Virtualized Postfix Mail Server
This section will show you how to virtualize a mail server with OpenVZ. There are several advantages to virtualizing your mail server. One is the ability to backup the entire mail server by either using LVM snapshots, or by creating a compressed tar file. If nothing else this will give you peace of mind in knowing that you can drop the backup in place to have a working mail server in a very short period of time. Secondly, you will be able to place a host firewall in front of the mail server to provide an additional layer of security. You could even build a gateway mail server on the same machine. Third, OpenVZ will give you the ability to clone your mail server to create other mail servers within minutes. By cloning a mail server you can take it and drop it into another box and have a mail server running simply by changing IP, hostname and a few configurations in Postfix. Fourth, virtualization allows you modify the system resources on the fly so that you can increase required CPU, memory and disk space as is required by Postfix. This provides an opportunity to use the box for several other servers at the same time, thus saving you money.
Here is a description of OpenVZ and what it does from the website.
“OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated containers (otherwise known as VEs or VPSs) on a single physical server enabling better server utilization and ensuring that applications do not conflict. Each container performs and executes exactly like a stand-alone server; a container can be rebooted independently and have root access, users, IP addresses, memory, processes, files, applications, system libraries and configuration files.” http://wiki.openvz.org/Main_Page
Create the OpenVZ Host
The first task is to create the OpenVZ host which will hold the virtual servers that you create, including Postfix. The best option for an operating system for your host server is to use CentOS as OpenVZ is built upon Red hat Enterprise, but compatible with other distros.
Add OpenVZ to your yum repositories.
# cd /etc/yum.repos.d
# wget http://download.openvz.org/openvz.repo
# rpm –import http://download.openvz.org/RPM-GPG-Key-OpenVZ
Install the OpenVZ kernel. OpenVZ will only run if you install the kernel and boot to that kerne..
# yum install ovzkernel
Modify sysctl.conf so that it reflects these changes.
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Turn off SELinux.
Enable Conntracks for CTO
Enable conntracks for CT0, add the following line to /etc/modprobe.conf file:
options ip_conntrack ip_conntrack_enable_ve0=
Reboot the server and then add the tools needed for OpenVZ.
# yum install vzctl vzquota
# /sbin/service vz start
At this point you should have a working OpenVZ host. If you try to run OpenVZ commands and they do not work then it is probably because the OpenVZ kernel did not automatically boot. Specifically choose the OpenVZ kernel when you boot and it should be OK.
Once the OpenVZ host has been created it is imperative that you protect it from any form of attack because if the host is cracked the virtual servers will also be lost. There are several ways to minimize the access to the host server.
1. Use tcp_wrappers
2. Eliminate all unused services
3. Create a firewall that minimizes any access to the host
4. Only allow one SSH connection to the host
5. Use Port Scan Attack Detector