Archive for category Walkthroughs

Basic spam and antivirus email server setup.


This guide helps you configure an IMAP, POP and SMTP server with anti-spam and anti-virus filtering for your company using Ubuntu Linux.

$ sudo apt-get install spamassassin amavis postfix-policyd-spf-perl fuzzyocr clamav clamav-daemon clamav-freshclam libsasl2 libsasl2-modules courier-imap courier-pop

It doesn't matter what configuration you choose for postfix, and you don't need the web-based configuration for courier.

Configure spamassassin

I configure my spamassassin without a Bayes filter; it never works properly for me, and it seems to give me more false positives. I use URIBL, and FuzzyOcr for images. This usually works well enough for me. I also add custom rules from SARE and use sa-update to keep them updated.

Install the openprotect updates.

1. Run sa-update once to download the default SA rules from the channel updates.spamassassin.org. From then on SA finds all its rules files under the /var/lib/spamassassin directory.

2. Have gnupg installed if you wish to check the channel files against the openprotect signature.

3. Import the openprotect public key from the MIT keyserver:

gpg --keyserver pgp.mit.edu --recv-keys BDE9DC10

The output should look like:

gpg: requesting key BDE9DC10 from hkp server pgp.mit.edu
gpg: key BDE9DC10: public key "Opencomputing Technologies (Key to sign all files from openprotect.com) " imported
gpg: Total number processed: 1
gpg: imported: 1

4. Export that key alone from root's public keyring:

gpg --armor -o pub.gpg --export BDE9DC10

The public key has now been saved to the file pub.gpg.

5. Import the public key into sa-update's trusted public keys:

sa-update --import pub.gpg

Another way to import the key is to download the gpg file and import it manually with sa-update:

wget http://saupdates.openprotect.com/pub.gpg
sa-update --import pub.gpg

which should return without any error or output messages. This isn't the preferred way, as the gpg file could be corrupted or tampered with if the openprotect server is hacked; the keyserver copy gives you a second, independent source for the key.

6. Now schedule daily downloads of rules from this channel using cron.

I like to run /usr/local/bin/saupdate.sh from cron every night during my down time. Click the link to see my spamassassin update script.

$ crontab -e

0 1 * * * /usr/local/bin/saupdate.sh >/dev/null 2>&1

This script updates both the default spamassassin rules and the saupdates_openprotect_com channel rules.
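As an added example (not the author's saupdate.sh, which was only linked from the original post, and not openprotect's own code), here is a cron-friendly updater that pulls both channels, verifies the openprotect channel against key BDE9DC10, and only restarts amavis when new rules also pass spamassassin --lint. The channel name saupdates.openprotect.com is taken from the wget URL above; the amavis init script path and the --run guard are my assumptions.

```shell
#!/bin/sh
# Added example of a cron-driven rule updater. This is not the author's
# saupdate.sh (only linked from the original post); it assumes the openprotect
# key BDE9DC10 was imported with "sa-update --import pub.gpg" as shown above,
# and that amavisd-new is the daemon that must be restarted to load new rules.

SA_KEY="BDE9DC10"                          # openprotect signing key id
EXTRA_CHANNEL="saupdates.openprotect.com"  # channel from the post's wget URL

# sa-update exits 0 when new rules were downloaded and installed, 1 when
# nothing new was available, and a larger value when something went wrong.
classify_sa_update_rc() {
    case "$1" in
        0) echo updated ;;
        1) echo no-update ;;
        *) echo error ;;
    esac
}

# Build the sa-update command line for one or more channels. An empty key
# means "use sa-update's built-in project key". Printed rather than run so
# the exact command can be checked or logged before anything touches the rules.
sa_update_cmd() {  # key channel...
    key="$1"; shift
    cmd="sa-update"
    if [ -n "$key" ]; then
        cmd="$cmd --gpgkey $key"
    fi
    for ch in "$@"; do
        cmd="$cmd --channel $ch"
    done
    printf '%s\n' "$cmd"
}

# Run one sa-update invocation and report the classified result.
update_channels() {  # key channel...
    rc=0
    $(sa_update_cmd "$@") >/dev/null 2>&1 || rc=$?
    classify_sa_update_rc "$rc"
}

# Update the default channel with the project key, then openprotect with its
# own key. Restart the scanner only when new rules exist AND they lint
# cleanly; a rule set that fails lint would otherwise take the filter down.
main() {
    need_restart=0
    for spec in ":updates.spamassassin.org" "$SA_KEY:$EXTRA_CHANNEL"; do
        key=${spec%%:*}
        ch=${spec#*:}
        case "$(update_channels "$key" "$ch")" in
            updated)   need_restart=1 ;;
            no-update) ;;
            error)     echo "sa-update failed for $ch" >&2; return 1 ;;
        esac
    done
    if [ "$need_restart" = 1 ]; then
        if spamassassin --lint; then
            /etc/init.d/amavis restart
        else
            echo "new rules fail lint; amavis NOT restarted" >&2
            return 2
        fi
    fi
}

# Run only when invoked with --run (e.g. from cron), so the functions can be
# sourced or tested without touching the system.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Cron it as `0 1 * * * /usr/local/bin/saupdate.sh --run` in place of the line above; cron mail then only arrives when sa-update or the lint fails.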

Change your local.cf file in /etc/spamassassin.
Here is my local.cf file

I add a uribl.cf to my /etc/spamassassin directory.
Here is my uribl.cf file

I also change my /etc/spamassassin/FuzzyOcr.cf file.
Here is my FuzzyOcr.cf file

Now that spamassassin is set up, let's configure amavisd-new.

Configuring Amavisd-new

The configuration directory for amavisd-new is /etc/amavis/conf.d. We will be editing the 50-user file, 20-debian_defaults, and 15-av_scanners.

I use 5 as a starting point for my memory and CPU. You can take this up or down as needed, but 5 is a good start. Add the following line to 50-user (above the closing 1; at the end of the file):

$max_servers = 5;

$ vi 15-av_scanners

I comment out everything in the file except the two clamav scanners: the clamd daemon entry in @av_scanners and the clamscan command-line entry in @av_scanners_backup. Just add # in front of everything else. If you're lazy like me, just copy this. Here is my 15-av_scanners amavis example configuration.

@av_scanners = (

### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: remember to add the clamav user to the amavis group, and
# to properly set clamd to init supplementary groups
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

);

@av_scanners_backup = (

### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
"--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

);

1;  # the file must end with a true value

I make sure I have the following settings in the /etc/amavis/conf.d/20-debian_defaults. Use your favorite editor and make sure to change these options.

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add ‘spam detected’ headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_DISCARD; # D_REJECT when front-end MTA
$final_spam_destiny = D_DISCARD;

You also need to add clamav to the amavis group as follows (with -a, so clamav's existing groups are kept), and restart clamav-daemon afterwards so it picks up the new group.

$ sudo usermod -a -G amavis clamav

There is also an option in this file that sets the listen port to 10024. Just remember that.

That should be all you have to do with amavisd-new. Now on to postfix.

Configuring postfix

I want to just let you know that I have never configured postfix-policyd-spf-perl but I am highly accomplished at postfix so it can’t be that difficult.

Configure /etc/postfix/main.cf. Click the link for my example postfix configuration for the main.cf file.

This file has a billion options, and going through every one of them is out of scope for this article. I just want you to look at the following sections.

smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dnsbl.ahbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client spam.spamrats.com,
    check_policy_service unix:private/policy-spf,
    reject_unauth_destination
local_destination_concurrency_limit = 5
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
home_mailbox = Maildir/

These sections set the recipient restrictions and the concurrency limit for the amavis process, and point to the alias and virtual alias maps. That is how I like to run my servers. I have also enabled Maildir delivery and the SASL auth options.
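The restriction list above rejects clients at connect time on the say-so of six external DNS blocklists, so a list that goes dead, or worse, starts answering for every query, silently blocks inbound mail. The following added example (not from the post) extracts the reject_rbl_client zones from a main.cf and runs the liveness test from RFC 5782 against each: 127.0.0.2 must be listed and 127.0.0.1 must not. It assumes dig (dnsutils) is installed; the main.cf path is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the post): check that every DNSBL named in a Postfix
# main.cf is alive and sane. Assumes "dig" (dnsutils) is installed.

# Print the zones used by reject_rbl_client entries, one per line, no dupes.
# A "zone=return.code" suffix is dropped so only the zone name is kept.
rbl_zones() {  # reads main.cf text on stdin
    grep -o 'reject_rbl_client[[:space:]]*[^,[:space:]]*' |
        awk '{print $2}' | sed 's/=.*//' | sort -u
}

# 192.0.2.10 -> 10.2.0.192, the label order used for DNSBL queries.
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{print $4 "." $3 "." $2 "." $1}'
}

# A records for <reversed ip>.<zone>; empty output means "not listed".
dnsbl_lookup() {  # ip zone
    dig +short +time=3 +tries=1 -t A "$(reverse_ip "$1").$2" 2>/dev/null
}

# RFC 5782 liveness test. A working list answers for 127.0.0.2 and stays
# silent for 127.0.0.1. A list that answers for 127.0.0.1 (what some
# blocklists do after shutting down) makes Postfix reject every client that
# reaches reject_rbl_client, so it must be removed from the restriction list.
rbl_status() {  # zone -> ok | dead | poisoned
    if [ -n "$(dnsbl_lookup 127.0.0.1 "$1")" ]; then
        echo poisoned
    elif [ -n "$(dnsbl_lookup 127.0.0.2 "$1")" ]; then
        echo ok
    else
        echo dead
    fi
}

# Report on every list referenced by the given main.cf.
check_rbls() {  # /etc/postfix/main.cf
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    for zone in $(rbl_zones < "$1"); do
        printf '%-32s %s\n' "$zone" "$(rbl_status "$zone")"
    done
}
```

Run `check_rbls /etc/postfix/main.cf` from cron alongside the rule updates; anything reported as dead or poisoned should be taken out of smtpd_recipient_restrictions before it costs you mail.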

You will now need to configure your /etc/postfix/master.cf. Please look at my example postfix configuration for the master.cf. There are a few options you want to make sure you set in the file for email to go from amavis, and back to postfix.

This allows emails to be processed by amavis; when an email comes back through on port 10025 it is not run through the postfix checks again.

smtp      inet  n       -       -       -       -       smtpd
    -o content_filter=smtp:localhost:10024

127.0.0.1:10025 inet n  -       -       -       50      smtpd
    -o content_filter=
    # -o local_recipient_maps=
    # -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

You will need this in the bottom of the master.cf file for the spf rule checks.

policy-spf  unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Once you have completed this you can add an email address and a user, or five.

Adding a user for email and setting the password. Notice I set the shell to /bin/false so the user cannot log in to the Unix side of the machine.

$ sudo useradd -c "webmaster for wantlinux.net" -g users -s /bin/false -d /home/mail/webmaster webmaster
$ sudo passwd webmaster
Enter new UNIX password:
Retype new UNIX password:

Adding an email address.

$ vi /etc/postfix/virtual
webmaster@wantlinux.net webmaster
whateveryourwant@wantlinux.net(TAB)USERNAME
createagroup@wantlinux.net(TAB)USERNAME, USERNAME

Save the file.

Run postmap on the virtual file to build the hash database.

$ cd /etc/postfix
$ sudo postmap virtual

This should have created a file virtual.db.
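Added example (not from the post): a check to run on /etc/postfix/virtual before postmap, because an alias whose target is a non-existent local user is accepted by postmap without complaint and only fails (bounces) at delivery time. Local targets are looked up in the passwd database with getent; targets containing @ are treated as remote and left alone. The postmap_if_valid wrapper is a hypothetical helper that only rebuilds virtual.db when the file is clean.

```shell
#!/bin/sh
# Added example (not from the post): validate a Postfix virtual alias map
# before building virtual.db. Assumes the file format used above:
#   address<whitespace>target[, target...]
# Local targets (no "@") are checked against the passwd database with getent.

# Print problems to stderr and the problem count to stdout.
check_virtual_map() {  # path
    path="$1"
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        addr=$(printf '%s\n' "$line" | awk '{print $1}')
        # everything after the first field, commas turned into spaces
        rest=$(printf '%s\n' "$line" | awk '{$1=""; print}' | tr ',' ' ')
        case "$addr" in
            *@*.*) ;;
            *) echo "line $lineno: '$addr' is not a full address" >&2
               problems=$((problems + 1)) ;;
        esac
        set -- $rest                         # one positional parameter per target
        if [ $# -eq 0 ]; then
            echo "line $lineno: '$addr' has no delivery target" >&2
            problems=$((problems + 1))
        fi
        for target in "$@"; do
            case "$target" in
                *@*) ;;                      # remote address: nothing to verify here
                *) getent passwd "$target" >/dev/null 2>&1 ||
                   { echo "line $lineno: local user '$target' does not exist" >&2
                     problems=$((problems + 1)); } ;;
            esac
        done
    done < "$path"
    echo "$problems"
}

# Hypothetical wrapper: only rebuild virtual.db when the map is clean.
postmap_if_valid() {  # path
    if [ "$(check_virtual_map "$1")" -eq 0 ]; then
        postmap "$1"
    else
        echo "not running postmap: fix the problems above first" >&2
        return 1
    fi
}
```

Use `postmap_if_valid /etc/postfix/virtual` in place of the bare postmap once the file has been edited.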

Configuring sasl

It is pretty easy, so let me make this complicated. Just put the following in the SASL config file that postfix's smtpd reads (on Debian/Ubuntu that is /etc/postfix/sasl/smtpd.conf). PLAIN and LOGIN send the password in the clear, so only offer them over TLS or on a trusted network.

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/courier/authdaemon/socket

You will also want to change the permissions on /var/run/courier/authdaemon to 755 like so.
$ sudo chmod 755 /var/run/courier/authdaemon

I also change /etc/init.d/courier-authdaemon so the permission is reapplied when the daemon restarts.

$ vi /etc/init.d/courier-authdaemon

Add run_dir="/var/run/courier/authdaemon" below daemonscript="${sbindir}/authdaemond",
and chmod 755 ${run_dir} below chown daemon:daemon ${run_dir} /var/run/courier.

Save the file, and you should be good to go for the courier configuration.

Configuring Courier

The default configuration files should be good for a basic setup.

Now that we have spamassassin, amavis, postfix, courier, and sasl all setup we just need to restart the services.

$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/amavis restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-pop restart

Your email server should be working. If you want to test it, look at my sending-email-with-telnet tutorial, linked from the original post.


OpenVZ Ubuntu Install

I have been using OpenVZ for years, and it does everything I have ever needed it to do. I have run mail servers, web servers, and everything else you would want to do. I have even installed OpenVPN on a client successfully. Here is the host install for Ubuntu 8.04 Hardy. I use the installer from https://help.ubuntu.com/community/OpenVZ. They also have a Feisty install for the server on the Ubuntu help page. If you have issues with my install of OpenVZ on Ubuntu server.

Install the kernel and tools

$ sudo apt-get install linux-openvz vzctl

Important! Please use the linux-image-2.6.24-17-openvz kernel or later, as linux-image-2.6.24-16-openvz is broken and the kernel does not boot; see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/210672.

Reboot into the openvz kernel

Remove the -server kernel or the -generic if you are on a desktop machine

$ sudo apt-get remove --purge --auto-remove `dpkg -l linux-image-*server | awk '$1 ~ /ii/ {print $2}'`

Change the sysctl variables in /etc/sysctl.conf

This step might not be necessary once the vzctl package has been updated.

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

Apply the sysctl changes

$ sudo sysctl -p

Create a symlink to /vz because most of the vz tools expect the OpenVZ folders to reside there. This step is not necessary, but it can eliminate further problems when other vz-related components are installed.

$ sudo ln -s /var/lib/vz /vz

Now that you have a working OpenVZ kernel installed and the sysctl options set up, we want to download a template from http://openvz.org/download/template/cache/. I use the ubuntu-8.04-i386-minimal.tar.gz template for my containers. Here are the commands to download the template.

$ cd /var/lib/vz/template/cache
$ wget http://download.openvz.org/template/precreated/ubuntu-8.04-i386-minimal.tar.gz

We have a host system, and template for a container.  We now just have to setup a container.

Creating a container

$ sudo vzctl create 101 --ostemplate ubuntu-8.04-i386-minimal

Adding an ip address

$ sudo vzctl set 101 --ipadd SET_IP_ADDRESS_HERE --save

Setting hostname

$ sudo vzctl set 101 --hostname SET_HOSTNAME_HERE --save

Setting nameserver

$  sudo vzctl set 101 --nameserver SET_NAMESERVER_IP_HERE --save

Setting virtual name

$ sudo vzctl set 101 --name SET_VENAME_HERE --save

Now that we have all this set we will start the container.

$ sudo vzctl start 101 (you can also use the VENAME)

There seems to be a strange bug in the kernel that causes the networking and hostname not to be copied into the container, so here is a simple fix I have come up with. These aren't really fixes, but workarounds for those of us who love Ubuntu and know they will fix the problem next release. Hopefully.

Problem:

cp: skipping file `/etc/network/interfaces', as it was replaced while being copied
/bin/cp: skipping file `/etc/hosts', as it was replaced while being copied

Fixing the networking problem.

Backup the /etc/vz/dists/scripts/debian-add_ip.sh file however you feel like.

$ vim /etc/vz/dists/scripts/debian-add_ip.sh

And replace the cp line:
# cp -f ${CFGFILE} ${CFGFILE}.bak

with this:
[ -e ${CFGFILE}.bak ] && rm ${CFGFILE}.bak
cat ${CFGFILE} >${CFGFILE}.bak

Fixing the hostname problem.

$ sudo vzctl enter 101
$ vi /etc/hostname
Add what you want the hostname to be set to. Save the file and exit the container with
$ exit

Restart the container.
$ sudo vzctl stop 101
$ sudo vzctl start 101

Once you restart the container you will be all fixed, though the error will still show up for /etc/hosts, but who needs that anyway. I believe just editing the file in the container will be sufficient for the changes you need.

Now that you have a running hardware node and a running container, you need to make some minor configuration changes to the container.

Enter the container; this chroots you into it. Make sure you are inside the container, not still on the hardware node, before running the following commands.

$ sudo vzctl enter 101

You will need language support. I use English, so here is the command.

$ apt-get install language-pack-en-base

Set the timezone

$ dpkg-reconfigure tzdata

Exit the container

$ exit

If you want to stop the vps do the following.

$ sudo vzctl stop 101 (you can also use the VENAME)

There is a bug in the 2.6.24-17 kernel that affects cp and mv inside the container and prevents the network settings from being copied.

To take a backup or snapshot, just run vzctl chkpnt on the hardware node.

$ sudo vzctl chkpnt 101 --dumpfile DUMPFILE_NAME

Restore from a chkpnt or revert to a snapshot.

$ sudo vzctl restore 101 --dumpfile DUMPFILE_NAME

If you want to destroy a container and start over just use the following command.

$ sudo vzctl destroy 101

Here are some other usable commands to run on the hardware node

List running containers

$ sudo vzlist

List all Containers

$ sudo vzlist -a

I also tend to know how many containers I will install on a hardware node, and I use vzsplit to build my configs. I tend to change the size of the DISKSPACE I use for each one, but other than that it is a nice command. It asks for the number of VEs; just enter the number of containers you want. It will output a config for you to use as /etc/vz/conf/101.conf.

$ vzsplit
Enter the number of VEs:

If you have any questions about my walkthrough, please add a comment.


MySQL Backups

This is my MySQL backup page. I just thought I would help everyone who was having issues with backing up MySQL. I have my MySQL backup set up to run nightly from a cron job. I use two scripts, sdate.sh and dump.sh, that store the MySQL backup in /home/backup/mysql. The scripts are stored in /usr/local/bin on my system because I use sdate.sh for a lot of scripts.

File sdate.sh, or the txt version sdate.txt. This file works out the dates so that only the last 7 days of backups are kept. You run it like # ./sdate.sh 25, which shows you the date 25 days ago. sdate.sh returns the date in yearmonthday format, so 20080528, for the MySQL backup script to use. Have you ever wondered how to remove the 0 from 05 in a script? Just add 0 to it.

The next script I use is dump.sh (or view it as dump.txt). dump.sh does most of the work with my MySQL backups. It puts the current date into variables, backs up all the MySQL databases, and gzips them into the /home/backup/mysql directory. It also gets the date from 7 days ago and removes the backup file from that day.

You will need to change the following line in dump.sh for your master MySQL password. I know I could have written my MySQL backup script so you just change a variable at the top of the file, but I have never learned anything from a script like that. People don't usually go through it and customize it for themselves, and that is the best part of using Linux. Please feel free to customize my MySQL backup script for your own use.
/usr/bin/mysqldump -A -c -uadmin -ppassword | gzip --best > /home/backup/mysql/all_dbs.$year$month$day.gz

Here is the crontab that I setup.
0 0 * * * /home/backup/bin/dump.sh |/usr/bin/mailx -s "Dump.sh" email@emailaddress.com
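Added example of the two-script idea above (not the author's sdate.sh or dump.sh, which were only linked from the post): sdate computes YYYYMMDD for N days ago with GNU date, prune_old removes the dump that is KEEP_DAYS old, and dump_all takes the credentials from a --defaults-extra-file instead of -ppassword on the command line, where ps would show the password to every local user. BACKUP_DIR, KEEP_DAYS, the credentials file path and the --run guard are my assumptions.

```shell
#!/bin/sh
# Added example of the sdate/dump idea (not the author's scripts, which were
# only linked from the original post). Assumes GNU date, a backup directory,
# and MySQL credentials in a root-only file rather than on the command line.

BACKUP_DIR="${BACKUP_DIR:-/home/backup/mysql}"
KEEP_DAYS="${KEEP_DAYS:-7}"
MYSQL_CRED_FILE="${MYSQL_CRED_FILE:-/root/.my.cnf}"  # [client] user=.. password=.., mode 600

# sdate.sh's job: the date N days ago as YYYYMMDD, e.g. "sdate 25".
sdate() {
    date -d "$1 days ago" +%Y%m%d
}

# Drop the leading zero that %m and %d produce ("05" -> 5) so the value can
# be used in arithmetic; the trick the post alludes to.
unpad() {
    printf '%s\n' "${1#0}"
}

# Path of the dump for a given day offset.
backup_path() {  # days-ago
    printf '%s/all_dbs.%s.gz\n' "$BACKUP_DIR" "$(sdate "$1")"
}

# dump.sh's rotation rule: remove the dump that is exactly KEEP_DAYS old.
# Prints the number of files removed so the cron mail shows what happened.
prune_old() {
    old=$(backup_path "$KEEP_DAYS")
    if [ -f "$old" ]; then
        rm -f "$old"
        echo 1
    else
        echo 0
    fi
}

# Dump every database, compressed. --defaults-extra-file keeps the password
# out of "ps" output, unlike -ppassword on the command line.
dump_all() {
    mkdir -p "$BACKUP_DIR"
    out=$(backup_path 0)
    /usr/bin/mysqldump --defaults-extra-file="$MYSQL_CRED_FILE" -A -c |
        gzip --best > "$out" && printf 'wrote %s\n' "$out"
}

# Only run the real backup when asked (e.g. from cron with --run).
if [ "${1:-}" = "--run" ]; then
    dump_all && prune_old
fi
```

The cron line then becomes `0 0 * * * /usr/local/bin/dump.sh --run | /usr/bin/mailx -s "Dump.sh" you@example.com`, and the mail reports the file written and whether an old dump was pruned.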


Ubuntu LDAP client and server setup.

LDAP (Lightweight Directory Access Protocol) allows for central user, group, domain, authentication, and information storage.

The use of LDAP on your network allows your users to authenticate from any server that is set up to access it. My tutorial is split in two parts: part one is the LDAP server installation, and part two is the LDAP client setup. I set up the LDAP server with the IP address 192.168.1.5. The client machines will be able to resolve the name ldap to 192.168.1.5. I will be using Ubuntu for both client and server.

1. Server setup
1.1 Software installation
Package installation
# apt-get install slapd ldap-utils migrationtools

Answer the questions, then reconfigure slapd so dpkg asks us some more.
# dpkg-reconfigure slapd

Here are the options we want to choose.

Omit OpenLDAP server configuration? … No
DNS domain name: … domain.com
Name of your organization: … Company Name
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? … No
Move old database? … Yes
Allow LDAPv2 Protocol? … No

You now have your domain set up and your administrator user "admin".

Check your access to the LDAP server with the following command.
# ldapsearch -x -b dc=domain,dc=com

If you get an error message like:
ldap_bind: Can't contact LDAP server (-1)

most likely you haven't started slapd, so run the following command to start it.
# /etc/init.d/slapd start

It is now time to convert your users and populate your database.
1.2 Database population
The migrationtools allow you to quickly import all existing users and groups from your local system to LDAP.
#cd /usr/share/migrationtools/

Use your favorite editor to change the migrate_common.ph to replace the following parameters:
$DEFAULT_MAIL_DOMAIN = "domain.com";
$DEFAULT_BASE = "dc=domain,dc=com";

Import the group and passwd files into the ldap database.
# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

Unfortunately, the script does not create the Group and People nodes, so we need to create them. To do this, create a file called ~/people_group.ldif and fill it with:

dn: ou=People,dc=domain,dc=com
ou: People
objectclass: organizationalUnit

dn: ou=Group,dc=domain,dc=com
ou: Group
objectclass: organizationalUnit

Our users and groups are converted to LDAP's ldif format. Let's now import them into our LDAP database (the base must match the dc=domain,dc=com you gave dpkg-reconfigure above).
# cd
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/passwd.ldif

Explanation
* -x specifies that we are not using SASL
* -W prompts for the password
* -D identifies the administrator
* -f specifies the file where ldapadd should find the data to add

The server should be ready to identify your users. Time to set up the clients.

2. Client setup
Each client will need a set of packages. So, now that you are logged on to one of your clients, install:

#apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=domain,dc=com
Password: XXXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=domain,dc=com
Root login password: XXXXX

libnss-ldap will allow us to use LDAP as a naming service, libpam-ldap allows PAM to authenticate users through LDAP, and finally nscd is a password, group and host lookup daemon which caches results so LDAP isn't queried every time authentication has to be done.

Now, let's edit the files and make sure you have the following settings:

#vi /etc/libnss-ldap.conf
host ldap
base dc=domain,dc=com
rootbinddn cn=admin,dc=domain,dc=com

#vi /etc/libnss-ldap.secret
XXXXXX

#vi /etc/pam_ldap.conf
host ldap
base dc=domain,dc=com
rootbinddn cn=admin,dc=domain,dc=com

#vi /etc/pam_ldap.secret
XXXXXX

The PAM configuration files need to be modified a bit, like so:

#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let’s edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

With these settings, login is tried against the local system users first. If no match is found, it then tries to authenticate against the LDAP server. Now you should be able to log in on any client with any LDAP user's details.
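Two checks worth running on a client after the steps above, as an added example that is not part of the original post: the rootbinddn line makes nss_ldap and pam_ldap read the admin bind password from /etc/libnss-ldap.secret and /etc/pam_ldap.secret, so those files must be readable by root only (mode 600), and getent passwd proves that the files ldap chain in nsswitch.conf actually resolves a directory user rather than just that slapd answers ldapsearch. The user names to verify are passed as arguments; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for an LDAP client set up
# as above. Assumes GNU stat (Ubuntu); user names to verify are arguments.

# "ok" when the file exists and is readable by its owner only, otherwise the
# reason. rootbinddn makes nss_ldap/pam_ldap read the admin bind password
# from these files, so a world-readable copy hands every local user write
# access to the whole directory.
secret_perms() {  # path
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    mode=$(stat -c %a "$1")
    case "$mode" in
        600|400) echo ok ;;
        *) echo "mode $mode (should be 600)" ;;
    esac
}

# Does the name service switch (files, then ldap) resolve this user?
# getent goes through /etc/nsswitch.conf, so "yes" proves the whole chain,
# not just that slapd answers ldapsearch.
nss_knows_user() {  # user -> yes | no
    if getent passwd "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Run both checks; diagnostics go to stderr, the problem count to stdout.
check_ldap_client() {  # user...
    problems=0
    for f in /etc/libnss-ldap.secret /etc/pam_ldap.secret; do
        r=$(secret_perms "$f")
        if [ "$r" != ok ]; then
            echo "$f: $r" >&2
            problems=$((problems + 1))
        fi
    done
    for u in "$@"; do
        if [ "$(nss_knows_user "$u")" != yes ]; then
            echo "$u: not resolvable through NSS" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}
```

`check_ldap_client alice bob` prints 0 on a correctly configured client; a non-zero count with the reasons on stderr tells you which of the two layers (file permissions or NSS resolution) to look at.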


MySQL based DNS for web based control

First I would like to explain what I was trying to do before I continue with my walkthrough. I wanted two master DNS servers with a MySQL backend. The software had to run zone transfers to the front-end ISC BIND 9.x servers. The image below shows a basic overview of how I wanted to set up my servers. I used Ubuntu server for the host operating system, but these instructions should work on other Linux distributions too.

Secure mysql master servers feed the public facing/insecure DNS servers via zone transfers.

I have 4 public DNS servers. They are what the world queries to look up the DNS records I host. They have BIND 9.x installed and are all slaves to both masters. I could have set up a master-to-slave relationship with one of the public servers and had the other 3 public servers use that public server as their master, but I wanted to keep it simple, and having a slave also act as a master was not a good idea.

The master servers run MyDNS and MySQL 5.x. I have replication set up between the two master DNS servers: master 1 is the MySQL master and master 2 is the MySQL slave. If I want to change a DNS record I change it on master 1.

I have a website built that I cannot give to you in this guide. I have found a front end for managing the DNS server on Google Code, MyDNS-pfe. It looks pretty good, but if you are even remotely good at PHP and HTML this will be easy to make.

My personal preference to Linux

Install the latest version of Ubuntu server with no packages but ssh. I prefer separate / and /var drives, preferably a RAID 1 drive for /var or at least /var/mysql.

After you have set up your server to your company's security standards, or your personal taste, upgrade it with $> apt-get update and $> apt-get dist-upgrade.

Configuring the master DNS servers
$> apt-get install mysql-server-5.0 mydns-mysql

After it is installed you need to configure MySQL first.
Set the root password.
$> mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('changepassword');
mysql> quit

I change the /etc/mysql/my.cnf file to listen on all ip addresses so I change the following line in the file.
bind-address = 127.0.0.1
to
bind-address = 0.0.0.0
This allows everyone to connect to the server, so I lock it down with iptables (firewall) and a hardware firewall. You may also want to set up the MySQL config so it can be the master replication server. Add the following lines to your /etc/mysql/my.cnf.
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
# WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
expire_logs_days = 10
max_binlog_size = 100M
You will also need to follow the MySQL replication instructions linked from the original post.

You will want to restart mysql before setting up the mydns server with the following command.
$> /etc/init.d/mysql restart

MyDNS Setup
You can look up the references to this software on their site. Create the database and a read-only user for the daemon, then create the tables as root; SELECT is all the daemon needs, so schema changes and imports are done as root.
$> mysql -uroot -pchangepassword
mysql> CREATE DATABASE mydns;
mysql> GRANT SELECT ON mydns.* TO mydns@localhost IDENTIFIED BY 'changepassword';
mysql> FLUSH PRIVILEGES;
mysql> quit
$> mydns --create-tables | mysql -h localhost -u root -p mydns

Creating the MyDNS config
$> mydns --dump-config > /etc/mydns.conf
The defaults should be sufficient. Here is an example of my configuration.

db-host = localhost # SQL server hostname
db-user = mydns # SQL server username
db-password = changepassword # SQL server password
database = mydns # MyDNS database name
user = nobody # Run with the permissions of this user
group = nogroup # Run with the permissions of this group
listen = * # Listen on these addresses ('*' for all)
no-listen = # Do not listen on these addresses
zone-cache-size = 4192 # Maximum number of elements stored in the zone cache
zone-cache-expire = 60 # Number of seconds after which cached zones expires
reply-cache-size = 4192 # Maximum number of elements stored in the reply cache
reply-cache-expire = 30 # Number of seconds after which cached replies expire
log = LOG_DAEMON # Facility to use for program output (LOG_*/stdout/stderr)
pidfile = /var/run/mydns.pid # Path to PID file
timeout = 120 # Number of seconds after which queries time out
multicpu = 2 # Number of CPUs installed on your system
recursive = # Location of recursive resolver
allow-axfr = yes # Should AXFR be enabled?
allow-tcp = yes # Should TCP be enabled?
allow-update = yes # Should DNS UPDATE be enabled?
ignore-minimum = yes # Ignore minimum TTL for zone?
soa-table = soa # Name of table containing SOA records
rr-table = rr # Name of table containing RR data
soa-where = # Extra WHERE clause for SOA queries
rr-where = # Extra WHERE clause for RR queries

This is just a basic configuration, but you can change it however your setup requires.

Allowing for zone transfers is pretty simple.

$> mysql -uroot -pchangepassword
mysql> ALTER TABLE mydns.soa ADD COLUMN xfer CHAR(255) NOT NULL;
mysql> quit
When you add your zones all you have to do is put the allowed slave addresses in the xfer column, like the following.
192.168.10.50/32,172.31.31.50/32,192.168.0.50/32,10.0.0.50/32
Commas separate the different servers. You could also allow entire CIDR blocks, but I choose not to.

If you want to set active and inactive zones you will need to do the following. I like this because it lets me turn off a client for not paying, or keep the data for a while after I remove a client.
$> mysql -uroot -pchangepassword
mysql> ALTER TABLE mydns.soa ADD COLUMN active ENUM('Y','N') NOT NULL;
mysql> ALTER TABLE mydns.soa ADD INDEX (active);
mysql> quit

You should be all set up and ready to go. If you have an existing BIND DNS server you can import your data with the mydnsimport utility.
All utilities support the --host, --database, --user, and --password options. The import writes to the database, so it needs the root account (or another account with write privileges) rather than the daemon's SELECT-only user.
$> mydnsimport -hlocalhost -Dmydns -uroot -pchangepassword wantlinux.net

I wrote a script to easily import multiple zones from a BIND 9.x named.conf file with AXFR turned on. The Perl script is linked from the original post.

If you want any more configuration examples please refer to the MyDNS website.

Configuring the slave DNS servers
Configuring the slave DNS servers is an easy process with BIND. BIND is my favorite DNS server. I can give you many reasons why I like it, but everyone should find what they like. BIND accepts AXFR zone transfers, which is what you need when your master MyDNS server hands out zones over AXFR.

Install, and configure Bind

Install BIND with the following command on Ubuntu (the package is bind9).
$> apt-get install bind9

After I install the server I set it up to only allow recursion from the IP ranges that are allowed to use it. Here is my basic config in /etc/bind/named.conf

include "/etc/bind/named.conf.options";
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";

Here is my example named.conf.options file also.
options {
    directory "/var/cache/bind";
    // Your IP address here
    listen-on port 53 { 192.168.1.50; 127.0.0.1; };
    auth-nxdomain no; # conform to RFC1035
    allow-recursion { 192.168.1.0/24; 127.0.0.1; 192.168.2.0/24; };
    allow-transfer { 66.37.134.155; };
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "YOURKEY";
};

I have made a script that converts the mydns database to a named.conf.local file for use on a slave server. Make sure you change the IP addresses of the master servers in the script, and that you have the Perl modules for MySQL (apt-get install libdbd-mysql-perl). It writes a file /etc/bind/named.conf.local that you can scp to your slave servers when you add or delete a zone; the script is linked from the original post. You will not have to move the file when you change records in a zone, just when you add or delete zones. I use ssh keys, scp the file over to the server, and run the rndc reload and reconfig commands.

I hope this article was helpful, and I look forward to your comments.

zimdar
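Added example of the conversion described above (not the author's Perl script, which was only linked from the post): it reads the active origins from the MyDNS soa table and writes one BIND slave zone stanza per zone, then has named-checkconf parse the result before it is shipped to the slaves. It assumes the origin and active columns described above, origins stored MyDNS-style with a trailing dot, master IPs in MASTERS (change them), and a root-only credentials file for mysql. Because the web front end writes the soa table, origins are validated before they are placed inside named.conf.

```shell
#!/bin/sh
# Added example (not the author's script, which was only linked from the
# post): build a slave-side named.conf.local from the MyDNS soa table.
# Assumes the soa table has the "origin" and "active" columns described
# above, origins stored MyDNS-style with a trailing dot ("wantlinux.net."),
# and the master IPs below (change them to your MyDNS masters).

MASTERS="${MASTERS:-192.168.1.5; 192.168.1.6}"
MYSQL_CRED_FILE="${MYSQL_CRED_FILE:-/root/.my.cnf}"  # [client] user/password, mode 600

# Read origins on stdin, emit one slave zone stanza each. The trailing dot is
# removed (BIND zone names do not carry it) and any origin with characters
# outside a host name is skipped: the web front end writes this table, and a
# stray quote or brace in a row must not end up inside named.conf.
slave_zone_stanzas() {
    while IFS= read -r origin; do
        name="${origin%.}"
        case "$name" in
            ""|*[!A-Za-z0-9.-]*)
                echo "skipping suspicious origin '$origin'" >&2
                continue ;;
        esac
        printf 'zone "%s" {\n\ttype slave;\n\tmasters { %s; };\n\tfile "/var/cache/bind/slave.%s";\n};\n' \
            "$name" "$MASTERS" "$name"
    done
}

# Active zones only, straight from MySQL (-N -B: no header, tab separated).
active_origins() {
    mysql --defaults-extra-file="$MYSQL_CRED_FILE" -N -B \
        -e "SELECT origin FROM soa WHERE active='Y' ORDER BY origin" mydns
}

# Write the file and have named-checkconf parse it before it is copied to
# the slaves and "rndc reconfig" is run there.
build_named_conf_local() {  # output path
    active_origins | slave_zone_stanzas > "$1" && named-checkconf "$1"
}

if [ "${1:-}" = "--run" ]; then
    build_named_conf_local /etc/bind/named.conf.local
fi
```

Run it with --run on master 1 whenever a zone is added or removed, then scp the file and `rndc reconfig` on each slave as described above; a zone flagged as inactive in the soa table simply drops out of the generated file.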


Walkthrough Policies

I write all of my walkthroughs with Debian and Ubuntu in mind. If following my steps does not get you the result you wanted, I am sorry. Just remember that I have failed many times before succeeding in all of the setups I use.