#+TITLE: Administrative diary for Fripost's servers and systems
#+AUTHOR: Those involved with the administration
* Upgrade of benjamin <2011-10-06 tor>
The server benjamin was upgraded to Debian GNU/Linux 6.0 Squeeze in accordance with the [[http://www.debian.org/releases/squeeze/i386/release-notes/ch-upgrading.en.html][upgrading release notes]].
At some point the RAID array did not mount, so the installation was interrupted. Mdadm was used to set up the software RAID:
: $ cat /proc/partitions
: $ cat /etc/mdadm/mdadm.conf
: # mdadm --misc --query /dev/sdc1 /dev/sdd1; # for display
: # mdadm --misc --examine /dev/sdc1 /dev/sdd1; # for display
: # mdadm --misc --examine --scan
: # mdadm --assemble --scan
The logical volume management (LVM) also needed to be set up.
: # vgdisplay
: $ ls -1 /dev | grep 2T; # shows nothing
: # vgchange --available y 2T_vg-backup
: $ ls -1 /dev | grep 2T; # shows VG 2T_vg-backup
: # cryptsetup luksOpen /dev/2T_vg-backup/backup backup
: # sudo mount -t ext4 /dev/mapper/backup /mnt/backup
The =/etc/fstab= is no longer correct since "ext4dev" is not a supported file system. Instead "ext4" should be used.
** Things to do after upgrade
- Remove the following packages
  - apticron (will be replaced by unattended-upgrades)
- Check logcheck rules
- Check rkhunter (root kit hunter) configurations
- Check NTP (network time protocol) configuration
* Configure Roundcube for password change <2011-11-22 tis>
From phone call with Stefan. Apache is configured differently and better on zetkin. There is one file per host, which is better than having all hosts' configurations in one file. However, the Roundcube installation is older on zetkin, so it could be wise to update with backports.
<2011-11-22 tis> [[http://www.roundcube.net/][Official website]]. The plugin of interest is [[http://trac.roundcube.net/browser/trunk/plugins/password][password]], found in the [[http://trac.roundcube.net/wiki/Plugin_Repository][Plugin Repository]].
<2011-11-24 tor> Found the Roundcube directory: /var/lib/roundcube/. The configuration files are in /etc/roundcube/. Also the relevant Apache2 configuration files are linked into /etc/roundcube/. Plugins are placed in /var/lib/roundcube/plugins/ and installed by editing /etc/roundcube/main.inc.php. It took a while to figure Apache out enough to find the directories. Roundcube is not really a program; it is just some PHP scripts.
I do not have a clue about how to download the plugin, after hours of searching. This PHP code tracking drives me mad.
<2011-12-04 sön> As a plugin exercise I (Gustav) installed serverinfo. Note also catalogue /\/usr\/share\/roundcube/ and that many paths are links into /var/lib/roundcube/.
It appears that some plugins come with the installation. See [[http://www.roundcubeforum.net/3-news-announcements/12-general-discussion/5258-plugin-download-link.html][this post]].
Finally the plugin is installed; I requested the full stable 0.6-version sources to my home directory and copied the plugin files into /var/lib/roundcube/plugin. Next step will be to identify how to establish a connection with the IMAP (database) server.
<2011-12-06 tis> This is hard. It is not MySQL's MD5 algorithm that is used. The checksum is probably base64 and not hexadecimal (from Password.pm). Can this be a plan:
- Reproduce the fripost-passwd perl script to realise what is happening.
- Confirm how the connection is established between roundcube and imap.fripost.org
<2011-12-10 lör> Notes from phone call with Stefan. (1) Create a user, /roundcubetunnel/, on /antilop/ and configure the tunnel according to fripost-documentation. (2) The password is created together with a salt.
<2011-12-11 sön> MySQL was installed on cantor in order to have a lab system: /root//'root', database /fripost-lab/.
: > create database fripost_lab;  -- a hyphen is not valid in an unquoted identifier
Log in using:
: $ mysql --user=root --password fripost_lab
Read Section 5.3.2.2, "End-User Guidelines for Password Security".
User created according to 5.5.2. "Adding User Accounts".
: > create user 'roundcube'@'localhost' identified by 'roundcube';
: > create user 'roundcube'@'%' identified by 'roundcube'; -- so it can be used from all hosts
: > show grants for 'roundcube'@'localhost';
: > show grants for 'roundcube'@'%';
: > set password for 'roundcube'@'localhost' = password('roundcube');
: > set password for 'roundcube'@'%' = password('roundcube');
: > grant select, update on fripost_lab.mailbox to 'roundcube'@'localhost';
: > grant select, update on fripost_lab.mailbox to 'roundcube'@'%';
The command /grant/ gives /roundcube/ privileges to select and update table /mailbox/. There is no possibility to give privileges to update just certain columns in a table. If that is wanted, a separate table has to be created.
Next:
- create an SQL-script that tests all privileges, and try it on /roundcube@localhost/ and /roundcube@%/.
- create that user on /antilop/
<2011-12-21 ons> When users are added, the passwords are generated on a local computer, e.g. /cantor/ using the Perl function
: use Digest::MD5;
: use MIME::Base64;
: # pad_base64 and make_salt are defined elsewhere in the script
: sub smd5 {
:     my $pw   = shift;
:     my $salt = shift || &make_salt();
:     # {SMD5} = base64( md5( password . salt ) . salt ), salt stored in clear after the digest
:     return "{SMD5}" . pad_base64( MIME::Base64::encode( Digest::MD5::md5( $pw . $salt ) . $salt, '' ) );
: }
written by Dominik Schulz, but suggested on Dovecot's wiki: [[http://wiki.dovecot.org/Authentication/PasswordSchemes]["Password Schemes"]]. Dot (.) means /concatenation/. This gives a salted, base64-encoded MD5 hash.
Reading Roundcube's password plugin's README suggests we should use the last two examples in section 2.1. Also read [[http://www.roundcubeforum.net/7-third-party-contributions/46-api-based-plugins/6624-dovecot-sql-driver-password.html]["Dovecot-SQL Driver for Password"]] on Roundcube's wiki carefully. The password seems to be double salted.
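The {SMD5} scheme from the Perl sub above, as an added Python example (not Fripost's code) with a verifier that recovers the salt from the stored value so a stored hash can be checked; it applies the salt exactly once, which is what the Perl does. The 4-byte salt length is an assumption for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored form (as in the diary's Perl sub smd5):
#   "{SMD5}" + base64( md5(password . salt) . salt )
# The salt sits in clear after the 16-byte digest, so a verifier can extract it.
PREFIX = "{SMD5}"


def make_salt(length: int = 4) -> bytes:
    """Random salt; 4 bytes is an assumption, Dovecot accepts other lengths."""
    return os.urandom(length)


def smd5(password: str, salt: Optional[bytes] = None) -> str:
    """Return the {SMD5} string for password, generating a salt if none is given."""
    if salt is None:
        salt = make_salt()
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()  # 16 bytes
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_smd5(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SMD5} value into (digest, salt); None if malformed."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except binascii.Error:
        return None
    if len(raw) <= 16:  # must hold a full MD5 digest plus at least one salt byte
        return None
    return raw[:16], raw[16:]


def verify_smd5(stored: str, candidate: str) -> bool:
    """Check candidate against a stored {SMD5} value (salt applied once)."""
    parts = split_smd5(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.md5(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```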
* Preparation for migration of IMAP from /antilop/ to /mistral/ <2011-12-20 tis>
** Actions <2011-12-21 ons>
- Examine the IMAP settings
** Administrator's user accounts.
The administrators /gustav/, /ljo/, and /skangas/ are in /\/etc\/sudoers/, and the /\/home\/<name>\// home directories are copied from /antilop/.
** Files from /etc.
<2011-12-20 tis> Files to transfer to /mistral/ are:
: bacula/ dovecot/ etckeeper/ logcheck/ mysql/ ossec-init.conf postfix/ rkhunter.conf rsyslog.conf ssh/sshd_config ssl/
Archived in /\/home\/gustav\/ect-antilop-2011-12-20.tar.gz/, ready for transfer.
<2011-12-21 ons> LJO transferred all gz-files to /mistral/. All config files are also installed on the system, so there should be nothing left to do (almost). Check the Postfix configuration once again.
** Check when done
- that /\/etc\/cron.d/ and friends are the same as on /antilop/ <2011-12-20 tis>
- POSTFIX configuration <2011-12-21 ons>
** Mounting of file systems, etc.
<2011-12-21 ons> The partition /\/dev\/mapper\/fripost/ -> /\/home\/mail/ is created and encrypted. Maybe the mount and encryption procedure needs to be gone through again.
** Change luks keys
Quoted from the Internet:
Basically, you just add an additional password (LUKS allows up to 8 different passwords for the same volume) and delete the original password. Here's a link that describes the process in detail:
http://www.saout.de/tikiwiki/tiki-in...eviceUsingLUKS
: # cryptsetup luksAddKey /dev/sdc1
: # cryptsetup luksDelKey /dev/sdc1 0
** Packages
<2011-12-20 tis> All packages to be installed and removed, both from the dpkg selections on antilop and from fripost-docs, are in /\/home\/gustav\/selections-2011-12-20.tar.gz/ on antilop.
<2011-12-21 ons> LJO transferred all gz-files to /mistral/. All packages of interest are installed and those that should be removed are pruned.
** OSSEC
<2011-12-21 ons> OSSEC is installed and running. Hope that the settings are good.
** Sync of Maildir dirs.
<2011-12-21 ons> LJO synced mails once.
** WIP: making the switch
When mistral is fully configured for migration, we should do the following steps (preliminary description):
These steps are just an outline, they should be filled in, including the exact command lines to be used. Also, some of the steps can be tested beforehand (e.g. copying all emails, copying the database data from antilop and make sure it runs on mistral).
*** 1. Migrate data
- Copy the database from antilop to mistral
- Copy all emails from antilop to mistral (this will be redone below)
*** 2. Start services on mistral
- Start mysql on mistral
- Start postfix on mistral
- Start dovecot on mistral
*** 3. DNS Change
- Point imap.fripost.org to the new server
*** 4. Point the MXes to mistral.fripost.org
If we begin with the secondary MX, when the primary MX goes down, e-mails will automatically get delivered to mistral via the secondary MX.
**** Point elefant.fripost.org to mistral.fripost.org
- [ ] MySQL Replication
- [ ] SMTP Delivery
**** Point luxemburg.marxist.se to mistral.fripost.org
- [ ] MySQL Replication
- [ ] SMTP Delivery
*** 5. Stop services after 1-2 hours
- Stop postfix on antilop
- Stop dovecot on antilop
- Stop mysql on antilop
*** 6. Copy all emails
- Copy all emails from antilop to mistral
* Upgrade of luxemburg to squeeze <2011-12-21 ons>
- `luxemburg', `harvey' and `zetkin' require the package `firmware-linux-nonfree'.
  This means we should add contrib and non-free to /etc/apt/sources.list, e.g.:
  : deb ftp://ftp.sunet.se/pub/Linux/distributions/debian squeeze main contrib non-free
- Install emacs23-nox, remove emacs22-nox
- Merge /etc/mysql/my.cnf, among other things removing the line ^skip-bdb$
* Fix relaying from elefant <2011-12-21 Wed>
- there was both a mysqltunnel and an smtptunnel to antilop running
- mysql was not even installed, so I installed it
- it seems there had been some problem upgrading to squeeze
- the problem was, again, that we needed to remove line ^skip-bdb$ from /etc/mysql/my.cnf
* Temporary solution to the IMAP problem [2012-03-19 mån]
The plan is to set up IMAP on harvey and the webmail on zetkin.
** Migration of IMAP to harvey
1. [X] Close the tunnels from the MXes (elefant and luxemburg) so that e-mail is queued up on them.
: $ sudo service openbsd-inetd stop
2. [ ] Synchronise the e-mail from the backup machine benjamin's backup to the future IMAP server, harvey
3. [ ] Synchronise the configuration files from benjamin (backup) to harvey
4. [ ] Start dovecot on harvey
5. [ ] Switch the target of the address \texturl{imap.fripost.org} to \texthost{mistral}.
6. [ ] Open the tunnels to \texthost{mistral}.
7. [ ] Shut down Dovecot on \texthost{antilop}.
** Migration of webmail to zetkin
1. [X] Repoint fpwebmail1 to zetkin
2. [ ] Move the certificates over
** Migration back to mistral
1.
** TODO Encrypt /home on harvey
/home is its own partition
*** Move /home to a temporary location
*** unmount /home
*** encrypt the volume
: $ sudo cryptsetup luksFormat <device>
answer the questions
: $ sudo cryptsetup luksOpen <device> <name>
name can typically be home. The volume is typically found under /dev/mapper/<name>
: $ sudo mkfs.ext4 /dev/mapper/<name>
** TODO Copy the mail directory over to harvey
: skangas@benjamin:/mnt/backup/mistral/home/mail$ sudo tar cpf mail-mistral-2012-03-19.tar virtual
** TODO Inform Leif-Jöran of the plan
*** TODO Get confirmation
** TODO Install software on harvey
*** TODO Dovecot
*** TODO Move the configuration files over from benjamin.
* Reconfiguration of mistral
LJO managed to fix /etc, /home, /var/lib/mysql and /home/mail
There are problems with DNS. ftp.se.debian.org and security.debian.org are entered statically in /etc/hosts. The DNS problem was solved nicely with Google Public DNS.
We follow the documentation; install programs, etc.
Since all configurations had already been copied over, it was just a matter of making sure that
- postfix
was running, and then starting
- dovecot
Dovecot and similar packages were installed on harvey, and these are now being removed.
A message was written on the login page of harvey.