I took the time to try out the new FreeBSD release 8.0, so I downloaded the iso from the FreeBSD site, burned it and installed it on my home server (the server I’m referring to is in this post). After reinstalling all the ports I had on it previously (Apache, MySQL, PHP5, PHP5-extensions, Java 1.6, Openfire etc.), I decided to go one step further and try something I hadn’t done before, get email working.

DNS settings

To be able to receive email I needed a domain, now it happens that I purchased chrismcdonald.co.uk at some point last year, got it very cheap for 2 years from 123-reg. The domain wasn’t really doing anything and was just being used to forward to this blog (and still is), so I decided to get more use out of it and use a subdomain to point to my home server. I set the hostname of my FreeBSD server to server.chrismcdonald.co.uk by adding hostname=”server.chrismcdonald.co.uk” to /etc/rc.conf and added an entry in /etc/hosts so that it would resolve locally. So my hosts file now contained:

127.0.0.1               localhost server.chrismcdonald.co.uk

To get the domain to point to my home server I changed my dns records for chrismcdonald.co.uk and added a CNAME record pointing server.chrismcdonald.co.uk to my dynamic dns host chris.is-a-geek.net. I also added an MX record for the root domain which directs email to chrismcdonald.co.uk to chris.is-a-geek.net. Dynamic DNS allows users with a non-static IP (most home internet users) to use a host name to refer to your system’s ip address, which might change whenever you connect to your ISP. It works by having your home system contact the dynamic dns provider every so often to make sure the ip address mapping is kept up to date. I use dyndns.com, you can create a free account with them where you can create some free host names to use. You get to pick your own subdomain from any one of the domains they allow you to use, I chose the domain is-a-geek.net and my subdomain chris. My wireless router has built in support to work with dyndns.com and keep my host ip address updated, but if yours does not, there are some instructions also in my older post to get this working on FreeBSD.

Receiving mail

To ensure I could send and receive email past my wireless router, I added some port forwards for ports 25 (smtp), 465 (secure smtp) and 993 (secure imap), I already have existing port forwards set up for web and ssh access. Sendmail is configured by default to only allow sending of email and receiving mail only from localhost. To enable sendmail to receive mail externally I added this line to /etc/rc.conf and started sendmail again.

sendmail_enable="YES"

/etc/rc.d/sendmail stop
/etc/rc.d/sendmail start

OK so with the domain name sorted out and sendmail set to receive external mail I tried testing it out. I logged into another remote server, which was located outside of my local network on the internet. I used telnet to attempt to manually send an email. Below is the transcript, my commands are in bold, square brackets are for your server name and email.

telnet server.chrismcdonald.co.uk 25
Connected to chris.is-a-geek.net.
Escape character is '^]'.
220 server.chrismcdonald.co.uk ESMTP Sendmail 8.14.4/8.14.3; Sat, 8 May 2010
12:08:15 +0100 (BST)
HELO [remote server name]
250 server.chrismcdonald.co.uk Hello [remote server name and ip] , pleased
to meet you
MAIL FROM: [user@remoteserver]
250 2.1.0 [user@remoteserver]... Sender ok
RCPT TO: [user@server - in this case chris at chrismcdonald.co.uk]
550 5.7.1 [user@server]... Relaying denied
QUIT
221 2.0.0 server.chrismcdonald.co.uk closing connection

So it appeared that my server was not accepting email for my domain. To fix this I created the file /etc/mail/local-host-names and added the following lines, you would add your own hostnames.

chrismcdonald.co.uk
server.chrismcdonald.co.uk

Then when I tried again:

telnet server.chrismcdonald.co.uk 25
Connected to chris.is-a-geek.net.
Escape character is '^]'.
220 server.chrismcdonald.co.uk ESMTP Sendmail 8.14.4/8.14.3; Sat, 8 May 2010
12:08:15 +0100 (BST)
HELO [remote server name]
250 server.chrismcdonald.co.uk Hello [remote server name and ip], pleased
to meet you
MAIL FROM: [user@remoteserver]
250 2.1.0 [user@remoteserver]... Sender ok
RCPT TO: [user@server - in this case chris at chrismcdonald.co.uk]
550 5.7.1 [user@server]... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: test email again
Just testing
.
250 2.0.0 o48BLo6R001500 Message accepted for delivery
QUIT
221 2.0.0 server.chrismcdonald.co.uk closing connection

Sure enough I had the new email in my local mailbox (checked by running mail).

IMAP access

So now I could receive mail from outside, I looked around for a few guides to get started on setting up secure IMAP and secure SMTP sending. I needed a program that would provide IMAP access to mail and came across this blog post on Dovecot on freebsddiary.org, this is a great site with loads of tutorials and info on FreeBSD. I followed the steps in the guide to install Dovecot with some minor adjustments.

cd /usr/ports/mail/dovecot
make install clean

Below are the make options I used:

Dovecot make options

You can follow those steps from freebsddiary if you are starting from scratch. I ignored the certificate stuff because I already had a self signed one created, I also chose to use PAM authentication, which uses your user account password to authenticate. The important bits which I changed from /usr/local/etc/dovecot.conf are below, change them where they occur in the file:

protocols = imaps
ssl_cert_file = /etc/ssl/certs/server.chrismcdonald.co.uk.cert
ssl_key_file = /etc/ssl/private/server.chrismcdonald.co.uk.key
ssl_key_password = ******************
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
protocol imap {
listen = *:143
ssl_listen = *:993
# Login executable location.
...
}
auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
  #   gss-spnego
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = plain login
...
}

Then add the following to /etc/rc.conf and start dovecot.

dovecot_enable="YES"

/usr/local/etc/rc.d/dovecot start

Now I access my mail using imap securely over port 993. So far the server is able to receive mail, send mail (only from localhost) and has secure imap access to read mail, if this is suitable for what you need you can stop here. If you want to be able to send mail from another machine using your secure smtp read on.

SMTP sending

I found a couple more guides on having secure smtp authentication here and here. I did not follow those steps but borrowed some from both guides. The common setup appears to use cyrus sasl (Simple Authentication and Security Layer) for the authentication and to configure sendmail to use it. SASL SASL support is not build into sendmail by default, the guides said to recompile sendmail from its source /usr/src/usr.sbin/sendmail which I couldn’t find, I guess these things are all done using the ports system now, so here’s what I installed.

cd /usr/ports/security/cyrus-sasl2
make install clean
cd /usr/ports/security/cyrus-sasl2-saslauthd
make install clean
cd /usr/ports/mail/sendmail-sasl
make install clean

Then I needed to enable the sasl daemon by editing /etc/rc.conf and adding this line and starting the sasl daemon.

saslauthd_enable="YES"

/usr/local/etc/rc.d/saslauthd start

Finally sendmail needed to be configured to use secure smtp authentication, I also copied my certificate files that I generated a while back into /etc/mail/certs. I copied the default freebsd.mc and freebsd.submit.mc files located in /etc/mail to server.chrismcdonald.co.uk.mc and server.chrismcdonald.co.uk.submit.mc and edited server.chrismcdonald.co.uk.mc. Then following bits from both guides I added the following:

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
dnl Offer SMTP AUTH only after encryption (STARTTLS) has been negotiated
define(`confAUTH_OPTIONS',`p,y')dnl

define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/server.chrismcdonald.co.uk.cert')dnl
define(`confSERVER_CERT', `CERT_DIR/server.chrismcdonald.co.uk.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/server.chrismcdonald.co.uk.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/server.chrismcdonald.co.uk.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/server.chrismcdonald.co.uk.key')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

The lines starting with dnl are comments and those backticks ` are not typos, the opening quote is a backtick and the closing one a normal apostrophe. Finally after running the following in /etc/mail I had secure smtp authentication working:

make
make install
make restart

Well, that’s it for another post, sorry it was such a long one. I am buying a couple of real servers on eBay that wer e going pretty cheap, the kind they use in datacentres. I will probably have a go at getting internal dns working, so that I won’t be restricted to a single server working at home. If it works I will do another post on it.

To follow this you will need a pc, connected by ethernet cable to a home broadband router that has DHCP enabled.

Why?

Ok, so why did I want to set up a web server at home in the first place? Well, it so happened that we (Slider Studio) had just aquired a dedicated server at work and in the near future we’d be running quite a lot of stuff from it. We also had set up a development server at work which we could mess about with and make sure everything worked as expected before we put it on our production server. Knowing that I had to work quite a bit with servers in the future, I thought it would be a good idea to get more experience and practice with them. So I looked around for a cheap pc, I wasn’t that really concerned about the spec, mainly that it wouldn’t take up too much space and wasn’t too noisy.

Hardware

At my local computer fair, I managed to get a really good deal on a second-hand compaq evo d510s base unit (only 48 quid!), pics below.

The specs weren’t that bad either:

• 1.6 GHz processor
• 256MB SD RAM
• 20GB hard drive

It was in a pretty small compact case too, designed to be used flat on a desktop with perhaps a monitor on top. It later turned out to be pretty quiet, another bonus. I bought the machine and later upgraded the RAM to 1GB (2 x 512MB SD) and swapped the CD-ROM drive for a DVD drive (I needed a dvd drive to install FreeBSD from an install DVD). Finding the correct SD RAM for an old pc is not easy and certainly not as cheap as just buying any existing DDR memory. Most of what I could find on eBay was specifically for server rack machines, I had very strict requirements on the memory I needed, unbuffered, non-ECC, 266MHz  PC2100 etc. The machine had on-board graphics, which I didn’t really care about, the machine is only going to run a command line interface and I’m not doing any server side graphics intensive stuff.

OS

I decided to use FreeBSD 7.1 as the operating system because this was what our real production server was running and my aim was to replicate the set up at home. You can choose your own operating system, debian, ubuntu, whatever, just don’t bother installing a graphical windowing system, you shouldn’t need it. I would recommend FreeBSD, it’s very easy to install and the huge ports collection makes it super easy to install whatever software you need on the server. Plus, FreeBSD is used in many commercial servers and is very reliable. I will only be talking about setting up a FreeBSD server here.

Okay, on to actually installing now. First thing I did was get rid of the existing Windows XP installation, I did this by using a utilities CD to run the fdisk program and delete all partitions on the hard disk, create one primary partition and proceed to format that new partition. Actually it turns out I didn’t need to do this at all FreeBSD comes with its own fdisk-like program which does the same thing. So after partitioning and formatting the hard disk, I put in the FreeBSD 7.1 dvd (a burnt iso image you can get from here).

The first menu is about language and keyboard layout, just choose the correct one for you, the next screen is the installation type. Here you have a few options: Standard, Express, Custom + other options, I’d recommend just going with the standard install. It will then launch the installer, which is not the most user friendly installer, but don’t be scared! You should get a message talking about setting up the disk partition scheme, press OK for that, if you get a scary message talking about disk geometry don’t worry just press enter. When you get to the partitioning bit, just press A to use all of your disk space for FreeBSD with the default options for the partitions, then press q. Next you’ll get a menu about choosing the boot manager, just leave it on the default standard, we are just running FreeBSD on this system, nothing else. Next you get to choose how to partition the drive for the operating system folders. In FreeBSD the root folders such as /usr, /var and /bin are contained on separate partitions, you can create your own additional partitions if you want for instance if you wanted a partition mounted on /data for doing data backups, but I’d recommend just accepting the default by pressing A and then Q to quit. The default options give the most space to the /usr folder, which is useful because /usr is the location where the ports collection resides and the user accounts. Most of the space you will be using from your day to day server use will be in the /usr folder. The /var folder is commonly used for logs, /etc for system configuration and /bin for system binaries.

The next step is to choose the install source, I chose the install dvd, this later turned out not to work, my dvd drive or the disc may have been bad, blocks of data from the dvd could not be read. When the install failed I retried and this time chose to install from an FTP server. The next screen asks how much of FreeBSD to install, contrary to belief, you don’t need everything on here, just choose the User option, this gives you the basics and everything you need for your server. When it asks you if you want to install the ports collection say yes! You definitely want the ports collection, read on to find out why. After this you are taken back to the previous menu, press Exit, you will get one last chance to change your mind here, after that your drive is partitioned and formatted and the files copied.

When its finished you’ll get a chance to configure the network, say yes to this option (if you chose an ftp install you would have already gone through this). You will be given a list of network interfaces to choose from. Choose the ethernet one, my system is connected by ethernet directly to my broadband router. When it asks about using IPV6 configuration say no. When it asks if you want to try DHCP configuration you can say yes if your machine is connected to a DHCP enabled router. You will have to enter a hostname for your system a domain, IPv4 gateway and name server. Host is something you can choose to identify your server, it can be anything you like but don’t put any funny characters in. Domain should be a domain your server is part of. For me I didn’t have a domain yet, so I made one up, for the gateway and name server I entered the local  ip address of my router. For me this was 192.168.0.1, they are commonly this or 192.168.1.1.

After this you are asked about enabling services, for most of these you can say no, except for SSH which you definitely want to enable, I would recommend only enabling SSH, definitely don’t enable anonymous FTP. You then get asked to choose a time zone, whether to enable Linux mode, say no, set up a PS/2 mouse (if you have one), I ignored this. You are then asked about installing any additional packages, don’t install any at the moment we will do this later.

You will get a chance to create a user account say yes to this, creating a user account separate from the root account is a good idea, you should only use the root account only when you have to and to ssh into your server in the first place will require a user account. In the new user interface, enter the desired username under Login ID, leave the UID as it is, leave the group as it is, by default the group should be the same as the username. Enter your password carefully, you can only do it once here. Enter your full name, under member groups you can put in wheel in order for this user to be able to switch to root or do administrative tasks on the server. The home directory should be fine as it is, for the shell you may want to change the default /bin/sh to /bin/tcsh, there isn’t much difference that I’ve noticed apart from with tcsh you get the tab complete functionality when logged in via ssh, but not with sh. Once you have created the user you can set the root password for the system, you definitely do want to set a root password, enter this twice. Finally you go back to the main menu, select exit and your system will reboot and you should have a fully functioning FreeBSD system. Nearly done here, you just need to make sure the hostname you set for the machine resolves to itself, first lets edit the rc.conf file found in /etc. Log in to you server either at the machine or on another machine in your local network using ssh. Switch to the root user/super user by typing su then:

ee /etc/rc.conf

this file should have some key-value pairs, don’t worry too much about this file now, just make sure there is a key value pair

hostname="myhostname"

obviously replace myhostname with the hostname you set. Next edit the hosts file /etc/hosts and make sure that after 127.0.0.1 you have the localhost and your hostname, e.g.:

::1            localhost
127.0.0.1      localhost myhostname

Now if you run hostname from the command line you should get your hostname echoed back to you.

Router Set Up

In order to get remote access to your newly installed server you will need to perform some router configuration steps. Log into your router configuration, usually this done by opening a browser and going to 192.168.0.1 or 192.168.1.1, you will need the router login details. The first thing to do is set up a static ip address for your new server. For my router (which is a netgear sky broadband router), I did this by going to the Advanced tab -> LAN IP Setup a list of machines connected to the router was shown, I selected the one that looked like my server, entered the static ip address that I wanted (192.168.0.5) and gave the device a name (server). Your router configuration may be different to this and you may have to look at the manual for how to do it.

Next thing to do is set up some port forwards so we can access the server from outside of our home network (the internet). First port forward to set up is for SSH access. For my router this was under Security -> Firewall rules, I was given a list of services to choose from, I chose SSH (TCP/UDP:22), under the action I chose Allow Always,  for the destination IP address I entered the static ip address I had reserved for the server, 192.168.0.5. Under WAN users I selected Any and chose to log this always. If your router does not have ssh listed as a service, you can enter a custom service, just make sure the service is for port 22 using tcp and udp and that the destination address for this is the static IP you set for your server.

Finally you can do the same for http service (port 80) and https service (port 143). We haven’t got a web server yet so the http(s) port forwards won’t be doing anything yet, but it’s better to prepare for it now. You can test whether your port forwards are working by trying to get remote access to your server, first find out the public ip address your router has (this is the address that’s visible to the internet) then try and gain ssh access using your routers public IP address as the server location and the new user account you created on your server. For ssh on windows you can use the free PuTTY ssh client. If you could log in successfully then you now have remote-accessible server, it just can’t do much yet! If you couldn’t log in, try connecting to the server using the local ip address e.g. 192.168.0.5, if that works but the remote address does not, then you have a problem in you router port forwarding. Obviously most people’s public internet ip address will change from time to time, unless you have paid extra for a static one. So how our we supposed to get to our server when we’re away from home? More to the point how are we supposed to run a web site or more from a place  which IP address is changing all the time? The answer to this is Dynamic DNS, which I will leave until the next post, this is already way too long for a blog post, I’ll have to learn to keep things shorter for next time.

So look out for the next post where I’ll cover setting up dynamic dns for your server, installing Apache, MySQL and PHP (making your server a FAMP server)! Peace.