1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
|
# -*- mode: org-mode; truncate-lines: nil -*-
#+TITLE: Systems documentation
#+AUTHOR: Fripost -- the Free E-mail Association
#+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association
#+KEYWORDS:
#+LANGUAGE: en
#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
#+LINK_UP:
#+LINK_HOME:
#+XSLT:
#+DRAWERS: HIDDEN STATE PROPERTIES CONTENT
#+STARTUP: indent
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts. A copy of the license is included in a
separate file called "COPYING".
This is the documentation of the server configuration used by the free e-mail
association, given here to provide a transparent system.
Debian GNU/Linux squeeze is the current target system. We might keep some notes
for lenny for some time yet since there might still be servers that have not
been upgraded.
The complete documentation is the actual configuration files on the servers.
This document intends to give a general idea of the setup and be of help if we
need to recreate a crashed server. Also, if an administrator goes AWOL, it
should be easy to pick up where he left of.
The steps taken here will not necessarily give a perfect replica of our systems.
We are constantly (yes, constantly) working on improving the security and
reliability of our systems. We do not think of security as a shoot and forget
sort of thing but instead as an ongoing effort. Thus, while we strive to
document all configuration that we consider stable enough, the documentation may
sometimes lag behind.
We do not believe in security through obscurity. This means we are aiming
instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some
information below might have been changed to inconvenience a potential
attacker. Beware and take according measures.
We welcome all criticism, suggestions for improvements, additions etc. Please
send them to skangas@skangas.se.
* Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server
** Basic installation instructions
- Use expert install to maximize fun.
- Preferably, only install the "Standard system utilities" and "SSH Server" tasks.
- Make sure to answer "yes" to shadow passwords and MD5.
- Do disable the root account.
** Install etckeeper
Install etckeeper immediately after install, to start tracking /etc.
** Uninstall a bunch of unnecessary packages
sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
doc-linux-text iamerican ibritish iswedish ispell laptop-detect nfs-common \
openbsd-inetd portmap tasksel tasksel-data w3m wbritish
** Packages to install
*** Administrative
sudo aptitude install emacs23-nox harden-servers logcheck molly-guard ntp \
ntpdate openssh-server rsync screen syslog-summary sudo unattended-upgrades
# If the system is on a dynamic IP (e.g. using DHCP):
sudo aptitude install resolvconf
# NB: harden-clients conflicts with telnet, which as we know is very handy
# during configuration. Therefore, only optionally:
sudo aptitude install harden-clients
** Use GNU Emacs as the default editor
# NOTE: Emacs will be the default on all Fripost systems. If you prefer
# something else, use the EDITOR environment variable.
sudo update-alternatives --config editor
** Configure sudo
# If you disabled root account during installation, the default account is
# already in the sudo group. Otherwise, follow these steps:
sudo adduser myuser sudo
sudo EDITOR="emacs" visudo
%sudo ALL= (ALL) ALL
** Configure sshd
Make sure your private key is in ~/.ssh/authorized_keys2
:: /etc/ssh/sshd_config
# Add relevant users here
AllowUsers xx yy zz
# Change these settings
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
sudo /etc/init.d/ssh restart
# Without closing the current connection, try to connect to the server,
# verifying that you can still connect.
** Forward root email
:: /etc/aliases
root: admin@fripost.org
** Configure logcheck
sudo aptitude install logcheck syslog-summary
:: /etc/logcheck/logcheck.conf
INTRO=0
SENDMAILTO="admin@fripost.org"
:: /etc/logcheck/ignore.d.server/local
# XXX: not always necessary?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed, type '(restart|lightweight)'\.$
# XXX: necessary with squeeze?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
# not necessary with squeeze
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
# not necessary with squeeze
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
# ddclient
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: FAILED: updating [,._[:alnum:]-]+: Could not connect to dns.loopia.se/xdyndnsserver/xdyndns.php.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: TIMEOUT: dns.loopia.se after 120 seconds$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: Bad hostname 'dns.loopia.se'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: connect: Connection timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: Timeout IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$
** Configuring aptitude and friends
# We are going to automatically install many security updates using the package
# "unattended-upgrades". Automated upgrades are in general not a very good
# idea, but "unattended-upgrades" takes steps to mitigate the problems with this
# approach. Given the Debian security teams track record in recent years we
# believe the positives outweigh the negatives.
#
# For the situations when unattended-upgrades fails (e.g. when there are
# configuration changes), there is an e-mail sent to the administrator.
#
:: /etc/apt/apt.conf
APT
{
// Configuration for /etc/cron.daily/apt
Periodic
{
// Do "apt-get update" automatically every n-days (0=disable)
Update-Package-Lists "1";
// Do "apt-get autoclean" every n-days (0=disable)
AutocleanInterval "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script every n days
Unattended-Upgrade "1";
}
};
Aptitude
{
UI
{
Autoclean-After-Update: true;
Auto-Fix-Broken: false;
Keep-Recommends: true;
Recommends-Important: true;
Description-Visible-By-Default: false;
HelpBar false;
Menubar-Autohide true;
Purge-Unused: true;
Prompt-On-Exit false;
}
}
# Using Debian squeeze:
:: /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "admin@fripost.org";
** Configure ddclient
:: /etc/ddclient.conf
### Not reproduced here due to containing sensitive information
:: /etc/default/ddclient
run_daemon="true"
* Next Steps
** Configuring the backup solution
*** Bacula configuration
*** Simple rsync solution
General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]]. This is just a basic setup for now, will need to be
changed to rsnapshot or perhaps something even more sophisticated like bacula.
1. Install rsync
- sudo aptitude install rsync
2. Create a key on the backup computer:
- sudo mkdir /root/.ssh/backup_key
- sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key
- cat /root/.ssh/backup_key.pub
3. Create a user on the computer that will be backed up
- sudo adduser --disabled-password remupd
- add the public key from above to ~remupd/.ssh/authorized_keys2
prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding
- sudo EDITOR="emacs" visudo
Cmnd_Alias RSYNCDIST=/usr/bin/rsync
remupd ALL=NOPASSWD:RSYNCDIST
4. Test the key from the backup computer:
- ssh -i ~/.ssh/backup_key -l remupd example.com
5. Create a script on the backup computer to automatically backup
6. Add script to crontab
** Configuring the e-mail servers
*** Introduction
**** Overview
We will be using one main mail storage server, accessible by users via IMAP.
This server should be referred to as the main `IMAP server'. We will have two or
more mail gateways that will relay e-mail to the main server over secure
connections. These are called `smarthosts'.
Credentials are managed by a LDAP server. For the users to be able to
authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will
use the so called "authenticate binds": services simply forward the login
information of the user to the LDAP server, that in turn hashes the password and
checks wheter it maches the stored copy; if it does, the LDAP server answers back
the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif .
This way, if the IMAP or SMTP server is compromised, the attacker will NOT have
access to all credentials. Of course the LDAP server should only be listening to
the machines hosting these services and ideally, should not be directly facing the
internet.
[TODO: Replace the MySQL database by an LDAP tree.]
The main server will also be responsible for keeping all users in an MySQL
database that will be replicated using MySQL.
**** Definitions
IMAP server = the main storage server
LDAP server = the server that stores users credentials and various other informations.
smarthost = the server receiving email from the internet (configured as MX)
outgoing SMTP = a SMTP server that can relay mails of authenticated users (via SASL).
*** Configuring an SSH tunnel between two hosts
# Definitions:
# originating host = the host that will be connecting
# destination host = the host that runs some service
# Begin by setting a few environment variables:
TUNNEL_KEY_FILE="my_tunnel_key"
TUNNEL_USER="tunneluser"
TUNNEL_HOME="/home/$TUNNEL_USER"
DEST_PORT="25"
ORIGIN_PORT="1917"
**** Prepare origin
1. Create a key on the originating host:
sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub
**** Prepare destination
2a. Install necessary software on the destination host:
sudo aptitude install netcat-openbsd
2b. Create a new user on the destination host:
sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
$TUNNEL_USER
echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
# Note: We need bash, so we can not change the shell to something else.
2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config.
sudo /etc/init.d/ssh restart
# make sure the host is still reachable
2d. Add the public key from above to this user:
THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above
sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2
**** Set up the tunnel
3. Test the key on the originating host:
sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com
# Comment: You should be greeted by e.g.:
# 220 mistral.fripost.org ESMTP Postfix (Debian/GNU)
4. Configure openbsd-inetd on the originating host:
# Comment: We use inetd instead of ssh -L because, among other things, ssh
# -L tends to hang.
sudo aptitude install openbsd-inetd
:: /etc/inetd.conf
127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
sudo service openbsd-inetd restart
You should now be able to connect through the tunnel from the originating
host using something like:
telnet localhost $ORIGIN_PORT
*** Installing MySQL
- sudo apt-get install mysql-server
- generate a long (25 characters) password for the mysql root user
- /etc/mysql/my.cnf: skip-innodb
*** MySQL on the main IMAP server
**** Overview
We will use four tables `alias', `domain', `log' and `mailbox'.
***** mysql> show tables;
+----------------+
| Tables_in_mail |
+----------------+
| alias |
| domain |
| log |
| mailbox |
+----------------+
4 rows in set (0.00 sec)
***** mysql> describe alias;
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| address | varchar(255) | NO | PRI | | |
| goto | text | NO | | NULL | |
| domain | varchar(255) | NO | | | |
| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
6 rows in set (0.00 sec)
***** mysql> describe domain;
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| domain | varchar(255) | NO | PRI | | |
| description | varchar(255) | NO | | | |
| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
5 rows in set (0.00 sec)
***** mysql> describe log;
+-------+-------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------+-------------+------+-----+-------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| user | varchar(20) | NO | | | |
| event | text | NO | | NULL | |
| date | timestamp | NO | | CURRENT_TIMESTAMP | |
+-------+-------------+------+-----+-------------------+----------------+
4 rows in set (0.00 sec)
***** mysql> describe mailbox;
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| username | varchar(255) | NO | PRI | | |
| password | varchar(255) | NO | | | |
| name | varchar(255) | NO | | | |
| maildir | varchar(255) | NO | | | |
| domain | varchar(255) | NO | | | |
| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
8 rows in set (0.00 sec)
**** Steps to produce it
mysql -u root -p
create database mail;
sudo mysql -u root -p --database=mail
FIXME: Not 100 % up to date
:HIDDEN:
DROP TABLE IF EXISTS `alias`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `alias` (
`address` varchar(255) NOT NULL default '',
`goto` text NOT NULL,
`domain` varchar(255) NOT NULL default '',
`create_date` datetime NOT NULL default '0000-00-00 00:00:00',
`change_date` datetime NOT NULL default '0000-00-00 00:00:00',
`active` tinyint(4) NOT NULL default '1',
PRIMARY KEY (`address`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps';
SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS `domain`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `domain` (
`domain` varchar(255) NOT NULL default '',
`description` varchar(255) NOT NULL default '',
`create_date` datetime NOT NULL default '0000-00-00 00:00:00',
`change_date` datetime NOT NULL default '0000-00-00 00:00:00',
`active` tinyint(4) NOT NULL default '1',
PRIMARY KEY (`domain`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps';
SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS `log`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `log` (
`id` int(11) NOT NULL auto_increment,
`user` varchar(20) NOT NULL default '',
`event` text NOT NULL,
`date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table';
SET character_set_client = @saved_cs_client;
DROP TABLE IF EXISTS `mailbox`;
SET @saved_cs_client = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `mailbox` (
`username` varchar(255) NOT NULL default '',
`password` varchar(255) NOT NULL default '',
`name` varchar(255) NOT NULL default '',
`maildir` varchar(255) NOT NULL default '',
`domain` varchar(255) NOT NULL default '',
`create_date` datetime NOT NULL default '0000-00-00 00:00:00',
`change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
`active` tinyint(4) NOT NULL default '1',
PRIMARY KEY (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps';
SET character_set_client = @saved_cs_client;
:END:
mysql -u root -p
# Create triggers
use mail;
DELIMITER $$
CREATE TRIGGER alias_set_created_on_insert before insert on alias
for each row begin set new.create_date = current_timestamp; end$$
CREATE TRIGGER domain_set_created_on_insert before insert on domain
for each row begin set new.create_date = current_timestamp; end$$
CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox
for each row begin set new.create_date = current_timestamp; end$$
DELIMITER ;
# Create mail user
CREATE USER 'mail'@'localhost' IDENTIFIED BY '<password>';
GRANT SELECT ON mail.alias TO 'mail'@'localhost';
GRANT SELECT ON mail.domain TO 'mail'@'localhost';
GRANT SELECT ON mail.mailbox TO 'mail'@'localhost';
*** Configuring the MySQL replication
***** Overview
[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]
We will use MySQL replication to keep the MySQL user data on the smarthosts
in sync with the data held on the main IMAP server.
These instructions are mainly adapted from the MySQL manual.
***** Configure the master
:: /etc/mysql/my.cnf:
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
binlog_do_db = mail
sudo service mysql restart
# Enter MySQL shell and create a user with replication privileges.
# NB: Use only ASCII for the <password>
mysql -u root -p
GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
FLUSH PRIVILEGES;
***** Configure the slave
****** Set up an SSH tunnel
We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]].
****** Preparing steps to take on master
# Make a database dump.
mysql -u root -p
USE mail;
FLUSH TABLES WITH READ LOCK;
quit;
mysqldump -u root -p --opt mail > mydump.sql
# Now, transfer this file to the slave. After you have transferred the file,
# delete all copies except the one on the slave.
# Save the output of the SHOW MASTER STATUS COMMAND.
mysql -u root -p
SHOW MASTER STATUS;
unlock tables;
quit;
****** Slave configuration
# Create a new temporary directory.
# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage.
TMP_DIR=/var/lib/mysql/tmp
sudo mkdir $TMP_DIR
sudo chown mysql:mysql $TMP_DIR
sudo chmod 0750 $TMP_DIR
:: /etc/mysql/my.cnf
tmpdir = /var/lib/mysql/tmp
# Note that the server-id must be different on all hosts
server-id = 2
relay-log = mysqld-relay-bin
sudo service mysql restart
# Enter the MySQL shell and create the database:
mysql -u root -p
CREATE DATABASE mail;
quit;
mysql -u root -p --database=mail < mydump.sql
# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
# NOTE: fill in these values using output from SHOW MASTER STATUS; above
# NOTE: filling this in my.cnf is deprecated
mysql -u root -p
SLAVE STOP;
CHANGE MASTER TO
MASTER_HOST='127.0.0.1',
MASTER_PORT=1949,
MASTER_USER='slave_user',
MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;
START SLAVE;
show slave status\G
# If it seems OK, just:
quit;
*** Configuring the LDAP server
On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf'
(by default, but may completely igore it in the future), but the
`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online
tutorials are describing methods using `/etc/ldap/slapd.conf'.
[Note: This has been written by a LDAP noob. It should probably be
rewritten/compressed in a couple of months. /Guilhem, 2012-04-03.]
**** Install packages
Here is a basic installation tutorial for Debian Squeeze:
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
sudo apt-get install slapd ldap-utils
If it does not prompt for your domain, admin password, etc., run
`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:
Omit OpenLDAP server configuration? No
DNS domain name: fripost.org
Organization name: Fripost
Administrator password: *********
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
We do not want to listen all the Internet: in `/etc/default/slapd', change
`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
UNIX sockets, specify
SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///"
(This should be enough if the connection from the IMAP/SMTP services are
wrapped into SSH or SSL/TLS tunnels.)
(Note: Unless specified, connections through the sockets bind with the users
permissions, hence regular users may not be able to explore the tree.)
We can check the configuration with
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
and modify a .ldif file with
ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
**** Fripost's schema
We base our schema on qmail's (http://dhits.nl/download/qmail.new.schema) and
Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
o=mailHosting, dc=fripost, dc=org
|- ou=managers
| |- cn=admin1
| | userPassword: xxxxxx
| `- cn=admin2
|
|- ou=services
| `- cn=SMTP
| userPassword: xxxxxx
|
`- ou=virtual
|- dc=fripost.org
| isActive: TRUE
| |- mailTarget=user1@fripost.org
| | mailLocalAddress: user1-alias
| | isActive: TRUE
| |- uid=user1
| | userPassword: xxxxxx
| | isActive: TRUE
| |
| `- uid=user2
|
`- dc=example.org
owner: uid=user1,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
`- mailTarget=user1@fripost.org
| mailLocalAddress: user1
| isActive: TRUE
|
`- mailTarget=user1-alias@fripost.org
:: /etc/ldap/fripost/fripost.ldif
dn: cn=mail.fripost.org,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mail.fripost.org
olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'quota'
DESC 'The quota on a mailbox e.g., "50MB".'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )
olcAttributetypes: ( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'isActive'
DESC 'Is the leaf active?'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailTarget'
DESC 'The target of e-mail virtual aliases.'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.1 NAME 'virtualDomain'
SUP top STRUCTURAL
DESC 'Virtual Domains.'
MUST ( dc $ isActive )
MAY ( owner $ description ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualAliases'
SUP top STRUCTURAL
DESC 'Virtual Aliases.'
MUST ( mailTarget $ isActive )
MAY ( mailLocalAddress ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.3 NAME 'virtualMailbox'
SUP top STRUCTURAL
DESC 'Virtual Mailboxes.'
MUST ( uid $ userPassword $ isActive )
MAY ( gn $ sn $ quota ) )
Note: For the meaning of the sequences of digits above, grep the output of
`ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"'
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
don't matter)
We can now add it to the schema list:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/fripost.ldif
(A [dirty] way to delete the schema is to remove the coresponding file in
`/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.)
Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'),
you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the
following:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'.
It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html)
and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
[TODO: that's just ugly. Find a better way.]
***** Add custom indexes
The default indexes below are not enough for our purpose, since we will heavily
be looking for e.g., the `uid' attribute.
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: objectClass eq
:: /etc/ldap/fripost/indexes.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# Needed for the replicates.
add: olcDbIndex
olcDbIndex: entryUUID eq
-
delete: olcDbIndex
olcDbIndex: objectClass eq
-
add: olcDbIndex
olcDbIndex: objectClass pres,eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq,sub
-
add: olcDbIndex
olcDbIndex: uid eq,sub
-
add: olcDbIndex
olcDbIndex: mailTarget,mailLocalAddress eq
-
add: olcDbIndex
olcDbIndex: isActive eq
-
add: olcDbIndex
olcDbIndex: owner eq
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: entryUUID eq
olcDbIndex: objectClass pres,eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: mailTarget,mailLocalAddress eq
olcDbIndex: isActive eq
olcDbIndex: owner eq
Note: We can add indexes on a populated database, but then we need to reindex the tree:
sudo /etc/init.d/slapd stop
sudo -u openldap slapindex
sudo /etc/init.d/slapd start
***** Restrict the access
The default ACL is not restrictive enough for our purpose.
Note: The ACLs are evaluated in order, hence the more specific rules should come
first.
We are using the so-called "Sets" to let the users manage their domain themselves.
See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual
http://www.openldap.org/doc/admin24/access-control.html for details.
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
[...]
:: /etc/ldap/fripost/acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
# Service passwords are only writable (hence readable) by the admins.
# Anonymous services are only allowed to bind.
add: olcAccess
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by self read
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by anonymous auth
-
# User passwords are only writable (hence readable) by the admins and the
# user him/herself. Anonymous users are only allowed to bind.
add: olcAccess
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by self write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by anonymous auth
-
# User names are only writable (hence readable) by the admins and the user
# him/herself.
add: olcAccess
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn
by self write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-
# Users are allowed to manage (create/delete/toggle activation) the
# the domains they own.
add: olcAccess
olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
by set.expand="[$2]/owner & user" write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by * break
-
# Admins have writing rights on the branch. Authenticated users can read
# their entry. The SMTP and SASLauthd servervices can read entries on the
# branch (but not the passwords). Others can only search.
add: olcAccess
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org"
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by self read
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
by * search
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
:: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read by * search
olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {6}to dn.base="" by * read
olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
[...]
Note: Users are allowed to manage their domain, but an admin is needed to add a domain to the
tree. A possibility to avoid that with a web-form is to send a mail to the postmaster@example.org
(or even to the mail that appears in the WHOIS) with a confirmation hash. That would simply require
a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/entry. (And probably a
"semi-admin" with only these rights.)
**** Create the base tree
:: /etc/ldap/fripost/base.ldif
dn: o=mailHosting,dc=fripost,dc=org
objectClass: organization
description: Mail hosting
dn: ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: Virtual Hosting
dn: ou=managers,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: Postmasters
dn: ou=services,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: E-mail services
ldapadd -xWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
To delete a leaf (`-r' to delete the whole sub-tree):
ldapdelete -r -xWD cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
**** Populate the tree
:: /tmp/populate.ldif
dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}xxxxxx
dn: cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}xxxxxx
dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
isActive: TRUE
dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: TRUE
dn: dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
owner: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=virtual,o=mailHosting,dc=fripost, dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
isActive: TRUE
mailLocalAddress: user
mailLocalAddress: user-alias
dn: uid=user2,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: FALSE
dn: mailTarget=user@fripost.org,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
mailLocalAddress: user-alias
isActive: TRUE
ldapadd -xWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
input, so there's no need to write on disk. The salted SHA-1 can be created with
e.g., `slappasswd -h "{SSHA}"'.
**** Check the SASL binds (authentication)
`slapacl' is an helpful tool to debugs the ACLS. For instance, to check what are
the rights of user@fripost.org on the domain example.org, we can run:
slapacl -b 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
We can also check ACLs with concrete examples:
ldapwhoami -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
should return the whole dn:
"uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
**** Check the ACL
***** Admin
`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should
ldapsearch -xWD "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
and
ldapsearch -xWD "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
***** Anonymous user
`ldapsearch -x -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.
***** Services
ldapsearch -xWD "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should not disclose the passwords.
***** Self
ldapsearch -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should return all the information for this very user, but not e.g., the password of the other users.
The user should be able to change his/her password, and aliases in his/her own domain:
:: /tmp/usermod.ldif
dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
changetype: modify
replace: userPassword
userPassword: xxxxxx
dn: mailTarget=user@fripost.org,dc=example.org,ou=domain,o=mailHosting,dc=fripost,dc=org
changetype: modify
add: mailLocalAddress
mailLocalAddress: user-alias2@example.org
ldapmodify -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -f /tmp/usermod.ldif
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
[Note: If the task is merely to change the password, there is also `ldappasswd'.]
We now ensure that the leaf has been updated:
:: slapcat -s "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
[...]
userPassword:: aG9w
entryCSN: 20120404215647.957317Z#000000#000#000000
modifiersName: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
modifyTimestamp: 20120404215647Z
On other modifications, for instance of `maildir', `ldapmodify'
should refuse with `Insufficient access (50)'.
**** Partial replication on the MXs
In case the LDAP goes down, we partly (e.g., we omit the passwords) replicate the LDAP
tree on the MXs.
Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
***** Installation
Cf. installation of the master LDAP server.
(We also need to install fripost's schema and indexes.)
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).
Following LDAP's terminology, the master server is also called "production",
and the slave is known as "consumer".
***** Using syncprov (on the master)
We first need to load the module `syncprov.la'.
:: /etc/ldap/fripost/modules.ldif
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif
The master can now define itself as the provider.
:: /etc/ldap/fripost/syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# contextCSN saved to database every 50 updates or 5 minutes
olcSpCheckpoint: 50 5
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
***** Using syncrepl (on the slave)
:: /etc/ldap/fripost/syncrepl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=000
provider=ldap://127.0.0.1:3890
type=refreshAndPersist
retry="5 5 300 +"
searchbase="o=mailHosting,dc=fripost,dc=org"
attrs="*,+"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials="xxxxxx"
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
(Since we in our case we have several slaves, we may want to increment the
rid.)
*** Configuring the main IMAP server
**** Install packages
sudo aptitude install postfix postfix-ldap
**** /etc/postfix/main.cf
TODO: add file contents
**** Setting up the MDA
# squeeze has dovecot-1.2. upgrade notes:
# - we might want to upgrade to their sieve (instead of cmusieve)
# - we want to add the -s flag to deliver in master.cf
***** Installing
sudo aptitude install dovecot-imapd
***** Configuring
:: /etc/dovecot/dovecot.conf
protocol lda {
# Address to use when sending rejection mails.
postmaster_address = postmaster@fripost.org
# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
hostname = imap.fripost.org
# Support for dynamically loadable plugins. mail_plugins is a space separated
# list of plugins to load.
#mail_plugins =
#mail_plugin_dir = /usr/lib/dovecot/modules/lda
# Binary to use for sending mails.
sendmail_path = /usr/lib/sendmail
# UNIX socket path to master authentication server to find users.
auth_socket_path = /var/run/dovecot/auth-master
# Enabling Sieve plugin for server-side mail filtering
mail_plugins = cmusieve
}
[...]
## dovecot-lda specific settings
##
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = xxx # User running Dovecot LDA
#group = mail # Or alternatively mode 0660 + LDA user in this group
}
}
:: /etc/postfix/master.cf
dovecot unix - n n - - pipe
flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n
:: /etc/postfix/main.cf
virtual_mailbox_domains = ldap:$config_directory/ldap/ldap_virtual_mailbox_domains.cf
virtual_mailbox_maps = ldap:$config_directory/ldap/ldap_virtual_mailbox_maps.cf
virtual_alias_maps = ldap:$config_directory/ldap/ldap_virtual_alias_maps.cf
[...]
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
http://wiki.dovecot.org/LDA/Postfix
http://www.tehinterweb.co.uk/roundcube/#pisieverules
On the MX's, the slave (a partial replicate of the main LDAP server server)
may only listen on a UNIX socket in Postfix's chroot jail; To specify that,
in `/etc/default/slapd', change `SLAPD_SERVICES' to
SLAPD_SERVICES="ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/????x-mod=0777"
Note that in the configuration files below, the `server_host' is relative
to Postfix's jail, hence one should drop the prefix "%2Fvar%2Fspool%2Fpostfix".
On the other hand, to test the files with `postmap' one has to put back
the prefix.
TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL bind on
the socket with the EXTERNAL mechanism, which leads to a flood of warnings
"connection_read(XX): no connection!" in the syslog. One can also reproduce the
flood with
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
instead of
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
(The first one performs a simple bind and does not unbind properly, while
the second one is safe and performs a SASL bind with the EXTERNAL mechanism.)
TODO: With Postfix 2.8, one could do [Not tested]
bind = sasl
sasl_mechs = EXTERNAL
See also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223
http://www.openldap.org/lists/openldap-software/200811/msg00078.html
:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
result_attribute = dc
Test it:
postmap -q fripost.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
postmap -q example.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
postmap -q fake.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
:: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
version = 3
search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
result_attribute = uid
Test it:
postmap -q user@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
postmap -q fake@fake.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
:: /etc/postfix/ldap/ldap_virtual_alias_maps.cf
#server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = one
bind = yes
bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
result_attribute = mailTarget
Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
**** Test delivery
sudo mkdir -p /home/mail/virtual/fripost.org/
mysql -u root -p
INSERT INTO mailbox (username,password,name,maildir,domain)
VALUES ('exempel@fripost.org','test666','Exempelanvändare','fripost.org/exempel/Maildir/','fripost.org');
sudo /etc/init.d/postfix restart
echo "test at `date`"|mail -s "test" exempel@fripostorg
**** Configuring dovecot
sudo aptitude install dovecot-imapd
:: /etc/dovecot/dovecot.conf
# Note: These settings are already in the file but commented out or set to other
# values.
:HIDDEN:
protocols = imaps
protocol imap {
ssl_listen = *:993
}
disable_plaintext_auth = yes
mail_location = maildir:/home/mail/virtual/%d/%u/Maildir
# Set this to something that works for the Maildirs
first_valid_uid = XXX
first_valid_gid = XXX
# Allow clients to be fancy if they want to
mechanisms = plain cram-md5
#passdb pam <--- comment this stuff out
# uncomment this stuff
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
#userdb passwd <--- comment this stuff out
# uncomment this stuff
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
# Do not needlessly run as root
user = nobody
:END:
:: /etc/dovecot/dovecot-sql.conf
:HIDDEN:
driver = mysql
connect = host=127.0.0.1 port=3306 user=XXX password=XXX dbname=mail
# Salted MD5
default_pass_scheme = SMD5
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND domain = '%d'
# replace XXX with relevant numbers for the system
user_query = SELECT concat('/home/mail/virtual/',maildir) AS mail, XXX AS uid, XXX AS gid FROM mailbox WHERE username = '%u' AND domain = '%d'
:END:
sudo /etc/init.d/dovecot restart
# Provided there is a user, you should now be able to login using any IMAP
# client.
**** Making sure the services are not started at boot [might not be needed]
sudo update-rc.d -n dovecot stop 2 3 4 5 .
sudo update-rc.d -n postfix stop 2 3 4 5 .
**** Use LDAP authenticate binds, and LDAP user queries.
[TODO: The following handle the dialog the LDAP server. It should replace
the MySQL bits above.]
Instead of making a SQL query to fetch the (hashed) passwords, which implies to
expose all credentials to Dovecot, an other approach is to forward the login
information to our LDAP server, that will match it against the hashed copy contained
in its database. This way if your IMAP server is compromised, the attacker will not
have access to all the e-mails and user credentials.
Documentation:
http://wiki2.dovecot.org/HowTo/DovecotOpenLdap
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
hosts = localhost
ldap_version = 3
auth_bind = yes
auth_bind_userdn = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
base = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
deref = never
scope = base
pass_attrs = uid=user
pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))
(And the TLS-related lines in case we are not using a tunnel.)
We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}"
blocks, and uncomment
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
# and
userdb static {
args = uid=115 gid=8 home=/home/mail/virtual/%d/%n/ allow_all_users=yes
}
We are not making use of the User Database (to ensure that Dovecot's `deliver' checks
that the recipient exists) here, since `deliver' should only be called by Postfix which
takes care of that (cf. `ldap_virtual_mailbox_maps.cf'). Hence the `allow_all_users=yes'
above.
*** Configuring a new smarthost to relay e-mail to the main IMAP server
**** Overview
We relay mail from our smarthosts to the main IMAP server.
This is to avoid having a single poin of failure and to separate concerns. The
IMAP server then only needs to deal with authenticated clients and the
smarthosts.
**** Prerequisites
Before this can work we must make sure that:
- the MySQL replication is working
- there is an SSH tunnel for the smtp
If they are both setup, we can configure postfix on the smarthost to relay
emails through the tunnel.
**** Configuration files
TODO: add the necessary configuration files
*** Configuring the outgoing SMTP
We will offer a SMTP relay for authenticated users (via SASL).
**** Install packages
sudo apt-get install sasl2-bin libsasl2-modules-ldap
(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
test our installation.)
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
this machine actually speaks to the master).
**** Configure saslauthd
:: /etc/default/saslauthd
[...]
START=yes
MECHANISMS=ldap
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
[...]
(Note: The socket has to be in Postfix's chroot jail.)
:: /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1:3890/
ldap_version: 3
ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
ldap_bind_pw: xxxxxx
ldap_auth_method: bind
ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
ldap_scope: base
We need to bind to `cn=SASLauth,...' here, because SASLauthd performs the search
before binding to the user (unlike Dovecot). Hence it needs to have read access
on the user's entry (except his/her password, of course).
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication:
testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
(The password cannot be prompted, so you may want to create a dummy user.)
**** Configure Postfix
If everything goes through, it is now time to modify Postfix's main.cf:
(Documentation: http://www.postfix.org/SASL_README.htm)
:: /etc/postfix/main.cf
[...]
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = fripost.org
# TODO:add sasl exceptions for our other clients
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
[...]
[...]
Finally, we can add the submission service to our master.cf, with customized policy:
:: /etc/postfix/master.cf
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
[...]
We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
is enough actually.)
**** Test it
[Note: if you test it from localhost, you have to uset smtpd_sasl_exceptions_networks
first.]
First, we ensured that encrypted conections are required.
:: telnet localhost 25
[...]
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
What the user type is here emphasized and prefixed with a `*'
:: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
[...]
Verify return code: 0 (ok)
---
250 DSN
* EHLO localhost
[...]
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
* AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
235 2.7.0 Authentication successful
* mail from:<user@fripost.org>
250 2.1.0 Ok
* rcpt to:<user@fripost.org>
250 2.1.5 Ok
* DATA
354 End data with <CR><LF>.<CR><LF>
* Subject: test
* \o/
* .
250 2.0.0 Ok: queued as 3D7767B4BD
Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's,
credentials, in our case login "user@fripost.org" and password "user", which
can be obtained by the command
echo -ne '\000user@fripost.org\000user' | openssl base64
**** Anonymize the senders
If RoudCube automatically anonymize the sender (by simply shortening the
trace), it's not the case (by default) for SquirrelMail, or when clients
connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want
to obfuscate, to prevent the recicipient and/or the intermediate SMTP relays
to track the sender.
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id C9DAB841F4
for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 8onAXWOvImDh for <recipient@example.org>;
Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from webmail.fripost.org (localhost [IPv6:::1])
by fripost.org (Postfix) with ESMTP id 3ADAB8243D
for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
Received: from 192.168.1.5
(SquirrelMail authenticated user username)
by webmail.fripost.org with HTTP;
Thu, 22 Mar 2012 16:27:56 +0100
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id 2D1098243D
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Hr2J-eRTN0jI for <recipient@example.org>;
Thu, 22 Mar 2012 16:36:35 +0100 (CET)
Received: from client.example.org (client.example.org [192.168.1.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "client.example.org", Issuer "example.org" (not verified))
by machine.org (Postfix) with ESMTPS id DA22981B95
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET)
Received: (nullmailer pid 5057 invoked by uid 0);
Thu, 22 Mar 2012 15:36:34 -0000
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id DBAFE816BB
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: from fripost.org ([127.0.0.1])
by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Upen4QhYpKf4 for <recipient@example.org>;
Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: from client.example.org (client.example.org [192.168.1.5])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "", Issuer "" (not verified))
(Authenticated sender: username)
by fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
(The first one was sent using a SquirrelMail; The second using ESMTPS;
And the third using ESMTPSA).
If we are to hide the sender, we could simply clean the trace (like
RoundCube does) when the mail leaves the server. However, some aggressive
mailfilters may reject the mail since the trace is incomplete (if RoundCube
hides the history I guess it doesnt' happen that often, but who knows...).
Another option would be to clean the trace and to simply add a fake field
to pretend that the mail is sent from localhost by the user nobody:
Received: by fripost.org (Postfix, from userid 65535)
id 2C537816BB; Thu, 22 Mar 2012 14:08:45 +0100 (CET)
This possible by adding "smtp_header_checks = regexp:$config_directory/smtp_header_checks"
in the Postfix's main.cf, with a suitable file "smtp_header_check" in the Postfix
configuration directory.
Yet an other option is not to hide the trace, but rather forge it to
pretend that the ESMTP/... connections are all coming from localhost.
This way we are not hiding the fact that a client has logged in using a
valid certificate, and in case of an SMTP relay, the early part of the
trace (before it entered our Postfix sever) remains unchanged. For
example, the early part of the third trace would become:
Received: from localhost (localhost [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "", Issuer "" (not verified))
(Authenticated sender: username)
by fripost.org (Postfix) with ESMTPSA id 40284804F5
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
Received: by client.example.org (Postfix, from userid 1000)
id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)
(the other field remaining unchanged). This is also made possible by
smtp_header_checks. In that case, the corresponding file would contain
the following rexep, forging the header by pretending that the client
has EHLO'ed from localhost:
/^Received:\s+from (\S+)\s+\(\S+\s+\S+\)(.*\sby fripost\.org \(Postfix\)\s+with E?SMTP(S|A|SA)\W.*)$/
REPLACE Received: from localhost (localhost [127.0.0.1])${2}
You can try out the regexp using "postmap -h -q - regexp:smtp_header_checks < email"
(where `email' may also be a bunch of traces).
DISCLAIMER: The regexp probably needs tests (especially for multiple hops,
in case of relaying SMTPs). Also, note that the hostname of the client has
NOT been obfuscated in the above trace (and that will break the relaying path
if the client has a routable hostname that doesn't point to the SMTP server!).
However, this line has been added by the client itself, so it's his/her
responsability to masquerade it I suppose. In the same way, the CN and Issuer
of the client's certificate may help to track him/her down. Maybe we should
forge these as well?
** Configuring the webserver
sudo apt-get install apache2
sudo a2enmod ssl rewrite
:: /etc/apache2/ports.conf
<IfModule mod_ssl.c>
NameVirtualHost *:443
</IfModule>
:: /etc/apache2/conf.d/security
ServerTokens Prod
*** Roundcube
**** Installing roundcube
# Add the backports repository first, to make sure we're running a somewhat more
# current version than the one currently in stable.
:: /etc/apt/sources.list
deb http://backports.debian.org/debian-backports squeeze-backports main
sudo apt-get install roundcube
:: /etc/php5/apache2/php.ini
log_errors = Off
post_max_size = 25M
upload_max_filesize = 25M
tmp_dir = FIXME
:: /etc/roundcube/main.inc.php ## checked for roundcube 0.5.4+dfsg-1~bpo60+1
# Use caching
$rcmail_config['enable_caching'] = TRUE;
# fripost.org specific
$rcmail_config['force_https'] = TRUE;
$rcmail_config['default_host'] = 'ssl://imap.fripost.org';
$rcmail_config['imap_auth_type'] = 'plain';
$rcmail_config['username_domain'] = 'fripost.org';
# use IP for extra paranoia
$rcmail_config['ip_check'] = true;
# Locale settings
$rcmail_config['language'] = 'sv_SE';
$rcmail_config['date_long'] = 'Y-m-d.Y H:i';
$rcmail_config['product_name'] = 'Fripost';
# IMAP Folders (I guess these were changed for compatibility with SquirrelMail)
$rcmail_config['drafts_mbox'] = 'INBOX.Drafts';
$rcmail_config['junk_mbox'] = 'INBOX.Junk';
$rcmail_config['sent_mbox'] = 'INBOX.Sent';
$rcmail_config['default_imap_folders'] = array('INBOX', 'INBOX.Drafts', 'INBOX.Sent', 'INBOX.Junk', 'Trash');
$rcmail_config['create_default_folders'] = TRUE;
# timezone
$rcmail_config['timezone'] = 'CET';
# compose html formatted messages by default
$rcmail_config['htmleditor'] = TRUE;
**** Installing custom logo
wget https://fripost.org/images/logo2011_webmail.png
LOGO="logo2011_webmail.png"
sudo mv /var/lib/roundcube/skins/default/images/roundcube_logo.png /var/lib/roundcube/skins/default/images/roundcube_logo2.png
sudo mv $LOGO /var/lib/roundcube/skins/default/images/roundcube_logo.png
sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png
**** Adding a custom message on login page
Before this
: <roundcube:object name="preloader" images="
in
:: /usr/share/roundcube/skins/default/templates/login.html
<div style="margin: 20px;"/>
<div style="max-width: 45em; margin: 0px auto; border: dotted 3px red; padding:1em;">
<h3>Important message</h3>
<p align="left"><strong>Mon Feb 13 12:55:30 CET 2012</strong> </p>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing
elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra
arcu, sit amet pellentesque dui enim vitae ipsum.</p>
<p>J. Random Hacker</p>
</div>
**** Allow the users to change their password
We neet to install a plugin http://trac.roundcube.net/browser/trunk/roundcubemail/plugins/password ,
which you can find in:
:: apt-get install roundcube-plugins
Depends on PHP's LDAP library:
:: apt-get install php5-ldap
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the machine that hosts the webmail (i.e., ldap://127.0.0.1:3890
on this machine actually speaks to the master).
:: /etc/roundcube/plugins/password/config.inc.php
$rcmail_config['password_driver'] = 'ldap_simple';
$rcmail_config['password_confirm_current'] = true;
$rcmail_config['password_minimum_length'] = 8;
$rcmail_config['password_require_nonalpha'] = true;
$rcmail_config['password_log'] = false;
$rcmail_config['password_ldap_host'] = '127.0.0.1';
$rcmail_config['password_ldap_port'] = '3890';
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = '3';
$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
$rcmail_config['password_ldap_method'] = 'user';
$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
$rcmail_config['password_ldap_encodage'] = 'ssha';
$rcmail_config['password_ldap_pwattr'] = 'userPassword';
$rcmail_config['password_ldap_force_replace'] = true;
*** ikiwiki
- sudo apt-get install ikiwiki
- Add separate ikiwiki user
[[http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/][Link: Integration with ikiwiki]]
*** gitolite and gitweb
# Note: incomplete steps
sudo apt-get install gitolite
sudo dpkg-reconfigure gitolite
:: /var/lib/gitolite/.gitolite.rc
$REPO_UMASK = 0027; # gets you 'rwxr-x---'
# Add the repositories/users to gitolite
# This is mostly self-explanatory, but begin on your local workstation:
git clone gitolite@githost:gitolite-admin
cd gitolite-admin
... make edits
git push
# Push all repositories
cd myrepo
git push --all gitolite@githost:myrepo
git push --tags gitolite@githost:myrepo
# Add the gitweb user to gitolite
sudo apt-get install gitweb
sudo usermod -a -G gitolite www-data
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
# Add repositories to gitweb
sudo ln -s /var/lib/gitolite/repositories/myrepo.git /var/cache/git/myrepo.git
... etc
# Make sure one can checkout the repository via http
[[http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt][Git docs]]
sudo su gitolite
cd /var/lib/gitolite/repositories/myrepo.git
git update-server-info
mv hooks/post-update.sample hooks/post-update
:: /etc/apache2/sites-available/default
AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2
:: /usr/share/gitweb/indextext.html
För att klona ett av dessa träd, installera <a href="http:///">git</a> och kör:
<blockquote><code>git clone http://git.fripost.org/pub/</code> + projektets sökväg</blockquote>
<p>
För mer information om <a href="http://www.kernel.org/pub/software/scm/git/">git</a>, se en
<a href="http://git.or.cz/">överblick</a>, en
<a href="http://www.kernel.org/pub/software/scm/git/docs/gittutorial.html">tutorial</a>
eller
<a href="http://www.kernel.org/pub/software/scm/git/docs">manualsidorna</a>.
</p>
# Add a description of a repository for gitweb
echo "Mötesprotokoll" > fripost-meetings.git/description
** Logging
*** Overview
We want to limit how much we log for privacy reasons. At the same time we want
to be able to debug technical problems and detect intrusions.
For the webmail, we only log messages of priority warn or higher.
*** Configuration
:: /etc/rsyslog.conf
*.*;auth,authpriv.none;mail.err -/var/log/syslog
# NOTE: /var/log/mail.{err,warn} can be kept at the default
# values since they do not contain any sensitive information.
:: /etc/logrotate.d/rsyslog
/var/log/mail.log
/var/log/mail.info
{
rotate 3
daily
missingok
ifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
** Necessary stuff to fix for security
*** Bacula for backups
Also has tripwire-like capabilities.
*** OSSEC
*** Firewall rules
TODO: Add nice rules.
** Ideas for improved security
*** Monitoring
* Hardening
** Overview
The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security.
These are just some quick notes for easy access to the administrators.
** ntp
# Let's be overly paranoid... ;-)
:: /etc/ntp.conf
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+restrict default ignore
+restrict -6 default ignore
** rkhunter
sudo aptitude install rkhunter
sudo rkhunter -c --nomow --rwo
:: /etc/rkhunter.conf
MAIL-ON-WARNING=admin@fripost.org
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.gitignore
ALLOWHIDDENFILE=/etc/.etckeeper
# something like: (adapt port as needed)
INETD_ALLOWED_SVC=127.0.0.1:2000
# in case whitelisting is needed, use something like:
# (whitespace important)
APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "
:: /etc/default/rkhunter
REPORT_EMAIL="admin@fripost.org"
NICE="19"
# testing:
sudo rkhunter -c --nomow --rwo
* NEED TO KNOW FOR SERVER ADMINS
** Procedure for restarting mistral (the VPS)
1. There is one password which has to be provided at boot. This is given to our
VPS host provider via some insecure means of communication.
2. When the server is booted, this password is changed.
3. The partition on /home/mail is then mounted. A separate password is provided
for this.
4. Once the partition is mounted, dovecot and postfix may be started.
** Document your changes
The latest version of this document is always available at:
git clone http://git.fripost.org/pub/fripost-docs.git
To get commit access, contact admin@fripost.org with your request.
** Use etckeeper
We keep /etc in a git repository using the tool etckeeper. This makes it
possible to use standard git commands in /etc, e.g. `git log'. `etckeeper' has
the benefit of keeping track of file permissions, which git by itself will not.
Every time you make changes to any files in /etc, you are encouraged to commit
them using a descriptive commit message.
$ etckeeper commit "postfix: relay messages to remote hosts via smtp"
If you do not commit your changes, they will be automatically committed. This
is not ideal, since this means other administrators might have to guess as to
why changes were being made and by whom. Please try to avoid putting your
co-administrators in this uncomfortable position.
** Use Cluster SSH
This pretty much sums it up:
"ClusterSSH controls a number of xterm windows via a single graphical console
window to allow commands to be interactively run on multiple servers over an ssh
connection."
** Use fripost-tools
We have written some tools to make administration tasks easier. They can be
found at:
git clone git://github.com/skangas/fripost-tools.git
|