| -rw-r--r-- | fripost-docs.org | 386 | 
1 files changed, 250 insertions, 136 deletions
| diff --git a/fripost-docs.org b/fripost-docs.org index afff34a..09ca536 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -136,7 +136,7 @@ sudo aptitude install logcheck syslog-summary      ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$      ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ -    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ +    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$  /etc/logcheck/ignore.d.server/ddclient  :HIDDEN: @@ -322,9 +322,9 @@ smarthost = the server receiving email from the internet (configured as MX)     THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" -   sudo -u $TUNNEL_USER mkdir $TUNNEL_HOME/.ssh -   echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\ -no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh/authorized_keys2 +      sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh +      echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\ +no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2  **** Set up the tunnel 
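Review bot: The forced-command key written by the new `echo "command=\"nc localhost $DEST_PORT\",...` line blocks forwarding but not a PTY or `~/.ssh/rc`, so the tunnel key can still request a terminal and, should an rc file ever appear in $TUNNEL_HOME/.ssh, run it before `nc`; the options should read `command=\"nc localhost $DEST_PORT\",no-pty,no-user-rc,no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY` (on OpenSSH 7.2 or newer the single keyword `restrict` covers all of them). The entry goes into `authorized_keys2`, a name sshd(8) has long marked deprecated and that is only consulted if `AuthorizedKeysFile` still lists it; writing `$TUNNEL_HOME/.ssh/authorized_keys` avoids a silently ignored key. Since `tee -a` now appends, re-running the step duplicates the entry rather than replacing it, and neither the directory nor the file gets an explicit mode; adding `sudo -u $TUNNEL_USER chmod 700 $TUNNEL_HOME/.ssh` and `chmod 600` on the key file keeps sshd's StrictModes check from rejecting the key under a permissive umask.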
@@ -353,120 +353,81 @@ telnet localhost $ORIGIN_PORT  *** Installing MySQL       - sudo apt-get install mysql-server       - generate a long (25 characters) password for the mysql root user -     - /etc/mysql/my.cnf -:HIDDEN: -skip-innodb -:END: -*** Configuring the MySQL replication -***** Overview -     [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] - -     We will use MySQL replication to keep the MySQL user data on the smarthosts -     in sync with the data held on the main IMAP server. - -     We begin by setting up an SSH tunnel, as described above.  The rest is -     fairly straight-forward.  Here are instructions adapted from the MySQL -     manual. - -     - Set up the SSH tunnel. - -***** Configure the master - -     - Add this to my.cnf: -:HIDDEN: -server-id		= 1 -log_bin			= /var/log/mysql/mysql-bin.log -expire_logs_days	= 10 -max_binlog_size         = 100M -binlog_do_db		= mail -:END: - -     - /etc/init.d/mysql restart - -     - Enter MySQL shell and create user with replication privileges: -       mysql -u root -p - -       # use only ASCII for <password> - -       GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>'; -       FLUSH PRIVILEGES; - -       USE mail; -       FLUSH TABLES WITH READ LOCK; - -       # Save the output of this command: -       SHOW MASTER STATUS; - -       unlock tables; -       quit; - -       # Copy this file to the slave: -       mysqldump -u root -p --opt mail > mydump.sql -        -***** Configure the slave - -      - Enter the MySQL shell and create the database: +     - /etc/mysql/my.cnf: skip-innodb +*** MySQL on the main IMAP server +**** Overview -        mysql -u root -p -        CREATE DATABASE mail; -        quit; -   -        mysql -u root -p --database=mail < mydump.sql +We will use four tables `alias', `domain', `log' and `mailbox'. 
-      - create a new temporary directory: -         -        sudo mkdir /var/lib/mysql/tmp -        sudo chown mysql:mysql !$ -        sudo chmod 0750 !$ - -      - /etc/mysql/my.cnf -:HIDDEN: -tmpdir		= /var/lib/mysql/tmp -# Note that the server-id must be different on all hosts -server-id		= 2 -:END: -      - /etc/init.d/mysql restart - -      SLAVE STOP; -      # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]] -      # NOTE: fill in these values using output from SHOW MASTER STATUS; above - -      CHANGE MASTER TO -      MASTER_HOST='127.0.0.1', -      MASTER_PORT=1949, -      MASTER_USER='slave_user', -      MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; - -      START SLAVE; -      quit; - -***** Useful commands while debugging -       start slave; stop slave; -       show slave status\G - -*** Configuring the main IMAP server -**** /etc/postfix/main.cf - -**** MySQL on the main IMAP server - -     - create database mail; - -     We will use four tables `alias', `domain', `log' and `mailbox'. 
-      -     // FIXME; add description of tables -     :HIDDEN: -mysql> show tables; - -mysql> describe alias; - -mysql> describe domain; - -mysql> describe log; +***** mysql> show tables; ++----------------+ +| Tables_in_mail | ++----------------+ +| alias          |  +| domain         |  +| log            |  +| mailbox        |  ++----------------+ +4 rows in set (0.00 sec) + +***** mysql> describe alias; ++-------------+--------------+------+-----+---------------------+-------+ +| Field       | Type         | Null | Key | Default             | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| address     | varchar(255) | NO   | PRI |                     |       |  +| goto        | text         | NO   |     | NULL                |       |  +| domain      | varchar(255) | NO   |     |                     |       |  +| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |  +| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |  +| active      | tinyint(4)   | NO   |     | 1                   |       |  ++-------------+--------------+------+-----+---------------------+-------+ +6 rows in set (0.00 sec) + +***** mysql> describe domain; ++-------------+--------------+------+-----+---------------------+-------+ +| Field       | Type         | Null | Key | Default             | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| domain      | varchar(255) | NO   | PRI |                     |       |  +| description | varchar(255) | NO   |     |                     |       |  +| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |  +| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |  +| active      | tinyint(4)   | NO   |     | 1                   |       |  ++-------------+--------------+------+-----+---------------------+-------+ +5 rows in set (0.00 sec) + +***** mysql> describe log; 
++-------+-------------+------+-----+-------------------+----------------+ +| Field | Type        | Null | Key | Default           | Extra          | ++-------+-------------+------+-----+-------------------+----------------+ +| id    | int(11)     | NO   | PRI | NULL              | auto_increment |  +| user  | varchar(20) | NO   |     |                   |                |  +| event | text        | NO   |     | NULL              |                |  +| date  | timestamp   | NO   |     | CURRENT_TIMESTAMP |                |  ++-------+-------------+------+-----+-------------------+----------------+ +4 rows in set (0.00 sec) + +***** mysql> describe mailbox; ++-------------+--------------+------+-----+---------------------+-------+ +| Field       | Type         | Null | Key | Default             | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| username    | varchar(255) | NO   | PRI |                     |       |  +| password    | varchar(255) | NO   |     |                     |       |  +| name        | varchar(255) | NO   |     |                     |       |  +| maildir     | varchar(255) | NO   |     |                     |       |  +| domain      | varchar(255) | NO   |     |                     |       |  +| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |  +| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |  +| active      | tinyint(4)   | NO   |     | 1                   |       |  ++-------------+--------------+------+-----+---------------------+-------+ +8 rows in set (0.00 sec) + +**** Steps to produce it +mysql -u root -p -mysql> describe mailbox; -     :END: +   create database mail; -     - sudo mysql -u root -p --database=mail +sudo mysql -u root -p --database=mail +FIXME: Not 100 % up to date         :HIDDEN:  DROP TABLE IF EXISTS `alias`;  SET @saved_cs_client     = @@character_set_client; 
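Review bot: In the new `describe log` listing the `user` column is `varchar(20)` while `mailbox.username` and `alias.address` are `varchar(255)`, so a log row for a longer username is silently truncated in the default SQL mode (or rejected in strict mode); either widen it to `varchar(255)` or say in the overview that `log.user` is meant to hold only a short local part. The `mailbox.password` row says nothing about what the column contains, and a bare `varchar(255)` happily accepts cleartext; the overview should name the expected format, e.g. `password: Dovecot-style password hash ({SCHEME}hash) — never cleartext`, hedged here because the scheme used by the IMAP server is not visible in this hunk. The `Steps to produce it` section still carries `FIXME: Not 100 % up to date`, so the CREATE TABLE statements that follow (outside this hunk) may not match these listings and a reader should be told which one is authoritative.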
@@ -523,23 +484,137 @@ CREATE TABLE `mailbox` (  ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps';  SET character_set_client = @saved_cs_client;          :END: -     - mysql -u root -p -       CREATE USER 'mail'@'localhost' IDENTIFIED BY 'secret'; + +mysql -u root -p + +# Create triggers + +       use mail; + +       DELIMITER $$ +       CREATE TRIGGER alias_set_created_on_insert before insert on alias +         for each row begin set new.create_date = current_timestamp; end$$ +       CREATE TRIGGER domain_set_created_on_insert before insert on domain +         for each row begin set new.create_date = current_timestamp; end$$ +       CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox  +         for each row begin set new.create_date = current_timestamp; end$$ +       DELIMITER ; +        +# Create mail user + +       CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ';         GRANT SELECT ON mail.alias   TO 'mail'@'localhost';         GRANT SELECT ON mail.domain  TO 'mail'@'localhost';         GRANT SELECT ON mail.mailbox TO 'mail'@'localhost'; -**** Test delivery +*** Configuring the MySQL replication +***** Overview +[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] -- /etc/postfix/main.cf -:HIDDEN: -# Not really needed until we switch to using Courier maildrop -maildrop_destination_recipient_limit = 1 +We will use MySQL replication to keep the MySQL user data on the smarthosts +in sync with the data held on the main IMAP server. -virtual_mailbox_base = /home/mail/virtual -:END: +These instructions are mainly adapted from the MySQL manual. 
+ +***** Configure the master + + :: /etc/mysql/my.cnf: + +    server-id		= 1 +    log_bin		= /var/log/mysql/mysql-bin.log +    expire_logs_days	= 10 +    max_binlog_size	= 100M +    binlog_do_db	= mail +     + +/etc/init.d/mysql restart + +***** Configure the slave +****** Set up an SSH tunnel  + +We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]]. + +****** Preparing steps to take on master + +# Enter MySQL shell and create a user with replication privileges. +# NB: Use only ASCII for the <password> +mysql -u root -p + +    GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>'; +    FLUSH PRIVILEGES; +    USE mail; +    FLUSH TABLES WITH READ LOCK; +    quit; +     +# Make a database dump. + +mysqldump -u root -p --opt mail > mydump.sql + +# Now, copy this file to the slave. + +# Save the output of the SHOW MASTER STATUS COMMAND. +mysql -u root -p + +    SHOW MASTER STATUS; +    unlock tables; +    quit; + +****** Slave configuration + +# Create a new temporary directory. +# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage. +         +TMP_DIR=/var/lib/mysql/tmp +sudo mkdir $TMP_DIR +sudo chown mysql:mysql $TMP_DIR +sudo chmod 0750 $TMP_DIR + + :: /etc/mysql/my.cnf + +    tmpdir		= /var/lib/mysql/tmp +    # Note that the server-id must be different on all hosts +    server-id		= 2 + +/etc/init.d/mysql restart + +# Enter the MySQL shell and create the database: -sudo mkdir -p /home/mail/virtual/fripost.org/example/ +mysql -u root -p + +    CREATE DATABASE mail; +    quit; +   +mysql -u root -p --database=mail < mydump.sql +   +# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. 
CHANGE MASTER TO Syntax]] +# NOTE: fill in these values using output from SHOW MASTER STATUS; above +# NOTE: filling this in my.cnf is deprecated + +mysql -u root -p + +    SLAVE STOP; + +    CHANGE MASTER TO +    MASTER_HOST='127.0.0.1', +    MASTER_PORT=1949, +    MASTER_USER='slave_user', +    MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; + +    START SLAVE; +    show slave status\G + +# If it seems OK, just: + +    quit; + +*** Configuring the main IMAP server +**** /etc/postfix/main.cf + +TODO: add file contents + +**** Test delivery + +sudo mkdir -p /home/mail/virtual/fripost.org/  mysql -u root -p      INSERT INTO mailbox (username,password,name,maildir,domain) 
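Review bot: `CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ';` replaces the old `'secret'` placeholder with what looks like a real 25-character password, which is now part of the repository history; change it to `IDENTIFIED BY '<password>'` as the replication section already does, and rotate the credential on the server if this value was ever deployed. In "Preparing steps to take on master" the `FLUSH TABLES WITH READ LOCK;` is immediately followed by `quit;`, which ends the session and releases the lock, so `mysqldump` and the later `SHOW MASTER STATUS` run unlocked and the recorded file/position may not correspond to the dump; keep a single session open for lock, dump, `SHOW MASTER STATUS`, `UNLOCK TABLES`, or use `mysqldump -u root -p --opt --master-data=2 mail > mydump.sql` and take the coordinates from the `CHANGE MASTER TO` comment it writes into the dump header. The `MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98` values in the slave step are example output and should be labelled as such so they are not copied verbatim.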
@@ -612,25 +687,64 @@ sudo /etc/init.d/dovecot restart  # client.  *** Configuring a new smarthost to relay e-mail to the main IMAP server +**** Overview + +We relay mail from our smarthosts to the main IMAP server. + +This is to avoid having a single poin of failure and to separate concerns. The +IMAP server then only needs to deal with authenticated clients and the +smarthosts. + +**** Prerequisites  + +Before this can work we must make sure that: +- the MySQL replication is working +- there is an SSH tunnel for the smtp + +If they are both setup, we can configure postfix on the smarthost to relay +emails through the tunnel. + +**** Configuration files + +TODO: add the necessary configuration files -First setup an SSH tunnel between the hosts according to instructions given -above. -Next, we need to configure postfix on the smarthost to relay emails through the -tunnel: -    -   One quick-and-dirty example to try it out is: -   - /etc/postfix/main.cf -     relay_domains  = fripost.org -     transport_maps = hash:/etc/postfix/transport -   - /etc/postfix/transport -     fripost.org smtp:localhost:1917 -   - sudo postmap hash:/etc/postfix/transport  ** Configuring the webserver     - sudo apt-get install apache2 +** Logging +*** Overview +We want to limit how much we log for privacy reasons. At the same time we want +to be able to debug technical problems and detect intrusions. + +For the webmail, we only log messages of priority warn or higher. +*** Configuration + +  :: /etc/rsyslog.conf + +    *.*;auth,authpriv.none;mail.err	-/var/log/syslog + +# NOTE: /var/log/mail.{err,warn} can be kept at the default +# values since they do not contain any sensitive information. 
+  :: /etc/logrotate.d/rsyslog + +    /var/log/mail.log +    /var/log/mail.info +    { +    	rotate 3 +    	daily +    	missingok +    	ifempty +    	compress +    	delaycompress +    	sharedscripts +    	postrotate +    		invoke-rc.d rsyslog reload > /dev/null +    	endscript +    } +  ** Necessary stuff to fix for security  *** Bacula for backups  Also has tripwire-like capabilities. | 
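Review bot: The new `Configuration files` subsection contains only `TODO: add the necessary configuration files`, while the commit deletes the `relay_domains`/`transport_maps`/`fripost.org smtp:localhost:1917` example that was the only concrete relay configuration in the document; keep that example (marked quick-and-dirty) until the full files are written so the smarthost setup stays reproducible. The logging overview promises to "detect intrusions", but the `*.*;auth,authpriv.none;mail.err` line only says what is kept out of /var/log/syslog and the reader is left to guess where authentication events end up; add a sentence such as `# auth/authpriv are still written to /var/log/auth.log by the Debian default rule; keep that file and point logcheck at it`, hedged because the auth.log rule itself is not shown in this hunk. The `rotate 3` / `daily` retention for mail.log and mail.info is a deliberate privacy trade-off, and the overview should state explicitly that only about three days of delivery history will be available for incident investigation.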
