{"id":824810,"date":"2025-07-06T22:05:33","date_gmt":"2025-07-06T22:05:33","guid":{"rendered":"https:\/\/adpca.org\/?page_id=824810"},"modified":"2025-07-06T22:26:59","modified_gmt":"2025-07-06T22:26:59","slug":"installing-basic-services","status":"publish","type":"page","link":"https:\/\/adpca.org\/zh\/installing-basic-services\/","title":{"rendered":"\u5b89\u88c5\u57fa\u672c\u670d\u52a1"},"content":{"rendered":"<h2 class=\"wp-block-heading\">\u5b89\u88c5\u57fa\u672c\u670d\u52a1<\/h2>\n\n\n\n<p>\u672c\u6587\u6863\u5c06\u6307\u5bfc\u4f60\u8bbe\u7f6e\u6838\u5fc3\u670d\u52a1\u3002\u5b83\u57fa\u4e8e\u5b89\u88c5\u5728\u865a\u62df\u670d\u52a1\u5668\u4e0a\u7684 AlmaLinux 9\u3002\u670d\u52a1\u5668\u4e3b\u673a\u6709\u9632\u706b\u5899\uff0c\u8fd9\u4f7f\u5f97 firewalld \u6210\u4e3a\u591a\u4f59\uff0c\u56e0\u6b64\u4ed6\u4eec\u5728\u5b89\u88c5\u65f6\u7981\u7528\u4e86\u5b83\u3002\u4e3b\u673a\u8fd8\u7981\u7528\u4e86 SELinux\uff0c\u56e0\u4e3a\u5b83\u4f1a\u5bfc\u81f4\u95ee\u9898\u3002\u4e0d\u8fc7\uff0c\u6211\u66f4\u559c\u6b22\u540c\u65f6\u4f7f\u7528\u8fd9\u4e24\u4e2a\u529f\u80fd\uff0c\u6240\u4ee5\u8fd9\u4e9b\u8bf4\u660e\u91cd\u65b0\u542f\u7528\u4e86\u5b83\u4eec\u3002<\/p>\n\n\n\n<p>\u5b8c\u6210\u6b64\u8bbe\u7f6e\u540e\uff0c\u60a8\u5c06\u62e5\u6709\u4e00\u4e2a\u5b8c\u5168\u6700\u65b0\u7684\u7cfb\u7edf\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5b89\u88c5\u7684 EPEL \u8f6f\u4ef6\u6e90<\/li>\n\n\n\n<li>\u5df2\u5b89\u88c5 SELinux \u5e76\u5728\u8bb8\u53ef\u6a21\u5f0f\u4e0b\u8fd0\u884c\uff08\u4e0d\u4f1a\u7834\u574f\u4efb\u4f55\u4e1c\u897f\uff09\u3002<\/li>\n\n\n\n<li>\u5b89\u88c5\u4e86 firewalld\uff0c\u5e76\u53ea\u5141\u8bb8\u4f7f\u7528\u6307\u5b9a\u7684\u7aef\u53e3\u3002<\/li>\n\n\n\n<li>Letsencrypt \u63d0\u4f9b\u81ea\u52a8\u66f4\u65b0\u7684\u6709\u6548 SSL \u8bc1\u4e66\u3002<\/li>\n\n\n\n<li>\u9a7e\u9a76\u8231\u5df2\u5b89\u88c5\uff0c\u5e76\u6301\u6709\u6709\u6548\u8bc1\u4e66\u3002<\/li>\n\n\n\n<li>\u5b89\u88c5\u4e86 Postix \u548c dovecot \u4ee5\u63d0\u4f9b\u7535\u5b50\u90ae\u4ef6\u3002<\/li>\n\n\n\n<li>\u5df2\u5b89\u88c5 Miriadb \u6570\u636e\u5e93\u5e76\u786e\u4fdd\u5176\u5b89\u5168\u3002<\/li>\n\n\n\n<li>\u5df2\u5b89\u88c5\u5e76\u914d\u7f6e Apache\u3002<\/li>\n\n\n\n<li>WordPress \u5b89\u88c5\u5728\u4e00\u53f0\u865a\u62df\u4e3b\u673a\u4e0a\u3002<\/li>\n\n\n\n<li>WordPress \u57fa\u672c\u52a0\u56fa\u5230\u4f4d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u88c5 EPEL \u8f6f\u4ef6\u5e93\u5e76\u66f4\u65b0\u5f53\u524d\u8f6f\u4ef6\u5305<\/h3>\n\n\n\n<p>EPEL repo \u6dfb\u52a0\u4e86\u4ee5\u540e\u9700\u8981\u7684\u5176\u4ed6\u8f6f\u4ef6\u5305\u3002-\u6dfb\u52a0 Remi \u548c\u6700\u65b0\u7684 PHP<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install epel-release -y<br>sudo dnf update -y<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5b89\u88c5\u6838\u5fc3\u670d\u52a1<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">SELinux<\/h3>\n\n\n\n<p>\u9ed8\u8ba4\u5b89\u88c5\u901a\u5e38\u4f1a\u542f\u7528 SELinux\u3002\u7136\u800c\uff0c\u4e3b\u673a\u7684\u5b89\u88c5\u5374\u6ca1\u6709\u8fd9\u6837\u505a\u3002\u8981\u542f\u7528 SELinux\uff08\u8bb8\u53ef\u6a21\u5f0f\uff09\uff0c\u9996\u5148\u8981\u68c0\u67e5 grub \u4e2d\u662f\u5426\u7981\u6b62 SELinux\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/proc\/cmdline<\/code><\/pre>\n\n\n\n<p>\u67e5\u627e selinux=0 \u6216 security=none\u3002\u5982\u679c\u5b58\u5728\u8fd9\u4e24\u79cd\u60c5\u51b5\uff0c\u5219\u65e0\u8bba \/etc\/selinux\/config \u5982\u4f55\u8bbe\u7f6e\uff0cSELinux \u90fd\u5c06\u88ab\u7981\u7528\u3002\u5982\u679c\u662f\u8fd9\u79cd\u60c5\u51b5<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo grubby --update-kernel=ALL --remove-args=selinux\nsudo grub2-mkconfig -o \/boot\/grub2\/grub.cfg\nsudo dnf install selinux-policy-targeted<\/code><\/pre>\n\n\n\n<p>\u786e\u4fdd \/etc\/selinux\/config \u5177\u6709\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELINUX=permissive<br>SELINUXTYPE=targeted<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u91cd\u65b0\u542f\u52a8\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u73b0\u5728\u91cd\u542f<\/code><\/pre>\n\n\n\n<p>\u7cfb\u7edf\u6062\u590d\u540e\uff0c\u8bf7\u68c0\u67e5<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u5f3a\u5236<\/code><\/pre>\n\n\n\n<p>\u5b83\u5e94\u8be5\u8fd4\u56de <strong>\u5141\u8bb8<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u8bbe\u7f6e SELinux \u7c7b\u578b\u3001\u6743\u9650\u7b49\u3002<\/h3>\n\n\n\n<p>Cockpit \u4f1a\u63d0\u9192\u6ce8\u610f\u4efb\u4f55 SELinux \u95ee\u9898\u5e76\u63d0\u51fa\u89e3\u51b3\u65b9\u6848\u3002\u5728\u5b9e\u65bd\u4e4b\u524d\uff0c\u5e94\u5bf9\u8fd9\u4e9b\u5efa\u8bae\u8fdb\u884c\u5ba1\u67e5\u3002\u4e0d\u8fc7\uff0c\u4ee5\u4e0b\u5efa\u8bae\u5e94\u80fd\u89e3\u51b3\u8bb8\u591a\u95ee\u9898\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo setsebool -P httpd_unified 1<br>sudo setsebool -P httpd_can_network_connect 1<br>sudo setsebool -P httpd_can_network_relay 1<br>sudo setsebool -P httpd_graceful_shutdown 1<br>sudo setsebool -P nis_enabled 1<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5b89\u88c5\u9a7e\u9a76\u8231\uff08\u7ba1\u7406\u7f51\u7edc\u670d\u52a1\u5668\uff09\u3002<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install cockpit -y<br>sudo systemctl enable --now cockpit.socket<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u542f\u7528\u9632\u706b\u5899\uff08\u5982\u679c\u5c1a\u672a\u542f\u7528\uff09\uff0c\u5e76\u5141\u8bb8\u8bbf\u95ee\u9a7e\u9a76\u8231\u3002<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now firewalld<br>sudo firewall-cmd --permanent --zone=public --add-service=cockpit<br>sudo firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5b89\u88c5 postfix\uff08\u90ae\u4ef6\u670d\u52a1\u5668\uff09\u3001mariadb\uff08mysql \u6570\u636e\u5e93\uff09\u3001apache\uff08\u7f51\u7edc\u670d\u52a1\u5668\uff09\u3001php \u548c\u6838\u5fc3\u6a21\u5757\u4ee5\u53ca certbot<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf install postfix mariadb-server mariadb httpd php php-mysqlnd php-fpm php-cli -y<br>sudo dnf install php-common php-opcache php-mbstring php-gd php-xml php-intl php-soap -y<br>sudo dnf install php-zip php-pear php-devel ImageMagick ImageMagick-devel s-nail -y<br>sudo dnf certbot python3-certbot-apache cyrus-sasl cyrus-sasl-plain -y<\/code><\/pre>\n\n\n\n<p>\u542f\u7528\u5e76\u542f\u52a8\u670d\u52a1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now httpd mariadb php-fpm certbot-renew.timer<\/code><\/pre>\n\n\n\n<p>\u5b89\u5168\u7684 mysql<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mysql_secure_installation<\/code><\/pre>\n\n\n\n<p>\u6309\u7167\u63d0\u793a\u64cd\u4f5c<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8bbe\u7f6e root \u7528\u6237\u5bc6\u7801<\/li>\n\n\n\n<li>\u4f7f\u7528\u63d2\u5ea7<\/li>\n\n\n\n<li>\u5220\u9664\u533f\u540d\u7528\u6237<\/li>\n\n\n\n<li>\u7981\u6b62 root \u8fdc\u7a0b\u767b\u5f55<\/li>\n\n\n\n<li>\u5220\u9664\u6d4b\u8bd5\u6570\u636e\u5e93<\/li>\n\n\n\n<li>\u91cd\u8f7d\u6743\u9650\u8868<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u8bbe\u7f6e Postfix<\/h2>\n\n\n\n<p>\u6211\u4eec\u9700\u8981 rspamd \u8fdb\u884c\u90ae\u4ef6\u7b7e\u540d\u548c\u90ae\u4ef6\u9a8c\u8bc1\uff0c\u4f46\u6807\u51c6\u8f6f\u4ef6\u4ed3\u5e93\u4e2d\u6ca1\u6709\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u6dfb\u52a0\u5b98\u65b9\u56de\u5e94\u8f6f\u4ef6\u4ed3\u5e93\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tee \/etc\/yum.repos.d\/rspamd.repo &gt; \/dev\/null &lt;&lt;&#039;EOF&#039;<br>&#91;rspamd]<br>name=Rspamd for Centos 9 x86_64<br>baseurl=https:\/\/rspamd.com\/rpm\/centos-9\/x86_64\/<br>gpgcheck=1<br>enabled=1<br>gpgkey=https:\/\/rspamd.com\/rpm\/gpg.key<br>EOF<\/code><\/pre>\n\n\n\n<p>\u6e05\u9664\u5e76\u5237\u65b0 dnf \u5143\u6570\u636e\uff0c\u5b89\u88c5\u5e76\u542f\u7528 rspamd \u548c dovecot<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dnf clean all<br>sudo dnf makecache<br>sudo dnf install rspamd dovecot -y<br>sudo systemctl enable --now postfix dovecot rspamd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u521b\u5efa Postfix \u57fa\u672c\u914d\u7f6e<\/h3>\n\n\n\n<p>\u4fdd\u5b58\u5b89\u88c5\u6587\u4ef6\u4ee5\u4f9b\u53c2\u8003<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mv \/etc\/postfix\/main.cf{,.inst}<\/code><\/pre>\n\n\n\n<p>\u521b\u5efa\u4e00\u4e2a\u65b0\u7684 \/etc\/postfix\/main.cf \u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># ===========================\n# Postfix \u57fa\u672c\u914d\u7f6e\n# ===========================\n\n# \u786e\u4fdd\u73b0\u4ee3 Postfix \u884c\u4e3a\ncompatibility_level = 2\n\n# \u8def\u5f84\uff08AlmaLinux \u4e0a\u7684\u9ed8\u8ba4\u8def\u5f84\uff0c\u4e3a\u6e05\u6670\u8d77\u89c1\u6216\u6253\u5305\u800c\u4fdd\u7559\uff09\nqueue_directory = \/var\/spool\/postfix\ncommand_directory = \/usr\/sbin\ndaemon_directory = \/usr\/libexec\/postfix\ndata_directory = \/var\/lib\/postfix\nsendmail_path = \/usr\/sbin\/sendmail.postfix\nnewaliases_path = \/usr\/bin\/newaliases.postfix\nmailq_path = \/usr\/bin\/mailq.postfix\n\n# \u53ef\u9009\u6587\u6863\u8def\u5f84\nhtml_directory = \u65e0\nmanpage_directory = \/usr\/share\/man\nsample_directory = \/usr\/share\/doc\/postfix\/samples\nreadme_directory = \/usr\/share\/doc\/postfix\/README_FILES\nmeta_directory = \/etc\/postfix\nshlib_directory = \/usr\/lib64\/postfix\n\n# \u5b89\u5168\u76f8\u5173\u8bbe\u7f6e\nsetgid_group = postdrop\nmail_owner = postfix\n\n# ===========================\n# \u4e3b\u673a\u548c\u57df\u8bbe\u7f6e\n# ===========================\n\n# \u5168\u79f0\u4e3b\u673a\u540d\nmyhostname = alma.adpca.org\n\n# \u672c\u5730\u57df\u540d\nmydomain = adpca.org\n\n# \u786e\u5b9a\u5916\u53d1\u672c\u5730\u90ae\u4ef6\u4e2d\u4f7f\u7528\u7684\u57df\u540d\n# \"user@alma.adpca.org \"\u4f7f\u7528 $myhostname\uff0c\"user@adpca.org \"\u4f7f\u7528 $mydomain\nmyorigin = $myhostname\n\n# \u57df\u88ab\u89c6\u4e3a\u672c\u5730\u57df - \u53d1\u5f80\u8fd9\u4e9b\u57df\u7684\u90ae\u4ef6\u5c06\u5728\u672c\u5730\u6295\u9012\nmydestination = $myhostname, localhost.$mydomain, localhost, $mydomain\n\n# \u63a5\u53d7\u6240\u6709\u63a5\u53e3\u4e0a\u7684\u8fde\u63a5\u5e76\u4f7f\u7528 IPv4 + IPv6\ninet_interfaces = \u6240\u6709\ninet_protocols = all\n\n# \u4ec5\u4fe1\u4efb\u672c\u5730\u673a\u5668\u8f6c\u53d1\u90ae\u4ef6\nmynetworks = 127.0.0.0\/8\n\n# \u4ee5\u786c\u9519\u8bef\u62d2\u7edd\u672a\u77e5\u7528\u6237\u7684\u90ae\u4ef6\nunknown_local_recipient_reject_code = 550\n\n# ===========================\n# \u522b\u540d\u6620\u5c04\n# ===========================\n\nalias_maps = hash:\/etc\/aliases\nalias_database = hash:\/etc\/aliases\n\n# \u4fee\u6539 \/etc\/aliases \u540e\u8fd0\u884c `newaliases\n\n# ===========================\n# MailerSend \u4e2d\u7ee7\u8bbe\u7f6e\n# ===========================\n\n# \u5916\u90e8 SMTP \u4e2d\u7ee7 (MailerSend)\nrelayhost = [smtp.mailersend.net]:587\n\n# \u4e3a\u51fa\u7ad9\u8fde\u63a5\u542f\u7528 TLS\nsmtp_use_tls = yes\nsmtp_tls_security_level = \u52a0\u5bc6\nsmtp_tls_note_starttls_offer = yes\n\n# \u53ef\u4fe1 CA \u8bc1\u4e66\uff08\u5168\u7cfb\u7edf\uff09\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-bundle.crt\nsmtp_tls_CApath = \/etc\/pki\/tls\/certs\n\n# \u8981\u6c42\u4f7f\u7528\u73b0\u4ee3\u52a0\u5bc6\u6280\u672f\nsmtp_tls_mandatory_protocols = !SSLv2, !SSLv3\nsmtp_tls_mandatory_ciphers = medium\n\n# \u6027\u80fd\uff1a\u7f13\u5b58 TLS \u4f1a\u8bdd\nsmtp_tls_session_cache_database = btree:${data_directory}\/smtp_scache\n\n# ===========================\n# \u7528\u4e8e MailerSend \u7684 SMTP AUTH\n# ===========================\n\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nsmtp_sasl_security_options = noanonymous\nsmtp_sasl_tls_security_options = noanonymous\n\n# ===========================\n# \u5165\u7ad9 TLS\uff08\u53ef\u9009\uff09\n# \u4ec5\u5728\u901a\u8fc7 TLS \u63a5\u53d7\u5165\u7ad9\u90ae\u4ef6\u65f6\u9700\u8981\n# ===========================\n\nsmtpd_tls_cert_file = \/etc\/pki\/tls\/certs\/postfix.pem\nsmtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.key\nsmtpd_tls_security_level = may # \u5982\u679c\u652f\u6301\uff0c\u5219\u5141\u8bb8 STARTTLS\n\n# ===========================\n# \u8c03\u8bd5\uff08\u53ef\u9009\uff09\n# \u7528\u4e8e SMTP \u8c03\u8bd5\u4f1a\u8bdd\n# ===========================\n\n#debug_peer_level = 2\n#debugger_command =\n# PATH=\/bin:\/usr\/bin:\/usr\/local\/bin:\/usr\/X11R6\/bin\n# ddd $daemon_directory\/$process_name $process_id &amp; sleep 5<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u914d\u7f6e Dovecot\uff08\u90ae\u4ef6\u53d1\u9001\u548c IMAP\/POP3\uff09<\/h3>\n\n\n\n<p>\u7f16\u8f91 \/etc\/dovecot\/conf.d\/10<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mail_location = maildir:~\/Maildir\n#I \u5982\u679c\u4f7f\u7528\u865a\u62df\u90ae\u4ef6\u7528\u6237\uff0c\u5219\u5e94\u6539\u4e3a\n#mail_location = maildir:\/var\/mail\/vhosts\/%d\/%n\/Maildir\n\n# \u4e3a\u63d0\u9ad8\u6027\u80fd\u548c\u6e05\u6670\u5ea6\uff0c\u53ef\u9009\u9879\nmail_privileged_group = mail<\/code><\/pre>\n\n\n\n<p>\u7f16\u8f91\/etc\/dovecot\/conf.d\/10-auth.conf\uff0c\u4f7f\u5176\u5305\u542b\u8be5\u6587\u4ef6\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>disable_plaintext_auth = \u662f<br>auth_mechanisms = \u666e\u901a\u767b\u5f55<br>\u5305\u542b auth-system.conf.ext<\/code><\/pre>\n\n\n\n<p>\u4e3a\u6bcf\u4e2a\u7528\u6237\u521b\u5efa\u4e00\u4e2a\u90ae\u4ef6\u76ee\u5f55\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir -p \/home\/username\/Maildir<br>chown -R username:username \/home\/username\/Maildir<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u542f\u7528\u534f\u8bae<\/h3>\n\n\n\n<p>\u7f16\u8f91 \/etc\/dovecot\/conf.d\/10-master.conf \u4ee5\u5305\u542b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#E \u542f\u7528 IMAP \u548c\u6388\u6743\u5957\u63a5\u5b57\uff0c\u4ee5\u4fbf Postfix \u5728\u9700\u8981\u65f6\u4f7f\u7528\uff1a\n\n\u670d\u52a1 imap-login {\n  inet_listener imap {\n    \u7aef\u53e3 = 143\n  }\n  inet_listener imaps {\n    \u7aef\u53e3 = 993\n    ssl = yes\n  }\n}\n\n\u670d\u52a1 auth {\n  unix_listener \/var\/spool\/postfix\/private\/auth {\n    \u6a21\u5f0f = 0666\n    user = postfix\n    \u7ec4 = postfix\n  }\n}\n# auth socket \u5141\u8bb8 Postfix \u4f7f\u7528 Dovecot \u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5982\u679c\u4f60\u4ee5\u8fd9\u79cd\u65b9\u5f0f\u914d\u7f6e SASL\n# \u9a8c\u8bc1\u3002\u5982\u679c\u76f4\u63a5\u901a\u8fc7 sasl_passwd \u8fdb\u884c SMTP \u9a8c\u8bc1\uff0c\u5219\u53ef\u9009\u3002\n\n\u670d\u52a1 lmtp {\n  unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp {\n    \u6a21\u5f0f = 0600\n    user = postfix\n    group = postfix\n  }\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u6253\u5f00\u7aef\u53e3<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo firewall-cmd --ad-port=110\/tcp --permanent\nsudo firewall-cmd --ad-port=143\/tcp --permanent\nsudo firewall-cmd --ad-port=993\/tcp --permanent\nsudo firewall-cmd --ad-port=995\/tcp --permanent<\/code><\/pre>\n\n\n\n<p>\u60a8\u53ef\u80fd\u8fd8\u9700\u8981\u5728\u4e3b\u673a\u4e2d\u6253\u5f00\u5b83\u4eec\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6dfb\u52a0\u8bc1\u4e66<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>ssl = \u5fc5\u9700\nssl_cert = &lt;\/etc\/letsencrypt\/live\/alma.adpca.org\/fullchain.pem\nssl_key = &lt;\/etc\/letsencrypt\/live\/alma.adpca.org\/privkey.pem\nssl_cipher_list = PROFILE=SYSTEM\nssl_min_protocol = TLSv1.2\nssl_prefer_server_ciphers = yes<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u4e3a certbot \u81ea\u52a8\u66f4\u65b0\u6dfb\u52a0\u94a9\u5b50\uff0c\u4ee5\u8bbe\u7f6e\u6240\u9700\u6743\u9650<\/h3>\n\n\n\n<p>\u521b\u5efa\u4e00\u4e2a\u53ef\u4ee5\u8bbf\u95ee\u8bc1\u4e66\u7684\u7ec4\uff0c\u5e76\u5c06 dovecot \u6dfb\u52a0\u5230\u8be5\u7ec4\u3002\u8bbe\u7f6e\u521d\u59cb\u6743\u9650\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo groupadd ssl-cert<br>sudo usermod -aG ssl-cert dovecot<br>chmod 750 \/etc\/letsencrypt\/ \/etc\/letsencrypt\/live\/ \/etc\/letsencrypt\/archive\/<br>chgrp ssl-cert \/etc\/letsencrypt\/ \/etc\/letsencrypt\/live\/ \/etc\/letsencrypt\/archive<\/code><\/pre>\n\n\n\n<p>\u5728 \/usr\/local\/sbin\/fix-cert-permissions.s \u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u4e00\u884c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>deploy-hook = \/usr\/local\/sbin\/fix-cert-permissions.sh<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u521b\u5efa\u811a\u672c \/usr\/local\/sbin\/fix-cert-permissions.sh<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\n# \u53d8\u91cf\nDOMAIN=\"alma.adpca.org\"\nSSL_GROUP=\"ssl-cert\"\n\n# \u8def\u5f84\n# LIVE_DIR=\"\/etc\/letsencrypt\/live\/$DOMAIN\"\n# ARCHIVE_DIR=\"\/etc\/letsencrypt\/archive\/$DOMAIN\"\nCOCKPIT_DIR=\/etc\/cockpit\/ws-certs.d\nLIVE_DIR=\"\/etc\/letsencrypt\/live\"\nARCHIVE_DIR=\"\/etc\/letsencrypt\/archive\"\n\n# \u4fee\u590d live \u76ee\u5f55\u53ca\u5176\u5185\u5bb9\u7684\u6743\u9650\nchgrp -R \"$SSL_GROUP\" \"$LIVE_DIR\"\nchmod -R 640 \"$LIVE_DIR\"\/*\/*.pem\nfind \"$LIVE_DIR\" -type d -exec chmod 750 {}\\;\n\n# \u4fee\u590d\u5b58\u6863\u76ee\u5f55\u53ca\u5176\u5185\u5bb9\u7684\u6743\u9650\nchgrp -R \"$SSL_GROUP\" \"$ARCHIVE_DIR\"\nchmod -R 640 \"$ARCHIVE_DIR\"\/*\/*.pem\nfind \"$ARCHIVE_DIR\" -type d -exec chmod 750 {}\\;\n\n# \u91cd\u6784\u9a7e\u9a76\u8231\u8bc1\u4e66\nsudo cp $LIVE_DIR\/$DOMAIN\/fullchain.pem $COCKPIT_DIR\/99-letsencrypt.cert\nsudo cp $LIVE_DIR\/$DOMAIN\/privkey.pem $COCKPIT_DIR\/99-letsencrypt.key\nchmod 600 $COCKPIT_DIR\/99-letsencrypt.cert\n\n# \u91cd\u542f Cockpit \u4ee5\u83b7\u53d6\u65b0\u8bc1\u4e66\nsystemctl restart cockpit\n\necho \u8bc1\u4e66\u6743\u9650\u5df2\u4fee\u590d\uff0cCockpit \u8bc1\u4e66\u5df2\u521b\u5efa\u3002<\/code><\/pre>\n\n\n\n<p>\u8be5\u811a\u672c\u8fd8\u53ef\u521b\u5efa\u9a7e\u9a76\u8231\u8bc1\u4e66\u3002\u8fd0\u884c\u811a\u672c\u8bbe\u7f6e\u6240\u9700\u7684\u6743\u9650\u5e76\u521b\u5efa\u9a7e\u9a76\u8231\u5bc6\u94a5\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u544a\u8bc9 Postfix \u4f7f\u7528 Dovecot LMTP<\/h2>\n\n\n\n<p>\u5728 \/etc\/postfix\/main.cf \u4e2d\u6dfb\u52a0\u4ee5\u4e0b\u5185\u5bb9\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>virtual_transport = lmtp:unix:private\/dovecot-lmtp<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u751f\u6210 DKIM \u5bc6\u94a5\u5e76\u53d1\u5e03 DNS \u8bb0\u5f55<\/h2>\n\n\n\n<p>\u751f\u6210\u548c\u4fdd\u62a4\u5bc6\u94a5<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/rspamd\/dkim\/adpca.org\nsudo rspamadm dkim_keygen -b 2048 -s default -d adpca.org -k \\\n\/etc\/rspamd\/dkim\/adpca.org\/default.key\nsudo chown -R _rspamd:_rspamd \/etc\/rspamd\/dkim\/adpca.org\nsudo chmod 600 \/etc\/rspamd\/dkim\/adpca.org\/default.key<\/code><\/pre>\n\n\n\n<p>\u8f93\u51fa\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>default._domainkey IN TXT ( \"v=DKIM1; k=rsa; \"\n\t\"p=<strong>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2<\/strong>\"\n\t\"<strong>sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/strong>\"\n) ;<\/code><\/pre>\n\n\n\n<p>\u516c\u94a5\u662f TXT \u8bb0\u5f55\u4e2d p= \u53c2\u6570\u7684\u503c \u8fd9\u91cc\uff0c\u516c\u94a5\uff08\u7c97\u4f53\u663e\u793a\uff09\u662f p= \u4e4b\u540e\u3001\u62ec\u53f7\u4e4b\u524d\u7684\u6574\u4e2a\u5927 base64 \u5b57\u7b26\u4e32\u3002\u5b83\u7684\u683c\u5f0f\u5e94\u8be5\u662f\u4e00\u884c\uff0c\u6ca1\u6709\u6362\u884c\u7b26\uff0c\u5c31\u50cf\u8fd9\u6837\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvwpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/code><\/pre>\n\n\n\n<p>\u5411 DNS \u670d\u52a1\u5668\u6dfb\u52a0 TXT \u8bb0\u5f55\u3002\u8bb0\u5f55\u540d\u79f0\u5e94\u4e3a :default._domainkey.adpca.org: \uff0c\u503c\u4e3a<br>\"v=DKIM1; k=rsa; p=<em>public_key_here<\/em>\u201c.<\/p>\n\n\n\n<p>\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u6570\u503c\u5c06\u662f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>v=DKIM1; k=rsa\uff1bp=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvwpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/code><\/pre>\n\n\n\n<p><strong>\u91cd\u8981<\/strong>:\u6dfb\u52a0\u8bb0\u5f55\u65f6\uff0c\u786e\u4fdd\u503c\u662f\u4e00\u4e2a\u8fde\u7eed\u7684\u5b57\u7b26\u4e32\uff0c\u6ca1\u6709\u6362\u884c\u7b26\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e3a adpca.org \u548c\u5b50\u57df\u521b\u5efa DNS \u8bb0\u5f55<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><thead><tr><th><\/th><th><\/th><th><\/th><th><\/th><\/tr><\/thead><tbody><tr><td>\u7c7b\u578b<\/td><td>\u540d\u79f0<\/td><td>\u4ef7\u503c\/\u5185\u5bb9<\/td><td>\u8bf4\u660e<\/td><\/tr><tr><td>A<\/td><td>mail.adpca.org<\/td><td>\u60a8\u7684\u90ae\u4ef6\u670d\u52a1\u5668 IP<\/td><td>\u90ae\u4ef6\u670d\u52a1\u4e3b\u673a<\/td><\/tr><tr><td>MX<\/td><td>adpca.org<\/td><td>mail.adpca.org\uff08\u4f18\u5148\u7ea7 10\uff09<\/td><td>\u63a5\u6536\u57df\u540d\u90ae\u4ef6<\/td><\/tr><tr><td>MX<\/td><td>*.adpca.org<\/td><td>mail.adpca.org\uff08\u4f18\u5148\u7ea7 10\uff09<\/td><td>\u63a5\u6536\u5b50\u57df\u7684\u90ae\u4ef6<\/td><\/tr><tr><td>TXT<\/td><td>adpca.org<\/td><td>\"v=spf1 mx ip4:\\ -all\"<\/td><td>SPF \u8bb0\u5f55<\/td><\/tr><tr><td>TXT<\/td><td>default._domainkey.adpca.org<\/td><td>DKIM \u516c\u94a5\u5982\u4e0a<\/td><td>\u7528\u4e8e DKIM \u9a8c\u8bc1<\/td><\/tr><tr><td>TXT<\/td><td>_dmarc.adpca.org<\/td><td>\"v=DMARC1; p=quarantine; rua=mailto\\:postmaster\\@adpca.org\"<\/td><td>DMARC \u653f\u7b56<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\u6700\u540e\u6b65\u9aa4<\/h2>\n\n\n\n<p>\u91cd\u65b0\u542f\u52a8\u670d\u52a1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart postfix dovecot rspamd<\/code><\/pre>\n\n\n\n<p>\u6d4b\u8bd5\u90ae\u4ef6\u6536\u53d1\u3002<\/p>\n\n\n\n<p>\u68c0\u67e5\u90ae\u4ef6\u65e5\u5fd7\u662f\u5426\u6709\u9519\u8bef\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo journalctl -u postfix\nsudo journalctl -u dovecot\nsudo journalctl -u rspamd<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u8bbe\u7f6e Apache \u548c\u5b89\u88c5 WordPress<\/h2>\n\n\n\n<p>\u6211\u4eec\u9009\u62e9\u4f7f\u7528\u4ee5\u4e0b\u8def\u5f84\u914d\u7f6e apache (httpd) \u865a\u62df\u4e3b\u673a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td>\u6587\u4ef6\u6839\u76ee\u5f55<\/td><td>\/var\/www\/example.com<\/td><td>\u7f51\u7ad9\u6587\u4ef6\u5728\u8fd9\u91cc<\/td><\/tr><tr><td>HTTP \u914d\u7f6e<\/td><td>\/etc\/httpd\/conf.d\/example.com.conf<\/td><td>\u57fa\u672c\u7f51\u7ad9\u914d\u7f6e<\/td><\/tr><tr><td>HTTPS \u914d\u7f6e<\/td><td>\/etc\/httpd\/conf.d\/example.com-le-ssl.conf<\/td><td>\u7531 certbot \u521b\u5efa<\/td><\/tr><tr><td>\u8bbf\u95ee\u65e5\u5fd7<\/td><td>\/var\/log\/httpd\/example.com_access.log<\/td><td><\/td><\/tr><tr><td>\u9519\u8bef\u65e5\u5fd7<\/td><td>\/var\/log\/httpd\/example.com_error.log<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\u521b\u5efa\u865a\u62df\u4e3b\u673a<\/h3>\n\n\n\n<p>\u521b\u5efa HTTP \u914d\u7f6e\u6587\u4ef6\uff0c\u5176\u4e2d\u81f3\u5c11\u5e94\u5305\u542b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u670d\u52a1\u5668\u540d\u79f0 example.com\n    \u6587\u6863\u6839\u76ee\u5f55 \/var\/www\/example.com\n\n    \n        \u5141\u8bb8\u8986\u76d6\u5168\u90e8\n    &lt;\u76ee\u5f55\n\n    \u9519\u8bef\u65e5\u5fd7 \/var\/log\/httpd\/example.com_error.log\n    \u81ea\u5b9a\u4e49\u65e5\u5fd7 \/var\/log\/httpd\/example.com_access.log \u5408\u5e76\n \u865a\u62df\u4e3b\u673a<\/code><\/pre>\n\n\n\n<p>\u91cd\u65b0\u52a0\u8f7d Apache \u4ee5\u542f\u7528\u7f51\u7ad9<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl reload httpd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u521b\u5efa\u6587\u6863\u6839\u76ee\u5f55<\/h3>\n\n\n\n<p>\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u5c06\u4e0b\u8f7d WordPress \u5e76\u91cd\u547d\u540d\u63d0\u53d6\u7684\u6587\u4ef6\uff0c\u4ee5\u521b\u5efa\u6587\u6863\u6839\u76ee\u5f55\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~ # \u5207\u6362\u5230\u60a8\u7684\u4e3b\u76ee\u5f55\ncurl -O https:\/\/wordpress.org\/latest.tar.gz\nsudo tar -xvzf latest.tar.gz\nsudo mv wordpress \/var\/www\/example.com\nsudo chown -R apache:apache \/var\/www\/example.com\nsudo chmod -R 755 \/var\/www\/example.com\nrm latest.tar.gz<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u60a8\u4f7f\u7528\u7684\u4e0d\u662f WordPress\uff0c\u90a3\u4e48\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mkdir \/var\/www\/example.com\nsudo chown -R apache:apache \/var\/www\/example.com\nsudo chmod -R 755 \/var\/www\/example.com<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u5c06\u6587\u4ef6\u6dfb\u52a0\u5230 \/var\/www\/example.com \u4e2d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u83b7\u53d6 SSL \u8bc1\u4e66\u5e76\u5b89\u88c5<\/h3>\n\n\n\n<p>Certbot \u5c06\u4e3a\u60a8\u89e3\u51b3\u8fd9\u4e00\u95ee\u9898\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo certbot --apache -d example.com<\/code><\/pre>\n\n\n\n<p>\u6309\u7167\u63d0\u793a\u64cd\u4f5c\uff0c\u8ba9 Certbot \u66f4\u65b0\u865a\u62df\u4e3b\u673a\u3002<\/p>\n\n\n\n<p>\u5982\u679c\u60a8\u4e0d\u4f7f\u7528 WordPress\uff0c\u53ef\u4ee5\u8df3\u8fc7\u5176\u4f59\u8bf4\u660e\u3002\u5c06\u6587\u4ef6\u653e\u5165\u6587\u6863\u6839\u76ee\u5f55\uff0c\u5e76\u68c0\u67e5\u662f\u5426\u53ef\u4ee5\u8bbf\u95ee\u5b83\u4eec\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u521b\u5efa WordPress \u6570\u636e\u5e93<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mysql -u root -p\n\u521b\u5efa\u6570\u636e\u5e93 wordpress\uff1b\n\u521b\u5efa\u7528\u6237 'wpuser'@'localhost' IDENTIFIED BY 'strongpassword'\uff1b\nGRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost'\uff1b\n\u6e05\u9664\u6743\u9650\uff1b\n\u9000\u51fa\uff1b<\/code><\/pre>\n\n\n\n<p>\u5c06\u6570\u636e\u5e93\u540d\u79f0 (wordpress)\u3001\u7528\u6237 (wpuser) \u548c\u5bc6\u7801\u66ff\u6362\u4e3a\u60a8\u7684\u552f\u4e00\u503c\u3002\u4e0d\u8981\u66f4\u6539\"@'localhost\"\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u914d\u7f6e WordPress<\/h3>\n\n\n\n<p>\u8bbf\u95ee https:\/\/example.com \u5e76\u6309\u7167\u63d0\u793a\u914d\u7f6e WordPress<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u5168\u7684 WordPress<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u8bbe\u7f6e\u6587\u4ef6\u6743\u9650<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo find \/var\/www\/example.com\/ -type d -exec chmod 755 {}\\;<br>sudo find \/var\/www\/example.com\/ -type f -exec chmod 644 {}\\;<br>sudo chmod 600 \/var\/www\/example.com\/wp-config.php<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\u66f4\u6539\u5b89\u5168\u5bc6\u94a5<\/h4>\n\n\n\n<p>\u8f6c\u5230 <a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\">https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/<\/a> \u521b\u5efa\u968f\u673a \"\u76d0 \"\u503c\uff0c\u7136\u540e\u7528\u65b0\u503c\u66ff\u6362 WordPress \u914d\u7f6e\u4e2d\u7684\u503c\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nano \/var\/www\/example.com\/wp-config.php<\/code><\/pre>","protected":false},"excerpt":{"rendered":"<p>Installing Basic Services This document will guide you through setting up core services. it is based on AlmaLinux 9 installed on a virtual server. The server host has a firewall which makes firewalld redundant, so they disabled it in the install. The host also disabled SELinux as it can cause issues. However, I prefer to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_et_pb_use_builder":"off","_et_pb_old_content":"<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Installing Basic Services<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>This document will guide you through setting up core services. it is based on AlmaLinux 9 installed on a virtual server. The server host has a firewall which makes firewalld redundant, so they disabled it in the install. The host also disabled SELinux as it can cause issues. However, I prefer to use both so these instructions reenable them.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>After completing this setup you should have a fully up-to-date system with:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>The EPEL repo installed<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>SELinux installed and operating in Permissive mode (which will not break anything).<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>firewalld installed and allowing only designated ports.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Letsencrypt providing valid SSL certificates, which are automatically renewed.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Cockpit installed and secured with a valid certificate.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Postix and dovecot installed to provide email.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Miriadb database installed and secured.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Apache installed and configured.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>WordPress installed on one virtual host.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Basic WordPress hardening in place<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Installing the EPEL Repository and Updating Current Packages<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>The EPEL repo adds additional packages which will be needed later. -ADD Remi &amp; the latest PHP<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo dnf install epel-release -y<br>sudo dnf update -y<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Installing Core Services<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">SELinux<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>The default installation typically enables SELinux. However, the host's install did not. To enable it (in permissive mode), first check that it's not inhibited in grub:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>cat \/proc\/cmdline<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Look for selinux=0 or security=none. If either is present, SELinux will be disabled no matter what \/etc\/selinux\/config says. If that's the case:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo grubby --update-kernel=ALL --remove-args=selinux\nsudo grub2-mkconfig -o \/boot\/grub2\/grub.cfg\nsudo dnf install selinux-policy-targeted<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Ensure \/etc\/selinux\/config has:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>SELINUX=permissive<br>SELINUXTYPE=targeted<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Then reboot.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo reboot now<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Once the system is back, check<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>getenforce<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>it should return <strong>Permissive<\/strong>.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Set the SELinux types, permissions etc.<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Cockpit will alert to any SELinux issues and suggest solutions. These should be reviewed before implementation. However, the following should resolve many issues:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo setsebool -P httpd_unified 1<br>sudo setsebool -P httpd_can_network_connect 1<br>sudo setsebool -P httpd_can_network_relay 1<br>sudo setsebool -P httpd_graceful_shutdown 1<br>sudo setsebool -P nis_enabled 1<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Install cockpit (admin webserver).<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo dnf install cockpit -y<br>sudo systemctl enable --now cockpit.socket<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Enable the firewall (if it's not already enabled), and allow cockpit access.<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now firewalld<br>sudo firewall-cmd --permanent --zone=public --add-service=cockpit<br>sudo firewall-cmd --reload<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Install postfix (mail server), mariadb (mysql database), apache (web server), php and core modules and certbot<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo dnf install postfix mariadb-server mariadb httpd php php-mysqlnd php-fpm php-cli -y<br>sudo dnf install php-common php-opcache php-mbstring php-gd php-xml php-intl php-soap -y<br>sudo dnf install php-zip php-pear php-devel ImageMagick ImageMagick-devel s-nail -y<br>sudo dnf certbot python3-certbot-apache cyrus-sasl cyrus-sasl-plain -y<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Enable and start the services<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now httpd mariadb php-fpm certbot-renew.timer<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Secure mysql<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo mysql_secure_installation<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Follow the prompts to<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Set root user password<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Use sockets<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Remove anonymous users<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Disallow root login remotely<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Remove test database<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Reload privilege tables<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Setting Up Postfix<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>We need rspamd for message signing and mail verification, but that's not in the standard repos. So we can add the official respond repo.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo tee \/etc\/yum.repos.d\/rspamd.repo &gt; \/dev\/null &lt;&lt;'EOF'<br>&#91;rspamd]<br>name=Rspamd for Centos 9 x86_64<br>baseurl=https:\/\/rspamd.com\/rpm\/centos-9\/x86_64\/<br>gpgcheck=1<br>enabled=1<br>gpgkey=https:\/\/rspamd.com\/rpm\/gpg.key<br>EOF<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Clear and refresh the dnf metadata and install and enable rspamd and dovecot<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo dnf clean all<br>sudo dnf makecache<br>sudo dnf install rspamd dovecot -y<br>sudo systemctl enable --now postfix dovecot rspamd<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Create the basic Postfix config<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Save the installation file for reference<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo mv \/etc\/postfix\/main.cf{,.inst}<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Create a new \/etc\/postfix\/main.cf file containing:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code># ===========================\n# Postfix Basic Configuration\n# ===========================\n\n# Ensures modern Postfix behavior\ncompatibility_level = 2\n\n# Paths (default on AlmaLinux, retained for clarity or packaging)\nqueue_directory = \/var\/spool\/postfix\ncommand_directory = \/usr\/sbin\ndaemon_directory = \/usr\/libexec\/postfix\ndata_directory = \/var\/lib\/postfix\nsendmail_path = \/usr\/sbin\/sendmail.postfix\nnewaliases_path = \/usr\/bin\/newaliases.postfix\nmailq_path = \/usr\/bin\/mailq.postfix\n\n# Optional documentation paths\nhtml_directory = no\nmanpage_directory = \/usr\/share\/man\nsample_directory = \/usr\/share\/doc\/postfix\/samples\nreadme_directory = \/usr\/share\/doc\/postfix\/README_FILES\nmeta_directory = \/etc\/postfix\nshlib_directory = \/usr\/lib64\/postfix\n\n# Security-related settings\nsetgid_group = postdrop\nmail_owner = postfix\n\n# ===========================\n# Host &amp; Domain Settings\n# ===========================\n\n# Fully-qualified hostname\nmyhostname = alma.adpca.org\n\n# Local domain name\nmydomain = adpca.org\n\n# Determines domain name used in outgoing local mail\n# Use $myhostname for 'user@alma.adpca.org' or $mydomain for 'user@adpca.org'\nmyorigin = $myhostname\n\n# Domains considered local \u2014 mail addressed to these is delivered locally\nmydestination = $myhostname, localhost.$mydomain, localhost, $mydomain\n\n# Accept connections on all interfaces and use IPv4 + IPv6\ninet_interfaces = all\ninet_protocols = all\n\n# Trust only local machine for relaying mail\nmynetworks = 127.0.0.0\/8\n\n# Reject mail for unknown users with a hard error\nunknown_local_recipient_reject_code = 550\n\n# ===========================\n# Alias Maps\n# ===========================\n\nalias_maps = hash:\/etc\/aliases\nalias_database = hash:\/etc\/aliases\n\n# Run `newaliases` after modifying \/etc\/aliases\n\n# ===========================\n# MailerSend Relay Setup\n# ===========================\n\n# External SMTP relay (MailerSend)\nrelayhost = &#91;smtp.mailersend.net]:587\n\n# Enable TLS for outbound connections\nsmtp_use_tls = yes\nsmtp_tls_security_level = encrypt\nsmtp_tls_note_starttls_offer = yes\n\n# Trusted CA certificates (system-wide)\nsmtp_tls_CAfile = \/etc\/ssl\/certs\/ca-bundle.crt\nsmtp_tls_CApath = \/etc\/pki\/tls\/certs\n\n# Require modern encryption\nsmtp_tls_mandatory_protocols = !SSLv2, !SSLv3\nsmtp_tls_mandatory_ciphers = medium\n\n# Performance: cache TLS sessions\nsmtp_tls_session_cache_database = btree:${data_directory}\/smtp_scache\n\n# ===========================\n# SMTP AUTH for MailerSend\n# ===========================\n\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nsmtp_sasl_security_options = noanonymous\nsmtp_sasl_tls_security_options = noanonymous\n\n# ===========================\n# Inbound TLS (Optional)\n# Only needed if accepting incoming mail over TLS\n# ===========================\n\nsmtpd_tls_cert_file = \/etc\/pki\/tls\/certs\/postfix.pem\nsmtpd_tls_key_file = \/etc\/pki\/tls\/private\/postfix.key\nsmtpd_tls_security_level = may   # Allow STARTTLS if supported\n\n# ===========================\n# Debugging (Optional)\n# Useful for SMTP debugging sessions\n# ===========================\n\n#debug_peer_level = 2\n#debugger_command =\n#    PATH=\/bin:\/usr\/bin:\/usr\/local\/bin:\/usr\/X11R6\/bin\n#    ddd $daemon_directory\/$process_name $process_id &amp; sleep 5<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Configure Dovecot (Mail delivery and IMAP\/POP3)<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Edit \/etc\/dovecot\/conf.d\/10<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>mail_location = maildir:~\/Maildir\n#If you're using virtual mail users, this would instead be:\n#mail_location = maildir:\/var\/mail\/vhosts\/%d\/%n\/Maildir\n\n# Optional for performance and clarity\nmail_privileged_group = mail<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Edit \/etc\/dovecot\/conf.d\/10-auth.conf to include:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>disable_plaintext_auth = yes<br>auth_mechanisms = plain login<br>!include auth-system.conf.ext<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Create a mail directory for each user:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>mkdir -p \/home\/username\/Maildir<br>chown -R username:username \/home\/username\/Maildir<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Enable protocols<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Edit \/etc\/dovecot\/conf.d\/10-master.conf to include<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>#Enable IMAP and the auth socket for Postfix to use if needed:\n\nservice imap-login {\n  inet_listener imap {\n    port = 143\n  }\n  inet_listener imaps {\n    port = 993\n    ssl = yes\n  }\n}\n\nservice auth {\n  unix_listener \/var\/spool\/postfix\/private\/auth {\n    mode = 0666\n    user = postfix\n    group = postfix\n  }\n}\n# The auth socket allows Postfix to use Dovecot for authentication if you configure SASL\n# auth that way. Optional if you're doing SMTP auth directly via sasl_passwd.\n\nservice lmtp {\n  unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp {\n    mode = 0600\n    user = postfix\n    group = postfix\n  }\n}<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Open the ports<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo firewall-cmd --add-port=110\/tcp --permanent\nsudo firewall-cmd --add-port=143\/tcp --permanent\nsudo firewall-cmd --add-port=993\/tcp --permanent\nsudo firewall-cmd --add-port=995\/tcp --permanent<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>You might need to open them in the host. too.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Add the certificates<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>ssl = required\nssl_cert = &lt;\/etc\/letsencrypt\/live\/alma.adpca.org\/fullchain.pem\nssl_key = &lt;\/etc\/letsencrypt\/live\/alma.adpca.org\/privkey.pem\nssl_cipher_list = PROFILE=SYSTEM\nssl_min_protocol = TLSv1.2\nssl_prefer_server_ciphers = yes<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Add a hook to certbot auto renewal to set the required permissions<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Create a group that can access certificates and add dovecot to that group. Set the initial permissions.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo groupadd ssl-cert<br>sudo usermod -aG ssl-cert dovecot<br>chmod 750 \/etc\/letsencrypt\/ \/etc\/letsencrypt\/live\/ \/etc\/letsencrypt\/archive\/<br>chgrp ssl-cert \/etc\/letsencrypt\/ \/etc\/letsencrypt\/live\/ \/etc\/letsencrypt\/archive<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Add the following line to \/usr\/local\/sbin\/fix-cert-permissions.s<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>deploy-hook = \/usr\/local\/sbin\/fix-cert-permissions.sh<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Then create the script \/usr\/local\/sbin\/fix-cert-permissions.sh<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\n# Variables\nDOMAIN=\"alma.adpca.org\"\nSSL_GROUP=\"ssl-cert\"\n\n# Paths\n# LIVE_DIR=\"\/etc\/letsencrypt\/live\/$DOMAIN\"\n# ARCHIVE_DIR=\"\/etc\/letsencrypt\/archive\/$DOMAIN\"\nCOCKPIT_DIR=\/etc\/cockpit\/ws-certs.d\nLIVE_DIR=\"\/etc\/letsencrypt\/live\"\nARCHIVE_DIR=\"\/etc\/letsencrypt\/archive\"\n\n# Fix permissions on live directory and its contents\nchgrp -R \"$SSL_GROUP\" \"$LIVE_DIR\"\nchmod -R 640 \"$LIVE_DIR\"\/*\/*.pem\nfind \"$LIVE_DIR\" -type d -exec chmod 750 {} \\;\n\n# Fix permissions on archive directory and its contents\nchgrp -R \"$SSL_GROUP\" \"$ARCHIVE_DIR\"\nchmod -R 640 \"$ARCHIVE_DIR\"\/*\/*.pem\nfind \"$ARCHIVE_DIR\" -type d -exec chmod 750 {} \\;\n\n# Rebuild Cockpit cert\nsudo cp $LIVE_DIR\/$DOMAIN\/fullchain.pem $COCKPIT_DIR\/99-letsencrypt.cert\nsudo cp $LIVE_DIR\/$DOMAIN\/privkey.pem $COCKPIT_DIR\/99-letsencrypt.key\nchmod 600 $COCKPIT_DIR\/99-letsencrypt.cert\n\n# Restart Cockpit to pick up the new cert\nsystemctl restart cockpit\n\necho Certificate Permissions fixed and Cockpit certificate created.<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>This script also creates the cockpit certificates. Run the script to set the required permissions and create the cockpit keys.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Tell Postfix to use Dovecot LMTP<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Add the following to \/etc\/postfix\/main.cf:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>virtual_transport = lmtp:unix:private\/dovecot-lmtp<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Generate DKIM keys and publish DNS record<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Generate and secure the keys<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/rspamd\/dkim\/adpca.org\nsudo rspamadm dkim_keygen -b 2048 -s default -d adpca.org -k \\\n\/etc\/rspamd\/dkim\/adpca.org\/default.key\nsudo chown -R _rspamd:_rspamd \/etc\/rspamd\/dkim\/adpca.org\nsudo chmod 600 \/etc\/rspamd\/dkim\/adpca.org\/default.key<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>This will output something like<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>default._domainkey IN TXT ( \"v=DKIM1; k=rsa; \"\n\t\"p=<strong>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2<\/strong>\"\n\t\"<strong>sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvwpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/strong>\"\n) ;<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>The public key is the value of the p= parameter inside the TXT record  Here, the public key (shown in bold) is the whole big base64 string after p= and before the closing parenthesis . It should be formatted one single line with no line breaks, like this:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvwpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Add a TXT record to your DNS server. The record name should be :default._domainkey.adpca.org: and the value<br>\"v=DKIM1; k=rsa; p=<em>PUBLIC_KEY_HERE<\/em>\".<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>In this case the value would be:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlz8vwzSFZonIyLQDBiXynxUyDNuyt6eBAcNNb5Fyh9wEKCCy6W9Bs633Y6kFwWKVHCz+0l7pS0Tt2tU0Hxxh0XZjEtQAOJCCSkMmByCDAYYubAicQR+QKZEGh2H1dldHmj0i3xHwrUZ4yDB9YZ74uj5PgYAYwerPmrwkwd82wowzY\/QMHpVOgPkQpe6IIqxs3ohZEuWhDXZniM2sw0Kzewd6K+7U3jY5m19Qm\/dlDlu1xwYknI277mxdNlHvwpGEWiJIziOgQ9Eue5wSeKhmmCdsNj5LoYG2dRXa9pcrHH08JjLnFN+j1DVjbgUs7IWEvx3QXOg3LZI5\/ko7jt+wIDAQAB<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p><strong>Important<\/strong>: Make sure the value is one continuous string with no line breaks when adding the record.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Create the DNS Records for adpca.org and subdomains<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:table {\"hasFixedLayout\":false,\"className\":\"is-style-stripes\"} -->\n<figure class=\"wp-block-table is-style-stripes\"><table><thead><tr><th><\/th><th><\/th><th><\/th><th><\/th><\/tr><\/thead><tbody><tr><td>Type<\/td><td>Name<\/td><td>Value \/ Content<\/td><td>Notes<\/td><\/tr><tr><td>A<\/td><td>mail.adpca.org<\/td><td>Your mail server IP<\/td><td>Host for mail services<\/td><\/tr><tr><td>MX<\/td><td>adpca.org<\/td><td>mail.adpca.org (priority 10)<\/td><td>Receive mail for domain<\/td><\/tr><tr><td>MX<\/td><td>*.adpca.org<\/td><td>mail.adpca.org (priority 10)<\/td><td>Receive mail for subdomains<\/td><\/tr><tr><td>TXT<\/td><td>adpca.org<\/td><td>\"v=spf1 mx ip4:\\ -all\"<\/td><td>SPF record<\/td><\/tr><tr><td>TXT<\/td><td>default._domainkey.adpca.org<\/td><td>DKIM public key as above<\/td><td>For DKIM verification<\/td><\/tr><tr><td>TXT<\/td><td>_dmarc.adpca.org<\/td><td>\"v=DMARC1; p=quarantine; rua=mailto\\:postmaster\\@adpca.org\"<\/td><td>DMARC policy<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Final steps<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Restart the services<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo systemctl restart postfix dovecot rspamd<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Test mail sending and receiving.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Check mail logs for errors:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo journalctl -u postfix\nsudo journalctl -u dovecot\nsudo journalctl -u rspamd<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Setting up Apache and installing WordPress<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>We have chosen to configure apache (httpd) virtual hosts using the following paths:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:table {\"hasFixedLayout\":false,\"className\":\"is-style-stripes\"} -->\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td>Document root<\/td><td>\/var\/www\/example.com<\/td><td>The website files go here<\/td><\/tr><tr><td>HTTP Config<\/td><td>\/etc\/httpd\/conf.d\/example.com.conf<\/td><td>The basic site config<\/td><\/tr><tr><td>HTTPS Config<\/td><td>\/etc\/httpd\/conf.d\/example.com-le-ssl.conf<\/td><td>Created by certbot<\/td><\/tr><tr><td>Access Log<\/td><td>\/var\/log\/httpd\/example.com_access.log<\/td><td><\/td><\/tr><tr><td>Error Log<\/td><td>\/var\/log\/httpd\/example.com_error.log<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Creating the virtual host<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Create the HTTP config file, which should contain at least:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>&lt;VirtualHost *:80>\n    ServerName example.com\n    DocumentRoot \/var\/www\/example.com\n\n    &lt;Directory \/var\/www\/example.com>\n        AllowOverride All\n    &lt;\/Directory>\n\n    ErrorLog \/var\/log\/httpd\/example.com_error.log\n    CustomLog \/var\/log\/httpd\/example.com_access.log combined\n&lt;\/VirtualHost><\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Reload Apache to enable the site<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo systemctl reload httpd<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Create the document root<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>n this case, we are going to download WordPress and rename the extracted file to create the document root.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>cd ~ # Change to your home directory\ncurl -O https:\/\/wordpress.org\/latest.tar.gz\nsudo tar -xvzf latest.tar.gz\nsudo mv wordpress \/var\/www\/example.com\nsudo chown -R apache:apache \/var\/www\/example.com\nsudo chmod -R 755 \/var\/www\/example.com\nrm latest.tar.gz<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>If you are not using WordPress, then:<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo mkdir \/var\/www\/example.com\nsudo chown -R apache:apache \/var\/www\/example.com\nsudo chmod -R 755 \/var\/www\/example.com<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>And add your files into \/var\/www\/example.com<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Obtain an SSL Certificate and Install<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Certbot will take care of this for you.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo certbot --apache -d example.com<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Follow the prompts and allow Certbot to update the virtual host.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>If you are not using WordPress, you can skip the rest of the instructions. Place your files into the document root and check that you can access them.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Create the WordPress Database<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo mysql -u root -p\nCREATE DATABASE wordpress;\nCREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'strongpassword';\nGRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost';\nFLUSH PRIVILEGES;\nEXIT;<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:paragraph -->\n<p>Replace the database name (wordpress), user (wpuser) and password with your unique values. Do not change \"@'localhost\".<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Configure WordPress<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Go to https:\/\/example.com and follow the prompts to configure WordPress<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:heading {\"level\":3} -->\n<h3 class=\"wp-block-heading\">Secure WordPress<\/h3>\n<!-- \/wp:heading -->\n\n<!-- wp:heading {\"level\":4} -->\n<h4 class=\"wp-block-heading\">Set the file permissions<\/h4>\n<!-- \/wp:heading -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo find \/var\/www\/example.com\/ -type d -exec chmod 755 {} \\;<br>sudo find \/var\/www\/example.com\/ -type f -exec chmod 644 {} \\;<br>sudo chmod 600 \/var\/www\/example.com\/wp-config.php<\/code><\/pre>\n<!-- \/wp:code -->\n\n<!-- wp:heading {\"level\":4} -->\n<h4 class=\"wp-block-heading\">Change the security keys<\/h4>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Go to <a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\">https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/<\/a> to create random 'salt' values, then replace the values in the WordPress config with your new values.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:code -->\n<pre class=\"wp-block-code\"><code>sudo nano \/var\/www\/example.com\/wp-config.php<\/code><\/pre>\n<!-- \/wp:code -->","_et_gb_content_width":"","footnotes":""},"original_author":[],"class_list":["post-824810","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/pages\/824810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/comments?post=824810"}],"version-history":[{"count":0,"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/pages\/824810\/revisions"}],"wp:attachment":[{"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/media?parent=824810"}],"wp:term":[{"taxonomy":"original_author","embeddable":true,"href":"https:\/\/adpca.org\/zh\/wp-json\/wp\/v2\/original_author?post=824810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}