From 91a22fb1b6463523d990faeab61c2bd2b3e82000 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 13 Nov 2012 21:45:33 +0100 Subject: wibble --- fripost-docs.org | 111 +++++++++++++++++++++++++++---------------------------- 1 file changed, 54 insertions(+), 57 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index d73b83f..6ecc47c 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -443,8 +443,8 @@ threads to 8. (The default, 16, is fine for 4- and 8-core systems.) 2. It may be a good idea to modify DB_CONFIG, depending on the output -of - +of + db4.8_stat -m -h /var/lib/ldap/ | head -16 (For optimal performance, the Requested pages found in the cache @@ -529,8 +529,8 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html). | isActive: TRUE | `- mailTarget=user1-alias@fripost.org - - + + :: /etc/ldap/fripost/fripost.ldif @@ -1142,7 +1142,7 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules sudo mkdir -p /home/mail/virtual/fripost.org/ :: ldapadd -xWD cn=admin,dc=fripost,dc=org - + dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org objectClass: virtualDomain isActive: TRUE 
@@ -1342,44 +1342,41 @@ TODO: add the necessary configuration files sudo aptitude install postfix postfix-ldap -*** Configuring the Mail Submission Agent (MSA) - -We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and -MTA are hosted on the same machine (gnu). - -Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out. - -**** Install packages +:: /etc/postfix/main.cf -sudo apt-get install sasl2-bin libsasl2-modules +smtp_bind_address = 88.80.16.139 +smtp_bind_address6 = 2A00:16B0:242:13F::1 +[...] +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes -(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to -test our installation.) +(Note: Ideally, the IPv4 and IPv6 address above should resolve to our +hostname, namely `smtp.fripost.org' here.) -In the rest of this section, we assume there is a tunnel from the master -LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on -this machine actually speaks to the master). +We don't want to force the SMTP client to use encrypted connection +regardless, as some servers may not support it :-/ -**** Relay emails from trusted hosts. +**** Relay emails from trusted hosts :: /etc/postfix/main.cf relay_clientcerts = hash:$config_directory/relay_clientcerts [...] smtpd_tls_fingerprint_digest = sha1 + [...] smtpd_recipient_restrictions = [...] permit_mynetworks permit_tls_clientcerts [...] -/etc/postfix/relay_clientcerts lists (SHA1) fingerprints and hostnames +/etc/postfix/relay_clientcerts lists (SHA-1) fingerprints and hostnames of our trusted hosts. Fingerprints can be obtained with openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem :: /etc/postfix/relay_clientcerts - E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg.fripost.org + E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg [...] Do not forget do update this file if the you change the hostname or certificate of the 
@@ -1394,7 +1391,7 @@ the mailhub. For instance on mx1.fripost.org, :: /etc/postfix/main.cf [...] smtp_tls_security_level = may - smtp_tls_policy_maps = hash:$config_directory/tls_policy + smtp_tls_policy_maps = hash:$config_directory/tls_policy smtp_tls_cert_file = /path/to/pubkey.pem smtp_tls_key_file = /path/to/privkey.key [...] @@ -1510,16 +1507,16 @@ What the user type is here emphasized and prefixed with a `*' :: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/ [...] Verify return code: 0 (ok) - --- + --- 250 DSN * EHLO localhost.localdomain [...] - 250-ETRN + 250-ETRN 250-AUTH LOGIN PLAIN 250-AUTH=LOGIN PLAIN 250-ENHANCEDSTATUSCODES - 250-8BITMIME - 250 DSN + 250-8BITMIME + 250 DSN * AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg== 235 2.7.0 Authentication successful * mail from: @@ -1528,11 +1525,11 @@ What the user type is here emphasized and prefixed with a `*' 250 2.1.5 Ok * DATA 354 End data with . - * Subject: test + * Subject: test * \o/ - * . + * . 250 2.0.0 Ok: queued as 3D7767B4BD - + Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's, credentials, in our case login "user@fripost.org" and password "user", which can be obtained by the command @@ -1540,7 +1537,7 @@ can be obtained by the command echo -ne '\000user@fripost.org\000user' | openssl base64 or slightly better (does not write password in your ~/.bash_history) - + read U PW; echo -ne "\000$U\000$PW" | openssl base64 **** Anonymize the senders @@ -1773,7 +1770,7 @@ in :: /usr/share/roundcube/skins/default/templates/login.html make - +
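Review bot: the subject line "wibble" describes nothing, and the patch mixes a content change with cosmetic cleanup: the @@ -443, @@ -529, @@ -1142, @@ -1394, @@ -1510, @@ -1528, @@ -1537 and @@ -1773 hunks only strip trailing whitespace, while the @@ -1342 hunk removes a whole subsection and adds new main.cf settings. Split the whitespace cleanup into its own commit and give the content change a subject that says what it does (for example "Replace MSA section with outbound SMTP bind/TLS settings"), so the substantive change can be reviewed and reverted on its own.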
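Review bot: the @@ -1342 hunk deletes the "Configuring the Mail Submission Agent (MSA)" subsection (the 587/TCP and 25/TCP firewall rules, the sasl2-bin/libsasl2-modules install, and the assumption that ldap://127.0.0.1:3890 is a tunnel to the master LDAP server for saslauthd) without moving that material anywhere in this patch, yet the @@ -1510 hunk still documents a `250-AUTH LOGIN PLAIN` / `AUTH PLAIN` test against the relay; either keep the subsection or say in the commit message where the SASL/MSA setup is now documented. In the replacement text, "should resolve to our hostname" is the wrong direction: what matters is that the PTR records of 88.80.16.139 and 2A00:16B0:242:13F::1 point back to the name the server announces (smtp.fripost.org), since `smtp_bind_address` changes only the source address, not the HELO name. The sentence "We don't want to force the SMTP client to use encrypted connection regardless" should also note that `smtp_tls_security_level = may` is opportunistic (a STARTTLS downgrade to cleartext is not detected) and point to the `smtp_tls_policy_maps = hash:$config_directory/tls_policy` entry in the @@ -1394 hunk as the place where encrypt/verify is enforced per destination. Minor: the added `smtp_bind_address` lines are not indented like the other `::` config blocks (compare `  relay_clientcerts = ...`), and since the hunk touches the "(SHA-1)" wording next to `smtpd_tls_fingerprint_digest = sha1`, it is a good moment to switch that setting and the `openssl x509 -fingerprint -sha1` command to sha256, which Postfix accepts for this parameter.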
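Review bot: the @@ -1537 hunk only removes trailing whitespace from the line above `read U PW; echo -ne "\000$U\000$PW" | openssl base64`, but that command still echoes the password to the terminal while it is typed and splits on whitespace, so the "slightly better" claim is only about ~/.bash_history; suggest `read -r U; read -rs PW` (bash, which the history note already assumes) so the password is neither displayed nor split.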