Ubuntu Server

The following assumes you have not enabled the root user, thus the use of 'sudo'. If you have enabled the root user you can ignore sudo.

Download
http://releases.ubuntu.com/16.04/ubuntu-16.04-server-amd64.iso

Standard System Utilities
You can see the list of packages after install using tasksel...

sudo tasksel --task-package standard

List of packages...

telnet powermgmt-base ntfs-3g ubuntu-release-upgrader-core iputils-tracepath python3-update-manager groff-base python3-distupgrade bind9-host mtr-tiny bash-completion mlocate tcpdump geoip-database install-info irqbalance language-selector-common friendly-recovery command-not-found info hdparm man-db lshw update-manager-core apt-transport-https accountsservice command-not-found-data python3-commandnotfound time ltrace parted popularity-contest strace ftp ubuntu-standard lsof

Thanks - http://askubuntu.com/questions/766419/whats-in-standard-system-utilities-w-16-04-server

Completely Automated Install
To do this, you need the package system-config-kickstart, but because this is a GUI program this will install WAY too much for a server. Therefore, we have to manually download the debian package file and install it by force.

Download the kickstart configurator package...

wget http://www.mirrorservice.org/sites/archive.ubuntu.com/ubuntu/pool/main/s/system-config-kickstart/system-config-kickstart_2.5.20-0ubuntu25_all.deb

Install it with force...

sudo dpkg --force-depends -i system-config-kickstart_2.5.20-0ubuntu25_all.deb

Now switch to root user...

sudo -i

Run the kickstart program with switches...

system-config-kickstart --generate ks.cfg

Edit the ks.cfg file to your liking.

http://askubuntu.com/questions/122505/how-do-i-create-a-completely-unattended-install-of-ubuntu

https://help.ubuntu.com/lts/installation-guide/i386/ch04s06.html

Usual Routine
sudo apt-get update
sudo apt-get check
sudo apt-get --download-only upgrade
sudo apt-get --simulate upgrade
sudo apt-get --quiet upgrade
sudo update-grub
sudo update-initramfs -t -u
sudo reboot

From 13.04
Edit the sources file...

sudo nano /etc/apt/sources.list

deb http://old-releases.ubuntu.com/ubuntu/ raring main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates universe
deb http://old-releases.ubuntu.com/ubuntu/ raring multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-backports main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ raring-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ raring-security universe
deb http://old-releases.ubuntu.com/ubuntu/ raring-security multiverse

Update the package list...

sudo apt-get update
sudo apt-get check

Download the software first...

sudo apt-get --download-only dist-upgrade

Update the software...

sudo apt-get --simulate dist-upgrade
sudo apt-get --quiet dist-upgrade

Double Check grub boot loader...

sudo update-grub
sudo update-initramfs -t -u
sudo sync

Reboot...

sudo reboot

'apt-get upgrade' OR 'apt-get dist-upgrade'?
upgrade
upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list. Packages currently installed with new versions available are retrieved and upgraded; under no circumstances are currently installed packages removed, or packages not already installed retrieved and installed. New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version. An update must be performed first so that apt-get knows that new versions of packages are available.

dist-upgrade
dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a "smart" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. So, dist-upgrade command may remove some packages. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. See also apt_preferences(5) for a mechanism for overriding the general settings for individual packages.

Thanks to AskUbuntu.com.

Install Options

 * 1) Default Server = Server kernel + "Basic Ubuntu server" task packages
 * 2) Minimal System = Server kernel + no additional packages
 * 3) Minimal Virtual Machine = Virtual kernel + no additional packages

Thanks - http://askubuntu.com/questions/57336/minimal-system-or-minimal-virtual-machine-on-install

Downloads
http://releases.ubuntu.com

Size Swap File Partition - Suggested Sizes

 * 1) Systems with 4GB of ram or less require a minimum of 2GB of swap space
 * 2) Systems with 4GB to 16GB of ram require a minimum of 4GB of swap space
 * 3) Systems with 16GB to 64GB of ram require a minimum of 8GB of swap space
 * 4) Systems with 64GB to 256GB of ram require a minimum of 16GB of swap space

Thanks to Cyberciti.

RAM Usage
http://pastebin.com/6yF7kFAC

Message Of The Day (MOTD)
sudo chmod a-x /etc/update-motd.d/*
sudo rm -rfv /etc/update-motd.d/50-landscape-sysinfo
sudo dpkg-reconfigure landscape-common
sudo apt-get purge landscape-*

Thanks - http://askubuntu.com/questions/385072/how-set-the-message-of-the-day-motd-as-ubuntu-server

rtc error
Ubuntu Server tries to load the module 'rtc' on boot. This is no longer needed for newer hardware.

Check to make sure your clock is correct...

sudo date && sudo hwclock

Just comment out the offending line from the modules configuration file. Might as well stop the printer driver as well!

sudo nano /etc/modules
# lp
# rtc

console-kit-daemon
To see how many are running:

sudo apt-get install psmisc
pstree -cln

To get rid of the service you will need to first find its process ID:

ps aux| grep console-kit-daemon

Which should return something similar to:

root 1393 0.0  0.1 2091756 3940 ? Sl  11:04   0:00 /usr/sbin/console-kit-daemon --no-daemon

Where 1393 is the ID, to stop and remove it from start up:

kill 1393
cp /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service org.freedesktop.ConsoleKit.old
rm /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service

Thanks to AskUbuntu.

Clear Screen After Boot Before Login
Add --noclear to the getty options for the 1st terminal...

sudo nano /etc/init/tty1.conf
exec /sbin/getty -8 38400 --noclear tty1

Console Screen Blanking
sudo setterm --blank 0

To make this change permanent, create a file called 'setterm.start' in the /etc/local.d/ folder.

sudo mkdir /etc/local.d
sudo nano /etc/local.d/setterm.start
setterm --blank 0
sudo chmod +x /etc/local.d/setterm.start

Control-Alt-Delete
NEW

sudo systemctl mask ctrl-alt-del.target
sudo systemctl daemon-reload

Thanks - https://help.ubuntu.com/lts/serverguide/console-security.html

OLD

sudo mkdir /root/misc
sudo mv -v /etc/init/control-alt-delete.conf /root/misc/

Low Resolution Console
Method One

sudo nano /etc/default/grub
GRUB_HIDDEN_TIMEOUT_QUIET=false
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash nofb nomodeset"
GRUB_TERMINAL=console
sudo update-grub

Method Two

sudo dpkg-reconfigure console-setup

Follow the prompts.

IPv6
sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1"
sudo update-grub

sudo nano /etc/netconfig
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -

sudo netstat -tln

whoopsie
Whoopsie is Ubuntu's Error Reporting daemon, to disable it:

sudo service whoopsie stop
sudo update-rc.d -f whoopsie remove
sudo apt-get purge whoopsie

Service From Automatically Starting By Upstart
sudo echo "manual" | sudo tee /etc/init/SERVICE.override

Thanks - http://askubuntu.com/questions/19320/how-to-enable-or-disable-services

Software RAID
https://help.ubuntu.com/16.04/serverguide/advanced-installation.html

The Urban Penguin - Software Raid Tutorial

Things To Do After Initial Install:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y bash-completion
sudo apt-get install -y nano
sudo apt-get install -y screen
sudo reboot

Problems?

If you installed from the CD and cannot complete the steps above because it says you only have the lists on the CD to use, the fix below rewrites the apt-get sources list of software...

sudo -i
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty main restricted" >/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates main restricted" >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty universe " >>/etc/apt/sources.list
echo "deb http://gb.archive.ubuntu.com/ubuntu trusty-updates universe " >>/etc/apt/sources.list

Now you can continue...

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y bash-completion
sudo apt-get install -y nano
sudo reboot

BASH Completion
sudo nano /etc/bash.bashrc
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

CPU Stepping
sudo apt-get install -y cpufrequtils
sudo update-rc.d cpufrequtils defaults
sudo cpufreq-info
sudo grep 'MHz' /proc/cpuinfo

Network Time Protocol (NTP)
sudo apt-get -y install ntp ntpdate

To add or remove time servers edit the configuration file:

sudo nano /etc/ntp.conf

Tweak the configuration file. Check at http://www.pool.ntp.org/zone/uk for latest list...

server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
#restrict -6 default kod notrap nomodify nopeer noquery
#restrict ::1

Then reconfigure...

sudo dpkg-reconfigure tzdata
sudo service ntp restart

Test...

date

Temperature Sensor Monitoring
sudo apt-get install lm-sensors
sudo sensors-detect
sudo service kmod start
sudo update-rc.d kmod defaults
sudo sensors

coretemp-isa-0000
Adapter: ISA adapter
Core 0:      +41.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:      +41.0°C  (high = +80.0°C, crit = +100.0°C)

smsc47b397-isa-0480
Adapter: ISA adapter
fan1:       1037 RPM
fan2:          0 RPM
fan3:          0 RPM
fan4:       1017 RPM
temp1:       +50.0°C
temp2:       +37.0°C
temp3:       +21.0°C
temp4:      -128.0°C

uptimed
sudo apt-get install -y uptimed

tuptimed
sudo apt-get install -y git python
cd /tmp
sudo git clone https://github.com/rfrail3/tuptime.git
cd tuptime
sudo chmod +x tuptime-install.sh
sudo ./tuptime-install.sh

Thanks to Cyberciti.

Linux Dash
Follow this article.

Daily Cron Error
If you receive the following error:

/etc/cron.daily/apt: DB Update failed, database locked

Try uninstalling the following package:

sudo apt-get remove apt-xapian-index

Thanks to Porotal.org.

Enable IP Forwarding On Reboot
sysctl -w net.ipv4.ip_forward=1
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

Thanks - http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

Cannot Reboot Or Shutdown Hangs Stops
This is to be used as a last resort... but it may just save your skin.

echo 1 | sudo tee /proc/sys/kernel/sysrq
echo b | sudo tee /proc/sysrq-trigger

Blank Screen Unsupported Video Options

 * Hold RIGHT SHIFT down during CD boot
 * Press F6 to choose Advanced Options
 * Press ESC
 * Use the arrow keys to move along the Boot line
 * Change the vga= number to 769

Thanks to Wikipedia

Failed to connect to system bus ERROR
You may see these error messages in /var/log/auth.log...

Feb 5 15:38:02 hostname proftpd: pam_systemd(proftpd:session): Failed to connect to system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

To fix it, make sure you add the dbus service to system startup, and then restart the services...

sudo update-rc.d dbus defaults
sudo service dbus restart
sudo service proftpd restart

Thanks to Gentoo

MEI Kernel Error Messages
"The Intel Management Engine (Intel ME) is an isolated and protected computing resource (Co-processor) residing inside certain Intel chipsets. The Intel ME provides support for computer/IT management features. The feature set depends on the Intel chipset SKU."

Thanks to Kernel.org

But this might not be needed if the hardware does not support it, and you will get the following errors in your kernel logs...

kernel: [258168.036048] mei 0000:00:03.0: unexpected reset: dev_state = RESETING

Edit the /etc/modprobe.d/blacklist.conf file and add the following line...

# fix unwanted intel kernel messages
blacklist mei

...then reboot.

User Is Not In The Sudoers File Stuck Help
http://www.maketecheasier.com/fixing-sudo-error-in-ubuntu/

Samba Error: no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
sudo pam-auth-update

Untick "SMB password synchronization"

Thanks to Ubuntu Forums.

Recently Installed Packages
sudo cat /var/log/dpkg.log* |grep ' installed' |sort -k1

Running Daemons With IPv4 And IPv6
sudo apt-get -y install lsof
sudo lsof -i -n -P

Startup Services
sudo apt-get install dialog rcconf
sudo rcconf

sudo initctl list |sort
sudo service --status-all
sudo ls -lah /etc/rc*

Touch Booted and Rebooted Files
nano /etc/rc.local
touch /booted
exit 0

nano /etc/init.d/rebooted
#!/bin/sh
touch /rebooted

chmod +x /etc/init.d/rebooted

cd /etc/rc6.d/
ln -s ../init.d/rebooted K00rebooted

Passwordless sudo
sudo nano /etc/sudoers
ALL ALL = (ALL) NOPASSWD: ALL
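
The rule above lets every account run any command as root without a password. The following script is an added example, not part of the original page: it flags NOPASSWD rules whose command list is ALL so they can be narrowed to a named user or command. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sudoers rules that grant passwordless root too widely.

# find_blanket_nopasswd FILE
# Prints "LINE:SEVERITY:RULE" for every rule that combines NOPASSWD with the
# command ALL. SEVERITY is "critical" when the user field is ALL (everyone)
# and "review" for a named user or group.
find_blanket_nopasswd() {
    awk '
    {
        line = $0
        if (buf == "") start = NR               # first line of this rule
        if (line ~ /\\$/) {                     # backslash continuation
            sub(/\\$/, "", line)
            buf = buf line " "
            next
        }
        rule = buf line
        buf = ""
        gsub(/[ \t]+/, " ", rule)               # normalise whitespace
        sub(/^ /, "", rule)
        sub(/ $/, "", rule)
        if (rule == "" || rule ~ /^#/) next     # blanks, comments, #include
        if (rule ~ /^Defaults/ || rule ~ /^[A-Za-z]+_Alias/) next
        if (index(rule, "=") == 0 || rule !~ /NOPASSWD ?:/) next
        who = rule
        sub(/ .*/, "", who)                     # first field is the user spec
        cmds = rule
        sub(/^.*NOPASSWD ?: ?/, "", cmds)       # command list after the tag
        n = split(cmds, c, / ?, ?/)
        hit = 0
        for (i = 1; i <= n; i++) if (c[i] == "ALL") hit = 1
        if (!hit) next
        printf "%d:%s:%s\n", start, (who == "ALL" ? "critical" : "review"), rule
    }' "$1"
}

# Constructed sample sudoers content, not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers, not taken from a real host
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ALL ALL = (ALL) NOPASSWD: ALL
jsmith ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
backup ALL=(root) NOPASSWD: \
    ALL
EOF
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_sudoers > "$demo_file"
find_blanket_nopasswd "$demo_file"
rm -f "$demo_file"
```

On a real host, point the function at /etc/sudoers and each file under /etc/sudoers.d, and check any edit with visudo -cf FILE before it goes live.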

Application To Start On Boot
nano /etc/rc.local

Better Log Files
Edit the following file to match content below:

sudo nano /etc/rsyslog.d/50-default.conf
cron.*                         /var/log/cron.log
#mail.info                     -/var/log/mail.info
#mail.warn                     -/var/log/mail.warn
#mail.err                      /var/log/mail.err
#news.crit                     /var/log/news/news.crit
#news.err                      /var/log/news/news.err
#news.notice                   -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
       auth,authpriv.none;\
       news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
       auth,authpriv.none;\
       cron,daemon.none;\
       mail,news.none          -/var/log/messages
#daemon.*;mail.*;\
#      news.err;\
#      *.=debug;*.=info;\
#      *.=notice;*.=warn       |/dev/xconsole
#

Getty Terminals
Reduce the number of terminals to 2...

sudo mkdir /root/misc
sudo mv -v /etc/init/tty{3,4,5,6}.conf /root/misc/

sudo nano /etc/default/console-setup
ACTIVE_CONSOLES="/dev/tty[1-2]"

and

sudo nano /etc/systemd/logind.conf
NAutoVTs=2

and

sudo nano /lib/systemd/system/getty.target.wants/getty-static.service

from this...

ExecStart=/bin/systemctl --no-block start getty@tty2.service getty@tty3.service getty@tty4.service getty@tty5.service getty@tty6.service

to this...

ExecStart=/bin/systemctl --no-block start getty@tty2.service

Thanks - http://unix.stackexchange.com/questions/56531/how-to-get-fewer-ttys-with-systemd

Root User
sudo su
sudo passwd root

You will be prompted to enter and confirm the password for 'root'. After that you will be able to log in as the root user and have full privileges without having to type 'sudo' at the beginning of each line.

Normal User
sudo useradd -c "John Smith" -s /bin/bash -m jsmith
sudo passwd jsmith

Elevate User To Root
sudo gpasswd -a jsmith sudo
sudo gpasswd -a jsmith adm

Static IP Address
sudo nano /etc/network/interfaces

Edit the file to read (this example uses 192.168.0.100 for the system and Google's DNS servers):

For a single network card system...

# ONE CARD
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto em1
iface em1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers 208.67.222.222 208.67.222.220 8.8.8.8 8.8.4.4
# post-up route del -net 169.254.0.0 netmask 255.255.0.0

For a dual network card system, using Shoreline Firewall (Shorewall)...

# TWO CARDS
# The loopback network interface
auto lo
iface lo inet loopback
# The inside network interface
auto em2
iface em2 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
dns-nameservers 127.0.0.1
dns-search domain.com
# The outside network interface
auto em1
iface em1 inet static
address 10.0.0.1
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
gateway 10.0.0.2

Save and close the file, then restart the network:

sudo /etc/init.d/networking restart

Edit the 'hosts' file:

sudo nano /etc/hosts

Edit the file to read (server2 used for this example):

127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1

Then run:

echo server1.example.com | sudo tee /etc/hostname
sudo /etc/init.d/hostname.sh restart

Check the configuration:

hostname
hostname -f

Both of the above commands should return:

server1.example.com

Time Zone And Date
sudo apt-get install ntp
sudo dpkg-reconfigure tzdata

Automated Package List Updates But Not Install
Install the software...

sudo apt-get install cron-apt
sudo nano /etc/cron-apt/config
MAILON="always"
MAILTO="me@myemail.com"

Read more about the software in the README...

less /usr/share/doc/cron-apt/README.gz

Thanks to Debian Administration Org.

Command On System Startup As Another User
sudo nano /etc/rc.local
# mpdscribble
su -c 'mpdscribble' username &
# exit (the line below must be the last line in the file)
exit 0

Thanks to AskUbuntu.

Force Filesystem Check On Reboot
sudo touch /forcefsck
sudo reboot

Install Server
sudo apt-get install ssh openssh-server

Copy Public Key To Server
ssh-copy-id -i ~/.ssh/id_rsa.pub username@192.168.0.x

Secure
To get it "Tight as a duck's a***"...

Levels


 * 1) Port Number
 * 2) Firewall Rules
 * 3) TCP Wrappers
 * 4) SSH Daemon Configuration

User --> Non Standard Port --> Firewall Check --> TCP Wrapper Check --> SSH Configuration Check --> Logged In

Files

==> /etc/hosts <==
127.0.0.1 localhost.localdomain localhost
10.0.0.1 server1.domain.co.uk server1
12.345.678.90 www.domain.co.uk

==> /etc/hosts.allow <==
ALL: 10.0.0.0/24
imap: ALL
sshd: 123.456.789

==> /etc/hosts.deny <==
ALL: ALL

Testing

tcpdmatch sshd 123.456.789
client:  address  123.456.789
server:  process  sshd
access:  granted

Thanks to Bodhizazen Net. & Cyberciti
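
How tcpd reaches the decision that tcpdmatch reports, as an added example that is not from the original page: hosts.allow is checked first, then hosts.deny, and a client matching neither file is granted. This is a simplified IPv4-only model of hosts_access(5); the function names are hypothetical and 203.0.113.7 is a constructed stand-in for the permitted SSH client.

```shell
#!/bin/sh
# Added example: simplified model of TCP Wrappers (hosts_access) evaluation.
# Supported client patterns: ALL, exact IPv4, prefix ending in ".", n.n.n.n/bits.

# rules_match FILE DAEMON IP -> exit status 0 if any rule in FILE matches.
rules_match() {
    [ -r "$1" ] || return 1
    awk -v daemon="$2" -v ip="$3" '
    function ip2n(s,   o, n, i) {            # dotted quad to number, -1 if invalid
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(s, o, ".")
        n = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] + 0 > 255) return -1
            n = n * 256 + o[i]
        }
        return n
    }
    function client_ok(pat,   p, net, addr, div) {
        if (pat == "ALL") return 1
        if (pat ~ /\/[0-9]+$/) {             # CIDR: compare the network bits only
            split(pat, p, "/")
            net = ip2n(p[1]); addr = ip2n(ip)
            if (net < 0 || addr < 0 || p[2] + 0 > 32) return 0
            div = 2 ^ (32 - p[2])
            return (int(net / div) == int(addr / div))
        }
        if (pat ~ /\.$/) return (index(ip, pat) == 1)   # "192.168." style prefix
        return (pat == ip)
    }
    {
        sub(/#.*/, "")                       # strip comments
        if (split($0, f, ":") < 2) next      # need "daemons : clients"
        nd = split(f[1], d, /[ \t,]+/)
        nc = split(f[2], c, /[ \t,]+/)
        for (i = 1; i <= nd; i++) {
            if (d[i] != "ALL" && d[i] != daemon) continue
            for (j = 1; j <= nc; j++)
                if (c[j] != "" && client_ok(c[j])) { found = 1; exit }
        }
    }
    END { exit (found ? 0 : 1) }
    ' "$1"
}

# tcpw_decision DAEMON IP ALLOW_FILE DENY_FILE -> prints "granted" or "denied".
tcpw_decision() {
    if rules_match "$3" "$1" "$2"; then
        echo granted
    elif rules_match "$4" "$1" "$2"; then
        echo denied
    else
        echo granted        # no rule in either file: access is granted
    fi
}

# Constructed rules mirroring the files above, with a valid sample client.
write_sample_rules() {
    cat > "$1/hosts.allow" <<'EOF'
ALL: 10.0.0.0/24
imap: ALL
sshd: 203.0.113.7
EOF
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

# Demo: the permitted client, a neighbouring address, and a LAN host.
demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir"
for client in 203.0.113.7 203.0.113.8 10.0.0.55; do
    echo "sshd $client: $(tcpw_decision sshd "$client" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
rm -rf "$demo_dir"
```

Running the same check with an empty hosts.deny grants the neighbouring address too, which is why the ALL: ALL line in hosts.deny carries the whole policy.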

Speed Up Logins
Server Side

Turn off the DNS lookups...

sudo nano /etc/ssh/sshd_config
UseDNS no

Turn off the MOTD (Message Of The Day)...

touch ~/.hushlogin

Client Side

Turn off IPv6...

sudo nano ~/.ssh/config
Host *
AddressFamily inet

HOWTO: DNS
sudo apt-get install dnsutils dnsmasq
service dnsmasq stop

sudo nano /etc/default/dnsmasq
IGNORE_RESOLVCONF=yes

sudo nano /etc/dnsmasq.conf
resolv-file=/etc/dnsmasqresolv.conf
domain=domain.uk.com

sudo nano /etc/dnsmasqresolv.conf
nameserver 208.67.222.222 # OpenDNS
nameserver 208.67.222.220 # OpenDNS
nameserver 8.8.8.8 # Google
nameserver 8.8.4.4 # Google

sudo nano /etc/hosts
# Delete the contents of the file and add the following to match your server details.
127.0.0.1 localhost.localdomain localhost
192.168.0.1 server.domain.uk.com server

sudo service dnsmasq restart
netstat -nap |grep 'dnsmasq'
dig
dig @localhost test.domain.uk.com
dig @localhost test
dig @localhost www.google.co.uk

...as per this page - DNS

HOWTO: DHCP
sudo nano /etc/dnsmasq.conf
dhcp-range=192.168.0.50,192.168.0.99,12h
dhcp-host=e8:03:9a:ed:65:56,paul-laptop,192.168.0.103,12h
dhcp-option=router,192.168.0.1
dhcp-option=ntp-server,192.168.0.1
dhcp-option=dns-server,192.168.0.1

HOWTO: FILE SERVER: SAMBA
sudo apt-get install samba samba-client
sudo service smbd stop
sudo service nmbd stop
sudo nano -w /etc/samba/smb.conf

[global]
workgroup = BLOGGS
server string = Samba Server %v
netbios name = SERVER1
map to guest = Bad User
passdb backend = smbpasswd
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
domain master = No
dns proxy = No
printing = bsd

[shared]
comment = Shared file space
path = /home/samba/shared
force user = nobody
force group = nogroup
read only = No
guest ok = Yes
create mask = 0775
force create mode = 0775
directory mask = 0775
force directory mode = 0775

mkdir -p /home/samba/shared
chown -R nobody /home/samba/shared
chgrp -R nogroup /home/samba/shared
touch /etc/printcap
smbpasswd -a jbloggs
testparm -s
service smbd start
service nmbd start
smbstatus
smbtree
# You will be asked for root's password, ignore this and just press enter
smbclient -U jbloggs -L //SERVER1/

INSTALL: Virtual Users Using Postfix And Dovecot With Security
sudo -i
groupadd vmail -g 2222
useradd vmail -r -g 2222 -u 2222 -d /var/vmail -m -c "VMail User"
sudo apt-get -y install postfix # (no configuration)
cd /etc/postfix/
touch aliases
touch generic
touch header_checks
touch main.cf
touch relay_recipients
touch sender_access
touch vmail_aliases
touch vmail_domains
touch vmail_mailbox
nano generic
postmap generic
nano main.cf
>master.cf
nano master.cf
nano relay_recipients
postmap relay_recipients
nano sender_access
postmap sender_access
nano vmail_aliases
postmap vmail_aliases
nano vmail_domains
postmap vmail_domains
nano vmail_mailbox
postmap vmail_mailbox
service postfix stop

https://www.rosehosting.com/blog/mailserver-with-virtual-users-and-domains-using-postfix-and-dovecot-on-a-centos-6-vps/

INSTALL: Slim Email Server - Sent To Another Server's Mail Hub
http://wiki.indie-it.com/index.php?title=SSMTP

INSTALL: Basic Email Server - Part I - Procmail + Postfix + Mutt
Set the System Wide Maildir Email Directory...

sudo nano /etc/bash.bashrc
MAIL=$HOME/.maildir/

Install the software...

sudo apt-get install procmail postfix mutt

Postfix Configuration > Mailer Type > Internet Site with Smarthost > Domain Name = server1.domain.com > SMTP Relay = auth.smtp.1and1.co.uk

Configure the software...

sudo nano /etc/procmailrc
# Use maildir-style mailbox in user's home directory
DEFAULT=$HOME/.maildir/
# Log actions to file
LOGFILE=/var/log/procmail.log
# Log synopsis of messages
LOGABSTRACT=all
# Be verbose
VERBOSE=no

sudo nano /etc/postfix/main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server2.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server2.domain.com, server2, domain.com, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1, 192.168.0.171
inet_protocols = ipv4
header_checks = regexp:/etc/postfix/header_checks
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
relayhost = [auth.smtp.1and1.co.uk]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_password
smtp_sasl_security_options = noanonymous

Create the SASL password file...

sudo nano /etc/postfix/sasl/sasl_password
[my.smtp.host.co.uk] me@myemailaccount.com:passW0rD

Lock down permissions...

sudo chmod 0600 /etc/postfix/sasl/sasl_password

Hash the file...

sudo postmap hash:/etc/postfix/sasl/sasl_password

Create the Postfix generic maps file...

sudo nano /etc/postfix/generic
root@myhostname.localdomain me@myemailaccount.com
user1@myhostname.localdomain me@myemailaccount.com
user2@myhostname.localdomain me@myemailaccount.com

Hash the file...

sudo postmap hash:/etc/postfix/generic

Copy the supporting files to the Postfix working directory...

sudo cp -av /etc/hosts /var/spool/postfix/etc/
sudo cp -av /etc/services /var/spool/postfix/etc/
sudo cp -av /etc/localtime /var/spool/postfix/etc/
sudo sh -c 'cat /etc/resolv.conf > /var/spool/postfix/etc/resolv.conf'

Create the header checks file for later (with MailScanner)...

sudo touch /etc/postfix/header_checks

Fix the aliases file for root's email...

sudo nano /etc/aliases
root: regularuser
sudo newaliases

Restart Postfix...

sudo postfix stop
sudo postfix start

Install heirloom-mailx and mutt...

sudo apt-get install -y heirloom-mailx mutt

Configure system wide settings...

sudo nano -w /etc/Muttrc
# tweaks
set mbox_type=maildir
set editor="nano"
# I like to see all my mail headers in my editor:
set edit_headers=yes
# don't wait for sendmail to finish (this runs sendmail in the background)
set sendmail_wait=-1
# this prevents Mutt from endlessly asking when you quit:
#     "Move read messages to ~/mbox? ([no]/yes):"
set move=no
# this prevents Mutt from endlessly asking:
#     "~/Mail does not exist. Create it? ([yes]/no):"
set folder=""

Send test email message...

mail me@myemailaccount.com
Subject: test
Cc:
message
.

Also, see Postfix and Mutt

INSTALL: Basic Email Server - Part II - Fetchmail
sudo apt-get install fetchmail
sudo useradd -c "Server Postman" -d /home/postman -s /bin/bash -m postman
sudo passwd postman
su - postman
cd
touch fetchmail.log
nano ~/.fetchmailrc

set daemon 600
set logfile /home/postman/fetchmail.log
set no bouncemail
set postmaster postman
poll pop.1and1.co.uk
  protocol pop3
  uidl
  localdomains domain.com
  username "mailbox@domain.com" password "mypassword" is root here
  fetchall
  preconnect "date >> /home/postman/fetchmail.log"

chmod 0700 ~/.fetchmailrc
exit

su - postman
cd
nano fmcheck

#!/bin/bash
#
#       fmcheck
#
#       Script to check if the fetchmail daemon is running
#
EXPRESSION='fetchmail'
ps -U postman | grep $EXPRESSION
if [ $? -eq 0 ]; then
    echo "$EXPRESSION process running"
else
    echo "$EXPRESSION process not running"
    fetchmail --quit
    sleep 3
    fetchmail --limit 30000000
    echo "$EXPRESSION process running"
fi

chmod +x fmcheck

fetchmail --version --check --verbose
./fmcheck

sudo crontab -e -u postman
*/20 * * * * ~/fmcheck >/dev/null 2>&1

INSTALL: Basic Email Server - Part III - MailScanner + ClamAV + SpamAssassin + DCC + Razor + Pyzor
Make sure you have enough free memory for this, and create a swapfile if needed!

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04


Switch to root first. You have a LOT to do here...

sudo -i

Install Clam AntiVirus and SpamAssassin first...

sudo apt-get install -y clamav clamav-daemon spamassassin
sudo service spamassassin stop
update-rc.d -f spamassassin remove
sudo nano /etc/clamav/freshclam.conf
DatabaseMirror db.GB.clamav.net
sudo freshclam
sudo sa-update
sudo clamscan --version
sudo spamassassin --version

Now switch to root home directory and install the latest MailScanner from the Ubuntu DEB version...

cd
mkdir misc
cd misc
wget https://s3.amazonaws.com/mailscanner/release/v4/deb/MailScanner-4.85.2-3.deb.tar.gz
tar -xzvf MailScanner-4.85.2-3.deb.tar.gz
cd MailScanner-install-4.85.2/
./install.sh

Install the link for the old version...

ln -s /opt/MailScanner/bin/check_mailscanner /usr/sbin/

Now add some MailScanner jobs to root's crontab...

crontab -e
# mailscanner
0       0 * * * /root/bin/mailscanner_archive.sh >/dev/null 2>&1
37      5 * * * /usr/sbin/update_bad_phishing_sites >/dev/null 2>&1
07      * * * * /usr/sbin/update_bad_phishing_sites >/dev/null 2>&1
42      * * * * /usr/sbin/update_virus_scanners >/dev/null 2>&1
3,23,43 * * * * /usr/sbin/check_mailscanner >/dev/null 2>&1

Configure the main MailScanner configuration file...

nano /etc/MailScanner/MailScanner.conf
%org-name% = mydomain
%org-long-name% = Company Name
%web-site% = www.mydomain.com
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
MTA = postfix
Incoming Work User =
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.ctl
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
Mail Header = X-%org-name%-MailScanner-VirusCheck:
Information Header = X-%org-name%-MailScanner-Information:
Information Header Value = MailScanner Version 4.84.6
Always Include SpamAssassin Report = yes
Archive Mail = /home/MailScanner/archive/_DATE_/messages
Missing Mail Archive Is = file
Use SpamAssassin = yes
Required SpamAssassin Score = 5
Log Spam = yes

Install some extra PERL modules...

sudo apt-get install libdbi-perl libdbd-sqlite3-perl libfilesys-df-perl libio-stringy-perl libnet-cidr-perl libsys-sigaction-perl libmime-tools-perl libarchive-zip-perl libole-storage-lite-perl

Check that it works so far...

sudo /usr/sbin/MailScanner --version

Create some more directories for ClamAV, Postfix and MailScanner to work together...

chown postfix /var/spool/postfix/
mkdir /var/spool/MailScanner/spamassassin/
chown -R postfix:postfix /var/spool/MailScanner/*
chmod -R g+w /var/spool/MailScanner/*
chgrp -R clamav /var/spool/MailScanner/incoming/
find /var/spool/MailScanner/incoming/ -type d -exec chmod 0770 {} \;
find /var/spool/MailScanner/incoming/ -type f -exec chmod 0664 {} \;

Create the MailScanner archiving script...

mkdir /root/bin
nano /root/bin/mailscanner_archive.sh

#!/bin/bash
ARCHIVE=/home/MailScanner/archive
DIRNAME=$( date +%Y%m%d )
MESSAGES=messages
/usr/bin/logger -p 'mail.info' Checking for MailScanner message archive...
if [ -f $ARCHIVE/$DIRNAME/$MESSAGES ] ; then
    echo "$ARCHIVE/$DIRNAME/$MESSAGES exists."
else
    mkdir -p $ARCHIVE
    mkdir -p $ARCHIVE/$DIRNAME
    touch $ARCHIVE/$DIRNAME/$MESSAGES
    chown -R postfix:postfix $ARCHIVE/
    chmod g+w $ARCHIVE/$DIRNAME/$MESSAGES
    echo "$ARCHIVE/$DIRNAME/$MESSAGES created."
fi

Make the script executable...

chmod 0700 /root/bin/mailscanner_archive.sh

Run the MailScanner archiving script...

/root/bin/mailscanner_archive.sh

Fix the AppArmor bug for ClamAV...

sudo usermod -a -G www-data clamav
sudo nano /etc/apparmor.d/usr.sbin.clamd
# mailscanner
/var/spool/MailScanner/** rw,
/var/spool/MailScanner/incoming/** rw,
sudo /etc/init.d/apparmor reload

Change SpamAssassin settings...

nano /etc/MailScanner/spam.assassin.prefs.conf
# use_auto_whitelist 0
bayes_ignore_header X-mydomain-MailScanner
bayes_ignore_header X-mydomain-MailScanner-VirusCheck
bayes_ignore_header X-mydomain-MailScanner-SpamCheck
bayes_ignore_header X-mydomain-MailScanner-SpamScore
bayes_ignore_header X-mydomain-MailScanner-Information
envelope_sender_header X-mydomain-MailScanner-From
bayes_path /var/spool/MailScanner/spamassassin/bayes
bayes_file_mode 0660

Fix the missing link for MailScanner and SpamAssassin...

sudo ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/mailscanner.cf

Initialise the Bayes databases...

cd /tmp/
sudo -u postfix -g postfix sa-learn --sync

Check that they are being used...

cd /tmp/ sudo -u postfix -g postfix sa-learn -D --dump magic

Mar 4 17:49:50.258 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks Mar 4 17:49:50.259 [10827] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen Mar 4 17:49:50.259 [10827] dbg: bayes: found bayes db version 3 0.000         0          3          0  non-token data: bayes db version 0.000         0          0          0  non-token data: nspam 0.000         0          0          0  non-token data: nham 0.000         0          0          0  non-token data: ntokens 0.000         0          0          0  non-token data: oldest atime 0.000         0          0          0  non-token data: newest atime 0.000         0          0          0  non-token data: last journal sync atime 0.000         0          0          0  non-token data: last expiry atime 0.000         0          0          0  non-token data: last expire atime delta 0.000         0          0          0  non-token data: last expire reduction count

ls -lah /var/spool/MailScanner/spamassassin/
-rw-rw 1 postfix postfix  12 2015-03-04 17:47 bayes.mutex
-rw-rw 1 postfix postfix 12K 2015-03-04 17:47 bayes_seen
-rw-rw 1 postfix postfix 12K 2015-03-04 17:47 bayes_toks
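
A freshly synced database like the one above exists but does not yet score any mail. The following is an added example, not part of the original page: a small shell helper that reads `sa-learn --dump magic` output and reports whether Bayes is missing, untrained or active. The function names are hypothetical and the thresholds assume SpamAssassin's defaults of 200 spam and 200 ham (bayes_min_spam_num, bayes_min_ham_num).

```shell
#!/bin/sh
# Added example: interpret `sa-learn --dump magic` output.
# Usage: sudo -u postfix -g postfix sa-learn --dump magic | bayes_status

# Constructed sample, modelled on the freshly initialised dump shown above.
SAMPLE_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens'

# Assumed thresholds: SpamAssassin's defaults for bayes_min_spam_num
# and bayes_min_ham_num. Override if your configuration changes them.
MIN_SPAM=${MIN_SPAM:-200}
MIN_HAM=${MIN_HAM:-200}

# bayes_field NAME: read dump text on stdin and print the value (third
# column) of the "non-token data: NAME" row; print nothing if absent.
bayes_field() {
    awk -v want="$1" '
        index($0, "non-token data: ") {
            name = $0
            sub(/^.*non-token data: /, "", name)
            sub(/[ \t\r]+$/, "", name)
            if (name == want) { print $3; exit }
        }'
}

# bayes_status: read dump text on stdin and print one word:
#   missing   - no "bayes db version" row (DB absent or unreadable)
#   untrained - DB exists but is below the thresholds, so no BAYES_* hits
#   active    - enough spam and ham learned for Bayes to score mail
bayes_status() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | bayes_field "bayes db version")
    nspam=$(printf '%s\n' "$dump" | bayes_field "nspam")
    nham=$(printf '%s\n' "$dump" | bayes_field "nham")
    if [ -z "$version" ]; then
        echo missing
    elif [ "${nspam:-0}" -ge "$MIN_SPAM" ] && [ "${nham:-0}" -ge "$MIN_HAM" ]; then
        echo active
    else
        echo untrained
    fi
}
```

Run it as the postfix user so it reads the same database MailScanner uses; a result of "untrained" after learning a single sample message is expected.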

Tweak MailScanner virus scanning settings for ClamAV...

nano /etc/MailScanner/virus.scanners.conf
    clamav         /usr/share/MailScanner/clamav-wrapper     /usr
    #generic
nano /usr/share/MailScanner/clamav-autoupdate
    $PackageDir = shift || "/usr";

Another tweak for Postfix file locking from unix to fifo...

nano /etc/postfix/master.cf
    pickup    fifo  n
    qmgr      fifo  n

Important setting for Postfix and MailScanner...

nano /etc/postfix/header_checks
    /^Received:/ HOLD

Final tweaks to users and groups...

usermod -a -G postfix clamav
usermod -a -G clamav postfix
usermod -a -G www-data postfix
groups clamav
groups postfix

Restart services...

service postfix restart
service clamav-daemon restart

Final testing...

pkill MailScanner
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint

Add the boot startup script...

sudo nano /etc/rc.local
    # mailscanner
    /root/bin/mailscanner_archive.sh
    /usr/sbin/check_mailscanner
    exit 0

Go for launch...

service postfix restart
pkill -HUP MailScanner
/usr/sbin/check_mailscanner

Now, DCC. Download and install...

sudo -i
cd /root/misc/
mkdir dcc
cd dcc/
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
tar -xzvf dcc.tar.Z
cd dcc-1.3.158/
./configure
make
make install

Configure to use the always running daemon...

nano /var/dcc/dcc_conf
    DCCIFD_ENABLE=on

Create the automatic startup links and start dccifd...

cp /var/dcc/libexec/rcDCC /etc/init.d/adcc
update-rc.d adcc defaults
/etc/init.d/adcc start

Test if dccifd is running...

netstat -nap |grep 'dcc'

udp       0      0 0.0.0.0:52926           0.0.0.0:*                           2599/dccifd
unix 2      [ ACC ]     STREAM     LISTENING     70691    2598/dccifd         /var/dcc/dccifd
unix 2      [ ]         DGRAM                    70144    2599/dccifd

Enable the SpamAssassin DCC plugin...

nano /etc/mail/spamassassin/v310.pre
    loadplugin Mail::SpamAssassin::Plugin::DCC
nano /etc/mail/spamassassin/mailscanner.cf
    ifplugin Mail::SpamAssassin::Plugin::DCC
    dcc_home /var/dcc
    dcc_dccifd_path /var/dcc/dccifd
    dcc_path /usr/local/bin/dccproc
    endif

Download a test spam email message and train SpamAssassin...

cd /root/misc/dcc
wget http://www200.pair.com/mecham/spam/sample-spam.txt
sa-learn --spam sample-spam.txt
spamassassin -D dcc <sample-spam.txt

It should show...

dbg: dcc: connected to local socket /var/dcc/dccifd

All is good. Now restart MailScanner to use DCC...

pkill MailScanner
/usr/sbin/check_mailscanner

Next, Razor...

cd
sudo apt-get install -y razor
rm /etc/razor/razor-agent.conf
razor-admin -create
razor-admin -register
sed -i 's/= 3/= 0/' /root/.razor/razor-agent.conf
cp -av .razor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.razor/
chmod g+w /var/spool/postfix/.razor/
nano /etc/mail/spamassassin/v310.pre
    loadplugin Mail::SpamAssassin::Plugin::Razor2
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D razor2 <sample-spam.txt
cd
pkill MailScanner
/usr/sbin/check_mailscanner

Next, Pyzor...

sudo apt-get install -y pyzor
pyzor discover
cp -av .pyzor /var/spool/postfix/
chown -R postfix:postfix /var/spool/postfix/.pyzor/
chown postfix /var/spool/postfix/
which pyzor
nano /etc/mail/spamassassin/v310.pre
    loadplugin Mail::SpamAssassin::Plugin::Pyzor
nano /etc/mail/spamassassin/mailscanner.cf
    ifplugin Mail::SpamAssassin::Plugin::Pyzor
    pyzor_path /usr/bin/pyzor
    endif
cd /tmp/
sudo -u postfix -g postfix /usr/sbin/MailScanner --lint
wget http://www200.pair.com/mecham/spam/sample-spam.txt
spamassassin -D pyzor <sample-spam.txt

Now restart MailScanner...

cd
pkill MailScanner
/usr/sbin/check_mailscanner

TWEAK: Sendmail (DEPRECATED)
sudo nano /etc/mail/sendmail.cf
    PrivacyOptions=noetrn
    DeliveryMode=queueonly
    QueueDirectory=/var/spool/mqueue.in

http://www.mailscanner.info/sendmail.html

SET: System Wide Maildir Email Directory
sudo nano /etc/bash.bashrc
    MAIL=$HOME/.maildir/

FIX: Dovecot Startup Script
cd /etc/init.d/
sudo ln -s /lib/init/upstart-job dovecot
sudo update-rc.d dovecot defaults
sudo service dovecot start

HOWTO: LAMP:
Linux, Apache, MySQL, PHP

sudo apt-get install apache2
sudo apt-get install mysql-server mysql-client
sudo service mysql status
sudo apt-get install php5 php5-mysql libapache2-mod-php5
sudo apt-get install phpmyadmin

Thanks to Unixmen.

HOWTO: NAGIOS 3:
Also see the dedicated wiki page Nagios3.

sudo apt-get install nagios3 nagios-nrpe-plugin
sudo usermod -a -G nagios www-data
sudo chmod -R +x /var/lib/nagios3/
sudo nano /etc/nagios3/nagios.cfg
    check_external_commands=1
sudo /etc/init.d/nagios3 restart
sudo apt-get install nagios-nrpe-server nagios-plugins
sudo nano /etc/nagios/nrpe.cfg
    allowed_hosts=127.0.0.1,192.168.0.171

Thanks to Unixmen.

Encryption
https://superuser.com/questions/305318/full-disk-encryption-with-two-factor-authentication-for-ubuntu-how?rq=1

Early SSH

Dropbear

$ apt-cache search dropbear
openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remote machines
dropbear - transitional dummy package for dropbear-{run,initramfs}
dropbear-bin - lightweight SSH2 server and client - command line tools
dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
dropbear-run - lightweight SSH2 server and client - startup scripts

Rotate Log Files Manually
savelog -l -n -p mail.log

Stress Testing
sudo apt-get install stress
sudo stress --cpu 2 --io 1 --vm 1 --vm-bytes 128M --hdd 1 --timeout 10s

Thanks Cyberciti.

Backup Whole Entire System (less /home)
sudo -i
cd /
tar -cvpzf /backup.tar.gz --exclude=/backup.tar.gz --exclude=/home --one-file-system /

Documentation
http://vwiki.co.uk/Configuration_%28Ubuntu%29