-rw-r--r-- | fripost-docs.org | 684 |
1 files changed, 396 insertions, 288 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 296e942..5a06a02 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -39,11 +39,15 @@ sort of thing but instead as an ongoing effort. Thus, while we strive to document all configuration that we consider stable enough, the documentation may sometimes lag behind. +We do not believe in security through obscurity. This means we are aiming +instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some +information below might have been changed to inconvenience a potential +attacker. Beware and take according measures. + We welcome all criticism, suggestions for improvements, additions etc. Please send them to skangas@skangas.se. -* BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server - +* Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server ** Basic installation instructions - Use expert install to maximize fun. 
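Review bot: the new Kerckhoffs paragraph undercuts itself in its last two sentences; telling the reader that "some information below might have been changed to inconvenience a potential attacker" means no specific value on the page can be trusted any more, which is exactly the obscurity the first sentence disclaims. Either say which classes of values are deliberately altered (port numbers for the tunnels, for instance) or drop the caveat, and "take according measures" should read "take appropriate measures".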
@@ -55,34 +59,26 @@ send them to skangas@skangas.se. Used to keep track of /etc. Install ASAP after install! -:: /etc/etckeeper/etckeeper.conf - - AVOID_COMMIT_BEFORE_INSTALL=1 - -# not needed on squeeze: -cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit" - -** Uninstall a bunch of unnecessary packages +** Use GNU Emacs as the default editor - sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \ - doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \ - openbsd-inetd portmap tasksel tasksel-data w3m +# NOTE: Emacs will be the default on all Fripost systems. If you prefer +# something else, use the EDITOR environment variable. +sudo apt-get install emacs23-nox -** Packages to install -*** Administrative +sudo update-alternatives --config editor + +** Configure sudo -sudo aptitude install openssh-server molly-guard ntp ntpdate screen +sudo apt-get install sudo -# If the system is on a dynamic IP (e.g. using DHCP): -sudo aptitude install resolvconf +# If you disabled root account during installation, the default account is +# already in the sudo group. Otherwise, follow these steps: -*** Security +sudo adduser myuser sudo -sudo aptitude install logcheck syslog-summary harden-servers +sudo EDITOR="emacs" visudo -# NB: harden-clients conflicts with telnet, which as we know is very handy -# during configuration. Therefore, only optionally: -sudo aptitude install harden-clients + %sudo ALL= (ALL) ALL ** Configure sshd 
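Review bot: `sudo apt-get install sudo` in the new "Configure sudo" section cannot work on a host that does not have sudo yet; the step has to be run as root (`su -c 'apt-get install sudo'`) or the text should say so. Two smaller points in the same hunk: the `%sudo ALL= (ALL) ALL` line reproduces what the shipped /etc/sudoers on squeeze already grants to the sudo group (the surrounding text even relies on that when it says the default account "is already in the sudo group"), so the visudo step should be presented as a check rather than an addition; and the etckeeper lines removed here (`AVOID_COMMIT_BEFORE_INSTALL=1` and the `etckeeper init` command marked "not needed on squeeze") leave the section saying only "Install ASAP after install!" with no configuration at all. One sentence noting that the squeeze package initialises the repository on installation would keep the section self-contained.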
@@ -102,17 +98,28 @@ sudo /etc/init.d/ssh restart # Without closing the current connection, try to connect to the server, # verifying that you can still connect. - -** Configure sudo -# If you disabled root account during installation, the default account is -# already in the sudo group. Otherwise, follow these steps: +** Packages to install +*** Administrative -sudo adduser myuser sudo +sudo aptitude install openssh-server molly-guard ntp ntpdate screen -sudo EDITOR="emacs" visudo +# If the system is on a dynamic IP (e.g. using DHCP): +sudo aptitude install resolvconf - %sudo ALL= (ALL) ALL +*** Security + +sudo aptitude install logcheck syslog-summary harden-servers + +# NB: harden-clients conflicts with telnet, which as we know is very handy +# during configuration. Therefore, only optionally: +sudo aptitude install harden-clients + +** Forward root email + +:: /etc/aliases + + root: admin@fripost.org ** Configure logcheck 
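Review bot: after this move, "Packages to install" (openssh-server, molly-guard, ntp, ...) comes after "Configure sshd", whose last visible step is `sudo /etc/init.d/ssh restart` followed by a reconnect test; either keep the administrative package list before the sshd section or state that openssh-server is expected to be present from the base install. On the new "Forward root email" step: with the Debian exim4 configuration the page reconfigures later, an edit to /etc/aliases takes effect immediately, but if a host is switched to postfix (as the IMAP server is further down) the alias database has to be rebuilt with `newaliases`, which is worth one line. The `root: admin@fripost.org` alias also sends root's mail off-host, so it only works once the MTA can deliver externally; a quick `echo test | mail root` after the exim reconfiguration would verify it.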
@@ -121,29 +128,27 @@ sudo aptitude install logcheck syslog-summary :: /etc/logcheck/logcheck.conf INTRO=0 - SENDMAILTO="skangas@skangas.se" + SENDMAILTO="admin@fripost.org" -:: /etc/logcheck/ignore.d.server/ntp +:: /etc/logcheck/ignore.d.server/ntp # XXX: necessary with squeeze? - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ -:: /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable] +:: /etc/logcheck/ignore.d.server/ssh # not necessary with squeeze + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ -:: /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable] +:: /etc/logcheck/ignore.d.server/rsyslog # not necessary with squeeze ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$ /etc/logcheck/ignore.d.server/ddclient -:HIDDEN: + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$ - :END: ** Configuring aptitude and friends 
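Review bot: the `/etc/logcheck/ignore.d.server/ddclient` path lacks the `::` prefix the page uses for every other file path in this hunk. Second, the ssh and rsyslog rule files are annotated "# not necessary with squeeze" but kept, and the ntp file still carries "# XXX: necessary with squeeze?"; stale ignore rules silently widen what logcheck suppresses, so now that the page targets squeeze either delete them or verify them and drop the question mark. Finally, the unescaped `.` characters in `/var/cache/ddclient/ddclient.cache` in the new ddclient rule match any character; harmless here, but inconsistent with the `\(proc\)` escaping fix made in the same hunk.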
@@ -160,55 +165,48 @@ sudo aptitude install unattended-upgrades :: /etc/apt/apt.conf - :CONTENT: -APT -{ - // Increase cache size to some arbitrary size. - // Remove this line completely once we have apt v0.7.26 in stable. (it defaults to no limit) - Cache-Limit "33554432"; - - // Configuration for /etc/cron.daily/apt - Periodic - { - // Do "apt-get update" automatically every n-days (0=disable) - Update-Package-Lists "1"; - // Do "apt-get autoclean" every n-days (0=disable) - AutocleanInterval "1"; - // Do "apt-get upgrade --download-only" every n-days (0=disable) - Download-Upgradeable-Packages "1"; - // Run the "unattended-upgrade" security upgrade script every n days - Unattended-Upgrade "1"; - } -}; - -Aptitude -{ - UI - { - Autoclean-After-Update: true; - Auto-Fix-Broken: false; - Keep-Recommends: true; - Recommends-Important: true; - Description-Visible-By-Default: false; - HelpBar false; - Menubar-Autohide true; - Purge-Unused: true; - Prompt-On-Exit false; - } -} - :END: + APT + { + // Configuration for /etc/cron.daily/apt + Periodic + { + // Do "apt-get update" automatically every n-days (0=disable) + Update-Package-Lists "1"; + // Do "apt-get autoclean" every n-days (0=disable) + AutocleanInterval "1"; + // Do "apt-get upgrade --download-only" every n-days (0=disable) + Download-Upgradeable-Packages "1"; + // Run the "unattended-upgrade" security upgrade script every n days + Unattended-Upgrade "1"; + } + }; + + Aptitude + { + UI + { + Autoclean-After-Update: true; + Auto-Fix-Broken: false; + Keep-Recommends: true; + Recommends-Important: true; + Description-Visible-By-Default: false; + HelpBar false; + Menubar-Autohide true; + Purge-Unused: true; + Prompt-On-Exit false; + } + } # Using Debian squeeze: :: /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Mail "admin@fripost.org"; - Acquire::http::Dl-Limit "70"; -# Using Debian lenny: -sudo aptitude install apticron -:: /etc/apticron/apticron.conf +** Uninstall a bunch of unnecessary packages 
- EMAIL="admin@fripost.org" +sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \ +doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \ +openbsd-inetd portmap tasksel tasksel-data w3m ** Reconfigure exim 
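Review bot: "Uninstall a bunch of unnecessary packages" now purges `openbsd-inetd`, which "Configuring an SSH tunnel between two hosts" later installs again (`sudo aptitude install openbsd-inetd`); either drop it from the purge list or have the tunnel section note the reinstall. Also in this hunk: `Acquire::http::Dl-Limit "70"` is removed from 50unattended-upgrades with no reason given, so a reader cannot tell whether the rate limit was wrong or merely unwanted; and the rewritten /etc/apt/apt.conf mixes `Key: value;` and `Key value;` inside the Aptitude UI block while apt.conf(5) documents `Key "value";`, and closes the `Aptitude { ... }` group without the trailing `;` the `APT { ... };` group has. One notation throughout would avoid surprises when the file is next edited.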
@@ -233,35 +231,33 @@ sudo dpkg-reconfigure exim4-config # no -* NEXT STEPS - +* Next Steps ** Configuring the backup solution *** Bacula configuration *** Simple rsync solution - General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be - changed to rsnapshot or perhaps something even more sophisticated like - bacula. +General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be +changed to rsnapshot or perhaps something even more sophisticated like bacula. - 1. Install rsync +1. Install rsync - sudo aptitude install rsync - 2. Create a key on the backup computer - - ssh-keygen -N "" -b 4096 -f ~/.ssh/backup_key - - cat .ssh/backup_key.pub - 3. Create a user on the computer that will be backed up - - sudo adduser remupd - - sudo passwd -d remupd +2. Create a key on the backup computer: + - sudo mkdir /root/.ssh/backup_key + - sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key + - cat /root/.ssh/backup_key.pub +3. Create a user on the computer that will be backed up + - sudo adduser --disabled-password remupd - add the public key from above to ~remupd/.ssh/authorized_keys2 prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding - - test the key: - ssh -i ~/.ssh/backup_key -l remupd example.com - - add remupd to sudo: + - sudo EDITOR="emacs" visudo Cmnd_Alias RSYNCDIST=/usr/bin/rsync remupd ALL=NOPASSWD:RSYNCDIST - 3. Create a script on the backup computer to automatically backup - 4. Add script to crontab +4. Test the key from the backup computer: + - ssh -i ~/.ssh/backup_key -l remupd example.com +5. Create a script on the backup computer to automatically backup +6. Add script to crontab ** Configuring the e-mail servers *** Introduction 
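Review bot: step 2 of the rsync backup now runs `sudo mkdir /root/.ssh/backup_key` before `sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key`, which creates a directory at the path the key should occupy and makes ssh-keygen fail; the intended command is `sudo mkdir -p /root/.ssh` (and `sudo cat` for the `.pub` file, since /root/.ssh is not readable by an unprivileged user). Step 4 is then inconsistent with step 2: it tests `ssh -i ~/.ssh/backup_key -l remupd example.com` from a normal shell, but the key now lives under /root, so the test should be `sudo ssh -i /root/.ssh/backup_key -l remupd example.com`, which also exercises the key the way the cron job will use it. The `remupd ALL=NOPASSWD:RSYNCDIST` sudo rule permits any rsync invocation as root, so whoever holds that key is effectively root on the backed-up host; a `command=` forced command on the authorized_keys entry (as the tunnel section already does) would narrow that, and `authorized_keys2` is the legacy filename, `authorized_keys` being the default.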
@@ -283,73 +279,74 @@ smarthost = the server receiving email from the internet (configured as MX) *** Configuring an SSH tunnel between two hosts - Definitions: - originating host = the host that will be connecting - destination host = the host that runs some service + Definitions: + originating host = the host that will be connecting + destination host = the host that runs some service - Begin by setting a few environment variables: + Begin by setting a few environment variables: - TUNNEL_KEY_FILE="my_tunnel_key" - TUNNEL_USER="tunneluser" - TUNNEL_HOME="/home/$TUNNEL_USER" - DEST_PORT="25" - ORIGIN_PORT="1917" + TUNNEL_KEY="my_tunnel_key" + TUNNEL_USER="tunneluser" + TUNNEL_HOME="/home/$TUNNEL_USER" + DEST_PORT="25" + ORIGIN_PORT="1917" **** Prepare origin - 1. Create a key on the originating host: +1. Create a key on the originating host: - sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE - sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub + sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE + sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE + sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub **** Prepare destination - 2a. Install necessary software on the destination host: +2a. Install necessary software on the destination host: - sudo aptitude install netcat-openbsd + sudo aptitude install netcat-openbsd - 2b. Create a new user on the destination host: +2b. Create a new user on the destination host: - sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ - --disabled-password $TUNNEL_USER - echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile + sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ + --disabled-password $TUNNEL_USER + echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile - # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config. + # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config. 
- # Note: We need bash, so we can not change the shell to something else. + # Note: We need bash, so we can not change the shell to something else. - 2c. Add the public key from above to this user: +2c. Add the public key from above to this user: - THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" + THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\ -no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh/authorized_keys2 +no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2 **** Set up the tunnel - 4. Test the key on the originating host: +4. Test the key on the originating host: - sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com + sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com - 5. Configure openbsd-inetd on the originating host: +5. Configure openbsd-inetd on the originating host: - # Comment: We use inetd instead of ssh -L because, among other things, ssh - # -L tends to hang. + # Comment: We use inetd instead of ssh -L because, among other things, ssh + # -L tends to hang. - sudo aptitude install openbsd-inetd + sudo aptitude install openbsd-inetd :: /etc/inetd.conf 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE smtptunnel@example.com - sudo /etc/init.d/openbsd-inetd restart + sudo /etc/init.d/openbsd-inetd restart - You should now be able to connect through the tunnel from the originating - host using something like: +You should now be able to connect through the tunnel from the originating +host using something like: - telnet localhost $ORIGIN_PORT +telnet localhost $ORIGIN_PORT *** Installing MySQL - sudo apt-get install mysql-server 
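Review bot: the variable is renamed to `TUNNEL_KEY` in the definitions, but every later command in the hunk (both ssh-keygen lines, the `cat`, the test `ssh` and the inetd.conf entry) still uses `$TUNNEL_KEY_FILE`, so the procedure as written generates a key named `/root/.ssh/` followed by an empty string; finish the rename or revert it. The `sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE` line is also duplicated in "Prepare origin", and the second copy prompts to overwrite the key just created. Smaller points: the inetd.conf entry hardcodes `smtptunnel@example.com` where `$TUNNEL_USER` was just defined for that purpose, and `--shell=\`type rbash|cut -d' ' -f3\`` depends on the output format of `type`; on Debian rbash is always /bin/rbash, so `--shell=/bin/rbash` is clearer.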
@@ -360,7 +357,6 @@ no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh We will use four tables `alias', `domain', `log' and `mailbox'. - ***** mysql> show tables; +----------------+ | Tables_in_mail | 
@@ -513,186 +509,171 @@ mysql -u root -p ***** Overview [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] - We will use MySQL replication to keep the MySQL user data on the smarthosts in sync with the data held on the main IMAP server. -We begin by setting up an SSH tunnel, as described above. The rest is -fairly straight-forward. Here are instructions adapted from the MySQL -manual. - -- Set up the SSH tunnel. +These instructions are mainly adapted from the MySQL manual. ***** Configure the master - - Add this to my.cnf: -:HIDDEN: -server-id = 1 -log_bin = /var/log/mysql/mysql-bin.log -expire_logs_days = 10 -max_binlog_size = 100M -binlog_do_db = mail -:END: + :: /etc/mysql/my.cnf: - - /etc/init.d/mysql restart + server-id = 1 + log_bin = /var/log/mysql/mysql-bin.log + expire_logs_days = 10 + max_binlog_size = 100M + binlog_do_db = mail + - - Enter MySQL shell and create user with replication privileges: - mysql -u root -p +/etc/init.d/mysql restart - # use only ASCII for <password> +***** Configure the slave +****** Set up an SSH tunnel - GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>'; - FLUSH PRIVILEGES; +We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]]. - USE mail; - FLUSH TABLES WITH READ LOCK; +****** Preparing steps to take on master - # Save the output of this command: - SHOW MASTER STATUS; +# Enter MySQL shell and create a user with replication privileges. +# NB: Use only ASCII for the <password> +mysql -u root -p - unlock tables; - quit; + GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>'; + FLUSH PRIVILEGES; + USE mail; + FLUSH TABLES WITH READ LOCK; + quit; + +# Make a database dump. 
- # Copy this file to the slave: - mysqldump -u root -p --opt mail > mydump.sql - -***** Configure the slave +mysqldump -u root -p --opt mail > mydump.sql - - Enter the MySQL shell and create the database: +# Now, copy this file to the slave. - mysql -u root -p - CREATE DATABASE mail; - quit; - - mysql -u root -p --database=mail < mydump.sql - - - create a new temporary directory: +# Save the output of the SHOW MASTER STATUS COMMAND. +mysql -u root -p + + SHOW MASTER STATUS; + unlock tables; + quit; + +****** Slave configuration + +# Create a new temporary directory. +# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage. - sudo mkdir /var/lib/mysql/tmp - sudo chown mysql:mysql !$ - sudo chmod 0750 !$ +TMP_DIR=/var/lib/mysql/tmp +sudo mkdir $TMP_DIR +sudo chown mysql:mysql $TMP_DIR +sudo chmod 0750 $TMP_DIR - - /etc/mysql/my.cnf -:HIDDEN: -tmpdir = /var/lib/mysql/tmp -# Note that the server-id must be different on all hosts -server-id = 2 -:END: - - /etc/init.d/mysql restart + :: /etc/mysql/my.cnf - SLAVE STOP; - # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]] - # NOTE: fill in these values using output from SHOW MASTER STATUS; above + tmpdir = /var/lib/mysql/tmp + # Note that the server-id must be different on all hosts + server-id = 2 - CHANGE MASTER TO - MASTER_HOST='127.0.0.1', - MASTER_PORT=1949, - MASTER_USER='slave_user', - MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; +/etc/init.d/mysql restart - START SLAVE; - quit; +# Enter the MySQL shell and create the database: -***** Useful commands while debugging - start slave; stop slave; - show slave status\G +mysql -u root -p -*** Configuring the main IMAP server -**** /etc/postfix/main.cf + CREATE DATABASE mail; + quit; + +mysql -u root -p --database=mail < mydump.sql + +# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. 
CHANGE MASTER TO Syntax]] +# NOTE: fill in these values using output from SHOW MASTER STATUS; above +# NOTE: filling this in my.cnf is deprecated -**** MySQL on the main IMAP server +mysql -u root -p - - create database mail; + SLAVE STOP; - We will use four tables `alias', `domain', `log' and `mailbox'. - - // FIXME; add description of tables - :HIDDEN: -mysql> show tables; + CHANGE MASTER TO + MASTER_HOST='127.0.0.1', + MASTER_PORT=1949, + MASTER_USER='slave_user', + MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; -mysql> describe alias; + START SLAVE; + show slave status\G -mysql> describe domain; +# If it seems OK, just: -mysql> describe log; + quit; -mysql> describe mailbox; - :END: +*** Configuring the main IMAP server +**** /etc/postfix/main.cf - - sudo mysql -u root -p --database=mail - :HIDDEN: -DROP TABLE IF EXISTS `alias`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `alias` ( - `address` varchar(255) NOT NULL default '', - `goto` text NOT NULL, - `domain` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` datetime NOT NULL default '0000-00-00 00:00:00', - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`address`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps'; -SET character_set_client = @saved_cs_client; +TODO: add file contents -DROP TABLE IF EXISTS `domain`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `domain` ( - `domain` varchar(255) NOT NULL default '', - `description` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` datetime NOT NULL default '0000-00-00 00:00:00', - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`domain`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps'; 
-SET character_set_client = @saved_cs_client; +**** Setting up the MDA -DROP TABLE IF EXISTS `log`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `log` ( - `id` int(11) NOT NULL auto_increment, - `user` varchar(20) NOT NULL default '', - `event` text NOT NULL, - `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, - PRIMARY KEY (`id`) -) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table'; -SET character_set_client = @saved_cs_client; +# The choice of deliver from dovecot for MDA was based on the support for the +# mailsieve filter language, which is a nice DSL and has plugin support in +# roundcube. maildrop lacks this support. -DROP TABLE IF EXISTS `mailbox`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `mailbox` ( - `username` varchar(255) NOT NULL default '', - `password` varchar(255) NOT NULL default '', - `name` varchar(255) NOT NULL default '', - `maildir` varchar(255) NOT NULL default '', - `domain` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`username`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps'; -SET character_set_client = @saved_cs_client; - :END: - - mysql -u root -p - CREATE USER 'mail'@'localhost' IDENTIFIED BY 'secret'; - GRANT SELECT ON mail.alias TO 'mail'@'localhost'; - GRANT SELECT ON mail.domain TO 'mail'@'localhost'; - GRANT SELECT ON mail.mailbox TO 'mail'@'localhost'; +# squeeze has dovecot-1.2. 
upgrade notes: +# - we might want to upgrade to their sieve (instead of cmusieve) +# - we want to add the -s flag to deliver in master.cf -**** Test delivery +:: /etc/dovecot/dovecot.conf -- /etc/postfix/main.cf -:HIDDEN: -# Not really needed until we switch to using Courier maildrop -maildrop_destination_recipient_limit = 1 + protocol lda { + # Address to use when sending rejection mails. + postmaster_address = postmaster@fripost.org + + # Hostname to use in various parts of sent mails, eg. in Message-Id. + # Default is the system's real hostname. + hostname = imap.fripost.org + + # Support for dynamically loadable plugins. mail_plugins is a space separated + # list of plugins to load. + #mail_plugins = + #mail_plugin_dir = /usr/lib/dovecot/modules/lda + + # Binary to use for sending mails. + sendmail_path = /usr/lib/sendmail + + # UNIX socket path to master authentication server to find users. + auth_socket_path = /var/run/dovecot/auth-master + + # Enabling Sieve plugin for server-side mail filtering + mail_plugins = cmusieve + } + + [...] + + ## dovecot-lda specific settings + ## + socket listen { + master { + path = /var/run/dovecot/auth-master + mode = 0600 + user = xxx # User running Dovecot LDA + #group = mail # Or alternatively mode 0660 + LDA user in this group + } + } + +:: /etc/postfix/master.cf + + dovecot unix - n n - - pipe + flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n + -virtual_mailbox_base = /home/mail/virtual -:END: +:: /etc/postfix/main.cf + + virtual_transport = dovecot + dovecot_destination_recipient_limit = 1 -sudo mkdir -p /home/mail/virtual/fripost.org/example/ +http://wiki.dovecot.org/LDA/Postfix +http://www.tehinterweb.co.uk/roundcube/#pisieverules +**** Test delivery + +sudo mkdir -p /home/mail/virtual/fripost.org/ mysql -u root -p INSERT INTO mailbox (username,password,name,maildir,domain) 
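Review bot: the reordered master steps release the read lock before the dump is taken. "Preparing steps to take on master" runs `FLUSH TABLES WITH READ LOCK;` and then `quit;`, and a lock held by a session is dropped when that session ends, so the `mysqldump` and the `SHOW MASTER STATUS` in a later third session are not guaranteed to describe the same point in the binary log, and the slave can start from an inconsistent position. Hold the lock in one session while the dump and SHOW MASTER STATUS are done from another, or use `mysqldump --master-data` (which locks the tables itself and records the coordinates in the dump), as the linked MySQL manual chapter describes. Second, the `CREATE USER 'mail'@'localhost' ... GRANT SELECT ON mail.alias/domain/mailbox` statements and the CREATE TABLE definitions removed from "**** MySQL on the main IMAP server" are not re-added anywhere in this hunk; if they do not survive elsewhere in the file, the least-privilege database user for postfix and dovecot is lost from the page. Finally, `user = xxx` in `socket listen { master { ... } }` and `user=xxx:xxx` in master.cf are placeholders that have to match each other and the mailbox ownership, and `MASTER_PASSWORD='<password>'` ends up in clear text in master.info on the slave, which deserves a one-line warning given the `--opt` dump also sits on disk.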
@@ -765,17 +746,82 @@ sudo /etc/init.d/dovecot restart # client. *** Configuring a new smarthost to relay e-mail to the main IMAP server +**** Overview + +We relay mail from our smarthosts to the main IMAP server. + +This is to avoid having a single poin of failure and to separate concerns. The +IMAP server then only needs to deal with authenticated clients and the +smarthosts. + +**** Prerequisites -First setup an SSH tunnel between the hosts according to instructions given -above. +Before this can work we must make sure that: +- the MySQL replication is working +- there is an SSH tunnel for the smtp + +If they are both setup, we can configure postfix on the smarthost to relay +emails through the tunnel. + +**** Configuration files + +TODO: add the necessary configuration files -Next, we need to configure postfix on the smarthost to relay emails through the -tunnel. ** Configuring the webserver - sudo apt-get install apache2 +*** Configuring gitweb and gitolite + +# Note: incomplete steps + +sudo apt-get install gitolite gitweb + +sudo dpkg-reconfigure gitolite + +# Add the gitweb user to gitolite + +:: /var/lib/gitolite/.gitolite.rc + $REPO_UMASK = 0027; # gets you 'rwxr-x---' + +sudo usermod -a -G gitolite www-data + +sudo /etc/init.d/apache2 stop + +sudo /etc/init.d/apache2 start + +** Logging +*** Overview +We want to limit how much we log for privacy reasons. At the same time we want +to be able to debug technical problems and detect intrusions. + +For the webmail, we only log messages of priority warn or higher. +*** Configuration + + :: /etc/rsyslog.conf + + *.*;auth,authpriv.none;mail.err -/var/log/syslog + +# NOTE: /var/log/mail.{err,warn} can be kept at the default +# values since they do not contain any sensitive information. 
+ :: /etc/logrotate.d/rsyslog + + /var/log/mail.log + /var/log/mail.info + { + rotate 3 + daily + missingok + ifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript + } + ** Necessary stuff to fix for security *** Bacula for backups Also has tripwire-like capabilities. 
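Review bot: the new `/etc/logrotate.d/rsyslog` stanza lists `/var/log/mail.log` and `/var/log/mail.info`, which the shipped version of that file already rotates in its second stanza, and logrotate refuses a log named twice ("duplicate log entry"); the two paths must be removed from the original stanza in the same edit. On gitweb: `sudo usermod -a -G gitolite www-data` gives the web server group read access to every repository directory, which sidesteps the per-repository visibility gitolite maintains for gitweb unless gitweb's `$strict_export` is enabled, and `$REPO_UMASK = 0027` only affects repositories created after the change, so existing ones need their permissions fixed by hand. The "Overview" text has a typo ("poin" for "point"), and the stated webmail rule "we only log messages of priority warn or higher" has no matching configuration line in the hunk.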
@@ -789,25 +835,87 @@ TODO: Add nice rules. *** Monitoring +* Hardening +** Overview + +The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security. + +These are just some quick notes for easy access to the administrators. + +** rkhunter + +sudo aptitude install rkhunter + +sudo rkhunter -c --nomow --rwo + +:: /etc/rkhunter.conf + + MAIL-ON-WARNING=admin@fripost.org + + ALLOWHIDDENFILE=/etc/.gitignore + ALLOWHIDDENFILE=/etc/.etckeeper + + # something like: (adapt port as needed) + INETD_ALLOWED_SVC=127.0.0.1:2000 + + # in case whitelisting is needed, use something like: + # (whitespace important) + APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 " + +#### ALSO, do this (not needed for squeeze) + ++# apps test is disabled by default as it triggers warnings about outdated ++# applications (and warns about possible security risk: we better trust ++# the Debian Security Team). ++# + ENABLE_TESTS="all" +-DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps" ++DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" + +:: /etc/default/rkhunter + + REPORT_EMAIL="admin@fripost.org" + NICE="19" + +# testing: + +sudo rkhunter -c --nomow --rwo * NEED TO KNOW FOR SERVER ADMINS +** Document your changes + +When you make changes to the system, document them here. + +The latest version of this document is always available from: + + git clone git://github.com/skangas/fripost-docs.git + +Direct all patches to skangas@skangas.se. Preferably you should use +`git-format-patch' and `git-send-email'. Thanks. + ** Use etckeeper - We keep /etc in a git repository using the tool etckeeper. +We keep /etc in a git repository using the tool etckeeper. + +This means that every time you make changes to any files in /etc, you are +expected to commit them using a descriptive commit message. Please add a +signature (initials or your username) since all commits will be made as root. 
+ +$ etckeeper commit "postfix: enable to relay messages to remote hosts via smtp /skangas" - This means that every time you make changes to any files in /etc, you are - expected to commit them using a descriptive commit message. Please add a - signature (initials or your username) since all commits will be made as root. +If you do not commit your changes, the next system upgrade will fail and +whoever makes the upgrade will have to commit your changes for you. They may +have to guess as to why you made your changes. Please do not put your +co-administrators in this uncomfortable position. - $ etckeeper commit "postfix: enable to relay messages to remote hosts via smtp /skangas" +It is also possible to use simple git commands in /etc, e.g. `git log'. +`etckeeper' has the benefit of keeping track of file permissions, which git +by itself will not. - If you do not commit your changes, the next system upgrade will fail and - whoever makes the upgrade will have to commit your changes for you. They may - have to guess as to why you made your changes. Please do not put your - co-administrators in this uncomfortable position. +** Use fripost-tools - It is also possible to use simple git commands in /etc, e.g. `git log'. - `etckeeper' has the benefit of keeping track of file permissions, which git - by itself will not. +We have written some tools to make administration tasks easier. They can be +found at: + git clone git://github.com/skangas/fripost-tools.git |
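Review bot: the `#### ALSO, do this (not needed for squeeze)` heading does not say which release does need the DISABLE_TESTS patch under it, and that fragment is a diff pasted into the document (`++#`, `+-DISABLE_TESTS=`); name the release or drop the fragment now that the page targets squeeze. `sudo rkhunter -c --nomow --rwo` appears twice in this hunk, once before and once after the configuration, and the first run happens before /etc/rkhunter.conf is edited, so its warnings are not those the final configuration will produce. Nothing in the section mentions running `rkhunter --propupd` after package upgrades; combined with the unattended-upgrades configured earlier, every security upgrade will otherwise produce file-property warnings in the daily mail, and Debian's /etc/default/rkhunter has an `APT_AUTOGEN` switch for exactly this. In "Document your changes", `git-format-patch` and `git-send-email` are the old hyphenated command names; current git spells them `git format-patch` and `git send-email`.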