Archive for August, 2007

Running a Mail Server Electronic mail hardly requires

Friday, August 31st, 2007

Running a Mail Server

Electronic mail hardly requires introduction. Communications made through the original forms of e-mail helped shape the Internet. Widespread availability of access to e-mail and modern enhancements such as MIME (Multipurpose Internet Mail Extensions, which allow for inclusion of attachments and alternate message formats) have helped to make e-mail the most popular application on the Internet. With a Linux system and a suitable Internet connection, you can easily set up your own mail server for personal or business use.

This chapter includes a description of how Internet mail works at the protocol level, and then guides you through the process of setting up a mail server, complete with spam and virus filtering. In the final section, you learn how to secure network communications between clients and your mail server through the use of SSL/TLS (Secure Sockets Layer and Transport Layer Security) protocols.

The examples in this chapter are based on a Debian GNU/Linux system. (See Chapter 9 for more information about Debian.) However, much of the knowledge you gain from setting up a mail server in Debian applies to other Linux systems as well.

Internet E-Mail's Inner Workings

E-mail messages are generated either by an automated process, such as a form processor on a Web page or an automated notification system, or by an MUA (Mail User Agent) controlled by an end user. Messages are delivered through one of two methods to the software performing the MTA (Mail Transfer Agent) function on a server:

- SMTP: The Simple Mail Transfer Protocol is a network-based protocol that allows for transmission of messages between systems.

Chapter 25

In This Chapter:
- Internet e-mail's inner workings
- About the system and the software used
- Preparing your system
- Installing and configuring the mail server software
- Testing and troubleshooting
- Configuring mail clients
- Securing communications with SSL/TLS

Chapter 24 . Running a Linux, Apache, MySQL,

Thursday, August 30th, 2007

Chapter 24: Running a Linux, Apache, MySQL, and PHP (LAMP) Server (page 671)

3. Test the Apache configuration and then perform a full restart:

    # apachectl configtest
    Syntax OK.
    # apachectl stop
    # apachectl start

4. Browse to https://servername/ and verify the SSL configuration. When using a self-signed certificate, or one signed by a CA, you are asked whether you want to accept the certificate.

Summary

Combining Linux with an Apache Web server, MySQL database, and PHP scripting content (referred to as a LAMP server) makes it possible for you to configure your own full-featured Web server. By following the instructions in this chapter, you learned how to set up Apache to do virtual hosting, add content to a MySQL database, and allow PHP scripting in the content on your server. For added security, this chapter described how to add your own certificates and troubleshoot problems that might arise with your server.

670 Part V . Running Servers Configuring Apache

Wednesday, August 29th, 2007

Part V: Running Servers (page 670)

Configuring Apache to Support SSL/TLS

Once your keys have been generated, you need to install the mod_ssl Apache module, which adds SSL/TLS support to Apache, and then configure it using the appropriate configuration directives. Here's how:

1. SSL and TLS support can be added to Apache by installing the mod_ssl package:

    # apt-get install libapache-mod-ssl
    # apache-modconf apache enable mod_ssl
    Replacing config file /etc/apache/modules.conf with new version

2. Add an SSL-enabled virtual host to your Apache configuration files. Using the earlier virtual host as an example, your configuration will look something like this:

    Listen *:443
    <VirtualHost *:443>
        ServerName secure.example.org
        DocumentRoot /home/username/public_html/
        User username
        Group groupname
        DirectoryIndex index.php index.html index.htm
        SSLEngine On
        SSLCertificateKeyFile /etc/apache/ssl.key/server.key
        SSLCertificateFile /etc/apache/ssl.crt/server.crt
        SSLCACertificateFile /etc/apache/ssl.crt/ca.crt
    </VirtualHost>

This example uses a wildcard for the IP address in the VirtualHost declaration, which saves you from having to modify your configuration file in the event that your IP address changes but also prevents you from having multiple SSL virtual hosts. In the event that you do need to support more than one SSL virtual host, replace * with the specific IP address that you assign to that host. See the Troubleshooting section earlier in the chapter for more information about the Listen directive.

A CA generally provides you with a certificate file to place in ca.crt and sometimes also provides you with a separate file that you will need to reference using an SSLCertificateChainFile directive. The mod_ssl package also includes an /etc/apache/ssl.crt/ca-bundle.crt, which contains the certificates from most of the well-known certificate authorities and can be referenced as long as the appropriate CA certificate is included.

Note: When running your own CA, point this directive to a file containing the public key from that CA. Omit this line when using a self-signed certificate.
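A pre-restart check for the SSLCertificateFile and SSLCertificateKeyFile pair configured above, added here as an example and not taken from the book. It confirms that the certificate carries the public half of the private key, then reports RSA keys under 2048 bits and MD5 or SHA-1 signatures, which current CAs and browsers no longer accept. The function names and both thresholds are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the book). Function names and the 2048-bit and
# SHA-1/MD5 thresholds are assumptions of this example.

# Succeeds only when the certificate holds the public half of the key.
# A passphrase-protected key makes openssl prompt for the passphrase.
cert_matches_key() {   # cert_matches_key server.crt server.key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Reads "openssl x509 -noout -text" output on stdin and prints one line per
# weak parameter. Prints nothing when key size and digest are acceptable.
audit_cert_text() {
    awk '
    /Public Key Algorithm:/ { pk = $NF }
    /Signature Algorithm:/ && alg == "" { alg = $NF }
    # Key size only means something comparable for RSA, so skip EC keys.
    /Public-Key: \(/ && pk == "rsaEncryption" && !bits {
        s = $0; sub(/^.*\(/, "", s); bits = s + 0
    }
    END {
        if (bits && bits < 2048) printf "WEAK-KEY %d bits\n", bits
        if (tolower(alg) ~ /(md5|sha1)/) printf "WEAK-DIGEST %s\n", alg
    }'
}

# Runs both checks; returns 1 when the pair does not belong together.
check_tls_pair() {     # check_tls_pair server.crt server.key
    cert_matches_key "$1" "$2" || {
        echo "MISMATCH or unreadable: $1 / $2"
        return 1
    }
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Stand-alone use, with the paths from the chapter:
#   sh check.sh /etc/apache/ssl.crt/server.crt /etc/apache/ssl.key/server.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Run it before `apachectl configtest`, since a key that does not match its certificate is among the SSL errors that pass the syntax test but stop Apache from starting.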

Chapter 24 . Running a Linux, Apache, MySQL,

Tuesday, August 28th, 2007

Caution: Do not lose this passphrase because it cannot be easily recovered.

4. If you plan to have your certificate signed by a CA (including one that you run yourself), generate a public key and a certificate signing request (CSR):

    # mkdir ../ssl.csr/
    # cd ../ssl.csr/
    # openssl req -new -key ../ssl.key/server.key -out server.csr
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Washington
    Locality Name (eg, city) []:Bellingham
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Company, LTD.
    Organizational Unit Name (eg, section) []:Network Operations
    Common Name (eg, YOUR name) []:secure.example.org
    Email Address []:dom@example.org
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

   The Common Name should match the name that clients will use to access your server. Be sure to get the other details right if you plan to have the CSR signed by a third-party CA.

5. When using a third-party CA, submit the CSR to it and then place the certificate it provides you into /etc/apache/ssl.crt/server.crt (or a different file, as desired).

6. If you don't plan to have your certificate signed, or if you want to test your configuration, generate a self-signed certificate and save it in a file named server.crt:

    # mkdir ../ssl.crt/
    # cd ../ssl.crt/
    # openssl req -new -x509 -nodes -sha1 -days 365 -key ../ssl.key/server.key -out server.crt
    Country Name (2 letter code) [AU]:.
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:TEST USE ONLY
    Organizational Unit Name (eg, section) []:TEST USE ONLY
    Common Name (eg, YOUR name) []:secure.example.org
    Email Address []:dom@example.org

668 Part V . Running Servers You also

Monday, August 27th, 2007

You also have the option of creating self-signed certificates, although these should be used only for testing or when a very small number of people will be accessing your server and you do not plan to have certificates on multiple machines. Directions for generating a self-signed certificate are included in the following section.

The last option is to run your own certificate authority. This is probably only practical if you have a small number of expected users and the means to distribute your CA certificate to them (including assisting them with installing it in their browsers). The process for creating a CA is too elaborate to cover in this book but is a worthwhile alternative to generating self-signed certificates. You can find guides on running your own CA at these sites:

- http://pseudonym.org/ssl/ssl_cook.html
- http://sial.org/howto/openssl/ca/

The following procedure describes how to generate and use SSL keys with the LAMP server (running on a Debian GNU/Linux system) configured in this chapter. For a general discussion of SSL keys and procedures specific to Fedora and other Red Hat Linux systems, refer to Chapter 6.

Generating Your Keys

To begin setting up SSL, use the openssl command, which is part of the OpenSSL package, to generate your public and private key:

1. Use APT to verify that OpenSSL is installed. If it is not present, APT downloads and installs it automatically:

    # apt-get install openssl

2. Generate a 1024-bit RSA private key and save it to a file:

    # mkdir /etc/apache/ssl.key/
    # cd /etc/apache/ssl.key/
    # openssl genrsa -out server.key 1024
    # chmod 600 server.key

   You can use a filename other than server.key and should do so if you plan to have more than one SSL host on your machine (which requires more than one IP address). Just make sure you specify the correct filename in the Apache configuration later.

   In higher-security environments, it is a good idea to encrypt the key by adding the -des3 argument after the genrsa argument on the openssl command line:

    # openssl genrsa -des3 -out server.key 1024

3. You are asked for a passphrase, which is needed every time you start Apache.

Chapter 24 . Running a Linux, Apache, MySQL,

Sunday, August 26th, 2007

Electronic commerce applications such as online shopping and banking are generally encrypted using either the Secure Socket Layer (SSL) or Transport Layer Security (TLS) specifications. TLS is based on version 3.0 of the SSL specifications, so they are very similar in nature. Because of this similarity, and because SSL is older, the SSL acronym is often used to refer to either variety.

For Web connections, the SSL connection is established first, and then normal HTTP communication is tunneled through it. Because SSL negotiation takes place before any HTTP communication, name-based virtual hosting (which occurs at the HTTP layer) does not work with SSL. As a consequence, every SSL virtual host you configure needs to have a unique IP address.

During connection establishment between an SSL client and an SSL server, asymmetric (public key) cryptography is used to verify identities and establish the session parameters and the session key. A symmetric encryption algorithm such as DES or RC4 is then used with the negotiated key to encrypt the data that are transmitted during the session. The use of asymmetric encryption during the handshaking phase allows safe communication without the use of a preshared key, and the symmetric encryption is faster and more practical for use on the session data.

For the client to verify the identity of the server, the server must have a previously generated private key, as well as a certificate containing the public key and information about the server. This certificate must be verifiable using a public key that is known to the client. In some cases, the server also requires the client to present a certificate that it can verify. However, this is not commonly found on Web servers, except in high-security environments with smaller numbers of clients, where the management of certificates is more practical.

You can find more information about the SSL protocol at http://developer.netscape.com/docs/manuals/security/sslin/contents.htm.

Certificates are generally digitally signed by a third-party certificate authority (CA) that has verified the identity of the requester and the validity of the request to have the certificate signed. In most cases, the CA is a company that has made arrangements with the Web browser vendor to have its own certificate installed and trusted by default client installations. The CA then charges the server operator for its services.

Commercial certificate authorities vary in price, features, and browser support, but remember that price is not always an indication of quality. Some popular CAs include InstantSSL (www.instantssl.com), Thawte (www.thawte.com), and VeriSign (www.verisign.com).

666 Part V . Running Servers File not

Saturday, August 25th, 2007

File not found errors can be checked in the same way as access forbidden and server internal errors. You may sometimes find that Apache is not looking where you think it is for a specific file. Generally, the entire path to the file shows up in the error log. Make sure you are accessing the correct virtual host, and check for any Alias settings that might be directing your location to a place you don't expect.

- File permissions: A "file permissions prevent access" error indicates that the apache process is running as a user that is unable to open the requested file. Make sure that the account has execute permissions on the directory and every directory above it, as well as read permissions on the files themselves. Read permissions on a directory are also necessary if you want Apache to generate an index of files. See the manual page for chmod for more information about how to view and change permissions. Read permissions are not necessary for compiled binaries, such as those written in C or C++, but can be safely added unless there is a need to keep the contents of the program secret.

- Access denied: A "client denied by server configuration" error indicates that Apache was configured to deny access to the object. Check the configuration files for and sections that might affect the file you are trying to access, remembering that settings applied to a path are also applied to any paths below it. You can override these by changing the permissions only for the more specific path to which you want to allow access.

- Index not found: The "Directory index forbidden by rule" error indicates that Apache could not find an index file with a name specified in the DirectoryIndex directive and was configured to not create an index containing a list of files in a directory. Make sure your index page, if you have one, has one of the names specified in the relevant DirectoryIndex directive, or add an Options Indexes line to the appropriate or section for that object.

- Script crashed: "Premature end of script headers" errors can indicate that a script is crashing before it finishes. Sometimes, the errors that caused this also show up in the error log. When using suexec or suPHP, this error may also be caused by a file ownership or permissions error. These errors are indicated in /var/log/apache/suexec.log or /var/log/apache/suphp.log.

Securing Your Web Traffic with SSL/TLS

You want to add security for your server, including your own certificates. Your data is important, and so is your capability to pass it along your network or the Internet to others. Networks just aren't secure enough by themselves to protect your communications. This section examines ways in which you can help guard your communications.

Chapter 24 . Running a Linux, Apache, MySQL,

Friday, August 24th, 2007

Generally, it is a good idea to use only one type of these directives to avoid confusion. Of the three, Listen is the most flexible, so it is probably the one you want to use the most. A common error when using Listen is to specify a port on all IP addresses (*:80) as well as that same port on a specific IP address (1.2.3.4:80), which results in the error from make_sock.

Configuration errors relating to SSL (discussed later in this chapter) commonly result in Apache not starting properly. Make sure all key and certificate files exist and that they are in the proper format (use openssl to examine them, as shown later in this chapter).

For other error messages, try doing a Web search to see if somebody else has encountered the problem. In most cases, you can find a solution within the first few matches.

If you aren't getting enough information in the ErrorLog, you can configure it to log more information using the LogLevel directive. The options available for this directive, in increasing order of verbosity, are emerg, alert, crit, error, warn, notice, info, and debug. Select only one of these. Any message that is at least as important as the LogLevel you select will be stored in the ErrorLog. On a typical server, this is set to warn. You should not set it to any lower than crit and should avoid leaving it set to debug because that can slow down the server and result in a very large ErrorLog.

As a last resort, you can also try running apache manually to check for crashes or other error messages:

    # /usr/sbin/apache -d /etc/apache -F ; echo $?

The -d flag tells apache where to look for its configuration file, and the -F flag tells it to run in the foreground. The semicolon separates this command from the echo command, which displays the return code ($?) from Apache after it exits. In the event that apache crashes during this step, you can use tools such as gdb and strace to trace the problem.

Access Forbidden and Server Internal Errors

Two common types of errors that you may encounter when attempting to view specific pages on your server are permission errors and server internal errors. Both types of errors can usually be isolated using the information in the error log. After making any of the changes described in the following list to attempt to solve one of these problems, try the request again and then check the error log to see if the message has changed (for example, to show that the operation completed successfully).

664 Part V . Running Servers Some configuration

Thursday, August 23rd, 2007

Some configuration problems pass the syntax tests performed by apachectl, but then result in the HTTP daemon exiting immediately after reloading its configuration. If this happens, use the tail command to check Apache's error log for useful information. On Debian systems, the error log is in /var/log/apache/error.log. On other systems, the location can be found by looking for the ErrorLog directive in your Apache configuration.

An error message that you might encounter looks something like this:

    [crit] (98)Address already in use: make_sock: could not bind to port 80

This error often indicates that something else is bound to port 80 (not very common unless you have attempted to install another Web server), that another Apache process is already running (apachectl usually catches this), or that you have told Apache to bind the same IP address and port combination in more than one place.

You can use the netstat command to view the list of programs (including Apache) with TCP ports in the LISTEN state:

    # netstat -nltp
    Active Internet connections (only servers)
    Proto  Local Address  Foreign Address  State   PID/Program name
    tcp    0.0.0.0:80     0.0.0.0:*        LISTEN  2105/apache

The output from netstat (which was shortened to fit here) indicates that an instance of the apache process with a process ID of 2105 is listening (as indicated by the LISTEN state) for connections to any local IP address (indicated by 0.0.0.0) on port 80 (the standard HTTP port). If a different program is listening to port 80, it is shown there. You can use the kill command to terminate the process, but if it is something other than apache (or httpd), you should also find out why it is running.

If you don't see any other processes listening on port 80, it could be that you have accidentally told Apache to listen on the same IP address and port combination in more than one place. There are three configuration directives that can be used for this: BindAddress, Port, and Listen:

- BindAddress enables you to specify a single IP address to listen on, or you can specify all IP addresses using the * wildcard. You should never have more than one BindAddress statement in your configuration file.

- Port specifies which TCP port to listen on but does not enable you to specify the IP address. Port is generally not used more than once in the configuration.

- Listen enables you to specify both an IP address and a port to bind to. The IP address can be in the form of a wildcard, and you can have multiple Listen statements in your configuration file.
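A static check for the binding mistakes this section describes (the same address and port bound twice, a wildcard Listen plus a specific address on the same port, more than one BindAddress, and mixing the three directive types), added here as an example and not taken from the book. The function name and the sample configuration are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the book): report Listen/BindAddress/Port
# settings that lead to "make_sock: could not bind" at startup.
# Usage: check_bind_conflicts httpd.conf [more.conf ...]
check_bind_conflicts() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    { d = tolower($1) }                     # directive names ignore case
    d == "listen" {
        hl = 1; spec = $2; where = FILENAME ":" FNR
        if (index(spec, ":") == 0) {        # "Listen 80" binds every address
            addr = "*"; port = spec
        } else {                            # split on the last colon
            port = spec; sub(/^.*:/, "", port)
            addr = substr(spec, 1, length(spec) - length(port) - 1)
        }
        if (addr == "0.0.0.0") addr = "*"
        key = addr ":" port
        if (key in seen)
            printf "DUPLICATE %s (%s and %s)\n", key, seen[key], where
        else
            seen[key] = where
        if (addr == "*") wild[port] = where
        else specific[port] = specific[port] " " addr
    }
    d == "bindaddress" { hb = 1; nbind++ }
    d == "port"        { hp = 1 }
    END {
        for (p in wild)
            if (p in specific)
                printf "OVERLAP port %s: wildcard (%s) plus%s\n", p, wild[p], specific[p]
        if (nbind > 1)
            printf "MULTIPLE BindAddress statements (%d)\n", nbind
        if (hb + hp + hl > 1)
            printf "MIXED directives:%s%s%s\n", (hb ? " BindAddress" : ""), (hp ? " Port" : ""), (hl ? " Listen" : "")
    }' "$@"
}

# Constructed sample configuration for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 80
Listen *:80
Listen 1.2.3.4:80
Listen *:443
EOF
check_bind_conflicts "$sample"
rm -f "$sample"
```

On the sample it reports the port 80 overlap between the wildcard and 1.2.3.4, plus the mix of Port and Listen.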

Chapter 24 . Running a Linux, Apache, MySQL,

Wednesday, August 22nd, 2007

If you installed Coppermine on a public server, you can give the Web address of that server to your friends and family and they can begin viewing your photo albums. There is a lot you can do to customize your Coppermine Photo Gallery. You can begin by going through the settings on the Configuration page (click the Config link to get there). Click the Users or Groups links to create user or group accounts that give special access to upload or modify the content of your gallery.

Troubleshooting

In any complex environment, you occasionally run into problems. This section includes tips for isolating and resolving the most common errors that you may encounter.

This section refers to the Apache HTTPD binary as apache, which is what it is named on Debian systems. However, in most other distributions, the binary is named httpd. On different systems, you may need to substitute httpd for apache when it appears by itself, although not for commands such as apachectl.

Configuration Errors

You may occasionally run into configuration errors or script problems that prevent Apache from starting or that prevent specific files from being accessible. Most of these problems can be isolated and resolved using two Apache-provided tools: the apachectl program and the system error log.

When encountering a problem, first use the apachectl program with the configtest parameter to test the configuration. In fact, it's a good idea to develop the habit of running this every time you make a configuration change:

    # apachectl configtest
    Syntax OK
    # apachectl graceful
    /usr/sbin/apachectl graceful: httpd gracefully restarted

In the event of a syntax error, apachectl indicates where the error occurs and also does its best to give a hint about the nature of the problem. You can then use the graceful restart option (apachectl graceful) to instruct Apache to reload its configuration without disconnecting any active clients.

The graceful restart option in apachectl automatically tests the configuration before sending the reload signal to apache, but it is still a good idea to get in the habit of running the manual configuration test after making any configuration changes.