I’ve got a server running Fedora 12 that I don’t want to upgrade yet (the current Fedora is 14 as of the date of this article). I handle a fair amount of incoming mail on this box, and I have Postfix configured to block all the incoming mail coming from non RFC-compliant SMTP servers, servers relaying through dynamic IP addresses, and servers on popular DNS blacklists. These three measures successfully block more than 98% of all incoming spam.

In an attempt to eat into that last 2%, I decided to add some server-side SPAM scanning on the server. And as long as I’m going through the effort to do that, I figured it was very little additional effort to also scan incoming messages for viruses at the same time.

The current “holy trinity” of anti-SPAM and virus tools are:

• SpamAssassin: a widely used and highly configurable SPAM checking program.
• Clam AntiVirus (aka ClamAV): an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
• Amavisd-new: a high-performance interface between mailers (like Postfix) and content checkers (like ClamAV and SpamAssassin). It essentially links Postfix with external content checking applications.

I came across this article at Fedora Unity and used it as my guide starting at Step 5 (I also ignored the grey listing steps). I was able to get everything working almost perfectly. The only thing I needed to add to get things working properly was explained in this article – I needed to manually create and set permissions on a directory for the clamd.pid file.

Configuration files locations were:

• Amavis-new: /etc/amavisd/amavisd.conf
• SpamAssassin: /etc/mail/spamassassin/local.cf
• ClamAV: /etc/clam.d/amavis.conf (yep – that’s not a typo)
• FreshClam: /etc/sysconfig/freshclam and /etc/freshclam.conf

I also chose to use DCC in SpamAssassin, so I needed to download and compile DCC from here, as well as enable it as explained here.

Here’s my current SpamAssassin local.cf file:

required_score          4.0
report_safe             0
rewrite_header          Subject [SPAM]
use_bayes               1
bayes_ignore_header     0
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
dcc_path                /usr/local/bin/dccproc
use_pyzor               1
whitelist_from          *@mypersonaldomain.com

# Custom Rules
urirhssub       URIBL_BLACK  multi.uribl.com.        A   2
body            URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe        URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags          URIBL_BLACK  net
score           URIBL_BLACK  3.0

urirhssub       URIBL_GREY  multi.uribl.com.        A   4
body            URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe        URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags          URIBL_GREY  net
score           URIBL_GREY  0.25

and here are the important sections of my amavisd.conf file:

$sa_tag_level_deflt  = '-9999';  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 15.0;  # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 15.0;   # spam level beyond which a DSN is not sent

Anyone else using this post should adjust these values based on their preferences. You may want higher or lower thresholds for spam marking, blocking, etc.

Amavis-new with OpenDKIM and Postfix

If you’re running OpenDKIM and Amavis-new through Postfix on the same server (and you probably should), then in order to prevent OpenDKIM from signing your messages twice, you’ll need to add the no_milters option to one of the sections you added to Postfix’s master.cf file when setting up Amavis-new. Find the section:

127.0.0.1:10025 inet n  -       n       -       -  smtpd

and add no_milters at the end of the receive_override_options line, so that it looks like this:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Then restart Postfix and Amavis-new.

Related posts:

1. How to use Address Tagging (user+tag@example.com) with Postfix
2. Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora)
3. Fixing Postfix “certificate verification failed for gmail untrusted issuer” Error Message

Step 1: Install VNC on the Remote Fedora 12 Box

There are many VNC servers available for Fedora. The TigerVNC server package may have been installed by default on your Fedora 12 box when you installed the OS, but to make sure, become root (or sudo) and type:

yum install vnc-server

If it’s already installed, Fedora will let you know. If it’s not, it will be now!

Step 2: Configure Screen Resolutions, Port Number, and Users on the Remote Fedora 12 Box

The /etc/sysconfig/vncservers file controls which users are allowed to access your Fedora box via VNC, as well as what ports they will connect to, and what screen resolutions each of those users will use when connecting. As root (or with sudo), open the /etc/sysconfig/vncservers file with your favorite text editor and find the lines at the bottom that look something like this:

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"

VNCSERVERS="2:clyde"
VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp"

Step 3: Configure the VNC Desktop Environment and Password

For the next step, you should be logged in to your Fedora box as the user whose desktop you’ll want to access. If you’re already logged in as root, and your username is clyde, type:

su - clyde

The hyphen is important, as it will load the local path for clyde, which we’ll need for the next step. Now type:

vncserver

This will run the vncserver program, and will set up default versions of the necessary desktop environment files for whichever user ran the program (in this case, clyde).

The first time you run this, you’ll be prompted for a password. This will be your VNC password, which you’ll use to connect to your remote desktop. This can be different than your Linux account password, if you choose. If you ever want to change your VNC password, just type vncpasswd while logged on as the user whose password you want to change.

The newly created files will be in  the .vnc directory under the user’s home directory (for our example, /home/clyde/.vnc). Using your favorite text editor, edit the /home/username/.vnc/xstartup file.

Go to the bottom of the file, comment out the twm & line, and then add a line that tells VNC to start your desktop of choice. If you want a GNOME desktop, the last two lines should read:

# twm &
startx &

If you prefer a KDE desktop, they should read:

# twm &
startkde &

Step 4: Start the VNC Server Service

To start and stop services, you’ll need to be logged in as root. Make sure any previous instance of vncserver service is stopped by typing:

service vncserver stop

It’s OK if you get a FAILED message in reply. That just means that the server wasn’t running.

Start the service with all the settings you’ve entered with:

service vncserver start

You should get a success message that says something like:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2

Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log

Step 5: Configure Firewall Settings

If you have the Linux Firewall turned off on your Fedora 12 box, you can skip this step.

If you’re using the built-in firewall on your Fedora 12 box, you’ll need to tell it to allow incoming connections on the port you set up in Step 2 above. The number(s) you used in the VNCSERVERS= line(s) of the /etc/sysconfig/vncservers file determine which port numbers VNC will listen on. Our example used VNCSERVERS=”2:clyde”, which means you’d need to open port 5902 in your firewall. If you set up other users and/or other ports, then you’ll need to open those as well: 1=port 5901, 2= port 5902, 3=port 5903, etc.

To add the appropriate port(s) to your firewall, edit the /etc/sysconfig/iptables file and add the following line:

 -A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

If you’re using additional ports for VNC, add a separate line for each.

The following line should already appear somewhere in your /etc/sysconfig/iptables file, but if it isn’t there for some reason, now is a good time to add it so you can connect to your VNC server securely in a later step:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Once you’ve added the appropriate line(s), restart your firewall with:

service iptables restart

Step 6: Configure Router Port Forwarding

If your network lives behind a router (and most home-based broadband users’ networks do), and you only want to access your Fedora 12 desktop from inside the same local network, then you don’t need to mess with port forwarding on your router and can skip to the next step.

If the only way you plan on connecting to your Fedora 12 desktop over the Internet is via a secure SSH tunnel (which is what I recommend), then you’ll need to verify that you’ve properly forwarded port 22 (the default SSH port) on your router to the internal IP address of your Fedora 12 box. If you’re able to SSH into your Fedora 12 box from outside your router, then you’ve already got things forwarded properly. Check your router’s instructions (or the instructions for your router’s firmware if you’re using something like DD-WRT or Tomato) on how to set up port forwarding.

If you would like to connect to your Fedora 12 desktop over the Internet without a secure SSH tunnel (and I would recommend doing this only for testing and troubleshooting purposes and only when first getting things set up), then you’ll need to forward the appropriate VNC port(s) from your router to your Fedora 12 box (we used port 5902 in our example). Again, this is recomended only for testing purposes, as it is not a secure connection.

Step 7: Install a VNC Client on Windows

Because it’s lightweight, stable, supports the secure connection we’ll be setting up in a minute, and completely FREE, I recommend TightVNC client, which can be downloaded here. But there are many other good VNC clients available out there, including RealVNC, and an interesting one called Terminals, which allows you to set up multiple tabs in one application with both Windows RDC and Linux VNC connections, kind of like tabs in your Web browser.

So download and install the VNC client of your choice.

Step 8: Connect to your VNC Server

Open your VNC client and connect to the appropriate IP address of your Fedora 12 box and the port that you chose in /etc/sysconfig/vncservers.

If you’re connecting from inside your network and the IP address of your Fedora 12 box is 192.168.1.100, then to connect to port #2 as in our example, you’d connect to 192.168.1.100:5902.

If you’re connecting from outside your nework and want to connect to port #2 as in our example, then use your WAN IP and VNC port instead, as in 222.33.444.55:5902.

You’ll be prompted for the VNC password you set up in an earlier step, and the desktop you configured in /home/username/.vnc/xstartup should display.

If you are unable to connect, go back and carefully re-check each step. It’s probably a very simple typo or a small thing you forgot.

Step 9: Connect to your VNC Server with SSH Tunneling

Now that you know your VNC server is running properly, it’s time to secure things. This isn’t necessary when connecting to your Fedora 12 box via VNC inside a trusted network. But if you want to connect over the Internet, you really should take this extra step, which will only take a couple of minutes to configure.

First, you’ll need a Windows SSH client. I use SecureCRT (which is a commercial app with a free trial period), but you can also do it easily with a very popular freeware Windows SSH client called PuTTY.

The idea behind SSH tunneling is to establish a secure SSH connection between your Windows box and the remote Fedora 12 box, and then “tunnel” the VNC connection through your SSH connection. Don’t worry… it’s much easier than it sounds.

In SecureCRT: create a new connection to the IP address or hostname of your remote Fedora 12 box (or the external IP address of the router if you’re connecting from outside the local network). Under the Connection category, set the protocol to SSH2. In the SSH2 sub-category, use port 22, and be sure to use the username on the Fedora 12 box that you configured in /etc/sysconfig/vncservers (in our example, it was clyde). In the Port Fowarding sub-category, hit Add…, enter a descriptive name for the forwarded connection (such as VNC), then put the port number that corresponds to the number you set up in /etc/sysconfig/vncservers for that username in both port fields (in our example, both would be 5902). None of the checkboxes need to be selected. Save your new connection, then click Connect. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

In PuTTY: enter the IP address or hostname of your remote Fedora 12 box (or the external IP address of the router if you’re connecting from outside the local network). Click the + next to the SSH sub-category, then click Tunnels. Enter the port number that corresponds to the number you set up in /etc/sysconfig/vncservers in the Source port field (in our example, it would be 5902), then enter localhost:5902 (or a different port if applicable) in the Destination field, then click on Add. Scroll up and click on the Session category. Type in a name for the session in the Saved Sessions field then press Save. Click Open to establish the connection. A terminal window should appear, and you’ll be prompted for your username and password. Use your Fedora account username and password (which may be different than the VNC password you set up).

You’ve essentially told your SSH client to “listen” for local connections to port 5902 on localhost (your Windows box), and then tunnel those connections over to port 5902 on the remote host (your Fedora 12 box) using your secure SSH connection.

Once your SSH connection is established (whether by SecureCRT, PuTTY, or some other client), open your VNC client viewer and connect to localhost:5902. The VNC client should establish the connection, prompt for the VNC password (which may not be the same as your Fedora account password), and then display the remote desktop.

Step 10: Securing Things and Tidying Up

To finish securing your VNC server, there are a few final steps you should take.

First, exit your VNC client (you can just close it), then exit your SSH tunneling session by typing exit from the command prompt. Re-connect to your Fedora 12 box with a standard (non-tunneling) SSH connection and become root. Edit the /etc/sysconfig/vncservers file and add the -localhost option to the VNCSERVERARGS line, so that it reads:

VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"

This option tells the VNC server not to accept remote connections from VNC clients without a secure tunnel.

Restart the VNC server with this new option by typing:

service vncserver restart

Next, if you forwarded port 5902 on your router (or any other ports for your VNC server) for testing purposes in Step 6 above, now would be a good time to undo that forwarding. You don’t need those ports forwarded anymore now that you’ve got SSH tunneling working. You do, however, still need the VNC ports open on your Fedora box’s firewall, so keep any /etc/sysconfig/iptables changes you made while setting up VNC.

Optional Step: Starting Multiple VNC Sessions

If you’d like to start multiple instances of the VNC server on your Fedora box, you can simply edit your /etc/sysconfig/vncservers file. Multiple instances are helpful if you want to allow multiple users to connect to the Fedora box via VNC. You can also set up multiple profiles for the same user, which is useful if you want to allow the same user to access the Fedora box from multiple  remote systems that may have different screen resolutions.

If you’d like to set up an additional user (we’ll use joe in this example), your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:joe"

VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Notice that the VNCSERVERS= line has both users listed on the same line. This is important so that when the vncserver service starts, it will start for all users listed. Add a separate VNCSERVERARGS= line for each new user, along with whatever arguments you want. Note also that by using the #3, your VNC server will now also be listening on port 5903 for that user, so set up your firewall, tunnel, and/or VNC client appropriately to listen and/or forward all the ports you want to use.

If you’d like to set up multiple profiles for the same user, your /etc/sysconfig/vncservers file should include:

VNCSERVERS="2:clyde 3:clyde"

VNCSERVERARGS[2]="-geometry 1024x768 -nolisten tcp -localhost"
VNCSERVERARGS[3]="-geometry 800x600 -nolisten tcp -localhost"

Now when clyde connects to the VNCSERVER on port 2 5902, he’ll get 1024×768 desktop. If he connects on port 5903, he’ll get a separate login instance on a separate desktop at 800×600. It’s possible to be connected to both ports at the same time, and have two different desktops running.

Be sure to do a service vncserver restart after making any changes to /etc/sysconfic/vncservers. You should see output from all instances being started, such as:

Starting VNC server: 2:clyde
New 'server.hostname:2 (clyde)' desktop is server.hostname:2

Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:2.log

3:clyde
New 'server.hostname:3 (clyde)' desktop is server.hostname:3

Starting applications specified in /home/clyde/.vnc/xstartup
Log file is /home/clyde/.vnc/server.hostname:3.log

Congratulations!

You’ve successfully set up your remote Fedora box to accept VNC connections securely. Enjoy your new Windows to Fedora 12 VNC connection!

(To give credit where credit is due, this article was very helpful when I was trying to set up VNC on my system for the first time)

UPDATE: If you’re trying to set up VNC on an RHEL 5.5 or a CentOS 5.5 box, I’ve made a new blog post that walks you through a couple additional steps.

Related posts:

1. How to Set Up VNC from Windows to Fedora 14 Over the Internet
2. Dual Boot Windows 7 and Fedora 12 Linux with Dell Utility and Recovery Partitions
3. Set up VNC on RHEL 5.5 / CentOS 5.5

The laptop is a Dell Studio 1737 (why didn’t they call it 1337?) which came pre-installed with Windows Vista Home Premium. The drive is 320 GB, which Dell had pre-partitioned into three partitions:

1. Dell Utility Partition (82 MB FAT 16-bit)
2. Dell Recovery (16 GB NTFS)
3. OS (304 GB NTFS)

First, I did a full install of Windows 7 64-bit from DVD. I kept the Dell Utility and Recovery partitions intact, and installed Win7 on the OS partition.

After the installation was complete, I used the built-in Disk Management tool in Windows 7 to shrink the OS partition, so I could make some space for the Fedora Linux install. To do this, hit Start, right-click Computer, and select Manage. The Disk Management tool is in the Storage category. I selected the OS partition, right-clicked, and then selected Shrink Disk Volume. It took a few minutes for the system to run a query to see how much space was available for shrinking. The more fragmented your drive, the less space you have available to shrink your partition.

After the query, the system asked me to enter the amount of space to shrink in MB. This is the same as asking you how big you want the new unallocated space to be, which is the same as asking how much space you want to make available for your Linux installation. I chose a nice round number like 100000 (approx 100 GB), and hit Shrink.

It wasn’t a super-fast operation, but it took much less time than I thought it would. After the shrink, I had 105 GB of unallocated space. That’s more than enough for a comfortable Fedora 12 install, but I’m a fan of overkill. One thing that surprised me is that Win7 didn’t prompt me to reboot after the shrink!

Next, I popped in my Fedora 12 Live CD and rebooted (I needed to hit F12 at the BIOS post screen to tell the system to boot from the CD). Once the Fedora desktop was up, I logged in as the Live User, connected to the wireless network, and selected the Install to Disk option on the desktop. I told the installer where I wanted Linux installed (the unpartitioned space) and also checked the button that allowed me to review the partition layout. Everything was fine by default.

I installed the Bootloader on /dev/sda, which is the default. Keep in mind that this will overwrite the Windows bootloader, but I didn’t care. I’d rather have GRUB handle the booting, thank you. After the install was complete, I rebooted to see if everything worked.

I assumed that the Fedora install would recognize the Windows 7 install and automatically add it to the GRUB boot menu. I was half right. When the GRUB screen appeared and I hit the space bar to see my boot options, I had one line with FC12 and a second line that just said “Other.” Assuming that to be Windows 7, I selected it and hit ENTER. Then I got a black screen telling me that no boot manager was present, and that I needed to hit CTRL+ALT+DEL. Clearly, I’d done something wrong.

Not one to panic, I rebooted and selected Fedora as my operating system. I inspected the /boot/grub/menu.lst file, and saw the following:

title Fedora (2.6.31.5-127.fc12.i686)
root (hd0,4)
kernel /vmlinuz-2.6.31.5-127.fc12.i686 ro root=/dev/mapper/vg_studio-lv_root noiswmd LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /initramfs-2.6.31.5-127.fc12.i686.img
title Other
rootnoverify (hd0,0)
chainloader +1
Hmmm… I realized that GRUB might be trying to boot the Utility Partition instead of the Windows 7 OS one. To verify this, I ran the fdisk -l command as root and saw the following:

Device Boot Start End Blocks Id System
/dev/sda1 1 10 80293+ de Dell Utility
/dev/sda2 11 1969 15728640 7 HPFS/NTFS
/dev/sda3 1969 26165 194360320 7 HPFS/NTFS
/dev/sda4 26166 38913 102398310 5 Extended
/dev/sda5 * 26166 26191 204800 83 Linux
/dev/sda6 26191 38913 102193151+ 8e Linux LVM

Yep! It was trying to boot Windows from /dev/sda1, which is referred to as hd(0,0) in the menu.lst file. Since zero is the first number in Linux systems, that technially means “first hard drive, first partition.” I wanted the first hard drive, but the third partition, so I edited the /boot/grub/menu.lst file so that the last three lines read:

title Microsoft Windows 7 (64-bit)
rootnoverify (hd0,2)
chainloader +1


This makes the title that appears on the boot screen more informative, and tells GRUB to boot from the third partition on the first hard disk.

One more reboot, to test, and everything worked fine! I’ve now got a Windows 7 / Fedora 12 dual-booting laptop with the Dell Utility and Recovery partitions intact!

Related posts:

1. How to Configure or Reset a DRAC II Easily with a DOS Boot Disk
2. Enabling Desktop Effects on Fedora 12 with ATI Radeon HD 3650
3. Set up VNC from Windows to Fedora 12 Over the Internet