1. Install Apache2, MySql server and PHP5 with required modules. You may already have some or all of these packages installed.

apt-get install apache2 php5-cli php5 mysql-server libdbd-mysql-perl php5-gd php5-mysql libapache2-mod-php5


2. Download the latest version of MailWatch

wget http://downloads.sourceforge.net/project/mailwatch/mailwatch/1.0.5/mailwatch-1.0.5.tar.gz


At the time this tutorial was written, version 1.0.5 was the latest version. Check this location for latest version: http://sourceforge.net/projects/mailwatch/files/

3. Extract and enter the mailwatch directory

tar zxvf mailwatch-1.0.5.tar.gz
cd mailwatch-1.0.5


4. Create the database and tables

mysql -p < create.sql


5. Create a MySql user used for MailScanner logging (mysql -u root -p)

GRANT ALL ON mailscanner.* TO '{username}'@'localhost' IDENTIFIED BY '{password}';
FLUSH PRIVILEGES;


Replace {username} and {password} with a username and password of choice.

6. Configure the MailScanner logger (pico MailWatch.pm)

my($db_user) = '{username}';
my($db_pass) = '{password}';


On line 43 and 44, input your MySql user created in step 5

7. Move the MailScanner logger to correct directory

mv MailWatch.pm /usr/share/MailScanner/MailScanner/CustomFunctions/


8. Edit Mail Scanner config to enable MailWatch logger (pico /etc/MailScanner/MailScanner.conf)

Always Looked Up Last = &MailWatchLogging


9. Create a MailWatch web admin user (mysql -u root -p)

USE mailscanner;
INSERT INTO users VALUES ('{username}',md5('{password}'),'Administrator name','A','0','0','0','0','0');


Replace {username} and {password} with a username and password used to enter the web interface.

10. Move the web interface to the web server's root

mv mailscanner /var/www/mailwatch


11. Make the temp and cache directories writeable

chmod 777 /var/www/mailwatch/temp
chmod 777 /var/www/mailwatch/images/cache


12. Copy the example config file

mv /var/www/mailwatch/conf.php.example /var/www/mailwatch/conf.php


13. Configure the web interface (pico /var/www/mailwatch/conf.php)

define('DB_USER', '{username}');
define('DB_PASS', '{password}');
define('MAILWATCH_HOME', '/var/www/mailscanner');


Type the MySql username and password created in step 5

14. Install PEAR PHP framework

apt-get install php-pear


15. Install required PEAR packages

pear install DB
pear install DB_Pager
pear install Mail_mimeDecode-1.5.1


16. On line 37, add /usr/share/php to the mailwatch include path (pico /var/www/mailwatch/functions.php)

ini_set('include_path','.:'.MAILWATCH_HOME.'/pear:'.MAILWATCH_HOME.'/fpdf:'.MAILWATCH_HOME.'/xmlrpc:/usr/share/php');


17. Restart Apache and MailScanner

/etc/init.d/apache2 restart
/etc/init.d/mailscanner restart


18. You're all set. Enter the web interface at this location http://yourserver/mailwatch

1. Install the PEAR framework

get install php-pear


2. Restart apache

/etc/init.d/apace2 restart


3. Install a PEAR package (optional)

pear install Net_Ping-2.4.5


You can install any PEAR package using this command but in this example we'll install the Net_Ping package

4. Here's a sample PHP code to use the Net_Ping package (optional)

require_once "Net/Ping.php";
$ping = Net_Ping::factory();
 
$host = 'debiantutorials.com';
$count = 3;
 
if (PEAR::isError($ping))
{
    echo $ping->getMessage();
}
else
{
    $ping->setArgs(array('count' => $count));
    $res = $ping->ping($host);
    foreach ($res->_raw_data as $line)
    {
        echo $line . "\n";
    }
}


This code will ping the host debiantutorials.com three times and echo the results

In this tutorial, it's assumed that you have already installed Postfix with MySql backend using this tutorial: Installing Postfix with MySql backend and SASL for SMTP authentication

1. Install PHP5-CLI (Command Line Interpreter) if it's not already installed

apt-get install php5-cli


2. Create a MySql table for goldfish and a user that has only read access to the users table and read/update access to the autoresponder table (mysql -u root -p)

USE mail;
 
CREATE TABLE autoresponder (
email varchar(255) NOT NULL,
descname varchar(255) default NULL,
`from` date NOT NULL,
`to` date NOT NULL,
message text NOT NULL,
enabled tinyint(4) NOT NULL default '0',
subject varchar(255) NOT NULL,
PRIMARY KEY (email),
FULLTEXT KEY message (message)
) TYPE=MyISAM;
 
-- Insert a sample out of office message for the
-- e-mail address email@example.com
-- Goldfish automatically enables and disables the out of office
-- message according to the from and to dates
-- (in this case: 7th of august to 14th of august 2010)
INSERT INTO autoresponder ('email@example.com', 'Your name', '2010-08-07', '2010-08-14', 'Your message', '1', 'Your subject');
 
GRANT SELECT,UPDATE ON mail.autoresponder TO '{username}'@'localhost' IDENTIFIED BY '{password}';
GRANT SELECT ON mail.users TO '{username}'@'localhost' IDENTIFIED BY '{password}';
FLUSH PRIVILEGES;
 
exit;


Replace {username} and {password} with selected username and password that will be used by goldfish

We'll use the mail database that was created in the Postfix installation tutorial.

3. Download goldfish and put it to any location on the server. In this example I'll place it in /usr/local/goldfish

mkdir /usr/local/goldfish
wget http://www.remofritzsche.com/projects/goldfish/download/goldfish-1.1-STABLE.tar.gz
tar zxvf goldfish-1.1-STABLE.tar.gz
mv goldfish-1.1-STABLE/* /usr/local/goldfish/
rm goldfish-1.1-STABLE* -rf # Clean up


1.1 was the latest stable version when this tutorial was written. Check this location for updated version: http://www.remofritzsche.com/projects/goldfish/download/

4. Configure database information in goldfish (pico /usr/local/goldfish/autoresponder.php)

/* Database information */
$conf['mysql_host'] = "localhost";
$conf['mysql_user'] = "{username}";
$conf['mysql_password'] = "{password}";
$conf['mysql_database'] = "mail";


Input your MySql server information and the login created in step 2. mysql_host should be localhost in most cases and the mysql_database should be mail (if you didn't choose another name for the database when Postfix was installed with MySql backend)

5. Configure database queries in goldfish (pico /usr/local/goldfish/autoresponder.php)

/* Database Queries */
 
# This query has to return the path (`path`) of the corresponding
# maildir-Mailbox with email-address %m
$conf['q_mailbox_path'] = "SELECT CONCAT('/home/vmail/', SUBSTRING_INDEX(email,'@',-1), '/', SUBSTRING_INDEX(email,'@',1), '/') as `path` FROM users WHERE `email` = '%m'";


The database queries begin on line 56 in version 1.1. Replace the q_mailbox_path query with the one shown above. The only change is that the table name is changed from view_users to users.

6. Make the vmail user the owner of the goldfish directory and make the php file executable. The vmail user was created when you installed Postfix.

chown vmail /usr/local/goldfish -R
chmod 700 /usr/local/goldfish/autoresponder.php


7. Create a cronjob to run goldfish every 5 minutes as the vmail user. It must be running as a user that can read the maildir mailboxes currently located in /home/vmail. (crontab -e)

*/5 * * * * vmail /usr/local/goldfish/autoresponder.php


It implements most required features of the SSH 2 protocol, and other features such as X11 and authentication agent forwarding.

1. Install dropbear

apt-get install dropbear


2. Stop OpenSSH server (you won't loose your SSH connection)

/etc/init.d/ssh stop


2. Enable dropbear (pico /etc/default/dropbear)

NO_START=0


3. Start dropbear

/etc/init.d/dropbear start


4. Remove OpenSSH server

apt-get remove openssh-server


1. Install fail2ban

apt-get install fail2ban


2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log


Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18


1. Install DKIM filter

apt-get install dkim-filter


2. Create a key for each domain verified

mkdir -p /etc/dkim/keys/domain1.com
cd /etc/dkim/keys/domain1.com
dkim-genkey -r -d domain1.com


Replace domain1.com with the domain that this mail server should authenticate using DKIM

3. Add a line for each domain to dkim-keys.conf file (pico /etc/dkim-keys.conf)

*@domain1.com:domain1.com:/etc/dkim/keys/domain1.com/default.private


Replace domain1.com with the domain that this mail server should authenticate using DKIM

4. Add a TXT record to the DNS for the domain being authenticated using DKIM. The record is automatically created and stored in /etc/dkim/keys/domain1.com/default.txt. You just need to add it to the DNS server. (cat /etc/dkim/keys/domain1.com/default.txt)

Here's a sample output:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8IQNYlS+8jyrbAxNsghsPrWYgOQQWI0Ab4e9MToZYLTBGI41V3Zet5Awrt19nMIUlTpuE+/YVnjP/pu3fgeYkoe6NUzp+oEcWAioQXBmx0njigac7iJ/I0naTP1xTrDacnwsTp/F+lMwGgjiHpaJA7iBmL0AfYMXlTBo5pFog2QIDAQAB" ; ----- DKIM default for domain1.com


Repeat steps 2, 3 and 4 for every domain that this server should authenticate using DKIM.

5. Uncomment line 37 to make DKIM filter use the dkim-keys.conf file to look up domains available (pico /etc/dkim-filter.conf)

KeyList /etc/dkim-keys.conf


6. Add a inet socket that Postfix can communicate with (pico /etc/default/dkim-filter)

SOCKET="inet:8891@localhost"


7. Restart DKIM filter

/etc/init.d/dkim-filter restart


8. Configure Postfix to query DKIM filter using the socket created earlier. Add these lines to main.cf (pico /etc/postfix/main.cf)

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891


9. Reload Postfix config

postfix reload


1. Install MySqlTuner

apt-get install mysqltuner


2. Run MySqlTuner

mysqltuner


Input your MySql administrative login and password

Please enter your MySQL administrative login:
Please enter your MySQL administrative password:


Here are sample results:

-------- General Statistics --------------------------------------------------
[!!] There is a new version of MySQLTuner available
[OK] Currently running supported MySQL version 5.0.51a-24+lenny2-log
[OK] Operating on 32-bit architecture with less than 2GB RAM
 
-------- Storage Engine Statistics -------------------------------------------
[--] Status: +Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
[--] Data in MyISAM tables: 98M (Tables: 81)
[!!] InnoDB is enabled but isn't being used
 
-------- Performance Metrics -------------------------------------------------
[--] Up for: 56d 10h 58m 7s (137M q [28.243 qps], 3M conn, TX: 2B, RX: 1B)
[--] Reads / Writes: 90% / 10%
[--] Total buffers: 2.6M per thread and 106.0M global
[OK] Maximum possible memory usage: 368.5M (18% of installed RAM)
[OK] Slow queries: 0% (75K/137M)
[!!] Highest connection usage: 100% (101/100)
[OK] Key buffer size / total MyISAM indexes: 64.0M/79.3M
[OK] Key buffer hit rate: 100.0%
[OK] Query cache efficiency: 78.4%
[!!] Query cache prunes per day: 269788
[OK] Sorts requiring temporary tables: 0%
[!!] Temporary tables created on disk: 99%
[OK] Thread cache hit rate: 99%
[!!] Table cache hit rate: 1%
[OK] Open file limit used: 27%
[OK] Table locks acquired immediately: 99%
 
-------- Recommendations -----------------------------------------------------
General recommendations:
Add skip-innodb to MySQL configuration to disable InnoDB
Reduce or eliminate persistent connections to reduce connection usage
When making adjustments, make tmp_table_size/max_heap_table_size equal
Reduce your SELECT DISTINCT queries without LIMIT clauses
Increase table_cache gradually to avoid file descriptor limits
Variables to adjust:
max_connections (> 100)
wait_timeout (< 28800)
interactive_timeout (< 28800)
query_cache_size (> 16M)
tmp_table_size (> 32M)
max_heap_table_size (> 16M)
table_cache (> 200)


3. Adjust your MySql config file (/etc/mysql/my.cnf) according to the recommendations. Don't increase or decrease the values too much because it may have negative impact on the server. If this is a production server, just make minor changes each time and test again a few hours/days later and adjust the values again if needed. It may take a few days to figure out the best values for your server.

4. Restart MySql after you have made changes to the config file

/etc/init.d/mysql restart


The Recursor is used by several of the largest Internet providers of the world, including AOL, Shaw Cable and Neuf Cegetel.

1. Install the pdns-recursor package

apt-get install pdns-recursor


2. Configure the server to listen to all interfaces and allow queries from the local network (pico /etc/powerdns/recursor.conf)

allow-from=192.168.1.0/24
local-address=0.0.0.0


Replace 192.168.1.0/24 with your local network or the network allowed to query the resolving NS server.

3. Restart the DNS server

/etc/init.d/pdns-recursor restart


1. Install HAVP

apt-get install havp


2. Start HAVP if it didn't start after the installation

/etc/init.d/havp start


It's ready, by default HAVP listens on port 8080. You can configure your web browser to use the server as a proxy.

You can customize the error pages by editing the html files in this directory: /etc/havp/templates/en/

1. Install rinetd

apt-get install rinetd


2. Add some forwarding rules (pico /etc/rinetd.conf)

# bindadress bindport connectaddress connectport
0.0.0.0 80 209.85.229.104 80 # HTTP
0.0.0.0 110 209.85.229.109 110 # POP3
0.0.0.0 143 209.85.229.109 143 # IMAP


These rules will forward all http, pop3 and imap connections to Google's web, pop3 and imap servers. It's just an example but it may make more sense to forward for example port 80 on a public IP address to the internal network to a server that does not have a public IP address.

3. Restart rinetd

/etc/init.d/rinetd restart


Now enter http://youserver in a web browser and you'll see Google search.