-rw-r--r--fripost-docs.org684
1 files changed, 396 insertions, 288 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 296e942..5a06a02 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -39,11 +39,15 @@ sort of thing but instead as an ongoing effort. Thus, while we strive to
document all configuration that we consider stable enough, the documentation may
sometimes lag behind.
+We do not believe in security through obscurity. This means we are aiming
+instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some
+information below might have been changed to inconvenience a potential
+attacker. Beware and take according measures.
+
We welcome all criticism, suggestions for improvements, additions etc. Please
send them to skangas@skangas.se.
-* BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server
-
+* Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server
** Basic installation instructions
- Use expert install to maximize fun.
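Review bot: The new Kerckhoffs's-principle paragraph undercuts itself with "some information below might have been changed to inconvenience a potential attacker": a reader then cannot tell which values are real. Say which kinds of values are altered (for example port numbers or hostnames) or drop the sentence, and reword "take according measures" to "take appropriate measures".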
@@ -55,34 +59,26 @@ send them to skangas@skangas.se.
Used to keep track of /etc. Install ASAP after install!
-:: /etc/etckeeper/etckeeper.conf
-
- AVOID_COMMIT_BEFORE_INSTALL=1
-
-# not needed on squeeze:
-cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
-
-** Uninstall a bunch of unnecessary packages
+** Use GNU Emacs as the default editor
- sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
- doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \
- openbsd-inetd portmap tasksel tasksel-data w3m
+# NOTE: Emacs will be the default on all Fripost systems. If you prefer
+# something else, use the EDITOR environment variable.
+sudo apt-get install emacs23-nox
-** Packages to install
-*** Administrative
+sudo update-alternatives --config editor
+
+** Configure sudo
-sudo aptitude install openssh-server molly-guard ntp ntpdate screen
+sudo apt-get install sudo
-# If the system is on a dynamic IP (e.g. using DHCP):
-sudo aptitude install resolvconf
+# If you disabled root account during installation, the default account is
+# already in the sudo group. Otherwise, follow these steps:
-*** Security
+sudo adduser myuser sudo
-sudo aptitude install logcheck syslog-summary harden-servers
+sudo EDITOR="emacs" visudo
-# NB: harden-clients conflicts with telnet, which as we know is very handy
-# during configuration. Therefore, only optionally:
-sudo aptitude install harden-clients
+ %sudo ALL= (ALL) ALL
** Configure sshd
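Review bot: `sudo apt-get install sudo` in the new "Configure sudo" section cannot run on a host that does not yet have sudo; run it as root (`su -c 'apt-get install sudo'`) or state, as the following comment already implies, that the installer sets up sudo when the root account is disabled. Separately, dropping `AVOID_COMMIT_BEFORE_INSTALL=1` and the `etckeeper init && etckeeper commit` lines leaves "Install ASAP after install!" with no command at all; a one-line note that the squeeze package initialises the repository on installation (the removed comment said "not needed on squeeze") would preserve the intent.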
@@ -102,17 +98,28 @@ sudo /etc/init.d/ssh restart
# Without closing the current connection, try to connect to the server,
# verifying that you can still connect.
-
-** Configure sudo
-# If you disabled root account during installation, the default account is
-# already in the sudo group. Otherwise, follow these steps:
+** Packages to install
+*** Administrative
-sudo adduser myuser sudo
+sudo aptitude install openssh-server molly-guard ntp ntpdate screen
-sudo EDITOR="emacs" visudo
+# If the system is on a dynamic IP (e.g. using DHCP):
+sudo aptitude install resolvconf
- %sudo ALL= (ALL) ALL
+*** Security
+
+sudo aptitude install logcheck syslog-summary harden-servers
+
+# NB: harden-clients conflicts with telnet, which as we know is very handy
+# during configuration. Therefore, only optionally:
+sudo aptitude install harden-clients
+
+** Forward root email
+
+:: /etc/aliases
+
+ root: admin@fripost.org
** Configure logcheck
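Review bot: The new "Forward root email" step edits /etc/aliases but never rebuilds the alias database; add `sudo newaliases` after the `root: admin@fripost.org` line. It is required on the hosts that later run postfix (exim4 on Debian reads the file directly, so it is harmless there), otherwise root's mail keeps being delivered locally.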
@@ -121,29 +128,27 @@ sudo aptitude install logcheck syslog-summary
:: /etc/logcheck/logcheck.conf
INTRO=0
- SENDMAILTO="skangas@skangas.se"
+ SENDMAILTO="admin@fripost.org"
-:: /etc/logcheck/ignore.d.server/ntp
+:: /etc/logcheck/ignore.d.server/ntp # XXX: necessary with squeeze?
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
-:: /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
+:: /etc/logcheck/ignore.d.server/ssh # not necessary with squeeze
+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
-:: /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
+:: /etc/logcheck/ignore.d.server/rsyslog # not necessary with squeeze
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
/etc/logcheck/ignore.d.server/ddclient
-:HIDDEN:
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
- :END:
** Configuring aptitude and friends
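Review bot: The comment `# not necessary with squeeze` on the ssh ignore file contradicts adding the ssh rule in this same hunk; either drop the rule or keep the condition the removed text gave ("until logcheck 1.3.7 hits stable") so a reader knows when it can go. The same applies to the rsyslog file. Also, the ddclient file header `/etc/logcheck/ignore.d.server/ddclient` lacks the `::` prefix used for every other file path in this section.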
@@ -160,55 +165,48 @@ sudo aptitude install unattended-upgrades
:: /etc/apt/apt.conf
- :CONTENT:
-APT
-{
- // Increase cache size to some arbitrary size.
- // Remove this line completely once we have apt v0.7.26 in stable. (it defaults to no limit)
- Cache-Limit "33554432";
-
- // Configuration for /etc/cron.daily/apt
- Periodic
- {
- // Do "apt-get update" automatically every n-days (0=disable)
- Update-Package-Lists "1";
- // Do "apt-get autoclean" every n-days (0=disable)
- AutocleanInterval "1";
- // Do "apt-get upgrade --download-only" every n-days (0=disable)
- Download-Upgradeable-Packages "1";
- // Run the "unattended-upgrade" security upgrade script every n days
- Unattended-Upgrade "1";
- }
-};
-
-Aptitude
-{
- UI
- {
- Autoclean-After-Update: true;
- Auto-Fix-Broken: false;
- Keep-Recommends: true;
- Recommends-Important: true;
- Description-Visible-By-Default: false;
- HelpBar false;
- Menubar-Autohide true;
- Purge-Unused: true;
- Prompt-On-Exit false;
- }
-}
- :END:
+ APT
+ {
+ // Configuration for /etc/cron.daily/apt
+ Periodic
+ {
+ // Do "apt-get update" automatically every n-days (0=disable)
+ Update-Package-Lists "1";
+ // Do "apt-get autoclean" every n-days (0=disable)
+ AutocleanInterval "1";
+ // Do "apt-get upgrade --download-only" every n-days (0=disable)
+ Download-Upgradeable-Packages "1";
+ // Run the "unattended-upgrade" security upgrade script every n days
+ Unattended-Upgrade "1";
+ }
+ };
+
+ Aptitude
+ {
+ UI
+ {
+ Autoclean-After-Update: true;
+ Auto-Fix-Broken: false;
+ Keep-Recommends: true;
+ Recommends-Important: true;
+ Description-Visible-By-Default: false;
+ HelpBar false;
+ Menubar-Autohide true;
+ Purge-Unused: true;
+ Prompt-On-Exit false;
+ }
+ }
# Using Debian squeeze:
:: /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "admin@fripost.org";
- Acquire::http::Dl-Limit "70";
-# Using Debian lenny:
-sudo aptitude install apticron
-:: /etc/apticron/apticron.conf
+** Uninstall a bunch of unnecessary packages
- EMAIL="admin@fripost.org"
+sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
+doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \
+openbsd-inetd portmap tasksel tasksel-data w3m
** Reconfigure exim
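Review bot: In the reindented apt.conf block the `Aptitude { UI { ... } }` stanza mixes two notations (`Autoclean-After-Update: true;` with a colon, `HelpBar false;` without), unlike the `Update-Package-Lists "1";` form used in the `APT` stanza just above it; normalise to the `Name "value";` form so apt parses the whole file consistently. Removing `Acquire::http::Dl-Limit "70";` also lifts the download rate limit on unattended upgrades without comment; a line saying whether that is intended would help the next administrator.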
@@ -233,35 +231,33 @@ sudo dpkg-reconfigure exim4-config
# no
-* NEXT STEPS
-
+* Next Steps
** Configuring the backup solution
*** Bacula configuration
*** Simple rsync solution
- General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be
- changed to rsnapshot or perhaps something even more sophisticated like
- bacula.
+General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be
+changed to rsnapshot or perhaps something even more sophisticated like bacula.
- 1. Install rsync
+1. Install rsync
- sudo aptitude install rsync
- 2. Create a key on the backup computer
- - ssh-keygen -N "" -b 4096 -f ~/.ssh/backup_key
- - cat .ssh/backup_key.pub
- 3. Create a user on the computer that will be backed up
- - sudo adduser remupd
- - sudo passwd -d remupd
+2. Create a key on the backup computer:
+ - sudo mkdir /root/.ssh/backup_key
+ - sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key
+ - cat /root/.ssh/backup_key.pub
+3. Create a user on the computer that will be backed up
+ - sudo adduser --disabled-password remupd
- add the public key from above to ~remupd/.ssh/authorized_keys2
prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding
- - test the key:
- ssh -i ~/.ssh/backup_key -l remupd example.com
- - add remupd to sudo:
+ - sudo EDITOR="emacs" visudo
Cmnd_Alias RSYNCDIST=/usr/bin/rsync
remupd ALL=NOPASSWD:RSYNCDIST
- 3. Create a script on the backup computer to automatically backup
- 4. Add script to crontab
+4. Test the key from the backup computer:
+ - ssh -i ~/.ssh/backup_key -l remupd example.com
+5. Create a script on the backup computer to automatically backup
+6. Add script to crontab
** Configuring the e-mail servers
*** Introduction
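Review bot: Step 2 of the rsync backup runs `sudo mkdir /root/.ssh/backup_key`, creating a directory, and then asks `ssh-keygen -f /root/.ssh/backup_key` to write a file of the same name, which fails; the mkdir should be `sudo mkdir -p -m 700 /root/.ssh`. Step 4 then tests with `~/.ssh/backup_key`, which is the key just created only when run as root; use `sudo ssh -i /root/.ssh/backup_key ...` as the SSH-tunnel section does. Since `remupd` is granted `NOPASSWD` rsync via sudo, consider restricting the key with a `command=` option in the same way the tunnel section restricts its key.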
@@ -283,73 +279,74 @@ smarthost = the server receiving email from the internet (configured as MX)
*** Configuring an SSH tunnel between two hosts
- Definitions:
- originating host = the host that will be connecting
- destination host = the host that runs some service
+ Definitions:
+ originating host = the host that will be connecting
+ destination host = the host that runs some service
- Begin by setting a few environment variables:
+ Begin by setting a few environment variables:
- TUNNEL_KEY_FILE="my_tunnel_key"
- TUNNEL_USER="tunneluser"
- TUNNEL_HOME="/home/$TUNNEL_USER"
- DEST_PORT="25"
- ORIGIN_PORT="1917"
+ TUNNEL_KEY="my_tunnel_key"
+ TUNNEL_USER="tunneluser"
+ TUNNEL_HOME="/home/$TUNNEL_USER"
+ DEST_PORT="25"
+ ORIGIN_PORT="1917"
**** Prepare origin
- 1. Create a key on the originating host:
+1. Create a key on the originating host:
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
- sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
+ sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
+ sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
+ sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
**** Prepare destination
- 2a. Install necessary software on the destination host:
+2a. Install necessary software on the destination host:
- sudo aptitude install netcat-openbsd
+ sudo aptitude install netcat-openbsd
- 2b. Create a new user on the destination host:
+2b. Create a new user on the destination host:
- sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
- --disabled-password $TUNNEL_USER
- echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
+ sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
+ --disabled-password $TUNNEL_USER
+ echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
- # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config.
+ # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config.
- # Note: We need bash, so we can not change the shell to something else.
+ # Note: We need bash, so we can not change the shell to something else.
- 2c. Add the public key from above to this user:
+2c. Add the public key from above to this user:
- THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx"
+ THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx"
sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\
-no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh/authorized_keys2
+no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
- 4. Test the key on the originating host:
+4. Test the key on the originating host:
- sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
+ sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
- 5. Configure openbsd-inetd on the originating host:
+5. Configure openbsd-inetd on the originating host:
- # Comment: We use inetd instead of ssh -L because, among other things, ssh
- # -L tends to hang.
+ # Comment: We use inetd instead of ssh -L because, among other things, ssh
+ # -L tends to hang.
- sudo aptitude install openbsd-inetd
+ sudo aptitude install openbsd-inetd
:: /etc/inetd.conf
127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE smtptunnel@example.com
- sudo /etc/init.d/openbsd-inetd restart
+ sudo /etc/init.d/openbsd-inetd restart
- You should now be able to connect through the tunnel from the originating
- host using something like:
+You should now be able to connect through the tunnel from the originating
+host using something like:
- telnet localhost $ORIGIN_PORT
+telnet localhost $ORIGIN_PORT
*** Installing MySQL
- sudo apt-get install mysql-server
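Review bot: The variable is renamed to `TUNNEL_KEY` at the top of the section, but every later command still expands `$TUNNEL_KEY_FILE` (the ssh-keygen and cat lines, the ssh test and the inetd.conf entry), so they would run with an empty path; either keep `TUNNEL_KEY_FILE` or rename all uses. The `sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE` line is also duplicated in step 1, and the inetd.conf entry hardcodes `smtptunnel@example.com` where `$TUNNEL_USER@destination.example.com` would match the variables defined above. The change to `tee -a` is correct, since plain `tee` would overwrite any existing authorized_keys2.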
@@ -360,7 +357,6 @@ no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh
We will use four tables `alias', `domain', `log' and `mailbox'.
-
***** mysql> show tables;
+----------------+
| Tables_in_mail |
@@ -513,186 +509,171 @@ mysql -u root -p
***** Overview
[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]
-
We will use MySQL replication to keep the MySQL user data on the smarthosts
in sync with the data held on the main IMAP server.
-We begin by setting up an SSH tunnel, as described above. The rest is
-fairly straight-forward. Here are instructions adapted from the MySQL
-manual.
-
-- Set up the SSH tunnel.
+These instructions are mainly adapted from the MySQL manual.
***** Configure the master
- - Add this to my.cnf:
-:HIDDEN:
-server-id = 1
-log_bin = /var/log/mysql/mysql-bin.log
-expire_logs_days = 10
-max_binlog_size = 100M
-binlog_do_db = mail
-:END:
+ :: /etc/mysql/my.cnf:
- - /etc/init.d/mysql restart
+ server-id = 1
+ log_bin = /var/log/mysql/mysql-bin.log
+ expire_logs_days = 10
+ max_binlog_size = 100M
+ binlog_do_db = mail
+
- - Enter MySQL shell and create user with replication privileges:
- mysql -u root -p
+/etc/init.d/mysql restart
- # use only ASCII for <password>
+***** Configure the slave
+****** Set up an SSH tunnel
- GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
- FLUSH PRIVILEGES;
+We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]].
- USE mail;
- FLUSH TABLES WITH READ LOCK;
+****** Preparing steps to take on master
- # Save the output of this command:
- SHOW MASTER STATUS;
+# Enter MySQL shell and create a user with replication privileges.
+# NB: Use only ASCII for the <password>
+mysql -u root -p
- unlock tables;
- quit;
+ GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
+ FLUSH PRIVILEGES;
+ USE mail;
+ FLUSH TABLES WITH READ LOCK;
+ quit;
+
+# Make a database dump.
- # Copy this file to the slave:
- mysqldump -u root -p --opt mail > mydump.sql
-
-***** Configure the slave
+mysqldump -u root -p --opt mail > mydump.sql
- - Enter the MySQL shell and create the database:
+# Now, copy this file to the slave.
- mysql -u root -p
- CREATE DATABASE mail;
- quit;
-
- mysql -u root -p --database=mail < mydump.sql
-
- - create a new temporary directory:
+# Save the output of the SHOW MASTER STATUS COMMAND.
+mysql -u root -p
+
+ SHOW MASTER STATUS;
+ unlock tables;
+ quit;
+
+****** Slave configuration
+
+# Create a new temporary directory.
+# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage.
- sudo mkdir /var/lib/mysql/tmp
- sudo chown mysql:mysql !$
- sudo chmod 0750 !$
+TMP_DIR=/var/lib/mysql/tmp
+sudo mkdir $TMP_DIR
+sudo chown mysql:mysql $TMP_DIR
+sudo chmod 0750 $TMP_DIR
- - /etc/mysql/my.cnf
-:HIDDEN:
-tmpdir = /var/lib/mysql/tmp
-# Note that the server-id must be different on all hosts
-server-id = 2
-:END:
- - /etc/init.d/mysql restart
+ :: /etc/mysql/my.cnf
- SLAVE STOP;
- # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
- # NOTE: fill in these values using output from SHOW MASTER STATUS; above
+ tmpdir = /var/lib/mysql/tmp
+ # Note that the server-id must be different on all hosts
+ server-id = 2
- CHANGE MASTER TO
- MASTER_HOST='127.0.0.1',
- MASTER_PORT=1949,
- MASTER_USER='slave_user',
- MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;
+/etc/init.d/mysql restart
- START SLAVE;
- quit;
+# Enter the MySQL shell and create the database:
-***** Useful commands while debugging
- start slave; stop slave;
- show slave status\G
+mysql -u root -p
-*** Configuring the main IMAP server
-**** /etc/postfix/main.cf
+ CREATE DATABASE mail;
+ quit;
+
+mysql -u root -p --database=mail < mydump.sql
+
+# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
+# NOTE: fill in these values using output from SHOW MASTER STATUS; above
+# NOTE: filling this in my.cnf is deprecated
-**** MySQL on the main IMAP server
+mysql -u root -p
- - create database mail;
+ SLAVE STOP;
- We will use four tables `alias', `domain', `log' and `mailbox'.
-
- // FIXME; add description of tables
- :HIDDEN:
-mysql> show tables;
+ CHANGE MASTER TO
+ MASTER_HOST='127.0.0.1',
+ MASTER_PORT=1949,
+ MASTER_USER='slave_user',
+ MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;
-mysql> describe alias;
+ START SLAVE;
+ show slave status\G
-mysql> describe domain;
+# If it seems OK, just:
-mysql> describe log;
+ quit;
-mysql> describe mailbox;
- :END:
+*** Configuring the main IMAP server
+**** /etc/postfix/main.cf
- - sudo mysql -u root -p --database=mail
- :HIDDEN:
-DROP TABLE IF EXISTS `alias`;
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
-CREATE TABLE `alias` (
- `address` varchar(255) NOT NULL default '',
- `goto` text NOT NULL,
- `domain` varchar(255) NOT NULL default '',
- `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
- `change_date` datetime NOT NULL default '0000-00-00 00:00:00',
- `active` tinyint(4) NOT NULL default '1',
- PRIMARY KEY (`address`)
-) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps';
-SET character_set_client = @saved_cs_client;
+TODO: add file contents
-DROP TABLE IF EXISTS `domain`;
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
-CREATE TABLE `domain` (
- `domain` varchar(255) NOT NULL default '',
- `description` varchar(255) NOT NULL default '',
- `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
- `change_date` datetime NOT NULL default '0000-00-00 00:00:00',
- `active` tinyint(4) NOT NULL default '1',
- PRIMARY KEY (`domain`)
-) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps';
-SET character_set_client = @saved_cs_client;
+**** Setting up the MDA
-DROP TABLE IF EXISTS `log`;
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
-CREATE TABLE `log` (
- `id` int(11) NOT NULL auto_increment,
- `user` varchar(20) NOT NULL default '',
- `event` text NOT NULL,
- `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
- PRIMARY KEY (`id`)
-) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table';
-SET character_set_client = @saved_cs_client;
+# The choice of deliver from dovecot for MDA was based on the support for the
+# mailsieve filter language, which is a nice DSL and has plugin support in
+# roundcube. maildrop lacks this support.
-DROP TABLE IF EXISTS `mailbox`;
-SET @saved_cs_client = @@character_set_client;
-SET character_set_client = utf8;
-CREATE TABLE `mailbox` (
- `username` varchar(255) NOT NULL default '',
- `password` varchar(255) NOT NULL default '',
- `name` varchar(255) NOT NULL default '',
- `maildir` varchar(255) NOT NULL default '',
- `domain` varchar(255) NOT NULL default '',
- `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
- `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
- `active` tinyint(4) NOT NULL default '1',
- PRIMARY KEY (`username`)
-) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps';
-SET character_set_client = @saved_cs_client;
- :END:
- - mysql -u root -p
- CREATE USER 'mail'@'localhost' IDENTIFIED BY 'secret';
- GRANT SELECT ON mail.alias TO 'mail'@'localhost';
- GRANT SELECT ON mail.domain TO 'mail'@'localhost';
- GRANT SELECT ON mail.mailbox TO 'mail'@'localhost';
+# squeeze has dovecot-1.2. upgrade notes:
+# - we might want to upgrade to their sieve (instead of cmusieve)
+# - we want to add the -s flag to deliver in master.cf
-**** Test delivery
+:: /etc/dovecot/dovecot.conf
-- /etc/postfix/main.cf
-:HIDDEN:
-# Not really needed until we switch to using Courier maildrop
-maildrop_destination_recipient_limit = 1
+ protocol lda {
+ # Address to use when sending rejection mails.
+ postmaster_address = postmaster@fripost.org
+
+ # Hostname to use in various parts of sent mails, eg. in Message-Id.
+ # Default is the system's real hostname.
+ hostname = imap.fripost.org
+
+ # Support for dynamically loadable plugins. mail_plugins is a space separated
+ # list of plugins to load.
+ #mail_plugins =
+ #mail_plugin_dir = /usr/lib/dovecot/modules/lda
+
+ # Binary to use for sending mails.
+ sendmail_path = /usr/lib/sendmail
+
+ # UNIX socket path to master authentication server to find users.
+ auth_socket_path = /var/run/dovecot/auth-master
+
+ # Enabling Sieve plugin for server-side mail filtering
+ mail_plugins = cmusieve
+ }
+
+ [...]
+
+ ## dovecot-lda specific settings
+ ##
+ socket listen {
+ master {
+ path = /var/run/dovecot/auth-master
+ mode = 0600
+ user = xxx # User running Dovecot LDA
+ #group = mail # Or alternatively mode 0660 + LDA user in this group
+ }
+ }
+
+:: /etc/postfix/master.cf
+
+ dovecot unix - n n - - pipe
+ flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n
+
-virtual_mailbox_base = /home/mail/virtual
-:END:
+:: /etc/postfix/main.cf
+
+ virtual_transport = dovecot
+ dovecot_destination_recipient_limit = 1
-sudo mkdir -p /home/mail/virtual/fripost.org/example/
+http://wiki.dovecot.org/LDA/Postfix
+http://www.tehinterweb.co.uk/roundcube/#pisieverules
+**** Test delivery
+
+sudo mkdir -p /home/mail/virtual/fripost.org/
mysql -u root -p
INSERT INTO mailbox (username,password,name,maildir,domain)
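Review bot: In "Preparing steps to take on master", the session that ran `FLUSH TABLES WITH READ LOCK;` ends with `quit;` before `mysqldump` runs, which releases the lock; the dump and the later `SHOW MASTER STATUS;` (taken in a fresh session, where `unlock tables;` has nothing to unlock) therefore need not agree, and the slave can start from the wrong binlog position. Keep the locking session open, run `mysqldump` and `SHOW MASTER STATUS;` from a second shell, then `UNLOCK TABLES;`, or use `mysqldump --master-data` so the position is recorded in the dump itself. Smaller points: `SLAVE STOP;` is the older spelling of `STOP SLAVE;`, and the dovecot and postfix snippets leave `user = xxx` and `user=xxx:xxx` unfilled although the `mode = 0600` on the auth-master socket only works when both name the same LDA user.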
@@ -765,17 +746,82 @@ sudo /etc/init.d/dovecot restart
# client.
*** Configuring a new smarthost to relay e-mail to the main IMAP server
+**** Overview
+
+We relay mail from our smarthosts to the main IMAP server.
+
+This is to avoid having a single poin of failure and to separate concerns. The
+IMAP server then only needs to deal with authenticated clients and the
+smarthosts.
+
+**** Prerequisites
-First setup an SSH tunnel between the hosts according to instructions given
-above.
+Before this can work we must make sure that:
+- the MySQL replication is working
+- there is an SSH tunnel for the smtp
+
+If they are both setup, we can configure postfix on the smarthost to relay
+emails through the tunnel.
+
+**** Configuration files
+
+TODO: add the necessary configuration files
-Next, we need to configure postfix on the smarthost to relay emails through the
-tunnel.
** Configuring the webserver
- sudo apt-get install apache2
+*** Configuring gitweb and gitolite
+
+# Note: incomplete steps
+
+sudo apt-get install gitolite gitweb
+
+sudo dpkg-reconfigure gitolite
+
+# Add the gitweb user to gitolite
+
+:: /var/lib/gitolite/.gitolite.rc
+ $REPO_UMASK = 0027; # gets you 'rwxr-x---'
+
+sudo usermod -a -G gitolite www-data
+
+sudo /etc/init.d/apache2 stop
+
+sudo /etc/init.d/apache2 start
+
+** Logging
+*** Overview
+We want to limit how much we log for privacy reasons. At the same time we want
+to be able to debug technical problems and detect intrusions.
+
+For the webmail, we only log messages of priority warn or higher.
+*** Configuration
+
+ :: /etc/rsyslog.conf
+
+ *.*;auth,authpriv.none;mail.err -/var/log/syslog
+
+# NOTE: /var/log/mail.{err,warn} can be kept at the default
+# values since they do not contain any sensitive information.
+ :: /etc/logrotate.d/rsyslog
+
+ /var/log/mail.log
+ /var/log/mail.info
+ {
+ rotate 3
+ daily
+ missingok
+ ifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+ }
+
** Necessary stuff to fix for security
*** Bacula for backups
Also has tripwire-like capabilities.
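Review bot: The rsyslog line `*.*;auth,authpriv.none;mail.err -/var/log/syslog` only trims what reaches /var/log/syslog; Debian's default rules still write full mail logging to /var/log/mail.log and /var/log/mail.info, so the privacy goal stated in the Overview rests entirely on the `rotate 3` / `daily` logrotate stanza, and that should be said explicitly (`ifempty` is also logrotate's default and can go). In the gitolite section, `apache2 stop` followed by `apache2 start` can be a single `restart`, and the Overview has a typo: "single poin of failure" should read "single point of failure".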
@@ -789,25 +835,87 @@ TODO: Add nice rules.
*** Monitoring
+* Hardening
+** Overview
+
+The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security.
+
+These are just some quick notes for easy access to the administrators.
+
+** rkhunter
+
+sudo aptitude install rkhunter
+
+sudo rkhunter -c --nomow --rwo
+
+:: /etc/rkhunter.conf
+
+ MAIL-ON-WARNING=admin@fripost.org
+
+ ALLOWHIDDENFILE=/etc/.gitignore
+ ALLOWHIDDENFILE=/etc/.etckeeper
+
+ # something like: (adapt port as needed)
+ INETD_ALLOWED_SVC=127.0.0.1:2000
+
+ # in case whitelisting is needed, use something like:
+ # (whitespace important)
+ APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "
+
+#### ALSO, do this (not needed for squeeze)
+
++# apps test is disabled by default as it triggers warnings about outdated
++# applications (and warns about possible security risk: we better trust
++# the Debian Security Team).
++#
+ ENABLE_TESTS="all"
+-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
++DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps"
+
+:: /etc/default/rkhunter
+
+ REPORT_EMAIL="admin@fripost.org"
+ NICE="19"
+
+# testing:
+
+sudo rkhunter -c --nomow --rwo
* NEED TO KNOW FOR SERVER ADMINS
+** Document your changes
+
+When you make changes to the system, document them here.
+
+The latest version of this document is always available from:
+
+ git clone git://github.com/skangas/fripost-docs.git
+
+Direct all patches to skangas@skangas.se. Preferably you should use
+`git-format-patch' and `git-send-email'. Thanks.
+
** Use etckeeper
- We keep /etc in a git repository using the tool etckeeper.
+We keep /etc in a git repository using the tool etckeeper.
+
+This means that every time you make changes to any files in /etc, you are
+expected to commit them using a descriptive commit message. Please add a
+signature (initials or your username) since all commits will be made as root.
+
+$ etckeeper commit "postfix: enable to relay messages to remote hosts via smtp /skangas"
- This means that every time you make changes to any files in /etc, you are
- expected to commit them using a descriptive commit message. Please add a
- signature (initials or your username) since all commits will be made as root.
+If you do not commit your changes, the next system upgrade will fail and
+whoever makes the upgrade will have to commit your changes for you. They may
+have to guess as to why you made your changes. Please do not put your
+co-administrators in this uncomfortable position.
- $ etckeeper commit "postfix: enable to relay messages to remote hosts via smtp /skangas"
+It is also possible to use simple git commands in /etc, e.g. `git log'.
+`etckeeper' has the benefit of keeping track of file permissions, which git
+by itself will not.
- If you do not commit your changes, the next system upgrade will fail and
- whoever makes the upgrade will have to commit your changes for you. They may
- have to guess as to why you made your changes. Please do not put your
- co-administrators in this uncomfortable position.
+** Use fripost-tools
- It is also possible to use simple git commands in /etc, e.g. `git log'.
- `etckeeper' has the benefit of keeping track of file permissions, which git
- by itself will not.
+We have written some tools to make administration tasks easier. They can be
+found at:
+ git clone git://github.com/skangas/fripost-tools.git
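Review bot: The block under `#### ALSO, do this (not needed for squeeze)` embeds diff-style lines (`++#`, `+-DISABLE_TESTS=...`, `++DISABLE_TESTS=...`) inside the org document, so a reader cannot tell whether the leading `+`/`-` characters are to be typed; write the intended final rkhunter.conf lines (the explanatory comment plus the `ENABLE_TESTS`/`DISABLE_TESTS` pair) in the `::`-file style used for the rest of the document, and use an org `*` heading rather than `####`. `APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "` pins specific old versions that silently stop matching after a security update and is moot once `apps` is in `DISABLE_TESTS`; a comment on when it is needed would help. Lastly, both `git clone git://github.com/...` lines fetch over the unauthenticated git protocol; for a document administrators act on, an `https://` URL gives transport integrity.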