RedHat Linux Setup
Setup for IMP, and other modules from horde.org, using CVS
Information
This documentation describes the setup of RedHat Linux 7.3 for use as a webmail interface to an MS-Exchange server. The details contained herein will allow for a complete rebuild of this server should a catastrophe occur or hardware problems prevent the current system from working properly.
Details
| Name | Value | Notes |
|---|---|---|
| Version | RedHat Linux 7.3 | Custom Install |
| Hostname | www.ip-solutions.net | |
| Ip Address | xxx.xxx.xxx.xxx | |
| Subnet Mask | xxx.xxx.xxx.xxx | |
| MAC Address | 00:90:27:ea:a8:14 | onboard ethernet card |
| DNS - primary | xxx.xxx.xxx.xxx | |
| DNS - secondary | xxx.xxx.xxx.xxx | |
| Default Gateway | xxx.xxx.xxx.xxx | |
| Hard Drive 1 | IBM- 15GB | /dev/hda |
| Hard Drive 2 | IBM- 15GB | /dev/hdc |
| Tape Drive | Digital DEC SCSI | /dev/st0 |
| Disk Layout | /dev/hda1, /dev/hdc2 | /boot, /boot2 (ext2) |
| Disk Layout | /dev/hda2, /dev/hdc1 | swap |
| Disk Layout /dev/md0 | /dev/hda3, /dev/hdc3 | / (ext3) |
| Disk Layout /dev/md2 | /dev/hda5, /dev/hdc5 | /var (ext3,noatime) |
| Disk Layout /dev/md1 | /dev/hda6, /dev/hdc6 | /home (ext3,noatime) |
| Disk Layout /dev/md3 | /dev/hda7, /dev/hdc7 | /tmp (ext2) |
| Disk Layout | | All drives are RAID1 except for /boot, /boot2, and swap |
| TimeZone | America/Los_Angeles | Setup NTP |
| Root Password | PASSWORD | (initial password) |
| User | admin | (admin account) |
| Password (admin) | PASSWORD | (PLEASE CHANGE) |
| Redhat Network Username | ipsolutions | (for updating packages) |
| Redhat Network Password | PASSWORD | (don't change this) |
| Redhat Network Email | root@ip-solutions.net | (email to send alerts to) |
| Database Admin Account | user:root passwd:PASSWORD | mysql root user is different from unix root user |
| Webmail DB account | user:horde passwd:PASSWORD | This is the user for webmail |
Server Information
The file anaconda-ks.cfg residing in the /root directory can be used to rebuild the system in a completely unattended fashion. Because of the importance of this file a copy has been burned onto a CD-ROM. A how-to exists on using Kickstart to restore your system and is available at http://www.redhat.com/manuals/
Also the file install.log located in the /root directory contains all of the packages originally installed on this system.
Since the system will provide only a web server and SSH access, all other services have been turned off and disabled. The system will act as an IMAP, LDAP and SMB client to an MS-Exchange server.
Any scripts providing additional services (such as backups) will be located in the directory /root/bin.
As soon as the initial installation completed, an account was created to access the Redhat Update Network (similar to Windows Update) and install the latest releases of all packages and any security patches necessary.
During the course of the package upgrades the kernel was updated to version 2.4.18-17.7.x (RedHat Versioning). The package containing the CD-ROMS and disks therefore has two boot disks. One marked: ORIGINAL INSTALL DISK, and the other marked: CURRENT BOOT DISK.
Should an emergency arise, either the current boot disk or disc 1 of the CD-ROMs can be used. At the CD-ROM boot prompt type “linux rescue” and follow the steps presented. Even though it may appear to be a reinstallation, it is indeed a rescue environment. Both boot disks were tested, and are working.
Server Security
The server is set up to automatically download and install patches on a monthly basis. The kernel sources and binaries are excluded from this list as that may cause problems with upgrades. They may, however, be upgraded using up2date, under supervision, if necessary.
Also a host-based firewall has been set up. The firewall file is /etc/sysconfig/iptables. The firewall starts at boot time and can be stopped or started by running the command:
/etc/init.d/iptables stop
or
/etc/init.d/iptables start
depending on whether you want the firewall disabled or enabled. IT IS HIGHLY RECOMMENDED TO LEAVE THE FIREWALL RUNNING. The ruleset is fairly tight, allowing only SSH/HTTP/HTTPS inbound for new connections and allowing the server to connect to any other system using any protocol (e.g. IMAP, LDAP, IRC...).
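One way to check a rules file against the "only SSH/HTTP/HTTPS inbound" description, as an added example that is not part of the original documentation. The ruleset in SAMPLE_RULES is constructed for illustration (it is not this server's /etc/sysconfig/iptables) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_RULES is a constructed ruleset in iptables-save
# format; it is NOT the contents of this server's /etc/sysconfig/iptables.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print the default policy of the INPUT chain (ACCEPT or DROP).
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# Print what INPUT accepts as a sorted, comma-joined list of ports.
# An ACCEPT rule with no single --dport that is not the loopback or
# ESTABLISHED,RELATED rule is reported as ANY, so it can never pass.
open_inbound() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            port = ""
            for (i = 3; i < NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port != "") print port
            else if ($0 !~ /-i lo / &&
                     $0 !~ /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) /)
                print "ANY"
        }' | sort -n | paste -sd, -
}

# check_ruleset RULES EXPECTED_PORTS -> prints "ok" and returns 0 on match.
check_ruleset() {
    if [ "$(input_policy "$1")" != "DROP" ]; then
        echo "INPUT policy is not DROP"; return 1
    fi
    if [ "$(open_inbound "$1")" != "$2" ]; then
        echo "inbound ACCEPT rules are $(open_inbound "$1"), expected $2"; return 1
    fi
    echo "ok"
}
```

On the server the same check would be run as check_ruleset "$(cat /etc/sysconfig/iptables)" 22,80,443, for example after each monthly patch run.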
Web Server
The web server is running the latest version of Apache with PHP 4.2.2. The packages of PHP were downloaded from http://rpms.arvin.dk/php. The webroot is set to /var/www/html, and the directory horde underneath the webroot contains all of the directories that comprise webmail and its modules.
The webmail program and its modules were built from a CVS checkout of horde.org on 11/08/2002. This is the most current version of webmail (IMP) at this time. A process may be put into place to update the components of webmail on a frequent basis but has not been done at this time.
Also, a CVS checkout was done of the PEAR modules for PHP from the horde.org website. This was necessary because some of the PEAR modules included from horde.org were not available in the standard PEAR download. All rpm packages and any other addons are stored in the directory /root/addons and are also copied onto the CD-ROM that should be included in a packet. This packet should be stored in a safe.
Database Server
In order to gain maximum function from webmail a database server is required. The selected DB server is MySQL. The Horde database, for webmail, is setup with an administrator account and also a user called horde that has access to the webmail db. Please see the table above for the correct usernames and passwords. Even though the mysql db admin name is “root” it is NOT the same as the Unix admin account.
Backups
A DDS-2 tape drive is attached via an Adaptec-2930 SCSI card. The device is known to the system as /dev/st0 and symbolically linked to /dev/tape.
In order to back up the system, log in as the user “admin” and type “sudo full_backup” on the command line. This will require a tape being present in the machine. These tapes should be labeled by date and preserved in a safe. An email will be sent to root@ip-solutions.net upon completion and the tape will automatically be ejected. All backups are made with the Unix dump command. Therefore any Unix administrator should be able to come in and perform a restore of the system.
Restores
The system can be restored using the Unix restore command. Restore follows the format of inserting the tape into the drive and typing:
restore -Cvf /dev/tape
at the command line to compare files on the tape with files on the filesystem. Since there is a good deal of different types of restores I will not cover that at this time. If you are unsure please call in a qualified Unix person and read the how-to's at http://howto.lycos.com/lycos, just search for “Unix restore”.
Horde modules Setup/Configuration
All commands are formatted using HTML pre tags to distinguish them from my own comments.
exec bash
cd /var/www/html
(your document root)
export CVSROOT=:pserver:cvsread@anoncvs.horde.org:/repository
cvs login
(password: horde)
cvs co horde
cd horde
cvs co imp
cvs co turba
cvs co kronolith
cvs co nag
cvs co mnemo
cvs co trean
cvs co passwd
cvs co gollem
(only if you want a web-based ftp client)
cvs co chora
(only if you want your cvs tree browseable)
cvs co ingo
(only if you can use sieve; ie -> cyrus imap server)
cd /var/www/html/horde/scripts/db
Edit the file mysql_create.sql and replace
PASSWORD('horde')
with your own password. Then type the following command:
mysql -u root mysql -p < mysql_create.sql
(Make sure mysqld is actually running before doing this) Then type the following command:
mysql -u root mysql -p < vfs.sql
cd /var/www/html/horde/config
for i in *.dist; do cp $i `basename $i .dist`; done
edit the file conf.php
If you use SSL then change the line
"$conf['use_ssl'] = 1"
Add your password for the database
$conf['sql']['password'] = 'YourHordeDBPassword';
If you are using IMP for authentication then uncomment the following lines (around line 155)
$conf['auth']['driver'] = 'application';
$conf['auth']['params']['app'] = 'imp';
If you use syslog to do your logging change these lines:
$conf['log']['type'] = 'syslog';
$conf['log']['name'] = LOG_LOCAL0;
You can store all of the users preferences in the sql db with the following line:
$conf['prefs']['driver'] = 'sql';
To use categories (which you'll need with some of the applications):
$conf['category']['driver'] = 'sql';
To set your mailer to smtp (i.e.-> send all mail through the virus scanning SMTP gateway):
$conf['mailer']['type'] = 'smtp';
$conf['mailer']['params'] = array('host' => 'smtp.example.com');
Setup a proper address for problem reporting:
$conf['problems']['email'] = 'webmaster@ip-solutions.net';
Add your administrators to the config file so that you can use the web-based horde configuration:
$conf['auth']['admins'] = array('admin@ip-solutions.net');
If you use LDAP for your users' global address book you may want to setup hooks.php
to grab their full name so that it can be displayed upon login.
Edit hooks.php; around line 138 there is an example of getting a user's full
name. Simply replacing the hostname and search base should be enough to have it work.
Comment out all of the other examples in the file as we won't be using them
in this how-to.
Next we need to edit registry.php and "turn off" the modules we won't
be using. This can be accomplished by changing the following lines:
Under "$this->applications['nic'] " change the "status"
to inactive. Repeat for any modules you won't be using. Please note that this
only hides the module from the horde toolbar. If you have downloaded the module(s)
it may still be reached through the URL.
Next move into the directory gollem/config:
cd /var/www/html/horde/gollem/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Edit the file backends.php and replace the ftp server with your own hostname.
Unless you are using any of the other features in gollem you should comment
out the other examples.
Move into the imp/config directory
cd /var/www/html/horde/imp/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Edit the servers.php file, find the example that matches your IMAP server and
change it to meet your needs. Then comment out the rest of the examples (Unless
you have multiple servers).
NOTE: This part is necessary if using IMP as the horde authentication. Otherwise
the web-based administration will not work.
You also may want to edit the files header.txt and trailer.txt to make them
more appropriate for your site.
Move into the ingo/config directory (Only if you use Sieve):
cd /var/www/html/horde/ingo/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Edit the file backends.php and change the configuration to match your site.
Move into the kronolith/config directory:
cd /var/www/html/horde/kronolith/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Move into the drivers directory:
cd /var/www/html/horde/kronolith/scripts/drivers/
Type the command:
mysql -u root horde -p < kronolith.sql
Move into the mnemo/config directory and rename the prefs.php.dist to prefs.php
Type the command:
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Move into the drivers directory:
cd /var/www/html/horde/mnemo/scripts/drivers
Type the command:
mysql -u root horde -p < mnemo_memos.sql
Move into the nag/config directory
cd /var/www/html/horde/nag/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Move into the drivers directory
cd /var/www/html/horde/nag/scripts/drivers
Type the command:
mysql -u root horde -p < nag_tasks.sql
Move into the passwd/config directory:
cd /var/www/html/horde/passwd/config
Type the command:
cp backends.php.dist backends.php
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Edit the backend that you will be using to match your site and comment out the other examples.
Move into the trean/config directory:
cd /var/www/html/horde/trean/config
Type the command:
cp prefs.php.dist prefs.php
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Move into the turba/config directory:
cd /var/www/html/horde/turba/config
Type the command:
for i in *.dist; do cp $i `basename $i .dist`; done
touch conf.php;chgrp apache conf.php;chmod g+rw conf.php
Edit the file sources.php and comment out the examples you don't want. I usually get rid of all of the examples and leave only my LDAP global address book and the users' personal address books that we store in the sql database. You can usually use one of the LDAP examples and simply change it to meet your needs. Also don't forget to change the sql password for the users' personal address books.
The address books are shown in order that they reside in the file sources.php so if you want your personal address book to show first then add it above the LDAP entries.
Move into the scripts/drivers directory:
cd /var/www/html/horde/turba/scripts/drivers
Type the command:
mysql -u root horde -p < mysql_create.sql
Run the file set_perms.sh under /horde/scripts:
sh /var/www/html/horde/scripts/set_perms.sh
Answer the questions appropriately and the script will attempt to provide
more secure filesystem permissions.
NOTE: Doing this will prevent the configuration utility from writing the conf.php
files. We'll get around this by changing the conf.php files in each of the config
directories and making them group owned/writable by our web-server user.
Type the command:
find /var/www/html/horde -name conf.php -exec chmod g+rw {} \;
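A check that the conf.php files ended up with the intended ownership and mode, as an added example that is not part of the original how-to or of the Horde scripts. The function name and the policy it enforces (web-server group, group read/write, no access for other users because conf.php holds the database password) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit every conf.php under a Horde tree after running
# set_perms.sh and the chmod above. Assumed policy (not from the page's
# script): group is the web-server group, group has rw, "other" has no
# access at all because conf.php stores the database password.

# audit_conf_perms ROOT GROUP
# Prints one "REASON path" line per finding, sorted; returns 1 if any.
audit_conf_perms() {
    audit_root=$1
    audit_group=$2
    audit_findings=$(
        # Wrong group: the web server cannot write the file, or another
        # group can.
        find "$audit_root" -type f -name conf.php ! -group "$audit_group" \
            -print | sed 's/^/WRONG_GROUP /'
        # Missing group read or write bit: the configuration tool fails.
        find "$audit_root" -type f -name conf.php ! -perm -060 \
            -print | sed 's/^/NOT_GROUP_RW /'
        # Any bit set for "other": local users can read the DB password.
        find "$audit_root" -type f -name conf.php \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/OTHER_ACCESS /'
    )
    [ -z "$audit_findings" ] && return 0
    printf '%s\n' "$audit_findings" | sort
    return 1
}
```

On this server it would be called as audit_conf_perms /var/www/html/horde apache; no output and exit status 0 means every conf.php matches the policy.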
There are two more things that need to be done before we use the web-based configuration utility. The first is to configure kronolith (As of this writing kronolith is not included in the web-based config, this will probably change very soon).
To do so move into the kronolith/config directory:
cd /var/www/html/horde/kronolith/config
and edit the file conf.php. Since we are using SQL as a storage container for our calendar we need to setup the sql parameters. There is a sample sql configuration within the conf.php file. Simply uncomment the lines and replace the horde_db user password with the one that is pertinent to your site.
The second thing only applies if you are using IMP as your authentication.
Because horde requires IMP for authentication a working conf.php file will need
to be present in order to log into the horde framework.
You can use this conf.php
file so that the initial login to horde will work and you can configure the
rest of the applications. Since the file has php tags in it you will need to
add in the php start flag at the top of the file.
The other way to get around this is to set the horde authentication to auto
and set the user to your horde_db user. If you use this method remember to switch
the horde authentication to whatever method will be performing the authentication.
We are all done with the manual editing of the files and from here on out we will use the web-based configuration tool to do the rest of the configuration.
Log into the horde framework by visiting your website:
https://secure.ip-solutions.net/horde/ (is my example website)
Click on the Administration icon in the bottom menu and then the Configuration
Icon in the top menu. From here you can select the application that you want
to configure and click on the configure button. After you are done with filling
in the forms simply click on the "Generate Configuration" button and
you're done.
Copyright © 2004