Monday, July 04, 2005

cPanel + Trustix for Hosting

This is a log of the additional configuration needed for Trustix+cPanel. Trustix+cPanel ships with a few broken configurations that need to be fixed before production deployment.
  • Logrotate:
Add extra /etc/logrotate.d/httpd

/usr/local/apache/logs/error_log /usr/local/apache/logs/access_log /usr/local/apache/logs/suexec_log {
postrotate
/usr/bin/killall -HUP httpd
endscript
}
Add these few lines to /etc/logrotate.d/syslog and remove the duplicated entries from the old file
/var/log/messages /var/log/secure /var/log/maillog /var/log/boot.log {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
- comment out named stuff from /etc/syslog.conf and change local2.* to /var/log/message
- add this to /etc/cron.daily/logrotate
export TMPDIR=/var/log/tmp
- additional stuff
cd /var/log
rm -rf named
mkdir tmp # our /tmp is mounted noexec, hence logrotate needs its own TMPDIR
chmod 755 tmp
chown syslog:syslog tmp message message.* maillog maillog.* secure secure.*
export TMPDIR=/var/log/tmp
  • swup --install glibc-locales (so the couple of packages that need locale data, such as SquirrelMail or the autoresponder in cPanel, work correctly)
  • swup --install uw-imap-devel libimap (needed to make php-imap compile)
  • To update clamav (it was installed with exiscan): exim has GOT to be configured first; take the config from the current servers.
cd /root/src
wget http://umn.dl.sourceforge.net/sourceforge/clamav/clamav-0.82.tar.gz
tar -xvzf clamav-0.82.tar.gz
cd clamav-0.82
./configure --prefix=/usr --sysconfdir=/etc && make && make install
cp /etc/clamav.conf /etc/clamd.conf
service exim restart
  • add RBL to /etc/exim.conf (Edit: this is now outdated. I'll write about exim+SA+clam later.)

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.

accept  hosts = +relay_hosts
        endpass

accept  authenticated = *

drop    dnslists = sbl.spamhaus.org : relays.ordb.org : list.dsbl.org : bl.spamcop.net : xbl.spamhaus.org
        message = your mail server $sender_host_address is in a black list at $dnslist_domain ($dnslist_text)
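To see what the dnslists condition above actually does, here is an added example (my own illustration, not cPanel's or Exim's code): it builds the reversed-octet query name, accepts only 127.0.0.0/8 answers, and runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) so a list that has died and started answering for everything gets ignored instead of dropping all your mail. The resolve callback and the FAKE_ZONE table are assumptions standing in for real DNS.

```python
import ipaddress
from typing import Callable, Optional

# Assumed interface: name -> A record string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the client's octets and append the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer if ip is listed in zone, else None.
    Answers outside 127.0.0.0/8 are not valid DNSBL codes and are ignored."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 listed, 127.0.0.1 not listed.
    A zone failing this should be removed from the ACL."""
    return (is_listed("127.0.0.2", zone, resolve) is not None
            and is_listed("127.0.0.1", zone, resolve) is None)


def check_sender(ip: str, zones: list, resolve: Resolver) -> Optional[str]:
    """Mirror of `drop dnslists = a : b : c`: first sane list that hits wins,
    returning what Exim would put in $dnslist_domain."""
    for zone in zones:
        if zone_is_sane(zone, resolve) and is_listed(ip, zone, resolve) is not None:
            return zone
    return None


# Constructed sample data: what a resolver would answer for these names.
FAKE_ZONE = {
    "2.0.0.127.good.example": "127.0.0.2",
    "1.2.0.192.good.example": "127.0.0.4",  # 192.0.2.1 is listed
    "2.0.0.127.dead.example": "127.0.0.2",
    "1.0.0.127.dead.example": "127.0.0.2",  # dead list answers for everything
    "1.2.0.192.dead.example": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


ZONES = ["dead.example", "good.example"]
```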
  • Then, to prevent cPanel from overwriting this modified config: chattr +i /etc/exim.conf
  • To further prevent spam, this is really cool: http://forums.cpanel.net/showthread.php?t=31710 contains instructions on how to set up exim to block spam using a list of domains found in the body of spam messages.
  • cPanel's mod_gzip installation is really dangerous. You'd better change these lines in httpd.conf:
# change max file size from unlimited to 500k to prevent overcommitted /tmp partition
mod_gzip_maximum_file_size 500000
# and add these lines to ignore graphic & compressed files
mod_gzip_item_exclude mime ^image/
mod_gzip_item_exclude file \.bz2$
mod_gzip_item_exclude file \.tbz2$
mod_gzip_item_exclude file \.gz$

Update 2005/08/03:
  • Install exim+clamav
  • Also config like ours
Update 2006/02/03:
  • Since cPanel does not support Trustix any more, and also Trustix has stopped being a good guy, I decided it's not worth it to pursue another good distro and focus only on RHES, CentOS, and Gentoo.
