July 30th, 2010 by jde

Postfix Tutorial – Step 4

Dovecot – imap/pop3

Dovecot is probably already installed, because we added the Dovecot opton for Postfix. For Dovecot I added the MANAGESIEVE option but still dovecot-managesieve was not installed as a dependency So let’s install the sieve ports…

# cd /usr/ports/mail/dovecot-sieve/
# make install clean
# cd ../dovecot-managesieve/
# make install clean

Add the vmail user:

# adduser
Username: vmail
Full name: vmail
Uid (Leave empty for default): 5000
Login group [vmail]:
Login group is vmail. Invite vmail into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/vmail]: /usr/local/virtual
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username   : vmail
Password   :
Full Name  : vmail
Uid        : 5000
Class      :
Groups     : vmail
Home       : /usr/local/virtual
Home Mode  :
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (vmail) to the user database.
Add another user? (yes/no): no
Goodbye!

Create dovecot’s logfiles:

# mkdir /var/log/dovecot
# touch /var/log/dovecot/dovecot-deliver.log
# touch /var/log/dovecot/dovecot.log
# chown -R vmail:vmail /var/log/dovecot

Open /usr/local/etc/dovecot.conf

And make sure you edit these sections:

protocols = imap imaps managesieve

disable_plaintext_auth = no

log_path = /var/log/dovecot/dovecot.log

ssl = no

mail_location = maildir:/usr/local/virtual/%d/%n/Maildir

protocol lda {
  log_path = /var/log/dovecot/dovecot-deliver.log
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@yourdomain.com
  #mail_plugins = sieve

  [other stuff here....]
}

auth default {
  mechanisms = plain login
  passdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
  userdb static {
    args = uid=5000 gid=5000 home=/usr/local/virtual/%d/%n allow_all_users=yes
  }

  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      #group =
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes

Fiks permissions on the file:

# chgrp vmail /usr/local/etc/dovecot.conf
# chmod g+r /usr/local/etc/dovecot.conf

Create /usr/local/etc/dovecot-sql.conf with the following content:

driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=secret_password
default_pass_scheme = MD5-CRYPT
password_query = SELECT username as user, password FROM mailbox WHERE username='%u';

Make sure that both postfix and dovecot are enabled in /etc/rc.conf

posfix_enable="YES"
dovecot_enable="YES"

Start them:

# /usr/local/etc/rc.d/postfix start
# /usr/local/etc/rc.d/dovecot start

July 30th, 2010 by jde

Postfix Tutorial – Step 3

Postfix

Install postfix:

# cd /usr/ports/mail/postfix
# make install clean

Options for postfix 2.7.1,1 

[X] PCRE       Perl Compatible Regular Expressions
[ ] SASL2      Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[X] DOVECOT    Dovecot SASL authentication method
[ ] SASLKRB5   If your SASL req. Kerberos5 select this option
[ ] SASLKMIT   If your SASL req. MIT Kerberos5 select this option
[X] TLS        Enable SSL and TLS support
[ ] BDB        Berkeley DB (choose version with WITH_BDB_VER)
[X] MYSQL      MySQL maps (choose version with WITH_MYSQL_VER)
[ ] PGSQL      PostgreSQL maps (choose with DEFAULT_PGSQL_VER)
[ ] OPENLDAP   OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER
[ ] CDB        CDB maps lookups
[ ] NIS        NIS maps lookups
[ ] VDA        VDA (Virtual Delivery Agent 32Bit)
[ ] TEST       SMTP/LMTP test server and generator
[ ] INST_BASE  Install into /usr and /etc/postfix

In /etc/rc.conf

postfix_enable="YES"

Sendmail is the standard MTA of various UNIX platforms. Since I am using Postfix instead, let’s disable it:

Open /etc/rc.conf and add:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Also disable some Sendmail-specific daily maintenance routines in your /etc/periodic.conf file (If you don’t have a periodic.conf file in /etc, you must create it by making a copy of /etc/default/periodic.conf):

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Find any running sendmail processes an kill them. Here’s an example:

# ps -ax | grep sendmail
440 ?? Ss 0:56.33 sendmail: accepting connections (sendmail)
444 ?? Is 0:00.81 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
# kill -9 440
# kill -9 444

FreeBSD generates daily mails with system information to the root user. You must redirect these mails to an actual mail account:

# cd /etc/mail/
# vim aliases

Find root: me@my.domain and correct the address to reflect one of the email accounts you’ve just created in the mailbox table.

Next you must run the newaliases command. It creates both /etc/aliases.db and /etc/mail/aliases.db and therefore we will convert the one in /etc to a soft link that points to the one in /etc/mail.

# newaliases
# rm /etc/aliases.db
# ln -s /etc/mail/aliases.db /etc/aliases.db

Configure main.cf

# vim /usr/local/etc/postfix/main.cf

Change myhostname and mydomain, and uncomment the rest of the lines show here:

myhostname = example.domain.tld
mydomain = domain.tld
myorigin = $mydomain

mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps = unix:passwd.byname $alias_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

home_mailbox = Maildir/

#Pipe mail per receipient
default_destination_recipient_limit = 1

#Pass incoming mail to dovecot
virtual_transport=dovecot
dovecot_destination_recipient_limit = 1

# configuration related to MySQL.
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 51200000
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000

Virtual maps

The three settings: virtual_alias_maps, virtual_mailbox_domains and virtual_mailbox_maps each refer to a file. Create these files in /usr/local/etc/postfix/ with the following content (remember to replace password with the password for the ‘postfix’ database user):

mysql_virtual_alias_maps.cf

user = postfix
password = password
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s'

mysql_virtual_domains_maps.cf:

user = postfix
password = password
hosts = localhost
dbname = postfix
query = SELECT description FROM domain WHERE domain='%s'

mysql_virtual_mailbox_maps.cf

user = postfix
password = password
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s'

You can check your maps like this:

# postmap -q nerdgirl.dk mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
NerdGirl

Make sure that only ‘root’ and the ‘postfix’ user can read the “.cf” files – after all your database password is stored there:

# cd /usr/local/etc/postfix/
# chgrp postfix mysql_virtual_*.cf
# chmod u=rw,g=r,o= mysql_virtual_*.cf

Configure master.cf

Add these lines in /usr/local/etc/postfix/master.cf

dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}

The second line must be indended with spaces.

July 30th, 2010 by jde

Postfix Tutorial – Step 1

Mail setup considerations

• Choosing MTA
• Virtual users vs. local users
• mbox vs. maildir
• SMTP authentication
• The final setup

Before you enter the exciting world of MTA, SMTP, IMAP, POP and all there happy little friends you must consider the fact that running a mail server these days is fairly complicated. Sending and receiving email isn’t that hard, but you’ll realize that…

• an open relay is a bad thing …
• emails contain virus and spam…
• sending passwords in clear text is a security risk…
• it’s nice to have webmail access…
• filtering rules are better if they are handled by the server and not the client…

Soon you will find your self buried in a pile of software like Postfix, Amavis, Spamassassin and Dovecot, trying to make them all play nicely together.

Consider yourself warned!

Choosing MTA

An MTA (Mail Transfer Agent)  is a program that transfers mail between computers. The MTA works behind the scenes, while the user usually interacts with another program, the mail user agent (MUA).

There’s a lot of MTA’s to choose from. FreeBSD comes with Sendmail, the standard MTA under most variants of the Unix operating system. Sendmail is too old and too complicated and therefore not recommended. There a plenty of others to choose from (Exim, Postfix, Qmail and so on).

As a newbie it is almost impossible to make a sensible choice. My advice to you is: ask your friends or consult homepages and newsgroups via Google. Use words like “MTA”, “MTS” and “review” in your search. When you have an idea of which MTA you want, check for howto’s and tutorials that will help you get started. If you only find little or nothing, you might have to reconsider.

Virtual users vs. local users

A local user, is a user with a physical account on the server. These users are created with `adduser`.

A virtual user does not exist on the server. These users often reside in a database.

If your mailusers don’t need direct access to the server, for example via ssh, there’s no need to clutter the system with homedirs. Physical users is also always a security risk. Only server administrators should have physical accounts.

Virtual users is a bit more difficult to setup initially, but since they don’t have access to the server, you don’t have to worry about them.

There’s a lot of other advantages when using virtual users, that I’m sure you’ll discover along the way.

Email storage – mbox vs. maildir

The mbox format concatenates individual messages together in a single file. Only one process can access the mbox file in read/write mode, which means everyone else has to wait for an update to complete (file locking).

The maildir type stores each message in a file of its own. No locking is required. Multiple processes can use maildirs at the same time.

Both have advantages and disadvantages, but as I understand the maildir format is the safest and fastest. If you want to read more about this topic, make a “mbox vs maildir” -Google search

A third but not widely used method is to store mail in a database. But reading a file is much faster than reading from a database, which is probably the reason people avoid this.

SMTP authentication and TLS

In the “old” days, users only authenticated themselves when receiving mail via POP3/IMAP. As a result of that, POP3 and IMAP has built in support for authentication. But to effectively prevent spammers from relaying through your mailserver, it is necessary also to authenticate when sending mail and thus ensuring that everyone using your system, is a legal user.

But when users login, the information is transported to the server in clear text. Someone “listening” to the communication could grab the information and exploit the user account. This means that any communication between client and server should be enctrypted. For that purpose you can use TLS (Transport Layer Security).

The final setup

I have decided to go with this setup:

Note: I have an older tutorial with Courier IMAP instead of Dovecot, which is still available here.

July 30th, 2010 by jde

Postfix Tutorial – Step 2

Database preparations

This mail setup is based on virtual users stored in a MySQL database. If MySQL is not installed yet, please do so and return to this page when you’re done.

The database is identical to the one I used with my old setup. It works, but some of the fields are not in use any more.

The following queries will create the postfix database and the database user ‘postfix’.

Instead of the command prompt, you may want to use phpMyAdmin for this.

Replace secret_pass with a password of your choice.

CREATE DATABASE postfix;

CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'secret_pass';
GRANT SELECT ON `postfix` . * TO 'postfix'@'localhost';
FLUSH PRIVILEGES;

USE postfix;

CREATE TABLE alias (
 address varchar(255) NOT NULL default '',
 goto text NOT NULL,
 domain varchar(255) NOT NULL default '',
 created datetime NOT NULL default '0000-00-00 00:00:00',
 modified datetime NOT NULL default '0000-00-00 00:00:00',
 active tinyint(4) NOT NULL default '1',
 PRIMARY KEY (address),
 KEY address (address)
) TYPE=MyISAM COMMENT='Postfix Admin - Virtual Aliases';

CREATE TABLE domain (
 domain varchar(255) NOT NULL default '',
 description varchar(255) NOT NULL default '',
 aliases int(10) NOT NULL default '-1',
 mailboxes int(10) NOT NULL default '-1',
 maxquota int(10) NOT NULL default '-1',
 created datetime NOT NULL default '0000-00-00 00:00:00',
 modified datetime NOT NULL default '0000-00-00 00:00:00',
 active tinyint(4) NOT NULL default '1',
 PRIMARY KEY (domain),
 KEY domain (domain)
) TYPE=MyISAM COMMENT='Postfix Admin - Virtual Domains';

CREATE TABLE mailbox (
 username varchar(255) NOT NULL default '',
 password varchar(255) NOT NULL default '',
 name varchar(255) NOT NULL default '',
 maildir varchar(255) NOT NULL default '',
 quota int(10) NOT NULL default '-1',
 domain varchar(255) NOT NULL default '',
 created datetime NOT NULL default '0000-00-00 00:00:00',
 modified datetime NOT NULL default '0000-00-00 00:00:00',
 active tinyint(4) NOT NULL default '1',
 PRIMARY KEY (username),
 KEY username (username)
) TYPE=MyISAM COMMENT='Postfix Admin - Virtual Mailboxes';

Heres an example of how to use the above tables:

The table ‘domain’, contains the domains hosted on your server. Replace domain.tld with one of your own domains:

INSERT INTO domain (domain,description) VALUES ('domain.tld','Description of your choice');

The next step demonstrates how to create a mailuser belonging to the above domain. Replace user@domain.tld, Full name and secret_pass with values of your choice. First you need to generate an MD5-crypt password (MD5 is too easy to crack, and therefore MD5-crypt is better). Dovecot has a function to generate such a password, but since you have not installed Dovecot yet please go to step three, install Postfix (which will also install Dovecot) and then continue from here:

# rehash
# dovecotpw -s MD5-CRYPT -p secret_pass
{MD5-CRYPT}$1$7KAL0/7C$xpACuJX5DarLgFH.tGV6M/

You are now ready to add the new account in the mailbox table:

INSERT INTO mailbox (username,password,name,maildir)
VALUES ('user@domain.tld','{MD5-CRYPT}$1$7KAL0/7C$xpACuJX5DarLgFH.tGV6M/',
'Full name','user@domain.tld/');

The table architecture is mainly a copy of my old setup, and therefore some of the fields are not used any more. But it works as is. Remove unused table fields.

July 30th, 2010 by jde

Basic configuration

In the early days there was only one configuration file for Apache (httpd.conf). Over time it has been split into several files, each containing a specific category of directives (httpd-vhosts.conf, httpd-ssl.conf etc, etc). The original httpd.conf is still available at the root of the Apache configuration directory /usr/local/etc/apache22. The others are located in the /extra folder.

Open /usr/local/etc/apache22/httpd.conf and change the following values:

ServerAdmin your_email@address.tld
ServerName www.address.tld:80
ServerRoot "/usr/local"
DocumentRoot "/usr/local/www"
Directory "/usr/local/www"
  AllowOverride None
DirectoryIndex index.php index.html

ServerAdmin: Apache will display this address in the browser if something goes wrong.
ServerName: This is the site that will be displayed if none of the virtual hosts matches the request.
AllowOverride: If set to “None” any .htaccess files will be ignored. If you want maximum performance, you should avoid htaccess files and use the *.conf files instead.
DirectoryIndex: Add filenames which must be recognized as site index files. This is the file Apache will display if the request does not contain a specific page.

Virtual host configuration

The place to add virtual hosts is /usr/local/etc/apache22/extra/httpd-vhosts.conf:

The directives in httpd.conf are global… That is, they are implied for virtual hosts unless another value is specified.
Directives inside a virtual host overwrites any global directive and applies only to the virtual host where it is specified.

The following example is a namebased virtual host. Note the * in the first line. This is where you would put an IP address if you wanted to create an IP-based virtual host.
The former is most widely used since most people only have one IP address for the server.

<VirtualHost *:80>
ServerAdmin webmaster@domain.tld
DocumentRoot /usr/local/www/domain.tld
ServerName www.domain.tld
ErrorLog /usr/local/www/logs/www.domain.tld-error_log
CustomLog /usr/local/www/logs/www.domain.tld-access_log common
</VirtualHost>

This will tell Apache to look in /usr/local/www/domain.tld/ if a request is made for www.domain.tld. Also note ErrorLog and CustomLog – this is where error and access logs are written.

You can add as many virtual hosts as you like. Just enclose each host between a <VirtualHost *:80> and </VirtualHost>

It’s just as easy to create subdomains:

<VirtualHost *:80>
ServerAdmin webmaster@example.tld
DocumentRoot /usr/local/www/mysub.example.tld
ServerName mysub.example.tld
ErrorLog /usr/local/www/logs/mysub.example.tld-error_log
CustomLog /usr/local/www/logs/mysub.example.tld-access_log common
</VirtualHost>

Note: If you plan to use a subdomain for mail accounts, you must create an A record in DNS, unless the main domain is specified in DNS with a wildcard. You must also create an MX record pointing to the subdomain.

Don’t forget to create all the directories referenced in the virtual host (just the directories – you don’t need to create the log files in advance, Apache will create them the first time they are needed).

If you want to prevent directory listings in folders not containing an index file, add this to the virtual host:

<Directory /usr/local/www/domain.tld>
Options -Indexes
</Directory>

You must restart Apache to make any changes take effect.

# apachectl stop
# apachectl start

… or

# apachectl restart

July 29th, 2010 by jde

FreeBSD 8.1
Apache 2.2

Installation

# cd /usr/ports/www/apache22
# make install clean

You are presented with a lot of options. If you are new to Apache you probably don’t know half of them. But it is safe to just install it with the default selection. You can always reinstall Apache if you missed something.

See if it starts without any complaints:

# rehash
# apachectl start

Start your browser at go to http://your.ip.address.here (e.g http://12.3.4.56). If you see the words “It works!”, you’re good to go

Common startup errors

Error:

apr_sockaddr_info_get() failed for server.example.com
Could not reliably determine the servers fully qualified domain name using 127.0.0.1 for ServerName

Solution:

Configure /etc/hosts by replacing my.domain with your hostname. If you are not sure about your hostname, run the `hostname` command.
So if your hostname is penguin.myservers.com, this is what your hosts file should look like (replace the 12.3.4.56 IP with your public IP address).

::1               localhost localhost.penguin.myservers.com
127.0.0.1         localhost localhost.penguin.myservers.com
12.3.4.56         penguin.myservers.com penguin

Error:

[warn] (2)No such file or directory:Failed to enable the ‘httpready’ Accept Filter 

Solution:

# kldload accf_http

In /boot/loader.conf add this line:

accf_http_load="YES"

July 29th, 2010 by jde

FreeBSD 8.1
MySQL 5.1
phpMyAdmin 3.3

phpMyAdmin is a nice webbased gui to administer MySQL databases. It is for developers and system adminstrators who has in-depth knowledge of database systems – it is NOT for ordinary users.

Installation:

# cd /usr/ports/databases/phpmyadmin
# make install clean
Options for phpMyAdmin 3.3.4
[ ] SUPHP    suPHP support
[X] BZ2      bzip2 library support
[X] GD       GD library support
[X] MYSQLI   Improved MySQL support
[X] OPENSSL  OpenSSL support
[X] PDF      PDFlib support (implies GD)
[X] ZLIB     ZLIB support
[X] MCRYPT   MCrypt library support
[X] ZIP      Zip compression support

Configuration

After installation you need to configure Apache. First you must decide how you want to access phpMyAdmin:

1. http://www.existing-site.com/pma
2. http://pma.existing-site.com

If #1 is your choice, the only thing you need to do is adding an alias within the VirtualHost of existing-site.com

<VirtualHost *:80>
  DocumentRoot /usr/local/www/existing-site.com
  ServerName www.existing-site.com
  ServerAlias existing-site.com
  Alias /pma/ "/usr/local/www/phpMyAdmin/"
  Alias /pma "/usr/local/www/phpMyAdmin"
  (etc, etc...)
</VirtualHost>

If #2 is your choice, you’ll need to add  a new VirtualHost:

<VirtualHost *:80>
  DocumentRoot /usr/local/www/phpMyAdmin
  ServerName pma.existing-site.com
  (etc, etc...)
</VirtualHost>
 

After that, restart Apache and you’re basically done…

Every user in the mysql database now has access through phpMyAdmin. Therefore it is a good idea to tell phpMyAdmin who isn’t allowed.
Also phpMyAdmin will complain, if ‘blowfish_secret’ is not set. So this is my configuration:

$cfg['blowfish_secret'] = 'ollah';

$i = 0;

$i++;
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
'deny postfix from all',
'deny squirrelmail from all',
'deny spamassassin from all'
);

Every configuration option available is documented at the PmaWiki

July 29th, 2010 by jde

FreeBSD 8.1
MySQL 5.1.48

MySQL is a very fast, reliable and light-weight database server – with MySQL you can go a long way with a single-server setup. The thing I really like about it, is that it is a transparent easy-to-use system – you don’t need a master degree to run it… and by the way, it’s free.

• Installing MySQL
• Setting the root password
• How to start and stop the MySQL server
• Security
• Admin interface for MySQL
• MySQL configuration file

Installing MySQL

Install MySQL prior to any other software which depend on it. This ensures that you get your preferred version.

You need two applications … the MySQL server and the MySQL client. Both are found in /usr/ports/databases/. If you install the server first the client will also be installed automatically.

# cd /usr/ports/databases/mysql51-server/
# make install clean

After installation you must enable mysql in /etc/rc.conf to make it start up automatically after a reboot. Add this line:

mysql_enable="YES"

Setting the root password

When MySQL is installed and enabled, you can start it and choose a password for root…

# rehash
# cd /usr/local/etc/rc.d/mysql-server start
# mysqladmin -u root password my_secret_password

Change “my_secret_password” to a password of your own choice. If you use copy/paste and accidently set the password to “my_secret_password” (as I did – doh!), you can change it again like this:

# mysqladmin -u root -p password new_secret_password
Enter password: my_secret_password

How to start and stop the MySQL server

This is how to start and stop the server

cd /usr/local/etc/rc.d/
./mysql-server stop
./mysql-server start

You can check the processlist to see if it’s actually running:

ps -ax | grep mysql
65368 p0 S 0:00.3-8 [mysqld]

Unless you’ve started mysql with the skip-networking option, you should also see it listening on port 3306:

Use [CTRL]+[C] to quit the connection after line 6:

telnet 127.0.0.1 3306
Trying 127.0.0.1...
Connected to localhost.example.tld.
Escape character is '^]'.
8
5.0.18-logR'i\qEDc,H|X#Dmw2/3T0
Connection closed by foreign host.

If you are having trouble stopping mysql, use mysqladmin to shut it down:

# mysqladmin -u root -p shutdown
Password:

After this, you can start it again with ./mysql-server start as shown earlier.

When you want to login and do stuff with MySQL, this is how to do it

mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.1.48

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.08 sec)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit
Bye

If you want to type characters with umlauts, accents or special characters like æ, ø and å, you have to enable your shell / console for 8 Bit encoding.. click here to see how.

Security

Quote from freebsd diary

I only connect to my database server from localhost. So there is no need for network connections. Therefore, I add this flag to mysql-server: –skip-networking. This also eliminates the possibility that someone will connect to your database server over the network/Internet.

That sounds reasonable, so let’s open up /etc/rc.conf and insert this line:

mysql_args=" --skip-networking"

Then stop and start the MySQL server again.

Also:
Only give users access to do exactly what they need… no less, and especially no more.
Do not allow access via phpMyAdmin to users who do not need it (like system users).

Admin interface for MySQL

There is a nice and user friendly webbased gui for MySQL called phpMyAdmin which is described here.

MySQL configuration file

The configuration file for MySQL is the place for fine-tuning the database server. MySQL comes with 4 different examples for small, medium, large and huge systems. These files are located in /usr/local/share/mysql. In each of these example configurations (my-small.cnf, my-medium.cnf and so on…) you’ll find information on when you should use each of them based on available memory. To use one of them, just overwrite the current configuration, by copying it to /usr/local/etc/my.cnf.

Most of the variables in the configuration file, can also be set at runtime. phpMyAdmin is very helpful when you need an overview of the configuration, and hints on tuning.

When running a busy site, it is of cause important to use the correct type of configuration. But the real memory consumer is badly created indexes on tables. One faulty index on a frequently used table can completely take the breath away from any system… so the very first thing to do on a server with very high load, is to look at the slow-queries log. Your load averages can go from 30 to 0 in a minute, when a bad index is fixed.

You can log all queries, errors and/or slow queries.. the decision is yours. Add these entries in my.cnf to use one or more of these log options:

log=/var/log/mysql/mysql.log
log-error=/var/log/mysql/mysql-err.log
log-slow-queries=/var/log/mysql/mysql-slow-queries.log
log-queries-not-using-indexes

.. and set the correct permissions on the log files.:

# cd /var/log/
# mkdir mysql
# cd mysql
# touch mysql-err.log
# touch mysql.log
# touch mysql-slow-queries.log
# chmod 660 *
# chown mysql:mysql *

The ‘log’ entry causes each and every query to be logged. Use this only if you are debugging and application, since it is a performance killer.

‘log-error’ will log anything that goes wrong. ‘log-slow-queries’ will, as the name says, log any query that didn’t finish within n seconds (n is determined by the long_query_time configuration value). The presence of ‘log-queries-not-using-indexes’ ensures that the slow-queries log also contains any queries which does not use indexes.

Be aware that the log-* entries in the config file cannot be set at runtime. You must restart MySQL whenever you make changes.

As usual, make sure that you rotate the logfiles with newsyslog.

July 28th, 2010 by jde

PHP 5.3
Apache 2.2
MySQL 5.1

Make sure you include your desired Apache version, e.g. WITH_APACHE22=YES or else you’ll end up with Apache 1.3. Apparently there is no intentions of changing that behavior.

# cd /usr/ports/lang/php5
# make WITH_APACHE22=YES install clean
Options for php5 5.3.2_1

[X] CLI        Build CLI version
[X] CGI        Build CGI version
[X] APACHE     Build Apache module
[ ] DEBUG      Enable debug
[X] SUHOSIN    Enable Suhosin protection system
[ ] MULTIBYTE  Enable zend multibyte support
[ ] IPV6       Enable ipv6 support
[X] MAILHEAD   Enable mail header patch
[ ] LINKTHR    Link thread lib (for threaded extensions)

You now have the basics … If you need to communicate with a database or manipulate PDF files you’ll need some of the extensions. Select only what you currently need. You can always come back another time and repeat this procedure. If the MySQL extension is installed, and you don’t select it next time, it will not be removed. But you have to check extensions.ini after each installation, since some of the extensions may have been listed twice.

# cd /usr/ports/lang/php5-extensions
# make config
Options for php5-extensions 1.4

[X] CTYPE       ctype functions
[X] DOM         DOM support
[X] FILEINFO    fileinfo support
[X] FILTER      input filter support
[X] GD          GD library support
[X] GETTEXT     gettext library support
[X] CTYPE       ctype functions
[X] DOM         DOM support
[X] FILEINFO    fileinfo support
[X] FILTER      input filter support
[X] GD          GD library support
[X] GETTEXT     gettext library support
[X] PDO         PHP Data Objects Interface (PDO)
[X] PDO_SQLITE  PDO sqlite driver
[X] POSIX       POSIX-like functions
[X] SESSION     session support
[X] SIMPLEXML   simplexml support
[X] SQLITE      sqlite support
[X] TOKENIZER   tokenizer support
[X] XML         XML support
[X] XMLREADER   XMLReader support
[X] XMLWRITER   XMLWriter support  

# make install clean

In /usr/local/etc/apache22/httpd.conf locate the “LoadModule” and “AddType” sections and add:

LoadModule php5_module libexec/apache22/libphp5.so
AddType application/x-httpd-php .php

Then restart apache to make the changes take effect:

# apachectl restart

PHP has a lot of configuration options to tweak if desired. Have a look in one of the example files:

/usr/local/etc/php.ini-development
/usr/local/etc/php.ini-production

You can copy one of these sample configuration files, or just create an empty file and add values that differ from the default settings.

# touch /usr/local/etc/php.ini

Remember that you have to restart Apache every time to change the configuration.

Open the newly created php.ini file and set the timezone:

date.timezone = "Europe/Copenhagen"

Restart apache:

# apachectl restart

Now have a look at your phpinfo.php page. Go to the “Date” section and look for “Default timezone”. It should say “Europe/Copenhagen” or whatever value you added.

If you ever need to verify a setting you changed, create a php file and call the phpinfo() function which will generate an information page.

# echo "<?php phpinfo();?>" >> /usr/local/www/some-website/phpinfo.php

Load phpinfo.php in your browser.

July 6th, 2010 by jde

Det foder jeg køber til min hund, hedder Royal Canin. Vejledende udsalgspris her i landet er 399,- for 8 kg. Jeg har lige købt 2×8 kg på hjemmesiden zooplus.de og det blev købt og leveret for 532 kr… Det er næsten 300 kr. sparet, og så slap jeg endda for at køre efter det selv.

Da der skulle nye fælge på min mands Mercedes, vente vi også blikket mod Tyskland, og det var halv pris – her sparede vi flere tusinde kr. på ebay.de

Tempur er et meget dyrt mærke inden for senge. Vi fik et tilbud der lød på omkring 127.000… Ja, det er sørme mange penge, selv for en elevationsseng. Vi fandt den da også magen til hos en tysk forhandler til halv pris.

Vi kører selv over grænsen og fylder bilen med dåsesodavand og boks-vin. Det kan betale sig, selvom vi kører fra østsjælland og betaler både storebæltsbro og diesel. Og så kan vi oven i købet besøge familien på Fyn og få en tur ud af det. En Cola Zero (330 ml på dåse) koster typisk 7 kr. herhjemme. I Tyskland giver vi mellem 2 og 3 kr. alt efter hvordan tilbudet lige er skruet sammen den lørdag vi lander dernede.

På den måde lander mange af vores penge i Tyskland…. Hvor fedt er det? Skulle vi ikke hellere se at få priserne sat ned her i landet, så vi selv kan få glæde af skatten på overskuddet og momsen ved salget.

Jeg vil gerne opfordre alle danskere til at handle i Tyskland hver eneste gang lejligheden byder sig….Jo mere vi handler  hos vore nabolande, jo hurtigere får vi udlignet prisforskellene. Det er jo absurt at nogle produkter koster 100% mere herhjemme.