FreeBSD is a modern and capable operating system (OS) which can be both robust and easily manageable when used in an office or a workgroup server environment. It supports the whole range of cutting-edge Open-Source technologies, which makes using it a completely pleasant and well-featured experience. The latest FreeBSD release, 10.0, delivers a bunch of improvements which increase both the performance and usability of this fine operating system.
We have prepared a workshop which aims to teach users with minimal knowledge of FreeBSD, step by step, how to install and configure a usable office server from scratch. This server is intended to provide office workers or collaborators with a modern central point for sharing data, which they can trust and rely on in their daily work.
Its main features will be document sharing, collaboration and E-mail. The various tasks of the server will be handled by different standard Open-Source tools: Samba and the built-in FreeBSD Network File System (NFS) server for serving files in the local network, ownCloud for sharing files across the public Internet, Apache and PHP for serving web applications, Postfix for the SMTP server and Dovecot for the E-mail server. We will also add a webmail interface to our server using RoundCube, and finally we will protect the server with tools such as ipfw and sshit.
First Step: Installing FreeBSD
Starting with the previous major release of FreeBSD (9.0), the Operating System can be installed with a new installer which supports more of its new technologies than its predecessor. At the same time, it offers more manual configuration options for expert users.
Since the tutorial is about deploying a server, the hardware configuration on which the system will be installed is assumed to contain two Hard Drives (HD), which will be mirrored in software using FreeBSD’s GEOM_MIRROR facility. The usage of two drives for the server is a common compromise between reliability and cost, and the same can be said about using Software RAID instead of a Hardware RAID controller. For a small office server, generic desktop drives of suitable capacity (e.g. 1.5 TB or 2 TB) are a fine choice, but “enterprise-class” drives are not that expensive and can be worth seeking out, if only because they usually have more mature firmware and disabled on-drive write caching.
This initial step of the process is the only one which requires a small detour from the default installation process, in which the required kernel module for GEOM_MIRROR is loaded and the RAID volume is created. The rest of the installation process is smart enough to recognize such manually created devices and can use them to create partitions and file systems.
Our setup will use the default FreeBSD file system, which in the most recent version is a variant of the UFS2 file system with soft-updates journaling enabled. For those who are experienced with Linux, the characteristics of this file system (very) loosely correspond to ext4 with the data=writeback option enabled. An alternative file system for FreeBSD could be ZFS, which is one of the options presented in the installer but marked as experimental, and for this reason it will be covered only briefly.
The New Package Manager
The traditional way of installing software on FreeBSD (and many other Unix-like operating systems) is by compiling source code. The BSD systems have evolved infrastructure (the ports collections) which makes this much easier and offers somewhat advanced features such as dependency tracking, but practical daily use of ports still requires expert knowledge that is not required by the more streamlined Linux systems. Though the ports can be used (and regularly are used) to build binary packages, these packages were until recently both much less flexible and rarely built, which made them an inferior choice compared to ports.
Finally, the recent version of FreeBSD (V10.0) brings in a modern binary package manager called “pkg”, with a new infrastructure and a new approach to binary packages. They are no longer second-class citizens of the FreeBSD userland but a fully supported and maintained way of managing software, for the most part removed from the quirks of using ports. The package manager is steadily improving and can now deal with most of the situations which arise in daily use (such as dependency issues), and the default package repository for FreeBSD contains almost all software available in ports. Being prebuilt with default options, the binary packages are still less flexible than ports, but strategies to reduce the difference in flexibility are actively under development.
Though the new package manager is called “pkg” (also called “pkg-ng”, but that name is now obsolete), it does not share code with other software of the same name, most notably the one from Solaris. Unusually for a BSD, the package manager is itself NOT a part of the base system, but is installed seamlessly on first use.
Local File Sharing with Samba
Samba is the famous Open-source project which brings compatibility with Microsoft’s file sharing technologies to non-Windows operating systems. It is an important project which receives regular updates and is maintained to be compatible with the latest Windows variants. The latest version of Samba can act as an Active Directory Domain Controller, which expands its capabilities and opens up new use cases. Samba under FreeBSD works mostly out of the box, but requires some moderate tuning to be as high-performing as the users expect it to be.
Local File Sharing with NFS
The Network File System (NFS) is the preferred local file sharing protocol between Unix-like systems, mostly due to its ubiquitous presence in such systems and the relative simplicity of its operations. Consequently, it is worth using only between such systems, as it is usually poorly suited to truly heterogeneous environments. FreeBSD’s native NFS server and client are well supported and fairly high-performing, and require minimal configuration and no third-party software to get running.
Apache and PHP For Web Applications
The combination of the Apache web server and the PHP programming language is the most common web application infrastructure on the Internet. The large volume of applications written in PHP and the relative simplicity of their setup / installation make it attractive for the office server. Indeed, all other web applications which will be covered by this tutorial are written for PHP and will be powered by this very setup. A very important aspect of running a web server today is SSL / TLS, a protocol which provides end-to-end encryption used in HTTPS. The part of the workshop dealing with Apache will also cover creating and submitting an SSL certificate request, as well as its installation.
File Sharing and Collaboration over The Internet With ownCloud
While Samba and NFS are perfectly suitable for sharing files in the local network (e.g. within an office or in a company), they were not created for sharing files over the wider Internet. They lack the flexibility and security properties needed in the global environment with unknown users and unreliable connectivity. The recently prominent Open-source project “ownCloud” will be used in our configuration to provide file sharing and collaboration across the Internet. It is a powerful tool which consists of several applications, and file sharing is just one of the options that it supports. Among its basic features, it supports shared contacts and calendar, and a Dropbox-like desktop file synchronization utility, but it also supports adding third-party applications and extensions which greatly increase its usability.
E-mail Servers With Postfix and Dovecot
The E-mail system used today relies on two types of protocols: for routing E-mail to and between E-mail servers, and for retrieving E-mail from those servers. The protocol of the first type is the Simple Mail Transfer Protocol (SMTP), implemented (among other products) by Postfix. There are several protocols of the second type, but the most feature-rich and the most popular today is IMAP, implemented (also, among other products), by Dovecot.
An important part of running an e-mail server is spam protection. This is a topic which can get very complex very quickly, but the workshop will guide you through basic antispam measures which include acceptance rules for the SMTP server and the SpamAssassin software for active e-mail scanning.
WebMail with RoundCube
E-mail is traditionally accessed by desktop software (e.g. Thunderbird, Windows Live Mail, eM Client or Zimbra Desktop) but using a web-based application is becoming increasingly convenient because it doesn’t require additional software installation and the web can be accessed through corporate and hotel firewalls.
RoundCube is a web application written in PHP which can act as an IMAP client and present all the E-mail available on the server in a modern and pretty web-based user interface.
Protecting The Server With ipfw and sshit
As the server in this tutorial contains services intended to be used over the Internet, appropriate effort needs to be made to ensure both the server and its services are resilient to the common attacks which are a matter of course on the open Internet.
FreeBSD’s default firewall is ipfw, with an easy and straightforward syntax and optional stateful packet inspection. A good (and always welcome) addition to it is the sshit package which blocks brute-force attacks over ssh.
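The split described above (Samba and NFS for the local network only, web and mail reachable from the Internet) can be written down as a stateful ipfw ruleset. The following is an added example, not part of the original workshop material; the port lists, the rule numbers and the LAN range passed in are assumptions.

```shell
#!/bin/sh
# Added example: print an ipfw rules file for the office server described above.
# Assumptions (not from the original page): the port lists below, and that the
# office LAN is given as an IPv4 CIDR such as 192.168.1.0/24.

PUBLIC_TCP="22,25,80,443,143,993"   # ssh, SMTP, HTTP/HTTPS, IMAP/IMAPS
LAN_TCP="111,139,445,2049"          # rpcbind, Samba, NFS
LAN_UDP="111,137,138,2049"          # rpcbind, NetBIOS, NFS
# NFS also needs mountd; pin it to a fixed port and add that port to both lists.

gen_rules() {
    lan="$1"
    # Refuse anything that does not look like an IPv4 CIDR, so a stray "any"
    # can never expose Samba/NFS to the Internet.
    case "$lan" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "usage: gen_rules <lan-cidr>" >&2; return 1 ;;
    esac
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 check-state
add 400 allow tcp from me to any setup keep-state
add 410 allow udp from me to any keep-state
add 420 allow icmp from any to any icmptypes 0,3,8,11
add 1000 allow tcp from any to me dst-port ${PUBLIC_TCP} in setup keep-state
add 2000 allow tcp from ${lan} to me dst-port ${LAN_TCP} in setup keep-state
add 2010 allow udp from ${lan} to me dst-port ${LAN_UDP} in keep-state
add 65000 deny log ip from any to any
EOF
}

# Print the rules when called with a LAN CIDR, e.g.: sh mkrules.sh 192.168.1.0/24
if [ $# -gt 0 ]; then gen_rules "$1"; fi
```

The output is in the form ipfw reads from a file given as its pathname argument. Every inbound rule is stateful, and the final rule logs and drops whatever was not explicitly allowed.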
The goal of this tutorial is to teach users with moderate experience in any Unix-like system to install and deploy a quality office server with common applications and services. To ensure this, the tutorials of the workshop will cover not only how something is done but also why it is done, and this will also be reflected in the final test.
Ivan Voras is a FreeBSD developer and a long-time user, starting with FreeBSD 4.3 and throughout all its versions’ history. On the practical side, he is a researcher, system administrator and a developer, as the opportunity presents itself, with a wide range of experience from hardware hacking to cloud computing. He is currently employed at the University of Zagreb, Faculty of Electrical Engineering and Computing and currently lives in Zagreb, Croatia. You can reach him through:
English Blog: http://ivoras.net/blog | Croatian Blog: http://hrblog.ivoras.net/