This was done in a VM. The system is FreeBSD 6.2-RELEASE, brought up to -STABLE with cvsup and rebuilt. The software versions used are the ones in the ports tree as of a cvsup around 24 January 2007.
1. System installation
Do a minimal FreeBSD install, adding the ports tree and the base src distribution.
Configure SSH:
Here I work from Windows with the "SSH Secure Shell Client" (users who cannot get past the national firewall can download it here), log in to the server the usual way, and choose Edit -> Settings. In the settings dialog go to Global Settings -> User Authentication -> Keys, where there is a Generate New button; press it and follow the prompts to generate a key. Then press the Upload button below it to upload the key file to the server; it lands in /home/yourname/.ssh2. That .ssh2 directory is created by the upload, but FreeBSD's default directory name is .ssh, not .ssh2, so do the following:
$ su
Password:
# ls
# mv .ssh2 .ssh
# cd .ssh
# ssh-keygen -X -f yourkey.pub >> authorized_keys
Now you can log in to the server again with the key. (ssh-keygen -X is the old spelling of ssh-keygen -i: it converts the SSH2/RFC 4716 public key the client uploaded into OpenSSH's one-line format. Since this was done under su, check that ~/.ssh and ~/.ssh/authorized_keys are owned by your user or by root and are not writable by anyone else; sshd's default StrictModes rejects the key otherwise.) Keep the current session open and confirm from a second session that key login works before going on. Then make these changes in /etc/ssh/sshd_config:
VersionAddendum HelloWorld # replaces the FreeBSD-specific suffix in the version banner so the OS is not advertised (the OpenSSH version itself stays visible)
PasswordAuthentication no # no password authentication
PubkeyAuthentication yes # public-key authentication
Two more things before restarting sshd with /etc/rc.d/sshd restart: on FreeBSD ChallengeResponseAuthentication defaults to yes, which lets PAM accept a password through keyboard-interactive authentication even with PasswordAuthentication no, so set it to no as well; and set PermitRootLogin no, since su covers that case.
2. Install CVSup
# cd /usr/ports/net/cvsup-without-gui
# make install clean
Because of dependencies it also installs gettext, which presents the options below; pick what you need:
Options for gettext 0.14.5_2
[X] EXAMPLES install example files
[X] HTMLMAN install man pages in HTML format
Reboot once the install completes.
3. Update the ports and stable trees
Edit ports-supfile and stable-supfile:
# ee /usr/share/examples/cvsup/ports-supfile
# ee /usr/share/examples/cvsup/stable-supfile
In each of them change:
*default host=CHANGE_THIS.FreeBSD.org
to:
*default host=cvsup3.freebsdchina.org
(cvsup carries no signatures or other integrity protection for what it fetches, so pick a mirror you trust.) Then run the two commands:
# cvsup -g -L 2 /usr/share/examples/cvsup/ports-supfile
# cvsup -g -L 2 /usr/share/examples/cvsup/stable-supfile
4. Edit the kernel configuration
# cd /usr/src/sys/i386/conf
# cp GENERIC /root/MyKernel
# ln -s /root/MyKernel MyKernel
# ee MyKernel
Adjust it for your hardware and the features you need. To use the IPF firewall, add these lines in the options section:
options IPFILTER # enable the ipf firewall
options IPFILTER_LOG # enable firewall logging
options IPFILTER_DEFAULT_BLOCK # any packet not matched by a pass rule is blocked
If you use a SATA disk, this line must stay:
options ATA_STATIC_ID # Static device numbering
If, like me, you can only use a USB keyboard (the machine has no PS/2 ports), keeping just the following options is enough for the USB keyboard to work:
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
To use SSH, this line must stay:
device pty # Pseudo-ttys (telnet etc)
Note: server or not, if the machine gets its address by DHCP (rare for a server, which usually has a static IP), this line must stay, because dhclient talks to the network through bpf:
device bpf # Berkeley packet filter
Save, exit, and edit rc.conf:
# ee /etc/rc.conf
Append:
inetd_enable="NO" # disable inetd
portmap_enable="NO" # disable the portmapper (on FreeBSD 6 the daemon is rpcbind and the current variable name is rpcbind_enable; it defaults to NO anyway)
kern_securelevel_enable="YES" # enable the kernel securelevel
kern_securelevel="2" # raise the securelevel to 2
ipfilter_enable="YES" # start the ipf firewall
ipfilter_rules="/etc/ipf.rules" # the rule set to load, a plain text file
ipmon_enable="YES" # start the IP monitor logger
ipmon_flags="-Dsn" # D = run as a daemon
# s = log via syslog
# n = map IP addresses and ports to names
# (-v, not used here, would also log TCP window size, ack and sequence numbers)
Securelevel 2 is not free: once raised, kernel modules can no longer be loaded or unloaded, the schg and sappnd file flags cannot be cleared, raw disk devices cannot be written, and the clock cannot be stepped by more than a second. In particular, any module a service needs (the accept filters in section 8, for instance) must be loaded from /boot/loader.conf rather than by an rc script that runs after the level is raised. For disk-level or kernel maintenance later, set kern_securelevel_enable="NO", reboot, and restore it afterwards.
Save and exit, then put these two lines in /etc/ipf.rules so the firewall does not get in the way of the rest of the installation:
pass in all
pass out all
This rule set is deliberately wide open (with IPFILTER_DEFAULT_BLOCK in the kernel it is the only reason anything gets through); replace it with a real one before the machine is exposed.
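As an added example, not part of the original article, here is a script that generates a default-deny replacement for the wide-open rule set, permitting only the services built on this host. The interface name em0 and the address 192.0.2.10 used in the demonstration are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not part of the original article: emit a default-deny
# /etc/ipf.rules for this server in place of the temporary "pass in all /
# pass out all". The interface em0 and the address 192.0.2.10 used below are
# assumptions for the demonstration; pass your own.
# Usage: gen_ipf_rules IFACE ADDR [TCP_PORT ...] > /etc/ipf.rules
#        (TCP ports default to 22 and 80, the two services built on this host)

gen_ipf_rules() {
    ifc=$1; addr=$2
    if [ -z "$ifc" ] || [ -z "$addr" ]; then
        echo "usage: gen_ipf_rules IFACE ADDR [TCP_PORT ...]" >&2
        return 1
    fi
    shift 2
    [ $# -gt 0 ] || set -- 22 80

    cat <<EOF
# ipf.rules for $ifc ($addr). "quick" ends evaluation at the first match, so
# order matters: loopback, anti-spoofing, outbound, inbound services, catch-all.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving on $ifc may carry a loopback source address
# or this host's own address as its source.
block in log quick on $ifc from 127.0.0.0/8 to any
block in log quick on $ifc from $addr/32 to any

# Traffic this host originates, stateful: the replies are admitted by the
# state table, so no separate "pass in" rules are needed for them.
pass out quick on $ifc proto tcp from $addr to any flags S keep state
pass out quick on $ifc proto udp from $addr to any keep state
pass out quick on $ifc proto icmp from $addr to any keep state

# Inbound services: only the connection-opening SYN (flags S) must match a
# rule; the rest of each connection is carried by its state entry.
EOF
    for port in "$@"; do
        echo "pass in quick on $ifc proto tcp from any to $addr port = $port flags S keep state"
    done
    cat <<EOF

# Everything else is logged and dropped. IPFILTER_DEFAULT_BLOCK in the kernel
# would drop it anyway, silently; the explicit rules make it visible in ipmon.
block in log quick on $ifc all
block out log quick on $ifc all
EOF
}

# Print the rule set for the constructed example host.
gen_ipf_rules em0 192.0.2.10 22 80
```

Write it out with `gen_ipf_rules em0 192.0.2.10 22 80 > /etc/ipf.rules` from the console or a second ssh session, check the syntax with `ipf -n -f /etc/ipf.rules` (a dry run), load it with `ipf -Fa -f /etc/ipf.rules`, and confirm the existing ssh session still works before closing it.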
5. Build and install the new kernel
# cd /usr/src
# make buildkernel KERNCONF=MyKernel
# make installkernel KERNCONF=MyKernel
If both finish without errors, remove the temporary files from the build and reboot:
# rm -rf /usr/obj/usr/src/sys/MyKernel
# reboot
6. Install Perl
# cd /usr/ports/lang/perl5.8
# make install clean
7. Install MySQL
# cd /usr/ports/databases/mysql50-server
# make install clean
If you are worried about garbled characters later: make WITH_CHARSET=gb2312 WITH_XCHARSET=all install clean
Add the MySQL startup setting to rc.conf:
# echo 'mysql_enable="YES"' >> /etc/rc.conf
Start MySQL:
# /usr/local/etc/rc.d/mysql-server start
Check that it came up:
mail# sockstat -4 | grep 3306
mysql mysqld 1510 3 tcp4 *:3306 *:*
A line like this means mysqld is running. Note the local address *:3306: it is listening on every interface. PHP on the same host connects through the unix socket or 127.0.0.1, so add bind-address=127.0.0.1 (or skip-networking) under [mysqld] in /etc/my.cnf unless remote clients genuinely need it, and keep port 3306 out of the firewall's pass rules either way.
Change the database root password right away:
# /usr/local/bin/mysqladmin -u root password YourPassword
A password given on the command line like this is visible in ps output while the command runs and stays in the shell history, so either clear the history afterwards or set it from the mysql client instead with SET PASSWORD FOR 'root'@'localhost' = PASSWORD('...'). A fresh install also has anonymous accounts and a root account for the host name; give them the same treatment or drop them.
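The sockstat checks here and in section 8 only confirm that a daemon is up. As an added example, not part of the original article, the script below turns the same sockstat output into an audit: every socket bound to the wildcard address whose port is not on an allow list is reported, which is exactly how mysqld on *:3306 shows up. The sample output is constructed from the listings in this article.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the listening sockets
# reported by sockstat(1) instead of eyeballing "grep 3306" or "grep 80".
# Every TCP/UDP socket bound to the wildcard address (*:port) whose port is not
# in the allow list is reported. On this host only 22 and 80 should be reachable
# from outside; mysqld on *:3306 is exactly the kind of thing it flags. The same
# check covers the Apache listing in section 8.
# Usage: sockstat -4 -l | audit_listeners "22 80"

# audit_listeners "PORT PORT ...": read sockstat output on stdin, print one line
# per unexpected wildcard listener, return 1 if any were found, else 0.
audit_listeners() {
    awk -v allowed="${1:-22 80}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }          # sockstat header line
        $5 ~ /^(tcp|udp)/ && $6 ~ /^\*:/ {        # bound to every interface
            port = substr($6, 3)
            if (!(port in ok)) {
                printf "EXPOSED %s (user %s, pid %s) listens on %s %s\n", $2, $1, $3, $5, $6
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Convenience wrapper: run the audit on a string instead of live sockstat output.
audit_listeners_str() {
    printf '%s\n' "$2" | audit_listeners "$1"
}

# Constructed sockstat -4 -l output modelled on the listings in the article:
# the httpd sockets are expected, mysqld and syslogd are bound to every interface.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     httpd      10674 16 tcp4   *:80                  *:*
www      httpd      10675 16 tcp4   *:80                  *:*
mysql    mysqld     1510  3  tcp4   *:3306                *:*
root     sshd       612   4  tcp4   *:22                  *:*
root     syslogd    480   5  udp4   *:514                 *:*'

audit_listeners_str "22 80" "$SAMPLE" || echo "listener audit: unexpected wildcard listeners found"
```

Run it on the live machine as `sockstat -4 -l | audit_listeners "22 80"` after each service is added; a clean run prints nothing and exits 0, so it can sit in a cron job or a post-install checklist.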
8. Install Apache
# cd /usr/ports/www/apache22
# make install clean
To go with the security settings later, you can build it as: make WITH_MPM=worker WITH_THREADS=yes WITHOUT_SSL=yes install clean (no mod_ssl, so no HTTPS from this Apache; and with the threaded worker MPM the php5 port builds the PHP module thread-safe, which is what the _TS entries in section 11 are for. Many third-party PHP extensions are not thread-safe, so prefork is the conservative choice if you see odd crashes.)
Perhaps an Apache bug, perhaps a FreeBSD problem: the system did not load accf_http.ko and accf_data.ko automatically, and Apache would not start. These are accept filters: the kernel keeps a new connection in the listen queue until a complete HTTP request (accf_http) or at least some data (accf_data) has arrived, so httpd never hands a worker to a connection that has sent nothing, which takes the sting out of idle or slow clients. So build and load them by hand:
# cd /usr/src/sys/modules/accf_data
# make clean
# make
# make install
# make clean
# cd /usr/src/sys/modules/accf_http
# make clean
# make
# make install
# make clean
Add to /boot/loader.conf (not rc.conf: the *_load variables are read by the boot loader and rc.conf ignores them; loading here also gets the modules in before the securelevel from section 4 is raised):
accf_data_load="YES"
accf_http_load="YES"
and add to /etc/rc.conf:
apache22_enable="YES"
apache22_http_accept_enable="YES"
After rebooting, use sockstat -4 to see whether it is listening:
# sockstat -4 | grep ':80 '
www httpd 10679 16 tcp4 *:80 *:*
www httpd 10678 16 tcp4 *:80 *:*
www httpd 10677 16 tcp4 *:80 *:*
www httpd 10676 16 tcp4 *:80 *:*
www httpd 10675 16 tcp4 *:80 *:*
root httpd 10674 16 tcp4 *:80 *:*
(grep 80 on its own also matches any PID or port that merely contains 80; the pattern above matches the port field only.) The root-owned httpd is the parent that holds the listening socket; the www ones are the workers that serve requests. Lines like these on port 80 mean Apache started. Now open /usr/local/etc/apache22/httpd.conf and find:
Options Indexes FollowSymLinks
and change it to:
Options FollowSymLinks
Removing Indexes disables directory listings, for safety's sake.
Find:
Listen 80
change to:
Listen YourIP:80
Find:
ServerAdmin [email protected]
change to:
ServerAdmin YourAdminEmail
Find:
#ServerName www.example.com:80
change to:
ServerName YourDomainName
Find:
#Include etc/apache22/extra/httpd-mpm.conf
and remove the # to enable it.
Edit /usr/local/etc/apache22/extra/httpd-mpm.conf:
#ee /usr/local/etc/apache22/extra/httpd-mpm.conf
ServerLimit 3000
StartServers 5
MaxClients 5000
MinSpareThreads 75
MaxSpareThreads 300
ThreadsPerChild 50
MaxRequestsPerChild 80000
Remember to raise ServerLimit here: with the worker MPM Apache needs MaxClients / ThreadsPerChild processes (5000 / 50 = 100 in this example), it caps MaxClients at ServerLimit x ThreadsPerChild, and the default ServerLimit of 16 is far below that, so without this line httpd complains on every restart. Keep MaxClients a multiple of ThreadsPerChild, and keep these numbers in proportion to the RAM available, since a worker process with 50 threads and the PHP module loaded is not small.
9. Install PHP
# cd /usr/ports/lang/php5
# make install clean
There are a few options; choose as needed:
Options for php5 5.2.0
[ ] CLI Build CLI version
[ ] CGI Build CGI version
[X] APACHE Build Apache module
[ ] DEBUG Enable debug
[ ] SUHOSIN Enable Suhosin protection system
[ ] MULTIBYTE Enable zend multibyte support
[ ] IPV6 Enable ipv6 support
[ ] REDIRECT Enable force-cgi-redirect support (CGI only)
[ ] DISCARD Enable discard-path support (CGI only)
[ ] FASTCGI Enable fastcgi support (CGI only)
[ ] PATHINFO Enable path-info-check support (CGI only)
If [ ] MULTIBYTE Enable zend multibyte support is selected, the WebAdmin program can no longer be parsed by Zend (those are Jacky's own words; I have not tested it, but if you install Zend later on, it makes no difference whether this is selected or not)
Copy php.ini:
# cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini
(php.ini-recommended, shipped alongside it, is the tighter of the two templates: it already has display_errors and register_globals off.) Open /usr/local/etc/php.ini and adjust as needed. For security, find disable_functions = and change it to disable_functions = phpinfo, which blocks viewing the system configuration (but leave it until installation and debugging are finished). While in the file, also set expose_php = Off, display_errors = Off and register_globals = Off, and consider adding exec, system, shell_exec, passthru and proc_open to disable_functions if the sites on this server do not need them.
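The sshd_config edits in section 1 and the php.ini edits above are both easy to get subtly wrong (a directive left commented out, a second assignment later in the file). As an added example, not part of the original article, here is a small audit script that reads both files and reports the effective values. It assumes the FreeBSD default paths /etc/ssh/sshd_config and /usr/local/etc/php.ini, which can be overridden so it can be run on copies; the demo files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a post-install audit of the two
# files the article edits by hand, /etc/ssh/sshd_config (section 1) and
# /usr/local/etc/php.ini (section 9). The expected values are the article's
# settings plus the related knobs a hardening pass usually includes; the file
# paths are the FreeBSD defaults and can be overridden for testing on copies.

# cfg_get FILE KEY MODE: print the effective value of KEY.
# sshd_config uses "Key value" and the FIRST occurrence wins (sshd_config(5));
# php.ini uses "key = value" and the LAST occurrence wins. Comments (# or ;)
# and blank lines are skipped, so a commented-out default counts as unset.
cfg_get() {
    awk -v k="$2" -v mode="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        {
            line = $0
            sub(/[#;].*/, "", line)                 # trailing comment
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (!match(line, /^[^ \t=]+/)) next     # blank line
            key = substr(line, 1, RLENGTH)
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t=]+/, "", rest)
            if (rest == "") next                    # "[section]" or "key =" with no value
            if (tolower(key) == tolower(k)) {
                val = rest
                if (mode == "first") { print val; exit }
            }
        }
        END { if (mode == "last" && val != "") print val }
    ' "$1"
}

# cfg_expect FILE KEY WANT MODE: report, and return 1 if KEY != WANT (case-insensitive).
cfg_expect() {
    got=$(cfg_get "$1" "$2" "$4")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "ok    $2 = $got"
        return 0
    fi
    echo "FAIL  $2 is '${got:-<unset>}', want '$3'"
    return 1
}

# sshd_config: the two directives the article sets, plus ChallengeResponseAuthentication
# (defaults to yes on FreeBSD and lets PAM accept a password even when
# PasswordAuthentication is no) and PermitRootLogin.
audit_sshd() {
    f=${1:-/etc/ssh/sshd_config}; rc=0
    cfg_expect "$f" PasswordAuthentication no first || rc=1
    cfg_expect "$f" PubkeyAuthentication yes first || rc=1
    cfg_expect "$f" ChallengeResponseAuthentication no first || rc=1
    cfg_expect "$f" PermitRootLogin no first || rc=1
    return $rc
}

# php.ini: phpinfo must be in disable_functions (the article's setting); the
# other three stop PHP from advertising itself, leaking errors to browsers, and
# importing request variables as globals.
audit_php() {
    f=${1:-/usr/local/etc/php.ini}; rc=0
    cfg_expect "$f" expose_php Off last || rc=1
    cfg_expect "$f" display_errors Off last || rc=1
    cfg_expect "$f" register_globals Off last || rc=1
    case ",$(cfg_get "$f" disable_functions last | tr -d ' ')," in
        *,phpinfo,*) echo "ok    disable_functions lists phpinfo" ;;
        *) echo "FAIL  disable_functions does not list phpinfo"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed copies: the state right after the article's edits, which
# passes the directives it sets and fails the ones it leaves at their defaults.
demo() {
    d=$(mktemp -d -t cfgaudit.XXXXXX) || return 1
    printf '#PermitRootLogin yes\nPasswordAuthentication no   # set in section 1\nPubkeyAuthentication yes\n' > "$d/sshd_config"
    printf '[PHP]\nexpose_php = On\ndisable_functions =\ndisable_functions = phpinfo, exec\ndisplay_errors = Off ; keep\nregister_globals = Off\n' > "$d/php.ini"
    audit_sshd "$d/sshd_config" || echo "sshd_config: needs work"
    audit_php "$d/php.ini" || echo "php.ini: needs work"
    rm -rf "$d"
}
demo
```

On the real machine call `audit_sshd` and `audit_php` with no arguments; both exit non-zero on any FAIL line, so they can gate the step where the wide-open firewall rules are replaced.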
Add these two lines to /usr/local/etc/apache22/httpd.conf:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Then find DirectoryIndex index.html and append index.php:
DirectoryIndex index.html index.php
Adding index.php to DirectoryIndex lets Apache use index.php as the default page. (The .phps mapping serves the highlighted source of any file ending in .phps, which is handy while developing and a leak on a production host; drop it unless you need it.)
# cd /usr/local/www/apache22/data/
# rm index.html
If you do not delete it you will only ever see "It works!"
10. Install the PHP5 extensions
# cd /usr/ports/lang/php5-extensions
# make install clean
The options are as follows; choose as needed:
Options for php5-extensions 1.0
[X] BCMATH bc style precision math functions
[X] BZ2 bzip2 library support
[X] CALENDAR calendar conversion support
[X] CTYPE ctype functions
[X] CURL CURL support
[ ] DBA dba support
[ ] DBASE dBase library support
[X] DOM DOM support
[ ] EXIF EXIF support
[ ] FILEINFO fileinfo support
[ ] FILEPRO filePro support
[ ] FRIBIDI FriBidi support
[X] FTP FTP support
[X] GD GD library support
[ ] GETTEXT gettext library support
[ ] GMP GNU MP support
[X] HASH HASH Message Digest Framework
[X] ICONV iconv support
[X] IMAP IMAP support
[ ] INTERBASE Interbase 6 database support (Firebird)
[ ] LDAP OpenLDAP support
[ ] MBSTRING multibyte string support
[X] MCRYPT Encryption support
[X] MHASH Crypto-hashing support
[ ] MING ming shockwave flash support
[ ] MSSQL MS-SQL database support
[X] MYSQL MySQL database support
[X] MYSQLI MySQLi database support
[ ] NCURSES ncurses support (CLI only)
[ ] ODBC unixODBC support
[ ] OPENSSL OpenSSL support
[ ] PANDA panda support
[ ] PCNTL pcntl support (CLI only)
[X] PCRE Perl Compatible Regular Expression support
[ ] PDF PDFlib support (implies GD)
[X] PDO PHP Data Objects Interface (PDO)
[ ] PGSQL PostgreSQL database support
[X] POSIX POSIX-like functions
[ ] PSPELL pspell support
[ ] READLINE readline support (CLI only)
[ ] RECODE recode support
[X] SESSION session support
[ ] SHMOP shmop support
[X] SIMPLEXML simplexml support
[ ] SNMP SNMP support
[ ] SOAP SOAP support
[ ] SOCKETS sockets support
[X] SQLITE sqlite support
[ ] SYBASE_CT Sybase database support
[ ] SYSVMSG System V message support
[ ] SYSVSEM System V semaphore support
[ ] SYSVSHM System V shared memory support
[ ] TIDY TIDY support
[X] TOKENIZER tokenizer support
[ ] WDDX WDDX support (implies XML)
[X] XML XML support
[X] XMLREADER XMLReader support
[ ] XMLRPC XMLRPC-EPI support
[X] XMLWRITER XMLWriter support
[ ] XSL XSL support (Implies DOM)
[ ] YAZ YAZ support (ANSI/NISO Z39.50)
[X] ZIP ZIP support
[X] ZLIB ZLIB support
When done, restart Apache:
# apachectl restart
11. Install Zend Optimizer
# cd /usr/ports/devel/ZendOptimizer/
# make install clean
Before the clean step you will see this message:
********************************************************************************
You have installed the ZendOptimizer package.
Edit /usr/local/etc/php.ini and add:
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20060613/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20060613/Optimizer_TS"
zend_extension="/usr/local/lib/php/20060613/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20060613/ZendExtensionManager_TS.so"
********************************************************************************
OK, do as it says (the _TS entries are the thread-safe variants used by the worker-MPM build from section 8), then restart Apache again.
12. Install OpenSSL
# cd /usr/ports/security/openssl
# make install clean
13. Install phpMyAdmin
Here I recommend downloading it and copying it into place by hand:
# cd /usr/ports/databases/phpmyadmin
# make fetch
# cd /usr/ports/distfiles
# tar -xvjf phpMyAdmin-2.9.2-all-languages.tar.bz2
# mv phpMyAdmin-2.9.2-all-languages /usr/local/www/apache22/data/phpmyadmin
# cd /usr/local/www/apache22/data/phpmyadmin
# cp libraries/config.default.php config.inc.php
# ee config.inc.php
Change:
$cfg['PmaAbsoluteUri'] = 'http://Your IP/phpmyadmin/';
to your own address and path; this is the URL you use in the browser to reach phpmyadmin. Placing it under the document root makes it reachable by anyone who can reach port 80, so restrict the /phpmyadmin directory in httpd.conf to the addresses you administer from. Change:
$cfg['blowfish_secret'] = 'blowfish_secret';
replacing blowfish_secret with a secret of your own. It is used to encrypt the cookie (if you use the cookie method in $cfg['Servers'][$i]['auth_type']), so it should be random rather than a word or a number, for example the output of openssl rand -base64 24. Change:
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'user';
$cfg['Servers'][$i]['password'] = 'password';
(With auth_type 'config' the MySQL credentials live in this file and anyone who reaches the URL is logged in as that user without a prompt; 'cookie' asks for the MySQL account instead and is the safer choice when the directory is not otherwise restricted.)