LAMMP Web, or App Server Setup
Note: Ubuntu 14.04 and 16.04 were used, but this should work on most Debian-based systems, and the RedHat/CentOS (yum install) approach follows very closely as well.
This is less of a blog post and more of a how-to, brought about by recent activities on AWS. Using MSMTP in particular was a new discovery, since it allows php.ini's sendmail_path directive to point at MSMTP instead of sendmail for sending mail from a LAMMP server. This means that you don't need to run Postfix on the server in order to relay mail. You can simply configure an SMTP email account such as noreply@yourdomain.com, and that is the account from which all mail from your app server will be sent.
Running Postfix as a relay comes with other hoops to jump through, and MSMTP removes all of those for an easy app server setup. Be aware that Postfix is pulled in as a dependency of the mailutils package, so be ready to deal with Postfix being installed if you go that route.
I recommend that once you have this LAMMP server set up, you save off a snapshot (known as an AMI in AWS) so you don't have to EVER do it again.
Amazon Web Services will give you a free "micro" instance for a year. So go check it out! Build the app server, then host your own WordPress web site, for free, for a year. As for email server administration, further server hardening, and DNS setup in AWS (otherwise known as Route 53, because DNS lookups typically happen on port 53), those are good topics for a later date.
However, if you have an SMTP email account, it can be used to send all emails from your web site. This setup works with your existing SMTP email service provider to seamlessly allow emails to be sent from any form plugins for WordPress (or other CMS). It can also simply be done in PHP with the built-in mail function. Additionally, the command line mail command should work too, as demonstrated at the bottom of the page.
sudo su                     # become root
apt-get update              # update repos
apt-get install screen      # ... Y and wait
screen                      # start screen so you're not stuck; Ctrl+A,D detaches so you can do other admin work

# INSTALL PRE-REQS
apt-get upgrade             # ... Y and wait, or use Ctrl+A,D and come back to check when it's done (screen -R to resume)
apt-get install gnustep-gui-runtime
apt-get install mailutils git gettext texinfo    # note: mailutils pulls in Postfix as a dependency

# INSTALL MYSQL
apt-get install mysql-server mysql-client    # install DB; make sure to set and store the mysql root password
mysql_install_db                             # initial mysql setup
mysql_secure_installation                    # secures the mysql install; prompts for the mysql root password

# INSTALL APACHE
apt-get install apache2
a2enmod rewrite    # enable the rewrite module used by WordPress; also edit apache2.conf and set AllowOverride All so .htaccess files are honoured

# INSTALL PHP
apt-get install software-properties-common   # provides add-apt-repository on minimal installs
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install libapache2-mod-php5.6

# ADD PHP MODULES
apt-cache search php5.6-    # to see any other php modules that may be needed by the app, then apt-get install them
# FOR EXAMPLE (adjust as needed)
apt-get install php-apcu php-gettext php-mbstring php-auth php-doc php-codesniffer php-geoip php-imagick php5.6-intl php5.6-mcrypt php5.6-mysql php5.6-curl php5.6-gd php5.6-dev

# PHPMYADMIN - TODO: configure advanced features to enable routines and advanced relations views
apt-get install phpmyadmin    # install phpmyadmin (choose apache2 and NO to dbconfig-common)

# NEXT edit the apache2 config files
vim /etc/apache2/mods-enabled/dir.conf    # (nano if no vim); move index.php to the front of the DirectoryIndex list
service apache2 restart                   # restart/reload apache2 any time you touch a config file

# A BIT OF HARDENING; GO HERE FOR MORE: https://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/
dpkg-statoverride --update --add root sudo 4750 /bin/su    # limit su access to the sudo group only
# fail2ban needs to be configured, see source 5 for solid instructions
apt-get install xtables-addons-common iptables-persistent fail2ban

# HERE WE BLOCK KNOWN HACKER COUNTRIES IN OUR FIREWALL
cd /usr/local/src/
/usr/lib/xtables-addons/xt_geoip_dl    # downloads the GeoIP csv files (may have to unzip?)
apt-get install libtext-csv-xs-perl
mkdir /usr/share/xt_geoip
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
iptables -m geoip --help    # to test that the geoip match loads
iptables -A INPUT -m geoip --src-cc KR,CN,IN,RU,SA,TR,VN,UA,BR,VE,PK,JP,DE,IT -j DROP    # -A appends, so this lands after any ACCEPT rules already in INPUT
iptables-save > /etc/iptables/rules.v4    # make sure to save them so they are restored on start-up after reboot
# see next script
The php sendmail_path directive in your php.ini (php.ini typically lives in /etc/phpX/apache2/php.ini, where X may or may not be a version number) should look as follows. Of course, change what comes after -C to reflect where you want the per-host config to live, but for a single host running in the default spot, this will do. Configure this after running the next script, so that the /etc/msmtprc file already exists when PHP first hands a message to msmtp.
sendmail_path = /usr/bin/msmtp -C /etc/msmtprc -t
Next, copy and paste the following script to a file named setup-msmtp-for-smtp.sh (or whatever you want) and run it. It will prompt you through the msmtp setup. This example uses GoDaddy; mileage may vary for other SMTP hosts, and you may find that you have to adjust it for your needs. There are no guarantees on any of this, so use and run at your own risk.
#!/bin/bash
# Sending emails using smtp and msmtp on ubuntu (original https://gist.github.com/JosefJezek/6194563)
# bash rather than sh: the prompts below use read -p/-s, which dash's read does not support
sudo apt-get update -q
sudo apt-get install msmtp-mta ca-certificates heirloom-mailx -yq

if command -v zenity >/dev/null; then
  ACCOUNT=$(zenity --entry --title="Smtp account name" --text="Enter the isp's name:")
  SMTP_HOST=$(zenity --entry --title="Smtp hostname" --text="Enter your smtp server's hostname (mail.myhost.com):")
  SMTP_PORT=$(zenity --entry --title="Smtp port" --text="Enter your smtp server's port (25):")
  SMTP_USER=$(zenity --entry --title="Smtp username" --text="Enter your smtp username with domain (username@host.com):")
  SMTP_PASS=$(zenity --entry --title="Smtp password" --text="Enter your smtp password:" --hide-text)
else
  read -p "Smtp account name (e.g., godaddy): " ACCOUNT
  read -p "Smtp hostname: " SMTP_HOST
  read -p "Smtp port (25): " SMTP_PORT
  read -p "Smtp username with domain (username@host.com): " SMTP_USER
  read -s -p "Smtp password: " SMTP_PASS    # -s: don't echo the password to the terminal
fi
echo # an empty line

if [ -z "$ACCOUNT" ]; then echo "No account given. Exiting."; exit 1; fi
if [ -z "$SMTP_HOST" ]; then echo "No smtp server given. Exiting."; exit 1; fi
if [ -z "$SMTP_PORT" ]; then echo "No smtp port given. Exiting."; exit 1; fi    # TODO: validate integer
if [ -z "$SMTP_USER" ]; then echo "No email user given. Exiting."; exit 1; fi
if [ -z "$SMTP_PASS" ]; then echo "No email password given. Exiting."; exit 1; fi

sudo tee /etc/msmtprc >/dev/null <<__EOF
# Accounts will inherit settings from this section
defaults
auth on
tls on
# tls_certcheck off skips verification of the relay's certificate; if your provider's
# certificate validates, set it to on and uncomment tls_trust_file instead
tls_certcheck off
# tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log

# A simple smtp host email address setup
account $ACCOUNT
host $SMTP_HOST
port $SMTP_PORT
from $SMTP_USER
user $SMTP_USER
password $SMTP_PASS

# Set a default account as ours
account default : $ACCOUNT
__EOF

sudo touch /var/log/msmtp.log
sudo chown www-data:www-data /var/log/msmtp.log
sudo chmod 600 /etc/msmtprc                 # msmtp refuses a config holding a password unless only its owner can read it
sudo chown www-data:www-data /etc/msmtprc   # apache/php sends as www-data, so that user must own it

HOST=$(hostname)
sudo mail -vs "Email relaying configured at ${HOST}" $SMTP_USER <<__EOF
The msmtp service has been configured to use host '${HOST}'.
__EOF
echo "Test email sent to $SMTP_USER"
echo "Please check your inbox."
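The two files this how-to leaves behind, /etc/msmtprc from the script above and the sendmail_path line in php.ini, are where a relay misconfiguration would hide, so here is an added check for both, written for this page and not part of the original post or of msmtp itself. It audits a copy of the generated config for the weak settings it contains (tls_certcheck off, a clear-text password, loose file permissions), confirms php.ini really points mail() at msmtp with -t, and writes a hardened variant that keeps certificate checking on and reads the password at send time through msmtp's passwordeval option. It assumes GNU find and grep as shipped on Ubuntu; the smtp.example.com host, the isp account name and the secret file path are constructed placeholders, and nothing here contacts a server or touches /etc.

```shell
#!/bin/bash
# Added example (not from the original post): audit the msmtp and php.ini
# settings this how-to produces and write a hardened /etc/msmtprc variant.
# Assumes GNU find/grep (Ubuntu). Paths are parameters so it can be run
# against copies; no real relay is contacted.

# Return 0 if the file is exactly mode 0600 (msmtp itself rejects a config
# holding a password that is group- or world-readable).
is_mode_0600() {
    [ -n "$(find "$1" -maxdepth 0 -perm 0600 2>/dev/null)" ]
}

# Audit an msmtp config file. Prints one finding per line and returns the
# number of findings, so 0 means nothing to fix.
audit_msmtprc() {
    f="$1"; n=0
    is_mode_0600 "$f" || { echo "perm: $f is not mode 0600"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$f" \
        || { echo "tls: not enabled, credentials would cross the wire in clear"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*tls_certcheck[[:space:]]+off' "$f" \
        && { echo "tls_certcheck: off, the relay's certificate is never verified"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*tls_trust_file[[:space:]]+[^[:space:]]' "$f" \
        || { echo "tls_trust_file: not set"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*password[[:space:]]+[^[:space:]]' "$f" \
        && { echo "password: stored in clear text in the config (prefer passwordeval)"; n=$((n + 1)); }
    return "$n"
}

# Return 0 if php.ini hands mail() to msmtp with -t (recipients taken from
# the message headers), as the post's sendmail_path line does.
php_uses_msmtp() {
    grep -Eq '^[[:space:]]*sendmail_path[[:space:]]*=.*msmtp.*[[:space:]]-t([[:space:]]|$)' "$1"
}

# Write a hardened msmtprc beside the post's version: certificate checking
# on, the system trust store named, and the password read at send time via
# passwordeval from a secret file readable only by the sending user
# (www-data when PHP is the caller) instead of sitting in the config.
write_hardened_msmtprc() {
    out="$1" account="$2" host="$3" port="$4" user="$5" secret="$6"
    ( umask 077; cat > "$out" <<EOF
# Accounts inherit from this section
defaults
auth on
tls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log

account $account
host $host
port $port
from $user
user $user
passwordeval cat $secret

account default : $account
EOF
    )
}

# Demo on constructed files (run as: bash audit-msmtp.sh demo).
demo() {
    d=$(mktemp -d)
    # constructed copy of what the post's script writes, with its 600 perms left off
    printf 'defaults\nauth on\ntls on\ntls_certcheck off\n# tls_trust_file /etc/ssl/certs/ca-certificates.crt\naccount isp\nhost smtp.example.com\npassword hunter2\naccount default : isp\n' > "$d/weak"
    chmod 644 "$d/weak"
    echo "== constructed copy of the post's config"; audit_msmtprc "$d/weak"
    printf 's3cret\n' > "$d/secret"; chmod 600 "$d/secret"
    write_hardened_msmtprc "$d/good" isp smtp.example.com 587 noreply@yourdomain.com "$d/secret"
    echo "== hardened variant"; audit_msmtprc "$d/good" && echo "no findings"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run against the real files as root (audit_msmtprc /etc/msmtprc; php_uses_msmtp /etc/php/5.6/apache2/php.ini or wherever your php.ini lives) once the script above has finished; the demo mode only exercises constructed copies.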
Further steps to take would be to harden it using ModSecurity for Apache, as well as a few others. The blog entry linked in the hardening section of the script above is a great resource on hardening Ubuntu Server.
Note
- You can also use SSMTP in place of MSMTP.
Doc Version 1.1
Revision History
- 1.1 – Updated Jan. 4, 2017 – Updated to reflect the new repository (ppa:ondrej/php) and PHP 5.6 instead of PHP 5. Added php-gettext and php-mbstring to the default php package list to satisfy phpmyadmin's dependencies. Now works with Ubuntu 16.04.