {
mode = 0600
user = postfix
group = postfix
path = /var/spool/postfix/private/auth
}Enable Logging
This is very useful for debugging an initial setup. It will place details about login attempts in /var/log/maillog.
vim /etc/dovecot/conf.d/10-logging.conflog_path = syslog
auth_verbose = yes
auth_debug = yes
mail_debug = yesAt this point, it's a good idea to restart the Postfix and Dovecot services, and test out the basic configuration.
service postfix restart
service dovecot restartWatch the maillog while attempting to authenticate with an email client like Thunderbird.
tail -f /var/log/maillogIf basic authentication is working, we can go ahead and add another layer of complexity on top of it: SSL.
SSL/TLS
Add TLS support to Postfix, to encrypt SMTP authentication traffic.
vim /etc/postfix/main.cfsmtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/ssl_mail.alteeve.ca.crt
smtpd_tls_key_file = /etc/pki/CA/private/mail.alteeve.ca.key
smtpd_tls_loglevel = 1Add TLS support to Dovecot, to encrypt IMAP authentication traffic.
vim /etc/dovecot/conf.d/10-ssl.confssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key.
ssl_cert = </etc/pki/CA/ssl_mail.alteeve.ca.crt
ssl_key = </etc/pki/CA/private/mail.alteeve.ca.key
# PEM encoded trusted certificate authority. Otherwise your CA will be untrusted.
# This is the intermediary certificate.
ssl_ca = </etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pemDovecot prefers the following permissions for SSL certs, so set them accordingly.
chmod 0444 /etc/pki/CA/ssl_mail.alteeve.ca.crt
chmod 0400 /etc/pki/CA/private/mail.alteeve.ca.key
chmod 0400 /etc/pki/CA/RapidSSL_CA_bundle_alteeve.ca.pemRestart Postfix and Dovecot, then change your Thunderbird server options to 'STARTTLS'. If you're still able to connect to the mail server and send mail, proceed to the next section.
User Password Encryption
In addition to SSL/TSL, which only encrypts the transport of user credentials, we're also going to encrypt the passwords themselves. This will avoid storing any plaintext passwords in the Postgres database.
vim /etc/dovecot/conf.d/10-auth.confRemove the "plain" authentication, and replace with cram-md5.
auth_mechanisms = cram-md5Any user credentials that were previously stored in plaintext will no longer work. To encrypt your password in a way that Dovecot recognizes, use the following command:
doveadm -v pw -s CRAM-MD5 -p mypasswordIt will return a hash like this.
{CRAM-MD5}de5924752ad74e36bc271a8dc7fad4b2d341f21f05382f20dedf1fdfbd5a1717Take the entire hash, including the '{CRAM-MD5}' portion, and use it to replace the password entry in the database for that user. This will allow Dovecot to authenticate the user using the CRAM-MD5 auth mechanism.
To automate this process for all users in the database, you can look at the number of userid's there are and loop through them, encrypting and replacing each password.
#!/bin/bash
#
# a script to encrypt the users.usr_password values of the an_tools database
export PGUSER="alteeve"
export PGPASSWORD='secret'
for usrid in {1..219}; do
# grab the user's password, removing whitespace
usrpass=$(psql -d an_tools -c "SELECT users.usr_password FROM users WHERE users.usr_id=$usrid;" | sed -n 3p | sed -e 's/^[ ]*//')
if [[ "$usrpass" == *CRAM* ]]; then
echo "Password for user #$usrid is already encrypted; skipping."
else
# encrypt and surround in single quotes for psql
encrypted=\'$(doveadm -v pw -s CRAM-MD5 -p "$usrpass")\'
echo "old password: [$usrpass] ; encrypted: $encrypted"
# set password to encrypted value
psql -d an_tools -c "UPDATE users SET usr_password=$encrypted WHERE usr_id=$usrid;"
fi
done
unset PGUSER
unset PGPASSWORD
== Ooooold Notes ==
When prompted;
For 'Create directories for web-based administration ?' Choose 'Yes'.
For 'General type of configuration?', choose 'Local Only'.
For 'Mail Name', enter 'alteeve.com'.
For 'SSL certificate required', hit 'Ok'.
Create the database that we will use:
# su alteeve
$ createdb an_console
$ psql an_console
Now that we are in the new database we will need to load the AN!Console schema file.
# su postgres -c psql an_console -f /var/www/ssl_alteeve.com/cgi-bin/t/anc.pgsql.schema
On the Master node, we will create the directory where email will be stored.
# mkdir /ha/email
On the both nodes, we will create a link to the '/ha/email' directory off of root.
# ln -s /ha/email /email
Under this directory create another directory that is the domain name for the domains we will host mail for. Ie (no longer needed to be done manually, AN!Console will create directories for email as needed):
# mkdir /email/45years.ca
# mkdir /email/alteeve.com
And so on.
Go to the '/etc/postfix' directory and create these four files:
# vim /etc/postfix/psql-virtual_domains.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = domains
select_field = 'virtual'
where_field = dom_name
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_forwardings.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = forwards
select_field = fwd_destination
where_field = fwd_source
hosts = 127.0.0.1
# vim /etc/postfix/psql-virtual_mailboxes.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_file
select_field = file
where_field = email
hosts = 127.0.0.1
Note: The table 'email_file' is actually a view that takes the email passed by postfix and splits it to generate a joined SELECT.
# vim /etc/postfix/psql-virtual_email2email.cf
In it enter the lines:
user = alteeve
password = secret
dbname = an_console
table = email_email
select_field = email
where_field = email
hosts = 127.0.0.1
Note: The table 'email_email' is actually a view that takes the email passed by postfix and returns the same email based on the DB entry. This is needed as a work-around for Postfix's habit of matching global forwards like '@domain -> user@domain' for all email to that domain, even what a given email address matches a user.
Now change the owner and permissions of those four files to NOT allow global reading as they contain our password.
# chown root:postfix /etc/postfix/psql-virtual_*
# chmod 640 /etc/postfix/psql-virtual_*
Now we will create a user account that will, in turn, own all the mail on the system. This user will not have shell access.
# adduser vmail
Enter a password, preferably one treated with the same care as the root password. You can leave all other options blank.
Now change the ownership of the mail store.
# chown -R vmail:vmail /email
# chmod -R 775 /email
Now we edit the main '/etc/postfix/main.cf' configuration file.
Make a backup of the original file “just in case”.
# cp /etc/postfix/main.cf /etc/postfix/main.cf.original
Now edit it:
# vim /etc/postfix/main.cf
There are several options to edit:
Please see 'Step 6' at: http://workaround.org/articles/ispmail-sarge/index.shtml.en for details on the options to set.
For 'inet_interface' enter 'all'.
For 'myhostname' use the cluster FQDN. Ie;
myhostname = nikko.alteeve.com
For 'mydestination' use only local names, NOT real domains we will host email for. Any mail sent to the domains specified here will go to local (shell) users.
mydestination = nikko.alteeve.com, localhost.alteeve.com, localhost
For 'mynetworks' set all the IP subnets we trust. Ie;
mynetworks = 192.139.81.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 127.0.0.0/8
We can ignore 'virtual_alias_domains' if it exists.
For 'virtual_alias_maps' we will set:
virtual_alias_maps = pgsql:/etc/postfix/psql-virtual_forwardings.cf pgsql:/etc/postfix/psql-virtual_email2email.cf
For 'virtual_mailbox_domains' we will set:
virtual_mailbox_domains = pgsql:/etc/postfix/psql-virtual_domains.cf
For 'virtual_mailbox_maps' we will set:
virtual_mailbox_maps = pgsql:/etc/postfix/psql-virtual_mailboxes.cf
For 'virtual_mailbox_base' (where the email will be stored on disk) we will set:
virtual_mailbox_base = /ha/email
For 'virtual_uid_maps' and 'virtual_gid_maps' we will enter the numerical UID and GID for the 'vmail' shell user we created earlier. To find what it's UID and GID is run:
# cat /etc/passwd | grep vmail
vmail:x:1001:1001:,,,:/home/vmail:/bin/bash
The first number is the UID, the second is the GID;
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
Set 'smtpd_sasl_auth_enable' to 'yes'.
Set 'broken_sasl_auth_clients' to 'yes'.
To enable relaying of local mail, trusted domains and SASL authenticated users and reject the rest set;
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
For 'smtpd_use_tls' the value should already be 'yes', but set it to such if not.
Lastly we'll set our certificate paths;
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
At this point we should be good to go. Restart postfix;
# /etc/init.d/postfix restart
If there were no errors in the restart, test the config by running;
# postfix check
If you get errors, fix 'em. Otherwise, so far so good!
Now to setup postfix to allow authentication of SMTP connections to allow relaying of messages from people (we trust) outside on the 'mynetworks' scope.
Create or edit the file '/etc/postfix/sasl/smtpd.conf'
# vim /etc/postfix/sasl/smtpd.conf
In it enter the lines:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: pgsql
sql_hostnames: 127.0.0.1
sql_user: alteeve
sql_passwd: secret
sql_database: an_console
sql_select: SELECT passwd FROM email_passwd WHERE email='%u@%r'
log_level: 7
Now secure the file (it's got our DB password)
# chown root:postfix /etc/postfix/sasl/smtpd.conf
# chmod 640 /etc/postfix/sasl/smtpd.conf
Now we want to setup TLS to encrypt SMTP traffic. Be sure you are still in '/etc/postfix' as this is where you want the certificate files.
To create a 10-year certificate for our SMTP domain 'smtp.alteeve.com':
# openssl req -new -outform PEM -out /etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
This will bring up a bunch of questions:
Country Name (2 letter code) [AU]: CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alteeve's Niche!
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, YOUR name) []:smtp.alteeve.com
Email Address []:admin@alteeve.com
This will create two files in your current directory; 'smtpd.key' and 'smtpd.cert'. You'll want to protect them.
# chown root:postfix smtpd.*
# chmod 640 smtpd.*
Now we need to setup POP3 and IMAP access so users can actually check their email.
Backup then edit '/etc/dovecot/dovecot.conf' to have:
protocols = pop3 imap
mail_location = mbox:/email/%d/%n
# passdb pam {
# }
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# userdb passwd {
# }
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# The default location for 'dovecot-sql.conf' is under '/usr/local/etc', be sure to
# change it!
auth default {
mechanisms = plain
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
user = root
}
Then create/edit '/etc/dovecot/dovecot-sql.conf':
driver = pgsql
connect = host=localhost dbname=an_console user=alteeve password=secret
default_pass_scheme = PLAIN
password_query = SELECT email, password FROM email_password WHERE email='%u'
user_query = SELECT '/email/'||file AS email_dir, '1001' AS uid, '1001' AS gid FROM email_file WHERE email='%u'
Now restart Dovecot:
# /etc/init.d/dovecot restart
= Thanks =
* To [http://planet-geek.com Dave Shevett] (aka: eidolon) and [http://codex.grimoire.ca/ Owen Jacobson] for answering my n00b SSL questions.
<span class="code"></span>
<source lang="bash">
| Any questions, feedback, advice, complaints or meanderings are welcome. | |||
| Alteeve's Niche! | Enterprise Support: Alteeve Support |
Community Support | |
| © Alteeve's Niche! Inc. 1997-2024 | Anvil! "Intelligent Availability®" Platform | ||
| legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions. | |||