Freebsd jail for an small company - checklist - what shouldn't forget

Posted by cajwine on Server Fault See other posts from Server Fault or by cajwine
Published on 2012-09-27T14:33:02Z Indexed on 2012/09/27 15:39 UTC
Read the original article Hit count: 268

Looking for an checklist for an "small company freebsd/jail server".

Having pretty common starting point:

  • FreeBSD jail (remote/headless) for the company:
    • public web, email, ftp server, and
    • private (maybe in the future partially public) wiki (foswiki)
  • 4 physical persons, (6 email addresses) + one admin - others will never use ssh)
  • have already done usual hardening on the host side (like pf, sshguard etc).
  • my major components are: dovecot, exim, apache22, proftpd, perl5.14.

Looking for an checklist, what I shouldn't forget. My plan:

  • openssl self-signed certificates for exim, dovecot and proftpd (wildcard keys)
  • openssl self-signed certificate for apache (later will go for "trusted-signed" key)

My questions are:

  • is is an "good practice" having one pair of wildcard SSL-certificates for many programs? (exim, dovecot, proftpd) - or should I generate one key for each service?

  • should I add all 4 persons as standard (unix) users, or I should go with virtual users? Asking because:

    • have only small count of users, and
    • it is more simple to configure everything (exim, dovecot) for local users ($HOME/Maildir), plus ability to set $HOME/.forward/vacation and etc.
    • is here some (special) things what I should consider? (e.g. maybe, in the future we want setup our own webmail - will make this any difference?)
  • any other recommendation?

Thank you, hoping that this question fit into the http://serverfault.com/faq under the:

  • Server and Business Workstation operating systems, hardware, software
  • Operations, maintenance, and monitoring

Looking for an checklist, but please explain why you're recommending it. See Good Subjective, Bad Subjective.

related:

© Server Fault or respective owner

Related posts about emailserver

Related posts about ssl-certificate