-rw-r--r--fripost-docs.org386
1 files changed, 250 insertions, 136 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index afff34a..09ca536 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -136,7 +136,7 @@ sudo aptitude install logcheck syslog-summary
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
/etc/logcheck/ignore.d.server/ddclient
:HIDDEN:
@@ -322,9 +322,9 @@ smarthost = the server receiving email from the internet (configured as MX)
THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx"
- sudo -u $TUNNEL_USER mkdir $TUNNEL_HOME/.ssh
- echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\
-no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh/authorized_keys2
+ sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
+ echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\
+no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
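Review bot: The option list written to authorized_keys2 on the new side of this hunk omits `no-pty`, so a key that is only supposed to run `nc localhost $DEST_PORT` can still request a terminal; `no-user-rc` is worth adding for the same reason. The line would read `echo "command=\"nc localhost $DEST_PORT\",no-pty,no-user-rc,no-X11-forwarding,no-agent-forwarding,\`. Quoting the expansions, e.g. `sudo -u "$TUNNEL_USER" mkdir -p "$TUNNEL_HOME/.ssh"`, also keeps the `mkdir -p` and `tee -a` from misbehaving if the home path contains whitespace.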
@@ -353,120 +353,81 @@ telnet localhost $ORIGIN_PORT
*** Installing MySQL
- sudo apt-get install mysql-server
- generate a long (25 characters) password for the mysql root user
- - /etc/mysql/my.cnf
-:HIDDEN:
-skip-innodb
-:END:
-*** Configuring the MySQL replication
-***** Overview
- [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]
-
- We will use MySQL replication to keep the MySQL user data on the smarthosts
- in sync with the data held on the main IMAP server.
-
- We begin by setting up an SSH tunnel, as described above. The rest is
- fairly straight-forward. Here are instructions adapted from the MySQL
- manual.
-
- - Set up the SSH tunnel.
-
-***** Configure the master
-
- - Add this to my.cnf:
-:HIDDEN:
-server-id = 1
-log_bin = /var/log/mysql/mysql-bin.log
-expire_logs_days = 10
-max_binlog_size = 100M
-binlog_do_db = mail
-:END:
-
- - /etc/init.d/mysql restart
-
- - Enter MySQL shell and create user with replication privileges:
- mysql -u root -p
-
- # use only ASCII for <password>
-
- GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
- FLUSH PRIVILEGES;
-
- USE mail;
- FLUSH TABLES WITH READ LOCK;
-
- # Save the output of this command:
- SHOW MASTER STATUS;
-
- unlock tables;
- quit;
-
- # Copy this file to the slave:
- mysqldump -u root -p --opt mail > mydump.sql
-
-***** Configure the slave
-
- - Enter the MySQL shell and create the database:
+ - /etc/mysql/my.cnf: skip-innodb
+*** MySQL on the main IMAP server
+**** Overview
- mysql -u root -p
- CREATE DATABASE mail;
- quit;
-
- mysql -u root -p --database=mail < mydump.sql
+We will use four tables `alias', `domain', `log' and `mailbox'.
- - create a new temporary directory:
-
- sudo mkdir /var/lib/mysql/tmp
- sudo chown mysql:mysql !$
- sudo chmod 0750 !$
-
- - /etc/mysql/my.cnf
-:HIDDEN:
-tmpdir = /var/lib/mysql/tmp
-# Note that the server-id must be different on all hosts
-server-id = 2
-:END:
- - /etc/init.d/mysql restart
-
- SLAVE STOP;
- # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
- # NOTE: fill in these values using output from SHOW MASTER STATUS; above
-
- CHANGE MASTER TO
- MASTER_HOST='127.0.0.1',
- MASTER_PORT=1949,
- MASTER_USER='slave_user',
- MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;
-
- START SLAVE;
- quit;
-
-***** Useful commands while debugging
- start slave; stop slave;
- show slave status\G
-
-*** Configuring the main IMAP server
-**** /etc/postfix/main.cf
-
-**** MySQL on the main IMAP server
-
- - create database mail;
-
- We will use four tables `alias', `domain', `log' and `mailbox'.
-
- // FIXME; add description of tables
- :HIDDEN:
-mysql> show tables;
-
-mysql> describe alias;
-
-mysql> describe domain;
-
-mysql> describe log;
+***** mysql> show tables;
++----------------+
+| Tables_in_mail |
++----------------+
+| alias |
+| domain |
+| log |
+| mailbox |
++----------------+
+4 rows in set (0.00 sec)
+
+***** mysql> describe alias;
++-------------+--------------+------+-----+---------------------+-------+
+| Field | Type | Null | Key | Default | Extra |
++-------------+--------------+------+-----+---------------------+-------+
+| address | varchar(255) | NO | PRI | | |
+| goto | text | NO | | NULL | |
+| domain | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
++-------------+--------------+------+-----+---------------------+-------+
+6 rows in set (0.00 sec)
+
+***** mysql> describe domain;
++-------------+--------------+------+-----+---------------------+-------+
+| Field | Type | Null | Key | Default | Extra |
++-------------+--------------+------+-----+---------------------+-------+
+| domain | varchar(255) | NO | PRI | | |
+| description | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
++-------------+--------------+------+-----+---------------------+-------+
+5 rows in set (0.00 sec)
+
+***** mysql> describe log;
++-------+-------------+------+-----+-------------------+----------------+
+| Field | Type | Null | Key | Default | Extra |
++-------+-------------+------+-----+-------------------+----------------+
+| id | int(11) | NO | PRI | NULL | auto_increment |
+| user | varchar(20) | NO | | | |
+| event | text | NO | | NULL | |
+| date | timestamp | NO | | CURRENT_TIMESTAMP | |
++-------+-------------+------+-----+-------------------+----------------+
+4 rows in set (0.00 sec)
+
+***** mysql> describe mailbox;
++-------------+--------------+------+-----+---------------------+-------+
+| Field | Type | Null | Key | Default | Extra |
++-------------+--------------+------+-----+---------------------+-------+
+| username | varchar(255) | NO | PRI | | |
+| password | varchar(255) | NO | | | |
+| name | varchar(255) | NO | | | |
+| maildir | varchar(255) | NO | | | |
+| domain | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
++-------------+--------------+------+-----+---------------------+-------+
+8 rows in set (0.00 sec)
+
+**** Steps to produce it
+mysql -u root -p
-mysql> describe mailbox;
- :END:
+ create database mail;
- - sudo mysql -u root -p --database=mail
+sudo mysql -u root -p --database=mail
+FIXME: Not 100 % up to date
:HIDDEN:
DROP TABLE IF EXISTS `alias`;
SET @saved_cs_client = @@character_set_client;
@@ -523,23 +484,137 @@ CREATE TABLE `mailbox` (
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps';
SET character_set_client = @saved_cs_client;
:END:
- - mysql -u root -p
- CREATE USER 'mail'@'localhost' IDENTIFIED BY 'secret';
+
+mysql -u root -p
+
+# Create triggers
+
+ use mail;
+
+ DELIMITER $$
+ CREATE TRIGGER alias_set_created_on_insert before insert on alias
+ for each row begin set new.create_date = current_timestamp; end$$
+ CREATE TRIGGER domain_set_created_on_insert before insert on domain
+ for each row begin set new.create_date = current_timestamp; end$$
+ CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox
+ for each row begin set new.create_date = current_timestamp; end$$
+ DELIMITER ;
+
+# Create mail user
+
+ CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ';
GRANT SELECT ON mail.alias TO 'mail'@'localhost';
GRANT SELECT ON mail.domain TO 'mail'@'localhost';
GRANT SELECT ON mail.mailbox TO 'mail'@'localhost';
-**** Test delivery
+*** Configuring the MySQL replication
+***** Overview
+[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]
-- /etc/postfix/main.cf
-:HIDDEN:
-# Not really needed until we switch to using Courier maildrop
-maildrop_destination_recipient_limit = 1
+We will use MySQL replication to keep the MySQL user data on the smarthosts
+in sync with the data held on the main IMAP server.
-virtual_mailbox_base = /home/mail/virtual
-:END:
+These instructions are mainly adapted from the MySQL manual.
+
+***** Configure the master
+
+ :: /etc/mysql/my.cnf:
+
+ server-id = 1
+ log_bin = /var/log/mysql/mysql-bin.log
+ expire_logs_days = 10
+ max_binlog_size = 100M
+ binlog_do_db = mail
+
+
+/etc/init.d/mysql restart
+
+***** Configure the slave
+****** Set up an SSH tunnel
+
+We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]].
+
+****** Preparing steps to take on master
+
+# Enter MySQL shell and create a user with replication privileges.
+# NB: Use only ASCII for the <password>
+mysql -u root -p
+
+ GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
+ FLUSH PRIVILEGES;
+ USE mail;
+ FLUSH TABLES WITH READ LOCK;
+ quit;
+
+# Make a database dump.
+
+mysqldump -u root -p --opt mail > mydump.sql
+
+# Now, copy this file to the slave.
+
+# Save the output of the SHOW MASTER STATUS COMMAND.
+mysql -u root -p
+
+ SHOW MASTER STATUS;
+ unlock tables;
+ quit;
+
+****** Slave configuration
+
+# Create a new temporary directory.
+# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage.
+
+TMP_DIR=/var/lib/mysql/tmp
+sudo mkdir $TMP_DIR
+sudo chown mysql:mysql $TMP_DIR
+sudo chmod 0750 $TMP_DIR
+
+ :: /etc/mysql/my.cnf
+
+ tmpdir = /var/lib/mysql/tmp
+ # Note that the server-id must be different on all hosts
+ server-id = 2
+
+/etc/init.d/mysql restart
+
+# Enter the MySQL shell and create the database:
-sudo mkdir -p /home/mail/virtual/fripost.org/example/
+mysql -u root -p
+
+ CREATE DATABASE mail;
+ quit;
+
+mysql -u root -p --database=mail < mydump.sql
+
+# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
+# NOTE: fill in these values using output from SHOW MASTER STATUS; above
+# NOTE: filling this in my.cnf is deprecated
+
+mysql -u root -p
+
+ SLAVE STOP;
+
+ CHANGE MASTER TO
+ MASTER_HOST='127.0.0.1',
+ MASTER_PORT=1949,
+ MASTER_USER='slave_user',
+ MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;
+
+ START SLAVE;
+ show slave status\G
+
+# If it seems OK, just:
+
+ quit;
+
+*** Configuring the main IMAP server
+**** /etc/postfix/main.cf
+
+TODO: add file contents
+
+**** Test delivery
+
+sudo mkdir -p /home/mail/virtual/fripost.org/
mysql -u root -p
INSERT INTO mailbox (username,password,name,maildir,domain)
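Review bot: The line `CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ';` replaces the old `'secret'` placeholder with what looks like a real credential and commits it to version control, while the rest of the hunk still uses `'<password>'` for the replication user. It should read `CREATE USER 'mail'@'localhost' IDENTIFIED BY '<password>';`, and the value that was committed should be treated as exposed and rotated. A second problem in the master-preparation steps: `FLUSH TABLES WITH READ LOCK;` is followed directly by `quit;`, which releases the lock, so the `mysqldump` and the later `SHOW MASTER STATUS` run without it and the recorded binlog position need not match the dump. Keep one session holding the lock while the dump runs and take `SHOW MASTER STATUS` in that session (or let `mysqldump --master-data` record the position), and only then `unlock tables;`.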
@@ -612,25 +687,64 @@ sudo /etc/init.d/dovecot restart
# client.
*** Configuring a new smarthost to relay e-mail to the main IMAP server
+**** Overview
+
+We relay mail from our smarthosts to the main IMAP server.
+
+This is to avoid having a single poin of failure and to separate concerns. The
+IMAP server then only needs to deal with authenticated clients and the
+smarthosts.
+
+**** Prerequisites
+
+Before this can work we must make sure that:
+- the MySQL replication is working
+- there is an SSH tunnel for the smtp
+
+If they are both setup, we can configure postfix on the smarthost to relay
+emails through the tunnel.
+
+**** Configuration files
+
+TODO: add the necessary configuration files
-First setup an SSH tunnel between the hosts according to instructions given
-above.
-Next, we need to configure postfix on the smarthost to relay emails through the
-tunnel:
-
- One quick-and-dirty example to try it out is:
- - /etc/postfix/main.cf
- relay_domains = fripost.org
- transport_maps = hash:/etc/postfix/transport
- - /etc/postfix/transport
- fripost.org smtp:localhost:1917
- - sudo postmap hash:/etc/postfix/transport
** Configuring the webserver
- sudo apt-get install apache2
+** Logging
+*** Overview
+We want to limit how much we log for privacy reasons. At the same time we want
+to be able to debug technical problems and detect intrusions.
+
+For the webmail, we only log messages of priority warn or higher.
+*** Configuration
+
+ :: /etc/rsyslog.conf
+
+ *.*;auth,authpriv.none;mail.err -/var/log/syslog
+
+# NOTE: /var/log/mail.{err,warn} can be kept at the default
+# values since they do not contain any sensitive information.
+ :: /etc/logrotate.d/rsyslog
+
+ /var/log/mail.log
+ /var/log/mail.info
+ {
+ rotate 3
+ daily
+ missingok
+ ifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+ }
+
** Necessary stuff to fix for security
*** Bacula for backups
Also has tripwire-like capabilities.