# -*- mode: org-mode; truncate-lines: nil -*- #+TITLE: Systems documentation #+AUTHOR: Fripost -- the Free E-mail Association #+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association #+KEYWORDS: #+LANGUAGE: en #+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t #+OPTIONS: TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc #+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js #+EXPORT_SELECT_TAGS: export #+EXPORT_EXCLUDE_TAGS: noexport #+LINK_UP: #+LINK_HOME: #+XSLT: #+DRAWERS: HIDDEN STATE PROPERTIES CONTENT #+STARTUP: indent Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts. A copy of the license is included in a separate file called "COPYING". This is the documentation of the server configuration used by the free e-mail association, given here to provide a transparent system. Debian GNU/Linux squeeze is the current target system. We might keep some notes for lenny for some time yet since there might still be servers that have not been upgraded. The complete documentation is the actual configuration files on the servers. This document intends to give a general idea of the setup and be of help if we need to recreate a crashed server. Also, if an administrator goes AWOL, it should be easy to pick up where he left of. The steps taken here will not necessarily give a perfect replica of our systems. We are constantly (yes, constantly) working on improving the security and reliability of our systems. We do not think of security as a shoot and forget sort of thing but instead as an ongoing effort. Thus, while we strive to document all configuration that we consider stable enough, the documentation may sometimes lag behind. We do not believe in security through obscurity. This means we are aiming instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some information below might have been changed to inconvenience a potential attacker. Beware and take according measures. We welcome all criticism, suggestions for improvements, additions etc. Please send them to skangas@skangas.se. * Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server ** Basic installation instructions - Use expert install to maximize fun. - Preferably, only install the "Standard system utilities" and "SSH Server" tasks. - Make sure to answer "yes" to shadow passwords and MD5. - Do disable the root account. ** Install etckeeper Install etckeeper immediately after install, to start tracking /etc. ** Uninstall a bunch of unnecessary packages sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \ doc-linux-text iamerican ibritish iswedish ispell laptop-detect nfs-common \ openbsd-inetd portmap tasksel tasksel-data w3m wbritish ** Packages to install *** Administrative sudo aptitude install emacs23-nox harden-servers logcheck molly-guard ntp \ ntpdate openssh-server rsync screen syslog-summary sudo unattended-upgrades # If the system is on a dynamic IP (e.g. using DHCP): sudo aptitude install resolvconf # NB: harden-clients conflicts with telnet, which as we know is very handy # during configuration. Therefore, only optionally: sudo aptitude install harden-clients ** Use GNU Emacs as the default editor # NOTE: Emacs will be the default on all Fripost systems. If you prefer # something else, use the EDITOR environment variable. sudo update-alternatives --config editor ** Configure sudo # If you disabled root account during installation, the default account is # already in the sudo group. Otherwise, follow these steps: sudo adduser myuser sudo sudo EDITOR="emacs" visudo %sudo ALL= (ALL) ALL ** Configure sshd Make sure your private key is in ~/.ssh/authorized_keys2 :: /etc/ssh/sshd_config # Add relevant users here AllowUsers xx yy zz # Change these settings PermitRootLogin no PasswordAuthentication no X11Forwarding no sudo /etc/init.d/ssh restart # Without closing the current connection, try to connect to the server, # verifying that you can still connect. ** Forward root email :: /etc/aliases root: admin@fripost.org ** Configure logcheck sudo aptitude install logcheck syslog-summary :: /etc/logcheck/logcheck.conf INTRO=0 SENDMAILTO="admin@fripost.org" :: /etc/logcheck/ignore.d.server/local # XXX: not always necessary? ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed, type '(restart|lightweight)'\.$ # XXX: necessary with squeeze? ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ # not necessary with squeeze ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ # not necessary with squeeze ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$ # ddclient ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: FAILED: updating [,._[:alnum:]-]+: Could not connect to dns.loopia.se/xdyndnsserver/xdyndns.php.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: TIMEOUT: dns.loopia.se after 120 seconds$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: Bad hostname 'dns.loopia.se'$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: connect: Connection timed out$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: Timeout IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$ ** Configuring aptitude and friends # We are going to automatically install many security updates using the package # "unattended-upgrades". Automated upgrades are in general not a very good # idea, but "unattended-upgrades" takes steps to mitigate the problems with this # approach. Given the Debian security teams track record in recent years we # believe the positives outweigh the negatives. # # For the situations when unattended-upgrades fails (e.g. when there are # configuration changes), there is an e-mail sent to the administrator. # :: /etc/apt/apt.conf APT { // Configuration for /etc/cron.daily/apt Periodic { // Do "apt-get update" automatically every n-days (0=disable) Update-Package-Lists "1"; // Do "apt-get autoclean" every n-days (0=disable) AutocleanInterval "1"; // Do "apt-get upgrade --download-only" every n-days (0=disable) Download-Upgradeable-Packages "1"; // Run the "unattended-upgrade" security upgrade script every n days Unattended-Upgrade "1"; } }; Aptitude { UI { Autoclean-After-Update: true; Auto-Fix-Broken: false; Keep-Recommends: true; Recommends-Important: true; Description-Visible-By-Default: false; HelpBar false; Menubar-Autohide true; Purge-Unused: true; Prompt-On-Exit false; } } # Using Debian squeeze: :: /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Mail "admin@fripost.org"; ** Configure ddclient :: /etc/ddclient.conf ### Not reproduced here due to containing sensitive information :: /etc/default/ddclient run_daemon="true" * Next Steps ** Configuring the backup solution *** Bacula configuration *** Simple rsync solution General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be changed to rsnapshot or perhaps something even more sophisticated like bacula. 1. Install rsync - sudo aptitude install rsync 2. Create a key on the backup computer: - sudo mkdir /root/.ssh/backup_key - sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key - cat /root/.ssh/backup_key.pub 3. Create a user on the computer that will be backed up - sudo adduser --disabled-password remupd - add the public key from above to ~remupd/.ssh/authorized_keys2 prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding - sudo EDITOR="emacs" visudo Cmnd_Alias RSYNCDIST=/usr/bin/rsync remupd ALL=NOPASSWD:RSYNCDIST 4. Test the key from the backup computer: - ssh -i ~/.ssh/backup_key -l remupd example.com 5. Create a script on the backup computer to automatically backup 6. Add script to crontab ** Configuring the e-mail servers *** Introduction **** Overview We will be using one main mail storage server, accessible by users via IMAP. This server should be referred to as the main `IMAP server'. We will have two or more mail gateways that will relay e-mail to the main server over secure connections. These are called `smarthosts'. The main server will also be responsible for keeping all users in an MySQL database that will be replicated using MySQL. **** Definitions IMAP server = the main storage server smarthost = the server receiving email from the internet (configured as MX) *** Configuring an SSH tunnel between two hosts # Definitions: # originating host = the host that will be connecting # destination host = the host that runs some service # Begin by setting a few environment variables: TUNNEL_KEY_FILE="my_tunnel_key" TUNNEL_USER="tunneluser" TUNNEL_HOME="/home/$TUNNEL_USER" DEST_PORT="25" ORIGIN_PORT="1917" **** Prepare origin 1. Create a key on the originating host: sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub **** Prepare destination 2a. Install necessary software on the destination host: sudo aptitude install netcat-openbsd 2b. Create a new user on the destination host: sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ --disabled-password $TUNNEL_USER echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile # Note: We need bash, so we can not change the shell to something else. 2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config. sudo /etc/init.d/ssh restart # make sure the host is still reachable 2d. Add the public key from above to this user: THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2 **** Set up the tunnel 3. Test the key on the originating host: sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com # Comment: You should be greeted by e.g.: # 220 mistral.fripost.org ESMTP Postfix (Debian/GNU) 4. Configure openbsd-inetd on the originating host: # Comment: We use inetd instead of ssh -L because, among other things, ssh # -L tends to hang. sudo aptitude install openbsd-inetd :: /etc/inetd.conf 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com sudo service openbsd-inetd restart You should now be able to connect through the tunnel from the originating host using something like: telnet localhost $ORIGIN_PORT *** Installing MySQL - sudo apt-get install mysql-server - generate a long (25 characters) password for the mysql root user - /etc/mysql/my.cnf: skip-innodb *** MySQL on the main IMAP server **** Overview We will use four tables `alias', `domain', `log' and `mailbox'. ***** mysql> show tables; +----------------+ | Tables_in_mail | +----------------+ | alias | | domain | | log | | mailbox | +----------------+ 4 rows in set (0.00 sec) ***** mysql> describe alias; +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ | address | varchar(255) | NO | PRI | | | | goto | text | NO | | NULL | | | domain | varchar(255) | NO | | | | | create_date | datetime | NO | | 0000-00-00 00:00:00 | | | change_date | timestamp | NO | | CURRENT_TIMESTAMP | | | active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 6 rows in set (0.00 sec) ***** mysql> describe domain; +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ | domain | varchar(255) | NO | PRI | | | | description | varchar(255) | NO | | | | | create_date | datetime | NO | | 0000-00-00 00:00:00 | | | change_date | timestamp | NO | | CURRENT_TIMESTAMP | | | active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 5 rows in set (0.00 sec) ***** mysql> describe log; +-------+-------------+------+-----+-------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +-------+-------------+------+-----+-------------------+----------------+ | id | int(11) | NO | PRI | NULL | auto_increment | | user | varchar(20) | NO | | | | | event | text | NO | | NULL | | | date | timestamp | NO | | CURRENT_TIMESTAMP | | +-------+-------------+------+-----+-------------------+----------------+ 4 rows in set (0.00 sec) ***** mysql> describe mailbox; +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ | username | varchar(255) | NO | PRI | | | | password | varchar(255) | NO | | | | | name | varchar(255) | NO | | | | | maildir | varchar(255) | NO | | | | | domain | varchar(255) | NO | | | | | create_date | datetime | NO | | 0000-00-00 00:00:00 | | | change_date | timestamp | NO | | CURRENT_TIMESTAMP | | | active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 8 rows in set (0.00 sec) **** Steps to produce it mysql -u root -p create database mail; sudo mysql -u root -p --database=mail FIXME: Not 100 % up to date :HIDDEN: DROP TABLE IF EXISTS `alias`; SET @saved_cs_client = @@character_set_client; SET character_set_client = utf8; CREATE TABLE `alias` ( `address` varchar(255) NOT NULL default '', `goto` text NOT NULL, `domain` varchar(255) NOT NULL default '', `create_date` datetime NOT NULL default '0000-00-00 00:00:00', `change_date` datetime NOT NULL default '0000-00-00 00:00:00', `active` tinyint(4) NOT NULL default '1', PRIMARY KEY (`address`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps'; SET character_set_client = @saved_cs_client; DROP TABLE IF EXISTS `domain`; SET @saved_cs_client = @@character_set_client; SET character_set_client = utf8; CREATE TABLE `domain` ( `domain` varchar(255) NOT NULL default '', `description` varchar(255) NOT NULL default '', `create_date` datetime NOT NULL default '0000-00-00 00:00:00', `change_date` datetime NOT NULL default '0000-00-00 00:00:00', `active` tinyint(4) NOT NULL default '1', PRIMARY KEY (`domain`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps'; SET character_set_client = @saved_cs_client; DROP TABLE IF EXISTS `log`; SET @saved_cs_client = @@character_set_client; SET character_set_client = utf8; CREATE TABLE `log` ( `id` int(11) NOT NULL auto_increment, `user` varchar(20) NOT NULL default '', `event` text NOT NULL, `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table'; SET character_set_client = @saved_cs_client; DROP TABLE IF EXISTS `mailbox`; SET @saved_cs_client = @@character_set_client; SET character_set_client = utf8; CREATE TABLE `mailbox` ( `username` varchar(255) NOT NULL default '', `password` varchar(255) NOT NULL default '', `name` varchar(255) NOT NULL default '', `maildir` varchar(255) NOT NULL default '', `domain` varchar(255) NOT NULL default '', `create_date` datetime NOT NULL default '0000-00-00 00:00:00', `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, `active` tinyint(4) NOT NULL default '1', PRIMARY KEY (`username`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps'; SET character_set_client = @saved_cs_client; :END: mysql -u root -p # Create triggers use mail; DELIMITER $$ CREATE TRIGGER alias_set_created_on_insert before insert on alias for each row begin set new.create_date = current_timestamp; end$$ CREATE TRIGGER domain_set_created_on_insert before insert on domain for each row begin set new.create_date = current_timestamp; end$$ CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox for each row begin set new.create_date = current_timestamp; end$$ DELIMITER ; # Create mail user CREATE USER 'mail'@'localhost' IDENTIFIED BY ''; GRANT SELECT ON mail.alias TO 'mail'@'localhost'; GRANT SELECT ON mail.domain TO 'mail'@'localhost'; GRANT SELECT ON mail.mailbox TO 'mail'@'localhost'; *** Configuring the MySQL replication ***** Overview [[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]] We will use MySQL replication to keep the MySQL user data on the smarthosts in sync with the data held on the main IMAP server. These instructions are mainly adapted from the MySQL manual. ***** Configure the master :: /etc/mysql/my.cnf: server-id = 1 log_bin = /var/log/mysql/mysql-bin.log expire_logs_days = 10 max_binlog_size = 100M binlog_do_db = mail sudo service mysql restart # Enter MySQL shell and create a user with replication privileges. # NB: Use only ASCII for the mysql -u root -p GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY ''; FLUSH PRIVILEGES; ***** Configure the slave ****** Set up an SSH tunnel We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]]. ****** Preparing steps to take on master # Make a database dump. mysql -u root -p USE mail; FLUSH TABLES WITH READ LOCK; quit; mysqldump -u root -p --opt mail > mydump.sql # Now, transfer this file to the slave. After you have transferred the file, # delete all copies except the one on the slave. # Save the output of the SHOW MASTER STATUS COMMAND. mysql -u root -p SHOW MASTER STATUS; unlock tables; quit; ****** Slave configuration # Create a new temporary directory. # NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage. TMP_DIR=/var/lib/mysql/tmp sudo mkdir $TMP_DIR sudo chown mysql:mysql $TMP_DIR sudo chmod 0750 $TMP_DIR :: /etc/mysql/my.cnf tmpdir = /var/lib/mysql/tmp # Note that the server-id must be different on all hosts server-id = 2 relay-log = mysqld-relay-bin sudo service mysql restart # Enter the MySQL shell and create the database: mysql -u root -p CREATE DATABASE mail; quit; mysql -u root -p --database=mail < mydump.sql # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]] # NOTE: fill in these values using output from SHOW MASTER STATUS; above # NOTE: filling this in my.cnf is deprecated mysql -u root -p SLAVE STOP; CHANGE MASTER TO MASTER_HOST='127.0.0.1', MASTER_PORT=1949, MASTER_USER='slave_user', MASTER_PASSWORD='', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98; START SLAVE; show slave status\G # If it seems OK, just: quit; *** Configuring the main IMAP server **** Install packages sudo aptitude install postfix postfix-mysql **** /etc/postfix/main.cf TODO: add file contents **** Setting up the MDA # squeeze has dovecot-1.2. upgrade notes: # - we might want to upgrade to their sieve (instead of cmusieve) # - we want to add the -s flag to deliver in master.cf ***** Installing sudo aptitude install dovecot-imapd ***** Configuring :: /etc/dovecot/dovecot.conf protocol lda { # Address to use when sending rejection mails. postmaster_address = postmaster@fripost.org # Hostname to use in various parts of sent mails, eg. in Message-Id. # Default is the system's real hostname. hostname = imap.fripost.org # Support for dynamically loadable plugins. mail_plugins is a space separated # list of plugins to load. #mail_plugins = #mail_plugin_dir = /usr/lib/dovecot/modules/lda # Binary to use for sending mails. sendmail_path = /usr/lib/sendmail # UNIX socket path to master authentication server to find users. auth_socket_path = /var/run/dovecot/auth-master # Enabling Sieve plugin for server-side mail filtering mail_plugins = cmusieve } [...] ## dovecot-lda specific settings ## socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 user = xxx # User running Dovecot LDA #group = mail # Or alternatively mode 0660 + LDA user in this group } } :: /etc/postfix/master.cf dovecot unix - n n - - pipe flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n :: /etc/postfix/main.cf virtual_transport = dovecot dovecot_destination_recipient_limit = 1 http://wiki.dovecot.org/LDA/Postfix http://www.tehinterweb.co.uk/roundcube/#pisieverules **** Test delivery sudo mkdir -p /home/mail/virtual/fripost.org/ mysql -u root -p INSERT INTO mailbox (username,password,name,maildir,domain) VALUES ('exempel@fripost.org','test666','Exempelanvändare','fripost.org/exempel/Maildir/','fripost.org'); sudo /etc/init.d/postfix restart echo "test at `date`"|mail -s "test" exempel@fripostorg **** Configuring dovecot sudo aptitude install dovecot-imapd :: /etc/dovecot/dovecot.conf # Note: These settings are already in the file but commented out or set to other # values. :HIDDEN: protocols = imaps protocol imap { ssl_listen = *:993 } disable_plaintext_auth = yes mail_location = maildir:/home/mail/virtual/%d/%u/Maildir # Set this to something that works for the Maildirs first_valid_uid = XXX first_valid_gid = XXX # Allow clients to be fancy if they want to mechanisms = plain cram-md5 #passdb pam <--- comment this stuff out # uncomment this stuff passdb sql { args = /etc/dovecot/dovecot-sql.conf } #userdb passwd <--- comment this stuff out # uncomment this stuff userdb sql { args = /etc/dovecot/dovecot-sql.conf } # Do not needlessly run as root user = nobody :END: :: /etc/dovecot/dovecot-sql.conf :HIDDEN: driver = mysql connect = host=127.0.0.1 port=3306 user=XXX password=XXX dbname=mail # Salted MD5 default_pass_scheme = SMD5 password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND domain = '%d' # replace XXX with relevant numbers for the system user_query = SELECT concat('/home/mail/virtual/',maildir) AS mail, XXX AS uid, XXX AS gid FROM mailbox WHERE username = '%u' AND domain = '%d' :END: sudo /etc/init.d/dovecot restart # Provided there is a user, you should now be able to login using any IMAP # client. **** Making sure the services are not started at boot [might not be needed] sudo update-rc.d -n dovecot stop 2 3 4 5 . sudo update-rc.d -n postfix stop 2 3 4 5 . *** Configuring a new smarthost to relay e-mail to the main IMAP server **** Overview We relay mail from our smarthosts to the main IMAP server. This is to avoid having a single poin of failure and to separate concerns. The IMAP server then only needs to deal with authenticated clients and the smarthosts. **** Prerequisites Before this can work we must make sure that: - the MySQL replication is working - there is an SSH tunnel for the smtp If they are both setup, we can configure postfix on the smarthost to relay emails through the tunnel. **** Configuration files TODO: add the necessary configuration files *** Configuring the outgoing SMTP **** Anonymize the senders If RoudCube automatically anonymize the sender (by simply shortening the trace), it's not the case (by default) for SquirrelMail, or when clients connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want to obfuscate, to prevent the recicipient and/or the intermediate SMTP relays to track the sender. Received: from localhost (machine.example.org [127.0.0.1]) by example.org (Postfix) with ESMTP id C9DAB841F4 for ; Thu, 22 Mar 2012 16:27:56 +0100 (CET) Received: from example.org ([127.0.0.1]) by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8onAXWOvImDh for ; Thu, 22 Mar 2012 16:27:56 +0100 (CET) Received: from webmail.example.org (localhost [IPv6:::1]) by example.org (Postfix) with ESMTP id 3ADAB8243D for ; Thu, 22 Mar 2012 16:27:56 +0100 (CET) Received: from 192.168.1.5 (SquirrelMail authenticated user guilhem) by webmail.example.org with HTTP; Thu, 22 Mar 2012 16:27:56 +0100 Received: from localhost (machine.example.org [127.0.0.1]) by example.org (Postfix) with ESMTP id 2D1098243D for ; Thu, 22 Mar 2012 16:36:36 +0100 (CET) Received: from example.org ([127.0.0.1]) by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hr2J-eRTN0jI for ; Thu, 22 Mar 2012 16:36:35 +0100 (CET) Received: from client.example.org (client.machine.org [192.168.1.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "client.machine.org", Issuer "machine.org" (not verified)) by machine.org (Postfix) with ESMTPS id DA22981B95 for ; Thu, 22 Mar 2012 16:36:35 +0100 (CET) Received: (nullmailer pid 5057 invoked by uid 0); Thu, 22 Mar 2012 15:36:34 -0000 Received: from localhost (machine.example.org [127.0.0.1]) by example.org (Postfix) with ESMTP id DBAFE816BB for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: from example.org ([127.0.0.1]) by localhost (machine.example.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Upen4QhYpKf4 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: from client.example.org (client.example.org [192.168.1.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "", Issuer "" (not verified)) (Authenticated sender: guilhem) by guilhem.org (Postfix) with ESMTPSA id 40284804F5 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: by machine@example.org (Postfix, from userid 1000) id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET) (The first one was sent using a SquirrelMail; The second using ESMTPS; And the third using ESMTPSA). If we are to hide the sender, we could simply clean the trace (like RoundCube does) when the mail leaves the server. However, some aggressive mailfilters may reject the mail since the trace is incomplete (if RoundCube hides the history I guess it doesnt' happen that often, but who knows...). Another option would be to clean the trace and to simply add a fake field to pretend that the mail is sent from localhost by the user nobody: Received: by example.org (Postfix, from userid 65535) id 2C537816BB; Thu, 22 Mar 2012 14:08:45 +0100 (CET) This possible by adding "smtp_header_checks = regexp:$config_directory/smtp_header_checks" in the main.cf, with a suitable file "smtp_header_check" in the Postfix configuration directory. Yetan other option is not to hide the trace, but rather forge it to pretend that the connections ESMTP/... are coming from localhost. This way we are not hiding the fast that a client has logged in using a valid certificate, and in case of an SMTP relay, the early part of the trace (before it entered our Postfix) remains unchanged. For example, the third trace would become: Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "", Issuer "" (not verified)) (Authenticated sender: guilhem) by example.org (Postfix) with ESMTPSA id 40284804F5 for ; Thu, 22 Mar 2012 14:48:01 +0100 (CET) Received: by client.example.org (Postfix, from userid 1000) id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET) (the other field remaining unchanged). This is also possible using smtp_header_checks. In that case, the corresponding file would contain the following rexep, forging the header by pretending that the sender has EHLO'ed from localhost: /^Received:\s+from (\S+)\s+\(\S+\s+\S+\)(.*\sby example\.org \(Postfix\)\s+with E?SMTP(S|A|SA)\W.*)$/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2} You can try out the regexp using "postmap -h -q - regexp:smtp_header_checks < email" (email can also be a bunch of traces). DISCLAIMER: The regexp probably needs tests (especially for multiple hops, in case of relaying SMTPs). Also, note that the hostname of the client has not been obfuscated in the above trace (and that will break the path if the client has a routable hostname that doesn't point to the SMTP server!). However, this line has been added by the client itself, so it's his/her responsability to masquerade it I suppose. In the same way, the CN and Issuer of the client's certificate may help to track him/her down. Maybe we should forge it as well? ** Configuring the webserver sudo apt-get install apache2 sudo a2enmod ssl rewrite :: /etc/apache2/ports.conf NameVirtualHost *:443 :: /etc/apache2/conf.d/security ServerTokens Prod *** Roundcube **** Installing roundcube # Add the backports repository first, to make sure we're running a somewhat more # current version than the one currently in stable. :: /etc/apt/sources.list deb http://backports.debian.org/debian-backports squeeze-backports main sudo apt-get install roundcube :: /etc/php5/apache2/php.ini log_errors = Off post_max_size = 25M upload_max_filesize = 25M tmp_dir = FIXME :: /etc/roundcube/main.inc.php ## checked for roundcube 0.5.4+dfsg-1~bpo60+1 # Use caching $rcmail_config['enable_caching'] = TRUE; # fripost.org specific $rcmail_config['force_https'] = TRUE; $rcmail_config['default_host'] = 'ssl://imap.fripost.org'; $rcmail_config['imap_auth_type'] = 'plain'; $rcmail_config['username_domain'] = 'fripost.org'; # use IP for extra paranoia $rcmail_config['ip_check'] = true; # Locale settings $rcmail_config['language'] = 'sv_SE'; $rcmail_config['date_long'] = 'Y-m-d.Y H:i'; $rcmail_config['product_name'] = 'Fripost'; # IMAP Folders (I guess these were changed for compatibility with SquirrelMail) $rcmail_config['drafts_mbox'] = 'INBOX.Drafts'; $rcmail_config['junk_mbox'] = 'INBOX.Junk'; $rcmail_config['sent_mbox'] = 'INBOX.Sent'; $rcmail_config['default_imap_folders'] = array('INBOX', 'INBOX.Drafts', 'INBOX.Sent', 'INBOX.Junk', 'Trash'); $rcmail_config['create_default_folders'] = TRUE; # timezone $rcmail_config['timezone'] = 'CET'; # compose html formatted messages by default $rcmail_config['htmleditor'] = TRUE; **** Installing custom logo wget https://fripost.org/images/logo2011_webmail.png LOGO="logo2011_webmail.png" sudo mv /var/lib/roundcube/skins/default/images/roundcube_logo.png /var/lib/roundcube/skins/default/images/roundcube_logo2.png sudo mv $LOGO /var/lib/roundcube/skins/default/images/roundcube_logo.png sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png **** Adding a custom message on login page Before this :

Important message

Mon Feb 13 12:55:30 CET 2012

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra arcu, sit amet pellentesque dui enim vitae ipsum.

J. Random Hacker

*** ikiwiki - sudo apt-get install ikiwiki - Add separate ikiwiki user [[http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/][Link: Integration with ikiwiki]] *** gitolite and gitweb # Note: incomplete steps sudo apt-get install gitolite sudo dpkg-reconfigure gitolite :: /var/lib/gitolite/.gitolite.rc $REPO_UMASK = 0027; # gets you 'rwxr-x---' # Add the repositories/users to gitolite # This is mostly self-explanatory, but begin on your local workstation: git clone gitolite@githost:gitolite-admin cd gitolite-admin ... make edits git push # Push all repositories cd myrepo git push --all gitolite@githost:myrepo git push --tags gitolite@githost:myrepo # Add the gitweb user to gitolite sudo apt-get install gitweb sudo usermod -a -G gitolite www-data sudo /etc/init.d/apache2 stop sudo /etc/init.d/apache2 start # Add repositories to gitweb sudo ln -s /var/lib/gitolite/repositories/myrepo.git /var/cache/git/myrepo.git ... etc # Make sure one can checkout the repository via http [[http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt][Git docs]] sudo su gitolite cd /var/lib/gitolite/repositories/myrepo.git git update-server-info mv hooks/post-update.sample hooks/post-update :: /etc/apache2/sites-available/default AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2 :: /usr/share/gitweb/indextext.html För att klona ett av dessa träd, installera git och kör:
git clone http://git.fripost.org/pub/ + projektets sökväg

För mer information om git, se en överblick, en tutorial eller manualsidorna.

# Add a description of a repository for gitweb echo "Mötesprotokoll" > fripost-meetings.git/description ** Logging *** Overview We want to limit how much we log for privacy reasons. At the same time we want to be able to debug technical problems and detect intrusions. For the webmail, we only log messages of priority warn or higher. *** Configuration :: /etc/rsyslog.conf *.*;auth,authpriv.none;mail.err -/var/log/syslog # NOTE: /var/log/mail.{err,warn} can be kept at the default # values since they do not contain any sensitive information. :: /etc/logrotate.d/rsyslog /var/log/mail.log /var/log/mail.info { rotate 3 daily missingok ifempty compress delaycompress sharedscripts postrotate invoke-rc.d rsyslog reload > /dev/null endscript } ** Necessary stuff to fix for security *** Bacula for backups Also has tripwire-like capabilities. *** OSSEC *** Firewall rules TODO: Add nice rules. ** Ideas for improved security *** Monitoring * Hardening ** Overview The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security. These are just some quick notes for easy access to the administrators. ** ntp # Let's be overly paranoid... ;-) :: /etc/ntp.conf -restrict -4 default kod notrap nomodify nopeer noquery -restrict -6 default kod notrap nomodify nopeer noquery +restrict default ignore +restrict -6 default ignore ** rkhunter sudo aptitude install rkhunter sudo rkhunter -c --nomow --rwo :: /etc/rkhunter.conf MAIL-ON-WARNING=admin@fripost.org ALLOWHIDDENDIR=/dev/.udev ALLOWHIDDENDIR=/dev/.initramfs ALLOWHIDDENDIR=/etc/.git ALLOWHIDDENFILE=/etc/.gitignore ALLOWHIDDENFILE=/etc/.etckeeper # something like: (adapt port as needed) INETD_ALLOWED_SVC=127.0.0.1:2000 # in case whitelisting is needed, use something like: # (whitespace important) APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 " :: /etc/default/rkhunter REPORT_EMAIL="admin@fripost.org" NICE="19" # testing: sudo rkhunter -c --nomow --rwo * NEED TO KNOW FOR SERVER ADMINS ** Procedure for restarting mistral (the VPS) 1. There is one password which has to be provided at boot. This is given to our VPS host provider via some insecure means of communication. 2. When the server is booted, this password is changed. 3. The partition on /home/mail is then mounted. A separate password is provided for this. 4. Once the partition is mounted, dovecot and postfix may be started. ** Document your changes The latest version of this document is always available at: git clone http://git.fripost.org/pub/fripost-docs.git To get commit access, contact admin@fripost.org with your request. ** Use etckeeper We keep /etc in a git repository using the tool etckeeper. This makes it possible to use standard git commands in /etc, e.g. `git log'. `etckeeper' has the benefit of keeping track of file permissions, which git by itself will not. Every time you make changes to any files in /etc, you are encouraged to commit them using a descriptive commit message. $ etckeeper commit "postfix: relay messages to remote hosts via smtp" If you do not commit your changes, they will be automatically committed. This is not ideal, since this means other administrators might have to guess as to why changes were being made and by whom. Please try to avoid putting your co-administrators in this uncomfortable position. ** Use Cluster SSH This pretty much sums it up: "ClusterSSH controls a number of xterm windows via a single graphical console window to allow commands to be interactively run on multiple servers over an ssh connection." ** Use fripost-tools We have written some tools to make administration tasks easier. They can be found at: git clone git://github.com/skangas/fripost-tools.git