Set Up Postfix Local Mail Server, Dovecot, Squirrelmail On CentOS 6

This article describe how to set up and configure Postfix Mail Server with Dovecot and Squirrelmail On CentOS 6 at Local Area Network.

Set up and configure Postfix Mail Server to receive and send email on public area network (internet) with domain name (email@domain.com) is very complex and difficult to set up, need much resources like static public ip address, stable server, etc.
As an alternative we can set up and configure Postfix to use Gmail as a Mail Relay, only need a Postfix Mail Server installed and a Gmail account  to configure MTA to relay outgoing mail through Gmail.

Postfix is a free open source mail transfer agent (MTA).

Dovecot is an open source IMAP and POP3 mail server for Unix/Linux systems.

SquirrelMail is a standards-based webmail package written in PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers.

It is important to disabled SELinux to reduce complexity in postfix configuration.
Remove default MTA sendmail first if it’s already installed

# yum remove sendmail

Add hostname entries in /etc/hosts file as shown below:

# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
192.168.1.101 server.vpshelpdesk.local vpshelpdesk

Install Postfix package using the command:

# yum install postfix -y

Configuring Postfix, Edit /etc/postfix/main.cf,

# vi /etc/postfix/main.cf

find and edit the following lines:

## Line no 75 - Uncomment and set your mail server FQDN ##
myhostname = vpshelpdesk.local
## Line 83 - Uncomment and Set domain name ##
mydomain = vpshelpdesk
## Line 99 - Uncomment ##
myorigin = $mydomain
## Line 116 - Set ipv4 ##
inet_interfaces = all
## Line 119 - Change to all ##
inet_protocols = all
## Line 164 - Comment ##
#mydestination = $myhostname, localhost.$mydomain, localhost,
## Line 165 - Uncomment ##\
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
## Line 264 - Uncomment and add IP range ##
mynetworks = 192.168.1.0/24, 127.0.0.0/8
## Line 419 - Uncomment ##
home_mailbox = Maildir/

Save and exit the file. Start/restart Postfix service now:

# service postfix restart
# chkconfig postfix on

Testing Postfix mail server
First, create a test user called “SK“.

# useradd sk
# passwd sk

Access the server via Telnet and enter the commands manually shown in ## ##

# telnet localhost smtp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 vpshelpdesk.local ESMTP Postfix
ehlo localhost ## type this command ##
250-server.vpshelpdesk.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<sk> ## Type this - mail sender address##
250 2.1.0 Ok
rcpt to:<sk> ## Type this - mail receiver address ##
250 2.1.5 Ok
data ## Type this to input email message ##
354 End data with <CR><LF>.<CR><LF>
welcome to vpshelpdesk mail server ## Enter the body of the email ##.
## type dot (.) to complete message ##
250 2.0.0 Ok: queued as B822221522
quit ## type this to quit from mail ##
221 2.0.0 Bye
Connection closed by foreign host.

Now navigate to the user “sk“ mail directory and check for the new mail:

# ls /home/sk/Maildir/new/
Sample output:

1390215275.Vfd00Ie04f8M357080.vpshelpdesk.local
A new mail is received to the user “sk“. To read the mail, enter the following command:
# cat /home/sk/Maildir/new/1390215275.Vfd00Ie04f8M357080.mail.local
Sample output:
Return-Path: <sk@vpshelpdesk.local>
X-Original-To: sk
Delivered-To: sk@vpshelpdesk.local
Received: from localhost (localhost [IPv6:::1])
by mail.local (Postfix) with ESMTP id B822221522
for <sk>; Mon, 20 Jan 2014 16:23:54 +0530 (IST)
Message-Id: <20140120105404.B822221522@mail.local>
Date: Mon, 20 Jan 2014 16:23:54 +0530 (IST)
From: sk@mail.local
To: undisclosed-recipients:;
welcome to vpshelpdesk mail server

Installing Dovecot
Dovecot is an open source IMAP and POP3 mail server for Unix/Linux systems. To install:

# yum install dovecot

Configuring Dovecot
Edit the file /etc/dovecot/dovecot.conf file,

#vi /etc/dovecot/dovecot.conf

Uncomment the following line:

## Line 20 - umcomment ##
protocols = imap pop3 lmtp

Edit file /etc/dovecot/conf.d/10-mail.conf file

#vi /etc/dovecot/conf.d/10-mail.conf

Make the changes as shown below:

## Line 24 - uncomment ##
mail_location = maildir:~/Maildir

Edit /etc/dovecot/conf.d/10-auth.conf

#vi /etc/dovecot/conf.d/10-auth.conf

And make the changes as shown below:

## line 9 - uncomment##
disable_plaintext_auth = yes
## Line 97 - Add a letter "login" ##
auth_mechanisms = plain login

Edit file /etc/dovecot/conf.d/10-master.conf,

# vi /etc/dovecot/conf.d/10-master.conf

Make changes as shown below:

## Line 83, 84 - Uncomment and add "postfix"
#mode = 0600
user = postfix
group = postfix

Start Dovecot service:

# service dovecot start
# chkconfig dovecot on

Testing Dovecot
It’s time to test Dovecot configuration. Enter the following command in Terminal:

#telnet localhost pop3
Enter the commands manually marked in red color:
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user sk ## log in as user sk ##
+OK
pass centos ## input user password ##
+OK Logged in.
retr 1
+OK 439 octets
Return-Path: <sk@vpshelpdesk.local>
X-Original-To: sk
Delivered-To: sk@vpshelpdesk.local
Received: from localhost (localhost [IPv6:::1])
by server.vpshelpdesk.local (Postfix) with ESMTP id B822221522
for <sk>; Mon, 20 Jan 2014 16:23:54 +0530 (IST)
Message-Id: <20140120105404.B822221522@server.vpshelpdesk.local>
Date: Mon, 20 Jan 2014 16:23:54 +0530 (IST)
From: sk@vpshelpdesk.local
To: undisclosed-recipients:;
welcome to vpshelpdesk mail server
.
quit
+OK Logging out.
Connection closed by foreign host.

Good Dovecot is working!

Installing Squirrelmail
Make sure that you’ve installed and enabled EPEL repository. Now install Squirrelmail using the following command:

#yum install squirrelmail

Configuring Squirrelmail
Navigate to /usr/share/squirrelmail/config/ directory and run the command conf.pl:

# cd /usr/share/squirrelmail/config/
# ./conf.pl

The following wizard will open. Enter choice “1” to set your organization details:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> 1
The following wizard will open. Enter “1” again to modify your organization details:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1. Organization Name : SquirrelMail
2. Organization Logo : ../images/sm_logo.png
3. Org. Logo Width/Height : (308/111)
4. Organization Title : SquirrelMail $version
5. Signout Page :
6. Top Frame : _top
7. Provider link : http://squirrelmail.org/
8. Provider name : SquirrelMail
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> 1
Set your Organization name and press Enter:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1. Organization Name : vpshelpdesk
2. Organization Logo : ../images/sm_logo.png
3. Org. Logo Width/Height : (308/111)
4. Organization Title : SquirrelMail $version
5. Signout Page :
6. Top Frame : _top
7. Provider link : http://squirrelmail.org/
8. Provider name : vpshelpdesk Mail
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> s
Now enter “2” to setup mail Server settings such as domain name and mail agent etc.:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >> 2
Enter “1”, Enter your mail domain (ex. vpshelpdesk. local) and press Enter key.

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings
General
-------
1. Domain : localhost
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (uw)
B. Change Sendmail Config : /usr/sbin/sendmail
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> 1
The domain name is the suffix at the end of all email addresses. If
for example, your email address is jdoe@example.com, then your domain
would be example.com.
[localhost]: unixmen.local
Enter “3” and change from sendmail to Postfix MTA (i.e. SMTP):

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings
General
-------
1. Domain : unixmen.local
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (uw)
B. Change Sendmail Config : /usr/sbin/sendmail
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> 3
Enter “2” to switch from sendmail MTA to postfix.

You now need to choose the method that you will use for sending
messages in SquirrelMail. You can either connect to an SMTP server
or use sendmail directly.
1. Sendmail
2. SMTP
Your choice [1/2] [1]: 2
Now enter “S” followed by “Q” to save and exit Squirrelmail configuration.

Create a squirrelmail vhost in apache config file:

#vi /etc/httpd/conf/httpd.conf
Add the following lines at the end:
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks
RewriteEngine On
AllowOverride All
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>

Restart the Apache service:

#service httpd restart

Create users
Create some users for testing. In my case i create two users called “senthil“ and “kumar“ respectively.

# useradd senthil
# useradd kumar
# passwd senthil
# passwd kumar

Access Webmail
Now navigate to http://ip-address/webmail or http://domain-name/webmail from your browser. The following screen should appear. Enter the username and password of the user.

Now you’ll be able to access the user senthil mail box. Let us compose a test mail from user “senthil“ to user “kumar“. Click on the Compose link on the top. Enter the recipient mail id (ex. kumar@vpshelpdesk.local), subject and body of the mail and click Send.

Now log out from user “senthil“ and log in to user “kumar“ mail and check for any new mail.

Hurrah! We have got a new mail from senthil@vpshelpdesk.local mail id. To read the mail, click on it. You’ll now be able to read, reply, delete or compose a new mail.

That’s it for now. We’ve successfully configured a local mail server that will serve in/out mails within a local area network. But i want to configure a public mail server to send and receive mails to outside of our LAN, what should i do? That’s not that difficult either.

You should configure mail server with a public IP and request your ISP to put the MX record of your mail server into their DNS server and you’re done! Everything will be same as i described above.

Setup DNS server and add the Mail server MX records in the forward and reverse zone files. To install and configure DNS server, navigate to this link. And you’ll need to contact your ISP to point your external static IP to your mail domain.

This article taken from http://www.unixmen.com/install-postfix-mail-server-with-dovecot-and-squirrelmail-on-centos-6-4/

Set up Postfix Gmail SMTP Relay on CentOS 6

This article describe how to Set up and Configure Postfix Gmail SMTP Relay on CentOS 6, we will set up Gmail as a Mail Relay, a Gmail account must ready to configure MTA to relay outgoing mail through Gmail.
Postfix is an MTA (Mail Transfer Agent), an application used to send and receive email.
GMail is a free web-based email service by Google with reliability and robust infrastructure who provides a simple sending email from the command line with smtp.gmail.com:587.

We Assume a website have contact form php page for visitor to send message. Postifx Mail Transfer Agent will deliver the message to recipient but guarantee the message will mark as spam. But if Postifx configure to use GMail as SMTP Relay, the message will send by Gmail account which already set up and configure on Postifx, so far the message will store at inbox not spam.

Install Postfix, make sure SASL authentication framework, and mailx also installed.
First Remove default MTA sendmail first if it’s already installed, make sure postfix as default MTA

#yum remove sendmail
#yum install postfix cyrus-sasl-plain mailx -y

Postfix will need to be start before the SASL framework will be detected.

#service postfix start

If error occurred postfix failed to start

Starting postfix:                                          [FAILED]
#tail -f /var/log/maillog
postfix[1070]:fatal:config variable inet_interfaces:host not found:localhost

Change the inet_interfaces setting in /etc/postfix/main.cf from:

inet_interfaces = localhost inet_interfaces = 127.0.0.1

Postfix should also be set to start on boot.

#chkconfig postfix on

Check that Postfix configured with SSL support (ie. ldd should return at least one line starting with libssl):

#whereis -b postfix
postfix: /usr/sbin/postfix /etc/postfix /usr/libexec/postfix
#ldd /usr/sbin/postfix
libssl.so.6 => /lib/libssl.so.6 (0x00111000)

Find your server’s CA root certificate bundle path, which is typically distributed with openssl. The bundle file is used by Postfix to verify Gmail’s SSL certificate (signed by Thawte).

#locate ca-bundle.crt
/etc/ssl/certs/ca-bundle.crt

Then edit /etc/postfix/main.cf, simply add/paste the following lines to the end of the file.

#vi /etc/postfix/main.cf
myhostname = hostname.example.com
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

The myhostname is optional. If hostname is not specified, Postfix will use the fully-qualified domain name of the server.

Configure Postfix SASL Credentials
The Gmail credentials must now be added for authentication. Create a /etc/postfix/sasl_passwd file and add following line:

#vi /etc/postfix/sasl_passwd
[smtp.gmail.com]:587 username:password

The username and password values must be replaced with valid Gmail credentials.
A Postfix lookup table must now be generated from the sasl_passwd text file by running the following command.

#postmap /etc/postfix/sasl_passwd

Access to the sasl_passwd files should be restricted.

#chown root:postfix /etc/postfix/sasl_passwd*
#chmod 640 /etc/postfix/sasl_passwd*

Lastly, reload the Postfix configuration.

#service postfix restart

Test the Relay
Use the mail command to test the relay.

echo "This is a test." | mail -s "test message" user@example.net

The destination address should receive the test message.
Troubleshoot Delivery Issues
The maillog can be reviewed if the test message is not successfully delivered. Open another shell and run tail while performing another test.

tail -f /var/log/maillog

If there are not enough details in the maillog to determine the problem, then the debug level can be increased by adding the following lines to the /etc/postfix/main.cf.

debug_peer_list=smtp.gmail.com
debug_peer_level=3

The Postfix configuration must be reloaded after updating the main.cf file.

#service postfix restart

Remember to remove the debug settings when testing is complete. The verbose logs can have a negative impact on server performance.

PROBLEM or ERROR occurred and how to resolve them
Port 25 open by iptables firewall
Make sure port 25 open has been accept by iptables firewall, visit this article to Install and Set Up Iptables Firewall on Centos 6
Postfix Gmail SMTP Relay access denied

rcpt to: vpshelpdesk@gmail.com
554 5.7.1 <vpshelpdesk@gmail.com>: : Relay access denied

Your Google Account has been suspendedYour-Google-Account-has-been-suspended

Hi vpshelpdesk,
Google has suspended your Account, vpshelpdesk@gmail.com, because of a violation of our Terms of Service.

Please follow possible solution below, so far it is working for meallow-less-secure-apps-ON

Change the “allow less secure apps” setting to enable. This allows them to connect to the account again.
Insert and Verify Account recovery email and phoneVerify-Account-recovery-email-and-phone

If Gmail SMTP Relay rare to use and rare sign in sometimes the message will not deliver again. Once check tail -f /var/log/maillog, we will find error below;

May 16 14:31:43 vpsheldesk.com postfix/smtp[1096]: D738BA40BE0: to=, relay=smtp.gmail.com[74.125.138.109]:587, delay=31, delays=0.01/0.04/31/0, dsn=4.7.14, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.138.109] said: 534-5.7.14 Please log in via your web browser and?534-5.7.14 then try again.?534-5.7.14 Learn more at?534 5.7.14 https://support.google.com/mail/answer/78754 w190sm8732463ywa.39 - gsmtp)
Visit GMAIL HELP https://support.google.com/mail/answer/78754 and follow the instructions


Can’t sign in to my email app
If you’re using the wrong Gmail password on another email app, you might have these problems:

  • The app keeps asking for your username and password
  • You see an “invalid credentials” error message
  • You see a “web login required” error message

If you have these problems or can’t sign in, first check to make sure you’re using the right password.

Tip: Keep in mind that passwords are case-sensitive.
Troubleshoot sign-in problems
If you’re sure your password is right, try these tips:

  • If you’ve turned on 2-Step Verification for your account, you might need to enter an App password instead of your regular password.
  • Sign in to your account from the web version of Gmail at https://mail.google.com. Once you’re signed in, try signing in to the mail app again.
  • Visit http://www.google.com/accounts/DisplayUnlockCaptcha and sign in with your Gmail username and password. If asked, enter the letters in the distorted picture.
  • Your app might not support the latest security standards. Try changing a few settings to allow less secure apps access to your account.
  • Make sure your mail app isn’t set to check for new email too often. If your mail app check for new messages more than once every 10 minutes, the app’s access to your account could be blocked.
  • Change your password according to our tips on creating a strong password.

Set Up Apache Virtual Hosts on CentOS 6

Virtual Hosts are used to run more than one domain off of a single IP address, there is no limit to the number of virtual hosts that can be added to a VPS.

We assume httpd has been successfully installed, if not visit http://vpshelpdesk.com/2016/06/05/install-linux-apache-mysql-php-lamp-on-centos-6/

Step One Create a New Directory
The first step in creating a virtual host is to a create a directory where we will keep the new website’s information. This location will be your Document Root in the Apache virtual configuration file later on. By adding a -p to the line of code that allows us to create a folder with a nested folder inside of it

#mkdir -p /var/www/example.com/public_html

Step Two Grant Permissions
We need to grant ownership of the directory to the user, instead of just keeping it on the root system. (assumed username ‘user’ has been added)

#chown -R user:apache /var/www/example.com/public_html

Additionally, it is important to make sure that everyone will be able to read our new files.

#chmod 755 /var/www

Step Three Create the Page
We need to create a new file called index.html within our configurations directory.

#vi /var/www/example.com/public_html/index.html

<html>
<head>
<title>www.example.com</title>
</head>
<body>
<h1>Success: You Have Set Up a Virtual Host</h1>
</body>
</html>

Step Four Turn on Virtual Hosts
The next step is to enter into the apache configuration file itself.

#vi /etc/httpd/conf/httpd.conf

There are a few lines to look for, make sure that your text matches what you see below.

#Listen 12.34.56.78:80
Listen 80
#
NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog /var/www/example.com/public_html/error.log
CustomLog /var/www/example.com/public_html/requests.log combined
</VirtualHost>

Step Five Restart Apache
We’ve made a lot of the changes to the configuration. However, they will not take effect until Apache is restarted.

# apachectl -k stop
#/etc/init.d/httpd start

Optional Step Six Setting Up the Local Hosts
If you have pointed your domain name to your virtual private server’s IP address you can skip this step. You do not need to set up local hosts. Your virtual hosts should work. However, if want to try out your new virtual hosts without having to connect to an actual domain name, you can set up local hosts on your computer alone. For this step, make sure you are on the computer itself, not your droplet. To proceed with this step you need to know your computer’s administrative password, otherwise you will be required to use an actual domain name to test the virtual hosts.

#vi /etc/hosts

You can add the local hosts details to this file, as seen in the example below. As long as that line is there, directing your browser toward, say, example.com will give you all the virtual host details for the corresponding IP address.

# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
#Virtual Hosts
12.34.56.789 www.example.com

Adding More Virtual Hosts
To create additional virtual hosts, you can just repeat the process above, being careful to set up a new document root with the appropriate new domain name each time. Then just copy and paste the new Virtual Host information into the Apache Config file, as shown below

<VirtualHost *:80>
ServerName www.example2.com
ServerAlias example2.com
DocumentRoot /var/www/example2.com/public_html
ErrorLog /var/www/example2.com/public_html/error.log
CustomLog /var/www/example2.com/public_html/requests.log combined
</VirtualHost>

Create mySQL User Grant PRIVILEGES to Database

Connect to mySQL server as root from console by type

[root@vpshelpdesk]#mysql -u root -p
Connect-to-mySQL-server-as-root-from-console

Create a mySQL database from console by type this

mysql>CREATE DATABASE dbuser;
create-database-mySQL

mysql>CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
mysql>GRANT ALL PRIVILEGES ON dbuser.* TO 'user'@'localhost' WITH GRANT OPTION;
mysql>CREATE USER 'user'@'%' IDENTIFIED BY 'password';
mysql>GRANT ALL PRIVILEGES ON dbuser.* TO 'user'@'%' WITH GRANT OPTION;
mysql>FLUSH PRIVILEGES;
mysql>SHOW GRANTS FOR 'user'@'localhost';
SHOW-GRANTS-FOR-user-localhost
Displaying list of users, use the SELECT USER statement
mysql>SELECT USER FROM mysql.user;

To remove an account, use the DROP USER statement

mysql>DROP USER 'user'@'localhost';

Displaying list of all databases, use the SHOW  DATABASES statement

mysql>show databases;

To remove an database, use the DROP DATABASE statement

mysql>DROP DATABASE dbuser;

Install and Secure phpMyAdmin Apache

Step One Install phpMyAdmin
The EPEL repository can be made available to your server by installing a special package called epel-release. This will reconfigure your repository list and give you access to the EPEL packages. To install, just type:

#yum install epel-release

Now that the EPEL repo is configured, you can install the phpMyAdmin package using the yum packaging system by typing:

#yum install phpmyadmin

phpMyadmin is up, try to access at

http://server_domain_or_IP/phpMyAdmin
Forbidden

You don’t have permission to access /phpMyAdmin on this server. We will need to modify this a bit to get it to work correctly for our installation. Open the file in your text editor now so that we can make a few changes:

#vi /etc/httpd/conf.d/phpMyAdmin.conf
     # Apache 2.4
       #Require ip 127.0.0.1
       #Require ip ::1
       Require all granted
     # Apache 2.2
       #Order Deny,Allow
       #Deny from All
       #Allow from 127.0.0.1
       #Allow from ::1

Restart the Apache web server to implement your modifications by typing:

#service httpd restart

With that, our phpMyAdmin installation is now operational at http://server_domain_or_IP/phpMyAdmin

Changing the Application’s Access Location

We simply need to rename the alias. Open the phpMyAdmin Apache configuration file now:

#vi /etc/httpd/conf.d/phpMyAdmin.conf

We want to disable these specific aliases since they are heavily targeted by bots and malicious users. In our case, we’ll go with /dbadmin.
To apply our intended changes, we should remove or comment out the existing lines and add our own:

# Alias /phpMyAdmin /usr/share/phpMyAdmin
# Alias /phpmyadmin /usr/share/phpMyAdmin
Alias /dbadmin /usr/share/phpMyAdmin

To implement the changes, restart the web service:

#service httpd restart

Now, if you go to the previous location of your phpMyAdmin installation, you will get a 404 error: http://server_domain_or_IP/dbadminphpmyadmin

 

Install Linux Apache MySQL PHP (LAMP) on CentOS 6

Step One Install Apache
To install apache, open terminal and type in this command:

#yum install httpd
install-apache-yum-install-httpd

Once install complete, you can start apache running on your VPS:

#service httpd start
service-httpd-start

Sometimes or often error occured “Starting httpd: httpd: Could not reliably determine the server’s fully qualified domain name, using x.x.x.x for ServerName” once start or restart httpd. To resolve this problem simply edit httpd.conf

#vi /etc/httpd/conf/httpd.conf

Find ServerName then change to

#ServerName www.example.com:80
ServerName localhost

Save then restart httpd

# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

To check if Apache is installed, direct your browser to your server’s IP address http://ipaddressapache-httpd-success-installed

Set the processes to run automatically when server boots

#chkconfig httpd on

Step Two Install MySQL
MySQL is a powerful database management system used for organizing and retrieving data on a virtual server. To install MySQL, open terminal and type in these commands:

#yum install mysql-server
#service mysqld start

During the installation, MySQL will ask you for your permission twice. After you say Yes to both, MySQL will install. Once it is done installing, you can set a root MySQL password:

#/usr/bin/mysql_secure_installation

The prompt will ask you for your current root password. Since you just installed MySQL, you most likely won’t have one, so leave it blank by pressing enter.

Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!
Remove anonymous users? [Y/n] y
 ... Success!
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Reload privilege tables now? [Y/n] y
 ... Success!
Cleaning up...
All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!

Set the processes to run automatically when server boots

#chkconfig mysqld on

Step Three Install PHP
To install PHP on your virtual private server, open terminal and type in this command:

#yum install php php-mysql

Once you answer yes to the PHP prompt, PHP will be installed. Restart Apache (php will run automatically once Apache starts):

#service httpd restart

Test PHP by create info.php at /var/www/html/

#vi /var/www/html/info.php
<?php
phpinfo();
?>

Then access browser http://ipaddress/info.phpphp-info

Install PHP-GD library
PHP GD is PHP Modules to support manipulating images like imagejpeg, imagedestroy, etc

#yum install php-gd
#service httpd restart

Check if PHP-GD has been successfully integrated with PHP Modules

#php -m
[PHP Modules]
bz2
.....
gd
.....
mysql
.....

check if “gd” available on the list

Setup Basic Iptables Firewall on Centos 6 Web Server

Iptables should be installed by default on all CentOS 5.x and 6.x installations. Check to see if iptables is installed on system by:

#rpm -q iptables

If not installed yet, iptables can install by:

#yum install iptables

Run the following commands to start Iptables and run on boot

#chkconfig iptables on

And to see if iptables is actually running:

#service iptables status

Check iptables currently loaded rules modules:

#iptables -L -n

Now Set Up a Basic Iptables Firewall on Centos 6 from Digital Ocean 

Decide which ports and services to open
First, we want to leave SSH port open so we can connect to the VPS remotely: that is port 22.

Also, we need port 80 and 443 (SSL port) for web traffic.

For sending email, we will open port 25 (regular SMTP) and 465 (secure SMTP).

To let users receive email, we will open the usual port 110 (POP3) and 995 (secure POP3 port).

Additionally, we’ll open IMAP ports, if we have it installed: 143 for IMAP, and 993 for IMAP over SSL. Note: It is recommended to only allow secure protocols, but that may not be an option, if we cannot influence the mail service users to change their email clients. Block the most common attacks.

First we flush the firewall rules – that is, erase them all:

#iptables -F

We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script-kiddies. We can’t really count on iptables alone to protect us from a full-scale DDOS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.

#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. Null packets are, simply said, recon packets. The attack patterns use these to try and see how we configured the VPS and find out weaknesses. The next pattern to reject is a syn-flood attack.

#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Syn-flood attack means that the attackers open a new connection, but do not state what they want (ie. SYN, ACK, whatever). They just want to take up our servers’ resources. We won’t accept such packages. Now we move on to one more common pattern: XMAS packets, also a recon packet.

#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Allow iptables to respond to ping requests from outside network to our VPS server

#iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

We have ruled out at least some of the usual patterns that find vulnerabilities in our VPS. Open up ports for selected services. Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

#iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) filter table any trafic that comes to localhost interface (-i lo) and to accept (-j ACCEPT) it. Localhost is often used for, ie. your website or email server communicating with a database locally installed. That way our VPS can use the database, but the database is closed to exploits from the internet. Now we can allow web server traffic:

#iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We added the two ports (http port 80 and https port 443) to the ACCEPT chain – allowing traffic in on those ports. Now, let’s allow users use FTP and SMTP servers:

#iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

Like stated before, if we can influence our users, we should rather use the secure version, but often we can’t dictate the terms and the clients will connect using port 25, which is much more easier to have passwords sniffed from. We now proceed to allow the users read email on their server:

#iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Those two rules will allow POP3 traffic. Again, we could increase security of our email server by just using the secure version of the service. Now we also need to allow IMAP mail protocol:

#iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

Limiting SSH access

We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command:

#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

We now told iptables to add a rule for accepting tcp traffic incomming to port 22 (the default SSH port).

Find out your outside IP address by type:

# w
11:42:59 up 60 days, 11:21, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 213.191.xxx.xxx 09:27 0.00s 0.05s 0.00s w

Now, you can create the firewall rule to only allow traffic to SSH port if it comes from your IP address:

#iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actuall IP, of course.

We could open more ports on our firewall as needed by changing the port numbers. That way our firewall will allow access only to services we want.
Add one more rule that will allow us to use outgoing connections (ie. ping from VPS or run software updates);

#iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the VPS on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

#iptables -P OUTPUT ACCEPT
#iptables -P INPUT DROP

Now we have our firewall rules in place. Save the configuration.
Now that we have all the configuration in, we can list the rules to see if anything is missing.

#iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTAB       LISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00       
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x0       2 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x0       2 state NEW
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F       
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The -n switch here is because we need only ip addresses, not domain names. Ie. if there is an IP in the rules like this: 69.55.48.33: the firewall would go look it up and see that it was a digitalocean.com IP. We don’t need that, just the address itself. Now we can finally save our firewall configuration:

#iptables-save | tee /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sat May 14 05:05:52 2016
*raw
:PREROUTING ACCEPT [5758:5496095]
:OUTPUT ACCEPT [3894:466098]
COMMIT
# Completed on Sat May 28 05:05:52 2016
# Generated by iptables-save v1.4.7 on Sat May 14 05:05:52 2016
*mangle
:PREROUTING ACCEPT [5758:5496095]
:INPUT ACCEPT [5758:5496095]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3894:466098]
:POSTROUTING ACCEPT [3894:466098]
COMMIT
# Completed on Sat May 28 05:05:52 2016
# Generated by iptables-save v1.4.7 on Sat May 14 05:05:52 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:2592]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j        DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j        DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,U       RG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat May 14 05:05:52 2016
# Generated by iptables-save v1.4.7 on Sat May 14 05:05:52 2016
*nat
:PREROUTING ACCEPT [194:11875]
:POSTROUTING ACCEPT [189:13643]
:OUTPUT ACCEPT [189:13643]
COMMIT
# Completed on Sat May 14 05:05:52 2016

The iptables configuration file on CentOS is located at /etc/sysconfig/iptables. The above command saved the rules we created into that file. Just to make sure everything works, we can restart the firewall:

#service iptables restart
iptables: Setting chains to policy ACCEPT: raw mangle filte[  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

The saved rules will persist even when the VPS is rebooted