Subject: Setting up a secure Red Hat Linux 9 web/mail server...
Category: Computers > Operating Systems
Asked by: aaronox-ga
List Price: $50.00
Posted: 15 Mar 2004 12:01 PST
Expires: 14 Apr 2004 13:01 PDT
Question ID: 316979

Bear with me, I will try to give as much background info as possible. I have signed on for a 6 month contract at my local hosting provider to co-locate my web server there. It's a 2x800 P3 VA Linux 2U server.

I installed RH9 and used the "server" options, along with unchecking as many of the services and apps that I didn't think I would need (as best as I could understand). This includes things like X11, print services, samba, etc. I downloaded Bastille Linux and ran that, and answered to the best of my ability. The firewall it set up works, I tested it with a portscan and it only showed web, ssh, and ftp, and mail. (25? I think) That's as far as I went with security. I installed MySQL and PHP. The two things I have left on my list are Webmin and Squirrelmail.

Now, I am your basic PHP/MySQL developer and while I have had experience working in a unix environment, I have always been the "user". For the last 6 years I have been hosting from 5-10 clients using my shared hosting account at Pair Hosting. I am transferring to my own box so I can escape the extra fees and have my own box to play with. The crux of the matter is that I have these clients to support, and I need to make sure I can provide 24/7 uptime and email service for them that equals what we were getting from Pair. I want to make sure I do this right since now there are about 25 people depending on me for their email to work. Preferably I would like advice from a server admin based on personal experience.

So here are my questions:

How do I go about setting up mail? The hosting facility provides a DNS server, but I need to provide smtp and pop mail. Is webmin the best way to set this up? What are the basic parts of mail service, and which applications are the best to use (ie. sendmail)? Rather than get a range of options, I would like what is generally considered the most secure option (I would hate it if I found out my box is sending spam).

I'm confused about how to handle user accounts. I think I'm supposed to set up a new user for each website/client and put their web directories inside their home directory. Is this required? I would rather just put all the sites in the same root folder and if somebody needs access, give them locked ftp access to that one folder. Do I need separate accounts to correlate with the mail accounts? ie. Can I set up mail accounts separate of user accounts?

I know some of my clients use the squirrelmail IMAP webmail. I would like to use this also to access my mail remotely. Is there anything I need to know before setting this up, any requirements and any tips?

I'm confused about DNS and domains. I know I will need to change all my domains' DNS to the facility's server, but how do I go about setting up domains on my box? Is webmin the best way to do this? What about subdomains and things like domain aliasing?

General security: I would really like to feel somewhat safe when I plug in the Cat5. I did the Bastille, and I'm not going to run telnet, but what else should I know to keep people out? Should I be watching certain logs? How common are break-ins, and how do you deal with them? I'm also concerned with the people at the hosting facility that have direct access to my box. How easy is it for them to get in and read my email or whatever? I feel like they look at me as a newbie, and will want to crack my box the second I walk out the door...

The answer I'm looking for would basically be an overview of the best practices for a reliable and secure RH9 web and mail server. In addition to links to other tutorials, I have the price at $50 so I can get some direct advice. Thanks in advance.

There is no answer at this time.

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: zorka-ga on 17 Mar 2004 18:46 PST

Based on the fact that you don't have a lot of experience running a server and you have 5-10 clients I would highly highly highly suggest that you investigate purchasing a control panel package for your server. There are several to choose from, the big three players are Cpanel (www.cpanel.net), Ensim (www.ensim.com), and Plesk (they were bought out, do a Google search to find them). Most web hosting companies, even the one I run, utilize one of these panels to provide all of the features that our customers want so we do not have to get involved every time a user wants to change a password, or add a new user. Pretty much most all web hosting companies utilize one of these control panels. I would say to investigate which one you think is cheapest for your needs and go from there.

FYI, you can lease a server for about $99 a month that includes one of these panels on it and you don't have to have your own hardware. With the number of customers you have you may not be able to make much money depending on what you are charging.

Another option which is MUCH safer is just to become a reseller of domains. A lot of PHP developers like yourself do this and it is perfectly fine. For example we have a reseller account whereby you pay a flat fee and you can host as many domains as you like based on the amount of hard drive space and bandwidth you allocate per domain. Just another thought you may want to consider if you don't want the risk.

Bottom line is get a control panel, and I am not talking about webmin as it doesn't do multiple domain hosting and provide the tools your users are going to want. Trust me, as I started out hosting users on a server without a control panel in my earlier years and it just about drove me crazy.

Hope my input helps.

Keith

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: aaronox-ga on 18 Mar 2004 08:54 PST

I have been comparing all these control panels and I think I'm going to try it with just webmin to start. I would probably try cpanel or plesk if they were cheaper. As it is, I'm willing to start with webmin and see how far it can take me.

My old hosting account was a reseller, but only 1 of my clients actually needed to connect with ftp, but certainly not maintain their own site. In fact on my server I am going to try and keep just 1 account (mine) at the user level. I don't foresee ever needing to allow shell access.

I am not sure about the multiple domains in webmin - I do need multiple domains but it seems like it has that capability - I will look into that.

Thanks for the input,
Aaron

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: seanmcadam-ga on 29 Mar 2004 11:11 PST

First off, RedHat 9 will not be supported at the end of next month, there will be no further patches against it from RedHat. So a newer distro might be appropriate. I personally like WhiteBoxlinux.org, it is a derivative of RedHat Enterprise 3.0, and so it should be supported for the next few years.

1) How do I go about setting up mail?

What kind of mail do you plan on running, sendmail or postfix? Webmin will let you configure this but having dealt with RedHat mail servers for quite a while there are many issues that might come up to bite you later. How many domains, and users do you expect to have to maintain? RedHat does not make virtual email boxes easy to set up on the server without third party software... (at least as far as I can tell)

2) I'm confused about how to handle user accounts

There are many choices here. What type of access will your users require? Shell, ftp, SFTP? How well do you trust your users to have direct access to your server? Will the user and email accounts be the same? All of these things will impact your decision(s). A couple people have mentioned that you can use a control-panel-like application to take care of this. I would say that a control panel is a good option for most services, but it will cost you money. What are your parameters on spending money to ease your administrative burdens?

3) I know some of my clients use the squirrelmail IMAP webmail

Squirrelmail and an IMAP should work seamlessly together. I do it all the time. I have noted that squirrelmail is a bit flaky at times, but for the most part seems to work well enough.

4) I'm confused about DNS and domains.

I'm confused about the question, you need to be a bit more specific. Are you planning on having your Linux server be the authoritative DNS server for your client's domains? Or is the question relating to how your Linux server will resolve domain names that it needs to look up on the Internet?

5) General security

This is a very detailed area, and would require a lot of time to go over. In general (from what I hear) Bastille is a good project, and it probably did secure your box. However how do you know what it did? One problem with security products is that if you do not know what they are doing for you, and what the risks are, how do you know if you are really (more) secure.

I can say from experience that I have not had (a detected) break in on any of my servers in several years by following some simple steps: remove extraneous programs/packages, don't let users have direct access to the server if possible, lock down all the ip ports (incoming and outgoing) except for the ones required for the regular functioning of the server. (It looks like you have done most of these already)

"Security is a state of mind not a product" as the old saw goes. Making sure you are secure is an ongoing process. And sometimes it is a "learn the hard way" process. I know, I've learned...

If you are not running a GUI front end on your server (and a collocated server does not require one, and it would just eat up resources otherwise) there are several packages installed by default on a redhat distribution that you can remove.

Get a newer distro of linux, one that will be supported. RedHat sells Enterprise server subscriptions, and whiteboxlinux.org will give you a free version of almost the same thing. One comes with a number you can call, the other you have to download off the net yourself and deal with. There are many others out there, you have to choose according to your tastes. Just keep one thing in mind, when you choose you have to live with it for a long time...

As for the physical security of your server you can put a password on the boot prompt and not let them boot your system into single user mode with the password. However when you have a problem with your machine, and time is of the essence, it sure would be nice if they could login for you and quickly check things out for you while you sweat it out on the phone. Are you really worried your provider will mess with your server? If you are you should consider your options for another place. There has to be some level of trust there.

In short what you are asking for is a tremendous amount of knowledge to be simplified into a nice neat summary. There are many full time systems administrators whose sole function is to do exactly what you are asking for, although they probably deal with more servers than one. This is part of what I have been doing for 10 years in some form or another, and there is a huge number of things to be aware of. Webmin and other control panels are tools, they help you get things done faster and more efficiently, but when things break, under the veneer of these tools, you still have to know how to fix them. Learn the command line, and what is really happening on your machine. Then you will have a more complete understanding and control over your server.

I would suggest that you make friends with, or find an admin for hire, (someone you can trust) that can address these issues for/with you. You will be in a much better situation when something breaks and your clients are breathing down your neck to get their email, or have their website functional again. Beyond that learn as you go to become more self reliant.

Also you are asking the right questions about how you should handle your server, my hat's off to you for trying to do the right thing. I wish more people would. Bad admin practices give us all a bad name.

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: hellanger-ga on 30 Mar 2004 21:55 PST

Honestly, I would consider another distribution of linux to make a server that would be directly connected to the internet. You should install Gentoo on your server. This distribution is quite hard to start setting up because you have to start from scratch but 10 times more secure than any other distribution and you won't have to deal with RPM HELL. With gentoo you have only the programs you want to have. So there won't be any useless services running in the background that can cause security flaws.

Here is the installation procedure:
http://www.gentoo.org/doc/en/handbook/handbook.xml?part=1

When this is done you just type the command "emerge" with the name of the program you want to install and you'll get the latest version. What's nice also with this distribution is that you can customize your kernel and your flags at the beginning of the install and you'll get an install customized for your CPU which will speed up your computer about 10 to 25 %. (Everything is detailed in the installation)

As for the mail server I would go for QMail. This is a really stable mail server that had just a few vulnerabilities compared to any other mail server. Hardest to configure but best security.

Here is the installation guide:
http://www.skunkworx.org/guides/QmailOnGentoo.txt

As for Php/Apache/Mysql ... They are a piece of cake to install like usual ! :P

ex : emerge mysql

And you're in business ...

For configuring your Web/Mail/SQL/ftp/DNS servers you should probably read a little more on each service and do the configuration directly to the config file. Webmin is more a newbie tool for ex-Windows users, so I would not recommend that... Some Webmin config can result in security flaws. Although if you have some databases to create and you don't want to do it all by hand try the Mysql Command Center which is the only configuration tool I would recommend because sending SQL statements to create databases is a pain in the a...

I hope I helped you a little bit in making your decisions...

Steve

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: ash2ash-ga on 31 Mar 2004 13:55 PST

I would use Debian + Apache 1.3~ + exim + MySQL + wu-ftp and would start reading the mail lists :-)))

Why don't you try step by step - let's say first setup and configure the OS and the firewall, then the web server (should be easy), the e-mail server (I had two days on this :-D) and so on and so on ...

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: aaronox-ga on 01 Apr 2004 02:51 PST

I'm glad I'm getting some good opinions.. I see now my question is very broad and would be quite difficult to answer in its entirety. I have decided to just work through the issues as they come, and start slowly with the server, starting with my website and adding clients when I feel comfortable.

Everyone has their own opinion about distributions. I've had experience with Redhat before and have been quite pleased with 9.0 so far. Far be it from RPM hell, I've had little trouble installing all the packages I need. And during the setup process I was careful not to install anything I didn't need.

As far as building Gentoo from scratch.. that may be the best way but that doesn't even come close to answering my question. The qmail instructions you linked were about 20 pages. I have a business to run and clients to answer to and I don't have time to spend 6 months learning how to build an installation from scratch - my server is going up in less than 2 weeks. Though I look forward to learning all I can and upgrading my server in the future, presently I just need stuff that works.

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: liliafan-ga on 01 Apr 2004 10:19 PST

Hi

I will try and answer your questions to the best of my ability:

1) How do I set up mail.

My advice would be to go with postfix + courier-imap. Postfix works fairly well out of the box; you need to do minor modification to the configuration file, but it is a very good mail server, it is built on sendmail with security added. The link below goes to the postfix website and gives instruction on how to set up correctly; it also includes a redhat FAQ. Basically it should work out of the box, just alter the domain information, pay special attention to avoiding becoming an open relay server.

http://www.postfix.org/docs.html

Courier-imap (http://www.inter7.com/courierimap.html) is a great imap mail server, it is very easy to configure and has a small memory footprint, it also works great with Squirrelmail (I use this configuration on my home mailservers). The configuration is pretty easy; to get a basic howto on setting it up:

http://buffy.riseup.net/software/courier-imap.txt - Okay but not detailed
http://www.flatmtn.com/computer/Linux-Imap-Courier.html - Pretty good

2) I'm confused about how to handle user accounts

Apache by default contains the code in its configuration file to create a webpage in a user directory, usually under the folder Public_html or something similar. This is a good method to use in my opinion, it keeps your directory trees nice and neat and allows you to better maintain things; however, if you wish to move it from the user's directory it is a simple matter of changing the specified directory in the httpd.conf file to another location ie: /var/www/<username>/

Regardless, the best method (only method?) of hosting another domain would be virtual hosting, ie you want to host somesite.com at the same location as yoursite.com. You use VirtualHost directives to set this up; you can get a lot more information on these at:

http://httpd.apache.org/docs/vhosts/index.html

I believe the httpd.conf file should contain examples of a virtual host near the bottom. Using this method you hard code the location of the webroot ie: /var/www/sites/theirsite.com/

3) I know some of my clients use the squirrelmail IMAP webmail

Not really, squirrelmail is a fairly easy webmail client to set up, just make sure that postfix, courier-imap, apache, and php are in place first. I would also download the most recent version and use that if I were you; it comes with all the documentation you will need to set it up, in easy steps.

4) I'm confused about DNS and domains

I think you said your provider provided DNS for you? If this is the case just set all your DNS in their interface or request them to set DNS to point to your box, using whichever method they provide. For mail you can set the domains in the postfix configuration file; it is all fairly straightforward if you read through the FAQ link I provided. In terms of web domains, this is the easiest thing in the world: once DNS is pointing to your machine you simply need to add the virtual host directives I mentioned above, apache will then do the rest. When a request is made to a domain that has the DNS pointed at your box apache will provide the pages pointed at in the Virtual Host sections ie:

    <VirtualHost *>
        ServerName www.theirdomain.com
        DocumentRoot /var/www/theirdomain.com
    </VirtualHost>

    <VirtualHost *>
        ServerName www.theotherdomain.com
        DocumentRoot /var/www/theotherdomain.com
    </VirtualHost>

The 2 examples above will deal with the 2 domains listed in ServerName. Let's say apache is set by default to use yourdomain.com, it will still serve pages to theirdomain.com and theotherdomain.com so long as the VirtualHost directives are set and the DNS points to your machine.

If I am mistaken and your provider does not deal with DNS and you have to do this yourself then you may have a problem if you only have 2 weeks to do this in. DNS is a big beast and will take a while to learn how to do. I would recommend purchasing the O'Reilly book DNS and Bind ISBN 1-56592-512-2, and reading that, but I warn you now bind is fairly complicated and if not set up correctly it will stop everything else working.

5) Webmin

Webmin is very easy to set up, not much explanation would be needed here, but by using it you will find it a lot easier to set up VirtualHosts in apache, and postfix for multiple domains.

6) General security

Bastille is a good product, it certainly helps with security, but the thing to remember is that security is an ongoing concern. Bastille will help harden your box but bastille alone will not help much. I would recommend you pay attention to basics: good solid security on passwords, especially root, change the passwords frequently, use a mix of alphanumeric characters, upper and lowercases, and non-alphanumeric characters. Don't type your passwords in plaintext, make sure permissions are kept fairly tight on the machine.

In the longer term I would purchase a book on Unix security and read through it. Having a fairly hardened box is a lot better than most, but still purchase a good book, you will pick up tips that you may wish to implement at a later date on your machine.

I would also consider installing a portscanner, a good one which I use is portsentry (http://linux.cudeso.be/linuxdoc/portsentry.php), it will detect people attacking common ports and block access if it is configured correctly.

As a general rule of thumb, security cannot be taught, it must be learnt. Unfortunately there are a lot of crackers out there that would like to attack your machine. By using basic security methods you can thwart most of these attempts; however, a determined cracker will always get through, so it is wise to prepare for the worst. If possible get a tape drive to back up your machine on a regular basis in case your machine is broken into, that way you can restore the last backup. Use a filesystem scanner like aide (http://www.cs.tut.fi/~rammer/aide.html) to run through the machine daily to check for any alterations to the filesystem, pay attention to minor things, high load when there shouldn't be a high load (top, uptime), pay attention to the uptime of your machine (uptime), pay attention to which users are on (who), scan through your logfiles on a daily basis.

Most of the above are very general tips but I would definitely recommend taking time to learn as much about security as possible.

I hope this helps.

Regards
Ben
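
An added example, not part of the thread and not Postfix's own tooling: one way to check a main.cf for the open-relay mistake warned about in item 1 of the comment above, assuming the Postfix 2.x layout of the period, where relay control sits in smtpd_recipient_restrictions. The function name audit_main_cf and the two sample configurations (weak_main_cf, fixed_main_cf) are constructed for illustration.

```shell
# Added example, not from the thread: flag main.cf settings that let
# strangers relay mail through the server. Reads main.cf text on stdin.
audit_main_cf() {
    awk '
    /^[ \t]*#/ { next }                    # comment line
    /^[ \t]*$/ { next }                    # blank line
    /^[ \t]/ { if (name != "") val[name] = val[name] " " $0; next }  # continuation
    {
        eq = index($0, "=")
        if (eq == 0) { name = ""; next }
        name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
        val[name] = substr($0, eq + 1)     # a later definition replaces an earlier one
    }
    END {
        # Check 1: which clients are trusted to relay anywhere.
        # An explicit mynetworks list overrides mynetworks_style.
        if ("mynetworks" in val) {
            s = val["mynetworks"]; gsub(/,/, " ", s); n = split(s, t, " ")
            for (i = 1; i <= n; i++)
                if (t[i] ~ /\/0$/) { print "FAIL mynetworks trusts every address: " t[i]; found++ }
        } else {
            style = ("mynetworks_style" in val) ? val["mynetworks_style"] : "(unset)"
            gsub(/[ \t]/, "", style)
            if (style != "host") {
                print "WARN mynetworks_style=" style ": may trust other machines on the colo subnet"
                found++
            }
        }
        # Check 2: restrictions are evaluated left to right, so a bare
        # "permit" ahead of the relay guard accepts mail for any destination.
        # An unset parameter is left alone (the built-in default is used).
        if ("smtpd_recipient_restrictions" in val) {
            s = val["smtpd_recipient_restrictions"]; gsub(/,/, " ", s)
            n = split(s, t, " "); state = "none"
            for (i = 1; i <= n && state == "none"; i++) {
                if (t[i] == "permit") state = "open"
                if (t[i] ~ /^((reject|defer)(_unauth_destination)?|check_relay_domains)$/) state = "guarded"
            }
            if (state == "open") {
                print "FAIL smtpd_recipient_restrictions: blanket permit before reject_unauth_destination"; found++
            } else if (state == "none") {
                print "FAIL smtpd_recipient_restrictions: no reject_unauth_destination"; found++
            }
        }
        if (!found) print "PASS no relay-opening settings found"
    }'
}

# Constructed sample: relay left open in two different ways.
weak_main_cf() {
    cat <<'EOF'
myhostname = mail.example.com
mynetworks = 127.0.0.0/8,
    0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit,
    reject_unauth_destination
EOF
}

# Constructed sample: the corrected settings.
fixed_main_cf() {
    cat <<'EOF'
myhostname = mail.example.com
mynetworks_style = host
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
EOF
}

echo "== weak (constructed) ==";      weak_main_cf  | audit_main_cf
echo "== corrected (constructed) =="; fixed_main_cf | audit_main_cf
```

On a live server the same function can be fed the real file, for example `audit_main_cf < /etc/postfix/main.cf`.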

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: aaronox-ga on 03 Apr 2004 21:25 PST

Ben,

VERY HELPFUL, THANK YOU!

I got Webmin up and it was very easy to add Postfix. I will try out Courier. The domain situation is now much clearer, thank you! Apache handling everything is much easier than I expected. (my isp is doing the DNS)

It seems obvious now, but I did not have any plans for backups. While I do have backups of site contents, knowing that I can probably set up something to backup people's mailboxes is just a huge relief. If I can get those systems working then I'm going to sleep better. If something does go wrong, I've learned enough that I won't have fear erasing everything and starting over with backups. Maybe I could try a different distro by then.

I will keep learning as I go about security, but I'm feeling much more confident already.

Thanks again,
Aaron

Subject: Re: Setting up a secure Red Hat Linux 9 web/mail server...
From: liliafan-ga on 07 Apr 2004 11:04 PDT

Aaron

I am glad my comment was helpful. If you are interested in performing backups, I would suggest trying to find a tape drive, a good place to look is ebay. I don't know enough about your hardware or budget to recommend a particular drive, other than to say if you have SCSI capability in the box get a SCSI drive, the bandwidth is higher than IDE and parallel.

If you decide to get a tape drive, these 2 sites are a pretty good reference on how to set up the backups:

http://hr.uoregon.edu/davidrl/tape.html
http://www.csb.yale.edu/userguides/sysresource/offline/tapetips_linux.html

Hope this helps and good luck with your business.

Ben