1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
|
# -*- mode: org-mode; truncate-lines: nil -*-
#+TITLE: Systems documentation
#+AUTHOR: Fripost -- the Free E-mail Association
#+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association
#+KEYWORDS:
#+LANGUAGE: en
#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
#+LINK_UP:
#+LINK_HOME:
#+XSLT:
#+DRAWERS: HIDDEN STATE PROPERTIES CONTENT
#+STARTUP: indent
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts. A copy of the license is included in a
separate file called "COPYING".
This is the documentation of the server configuration used by the free e-mail
association, given here to provide a transparent system.
Debian GNU/Linux squeeze is the current target system. We might keep some notes
for lenny for some time yet since there might still be servers that have not
been upgraded.
The complete documentation is the actual configuration files on the servers.
This document intends to give a general idea of the setup and be of help if we
need to recreate a crashed server. Also, if an administrator goes AWOL, it
should be easy to pick up where he left of.
The steps taken here will not necessarily give a perfect replica of our systems.
We are constantly (yes, constantly) working on improving the security and
reliability of our systems. We do not think of security as a shoot and forget
sort of thing but instead as an ongoing effort. Thus, while we strive to
document all configuration that we consider stable enough, the documentation may
sometimes lag behind.
We do not believe in security through obscurity. This means we are aiming
instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some
information below might have been changed to inconvenience a potential
attacker. Beware and take according measures.
We welcome all criticism, suggestions for improvements, additions etc. Please
send them to skangas@skangas.se.
* Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server
** Basic installation instructions
- Use expert install to maximize fun.
- Preferably, only install the "Standard system utilities" and "SSH Server" tasks.
- Make sure to answer "yes" to shadow passwords and MD5.
- Do disable the root account.
** Install etckeeper
Install etckeeper immediately after install, to start tracking /etc.
** Uninstall a bunch of unnecessary packages
sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
doc-linux-text iamerican ibritish iswedish ispell laptop-detect nfs-common \
openbsd-inetd portmap tasksel tasksel-data w3m wbritish
** Packages to install
*** Administrative
sudo aptitude install emacs23-nox harden-servers logcheck molly-guard ntp \
ntpdate openssh-server rsync screen syslog-summary sudo unattended-upgrades
# If the system is on a dynamic IP (e.g. using DHCP):
sudo aptitude install resolvconf
# NB: harden-clients conflicts with telnet, which as we know is very handy
# during configuration. Therefore, only optionally:
sudo aptitude install harden-clients
** Use GNU Emacs as the default editor
# NOTE: Emacs will be the default on all Fripost systems. If you prefer
# something else, use the EDITOR environment variable.
sudo update-alternatives --config editor
** Configure sudo
# If you disabled root account during installation, the default account is
# already in the sudo group. Otherwise, follow these steps:
sudo adduser myuser sudo
sudo EDITOR="emacs" visudo
%sudo ALL= (ALL) ALL
** Configure sshd
Make sure your private key is in ~/.ssh/authorized_keys2
:: /etc/ssh/sshd_config
# Add relevant users here
AllowUsers xx yy zz
# Change these settings
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
sudo /etc/init.d/ssh restart
# Without closing the current connection, try to connect to the server,
# verifying that you can still connect.
** Forward root email
:: /etc/aliases
root: admin@fripost.org
** Configure logcheck
sudo aptitude install logcheck syslog-summary
:: /etc/logcheck/logcheck.conf
INTRO=0
SENDMAILTO="admin@fripost.org"
:: /etc/logcheck/ignore.d.server/local
# XXX: not always necessary?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed, type '(restart|lightweight)'\.$
# XXX: necessary with squeeze?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
# not necessary with squeeze
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
# not necessary with squeeze
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
# ddclient
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: FAILED: updating [,._[:alnum:]-]+: Could not connect to dns.loopia.se/xdyndnsserver/xdyndns.php.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: TIMEOUT: dns.loopia.se after 120 seconds$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: Bad hostname 'dns.loopia.se'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: connect: Connection timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problemserror:00000000:lib\(0\):func\(0\):reason\(0\) IO::Socket::INET configuration failederror:00000000:lib\(0\):func\(0\):reason\(0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:00000000:lib\(0\):func\(0\):reason\(0\) IO::Socket::INET configuration failederror:00000000:lib\(0\):func\(0\):reason\(0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: connect: Connection timed out IO::Socket::INET configuration failederror:00000000:lib\(0\):func\(0\):reason\(0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$
# | There is no way to get rid of the warning `Fixed query_filter [...] is probably useless'.
# It is harmless in our case, since the search base is precise enough.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(smtpd|cleanup|trivial-rewrite|postmap)\[[0-9]+\]: warning: dict_ldap_open: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf: Fixed query_filter \(\&\(ObjectClass=virtualAliases\)\(mailLocalAddress=\)\(isActive=TRUE\)\) is probably useless$
# | Postfix reload
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postfix-script\[[[:digit:]]+\]: refreshing the Postfix mail system$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version
# | slapo-constraint ignores slapd's logging configuration
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: constraint_update\(\)$
# | On the MXs only: Servers that don't speak proper (E)SMTP don't deserve to be listened.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: improper command pipelining after (EHLO|DATA) from [._[:alnum:]-]+\[[:[:xdigit:].]+\]$
# | On the MXs only: Poorly configured server certificates will be ignored and the connection will back as untrusted.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: not designated for use as a client certificate$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: client certificate verification failed for [._[:alnum:]-]+\[[:[:xdigit:].]+\]: certificate has expired$
# | On Benjamin
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? usb [[:digit:]]+-[.[:digit:]]+: (new|reset) (low|full|high) speed USB device using ([_[:alnum:]-]+ and )?address [[:digit:]]+$
# | On the MSAs
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: replace: header Received: from
** Configuring aptitude and friends
# We are going to automatically install many security updates using the package
# "unattended-upgrades". Automated upgrades are in general not a very good
# idea, but "unattended-upgrades" takes steps to mitigate the problems with this
# approach. Given the Debian security teams track record in recent years we
# believe the positives outweigh the negatives.
#
# For the situations when unattended-upgrades fails (e.g. when there are
# configuration changes), there is an e-mail sent to the administrator.
#
:: /etc/apt/apt.conf
APT
{
// Configuration for /etc/cron.daily/apt
Periodic
{
// Do "apt-get update" automatically every n-days (0=disable)
Update-Package-Lists "1";
// Do "apt-get autoclean" every n-days (0=disable)
AutocleanInterval "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script every n days
Unattended-Upgrade "1";
}
};
Aptitude
{
UI
{
Autoclean-After-Update: true;
Auto-Fix-Broken: false;
Keep-Recommends: true;
Recommends-Important: true;
Description-Visible-By-Default: false;
HelpBar false;
Menubar-Autohide true;
Purge-Unused: true;
Prompt-On-Exit false;
}
}
# Using Debian squeeze:
:: /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "admin@fripost.org";
** Configure ddclient
:: /etc/ddclient.conf
### Not reproduced here due to containing sensitive information
:: /etc/default/ddclient
run_daemon="true"
* Next Steps
** Configuring the backup solution
*** Bacula configuration
*** Simple rsync solution
General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be
changed to rsnapshot or perhaps something even more sophisticated like bacula.
1. Install rsync
- sudo aptitude install rsync
2. Create a key on the backup computer:
- sudo mkdir /root/.ssh/backup_key
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key
- cat /root/.ssh/backup_key.pub
3. Create a user on the computer that will be backed up
- sudo adduser --disabled-password remupd
- add the public key from above to ~remupd/.ssh/authorized_keys2
prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding
- sudo EDITOR="emacs" visudo
Cmnd_Alias RSYNCDIST=/usr/bin/rsync
remupd ALL=NOPASSWD:RSYNCDIST
4. Test the key from the backup computer:
- ssh -i ~/.ssh/backup_key -l remupd example.com
5. Create a script on the backup computer to automatically backup
6. Add script to crontab
** Configuring the e-mail servers
*** Introduction
**** Overview
We will be using one main mail storage server, accessible by users via IMAP.
This server should be referred to as the main `IMAP server'. We will have two or
more mail gateways that will relay e-mail to the main server over secure
connections. These are called `smarthosts'.
Credentials are managed by a LDAP server. For the users to be able to
authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will
use the so called "authenticate binds": services simply forward the login
information of the user to the LDAP server, that in turn hashes the password and
checks wheter it maches the stored copy; if it does, the LDAP server answers back
the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif .
This way, if the IMAP or SMTP server is compromised, the attacker will NOT have
access to all credentials. Of course the LDAP server should only be listening to
the machines hosting these services and ideally, should not be directly facing the
internet.
**** Definitions
IMAP server = the main storage server
LDAP server = the server that stores users credentials and various other informations.
smarthost = the server receiving email from the internet (configured as MX)
outgoing SMTP = the Message Transfer Agent (MTA), that will relay emails originating from our network.
incoming SMTP = the Mail Submission Agent (MSA), that will receive emails from our users (via ESMTPSA).
*** Configuring an SSH tunnel between two hosts
# Definitions:
# originating host = the host that will be connecting
# destination host = the host that runs some service
# Begin by setting a few environment variables:
TUNNEL_KEY_FILE="my_tunnel_key"
TUNNEL_USER="tunneluser"
TUNNEL_HOME="/home/$TUNNEL_USER"
DEST_PORT="25"
ORIGIN_PORT="1917"
**** Prepare origin
1. Create a key on the originating host:
sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
**** Prepare destination
2a. Install necessary software on the destination host:
sudo aptitude install netcat-openbsd
2b. Create a new user on the destination host:
sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
$TUNNEL_USER
echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
# Note: We need bash, so we can not change the shell to something else.
2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config.
sudo /etc/init.d/ssh restart
# make sure the host is still reachable
2d. Add the public key from above to this user:
THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
3. Test the key on the originating host:
sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
# Comment: You should be greeted by e.g.:
# 220 mistral.fripost.org ESMTP Postfix (Debian/GNU)
4. Configure openbsd-inetd on the originating host:
# Comment: We use inetd instead of ssh -L because, among other things, ssh
# -L tends to hang.
sudo aptitude install openbsd-inetd
:: /etc/inetd.conf
127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
sudo service openbsd-inetd restart
You should now be able to connect through the tunnel from the originating
host using something like:
telnet localhost $ORIGIN_PORT
*** Configuring the main LDAP server (provider)
On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf'
(by default, but may completely ignore it in the future), but the
`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online
tutorials are describing methods using `/etc/ldap/slapd.conf'.
[Note: This has been written by a LDAP noob. It should probably be
rewritten/compressed in a couple of months. /Guilhem, 2012-04-03.]
**** Install packages
Here is a basic installation tutorial for Debian Squeeze:
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
sudo apt-get install slapd ldap-utils
If it does not prompt for your domain, admin password, etc., run
`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:
Omit OpenLDAP server configuration? No
DNS domain name: fripost.org
Organization name: Fripost
Administrator password: *********
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
We do not want to listen all the Internet: in `/etc/default/slapd', change
`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
UNIX sockets, specify
SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///"
(This should be enough if the connection from the IMAP/SMTP services are
wrapped into SSH or SSL/TLS tunnels.)
(Note: Unless specified, connections through the sockets bind with the users
permissions, hence regular users may not be able to explore the directory.)
We can check the configuration with
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"
and modify the directory using a .ldif file with
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
(granted writing rights, see below)
**** Performance considerations
References:
- https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
- http://www.openldap.org/doc/admin24/tuning.html
1. On single- and dual-core systems, change the maximum number of
threads to 8. (The default, 16, is fine for 4- and 8-core systems.)
:: ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcThreads
olcThreads: 8
2. It may be a good idea to modify DB_CONFIG, depending on the output
of
db4.8_stat -m -h /var/lib/ldap/ | head -16
(For optimal performance, the Requested pages found in the cache
should be above 95%, and the pages forced from the cache should be 0.)
and
db4.8_stat -m -h /var/lib/ldap/ | head -16
(For optimal performance, usage should be within 85% of the configured
values.)
**** Database configuration
:: mkdir -m 0700 /var/lib/ldap/mailHosting && chown openldap:openldap /var/lib/ldap/mailHosting
We may want to remove the existing (default, empty) database on a fresh installation:
:HIDDEN:
slapcat -n1 # Ensure it is empty
/etc/init.d/slapd stop
mv /var/lib/ldap/DB_CONFIG /var/lib/ldap/mailHosting
find /var/lib/ldap/ -maxdepth 1 -type f -delete
rm -f '/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif'
:END:
And define ours:
:: ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDbDirectory: /var/lib/ldap/mailHosting
olcSuffix: o=mailHosting,dc=fripost,dc=org
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# Require LDAPv3 protocol and authentication prior to directory
# operations.
olcRequires: LDAPv3 authc
# We don't want to give "canCreate{Alias,ML}" write access to alias/ml
# attributes.
olcAddContentAcl: FALSE
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
**** Fripost's schema
TODO: upgrade
We base our schema on qmail's (http://dhits.nl/download/qmail.new.schema) and
Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
o=mailHosting, dc=fripost, dc=org
|- ou=managers
| |- cn=admin1
| | userPassword: xxxxxx
| `- cn=admin2
|
|- ou=services
| `- cn=SMTP
| userPassword: xxxxxx
|
`- ou=virtual
|- dc=fripost.org
| isActive: TRUE
| |- mailTarget=user1@fripost.org
| | mailLocalAddress: user1-alias
| | isActive: TRUE
| |- uid=user1
| | userPassword: xxxxxx
| | isActive: TRUE
| |
| `- uid=user2
|
`- dc=example.org
owner: uid=user1,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
`- mailTarget=user1@fripost.org
| mailLocalAddress: user1
| isActive: TRUE
|
`- mailTarget=user1-alias@fripost.org
:: /etc/ldap/fripost/fripost.ldif
dn: cn=mail.fripost.org,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mail.fripost.org
olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'quota'
DESC 'The quota on a mailbox e.g., "50MB".'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )
olcAttributetypes: ( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'isActive'
DESC 'Is the leaf active?'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailTarget'
DESC 'The target of e-mail virtual aliases.'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.1 NAME 'virtualDomain'
SUP top STRUCTURAL
DESC 'Virtual Domains.'
MUST ( dc $ isActive )
MAY ( owner $ description ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualAliases'
SUP top STRUCTURAL
DESC 'Virtual Aliases.'
MUST ( mailTarget $ isActive )
MAY ( mailLocalAddress ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.3 NAME 'virtualMailbox'
SUP top STRUCTURAL
DESC 'Virtual Mailboxes.'
MUST ( uid $ userPassword $ isActive )
MAY ( gn $ sn $ quota ) )
Note: For the meaning of the sequences of digits above, grep the output of
`sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config"', or read
http://www.openldap.org/doc/admin24/schema.html#Attribute%20Type%20Specification .
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning unicode is
allowed.)
We can now add it to the schema directory:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/fripost.ldif
(A [dirty] way to delete the schema is to remove the coresponding file in
`/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd. Ensure that nothing
[databases, ACL, indices,...] are making use of the schema, of course.)
Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'),
you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the
following:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'.
It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html)
and add with `sudo ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
[TODO: that's just ugly. Find a better way.]
***** Add custom indexes
TODO: upgrade
The default indexes below are not enough for our purpose, since e.g.,
Postfix will heavily be looking for e.g., the `uid' attribute.
:: sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcDbIndex
[...]
olcDbIndex: objectClass eq
:: /etc/ldap/fripost/index.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# Needed for the replicates.
add: olcDbIndex
olcDbIndex: entryUUID eq
-
delete: olcDbIndex
olcDbIndex: objectClass eq
-
add: olcDbIndex
olcDbIndex: objectClass pres,eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq,sub
-
add: olcDbIndex
olcDbIndex: uid eq,sub
-
add: olcDbIndex
olcDbIndex: mailTarget,mailLocalAddress eq
-
add: olcDbIndex
olcDbIndex: isActive eq
-
add: olcDbIndex
olcDbIndex: owner eq
TODO: After having amended the schema as specified above, we'll also need a
`sub' index on aliases:
add: olcDbIndex
olcDbIndex: mailAliasGoto,mailAliasFrom eq,sub
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/index.ldif
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: entryUUID eq
olcDbIndex: objectClass pres,eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: mailTarget,mailLocalAddress eq
olcDbIndex: isActive eq
olcDbIndex: owner eq
Note: We can add indexes on a populated database, but then we need to reindex the directory:
sudo /etc/init.d/slapd stop
sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=org'
sudo /etc/init.d/slapd start
***** Restrict the access
TODO: upgrade
The default ACL is not restrictive enough for our purpose: We don't want
the services to see passwords, and the users should see/edit only the
relevant bits.
Note: The ACLs are evaluated in order, hence the more specific rules should come
first.
We are using the so-called "Sets" to let the users manage their domain themselves.
See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual
http://www.openldap.org/doc/admin24/access-control.html for details.
:: sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcAccess
[...]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
[...]
:: /etc/ldap/fripost/acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# Service passwords are only writable (hence readable) by the admins.
# Anonymous services are only allowed to bind.
add: olcAccess
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by self read
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by anonymous auth
-
# User passwords are only writable (hence readable) by the admins and the
# user him/herself. Anonymous users are only allowed to bind.
add: olcAccess
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by self write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by anonymous auth
-
# User names are only writable (hence readable) by the admins and the user
# him/herself.
add: olcAccess
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn
by self write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-
# Users are allowed to manage (create/delete/toggle activation) the
# the domains they own.
add: olcAccess
olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
by set.expand="[$2]/owner & user" write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by * break
-
# Admins have writing rights on the branch. Authenticated users can read
# their entry. The SMTP and SASLauthd servervices can read entries on the
# branch (but not the passwords). Others can only search.
add: olcAccess
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org"
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by self read
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
by * search
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read by * search
olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {6}to dn.base="" by * read
olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
[...]
Note: Users are allowed to manage their domain, but an admin is needed to add a domain to the
directry. A possibility to avoid that with a web-form is to send a mail to the postmaster@example.org
(or even to the mail that appears in the WHOIS) with a confirmation hash. That would simply require
a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/entry. (And probably a
"semi-admin" with only these rights.)
**** Create the base entries
:: ldapadd -xWD cn=admin,dc=fripost,dc=org
dn: o=mailHosting,dc=fripost,dc=org
objectClass: organization
description: Mail hosting
dn: ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: Virtual Hosting
dn: ou=managers,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: Postmasters
dn: ou=services,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: E-mail services
To delete an entry (add `-r' to delete the whole sub-tree):
ldapdelete -xWD cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
**** Populate the directory
:: ldapadd -xWD cn=admin,dc=fripost,dc=org
dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}xxxxxx
dn: cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}xxxxxx
dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
isActive: TRUE
dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: TRUE
dn: dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
owner: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=virtual,o=mailHosting,dc=fripost, dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
isActive: TRUE
mailLocalAddress: user
mailLocalAddress: user-alias
dn: uid=user2,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: FALSE
dn: mailTarget=user@fripost.org,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
mailLocalAddress: user-alias
isActive: TRUE
Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
input, so there's no need to write on disk. The salted SHA-1 can be created with
e.g., `slappasswd -h "{SSHA}"'.
**** Check the ACLs
TODO: upgrade
`slapacl' is an helpful tool to debugs the ACLS. For instance, to check what are
the rights of user@fripost.org on the domain example.org, we can run:
sudo slapacl -b 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
We can also check ACLs with concrete examples:
ldapwhoami -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
should return the whole dn:
"uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
***** Admin
`slpacat' (run as root) dumps everything in the subtree, including the (hashed)
passwords. So should
ldapsearch -xWD "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
and
ldapsearch -xWD "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
***** Anonymous user
`ldapsearch -x -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.
***** Services
ldapsearch -xWD "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should not disclose the passwords.
***** Self
ldapsearch -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should return all the information for this very user, but not e.g., the password of the other users.
The user should be able to change his/her password, and aliases in his/her own domain:
:: ldapmodify -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
changetype: modify
replace: userPassword
userPassword: xxxxxx
dn: mailTarget=user@fripost.org,dc=example.org,ou=domain,o=mailHosting,dc=fripost,dc=org
changetype: modify
add: mailLocalAddress
mailLocalAddress: user-alias2@example.org
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
[Note: If the task is merely to change the password, there is also `ldappasswd'.]
We now ensure that the leaf has been updated:
:: slapcat -s "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
[...]
userPassword:: aG9w
entryCSN: 20120404215647.957317Z#000000#000#000000
modifiersName: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
modifyTimestamp: 20120404215647Z
On other modifications, for instance of `maildir', `ldapmodify'
should refuse with `Insufficient access (50)'.
**** Using SyncProv, to define our main server as the provider
Our main LDAP server (provider) will sent periodic updates of the directory to
other servers (consumers, running on the MX:s).
References:
- http://www.openldap.org/doc/admin24/replication.html#Syncrepl
- http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
- man 5 slapo-syncprov
:: ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
:: ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# contextCSN saved to database every 50 updates or 5
# minutes
olcSpCheckpoint: 50 5
syncprov-reloadhint: TRUE
*** Configuring the main IMAP server
**** Install packages
sudo aptitude install postfix postfix-ldap
**** /etc/postfix/main.cf
TODO: add file contents
[...]
virtual_mailbox_domains = ldap:$config_directory/ldap/ldap_virtual_mailbox_domains.cf
virtual_mailbox_maps = ldap:$config_directory/ldap/ldap_virtual_mailbox_maps.cf
virtual_alias_maps = ldap:$config_directory/ldap/ldap_virtual_alias_maps.cf
ldap:$config_directory/ldap/ldap_virtual_alias_catchall_maps.cf
[...]
***** Virtual lookups
Ideally, Postfix would send the request to a UNIX socket (hence on the MX:s,
OpenLdap would not listen to the network). Note that the socket has to be in
Postfix's chroot jail; To specifify that, change `SLAPD_SERVICES' in
`/etc/default/slapd' to
SLAPD_SERVICES="ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/????x-mod=0777"
Note that in the configuration files below, the `server_host' is relative to
Postfix's jail, hence one should drop the prefix "/var/spool/postfix". But to
test the files with `postmap' one has to put back the prefix (or chroot first).
TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL-bind to
the socket with the EXTERNAL mechanism, which leads to a flood of warnings
"connection_read(XX): no connection!" in the syslog. One can also reproduce the
warning with
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
instead of the proper
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
(The first one performs a simple bind and does not unbind properly, while
the second one is safe and performs a SASL bind with the EXTERNAL mechanism.)
See also:
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223
- http://www.openldap.org/lists/openldap-software/200811/msg00078.html
TODO: For the time being, we stick to simple binds on 127.0.0.1:389, but when
"wheezy" will be the next Debian stable, we will do the following instead [Not
tested]
bind = sasl
sasl_mechs = EXTERNAL
This will be both more secure (SASL vs. simple bind) and efficient (UNIX socket
vs. inet).
:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
result_attribute = dc
Test it:
postmap -q fripost.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
postmap -q example.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
postmap -q fake.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
:: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
version = 3
search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
result_attribute = uid
Test it:
postmap -q user@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
postmap -q fake@fake.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
:: /etc/postfix/ldap/ldap_virtual_alias_maps.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = one
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
result_attribute = mailTarget
:: /etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = one
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=)(isActive=TRUE))
result_attribute = mailTarget
Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf ldap:/etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf ldap:/etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf
postmap -q fake@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf ldap:/etc/postfix/ldap/ldap_virtual_alias_catchall_maps.cf
Note: There is no way to get rid of the warning `Fixed query_filter
[...] is probably useless'. It is harmless in our case, since the
search base is precise enough. However, we add a logcheck exception not
to be flooded.
TODO: That will change with the new schema.
**** Setting up the MDA
# squeeze has dovecot-1.2. upgrade notes:
# - we might want to upgrade to their sieve (instead of cmusieve)
# - we want to add the -s flag to deliver in master.cf
***** Installing
sudo aptitude install dovecot-imapd
***** Configuring
:: /etc/dovecot/dovecot.conf
protocol lda {
# Address to use when sending rejection mails.
postmaster_address = postmaster@fripost.org
# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
hostname = imap.fripost.org
# Support for dynamically loadable plugins. mail_plugins is a space separated
# list of plugins to load.
#mail_plugins =
#mail_plugin_dir = /usr/lib/dovecot/modules/lda
# Binary to use for sending mails.
sendmail_path = /usr/lib/sendmail
# UNIX socket path to master authentication server to find users.
auth_socket_path = /var/run/dovecot/auth-master
# Enabling Sieve plugin for server-side mail filtering
mail_plugins = cmusieve
}
[...]
## dovecot-lda specific settings
##
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = xxx # User running Dovecot LDA
#group = mail # Or alternatively mode 0660 + LDA user in this group
}
}
:: /etc/postfix/master.cf
dovecot unix - n n - - pipe
flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n
:: /etc/postfix/main.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
http://wiki.dovecot.org/LDA/Postfix
http://www.tehinterweb.co.uk/roundcube/#pisieverules
**** Test delivery
sudo mkdir -p /home/mail/virtual/fripost.org/
:: ldapadd -xWD cn=admin,dc=fripost,dc=org
dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
isActive: TRUE
dn: uid=example,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
userPassword: test666
isActive: TRUE
sudo /etc/init.d/postfix restart
echo "test at `date`" | mail -s "test" exempel@fripost.org
**** Configuring Dovecot
sudo aptitude install dovecot-imapd
:: /etc/dovecot/dovecot.conf
# Note: These settings are already in the file but commented out or set to other
# values.
:HIDDEN:
protocols = imaps
protocol imap {
ssl_listen = *:993
}
disable_plaintext_auth = yes
mail_location = maildir:/home/mail/virtual/%d/%u/Maildir
# Set this to something that works for the Maildirs
first_valid_uid = XXX
first_valid_gid = XXX
# Allow clients to be fancy if they want to
mechanisms = plain cram-md5
#passdb pam <--- comment this stuff out
# uncomment this stuff
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
#userdb passwd <--- comment this stuff out
# uncomment this stuff
userdb static {
args = uid=115 gid=8 home=/home/mail/virtual/%d/%n/ allow_all_users=yes
}
# We are not making use of the User Database (to ensure that Dovecot's `deliver' checks
# that the recipient exists) here, since `deliver' should only be called by Postfix which
# takes care of that (cf. `ldap_virtual_mailbox_maps.cf'). Hence the `allow_all_users=yes'
# above.
# Do not needlessly run as root
user = nobody
:END:
***** Use LDAP authenticate binds, and LDAP user queries.
Instead of making a LDAP query to fetch the (hashed) passwords, which implies
to expose all (hashed) credentials to Dovecot, an other approach is to forward
the login information to our LDAP server, that will match it against the hashed
copy contained in its database. This way if your IMAP server is compromised,
the attacker will not have access to all the e-mails and user credentials.
Documentation:
http://wiki2.dovecot.org/HowTo/DovecotOpenLdap
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
Copy this file in /etc/dovecot, and chmod 600 it.
:: /etc/dovecot/dovecot-ldap.conf
:HIDDEN:
hosts = localhost
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
base = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
deref = never
scope = base
pass_attrs = uid=user
pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))
:END:
sudo /etc/init.d/dovecot restart
# Provided there is a user, you should now be able to login using any IMAP
# client.
#
# $~ openssl s_client -connect localhost:993
# [...]
# * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
**** Making sure the services are not started at boot [might not be needed]
sudo update-rc.d -n dovecot stop 2 3 4 5 .
sudo update-rc.d -n postfix stop 2 3 4 5 .
*** Configuring a new smarthost to relay e-mail to the main IMAP server
**** Overview
We relay mail from our smarthosts to the main IMAP server.
This is to avoid having a single point of failure and to separate concerns. The
IMAP server then only needs to deal with authenticated clients and the
smarthosts.
**** Prerequisites
Before this can work we must make sure that:
- SyncProv is configured on our main LDAP server, and
- There is an SSH tunnel for the smtp.
If they are both setup, we can configure postfix on the smarthost to relay
emails through the tunnel.
**** Configuring a partial replicate of the LDAP directory
Partial, since we will restrict the replication to what is needed for Postfix
virtual lookups. In particular, the passwords will not be replicated.
Refererences:
- http://www.openldap.org/doc/admin24/replication.html#Syncrepl
- http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
In the rest of this section, we assume there is a tunnel from the provider
LDAP server to the consumer (i.e., ldap://127.0.0.1:3890 on the MX actually
speaks to the the main provider).
***** Installation
Cf. installation on the main LDAP server. (We also need to install Fripost's
schema and indexes, but not the ACLs.)
***** Using SyncRepl
:: ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
# Increase the rid for the different consumers
olcSyncRepl: rid=000
provider=ldap://127.0.0.1:3890
bindmethod=simple
binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials="xxxxxx"
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualML))(fripostIsStatusActive=TRUE))"
attrs="fripostIsStatusActive,fripostMaildrop,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager"
scope=sub
schemachecking=off
(Since in our case we have several slaves, we increment the rid accross the
different MX:s.)
***** Restrict the access
Ideally, we would use the following single ACL
:: ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.exact="gidNumber=121+uidNumber=113,cn=peercred,cn=external,cn=auth" =rsd
Were 113 and 121 are the uid and gid of the "postfix" user, respectively (which
you can find by typing `id postfix'). This would give =rsd access to the
"postfix" user on the directory, when SASL-binding on a UNIX socket. However
SASL binding have only been introduced with Postfix 2.8 [TODO: after upgrade,
change that], so we will use anonymous access for the time being. It isn't very
satisfactory, but since the replicate stripped out the irrelevant and critical
bits it should be fine for now.
Ensure that authentication is not required, and that no ACL is defined (the
default is then to allow read access to anyone).
:: sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase={1}hdb)" olcRequires olcAccess
[...]
olcRequires: LDAPv3
**** Configuration files
TODO: add the necessary configuration files
*** Configuring the outgoing SMTP (MTA)
**** Install packages
sudo aptitude install postfix
:: /etc/postfix/main.cf
smtp_bind_address = 88.80.16.139
smtp_bind_address6 = 2A00:16B0:242:13F::1
[...]
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
(Note: Ideally, the IPv4 and IPv6 address above should resolve to our
hostname, namely `smtp.fripost.org' here.)
We don't want to force the SMTP client to use encrypted connection
regardless, as some servers may not support it :-/
**** Relay emails from trusted hosts
:: /etc/postfix/main.cf
relay_clientcerts = hash:$config_directory/relay_clientcerts
[...]
# TODO: should be "secure" on 25
smtpd_tls_security_level = may
# TODO: proper certs
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:${data_directory}/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_eecdh_grade = strong
[...]
smtpd_recipient_restrictions =
[...]
permit_mynetworks
permit_tls_clientcerts
[...]
/etc/postfix/relay_clientcerts lists (SHA-1) fingerprints and hostnames
of our trusted hosts. Fingerprints can be obtained with
openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem
:: /etc/postfix/relay_clientcerts
E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg
[...]
Do not forget do update this file if the you change the hostname or certificate of the
trusted hosts! And to hash it afterwards:
postmap /etc/postfix/relay_clientcerts
We need to force the trusted hosts (our MX:s and the webmail) to use TLS when talking to
the mailhub. For instance on mx1.fripost.org,
:: /etc/postfix/main.cf
[...]
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_cert_file = /path/to/pubkey.pem
smtp_tls_key_file = /path/to/privkey.key
[...]
:: /etc/postfix/tls_policy
smtp:[smtp.fripost.org]:25 secure ciphers=high
(Note: The `secure' TLS policy will not accept self-signed certificates, or
certificates which CN doesn't match!)
We don't want to force the SMTP client to use encrypted connection
regardless, as some servers may not support it :-/
*** Configuring the Mail Submission Agent (MSA)
We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
MTA are hosted on the same machine (gnu).
Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out.
**** Install packages
sudo apt-get install sasl2-bin libsasl2-modules
(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
test our installation.)
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
this machine actually speaks to the master).
**** Fixing CApath
As of Debian Squeeze, Postfix doesn't copy the content of 'smtp_tls_CApath' and
'smtpd_tls_CApath' in the chroot jail. This leads to a flood of "Untrusted
connections" since Postfix doesn't have any root CA to trust.
To do it by hand, copy the files (don't forget the symlink targets) under
'/var/spool/postfix/etc/ssl/certs' and c_rehash this last directory.
The issue is fixed under Postfix 2.8. For the time being, a script to automatize
the above process can be found in the fripost-admin repository.
$~ sudo postfix-fixcerts.sh
**** Configure SASLauthd
:: /etc/default/saslauthd
[...]
START=yes
MECHANISMS=ldap
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
[...]
(Note: The socket has to be in Postfix's chroot jail.)
:: /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1:3890/
ldap_version: 3
ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
ldap_bind_pw: xxxxxx
ldap_auth_method: bind
ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
ldap_scope: base
We need to bind to `cn=SASLauth,...' here, because SASLauthd performs the
search before binding to the user (unlike Dovecot). Hence it needs to have read
access on the user's entry (except his/her password, of course). TODO: maybe
=sd access is enough actually?
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication:
sudo testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
(The password cannot be prompted, so you may want to create a dummy user.)
**** Configure Postfix
If everything goes through, it is now time to modify Postfix's main.cf:
(Documentation: http://www.postfix.org/SASL_README.htm)
:: /etc/postfix/main.cf
[...]
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = fripost.org
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
[...]
smtpd_recipient_restrictions =
[...]
permit_sasl_authenticated
reject_unauth_destination
[...]
:: /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Finally, we can add the submission service to our master.cf, with customized policy:
:: /etc/postfix/master.cf
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_helo_restrictions=reject_invalid_helo_hostname
[...]
(We don't reject soon-to-be authenticated clients for having a non-FQDN hostame.)
Postfix needs to be added to the `sasl' group to talk to SASLauthd:
$~ adduser postfix sasl
We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
is enough actually.)
**** Test it
[Note: if you test it from localhost, you have to set smtpd_sasl_exceptions_networks
first.]
First, we ensured that encrypted conections are required.
:: telnet localhost 25
[...]
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
What the user type is here emphasized and prefixed with a `*'
:: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
[...]
Verify return code: 0 (ok)
---
250 DSN
* EHLO localhost
[...]
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
* AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
235 2.7.0 Authentication successful
* mail from:<user@fripost.org>
250 2.1.0 Ok
* rcpt to:<user@fripost.org>
250 2.1.5 Ok
* DATA
354 End data with <CR><LF>.<CR><LF>
* Subject: test
* \o/
* .
250 2.0.0 Ok: queued as 3D7767B4BD
Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's,
credentials, in our case login "user@fripost.org" and password "user", which
can be obtained by the command
echo -ne '\000user@fripost.org\000user' | openssl base64
or slightly better (does not write password in the ~/.bash_history)
read U PW; echo -ne "\000$U\000$PW" | openssl base64
**** Anonymize the senders
***** Overview
Reference: https://we.riseup.net/debian/mail#getting-your-postfix-anonymized
If RoudCube automatically anonymize the sender (by simply shortening the
trace), it's not the case (by default) for SquirrelMail, or when clients
connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want
to obfuscate, to prevent the recicipient and/or the intermediate SMTP relays
to track the sender.
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id C9DAB841F4
for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 8onAXWOvImDh for <recipient@example.org>;
Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from webmail.fripost.org (localhost [IPv6:::1])
by fripost.org (Postfix) with ESMTP id 3ADAB8243D
for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from 192.168.1.5
(SquirrelMail authenticated user username)
by webmail.fripost.org with HTTP;
Thu, 22 Mar 2012 16:27:56 +0100
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id 2D1098243D
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Hr2J-eRTN0jI for <recipient@example.org>;
Thu, 22 Mar 2012 16:36:35 +0100 (CET)
Received: from client.example.org (client.example.org [192.168.1.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "client.example.org", Issuer "example.org" (not verified))
by machine.org (Postfix) with ESMTPS id DA22981B95
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET)
Received: (nullmailer pid 5057 invoked by uid 0);
Thu, 22 Mar 2012 15:36:34 -0000
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id DBAFE816BB
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Upen4QhYpKf4 for <recipient@example.org>;
Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: from client.example.org (client.example.org [192.168.1.5])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "", Issuer "" (not verified))
(Authenticated sender: username)
by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
(The first one was sent using a SquirrelMail; The second using ESMTPS;
And the third using ESMTPSA).
If we are to hide the sender, we could simply clean the trace (like
RoundCube does) when the mail leaves the server. However, some aggressive
mailfilters may reject the mail since the trace is incomplete (if RoundCube
hides the history I guess it doesnt' happen that often, but who knows...).
Another option would be to clean the trace and to simply add a fake field
to pretend that the mail is sent from localhost by the user nobody:
Received: by fripost.org (Postfix, from userid 65535)
id 2C537816BB; Thu, 22 Mar 2012 14:08:45 +0100 (CET)
This possible by adding "smtp_header_checks = regexp:$config_directory/smtp_header_checks"
in the Postfix's main.cf, with a suitable file "smtp_header_check" in the Postfix
configuration directory.
Yet another option is not to hide the trace, but rather forge it to
pretend that the ESMTP/... connections are all coming from localhost.
This way we are not hiding the fact that a client has logged in using a
valid certificate, and in case of an SMTP relay, the early part of the
trace (before it entered our Postfix sever) remains unchanged. For
example, the early part of the third trace would become:
Received: from [127.0.0.1] (localhost [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Authenticated sender: username)
by smtp.fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
(the other field remaining unchanged). This is also made possible by
smtp_header_checks. In that case, the corresponding file would contain
the following rexep, forging the header by pretending that the client
has EHLO'ed from localhost:
/^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5}
You can try out the regexp using "postmap -h -q - regex:/etc/postfix/smtp_header_checks < email"
(where `email' may also be a bunch of traces).
We also forge the certificate the client send during the TLS/SSL
handshake, since its CN and Issuer may help to track him/her down.
DISCLAIMER: The regexp probably needs tests (especially for multiple hops,
in case of relaying SMTPs). Also, note that the hostname of the client has
NOT been obfuscated in the above trace (and that will break the relaying path
if the client has a routable hostname that doesn't point to the SMTP server!).
However, this line has been added by the client itself, so it's his/her
responsability to masquerade it I suppose.
***** Install packages
apt-get install postfix-pcre
***** Configure postfix
:: /etc/postfix/smtp_anonymize_sender.pcre
/^Received:\s+from\s+([._[:alnum:]-]+\s+\([._[:alnum:]-]+\s+\[[[:xdigit:].:]{3,39}\]\))(\s+\(using\s+(TLSv1|SSLv[23])\s+with\s+cipher\s+\S+\s+\([\/0-9]+\s+bits\)\)\s+).*(\(Authenticated sender:\s+[^)]+\)\s+).*(by\s+smtp\.fripost\.org\s+\([^)]+\)\s+with\s+E?SMTPS?A?\s+id\s+[[:xdigit:]]+.*)/
REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${4}${5}
/^X-Originating-IP:/ IGNORE
:: /etc/postfix/master.cf
submission inet n - - - - smtpd
[...]
-o cleanup_service_name=cleanup2
[...]
cleanup2 unix n - - - 0 cleanup
-o header_checks=pcre:$config_directory/smtpd_anonymize_sender.pcre
By default, postfix logs the header checks (or rewrites in our case).
For privacy reasons, we drop these when they entery syslog:
:: /etc/rsyslog.conf
# Do not log our Postfix's header rewrites, that are meant to
# anonymize senders.
:msg, ereregex, "^ [[:alnum:]]+: replace: header Received: from" ~
[...]
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
[...]
** Configuring the webserver
sudo apt-get install apache2
sudo a2enmod ssl rewrite
:: /etc/apache2/ports.conf
<IfModule mod_ssl.c>
NameVirtualHost *:443
</IfModule>
:: /etc/apache2/conf.d/security
ServerTokens Prod
*** Roundcube
**** Installing roundcube
# Add the backports repository first, to make sure we're running a somewhat more
# current version than the one currently in stable.
:: /etc/apt/sources.list
deb http://backports.debian.org/debian-backports squeeze-backports main
sudo apt-get install roundcube
:: /etc/php5/apache2/php.ini
log_errors = Off
post_max_size = 25M
upload_max_filesize = 25M
tmp_dir = FIXME
:: /etc/roundcube/main.inc.php ## checked for roundcube 0.5.4+dfsg-1~bpo60+1
# Use caching
$rcmail_config['enable_caching'] = TRUE;
# fripost.org specific
$rcmail_config['force_https'] = TRUE;
$rcmail_config['default_host'] = 'ssl://imap.fripost.org';
$rcmail_config['imap_auth_type'] = 'plain';
$rcmail_config['username_domain'] = 'fripost.org';
# use IP for extra paranoia
$rcmail_config['ip_check'] = true;
# Locale settings
$rcmail_config['language'] = 'sv_SE';
$rcmail_config['date_long'] = 'Y-m-d.Y H:i';
$rcmail_config['product_name'] = 'Fripost';
# IMAP Folders (I guess these were changed for compatibility with SquirrelMail)
$rcmail_config['drafts_mbox'] = 'INBOX.Drafts';
$rcmail_config['junk_mbox'] = 'INBOX.Junk';
$rcmail_config['sent_mbox'] = 'INBOX.Sent';
$rcmail_config['default_imap_folders'] = array('INBOX', 'INBOX.Drafts', 'INBOX.Sent', 'INBOX.Junk', 'Trash');
$rcmail_config['create_default_folders'] = TRUE;
# timezone
$rcmail_config['timezone'] = 'CET';
# compose html formatted messages by default
$rcmail_config['htmleditor'] = TRUE;
:: /etc/roundcube/htaccess
php_value upload_max_filesize 25M
php_value post_max_size 30M
**** Installing custom logo
wget https://fripost.org/images/logo2011_webmail.png
LOGO="logo2011_webmail.png"
sudo mv /var/lib/roundcube/skins/default/images/roundcube_logo.png /var/lib/roundcube/skins/default/images/roundcube_logo2.png
sudo mv $LOGO /var/lib/roundcube/skins/default/images/roundcube_logo.png
sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png
**** Adding a link to https://fripost.org
in
:: /usr/share/roundcube/skins/default/templates/login.html
make
<roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" />
into an anchor element:
<a href="https://fripost.org"><roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" /></a>
**** Adding a custom message on login page
Before this
: <roundcube:object name="preloader" images="
in
:: /usr/share/roundcube/skins/default/templates/login.html
<div style="margin: 20px;"/>
<div style="max-width: 45em; margin: 0px auto; border: dotted 3px red; padding:1em;">
<h3>Important message</h3>
<p align="left"><strong>Mon Feb 13 12:55:30 CET 2012</strong> </p>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing
elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra
arcu, sit amet pellentesque dui enim vitae ipsum.</p>
<p>J. Random Hacker</p>
</div>
**** Allow the users to change their password
We neet to install a plugin http://trac.roundcube.net/browser/trunk/roundcubemail/plugins/password ,
which you can find in:
:: apt-get install roundcube-plugins
Depends on PHP's LDAP library:
:: apt-get install php5-ldap
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts the webmail (i.e., ldap://127.0.0.1:3890
on this machine actually speaks to the master).
It is important to bind to localhost only, since with simple binds
passwords are sent clear over the network.
:: /etc/roundcube/plugins/password/config.inc.php
$rcmail_config['password_driver'] = 'ldap_simple';
$rcmail_config['password_confirm_current'] = true;
$rcmail_config['password_minimum_length'] = 12;
$rcmail_config['password_require_nonalpha'] = false;
$rcmail_config['password_log'] = false;
$rcmail_config['password_ldap_host'] = '127.0.0.1';
$rcmail_config['password_ldap_port'] = '3890';
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = '3';
$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
$rcmail_config['password_ldap_method'] = 'user';
$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
$rcmail_config['password_ldap_encodage'] = 'ssha';
$rcmail_config['password_ldap_pwattr'] = 'userPassword';
$rcmail_config['password_ldap_force_replace'] = true;
*** ikiwiki
- sudo apt-get install ikiwiki
- Add separate ikiwiki user
[[http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/][Link: Integration with ikiwiki]]
*** gitolite and gitweb
# Note: incomplete steps
sudo apt-get install gitolite
sudo dpkg-reconfigure gitolite
:: /var/lib/gitolite/.gitolite.rc
$REPO_UMASK = 0027; # gets you 'rwxr-x---'
# Add the repositories/users to gitolite
# This is mostly self-explanatory, but begin on your local workstation:
git clone gitolite@githost:gitolite-admin
cd gitolite-admin
... make edits
git push
# Push all repositories
cd myrepo
git push --all gitolite@githost:myrepo
git push --tags gitolite@githost:myrepo
# Add the gitweb user to gitolite
sudo apt-get install gitweb
sudo usermod -a -G gitolite www-data
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
# Add repositories to gitweb
sudo ln -s /var/lib/gitolite/repositories/myrepo.git /var/cache/git/myrepo.git
... etc
# Make sure one can checkout the repository via http
[[http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt][Git docs]]
sudo su gitolite
cd /var/lib/gitolite/repositories/myrepo.git
git update-server-info
mv hooks/post-update.sample hooks/post-update
:: /etc/apache2/sites-available/default
AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2
:: /usr/share/gitweb/indextext.html
För att klona ett av dessa träd, installera <a href="http:///">git</a> och kör:
<blockquote><code>git clone http://git.fripost.org/pub/</code> + projektets sökväg</blockquote>
<p>
För mer information om <a href="http://www.kernel.org/pub/software/scm/git/">git</a>, se en
<a href="http://git.or.cz/">överblick</a>, en
<a href="http://www.kernel.org/pub/software/scm/git/docs/gittutorial.html">tutorial</a>
eller
<a href="http://www.kernel.org/pub/software/scm/git/docs">manualsidorna</a>.
</p>
# Add a description of a repository for gitweb
echo "Mötesprotokoll" > fripost-meetings.git/description
** Configuring the list managers
Right now, the list managers are hosted on our outgoing SMTP (and Mail
Submission Agent), namely GNU. However, incoming email that is to be delivered
to a list, as for regular email, is handled by the MX:s since we do not relay a
whole domain for lists.
*** Configuring the MTA on the MX:s
Postfix does not support virtual transport out of the box. Virtual lists need
to be forwarded to a local alias first (replacing the '@' by '#', hence '#' needs to
be forbidden in list names), that can in turn be piped into a command
or transported elswere.
This is not optimal since a domain owner/postmaster cannot control all the lists under
his/her domain for instance. But it is the only solution we found so far.
:: /etc/postfix/main.cf
virtual_alias_maps = ..., ldap:$config_directory/ldap/virtual_alias_lists.cf
mailbox_transport_maps = ldap:$config_directory/ldap/transport_lists.cf
:: /etc/postfix/ldap/virtual_alias_maps.cf
test-list@fripost.org test-list#fripost.org
test-list-admin@fripost.org test-list-admin#fripost.org
test-list-bounces@fripost.org test-list-bounces#fripost.org
test-list-confirm@fripost.org test-list-confirm#fripost.org
test-list-join@fripost.org test-list-join#fripost.org
test-list-leave@fripost.org test-list-leave#fripost.org
test-list-owner@fripost.org test-list-owner#fripost.org
test-list-request@fripost.org test-list-request#fripost.org
test-list-subscribe@fripost.org test-list-subscribe#fripost.org
test-list-unsubscribe@fripost.org test-list-unsubscribe#fripost.org
test-schleuder@fripost.org test-schleuder#fripost.org
test-schleuder-bounces@fripost.org test-schleuder-bounces#fripost.org
test-schleuder-sendkey@fripost.org test-schleuder-sendkey#fripost.org
TODO: give the LDAP configuration
:: /etc/postfix/ldap/transport_lists.cf
test-list#fripost.org smtp:[127.0.0.1]:2345
test-list-admin#fripost.org smtp:[127.0.0.1]:2345
test-list-bounces#fripost.org smtp:[127.0.0.1]:2345
test-list-confirm#fripost.org smtp:[127.0.0.1]:2345
test-list-join#fripost.org smtp:[127.0.0.1]:2345
test-list-leave#fripost.org smtp:[127.0.0.1]:2345
test-list-owner#fripost.org smtp:[127.0.0.1]:2345
test-list-request#fripost.org smtp:[127.0.0.1]:2345
test-list-subscribe#fripost.org smtp:[127.0.0.1]:2345
test-list-unsubscribe#fripost.org smtp:[127.0.0.1]:2345
test-schleuder#fripost.org smtp:[127.0.0.1]:2345
test-schleuder-bounces#fripost.org smtp:[127.0.0.1]:2345
test-schleuder-sendkey#fripost.org smtp:[127.0.0.1]:2345
TODO: give the LDAP configuration
Note: in 'virtual_alias_maps', 'virtual_alias_lists.cf' should come before the
catchalls to be effective.
So every email that is to be delivered to a list manager is dropped into
127.0.0.1:2345 using the SMTP protocol.
*** Configuring the MTA on the machine hosting the list managers
In the rest of this section, we assume there is a tunnel from each MX (port 2345)
to the machine hosting the lists managers (port 2345).
Since this machine is currently also hosting the outgoing SMTP and the Mail
Submission Agent, we cannot the whole Postfix server to lists. Instead, we create a
new Postfix instance for this purpose. (We need to because we need custom
'virtual_alias_maps' that cannot be specified for a particular SMTP server only.)
**** Installation
sudo apt-get install postfix postfix-pcre postfix-cdb
**** Creating a new postfix instance
Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
sudo postmulti -e init
sudo postmulti -I postfix-lists -G mta -e create
sudo ln -s ../postfix/dynamicmaps.cf /etc/postfix-lists/
/etc/postfix/main.cf should be modified with
:: /etc/postfix/main.cf
...
multi_instance_wrapper = ${command_directory}/postmulti -p --
multi_instance_enable = yes
multi_instance_directories = /etc/postfix-lists
...
:: /etc/postfix-lists/main.cf
master_service_disable =
queue_directory = /var/spool/postfix-lists
mail_owner = postfix
multi_instance_group = mta
multi_instance_name = postfix-lists
multi_instance_enable = yes
readme_directory = no
data_directory = /var/lib/postfix-lists
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
myorigin = /etc/mailname
myhostname = lists.fripost.org
mydestination = $myhostname
mynetworks = 127.0.0.0/8 [::FFFF:127.0.0.0]/104 [::1]/128
inet_interfaces = loopback-only
inet_protocols = all
default_database_type = cdb
recipient_delimiter = +
alias_database =
alias_maps =
local_recipient_maps = $transport_maps
virtual_mailbox_domains = pcre:$config_directory/virtual_domains.pcre
virtual_alias_maps = pcre:$config_directory/virtual_aliases.pcre
virtual_mailbox_maps =
virtual_transport = error:5.1.1 Virtual transport unavailable
default_transport = smtp:[127.0.0.1]
relay_domains = $myhostname
transport_maps = cdb:$config_directory/transport_mailman
cdb:$config_directory/transport_schleuder
mailman_destination_recipient_limit = 1
schleuder_destination_recipient_limit = 1
:: /etc/postfix-lists/master.cf
2345 inet n - - - - smtpd
...
mailman unix - n n - - pipe
flags=FR user=list:list argv=/usr/lib/mailman/bin/postfix-to-mailman.py 127.0.0.1 ${user}
# TODO: put ${nexthop} back (it's lists.fripost.org)
schleuder unix - n n - - pipe
flags=FR user=schleuder:schleuder argv=/usr/local/bin/postfix-to-schleuder.sh ${user}
(Don't forget to remove the other 'inet' services in the /etc/postfix-lists/master.cf)
Note: you need to to append the configuration directory to Postfix commands to talk to this
instance, for instance:
- sudo postfix -c /etc/postfix-lists reload # reload (without -c, it reloads both the slave and the master instances)
- sudo postmap -c /etc/postfix-lists /etc/postfix-lists/transport_mailman # postmap
- sudo postfix -c /etc/postfix-lists flush # flush the mail queue
- mailq -C /etc/postfix-lists # dump the mail queue
- ...
:: /etc/postfix-lists/virtual_domains.pcre
# Accept all domains that are not our destination.
# (Only the MX's destinations are required, but...)
!/^lists\.fripost\.org$/ OK
:: /etc/postfix-lists/virtual_aliases.pcre
# Keep the local part, but replace the local part by our relay domain.
/^([^@]+)@/ ${1}@lists.fripost.org
:: /etc/postfix-lists/transport_mailman
test-mailman#fripost.org@lists.fripost.org mailman:
test-mailman-admin#fripost.org@lists.fripost.org mailman:
test-mailman-bounces#fripost.org@lists.fripost.org mailman:
test-mailman-confirm#fripost.org@lists.fripost.org mailman:
test-mailman-join#fripost.org@lists.fripost.org mailman:
test-mailman-leave#fripost.org@lists.fripost.org mailman:
test-mailman-owner#fripost.org@lists.fripost.org mailman:
test-mailman-request#fripost.org@lists.fripost.org mailman:
test-mailman-subscribe#fripost.org@lists.fripost.org mailman:
test-mailman-unsubscribe#fripost.org@lists.fripost.org mailman:
:: /etc/postfix-lists/transport_schleuder
test-schleuder#fripost.org@lists.fripost.org schleuder:
test-schleuder-bounces#fripost.org@lists.fripost.org schleuder:
test-schleuder-sendkey#fripost.org@lists.fripost.org schleuder:
Note: we could use LDAP lookups in transport as well, but it is not easy for
list commands, and we have write access to the disk when adding a new list
anyway. Also, searching in a CDB table is much more efficent.
After modifying /etc/postfix-lists/transport_mailman, type
sudo postmap -c /etc/postfix-lists /etc/postfix-lists/transport_mailman
to produce a CDB table. It is not necessary to reload Postfix after that, but
you may have to wait one minute or two for Postfix to reload the file in memory.
If you are in a hurry, type
sudo postfix -c /etc/postfix-lists reload
to reload this instance only.
Finally, we need a new set of rules for logcheck:
:: /etc/logcheck/ignore.d.server/postfix-lists
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: (dis)?connect from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/smtpd\[[[:digit:]]+\]: [[:alnum:]]+: client=[._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: (resent-|)message-id=<?[^>]+>?( \(added by [^[:space:]]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<[^[:space:]]*>, size=[[:digit:]]+, nrcpt=[[:digit:]]+ \(queue active\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/pipe\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)* relay=(mailman|schleuder|mklist-mailman|mklist-schleuder), delay=[.[:digit:]]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=2(\.[[:digit:]]+){2})?, status=sent \(delivered via \2 service\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/local\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=local, delay=[[:digit:].]+(, delays=([.[:digit:]]+/){3}[.[:digit:]]+)?(, dsn=[45](\.[[:digit:]]+){2})?, status=(deferred|bounced) \(.+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: from=<.*>, status=expired, returned to sender$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: message-id=(<?[^[:space:]]+>?)?( \(added by [^[:space:]]+\))?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: skipped, still being delivered$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-lists/trivial-rewrite\[[[:digit:]]+\]: table cdb:/etc/postfix-lists/(:?mailman|schleuder)/transport\([-,|_[:alnum:]]+\) has changed -- restarting$
(We could use the whole /etc/logcheck/ignore.d.server/postfix, but it's better to
stick to the smallest rule set.)
*** GNU Mailman
**** Installation
:: sudo apt-get install mailman
As of Debian 6.0 (Squeeze), saldy only mailman2 is available, and we need to apply
third party patches for virtual domains to work. Hopefully GNU Mailman 3 will be
available with Wheezy: it has native support for virtual domains, a LMTP server, a
much nicer interface and design...
References:
- http://wiki.list.org/pages/viewpage.action?pageId=4030604
- http://mail.python.org/pipermail/mailman-users/2010-January/068571.html
- for Mailman 3: http://wiki.list.org/display/DEV/Mailman+3.0
cd $HOME && wget http://www.msapiro.net/mm/2.1.13-1_vhost.patch
cd /var/lib/mailman
sudo patch -p1 < $HOME/2.1.13-1_vhost.patch
Two hunks fail due to Debian specific patches, but it's merely line numbers that changed:
1 out of 1 hunk FAILED -- saving rejects to file Mailman/Defaults.py.in.rej
1 out of 1 hunk FAILED -- saving rejects to file Mailman/HTMLFormatter.py.rej
In 'Defaults.py', the DEFAULT_MSG_FOOTER should be kept to
...
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
as we want the a fully qualified list here. But we need to fix 'HTMLFormatter.py', and apply
other custom patches:
cd /var/lib/mailman && sudo patch -p1 < $HOME/mailman.patch
sudo find -L /var/lib/mailman -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
Grab our patch in the fripost-admin repository. Our patch makes the following modifications
- Keep fully qualified lists in URLs (HTMLFormatter.py, MailList.py, Decorate.py)
- Keep fully qualified lists in archive links (Archiver.py)
- Make Postfix strips out the list command and add the domain part (postfix-to-mailman.py)
We now need to pin mailman to avoid our patches being overwritten by an apt-get upgrade.
:: /etc/apt/preferences
Explanation: We applied custom patches to many files created by this package.
Package: mailman
Pin: version *
Pin-Priority: -30000
**** Configuration
:: /etc/mailman/mm_cfg.py
DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'
DEFAULT_EMAIL_HOST = 'lists.fripost.org'
DEFAULT_URL_HOST = 'smtp.fripost.org' # TODO: change that to lists.fripost.org once the A record is changed
MTA = None
DEB_LISTMASTER = 'listmaster@lists.fripost.org'
ACCEPTABLE_LISTNAME_CHARACTERS = '[-_.=a-z0-9@]'
PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/'
DEFAULT_MSG_FOOTER = """_______________________________________________
%(real_name)s mailing list
%(real_name)s@%(host_name)s
%(web_page_url)slistinfo%(cgiext)s/%(real_name)s@%(host_name)s"""
DEFAULT_CHARSET = 'UTF-8'
add_language('en', 'English', 'utf-8')
add_language('sv', 'Swedish', 'utf-8')
TODO: https; use a better URL scheme for the two list managers, perhaps something like
https://lists.fripost.org/mailman/ and https://lists.fripost.org/schleuder/ .
TODO: what URL format shall we choose (cf. DEFAULT_MSG_FOOTER)?
%(real_name)s@%(host_name)s vs %(host_name)s/%(host_name)s
(Right now it is the first choice.)
A first list 'mailman' is required:
sudo -u list ./bin/newlist -q -u smtp.fripost.org mailman listmaster@fripost.org xxxxxxxxxxxxxxxx
The daemon can now be started:
sudo /etc/init.d/mailman start
To create a list:
sudo -u list ./bin/newlist -q -u smtp.fripost.org test-mailman@fripost.org user@fripost.org xxxxxxxxxxxxxxxx
TODO: switch to '-u lists.fripost.org' when the DEFAULT_URL_HOST is updated.
Note: in our case it is *not* the proper way to create lists, since the LDAP directory has to be updated first.
To delete a list:
sudo rm -rf /var/lib/mailman/lists/domain/listname
And the archives:
sudo rm -rf /var/lib/mailman/archives/{public,private}/domain/listname
**** Web server configuration (nginx + fcgiwrap)
sudo apt-get install nginx fcgiwrap
In our case the archives under /pipermail/ do not have the right forwat, a quick &
dirty fix is to use a RewriteRule:
:: /etc/nginx/sites-enabled/lists
# Default list manager
location = / {
rewrite ^ /mailman/listinfo permanent;
}
# Mailman
location ^~ /mailman/ {
location ^~ /mailman/create { return 403; }
rewrite ^/mailman/?$ /mailman/listinfo permanent;
root /usr/lib/cgi-bin;
gzip off;
include fastcgi/params;
# include fastcgi/ssl; #TODO
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
location ^~ /images/mailman/ {
alias /var/lib/mailman/icons/;
}
location ^~ /pipermail/ {
rewrite ^/pipermail/([^@/]+)@([^@/]+)/?(.*)$ /pipermail/$2/$1/$3 last;
index index.html;
alias /var/lib/mailman/archives/public/;
}
For the web interface to be available, one needs to start *both* fcgiwrap and nginx:
sudo /etc/init.d/fcgiwrap start
sudo /etc/init.d/nginx start
Note: We forbid access to '/create' as it is not a proper way to create lists in our
setting (one has to update the LDAP directory first).
We have a rewrite rule for '/pipermail/' as internally, archives are stored hierarchically
under the list's domain.
Note: when creating a new list with '-u lists.example.org', it is not visible under
"http://smtp.fripost.org/cgi-bin/mailman/listinfo", but one can access it under
"http://smtp.fripost.org/cgi-bin/mailman/listinfo/listname@lists.example.org". (TODO:
check that). As usual the list owner can make the list invisible, though.
*** Schleuder
Documentation: https://schleuder2.nadir.org/
**** Installation
sudo apt-get install schleuder
sudo chown 'schleuder:schleuder' /etc/schleuder/lists/
sudo chmod 0700 /etc/schleuder/lists/
**** Patches
We apply custom patches to:
- strip the list commands out of the local part of the list name (schleuder)
- allow lists not to have any members (schleuder-newlist,list.rb), which avoid doing
to much on our panel.
sudo patch -p1 < $HOME/schleuder.patch
(Grab our patch in the fripost-admin repository.)
We now need to pin schleuder to avoid our patches being overwritten by an update.
:: /etc/apt/preferences
Explanation: We applied custom patches to /usr/bin/schleuder, /usr/bin/schleuder-newlist,
Explanation: and /usr/lib/ruby/1.8/schleuder/list.rb
Package: schleuder
Pin: version *
Pin-Priority: -30000
**** Configuration
:: /etc/schleuder/schleuder.conf
smtp_host: smtp.fripost.org
log_rotate_keep: 3
superadminaddr: listmaster@fripost.org
A first list can be created with:
(Note: it can take a very long while, up to 20min. Isn't it weird by the way?)
sudo -u schleuder schleuder-newlist test-schleuder@fripost.org -email test-schleuder@fripost.org -realname test-schleuder -nointeractive -adminaddress user@fripost.org -initmember user@fripost.org -initmemberkey /tmp/user.pub
Note: in our case it is *not* the proper way to create lists, since the LDAP directory has to be updated first.
To add members, from the command line:
sudo -u schleuder gpg --homedir /var/schleuder/lists/test-schleuder@fripost.org --import < /tmp/user2.pub
# sudo -u schleuder bash
echo '- email: user2@fripost.org' >> /var/schleuder/lists/foobar/members.conf
To delete a list:
sudo rm -rf /var/lib/schleuder/listname/ /var/log/schleuder/listname.log /etc/schleuder/lists/listname.conf
**** Web server configuration
We will use webschleuder [http://webschleuder.nadir.org/]. Sadly, it is shipped
in a precompiled Debian Package. Instruction for the installation:
http://webschleuder.nadir.org/documentation/installation.html
sudo apt-get install rubygems libactiverecord-ruby librack-ruby camping
sudo gem install bcrypt-ruby
sudo mkdir -m 0755 /opt/webschleuder
sudo chown nobody /opt/webschleuder
cd /opt
sudo -u nobody git clone git://git.immerda.ch/webschleuder.git webschleuder
sudo chmod +x /opt/webschleuder/contrib/enable_webschleuder.rb
Grab our patch in the fripost-admin repository. It fixes camping's version
(Squeeze's version is too old: 2.0), and allows password to be given from
STDIN, to avoid leaking them through the proccess table.
cd /opt/webschleuder
sudo patch -p1 < $HOME/webschleuder.patch
sudo find -L /opt/webschleuder -type f -a \( -name '*.orig' -o -name '*.rej' \) -delete
sudo chown -R 'nobody:schleuder' /opt/webschleuder
Configuration:
sudo cp webschleuder/ext/webschleuder.conf /etc/schleuder/
sudo chown 'schleuder:schleuder' /etc/schleuder/webschleuder.conf
sudo chmod 0600 /etc/schleuder/webschleuder.conf
:: /etc/schleuder/webschleuder.conf
session_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
web_authtimeout: 900
If you want the list to be available from the web interface, you have to create
a file called 'web.conf' in the list's config directory, containing the bcrypt-ed
password for the web interface. It can be done by hand, or using
echo xxxxxxxxxxxx | sudo -u schleuder ruby /opt/webschleuder/contrib/enable_webschleuder.rb test-schleuder@fripost.org
A test server (for testing/debugging/development purposes only) can be started with
sudo -u schleuder camping webschleuder/webschleuder.rb
***** Configuring nginx + thin
sudo apt-get install nginx thin
sudo mkdir /var/run/webschleuder/
sudo chown 'schleuder:schleuder' /var/run/webschleuder/
:: /etc/thin/webschleuder.yml
---
rackup: config.ru
pid: /var/run/webschleuder/pid
timeout: 30
log: /var/log/schleuder/webschleuder.log
max_conns: 1024
require: []
max_persistent_conns: 512
environment: production
user: schleuder
group: schleuder
servers: 1
daemonize: true
chdir: /opt/webschleuder
socket: /var/run/webschleuder/socket
:: /etc/nginx/sites-enabled/lists
# Webschleuder
location ^~ /schleuder/ {
gzip off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unix:/var/run/webschleuder/socket.0;
}
location ^~ /static/ {
alias /opt/webschleuder/static/;
}
For the web interface to be available, one needs to start *both* thin and nginx:
sudo /etc/init.d/thin start
sudo /etc/init.d/nginx start
*** Creating new lists
The task is somewhat more tricky than for domains / aliases / mailbox creation as
the list manager has to be asked to create the list *on disk*.
The solution we chose is to create a special address 'mklist@fripost.org', for which each
email will be piped by Postfix into a list creation script run with the right user
(list or schleuder, depending on the extension: mklist+mailman@fripost.org or
mklist+schleuder@fripost.org.)
Of course, we don't want to give everyone the permission to create lists, hence the script:
1/ ensures the email is signed with a known *and authorized* GPG key,
2/ ensures the list that is to be created is in the "pending" state,
3/ asks the list manager to create the list (for schleuder, also create the web.conf),
4/ updates and hashes the lookup tables, and
5/ adds the list commands to the LDAP directory, and removes the "pending" state.
The script can be found in the "fripost-panel" repository. See INSTALL and README for
further insformations.
** Logging
*** Overview
We want to limit how much we log for privacy reasons. At the same time we want
to be able to debug technical problems and detect intrusions.
For the webmail, we only log messages of priority warn or higher.
*** Configuration
:: /etc/rsyslog.conf
*.*;auth,authpriv.none;mail.err -/var/log/syslog
# NOTE: /var/log/mail.{err,warn} can be kept at the default
# values since they do not contain any sensitive information.
:: /etc/logrotate.d/rsyslog
/var/log/mail.log
/var/log/mail.info
{
rotate 3
daily
missingok
ifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
/var/log/mail.warn
/var/log/mail.err
[...]
:: /etc/logrotate.d/roundcube-core
/var/log/roundcube/errors
/var/log/roundcube/sendmail
/var/log/roundcube/userlogins
{
create 0640 www-data adm
compress
missingok
notifempty
rotate 3
daily
}
:: /etc/logrotate.d/apache2
/var/log/apache2/*.log {
daily
missingok
rotate 3
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
/etc/init.d/apache2 reload > /dev/null
endscript
}
** Necessary stuff to fix for security
*** Bacula for backups
Also has tripwire-like capabilities.
*** OSSEC
*** Firewall rules
TODO: Add nice rules.
** Ideas for improved security
*** Monitoring
* Hardening
** Overview
The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security.
These are just some quick notes for easy access to the administrators.
** ntp
# Let's be overly paranoid... ;-)
:: /etc/ntp.conf
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+restrict default ignore
+restrict -6 default ignore
** rkhunter
sudo aptitude install rkhunter
sudo rkhunter -c --nomow --rwo
:: /etc/rkhunter.conf
MAIL-ON-WARNING=admin@fripost.org
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.etckeeper
# something like: (adapt port as needed)
INETD_ALLOWED_SVC=127.0.0.1:2000
# in case whitelisting is needed, use something like:
# (whitespace important)
APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "
:: /etc/default/rkhunter
REPORT_EMAIL="admin@fripost.org"
NICE="19"
# testing:
sudo rkhunter -c --nomow --rwo
* NEED TO KNOW FOR SERVER ADMINS
** Procedure for restarting mistral (the VPS)
1. There is one password which has to be provided at boot. This is given to our
VPS host provider via some insecure means of communication.
2. When the server is booted, this password is changed.
3. The partition on /home/mail is then mounted. A separate password is provided
for this.
4. Once the partition is mounted, dovecot and postfix may be started.
** Document your changes
The latest version of this document is always available at:
git clone http://git.fripost.org/pub/fripost-docs.git
To get commit access, contact admin@fripost.org with your request.
** Use etckeeper
We keep /etc in a git repository using the tool etckeeper. This makes it
possible to use standard git commands in /etc, e.g. `git log'. `etckeeper' has
the benefit of keeping track of file permissions, which git by itself will not.
Every time you make changes to any files in /etc, you are encouraged to commit
them using a descriptive commit message.
$ etckeeper commit "postfix: relay messages to remote hosts via smtp"
If you do not commit your changes, they will be automatically committed. This
is not ideal, since this means other administrators might have to guess as to
why changes were being made and by whom. Please try to avoid putting your
co-administrators in this uncomfortable position.
** Use Cluster SSH
This pretty much sums it up:
"ClusterSSH controls a number of xterm windows via a single graphical console
window to allow commands to be interactively run on multiple servers over an ssh
connection."
** Use fripost-tools
We have written some tools to make administration tasks easier. They can be
found at:
git clone http://git.fripost.org/pub/fripost-tools.git
|