aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fripost-docs.org186
1 files changed, 149 insertions, 37 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index dfa2430..8c7d302 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -178,12 +178,71 @@ Aptitude
The main server will also be responsible for keeping all users in an MySQL
database that will be replicated using MySQL.
+*** Configuring an SSH tunnel between two hosts
+
+ Definitons:
+ originating host = the host that will be connecting
+ destination host = the host that runs some service
+
+**** Preparing steps on the destination
+
+ 1a. Install necessary software on the destination host:
+
+ - sudo aptitude install openbsd-netcat
+
+ 1b. Create a new user on the destination host:
+
+ - sudo adduser smtptunnel
+ - echo "exit" | sudo -u smtptunnel tee ~smtptunnel/.bash_profile
+ - disable the password: sudo vipw -s
+
+ Note: We need bash, so we can not change the shell to something else.
+
+**** Preparing steps on the originating server
+
+ 1c. Install necessary software on the originating server:
+
+ - sudo aptitude install openbsd-inetd
+
+ Comment: We use inetd instead of ssh -L because, among other things, ssh
+ -L tends to hang.
+
+**** Steps to set up a new tunnel
+
+ 2. Create a key on the originating server:
+ - sudo su
+ - ssh-keygen -N "" -b 4096 -f ~/.ssh/tunnel_key
+ - cat .ssh/tunnel_key.pub
+
+ 3. Add this key to the user `smtptunnel' on the IMAP server
+ - echo "<thekey>" | sudo tee .ssh/authorized_keys2
+ - Add this before "ssh-rsa" in authorized_keys2:
+ command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding
+
+ 4. Test the key on the smarthost:
+ - sudo ssh -l smtptunnel -i /root/.ssh/tunnel_key example.com
+
+ 5. Configure openbsd-inetd on the smarthost:
+
+ - /etc/inetd.conf
+:HIDDEN:
+127.0.0.1:1917 stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_key smtptunnel@example.com
+:END:
+ - sudo /etc/init.d/openbsd-inetd restart
+
+ You should now be able to connect through the tunnel using something like:
+
+ telnet localhost 1917
+
*** Basic configuration of MySQL
**** Installing MySQL
- sudo apt-get-install mysql-server
- generate a long (25 characters) password for the mysql root user
**** Configuring the main IMAP server
+
+ - create database mail;
+
We will use four tables `alias', `domain', `log' and `mailbox'.
// FIXME; add description of tables
@@ -205,52 +264,108 @@ mysql> describe mailbox;
:END:
**** Configuring the MySQL replication
- This link looks promising:
- http://www.howtoforge.com/mysql_database_replication
+
+ [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]
- However, we will be using an SSH tunnel for this, so this needs to be described.
+ We will use MySQL replication to keep the MySQL user data on the smarthosts
+ in sync with the data held on the main IMAP server.
-*** Configuring the SSH tunnel between a new smarthost and the main IMAP server
+ We begin by setting up an SSH tunnel. This process is described above.
+ The rest is fairly straight-forward (instructions below adapted from [[http://www.howtoforge.com/mysql_database_replication][here]]).
- Definitons:
- IMAP server = the main storage server
- smarthost = the receiving server (configured as MX)
+ - Set up the SSH tunnel.
- Steps to reproduce the configuration:
- 1. Create a user on the main e-mail server [this should already be done on the IMAP server]
- - sudo aptitude install openbsd-netcat
- - sudo adduser smtptunnel
- - echo "exit" > .bash_profile [to be sure]
- We need bash, so we can not change the shell to something else.
- - disable the password: sudo vipw -s
+***** Configure the master
- 2. Create a key on the smarthost:
- - sudo su
- - ssh-keygen -N "" -b 4096 -f ~/.ssh/tunnel_key
- - cat .ssh/tunnel_key.pub
+ - Add this to my.cnf:
+:HIDDEN:
+server-id = 1
+log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+binlog_do_db = mail
+:END:
- 3. Add this key to the user `smtptunnel' on the IMAP server
- - echo "<thekey>" | sudo tee .ssh/authorized_keys2
- - Add this before "ssh-rsa" in authorized_keys2:
- command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding
+ - /etc/init.d/mysql restart
- 4. Test the key on the smarthost:
- - sudo ssh -l smtptunnel -i /root/.ssh/tunnel_key smtptunnel@example.com
+ - Enter MySQL shell and create user with replication privileges:
+ mysql -u root -p
- 5. Configure openbsd-inetd on the smarthost:
- (We use inetd instead of ssh -L because, among other things, ssh -L tends to hang.)
+ When in shell, do the following (replace <password> with something better):
- - sudo aptitude install openbsd-inetd
- - /etc/inetd.conf
+ create database mail;
+
+ GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY '<password>';
+ FLUSH PRIVILEGES;
- 127.0.0.1:1917 stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_key smtptunnel@example.com
+ # Is this only needed when using "load data from master"?
+ grant reload, super, replication client on *.* to 'slave_user';
- - Make sure the tunnel works:
- telnet localhost 1917
+ USE mail;
+ FLUSH TABLES WITH READ LOCK;
+ SHOW MASTER STATUS;
- 6. Configure postfix on the smarthost to relay emails through the tunnel
+ unlock tables;
+ quit;
- One quick-n-dirty example to try it out is:
+***** Configure the slave
+
+ - Enter the MySQL shell and create the database:
+
+ mysql -u root -p
+ Enter password:
+ CREATE DATABASE mail;
+ quit;
+
+ - /etc/mysql/my.cnf
+:HIDDEN:
+tmpdir = /var/lib/mysql/tmp
+# Note that the server-id must be different on all hosts
+server-id = 2
+master-host = 127.0.0.1
+master-port = 1949
+master-user = slave_user
+master-password = <password>
+master-connect-retry = 60
+replicate-do-db = mail
+:END:
+ - create the temporary directory:
+
+ mkdir /var/lib/mysql/tmp
+ chown mysql:mysql !$
+ chmod 0750 !$
+
+ - /etc/init.d/mysql restart
+ - Enter the MySQL shell and make the replication:
+
+ mysql -u root -p
+ Enter password:
+ LOAD DATA FROM MASTER;
+ quit;
+
+ A strange bug bit me at this point, notes:
+
+ start slave; stop slave;
+ show slave status\G
+
+ [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
+
+ CHANGE MASTER TO MASTER_PORT=1949, MASTER_CONNECT_RETRY=60;
+
+
+*** Configuring a new smarthost to relay e-mail to the main IMAP server
+
+ Definitons:
+ IMAP server = the main storage server
+ smarthost = the receiving server (configured as MX)
+
+ First setupa an SSH tunnel between the hosts according to instructions given
+ above in this document.
+
+ Next, you need to configure postfix on the smarthost to relay emails through
+ the tunnel:
+
+ One quick-and-dirty example to try it out is:
- /etc/postfix/main.cf
relay_domains = fripost.org
transport_maps = hash:/etc/postfix/transport
@@ -258,13 +373,10 @@ mysql> describe mailbox;
fripost.org smtp:localhost:1917
- sudo postmap hash:/etc/postfix/transport
-
-
-
** Necessary stuff to fix for security
*** Firewall rules
-
+TODO: Add nice rules.
** Ideas for improved security
*** Increased rate of backups when the IMAP server goes down