| field | value | date |
|---|---|---|
| author | Stefan Kangas <stefankangas@gmail.com> | 2010-12-16 16:56:53 +0100 |
| committer | Stefan Kangas <stefankangas@gmail.com> | 2010-12-16 16:56:53 +0100 |
| commit | 93d64fe8b00503ae4b1fd709cedcf8c9575f3a71 | |
| tree | cec9db416fa54e95192a342e9b09b6f2ed75462b | |
| parent | f51ecda41eda0040ce507e6b1c6c6ce89e0a1744 | |
Improved instructions for configuring a tunnel from a smarthost to the main IMAP server.
fripost-docs.org (-rw-r--r--): 29 lines changed
1 file changed, 16 insertions, 13 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 0788681..2a8a361 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -175,10 +175,14 @@ Aptitude The main server will also be responsible for keeping all users in an MySQL database that will be replicated over *** Configuring the MySQL replication -*** Configuring the SSH tunnel for SMTP +*** Configuring the SSH tunnel between a new smarthost and the main IMAP server + + Definitons: + IMAP server = the main storage server + smarthost = the receiving server (configured as MX) Steps to reproduce the configuration: - 1. Create a user on the main e-mail server [if not done] + 1. Create a user on the main e-mail server [this should already be done on the IMAP server] - sudo aptitude install openbsd-netcat - sudo adduser smtptunnel - echo "exit" > .bash_profile [to be sure] @@ -190,15 +194,15 @@ Aptitude - ssh-keygen -N "" -b 4096 -f ~/.ssh/tunnel_key - cat .ssh/tunnel_key.pub - 3. Add this key to the "smtptunnel"-user on the smarthost - - echo "<thekey>" | sude tee .ssh/authorized_keys2 + 3. Add this key to the user `smtptunnel' on the IMAP server + - echo "<thekey>" | sudo tee .ssh/authorized_keys2 - Add this before "ssh-rsa" in authorized_keys2: command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding - 4. Test the key on the client server: - - sudo ssh -l remupd -i /root/.ssh/tunnel_key smtptunnel@host + 4. Test the key on the smarthost: + - sudo ssh -l smtptunnel -i /root/.ssh/tunnel_key smtptunnel@example.com - 5. Configure openbsd-inetd: + 5. Configure openbsd-inetd on the smarthost: (We use inetd instead of ssh -L because, among other things, ssh -L tends to hang.) - sudo aptitude install openbsd-inetd 
@@ -209,20 +213,17 @@ Aptitude - Make sure the tunnel works: telnet localhost 1917 - 6. Configure postfix on the client server to relay emails through the tunnel + 6. Configure postfix on the smarthost to relay emails through the tunnel One quick-n-dirty example to try it out is: - /etc/postfix/main.cf - relay_domains = fri-epost.dyndns.org + relay_domains = fripost.org transport_maps = hash:/etc/postfix/transport - /etc/postfix/transport - hostname.org smtp:localhost:1917 + fripost.org smtp:localhost:1917 - sudo postmap hash:/etc/postfix/transport -# ssh tunnel to smarthost.com's SMTP server -127.0.0.1:smtp stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_key utumno@smarthost.com - ** Necessary stuff to fix for security @@ -236,6 +237,8 @@ Aptitude Also has tripwire-like capabilities. *** Some kind of IDS + + * NEED TO KNOW FOR SERVER ADMINS ** Use etckeeper |
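Review bot: the added line `Definitons:` in the first hunk (`@@ -175,10 +175,14 @@`) is misspelled; it should read `Definitions:`. The two definitions themselves are a useful addition, because the old text used "main e-mail server", "client server" and "smarthost" interchangeably and every later step of this recipe depends on the reader knowing which host runs the SMTP listener and which one holds the key.

Review bot: in the corrected test command of the second hunk (`@@ -190,15 +194,15 @@`), `sudo ssh -l smtptunnel -i /root/.ssh/tunnel_key smtptunnel@example.com`, the `-l smtptunnel` option and the `smtptunnel@` prefix say the same thing; keep one. Two more points in this hunk: `echo "<thekey>" | sudo tee .ssh/authorized_keys2` overwrites any key already in that file (use `tee -a` to append), and since this key exists only to run the forced command `nc localhost 25`, adding `no-pty` next to `no-X11-forwarding,no-agent-forwarding,no-port-forwarding` narrows what the key can be used for even further. It is also worth saying in the document why the private key is generated without a passphrase (`-N ""`): inetd has to use it unattended, which is exactly why it lives under /root/.ssh and why the forced-command restrictions on the IMAP server side matter.

Review bot: the "quick-n-dirty" postfix example in the third hunk (`@@ -209,20 +213,17 @@`) sets `relay_domains = fripost.org` with no recipient validation; since the smarthost is the MX, the document should at least point to `relay_recipient_maps` (ideally filled from the MySQL user database the file mentions earlier) so that mail for unknown users is rejected at SMTP time instead of being accepted and bounced later. Dropping the stale `127.0.0.1:smtp ... utumno@smarthost.com` inetd line is the right call; it contradicted the `localhost 1917` listener described just above it and still carried an account name that does not belong in the documentation.

Review bot: the new top-level heading `* NEED TO KNOW FOR SERVER ADMINS` in the last hunk (`@@ -236,6 +237,8 @@`) is inserted directly before `** Use etckeeper` and has no body; in org-mode this makes `** Use etckeeper` (and everything after it) a child of the new heading instead of a sibling of `** Necessary stuff to fix for security`, so check that the split is intended and add a sentence describing what the section is for. The hunk also adds two blank lines where one is enough.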