From 361dc511ef540e3912488ead4c6ed0aa7e2ee561 Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sat, 26 Feb 2011 22:01:03 +0100 Subject: Greatly improve the MySQL instructions. --- fripost-docs.org | 205 ++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 174 insertions(+), 31 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index e801cc6..d61bb9b 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -264,17 +264,16 @@ sudo dpkg-reconfigure exim4-config 4. Add script to crontab ** Configuring the e-mail servers - *** Introduction **** Overview - We will be using one main mail storage server, accessible by users via IMAP. - This server should be referred to as the main `IMAP server'. We will have two - or more mail gateways that will relay e-mail to the main server over secure - connections. These are called `smarthosts'. +We will be using one main mail storage server, accessible by users via IMAP. +This server should be referred to as the main `IMAP server'. We will have two or +more mail gateways that will relay e-mail to the main server over secure +connections. These are called `smarthosts'. - The main server will also be responsible for keeping all users in an MySQL - database that will be replicated using MySQL. +The main server will also be responsible for keeping all users in an MySQL +database that will be replicated using MySQL. **** Definitions 
@@ -354,22 +353,174 @@ no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh *** Installing MySQL - sudo apt-get install mysql-server - generate a long (25 characters) password for the mysql root user - - /etc/mysql/my.cnf -:HIDDEN: -skip-innodb -:END: + - /etc/mysql/my.cnf: skip-innodb +*** MySQL on the main IMAP server +**** Overview + +We will use four tables `alias', `domain', `log' and `mailbox'. + + +***** mysql> show tables; ++----------------+ +| Tables_in_mail | ++----------------+ +| alias | +| domain | +| log | +| mailbox | ++----------------+ +4 rows in set (0.00 sec) + +***** mysql> describe alias; ++-------------+--------------+------+-----+---------------------+-------+ +| Field | Type | Null | Key | Default | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| address | varchar(255) | NO | PRI | | | +| goto | text | NO | | NULL | | +| domain | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | ++-------------+--------------+------+-----+---------------------+-------+ +6 rows in set (0.00 sec) + +***** mysql> describe domain; ++-------------+--------------+------+-----+---------------------+-------+ +| Field | Type | Null | Key | Default | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| domain | varchar(255) | NO | PRI | | | +| description | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | ++-------------+--------------+------+-----+---------------------+-------+ +5 rows in set (0.00 sec) + +***** mysql> describe log; ++-------+-------------+------+-----+-------------------+----------------+ +| Field | Type | Null | Key | Default | Extra | 
++-------+-------------+------+-----+-------------------+----------------+ +| id | int(11) | NO | PRI | NULL | auto_increment | +| user | varchar(20) | NO | | | | +| event | text | NO | | NULL | | +| date | timestamp | NO | | CURRENT_TIMESTAMP | | ++-------+-------------+------+-----+-------------------+----------------+ +4 rows in set (0.00 sec) + +***** mysql> describe mailbox; ++-------------+--------------+------+-----+---------------------+-------+ +| Field | Type | Null | Key | Default | Extra | ++-------------+--------------+------+-----+---------------------+-------+ +| username | varchar(255) | NO | PRI | | | +| password | varchar(255) | NO | | | | +| name | varchar(255) | NO | | | | +| maildir | varchar(255) | NO | | | | +| domain | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | ++-------------+--------------+------+-----+---------------------+-------+ +8 rows in set (0.00 sec) + +**** Steps to produce it +mysql -u root -p + + create database mail; + +sudo mysql -u root -p --database=mail +FIXME: Not 100 % up to date + :HIDDEN: +DROP TABLE IF EXISTS `alias`; +SET @saved_cs_client = @@character_set_client; +SET character_set_client = utf8; +CREATE TABLE `alias` ( + `address` varchar(255) NOT NULL default '', + `goto` text NOT NULL, + `domain` varchar(255) NOT NULL default '', + `create_date` datetime NOT NULL default '0000-00-00 00:00:00', + `change_date` datetime NOT NULL default '0000-00-00 00:00:00', + `active` tinyint(4) NOT NULL default '1', + PRIMARY KEY (`address`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps'; +SET character_set_client = @saved_cs_client; + +DROP TABLE IF EXISTS `domain`; +SET @saved_cs_client = @@character_set_client; +SET character_set_client = utf8; +CREATE TABLE `domain` ( + `domain` varchar(255) NOT NULL default '', + `description` varchar(255) NOT 
NULL default '', + `create_date` datetime NOT NULL default '0000-00-00 00:00:00', + `change_date` datetime NOT NULL default '0000-00-00 00:00:00', + `active` tinyint(4) NOT NULL default '1', + PRIMARY KEY (`domain`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps'; +SET character_set_client = @saved_cs_client; + +DROP TABLE IF EXISTS `log`; +SET @saved_cs_client = @@character_set_client; +SET character_set_client = utf8; +CREATE TABLE `log` ( + `id` int(11) NOT NULL auto_increment, + `user` varchar(20) NOT NULL default '', + `event` text NOT NULL, + `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, + PRIMARY KEY (`id`) +) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table'; +SET character_set_client = @saved_cs_client; + +DROP TABLE IF EXISTS `mailbox`; +SET @saved_cs_client = @@character_set_client; +SET character_set_client = utf8; +CREATE TABLE `mailbox` ( + `username` varchar(255) NOT NULL default '', + `password` varchar(255) NOT NULL default '', + `name` varchar(255) NOT NULL default '', + `maildir` varchar(255) NOT NULL default '', + `domain` varchar(255) NOT NULL default '', + `create_date` datetime NOT NULL default '0000-00-00 00:00:00', + `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, + `active` tinyint(4) NOT NULL default '1', + PRIMARY KEY (`username`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps'; +SET character_set_client = @saved_cs_client; + :END: + +mysql -u root -p + +# Create triggers + + use mail; + + DELIMITER $$ + CREATE TRIGGER alias_set_created_on_insert before insert on alias + for each row begin set new.create_date = current_timestamp; end$$ + CREATE TRIGGER domain_set_created_on_insert before insert on domain + for each row begin set new.create_date = current_timestamp; end$$ + CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox + 
for each row begin set new.create_date = current_timestamp; end$$ + DELIMITER ; + +# Create mail user + + CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ'; + GRANT SELECT ON mail.alias TO 'mail'@'localhost'; + GRANT SELECT ON mail.domain TO 'mail'@'localhost'; + GRANT SELECT ON mail.mailbox TO 'mail'@'localhost'; + *** Configuring the MySQL replication ***** Overview - [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] +[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] - We will use MySQL replication to keep the MySQL user data on the smarthosts - in sync with the data held on the main IMAP server. - We begin by setting up an SSH tunnel, as described above. The rest is - fairly straight-forward. Here are instructions adapted from the MySQL - manual. +We will use MySQL replication to keep the MySQL user data on the smarthosts +in sync with the data held on the main IMAP server. - - Set up the SSH tunnel. +We begin by setting up an SSH tunnel, as described above. The rest is +fairly straight-forward. Here are instructions adapted from the MySQL +manual. + +- Set up the SSH tunnel. ***** Configure the master 
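Review bot: `CREATE USER 'mail'@'localhost' IDENTIFIED BY 'mijhl9hniiMu5WxvvtdgsacxZ';` puts a literal database credential into a tracked document, where it stays in history even after rotation; the instruction should carry a placeholder and tell the reader to generate their own, e.g. `CREATE USER 'mail'@'localhost' IDENTIFIED BY '<generated-password>';` with a line above it such as `# generate a long random password; never paste a real one into this file`. The `CREATE TABLE` statements in the `:HIDDEN:` drawer also disagree with the `describe` output shown above them: `alias.change_date` and `domain.change_date` are `timestamp` defaulting to `CURRENT_TIMESTAMP` in the listings but `datetime` defaulting to `'0000-00-00 00:00:00'` in the DDL, which `FIXME: Not 100 % up to date` only half-acknowledges. Nothing says what the `mailbox.password varchar(255)` column holds; a comment next to it, e.g. `-- password: stored hashed (scheme to be documented here), never in clear`, would keep a later reader from inserting plaintext during the "Test delivery" step.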
@@ -606,19 +757,11 @@ user_query = SELECT concat('/home/mail/virtual/',maildir) AS mail, XXX AS uid, X *** Configuring a new smarthost to relay e-mail to the main IMAP server - First setup an SSH tunnel between the hosts according to instructions given - above in this document. +First setup an SSH tunnel between the hosts according to instructions given +above in this document. - Next, you need to configure postfix on the smarthost to relay emails through - the tunnel: - - One quick-and-dirty example to try it out is: - - /etc/postfix/main.cf - relay_domains = fripost.org - transport_maps = hash:/etc/postfix/transport - - /etc/postfix/transport - fripost.org smtp:localhost:1917 - - sudo postmap hash:/etc/postfix/transport +Next, you need to configure postfix on the smarthost to relay emails through +the tunnel. ** Configuring the webserver @@ -626,7 +769,7 @@ user_query = SELECT concat('/home/mail/virtual/',maildir) AS mail, XXX AS uid, X ** Necessary stuff to fix for security *** Bacula for backups - Also has tripwire-like capabilities. +Also has tripwire-like capabilities. *** OSSEC *** Firewall rules -- cgit v1.2.3 From b743f0ff88fcc7bd8dce1d9a203f93539263ac1f Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 00:05:32 +0100 Subject: Minor fixes to tunnel setup. --- fripost-docs.org | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 9b675f8..62a902d 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -312,7 +312,7 @@ smarthost = the server receiving email from the internet (configured as MX) sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ --disabled-password $TUNNEL_USER - echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile + echo "exit" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.bash_profile # Also, make sure to add this user to AllowUsers in /etc/ssh/sshd_config. 
@@ -322,9 +322,9 @@ smarthost = the server receiving email from the internet (configured as MX) THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" - sudo -u $TUNNEL_USER mkdir $TUNNEL_HOME/.ssh + sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,\ -no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.ssh/authorized_keys2 +no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2 **** Set up the tunnel -- cgit v1.2.3 From da612bc0141faf001390be38a706878a1a3b84bc Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 01:04:47 +0100 Subject: Improve MySQL replication instructions. --- fripost-docs.org | 132 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 72 insertions(+), 60 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 62a902d..91ca235 100644 --- a/fripost-docs.org +++ b/fripost-docs.org 
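Review bot: The directory and key file this hunk creates get whatever mode the invoking umask yields, and the key is written to `authorized_keys2`, a name OpenSSH has deprecated for a long time and that only works while the default `AuthorizedKeysFile` still lists it (presumably true on the Debian version in use; worth confirming). Pinning the modes makes the step independent of the environment: `sudo -u $TUNNEL_USER chmod 700 $TUNNEL_HOME/.ssh` after the `mkdir -p`, and `sudo -u $TUNNEL_USER chmod 600 $TUNNEL_HOME/.ssh/authorized_keys` after the `tee -a`, using `authorized_keys` as the file name. Note that `tee -a` here, and on the `.bash_profile` line in the preceding hunk, appends on every run, so re-running the instructions accumulates duplicate entries; a one-line remark `# re-running appends a duplicate line; check the file first` would warn the operator.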
@@ -512,89 +512,101 @@ mysql -u root -p ***** Overview [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] - We will use MySQL replication to keep the MySQL user data on the smarthosts in sync with the data held on the main IMAP server. -We begin by setting up an SSH tunnel, as described above. The rest is -fairly straight-forward. Here are instructions adapted from the MySQL -manual. - -- Set up the SSH tunnel. +These instructions are mainly adapted from the MySQL manual. ***** Configure the master - - Add this to my.cnf: -:HIDDEN: -server-id = 1 -log_bin = /var/log/mysql/mysql-bin.log -expire_logs_days = 10 -max_binlog_size = 100M -binlog_do_db = mail -:END: + :: /etc/mysql/my.cnf: + + server-id = 1 + log_bin = /var/log/mysql/mysql-bin.log + expire_logs_days = 10 + max_binlog_size = 100M + binlog_do_db = mail + + +/etc/init.d/mysql restart - - /etc/init.d/mysql restart +***** Configure the slave +****** Set up an SSH tunnel - - Enter MySQL shell and create user with replication privileges: - mysql -u root -p +We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]]. - # use only ASCII for +****** Preparing steps to take on master - GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY ''; - FLUSH PRIVILEGES; +# Enter MySQL shell and create a user with replication privileges. +# NB: Use only ASCII for the +mysql -u root -p - USE mail; - FLUSH TABLES WITH READ LOCK; + GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY ''; + FLUSH PRIVILEGES; + USE mail; + FLUSH TABLES WITH READ LOCK; + quit; + +# Make a database dump. - # Save the output of this command: - SHOW MASTER STATUS; +mysqldump -u root -p --opt mail > mydump.sql - unlock tables; - quit; +# Now, copy this file to the slave. 
- # Copy this file to the slave: - mysqldump -u root -p --opt mail > mydump.sql - -***** Configure the slave +# Save the output of the SHOW MASTER STATUS COMMAND. +mysql -u root -p + + SHOW MASTER STATUS; + unlock tables; + quit; - - Enter the MySQL shell and create the database: +****** Slave configuration - mysql -u root -p - CREATE DATABASE mail; - quit; +# Create a new temporary directory. +# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage. + +TMP_DIR=/var/lib/mysql/tmp +sudo mkdir $TMP_DIR +sudo chown mysql:mysql $TMP_DIR +sudo chmod 0750 $TMP_DIR + + :: /etc/mysql/my.cnf + + tmpdir = /var/lib/mysql/tmp + # Note that the server-id must be different on all hosts + server-id = 2 + +/etc/init.d/mysql restart + +# Enter the MySQL shell and create the database: + +mysql -u root -p + + CREATE DATABASE mail; + quit; - mysql -u root -p --database=mail < mydump.sql +mysql -u root -p --database=mail < mydump.sql - - create a new temporary directory: - - sudo mkdir /var/lib/mysql/tmp - sudo chown mysql:mysql !$ - sudo chmod 0750 !$ +# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]] +# NOTE: fill in these values using output from SHOW MASTER STATUS; above +# NOTE: filling this in my.cnf is deprecated - - /etc/mysql/my.cnf -:HIDDEN: -tmpdir = /var/lib/mysql/tmp -# Note that the server-id must be different on all hosts -server-id = 2 -:END: - - /etc/init.d/mysql restart +mysql -u root -p + + SLAVE STOP; - SLAVE STOP; - # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. 
CHANGE MASTER TO Syntax]] - # NOTE: fill in these values using output from SHOW MASTER STATUS; above + CHANGE MASTER TO + MASTER_HOST='127.0.0.1', + MASTER_PORT=1949, + MASTER_USER='slave_user', + MASTER_PASSWORD='', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; - CHANGE MASTER TO - MASTER_HOST='127.0.0.1', - MASTER_PORT=1949, - MASTER_USER='slave_user', - MASTER_PASSWORD='', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; + START SLAVE; + show slave status\G - START SLAVE; - quit; +# If it seems OK, just: -***** Useful commands while debugging - start slave; stop slave; - show slave status\G + quit; *** Configuring the main IMAP server **** /etc/postfix/main.cf -- cgit v1.2.3 From 4e99d89906382d731f5bb370824add2306cf812d Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 02:10:43 +0100 Subject: Add overview of smarthost to imap server configuration. --- fripost-docs.org | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 91ca235..cd4a225 100644 --- a/fripost-docs.org +++ b/fripost-docs.org 
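Review bot: The global read lock taken by `FLUSH TABLES WITH READ LOCK;` is tied to the session and is released when the next line, `quit;`, ends it, so the `mysqldump` and the later `SHOW MASTER STATUS;` both run unlocked and the recorded `MASTER_LOG_FILE`/`MASTER_LOG_POS` need not correspond to the dump. Either keep that session open in one terminal (take the lock, run the dump and `SHOW MASTER STATUS` from another, then `unlock tables;`), or let mysqldump do it, e.g. `mysqldump -u root -p --opt --master-data=2 mail > mydump.sql`, which records the binlog coordinates inside the dump. `GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '';` and `MASTER_PASSWORD=''` are valid statements that create and use a passwordless replication account; if they are meant as blanks to fill in, an unmistakable placeholder such as `IDENTIFIED BY '<slave-password>'` is safer. The comment `# NB: Use only ASCII for the` breaks off mid-sentence. Since `mydump.sql` contains the `mailbox` rows including the `password` column, the note "Now, copy this file to the slave" should add that the file is to be mode 0600 and deleted on both hosts after the import.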
@@ -776,12 +776,28 @@ sudo /etc/init.d/dovecot restart # client. *** Configuring a new smarthost to relay e-mail to the main IMAP server +**** Overview + +We relay mail from our smarthosts to the main IMAP server. + +This is to avoid having a single poin of failure and to separate concerns. The +IMAP server then only needs to deal with authenticated clients and the +smarthosts. + +**** Prerequisites + +Before this can work we must make sure that: +- the MySQL replication is working +- there is an SSH tunnel for the smtp + +If they are both setup, we can configure postfix on the smarthost to relay +emails through the tunnel. + +**** Configuration files + +TODO: add the necessary configuration files -First setup an SSH tunnel between the hosts according to instructions given -above. -Next, we need to configure postfix on the smarthost to relay emails through the -tunnel. ** Configuring the webserver -- cgit v1.2.3 From 428346f583bc0312480acf0f4cc240e120824a85 Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 02:33:11 +0100 Subject: Remove duplicate stuff --- fripost-docs.org | 93 ++------------------------------------------------------ 1 file changed, 2 insertions(+), 91 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index cd4a225..c87d982 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -359,7 +359,6 @@ no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/. We will use four tables `alias', `domain', `log' and `mailbox'. - ***** mysql> show tables; +----------------+ | Tables_in_mail | 
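Review bot: `single poin of failure` in the new Overview paragraph should read `single point of failure`. The Prerequisites list names "the MySQL replication" and "an SSH tunnel for the smtp" without saying which earlier sections they refer to; org links like the one used in the replication section (`[[Configuring an SSH tunnel between two hosts][above]]`) would make the two prerequisites navigable.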
@@ -611,99 +610,11 @@ mysql -u root -p *** Configuring the main IMAP server **** /etc/postfix/main.cf -**** MySQL on the main IMAP server - - - create database mail; - - We will use four tables `alias', `domain', `log' and `mailbox'. - - // FIXME; add description of tables - :HIDDEN: -mysql> show tables; - -mysql> describe alias; - -mysql> describe domain; - -mysql> describe log; - -mysql> describe mailbox; - :END: - - - sudo mysql -u root -p --database=mail - :HIDDEN: -DROP TABLE IF EXISTS `alias`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `alias` ( - `address` varchar(255) NOT NULL default '', - `goto` text NOT NULL, - `domain` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` datetime NOT NULL default '0000-00-00 00:00:00', - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`address`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps'; -SET character_set_client = @saved_cs_client; - -DROP TABLE IF EXISTS `domain`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `domain` ( - `domain` varchar(255) NOT NULL default '', - `description` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` datetime NOT NULL default '0000-00-00 00:00:00', - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`domain`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps'; -SET character_set_client = @saved_cs_client; - -DROP TABLE IF EXISTS `log`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `log` ( - `id` int(11) NOT NULL auto_increment, - `user` varchar(20) NOT NULL default '', - `event` text NOT NULL, - `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, - PRIMARY KEY (`id`) -) 
ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table'; -SET character_set_client = @saved_cs_client; - -DROP TABLE IF EXISTS `mailbox`; -SET @saved_cs_client = @@character_set_client; -SET character_set_client = utf8; -CREATE TABLE `mailbox` ( - `username` varchar(255) NOT NULL default '', - `password` varchar(255) NOT NULL default '', - `name` varchar(255) NOT NULL default '', - `maildir` varchar(255) NOT NULL default '', - `domain` varchar(255) NOT NULL default '', - `create_date` datetime NOT NULL default '0000-00-00 00:00:00', - `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, - `active` tinyint(4) NOT NULL default '1', - PRIMARY KEY (`username`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps'; -SET character_set_client = @saved_cs_client; - :END: - - mysql -u root -p - CREATE USER 'mail'@'localhost' IDENTIFIED BY 'secret'; - GRANT SELECT ON mail.alias TO 'mail'@'localhost'; - GRANT SELECT ON mail.domain TO 'mail'@'localhost'; - GRANT SELECT ON mail.mailbox TO 'mail'@'localhost'; +TODO: add file contents **** Test delivery -- /etc/postfix/main.cf -:HIDDEN: -# Not really needed until we switch to using Courier maildrop -maildrop_destination_recipient_limit = 1 - -virtual_mailbox_base = /home/mail/virtual -:END: - -sudo mkdir -p /home/mail/virtual/fripost.org/example/ +sudo mkdir -p /home/mail/virtual/fripost.org/ mysql -u root -p INSERT INTO mailbox (username,password,name,maildir,domain) -- cgit v1.2.3 From d231c7e9e2c219b256acf155b3f7b7e35713250b Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 05:36:48 +0100 Subject: Fix typo in logcheck configuration. --- fripost-docs.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fripost-docs.org b/fripost-docs.org index c87d982..f61e51b 100644 --- a/fripost-docs.org +++ b/fripost-docs.org 
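Review bot: With the `/etc/postfix/main.cf` snippet removed, `virtual_mailbox_base = /home/mail/virtual` no longer appears anywhere on the new side, yet the surviving test-delivery step `sudo mkdir -p /home/mail/virtual/fripost.org/` still depends on that path; until `TODO: add file contents` is filled in, a one-line remark such as `# path must match virtual_mailbox_base in main.cf (configuration to be added above)` would keep the two in step. The removed DDL also carried the mailbox `password` column definition; the surviving `INSERT INTO mailbox (username,password,name,maildir,domain)` line is cut off at the end of the hunk, so what is inserted into `password` is not visible here and should state the expected (hashed) format where it continues.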
@@ -136,7 +136,7 @@ sudo aptitude install logcheck syslog-summary ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$ /etc/logcheck/ignore.d.server/ddclient :HIDDEN: -- cgit v1.2.3 From 50d480bd78df4070b82c647c6dfa94f3edd93cf5 Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Sun, 27 Feb 2011 06:23:56 +0100 Subject: Add logging configuration. --- fripost-docs.org | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/fripost-docs.org b/fripost-docs.org index f61e51b..9d0f33e 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -714,6 +714,37 @@ TODO: add the necessary configuration files - sudo apt-get install apache2 +** Logging +*** Overview +We want to limit how much we log for privacy reasons. At the same time we want +to be able to debug technical problems and detect intrusions. + +For the webmail, we only log messages of priority warn or higher. +*** Configuration + + :: /etc/rsyslog.conf + + *.*;auth,authpriv.none;mail.err -/var/log/syslog + +# NOTE: /var/log/mail.{err,warn} can be kept at the default +# values since they do not contain any sensitive information. + :: /etc/logrotate.d/rsyslog + + /var/log/mail.log + /var/log/mail.info + { + rotate 3 + daily + missingok + ifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript + } + ** Necessary stuff to fix for security *** Bacula for backups Also has tripwire-like capabilities. -- cgit v1.2.3
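Review bot: The corrected rule still ends in `stopped.$` with an unescaped dot, so it matches one character more loosely than intended; for consistency with the `\(proc\)` escaping this commit adds, `kernel: Kernel logging \(proc\) stopped\.$` is the exact form. Logcheck ignore rules suppress lines from review, so the tighter the pattern the better; the same unescaped trailing dot appears in the `imklog ... started.$` context line above, which this commit does not touch.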
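Review bot: The Overview promises that "for the webmail, we only log messages of priority warn or higher", but the Configuration subsection contains only the rsyslog selector and a logrotate stanza for `mail.log`/`mail.info`; either the webmail logging setting belongs here or the sentence should be marked as a TODO. The `rotate 3` / `daily` stanza is the privacy control for the mail logs yet carries no explanation; a comment above it, e.g. `# keep mail.log/mail.info for 3 days only: presumably they carry sender/recipient addresses`, would record the intent. The `# NOTE:` comment about `/var/log/mail.{err,warn}` sits between the rsyslog and logrotate blocks and reads as belonging to the `:: /etc/logrotate.d/rsyslog` entry; moving it below that header would make the attachment clear.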