From 93d64fe8b00503ae4b1fd709cedcf8c9575f3a71 Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Thu, 16 Dec 2010 16:56:53 +0100 Subject: Improved instructions for configuring a tunnel from a smarthost to the main IMAP server. --- fripost-docs.org | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 0788681..2a8a361 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -175,10 +175,14 @@ Aptitude The main server will also be responsible for keeping all users in an MySQL database that will be replicated over *** Configuring the MySQL replication -*** Configuring the SSH tunnel for SMTP +*** Configuring the SSH tunnel between a new smarthost and the main IMAP server + + Definitons: + IMAP server = the main storage server + smarthost = the receiving server (configured as MX) Steps to reproduce the configuration: - 1. Create a user on the main e-mail server [if not done] + 1. Create a user on the main e-mail server [this should already be done on the IMAP server] - sudo aptitude install openbsd-netcat - sudo adduser smtptunnel - echo "exit" > .bash_profile [to be sure] 
@@ -190,15 +194,15 @@ Aptitude - ssh-keygen -N "" -b 4096 -f ~/.ssh/tunnel_key - cat .ssh/tunnel_key.pub - 3. Add this key to the "smtptunnel"-user on the smarthost - - echo "" | sude tee .ssh/authorized_keys2 + 3. Add this key to the user `smtptunnel' on the IMAP server + - echo "" | sudo tee .ssh/authorized_keys2 - Add this before "ssh-rsa" in authorized_keys2: command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding - 4. Test the key on the client server: - - sudo ssh -l remupd -i /root/.ssh/tunnel_key smtptunnel@host + 4. Test the key on the smarthost: + - sudo ssh -l smtptunnel -i /root/.ssh/tunnel_key smtptunnel@example.com - 5. Configure openbsd-inetd: + 5. Configure openbsd-inetd on the smarthost: (We use inetd instead of ssh -L because, among other things, ssh -L tends to hang.) - sudo aptitude install openbsd-inetd @@ -209,20 +213,17 @@ Aptitude - Make sure the tunnel works: telnet localhost 1917 - 6. Configure postfix on the client server to relay emails through the tunnel + 6. Configure postfix on the smarthost to relay emails through the tunnel One quick-n-dirty example to try it out is: - /etc/postfix/main.cf - relay_domains = fri-epost.dyndns.org + relay_domains = fripost.org transport_maps = hash:/etc/postfix/transport - /etc/postfix/transport - hostname.org smtp:localhost:1917 + fripost.org smtp:localhost:1917 - sudo postmap hash:/etc/postfix/transport -# ssh tunnel to smarthost.com's SMTP server -127.0.0.1:smtp stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_key utumno@smarthost.com - ** Necessary stuff to fix for security @@ -236,6 +237,8 @@ Aptitude Also has tripwire-like capabilities. *** Some kind of IDS + + * NEED TO KNOW FOR SERVER ADMINS ** Use etckeeper -- cgit v1.2.3
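Review bot: "Definitons" in the added definitions block is misspelled; use "Definitions". The two definitions would also read better if they named the direction of the tunnel that the new section title implies (the smarthost opens the SSH connection to the IMAP server, and the IMAP server exposes only its local port 25 through it), because the bracketed remark added to step 1, "this should already be done on the IMAP server", otherwise reads as if the user is created somewhere other than the server the step names.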
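Review bot: step 3 still reads `echo "" | sudo tee .ssh/authorized_keys2`, which writes an empty file; the pasted public key has to go between the quotes, and `tee` without `-a` overwrites any key already present, so either say "replace the empty string with the key" or show `tee -a`. Three smaller points in the same hunk: `authorized_keys` is the file sshd reads by default, `authorized_keys2` being a legacy fallback; `-l smtptunnel` in step 4 is redundant with `smtptunnel@example.com`; and the forced-command options (`command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding`) would be tighter with `no-pty` added, since the key's only job is to reach port 25.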
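Review bot: the removed line `127.0.0.1:smtp stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/tunnel_key utumno@smarthost.com` was the only place in the diff showing how inetd spawns ssh, and its `utumno@smarthost.com` no longer matched the `smtptunnel` user and IMAP-server host set up in steps 3 and 4. Unless the lines between the previous hunk and this one already carry a current inetd.conf entry, step 5 should show the corrected one that binds local port 1917 (the port step 6 relays to and `telnet localhost 1917` checks) to `ssh -q -T -i /root/.ssh/tunnel_key smtptunnel@<imap-server>` instead of just dropping the example; it is also worth stating that inetd runs that ssh as root, which is why the key lives under /root/.ssh.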
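Review bot: the new top-level heading `* NEED TO KNOW FOR SERVER ADMINS` is empty and unrelated to the tunnel instructions the commit message describes, and because it is inserted ahead of `** Use etckeeper`, that section and everything after it are re-parented from the current section's outline to the new empty heading. If that restructuring is intended, mention it in the message or split it into its own commit; if not, drop the heading from this change or move it to the end of the file.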