Wednesday, November 6, 2019

Modoboa Mail Server with Apache2 as Web Server on Ubuntu 18.04

Modoboa is an excellent way to simplify the installation, configuration, and ongoing maintenance of an email server.  The easiest way to install Modoboa is by using an installation script available on GitHub.

The Modoboa install script installs the Nginx web server by default.  Nginx is best for static content and Apache is better for dynamic content (like php). The key advantage of Nginx is that it uses fewer system resources because of its architecture.  Still, if your web traffic is low, the performance gain from using Nginx is negligible. I decided my website would be best served with Apache alone, though I still wanted to use Modoboa as my email server.

Since the installation script installs Nginx by default, a few modifications to the installer configuration are needed.  The following instructions assume a fresh Ubuntu 18.04 with Apache already installed.  Also, make sure a DNS MX record pointing to mail.your-domain.com is already configured.


Modoboa Installer


First install mod_wsgi then restart Apache
$ sudo apt-get install libapache2-mod-wsgi
$ sudo systemctl restart apache2
The installation script is available from GitHub.
$ git clone https://github.com/modoboa/modoboa-installer
Install the necessary Python packages
$ sudo apt-get install python-virtualenv python-pip
Navigate to the installer directory
$ cd modoboa-installer
Run the following command.
$ sudo ./run.py --stop-after-configfile-check your-domain.com
You'll get a warning that the installer.cfg file was not found, so a new one was created.  The installer.cfg file allows you to customize certain elements of the installation. The default contents include the following:
[general]
hostname = mail.%(domain)s

[certificate]
generate = true
type = self-signed

[letsencrypt]
email = admin@your-domain.com

[database]
engine = postgres
host = 127.0.0.1
install = true

[postgres]
user = postgres
password =
Leave the certificate type set to self-signed.  We will install a Let's Encrypt certificate manually later.
If you want to use MariaDB instead of postgres, change the engine type under database to mysql. Scroll down to the [nginx] section and set enabled to false so that Nginx is not installed.
[nginx]
enabled = false
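A pre-flight check for the edited installer.cfg, run after saving the file and before re-running the installer. This is an added example, not part of modoboa-installer; the function names ini_get and check_installer_cfg are hypothetical and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of modoboa-installer): check installer.cfg before
# running ./run.py. Section and key names are the ones shown in this post.

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is absent
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[/   {                             # [section] header
      s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
      in_sec = (s == sec); next
    }
    in_sec {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# check_installer_cfg FILE -> one line per problem, exit status 1 if any
check_installer_cfg() {
  cfg_rc=0
  if [ "$(ini_get "$1" nginx enabled)" != "false" ]; then
    echo "[nginx] enabled is not false: Nginx would be installed beside Apache"; cfg_rc=1
  fi
  if [ "$(ini_get "$1" certificate type)" != "self-signed" ]; then
    echo "[certificate] type is not self-signed"; cfg_rc=1
  fi
  case "$(ini_get "$1" database engine)" in
    postgres|mysql) ;;
    *) echo "[database] engine is neither postgres nor mysql"; cfg_rc=1 ;;
  esac
  return "$cfg_rc"
}

# Constructed sample: [nginx] still enabled, so one problem is reported
sample=$(mktemp)
cat > "$sample" <<'EOF'
[certificate]
type = self-signed
[database]
engine = postgres
[nginx]
enabled = true
EOF
check_installer_cfg "$sample" || echo "fix installer.cfg before running run.py"
rm -f "$sample"
```
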
Make the desired changes and save the file.  Next we'll re-run the installation routine using --interactive.
$ sudo ./run.py --interactive your-domain.com
If you have problems with the installation, rerun the script with the debug option:
$ sudo ./run.py --interactive --debug your-domain.com
If all goes well, the completed installation should look similar to the following:
Welcome to Modoboa installer!

Warning:
Before you start the installation, please make sure the following DNS records exist for domain 'microsmith.net':
  mail IN A   <IP ADDRESS OF YOUR SERVER>
       IN MX  mail.your-domain.com

Your mail server will be installed with the following components:
modoboa automx amavis clamav dovecot razor postfix postwhite spamassassin uwsgi radicale opendkim
Do you confirm? (Y/n)
The process can be long, feel free to take a coffee and come back later ;)
Starting...
Generating new self-signed certificate
Installing amavis
Installing spamassassin
Installing razor
Installing clamav
Installing modoboa
Installing automx
Installing radicale
Installing uwsgi
Installing opendkim
Installing postfix
Installing postwhite
Installing dovecot
Congratulations! You can enjoy Modoboa at https://mail.your-domain.com (admin:password)


Apache Configuration


Next we need to create an Apache config file for mail.your-domain.com.  Here is the file I created in the /etc/apache2/sites-available directory and named mail.your-domain.com.conf:
<VirtualHost *:80>
ServerName mail.microsmith.net
  DocumentRoot /srv/modoboa/instance/


  Alias /media/ /srv/modoboa/instance/media/
  <Directory /srv/modoboa/instance/media>
    Order deny,allow
    Allow from all
  </Directory>

  Alias /sitestatic/ /srv/modoboa/instance/sitestatic/
  <Directory /srv/modoboa/instance/sitestatic>
    Order deny,allow
    Allow from all
  </Directory>

</VirtualHost>
Next we need to configure the Apache config file.
$ sudo nano /etc/apache2/apache2.conf
Scroll down the page and uncomment (or add if it's missing) the following lines.
<Directory /srv/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
In addition, we need to configure WSGI.  Add the following lines to the Apache config file:
WSGIScriptAlias / /srv/modoboa/instance/instance/wsgi.py
WSGIPythonHome /srv/modoboa/env/
WSGIPythonPath /srv/modoboa/instance/

<Directory /srv/modoboa/instance/instance>
<Files wsgi.py>
  Require all granted
</Files>
</Directory>
WSGIPassAuthorization On
Save the file and reboot.

Install Let's Encrypt Certificate


Make sure the https port 443 is included in your firewall configuration. See Install Firewall (ufw).

Install certbot


Add the PPA and install certbot (install software-properties-common if necessary)
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
Install certbot packages:
$ sudo apt install python-certbot-apache

Install certificate:


Install the certificate as shown
$ sudo certbot --apache -d mail.your-domain.com
Answer any prompts and wait for the confirmation that the certificate has been issued.  If you have problems getting the certificate issued, try visiting the website https://letsdebug.net/. The Let's Encrypt certificate is only valid for 90 days.  However, the certbot installation includes a cron script that auto-renews the certificate 30 days before expiration.  The script is located in /etc/cron.d.

You can test the renewal process by running the following command again:
$ sudo certbot renew --dry-run
Manual installation of the Let's Encrypt certificate as instructed will automatically result in the creation of an ssl version of the Apache conf files for your site. Here are the contents of my site's ssl config file (mail.your-domain-le-ssl.conf) after a successful letsencrypt installation in the /etc/apache2/sites-available/ path:
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName mail.your-domain.com
  DocumentRoot /srv/modoboa/instance/


  Alias /media/ /srv/modoboa/instance/media/
  <Directory /srv/modoboa/instance/media>
    Order deny,allow
    Allow from all
  </Directory>

  Alias /sitestatic/ /srv/modoboa/instance/sitestatic/
  <Directory /srv/modoboa/instance/sitestatic>
    Order deny,allow
    Allow from all
  </Directory>

SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Note your certificate file path may vary.

There are two additional lines we need to add to the Apache config file.  Add the following two lines after the WSGIScriptAlias.
WSGIDaemonProcess your-domain.com python-path=/srv/modoboa/instance:/srv/modoboa/env/lib/python2.7/site-packages
WSGIProcessGroup your-domain.com

Modoboa Log-In Panel


Modoboa is programmed to work with IMAP.  If you want to connect to your mail server via pop3 from another email service, you need to make configuration changes.  The easiest way to do this is to install dovecot-pop3d.
$ sudo apt install dovecot-pop3d
Open firewall ports for 25, 587, 993, 995.

We're now ready to log into the Modoboa panel.  Go to https://mail.your-domain.com.  Your log-in is Admin and the password is password. Once you're logged in change your username and/or password.  Click on the user name in the top right of the menu panel, then go to settings>>profile to make the changes.

To set up domains for the server, click Domains from the top menu bar then click the Add+ button. Be sure to enable DKIM signing. Once the domain is set up, you can retrieve the public key for DKIM by selecting Domains from the top menu bar, then clicking the domain name.  Click the Show key button in the DNS box on the top right. You will need to add the domain key to your DNS settings.

If you plan to use Modoboa's webmail (I used it for testing) you should change the IMAP and SMTP ports and enable ssl/tls.  Click Modoboa in the menu bar, then select the Webmail tab.  Under IMAP settings, click the radio button to use a secure connection and change the port to 993.  Under SMTP settings, click the radio button to enable STARTTLS, change the server port to 587, then click the "Yes" radio button to require authentication.  Click save.













Monday, November 4, 2019

Awstats setup on Apache2 Ubuntu 18.04

Helpful websites: Linuxbabe, Leave No Bit Unturned.
Awstats is a useful free program that provides website statistics. The installation in this guide was performed on an Ubuntu 18.04 server running Apache2.

Install and Configure Awstats


$ sudo apt install awstats libgeo-ip-perl libgeo-ipfree-perl
Edit domain config file
$ sudo nano /etc/apache2/sites-available/your-domain.com
Use a separate log file name for each website you'll track so their stats stay separate.  Edit the following within the <VirtualHost> tag
ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
Add the following before the closing </VirtualHost> tag.
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
ScriptAlias /awstats/ /usr/lib/cgi-bin/
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Save file.  Enable the CGI module
$ sudo a2enmod cgi
Configure Awstats files for default website.  Back up the file
$ sudo cp /etc/awstats/awstats.conf /etc/awstats/awstat.conf.bak
Then edit
$ sudo nano /etc/awstats/awstats.conf
Edit the following lines as shown
LogFile="/var/log/apache2/your-domain.com_access.log"
LogFormat=1
SiteDomain="your-domain.com"
HostAliases="your-domain.com localhost 127.0.0.1"
DirData="/var/lib/awstats/your-domain.com"
Save file.  Give user www-data log access permissions (the following command requires "acl")
$ sudo setfacl -R -m "u:www-data:rx" /var/log/apache2/
Create directory structure to hold data and then grant permissions
$ sudo mkdir -p /var/lib/awstats/your-domain.com
$ sudo chown www-data:www-data /var/lib/awstats/your-domain.com
Restart Apache2
$ sudo systemctl restart apache2
The stats for your main (or only) domain should be accessible now at your-domain.com/cgi-bin/awstats.pl.  Cron should be set to update awstats every ten minutes by default.

Secure access to Awstats page


Now that Awstats is working you'll want to restrict access.  Run the following to set a password for admin.  The password will be stored at /etc/apache2/htpasswd.
$ sudo htpasswd -c /etc/apache2/htpasswd admin
Configure the Apache virtual host file
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
Then add the following
<Directory "/usr/lib/cgi-bin/">
    AuthUserFile /etc/apache2/htpasswd
    AuthName "Please Enter Your Password" 
    AuthType Basic
    Require valid-user
</Directory>
Save the file. Restart Apache2
$ sudo systemctl restart apache2
Now when you access the awstats page you should be prompted to enter a user name and password.

Multiple Websites


Create an awstats config file for your other websites.
$ sudo nano /etc/awstats/awstats.your-other-domain.com.conf
An include statement at the top will bring over the settings from the default awstats file. We just need to change some of the directives from the default by adding the following lines
Include "/etc/awstats/awstats.conf"
SiteDomain="your-other-domain.com"
HostAliases="your-other-domain.com localhost 127.0.0.1"
DirData="/var/lib/awstats/your-other-domain.com"
LogFile="/var/log/apache2/your-other-domain.com_access.log"
Create directory structure and set permissions.
$ sudo mkdir -p /var/lib/awstats/your-other-domain.com
$ sudo chown www-data:www-data /var/lib/awstats/your-other-domain.com
Restart Apache2
$ sudo systemctl restart apache2
Cron will update the stats in ten minutes. If you want to check your configuration now run the following:
$ sudo -u www-data /usr/share/awstats/tools/update.sh

Log File Permissions and Rotation


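Edit the Apache logrotate file so that newly created log files are readable by everyone (mode 644), which keeps them readable by www-data after each rotation.  Note that this also makes the access logs readable by every other local account on the server.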
$ sudo nano /etc/logrotate.d/apache2
Edit the following line as shown
create 644 root adm
Save the file.
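
To see what the create line means in practice, the following added example (not from the original post) reads the mode from a logrotate stanza and lists log files that any local account can read. The function names are hypothetical and the stanza in the demo is constructed.

```bash
#!/usr/bin/env bash
# Added example: report who can read Apache logs after the logrotate edit.

# logrotate_create_mode FILE -> mode from the first "create MODE OWNER GROUP" line
logrotate_create_mode() {
  awk '$1 == "create" && $2 ~ /^[0-7]+$/ { print $2; exit }' "$1"
}

# others_can_read MODE -> status 0 if the last ("other") digit has the read bit
others_can_read() {
  [ -n "$1" ] || return 1
  oc_last=${1#"${1%?}"}              # last octal digit, e.g. 4 for 644
  [ $(( ${oc_last} & 4 )) -ne 0 ]
}

# world_readable_logs DIR -> existing files in DIR that any local account can read
world_readable_logs() {
  find "$1" -type f -perm -004 | sort
}

# Constructed demo stanza using the line from this post
demo=$(mktemp -d)
printf '/var/log/apache2/*.log {\n    daily\n    create 644 root adm\n}\n' > "$demo/apache2"
mode=$(logrotate_create_mode "$demo/apache2")
if others_can_read "$mode"; then
  echo "create $mode: logs created at rotation are world-readable"
fi
rm -rf "$demo"
```

On the server itself, run world_readable_logs /var/log/apache2 and logrotate_create_mode /etc/logrotate.d/apache2 to compare the existing files with what the next rotation will create.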