Building and maintaining home server greenblatt
Again a new home server is being built, just like the previous
home server gosper. This page logs
the choices made and the special steps taken to make certain things work.
The server name is greenblatt. This is in line with the
machine names theme at home. The name greenblatt was used before, but I decided to 'recycle'
it now that the previous greenblatt hardware is long gone. I chose
a different name from gosper to avoid confusion during the
installation (rebooting the wrong system). Services running on the server
system are reached via cnames anyway (wwwproxy, www, imaps), so I should be able to deal
with the new home server having a different name eventually. I'll have to
update a number of my fvwmrc files to log in to the right server.
Functions
Lots of stuff:
- File server
- Mail server
- News server
- Web server
- Network router / firewall / dhcp
- Webproxy
- DNS server
- Database server
Fax is gone: I have received 20 faxes on the previous setup in 9 years, and
I have sent 4. I think I don't really need a fax.
The main new function I'm considering is 'home telephone server'.
Linux distribution
Linux is a given; the distribution to choose is the question. After installing
some stuff at work with Ubuntu I like this distribution: the packaging system
from Debian with less of the free-software activism.
Because the hardware
is quite new I'm going to give the 64-bit edition a try. I'd also like to use
the full 4G of memory. So: Ubuntu 8.04.1 Server LTS AMD64.
Hardware
New hardware:
- Mainboard: Asus m3a h/hdmi
- CPU: AMD Athlon x2 4850
- Memory: 4G PC4200 DDR2
- Powersupply: Enermax Modu82+ 525
Existing hardware:
- Harddisks
- Big tower case. Newer mainboards and IDE cables seem to dislike big cases:
I had trouble finding cables long enough to connect everything to everything.
Maybe I need a new case with a different layout.
UPS
The system is connected to an APC Back-UPS CS 350 with a USB cable. At first
apcupsd did not want to start, but browsing the
Known USB issues with apcupsd page showed that I needed to create
/etc/udev/rules.d/50-apcupds.rules with:
# match the hiddev device node apcupsd expects; '==' is udev's comparison
# operator, a single '=' would be an assignment
KERNEL=="hiddev*", NAME="usb/hiddev%n"
And now apcupsd works:
koos@greenblatt:~$ apcaccess
APC : 001,043,1036
DATE : Mon Jan 05 21:50:03 CET 2009
HOSTNAME : greenblatt
RELEASE : 3.14.2
VERSION : 3.14.2 (15 September 2007) debian
UPSNAME : greenblatt
CABLE : USB Cable
MODEL : Back-UPS CS 350
UPSMODE : Stand Alone
Powermanagement
The mainboard and power supply were chosen to save some power. Successful
choice: the UPS power usage has gone from 65-73 percent load to 42-45
percent.
CPU frequency scaling is handled by powernowd. All hard disks
are set up to spin down when not in use, using
hdparm -S 59 /dev/sda. The setting of 59 (4 minutes and 55 seconds)
is chosen because the hard disk
temperature stats are collected every 5 minutes.
Fixing wake-on-lan
The network interface in the system is an Attansic Technology Corp.
L1 Gigabit Ethernet Adapter. Wake-on-lan wasn't working for me until I asked
google nicely and found Ubuntuforums: Wake on LAN works on WinXP, but not Gutsy.
The driver from ftp://ftp.hogchain.net/pub/linux/attansic/kernel_driver/ does work and
makes wake-on-lan wake the card.
Network routing
The plan is to again let the home adsl arrive on one (vlan tagged) port and
connect the home wired and wireless networks to other (vlan tagged) ports,
all on one physical gigabit port. The atl1.ko driver has no problem with
vlan tagged packets.
IPv6
I get enough IPv6 space via a tunnel from my provider. Nowadays with a
recent kernel I can even use stateful firewalling for IPv6 with linux
ip6tables, so all outgoing traffic is allowed and only selected incoming
traffic is. I use radvd to enable IPv6 autoconfiguration on the internal lans.
IPv4
I only get one IPv4 IP, so network address translation has to happen for
internal machines. I use stateful firewalling (linux iptables) for getting
megabytes of logfiles of stupid attempts. Some protocols are firewalled
outgoing because they should never go out and would be a sign of something
terribly wrong on the inside network.
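The three sections above (VLAN routing, IPv6 and IPv4) describe one firewall policy: stateful, outgoing allowed, selected services reachable from outside, NAT for IPv4 only, and a few protocols blocked on the way out with logging. As an added example, not the page's own ruleset, here is a POSIX shell script that generates such a policy as iptables and ip6tables commands. It prints the rules rather than applying them so the policy can be read and checked without root; the VLAN interface names, the blocked egress ports and the exposed service ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the page's own firewall: a minimal stateful IPv4+IPv6
# ruleset generator. Interface names, blocked egress ports and exposed
# services are assumptions for illustration.
WAN="${WAN:-eth0.100}"    # assumed: ADSL arrives on VLAN 100 of the one gigabit port
LAN="${LAN:-eth0.10}"     # assumed: wired home LAN on VLAN 10
WLAN="${WLAN:-eth0.20}"   # assumed: wireless LAN on VLAN 20
# assumed: TCP ports that should never leave the house. Inside machines send
# mail through this server, so direct SMTP out, like SMB/NetBIOS, is a sign
# of a misconfigured or compromised machine: log it, then drop it.
EGRESS_BLOCK_TCP="${EGRESS_BLOCK_TCP:-25 135 137 138 139 445}"
# assumed: services this server offers to the outside (mail, web, nntp, imaps)
INBOUND_TCP="${INBOUND_TCP:-25 80 119 993}"

# fw_rules: print one iptables/ip6tables command per line; nothing is applied
fw_rules() {
    for ipt in iptables ip6tables; do
        icmp=icmp; [ "$ipt" = ip6tables ] && icmp=icmpv6
        echo "$ipt -F"
        echo "$ipt -P INPUT DROP"
        echo "$ipt -P FORWARD DROP"
        echo "$ipt -P OUTPUT ACCEPT"
        echo "$ipt -A INPUT -i lo -j ACCEPT"
        # stateful core: replies to connections the server or the inside started
        echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # ICMP is needed for path MTU discovery; on IPv6 it also carries
        # neighbour discovery and the router advertisements radvd sends
        echo "$ipt -A INPUT -p $icmp -j ACCEPT"
        echo "$ipt -A FORWARD -p $icmp -j ACCEPT"
        for lan in $LAN $WLAN; do
            # the inside networks may reach the server itself
            echo "$ipt -A INPUT -i $lan -j ACCEPT"
            # egress filter first, so it wins over the general allow below it
            for p in $EGRESS_BLOCK_TCP; do
                echo "$ipt -A FORWARD -i $lan -o $WAN -p tcp --dport $p -m limit --limit 6/min -j LOG --log-prefix 'fw-egress: '"
                echo "$ipt -A FORWARD -i $lan -o $WAN -p tcp --dport $p -j DROP"
            done
            echo "$ipt -A FORWARD -i $lan -o $WAN -m state --state NEW -j ACCEPT"
        done
        # selected services reachable from the outside
        for p in $INBOUND_TCP; do
            echo "$ipt -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        echo "$ipt -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT"   # DNS
        # anything else from outside is logged (rate limited, or the log fills
        # with the attempts the page mentions) and then hits the DROP policy
        echo "$ipt -A INPUT -i $WAN -m limit --limit 10/min -j LOG --log-prefix 'fw-in-drop: '"
    done
    # IPv4 only: a single public address, so inside machines are masqueraded.
    # No NAT for IPv6: every inside host has a global address from the tunnel prefix.
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# fw_apply: feed the generated rules to a shell that stops at the first error
fw_apply() { fw_rules | sh -e; }

if [ "${1:-}" = apply ]; then fw_apply; fi
```

Run it without arguments to review the rules (`sh fw.sh | less`) and with `apply` as root to load them; forwarding itself is switched on separately with the net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctls. The rules use `-m state`, which is what iptables of the Ubuntu 8.04 era provides; current releases spell the same match `-m conntrack --ctstate`.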
DHCPd
Simply a migration of the configuration from the old server. No surprises
here. Most systems get a fixed IPv4 address via dhcp (so they can roam to other
networks) and there are address pools on both the wired and wireless vlans.
Mail server: Sendmail
I prefer sendmail as MTA. On Ubuntu,
sendmail seems to work better out of the box than previous Debian experiences.
One thing I noticed was that sendmail was quite insistent on naming itself
greenblatt.koos.koffie.dot. This comes from the file
/etc/mail/m4/dialup.m4, so the solution was to edit
/etc/mail/sendmail.mc and comment out this include, like this:
dnl # Dialup/LAN connection overrides
dnl #
dnl # include(`/etc/mail/m4/dialup.m4')dnl
After that, the configuration I actually wanted:
dnl # General defines
define(`confDOMAIN_NAME',`kzdoos.xs4all.nl')
MASQUERADE_AS(`kzdoos.xs4all.nl')
FEATURE(`limited_masquerade')
FEATURE(local_procmail)
makes it into the generated sendmail.cf.
Lots of other names also point at this instance, all enumerated in
/etc/mail/local-host-names.
Delivery agent is procmail with the default rule to save mail in
$HOME/Newmail/ maildir style.
Mail virus scanning
Using clamav and clamav-milter, incoming mail gets scanned for
viruses. I disabled notifications to postmaster. I am a bit leery
because of the combination of uucp (yes, old style!) and this: I
could cause bounces with the virus attached, which can cause complaints
(virus sender!), which can cause one of the infamous mails from
abuse@xs4all.nl telling you your system is disconnected and maybe you
should scan your windows systems (the lies! the slander!) for
viruses. At least with nobodyreturn as part of my
confPRIVACY_FLAGS the chances of bouncing body parts (hehe)
should be small.
Courier imaps
Courier imaps is set up with a copy of the certificates so it knows
it is named koos.idefix.net and uses a certificate signed
by the idefix.net CA which I added in all mutt and thunderbird
setups that use this server. Config-file /etc/courier/imapd-ssl
has been set up with:
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Newmail
Mail notification at login
Interactive sessions like to know about their mail and have a valid
$MAIL variable. This is done using pam_mail.so
in /etc/pam.d/login and /etc/pam.d/ssh. Both now
have:
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so dir=~/Newmail/
On login I now see:
You have new mail in folder /home/koos/Newmail/.
Web server: Apache
I use the apache2 package from ubuntu together with libapache2-mod-php5.
Configuration of all virtualhosts lives in /etc/apache2/sites-available,
with all of them enabled through /etc/apache2/sites-enabled. Sites include:
And some internal only / private stuff.
Xinetd
Now trying xinetd for a change. Lots of configurable options. I enabled
finger (for internal use).
Webproxy
I am using squid version 3.1.0.2 to have IPv6 support. I use the xs4all
parent proxies, but I make sure I don't use them for IPv6 destinations.
Relevant part of squid.conf:
acl ipv6space dst 2000::/3
cache_peer_access proxzilla1.xs4all.nl deny ipv6space
cache_peer_access proxzilla2.xs4all.nl deny ipv6space
cache_peer_access proxzilla3.xs4all.nl deny ipv6space
cache_peer_access proxzilla4.xs4all.nl deny ipv6space
DNS server
With bind 9. I used the SIDN
nameserver check and zonecheck
to verify the zones. I found some stuff that worked but 'could be
done better' so I fixed it. The zonecheck tool has some checks I don't agree
with, and the nice thing is that it is possible to disable these tests in a
modified profile.
I also automated SOA serial number generation. It has bitten me once or twice
that I forgot to update a serial number, and both zonecheck tools prefer the
YYYYMMDDnn format, so I now use a simple SOA update script I found at work
and a Makefile around it. Just edit the zone files and a 'make reload'
will first update the serials of the changed zone files and issue the reload
afterwards.
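The script the page refers to is not shown, so as an added example (not the author's script) here is a POSIX shell implementation of the same idea: compute the next YYYYMMDDnn serial from the current one and rewrite it in place in a zone file. It assumes, as many zone files do, that the serial is the only all-digit field on the line carrying the comment "; serial"; the function names are my own. A Makefile like the one described would call bump_zone_serial on each changed zone file and then run the nameserver reload.

```shell
#!/bin/sh
# Added example, not the page's own script: bump a BIND zone's SOA serial in
# YYYYMMDDnn form. Assumes the serial is the only all-digit field on the
# line commented "; serial".

# next_serial CURRENT TODAY -> prints the next serial. If CURRENT is below
# today's first slot the result is TODAY01; otherwise it is CURRENT + 1, which
# keeps the serial increasing even after the 99th change of a day (it spills
# into the next day's range, which is still monotonic and so still valid).
next_serial() {
    cur=$1; today=$2
    floor="${today}01"
    if [ "$cur" -lt "$floor" ]; then
        echo "$floor"
    else
        echo $((cur + 1))
    fi
}

# zone_serial FILE -> prints the serial found in FILE, nothing if absent
zone_serial() {
    awk '/; *serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# bump_zone_serial FILE [TODAY] -> rewrites FILE with the next serial and
# prints it; returns 1 when FILE has no serial line. Note that awk rebuilds
# the edited line with single spaces, which zone file syntax does not mind.
bump_zone_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    cur=$(zone_serial "$file")
    [ -n "$cur" ] || { echo "$file: no '; serial' line found" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v new="$new" '
        /; *serial/ && !done {
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { $i = new; done = 1; break }
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# Usage: sh bump-serial.sh db.zone1 db.zone2 ... (the Makefile passes the
# zone files newer than the last reload); no arguments only defines the functions.
for f in "$@"; do
    bump_zone_serial "$f"
done
```

Because the serial is compared numerically, a zone that was edited by hand with a larger serial (or more than 99 times in one day) still gets a strictly larger value, which is the property the secondary nameservers care about.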
News
I use inn2 as newsserver. Mainly because I know and like inn2 and I exchange
a number of newsfeeds over IPv4 and IPv6 with other peers.
Little bug: /var/log/news/news.* isn't writable by syslogd.
That makes for quite boring daily usenet report mails. I want to
know every detail about the news flow!
Ubuntu bug 314107: /var/log/news/news.* not writable by syslogd
Timekeeping
With all the power saving, this seems to be the lousiest timekeeper ever:
Jan 5 09:31:44 greenblatt ntpd[32318]: time reset +2.278768 s
Jan 5 09:36:01 greenblatt ntpd[32318]: synchronized to 193.67.79.202, stratum 1
Jan 5 09:36:04 greenblatt ntpd[32318]: synchronized to 131.211.84.189, stratum 2
Jan 5 09:46:47 greenblatt ntpd[32318]: time reset +2.236329 s
Jan 5 09:52:58 greenblatt ntpd[32318]: synchronized to 80.127.4.179, stratum 1
Jan 5 09:53:19 greenblatt ntpd[32318]: synchronized to 193.79.237.14, stratum 1
Jan 5 09:53:42 greenblatt ntpd[32318]: synchronized to 131.211.84.189, stratum 2
Well, serious timekeeping is for the sundial project.
History
Koos van den Hout e-mail: koos@kzdoos.xs4all.nl