Apache 2

If you haven’t got Apache installed already, install it using apt-get install apache2. Once it is installed, make sure that it works by pointing a browser to the FQDN of your server. If all is well it will bring up the Debian apache2 default page. If it does not work and you are behind a router, make sure that you have port 80 open and that DNS is resolving properly.

 

SSL

As this is a mail server that will operate over the internet we need to make it secure, so we will have to create a certificate. To create a simple self-signed certificate, paste the following line into your bash shell. (Even if you are using certbot, you are advised to start off with this configuration so that you have a fallback if Let's Encrypt stops providing free certificates.)

#openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 3650 -out /etc/ssl/certs/mailserver.pem -keyout /etc/ssl/private/mailserver.key

You will be asked for several pieces of information. Enter whatever you like. The only important field is the “Common Name”, which must contain the fully-qualified host name that you want your server to be known by on the internet. Fully-qualified means host + domain.

Make sure that the secret key is only accessible by the ‘root’ user:

#chmod go= /etc/ssl/private/mailserver.key

You can now find your certificate in /etc/ssl/certs/ and its private key in /etc/ssl/private/

Again, if you are behind a NAT or firewall you will have to open port 443 if it is not open already.

Now edit the file /etc/apache2/sites-available/default-ssl.conf. Change these two lines to make Apache use the key and certificate you created earlier:

SSLCertificateFile /etc/ssl/certs/mailserver.pem
SSLCertificateKeyFile /etc/ssl/private/mailserver.key

Enable the SSL encryption module:

#a2enmod ssl

Enable the virtual host for HTTPS:

#a2ensite default-ssl

Reload Apache:

#service apache2 reload

You should now be able to navigate to a secure page:

https://fqdn.suffix

If all is well then you will probably get a warning asking you if you want to add an exception because your certificate has not been signed by an authorised certificate authority. As it is your own certificate, it is perfectly safe to do this.
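The following is an added example, not part of the original guide: a shell function that checks the files created above before you rely on them. It verifies that the key has no group/other permissions, that the key and certificate belong together, that the certificate names your FQDN, and that it is not about to expire. The function names, the 30-day threshold and the sample name mail.example.org are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate/key pair Apache will use.
# Usage: check_tls_pair CERT KEY FQDN   (returns 0 only if every check passes)
check_tls_pair() {
    cert=$1; key=$2; fqdn=$3; rc=0

    # 1. The private key must carry no group/other permission bits (chmod go=).
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible beyond its owner ($perms)"; rc=1
    fi

    # 2. The certificate must belong to this key: compare the two public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert and $key do not belong together"; rc=1
    fi

    # 3. The name in the certificate must be the FQDN clients will connect to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q "does match certificate"; then
        echo "FAIL: certificate is not valid for host $fqdn"; rc=1
    fi

    # 4. Fail if the certificate expires within 30 days (assumed threshold).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days (or is unreadable)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert / $key look consistent for $fqdn"
    return "$rc"
}

# Constructed sample pair for trying the checks offline (2048-bit to keep it
# fast; mail.example.org is a placeholder). Writes DIR/cert.pem and DIR/key.pem.
make_sample_pair() {
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=mail.example.org" \
        -out "$1/cert.pem" -keyout "$1/key.pem" 2>/dev/null
}
```

On the server itself, run it as root with the paths from this guide: check_tls_pair /etc/ssl/certs/mailserver.pem /etc/ssl/private/mailserver.key fqdn.suffix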

You are going to be logging in to this server via the web browser, so you want to make sure that you do not inadvertently circumvent your own security by typing http rather than https. To do this you need to redirect traffic in your 000-default.conf file.

#vi /etc/apache2/sites-available/000-default.conf

There you will need to add the ServerName and Redirect lines inside the <VirtualHost *:80> stanza.

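<VirtualHost *:80>
    ServerName fqdn.suffix
    # Keep the trailing slash on the target: Redirect appends the rest of the
    # requested path to it.
    Redirect "/" "https://fqdn.suffix/"
</VirtualHost>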

Once you have done that, reload Apache again. Now when you type http://fqdn.suffix it should automatically redirect you to the secure version of the site (look for the lock symbol in your browser and the https prefix).

Obviously there are many other ways to configure Apache and you can use proper virtual hosts if you like. There are some conf files in this directory that will provide helpful guidance.

 

Other document roots

If you are using alternative document roots then you need to add them to /etc/apache2/apache2.conf and then restart Apache, e.g.:

<Directory /websites>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

This will grant Apache access to the /websites directory and its subdirectories. Failure to do this will result in an Access Forbidden message even if you have set the document root in a site configuration file.

 

php5-pgsql

You will need php5-pgsql in order to allow postfixadmin to communicate with the database. There is no special configuration, simply

#apt-get install php5 phppgadmin

and it should be fine.

Note that php7 is around the corner and I have no idea at this stage whether it plays nice with this configuration but it is probably one to look out for.