MT6 Virtual

Virtual Machines
During the course of building this mail system, we will rely upon the use of FreeBSD jails. However, any virtualization platform will work. If your organization is more familiar with Xen, VMware, or Hyper-V, please DO use them. They just won't be quite as efficient.

FreeBSD 10
Install the host OS from the FreeBSD-10.N-RELEASE-amd64-disk1.iso, where N is the latest available version. During the install, select the appropriate keyboard map (usually the default) and set the hostname. Disable all the optional installs and use an automatic ZFS-on-root file system. If you only have one disk, use the default stripe method. Enable the boot time services ssh, ntpd, and powerd. After installation and reboot, update the system with the latest security updates:

freebsd-update fetch install
portsnap fetch extract

Add a user account (adduser), install sudo (run pkg once to bootstrap the package manager, then pkg install sudo), edit sudoers and add an entry for your user (visudo), and log in via SSH, which provides a much better interface for managing the server than the Xen/VMware/Hyper-V console.

NTPd
It is very important for mail systems to have their time accurate. If you didn't during the OS install, enable the built-in ntpd daemon.

echo 'ntpd_enable="YES"' >> /etc/rc.conf
echo 'ntpd_sync_on_start="YES"' >> /etc/rc.conf
/etc/rc.d/ntpd restart

For the security paranoid, install openntpd from ports instead.

disable network services that bind to *
echo 'syslogd_flags="-ss"' >> /etc/rc.conf
service syslogd restart

echo 'sendmail_enable="NO"' >> /etc/rc.conf
service sendmail restart

Edit /etc/ssh/sshd_config and set the ListenAddress directive to the primary IP address of the jail host. Then restart sshd:

service sshd restart
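After the three changes above, the only way to be sure nothing on the jail host still answers on every address is to look at the listening sockets. The script below is an added example, not part of the MT6 page: it filters sockstat(1) output (on FreeBSD, sockstat -4 -6 -l) for listeners whose local address is the wildcard. The embedded sample output is constructed to look like sockstat's format and is not from a real host.

```shell
#!/bin/sh
# Added example (not from the MT6 page): report every listening socket that is
# bound to the wildcard address ("*:port"), i.e. reachable on all interfaces.
#
# Live use on FreeBSD:   sh wildcard_listeners.sh --live
# Without --live it runs against the constructed sample below.

# Constructed sample in the layout of `sockstat -4 -6 -l` (columns:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     sendmail   790   4  tcp4   127.0.0.1:25          *:*
root     syslogd    602   6  udp4   *:514                 *:*
root     ntpd       700   20 udp4   *:123                 *:*
root     ntpd       700   21 udp4   127.0.0.1:123         *:*'

# wildcard_listeners: read sockstat-style text on stdin and print
# "proto local-address command" for each listener bound to "*:<port>".
# The header line (NR == 1) is skipped; $6 is the local address column.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $5, $6, $2 }'
}

# count_wildcard_listeners: number of wildcard listeners on stdin, as a bare
# integer, convenient for a pass/fail check in a hardening script.
count_wildcard_listeners() {
    wildcard_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    sockstat -4 -6 -l | wildcard_listeners
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
fi
```

On the sample input the script lists sshd on *:22, syslogd on *:514 and ntpd on *:123; after the steps in this section the sshd and syslogd lines should disappear from a real host (ntpd listening on the wildcard is its default and is what the pf rules in the next section sit in front of).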

set up networking for all jails
fetch -o /etc/start_if.lo0 http://www.tnpi.net/computing/freebsd/start_if.lo0.txt
sh /etc/start_if.lo0
echo 'nat on em0 from 127.0.0.1/8 to any -> (em0)' >> /etc/pf.conf
echo 'pf_enable="YES"' >> /etc/rc.conf
/etc/rc.d/pf restart

Here em0 is the host's external network interface; substitute your own interface name in the NAT rule.

install jail.conf
fetch -o /etc/jail.conf http://www.tnpi.net/computing/freebsd/jail.conf.txt
echo 'jail_enable="YES"' >> /etc/rc.conf
fetch -o /usr/local/sbin/jail_manage http://www.tnpi.net/computing/freebsd/jail_manage.txt

configure base jail
Now we'll create our first 'base' jail, that we'll use as a template for all future jails:

zfs create -o mountpoint=/jails zroot/jails
zfs set dedup=on zroot/jails
zfs create zroot/jails/base
bsdinstall jail /jails/base

At the conclusion of the install, I disable all the enabled services for this 'base' jail.

configure from the host
mkdir /jails/base/usr/ports
cd /jails/base/etc
cp /etc/localtime .
echo 'WITH_PKGNG=yes' >> make.conf
echo 'WRKDIRPREFIX?=/tmp/portbuild' >> make.conf
echo 'sendmail_enable="NONE"' >> rc.conf
echo 'cron_flags="$cron_flags -J 15"' >> rc.conf
echo 'syslogd_flags="-ss"' >> rc.conf
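Every rc.conf change on this page is made with echo ... >> rc.conf, which appends a new line each time a step is re-run; the last assignment wins when rc.conf is sourced, so the system still behaves, but a file with three sendmail_enable lines is hard to audit. FreeBSD ships sysrc(8) for exactly this (for example sysrc -f /jails/base/etc/rc.conf syslogd_flags="-ss"). The script below is an added example, not from the MT6 page: a portable POSIX sh equivalent that replaces an existing variable or appends it, so the same step can be run twice and leave one line. The rc.conf contents it works on are constructed in a temporary directory, not a real host file.

```shell
#!/bin/sh
# Added example (not from the MT6 page): idempotent rc.conf-style assignment.
# set_rc_var FILE NAME VALUE replaces an existing NAME=... line or appends
# one; VALUE is written double-quoted, matching the page's own style.
set_rc_var() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # Rewrite through a temp file, touching only the matching line.
        awk -v n="$name" -v v="$value" '
            index($0, n "=") == 1 { print n "=\"" v "\""; next }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_rc_var FILE NAME prints the value of the last NAME= line, quotes removed,
# which mirrors what sh sees after sourcing the file.
get_rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Demonstration on a constructed rc.conf fragment in a scratch directory.
demo_rc_conf() {
    dir=$(mktemp -d)
    rc="$dir/rc.conf"
    printf '%s\n' 'hostname="mail.example.com"' 'sendmail_enable="YES"' > "$rc"
    set_rc_var "$rc" sendmail_enable NONE   # replaced in place, not duplicated
    set_rc_var "$rc" syslogd_flags "-ss"    # appended
    set_rc_var "$rc" syslogd_flags "-ss"    # second run changes nothing
    cat "$rc"
    rm -rf "$dir"
}

demo_rc_conf
```

The demonstration ends with exactly three lines: the untouched hostname, sendmail_enable="NONE", and a single syslogd_flags="-ss". Point set_rc_var at /jails/base/etc/rc.conf to use it for the base jail settings above.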

configure within the jail
service jail start base
jail_manage base
pkg install vim-lite sudo portmaster
portmaster -a
exit

snapshot the base jail
service jail stop base
zfs snapshot zroot/jails/base@10.0