Weblogs for alfadir
I have been working along with my server, and it is running. Lately I have been attacking the only real piece that is missing: email.
I picked exim4 as it is the standard mail server in debian.
I am running two domains on one server: example.net and example.com.
I have created an LDAP router (using the split configuration):
850_exim4-config_ldap_user
ldap_user:
  debug_print = "R: ldap_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = ${extract {uid}{${lookup ldap {USER_LOOKUP} {$value} fail }}}@$domain
  transport = LOCAL_DELIVERY
But the problem is that $domain ends up being debian.example.com for an email to user@example.com. The actual lookup works if the correct domain is supplied.
The paniclog shows the expanded query:
ldaps://ldap.example.com/ou=people,dc=debian,dc=example?uid,uidNumber?sub?(&(mail=user@debian.example.com)(uidNumber=*))
What fails is the dc=debian, which is constructed by
dc=${extract{1}{.}{${lc:$domain}}}
It is not possible to set up matching if the local hostname is used. What am I doing wrong? How can I access the server part of the incoming email address? Do I have to set up one LDAP router per domain?
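As an added diagnostic (not part of the original post), the following Python snippet parses the expanded LDAP URL quoted from the paniclog and reports whether the domain that reached the filter is one of the server's local domains or the host's own name; the sample query is copied from the paniclog line above, while LOCAL_DOMAINS and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the expanded query the post quotes from the paniclog.
PANICLOG_QUERY = (
    "ldaps://ldap.example.com/ou=people,dc=debian,dc=example"
    "?uid,uidNumber?sub?(&(mail=user@debian.example.com)(uidNumber=*))"
)

# Assumed: the two domains this server is meant to accept mail for.
LOCAL_DOMAINS = {"example.com", "example.net"}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, base DN, attributes, scope and filter."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    parts = tail.split("?", 3) + [""] * 3          # pad missing components
    dn, attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {
        "scheme": scheme,
        "host": host,
        "base_dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",                   # RFC 4516 default scope
        "filter": filt,
    }


def dc_suffix(base_dn):
    """Join the dc= components of a DN into a dotted name, e.g. 'debian.example'."""
    return ".".join(m.group(1) for m in re.finditer(r"(?i)\bdc=([^,]+)", base_dn))


def filter_mail_domain(filt):
    """Return the domain part of the first (mail=local@domain) assertion, or None."""
    m = re.search(r"\(mail=[^@()]+@([^)]+)\)", filt)
    return m.group(1).lower() if m else None


def diagnose(url, local_domains=LOCAL_DOMAINS):
    """Tell whether $domain expanded to a local domain or to a hostname under one."""
    q = parse_ldap_url(url)
    mail_dom = filter_mail_domain(q["filter"])
    under_local = bool(mail_dom) and any(mail_dom.endswith("." + d) for d in local_domains)
    return {
        "base_dc": dc_suffix(q["base_dn"]),
        "mail_domain": mail_dom,
        "domain_is_local": mail_dom in local_domains,
        "looks_like_hostname": under_local,
    }


if __name__ == "__main__":
    print(diagnose(PANICLOG_QUERY))
```

For the paniclog query the report shows mail_domain debian.example.com with domain_is_local False and looks_like_hostname True, i.e. the router saw the machine's FQDN rather than example.com.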
The second problem is how to treat SMTP auth. How does that work with virtual servers? One option is to have the user supply the full mail address as the username. I guess Apache-like DNS matching is not possible: user X logging in to mail.example.net becomes authenticated as X@example.net and user Y logging in to mail.example.com becomes authenticated as Y@example.com.
Thirdly, what options and permissions does one have to set to have directories created?
I want to store all mail in /srv/mail/$domain/$local_parts/Maildir and have created /srv/mail with owner Debian-exim.
MAILDIR_HOME_MAILDIR_LOCATION = /srv/mail/${lc:$domain}/${lc:$local_part}/Maildir
MAILDIR_HOME_CREATE_DIRECTORY = true
MAILDIR_HOME_CREATE_FILE = anywhere
are set, but I get: (13): Permission denied: stat( ) error for /srv/mail/example.com/user/Maildir: Permission denied (strangely, ${lc:$domain} gives example.com here and not debian.example.com).
Otherwise I am working on a write-up of all my experiences with other programs on the server. Everything else is nicely controlled by LDAP. I will publish it once I have a proper draft.
So I am growing up. I want to be a full Internet grownup. Running an Internet server. A proper citizen in the Internet society, doing everything according to best practices and standards. And I would like to do it with deb packages.
Also I think there are more people like me. That is why I think it would be cool to write some kind of article series or a proper guide on how to bring a modern Debian box to the Internet in the best way. There is a lot of information online, but it is sometimes old or for other distributions. If someone knows a good guide I'd love to hear about it. (Of course Debian Administration has a lot of good material already.)
Why not some kind of Wiki sandbox somewhere, and then when the guide is done, it could be added to the site.
I have been using Debian since 1998, and I feel I know my way around Debian. Before Christmas I reserved 3 domain names via a service that does not offer web hosting. I wanted it this way since I would like to take the next step, from running small servers at home to a real Internet server.
I have arranged for a fast Internet link, 10 Mbit (fiber to the ISP, not sure about the exact bandwidth to the Internet) with my own computer attached to it. It runs Debian and I have full control over it. Currently it runs Debian stable. I only have one IP.
I have spent some time reading up on DNS and email and other things that Internet grownups need. Still it is a bit of dark magic, and I want to have a properly configured thing.
I want to use this server for all the things that one can need to have accessible over the Internet, with the highest possible security and encryption. I do not wear a tinfoil hat, but I think privacy is important. I want to be able to differentiate what the general public and my family see. Living abroad, this is one way to share photos or other more private thoughts.
I would like to ask for tips and hints from all you Debian Administration gurus that are already running these kinds of servers on the Internet.
The services I have in mind so far are:
For the 3 domains
- WWW - apache2
  - Proper SSL certificate hierarchy that works with all three sites. I have only one IP.
  - Should be easy to add subdomains, not only www.example.com but also another.example.com. The SSL certificate should handle that too. The Apache rewrite mod might be a solution; I am not sure how proper DNS handling would work. Also, running 3 Apache sites should be enough, one per domain name.
  - I will run a couple of webapps. Being a DocBook fan, I am trying to build up something like Norman Walsh's site, for interesting in-depth articles. Have a start but it needs more work.
  - Some Python framework for SQL apps, still looking into which. Hoped that the Python BDFL would give some nice hints in his evaluation, but I am still looking.
  - I know my way around Apache well enough and I will use Apache2.
- Email - exim3/exim4/postfix/cyrus ?
  - IMAP
  - Sieve
  - Secure connections (SSL, TLS, SASL, SMTP Auth)
  - Easy to add private users. I would like to be able to add users when registering for different web forums etc., to sort out spam etc. and see where it originates.
  - Email lists - with SSL user-protected archive, if needed; some lists will be open
  - Other things? (Currently I have a private and a work email, both on IMAP, so I am just a user.)
  - Have no idea which email package is best for this task.
- LDAP
  - I want to build different types of users: shell access, email access, email list access, website access (some different levels there too), subversion. Still I want it easy and manageable.
  - Secure setup, but currently I am only looking at one machine, and the LDAP does not have to authenticate on different machines. Might be needed in the future, if I go Xen or VMware, or get more machines.
  - Secondary LDAP server when needed.
- DNS
  - Not sure if it helps to run one's own DNS server? Running on external free DNS services like Xname is still needed, I guess?
  - Treatment of subdomains like www.example.com and another.example.com. No experience.
- Bastille
  - Generally hardening the system.
- Timeserver
  - Configure NTP properly.
For my main domain
- Subversion
- WebDAV
  - Have set that up before, just need to make sure it is secure, and look into whether LDAP can be used for authentication.
- WebDAV calendar
  - Not sure yet, but I do run Sunbird alpha. I'd like to be prepared as Sunbird becomes better. In a dream world I'd like to securely share a private calendar with others, to schedule appointments etc.
- ssh/scp/rsync+ssh
  - Normal SSH server - secure setup with SSH host key protection
  - Passwordless access with keys - secure setup
- Backup
  - Local backup solution - currently mirrored home (no backup)
  - For all important data (digital photos, so space is needed)
  - Some ideas but needs work. DVD-R is maybe too weak?
There are many other questions. Is a pure Debian box the way to go, or Xen or VMware to separate the services better? Can I script everything so I can rebuild a broken server fast? What goes where? Webserver in /var/www or in /srv, since subversion should go to /srv? Keeping the configuration details in subversion, saving only the files that I change?
What are the best practices to become a real Internet grownup?