path: root/fripost-docs.org

# -*- mode: org-mode; truncate-lines: nil -*-
#+TITLE: Systems documentation
#+AUTHOR: Fripost -- the Free E-mail Association
#+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association
#+KEYWORDS:
#+LANGUAGE:  en
#+OPTIONS:   H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS:   TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
#+LINK_UP:
#+LINK_HOME:
#+XSLT:
#+DRAWERS: HIDDEN STATE PROPERTIES CONTENT
#+STARTUP: indent

Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts.  A copy of the license is included in a
separate file called "COPYING".

This is the documentation of the server configuration used by the free e-mail
association, given here to provide a transparent system.

Debian GNU/Linux squeeze is the current target system. We might keep some notes
for lenny for some time yet since there might still be servers that have not
been upgraded.

The complete documentation is the actual configuration files on the servers.
This document intends to give a general idea of the setup and be of help if we
need to recreate a crashed server.  Also, if an administrator goes AWOL, it
should be easy to pick up where he left of.

The steps taken here will not necessarily give a perfect replica of our systems.
We are constantly (yes, constantly) working on improving the security and
reliability of our systems.  We do not think of security as a shoot and forget
sort of thing but instead as an ongoing effort.  Thus, while we strive to
document all configuration that we consider stable enough, the documentation may
sometimes lag behind.

We do not believe in security through obscurity. This means we are aiming
instead for a system that fulfills [[http://en.wikipedia.org/wiki/Kerckhoffs%27s_Principle][Kerckhoffs's Principle]]. However, some
information below might have been changed to inconvenience a potential
attacker. Beware and take according measures.

We welcome all criticism, suggestions for improvements, additions etc.  Please
send them to skangas@skangas.se.

* Basic Setup -- Checklist after having installed a new Debian GNU/Linux-server
** Basic installation instructions

- Use expert install to maximize fun.
- Preferably, only install the "Standard system utilities" and "SSH Server" tasks.
- Make sure to answer "yes" to shadow passwords and MD5.
- Do disable the root account.

** Install etckeeper

Install etckeeper immediately after install, to start tracking /etc.

** Uninstall a bunch of unnecessary packages

sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
doc-linux-text iamerican ibritish iswedish ispell laptop-detect nfs-common \
openbsd-inetd portmap tasksel tasksel-data w3m wbritish

** Packages to install
*** Administrative

sudo aptitude install emacs23-nox harden-servers logcheck molly-guard ntp \
ntpdate openssh-server rsync screen syslog-summary sudo unattended-upgrades

# If the system is on a dynamic IP (e.g. using DHCP):
sudo aptitude install resolvconf

# NB: harden-clients conflicts with telnet, which as we know is very handy
# during configuration.  Therefore, only optionally:
sudo aptitude install harden-clients

** Use GNU Emacs as the default editor

# NOTE: Emacs will be the default on all Fripost systems. If you prefer
# something else, use the EDITOR environment variable.

sudo update-alternatives --config editor

** Configure sudo

# If you disabled root account during installation, the default account is
# already in the sudo group.  Otherwise, follow these steps:

sudo adduser myuser sudo

sudo EDITOR="emacs" visudo

     %sudo ALL= (ALL) ALL

** Configure sshd

Make sure your private key is in ~/.ssh/authorized_keys2

:: /etc/ssh/sshd_config

    # Add relevant users here
    AllowUsers xx yy zz

    # Change these settings
    PermitRootLogin no
    PasswordAuthentication no
    X11Forwarding no

sudo /etc/init.d/ssh restart

# Without closing the current connection, try to connect to the server,
# verifying that you can still connect.

** Forward root email

:: /etc/aliases

    root: admin@fripost.org

** Configure logcheck

sudo aptitude install logcheck syslog-summary

:: /etc/logcheck/logcheck.conf

     INTRO=0
     SENDMAILTO="admin@fripost.org"

:: /etc/logcheck/ignore.d.server/local

# XXX: not always necessary?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed, type '(restart|lightweight)'\.$
# XXX: necessary with squeeze?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
# not necessary with squeeze
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
# not necessary with squeeze
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
# ddclient
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: FAILED:   updating [,._[:alnum:]-]+: Could not connect to dns.loopia.se/xdyndnsserver/xdyndns.php.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  TIMEOUT: dns.loopia.se after 120 seconds$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: Bad hostname 'dns.loopia.se'$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  cannot connect to dns.loopia.se:80 socket: IO::Socket::INET: connect: Connection timed out$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: SSL connect attempt failed with unknown errorerror:00000000:lib(0):func(0):reason(0) IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  cannot connect to dns.loopia.se:443 socket: IO::Socket::SSL: Timeout IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING:  updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: [.0-9]{7,15} interface [.0-9]{7,15} -> [.0-9]{7,15}$

** Configuring aptitude and friends

# We are going to automatically install many security updates using the package
# "unattended-upgrades".  Automated upgrades are in general not a very good
# idea, but "unattended-upgrades" takes steps to mitigate the problems with this
# approach.  Given the Debian security teams track record in recent years we
# believe the positives outweigh the negatives.
#
# For the situations when unattended-upgrades fails (e.g. when there are
# configuration changes), there is an e-mail sent to the administrator.
#

:: /etc/apt/apt.conf

    APT
    {
      // Configuration for /etc/cron.daily/apt
      Periodic
      {
         // Do "apt-get update" automatically every n-days (0=disable)
         Update-Package-Lists "1";
         // Do "apt-get autoclean" every n-days (0=disable)
         AutocleanInterval "1";
         // Do "apt-get upgrade --download-only" every n-days (0=disable)
         Download-Upgradeable-Packages "1";
         // Run the "unattended-upgrade" security upgrade script every n days
         Unattended-Upgrade "1";
      }
    };

    Aptitude
    {
      UI
      {
         Autoclean-After-Update:         true;
         Auto-Fix-Broken:                false;
         Keep-Recommends:                true;
         Recommends-Important:           true;
         Description-Visible-By-Default: false;
         HelpBar                         false;
         Menubar-Autohide                true;
         Purge-Unused:                   true;
         Prompt-On-Exit                  false;
      }
    }

# Using Debian squeeze:
:: /etc/apt/apt.conf.d/50unattended-upgrades

     Unattended-Upgrade::Mail "admin@fripost.org";

** Configure ddclient

:: /etc/ddclient.conf

### Not reproduced here due to containing sensitive information

:: /etc/default/ddclient

    run_daemon="true"


* Next Steps
** Configuring the backup solution

*** Bacula configuration

*** Simple rsync solution

General idea [[http://wikis.sun.com/display/BigAdmin/Using+rdist+rsync+with+sudo+for+remote+updating][from here]].  This is just a basic setup for now, will need to be
changed to rsnapshot or perhaps something even more sophisticated like bacula.

1. Install rsync
      - sudo aptitude install rsync
2. Create a key on the backup computer:
      - sudo mkdir /root/.ssh/backup_key
      - sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/backup_key
      - cat /root/.ssh/backup_key.pub
3. Create a user on the computer that will be backed up
      - sudo adduser --disabled-password remupd
      - add the public key from above to ~remupd/.ssh/authorized_keys2
        prefix with: no-X11-forwarding,no-agent-forwarding,no-port-forwarding
      - sudo EDITOR="emacs" visudo
        Cmnd_Alias      RSYNCDIST=/usr/bin/rsync
        remupd	ALL=NOPASSWD:RSYNCDIST
4. Test the key from the backup computer:
      - ssh -i ~/.ssh/backup_key -l remupd example.com
5. Create a script on the backup computer to automatically backup
6. Add script to crontab

** Configuring the e-mail servers
*** Introduction
**** Overview

We will be using one main mail storage server, accessible by users via IMAP.
This server should be referred to as the main `IMAP server'. We will have two or
more mail gateways that will relay e-mail to the main server over secure
connections.  These are called `smarthosts'.

Credentials are managed by a LDAP server. For the users to be able to
authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will
use the so called "authenticate binds": services simply forward the login
information of the user to the LDAP server, that in turn hashes the password and
checks wheter it maches the stored copy; if it does, the LDAP server answers back
the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif .
This way, if the IMAP or SMTP server is compromised, the attacker will NOT have
access to all credentials. Of course the LDAP server should only be listening to
the machines hosting these services and ideally, should not be directly facing the
internet.

[TODO: Replace the MySQL database by an LDAP tree.]

The main server will also be responsible for keeping all users in an MySQL
database that will be replicated using MySQL.

**** Definitions

IMAP server = the main storage server

LDAP server = the server that stores users credentials and various other informations.

smarthost = the server receiving email from the internet (configured as MX)

outgoing SMTP = a SMTP server that can relay mails of authenticated users (via SASL).

*** Configuring an SSH tunnel between two hosts

# Definitions:
# originating host = the host that will be connecting
# destination host = the host that runs some service

# Begin by setting a few environment variables:

TUNNEL_KEY_FILE="my_tunnel_key"
TUNNEL_USER="tunneluser"
TUNNEL_HOME="/home/$TUNNEL_USER"
DEST_PORT="25"
ORIGIN_PORT="1917"

**** Prepare origin

1. Create a key on the originating host:

   sudo ssh-keygen -N "" -b 4096 -f /root/.ssh/$TUNNEL_KEY_FILE
   sudo cat /root/.ssh/$TUNNEL_KEY_FILE.pub

**** Prepare destination

2a. Install necessary software on the destination host:

   sudo aptitude install netcat-openbsd

2b. Create a new user on the destination host:

   sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
                $TUNNEL_USER
   echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile

   # Note: We need bash, so we can not change the shell to something else.

2c. Add $TUNNEL_USER to AllowUsers in /etc/ssh/sshd_config.

    sudo /etc/init.d/ssh restart

    # make sure the host is still reachable

2d. Add the public key from above to this user:

   THE_PUBLIC_KEY="ssh-rsa xxxxxxxxxxx" # from above

      sudo -u $TUNNEL_USER mkdir -p $TUNNEL_HOME/.ssh
      echo "command=\"nc localhost $DEST_PORT\",no-X11-forwarding,no-agent-forwarding,no-port-forwarding $THE_PUBLIC_KEY" | sudo -u $TUNNEL_USER tee -a $TUNNEL_HOME/.ssh/authorized_keys2

**** Set up the tunnel

3. Test the key on the originating host:

   sudo ssh -v -l $TUNNEL_USER -i /root/.ssh/$TUNNEL_KEY_FILE destination.example.com

    # Comment: You should be greeted by e.g.:
    # 220 mistral.fripost.org ESMTP Postfix (Debian/GNU)

4. Configure openbsd-inetd on the originating host:

   # Comment: We use inetd instead of ssh -L because, among other things, ssh
   #          -L tends to hang.

   sudo aptitude install openbsd-inetd

   :: /etc/inetd.conf

       127.0.0.1:$ORIGIN_PORT  stream  tcp     nowait  root    /usr/bin/ssh    -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com

    sudo service openbsd-inetd restart

You should now be able to connect through the tunnel from the originating
host using something like:

telnet localhost $ORIGIN_PORT

*** Installing MySQL
     - sudo apt-get install mysql-server
     - generate a long (25 characters) password for the mysql root user
     - /etc/mysql/my.cnf: skip-innodb
*** MySQL on the main IMAP server
**** Overview

We will use four tables `alias', `domain', `log' and `mailbox'.

***** mysql> show tables;
+----------------+
| Tables_in_mail |
+----------------+
| alias          |
| domain         |
| log            |
| mailbox        |
+----------------+
4 rows in set (0.00 sec)

***** mysql> describe alias;
+-------------+--------------+------+-----+---------------------+-------+
| Field       | Type         | Null | Key | Default             | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| address     | varchar(255) | NO   | PRI |                     |       |
| goto        | text         | NO   |     | NULL                |       |
| domain      | varchar(255) | NO   |     |                     |       |
| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |
| active      | tinyint(4)   | NO   |     | 1                   |       |
+-------------+--------------+------+-----+---------------------+-------+
6 rows in set (0.00 sec)

***** mysql> describe domain;
+-------------+--------------+------+-----+---------------------+-------+
| Field       | Type         | Null | Key | Default             | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| domain      | varchar(255) | NO   | PRI |                     |       |
| description | varchar(255) | NO   |     |                     |       |
| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |
| active      | tinyint(4)   | NO   |     | 1                   |       |
+-------------+--------------+------+-----+---------------------+-------+
5 rows in set (0.00 sec)

***** mysql> describe log;
+-------+-------------+------+-----+-------------------+----------------+
| Field | Type        | Null | Key | Default           | Extra          |
+-------+-------------+------+-----+-------------------+----------------+
| id    | int(11)     | NO   | PRI | NULL              | auto_increment |
| user  | varchar(20) | NO   |     |                   |                |
| event | text        | NO   |     | NULL              |                |
| date  | timestamp   | NO   |     | CURRENT_TIMESTAMP |                |
+-------+-------------+------+-----+-------------------+----------------+
4 rows in set (0.00 sec)

***** mysql> describe mailbox;
+-------------+--------------+------+-----+---------------------+-------+
| Field       | Type         | Null | Key | Default             | Extra |
+-------------+--------------+------+-----+---------------------+-------+
| username    | varchar(255) | NO   | PRI |                     |       |
| password    | varchar(255) | NO   |     |                     |       |
| name        | varchar(255) | NO   |     |                     |       |
| maildir     | varchar(255) | NO   |     |                     |       |
| domain      | varchar(255) | NO   |     |                     |       |
| create_date | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| change_date | timestamp    | NO   |     | CURRENT_TIMESTAMP   |       |
| active      | tinyint(4)   | NO   |     | 1                   |       |
+-------------+--------------+------+-----+---------------------+-------+
8 rows in set (0.00 sec)

**** Steps to produce it
mysql -u root -p

   create database mail;

sudo mysql -u root -p --database=mail
FIXME: Not 100 % up to date
       :HIDDEN:
DROP TABLE IF EXISTS `alias`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `alias` (
  `address` varchar(255) NOT NULL default '',
  `goto` text NOT NULL,
  `domain` varchar(255) NOT NULL default '',
  `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
  `change_date` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(4) NOT NULL default '1',
  PRIMARY KEY  (`address`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Aliases - mysql_virtual_\nalias_maps';
SET character_set_client = @saved_cs_client;

DROP TABLE IF EXISTS `domain`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `domain` (
  `domain` varchar(255) NOT NULL default '',
  `description` varchar(255) NOT NULL default '',
  `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
  `change_date` datetime NOT NULL default '0000-00-00 00:00:00',
  `active` tinyint(4) NOT NULL default '1',
  PRIMARY KEY  (`domain`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Domains - mysql_virtual_\ndomains_maps';
SET character_set_client = @saved_cs_client;

DROP TABLE IF EXISTS `log`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `log` (
  `id` int(11) NOT NULL auto_increment,
  `user` varchar(20) NOT NULL default '',
  `event` text NOT NULL,
  `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=106 DEFAULT CHARSET=utf8 COMMENT='log table';
SET character_set_client = @saved_cs_client;

DROP TABLE IF EXISTS `mailbox`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `mailbox` (
  `username` varchar(255) NOT NULL default '',
  `password` varchar(255) NOT NULL default '',
  `name` varchar(255) NOT NULL default '',
  `maildir` varchar(255) NOT NULL default '',
  `domain` varchar(255) NOT NULL default '',
  `create_date` datetime NOT NULL default '0000-00-00 00:00:00',
  `change_date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  `active` tinyint(4) NOT NULL default '1',
  PRIMARY KEY  (`username`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='Virtual Mailboxes - mysql_virtua\nl_mailbox_maps';
SET character_set_client = @saved_cs_client;
        :END:

mysql -u root -p

# Create triggers

       use mail;

       DELIMITER $$
       CREATE TRIGGER alias_set_created_on_insert before insert on alias
         for each row begin set new.create_date = current_timestamp; end$$
       CREATE TRIGGER domain_set_created_on_insert before insert on domain
         for each row begin set new.create_date = current_timestamp; end$$
       CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox
         for each row begin set new.create_date = current_timestamp; end$$
       DELIMITER ;

# Create mail user

       CREATE USER 'mail'@'localhost' IDENTIFIED BY '<password>';
       GRANT SELECT ON mail.alias   TO 'mail'@'localhost';
       GRANT SELECT ON mail.domain  TO 'mail'@'localhost';
       GRANT SELECT ON mail.mailbox TO 'mail'@'localhost';

*** Configuring the MySQL replication
***** Overview
[[http://dev.mysql.com/doc/refman/5.0/en/replication.html][MySQL 5.0 Reference Manual :: 16 Replication]]

We will use MySQL replication to keep the MySQL user data on the smarthosts
in sync with the data held on the main IMAP server.

These instructions are mainly adapted from the MySQL manual.

***** Configure the master

 :: /etc/mysql/my.cnf:

    server-id		= 1
    log_bin		= /var/log/mysql/mysql-bin.log
    expire_logs_days	= 10
    max_binlog_size	= 100M
    binlog_do_db	= mail

sudo service mysql restart

# Enter MySQL shell and create a user with replication privileges.
# NB: Use only ASCII for the <password>
mysql -u root -p

    GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
    FLUSH PRIVILEGES;

***** Configure the slave
****** Set up an SSH tunnel

We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]].

****** Preparing steps to take on master

# Make a database dump.

mysql -u root -p

    USE mail;
    FLUSH TABLES WITH READ LOCK;
    quit;

mysqldump -u root -p --opt mail > mydump.sql

# Now, transfer this file to the slave.  After you have transferred the file,
# delete all copies except the one on the slave.

# Save the output of the SHOW MASTER STATUS COMMAND.
mysql -u root -p

    SHOW MASTER STATUS;
    unlock tables;
    quit;

****** Slave configuration

# Create a new temporary directory.
# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage.

TMP_DIR=/var/lib/mysql/tmp
sudo mkdir $TMP_DIR
sudo chown mysql:mysql $TMP_DIR
sudo chmod 0750 $TMP_DIR

 :: /etc/mysql/my.cnf

    tmpdir		= /var/lib/mysql/tmp
    # Note that the server-id must be different on all hosts
    server-id		= 2
    relay-log		= mysqld-relay-bin

sudo service mysql restart

# Enter the MySQL shell and create the database:

mysql -u root -p

    CREATE DATABASE mail;
    quit;

mysql -u root -p --database=mail < mydump.sql

# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
# NOTE: fill in these values using output from SHOW MASTER STATUS; above
# NOTE: filling this in my.cnf is deprecated

mysql -u root -p

    SLAVE STOP;

    CHANGE MASTER TO
    MASTER_HOST='127.0.0.1',
    MASTER_PORT=1949,
    MASTER_USER='slave_user',
    MASTER_PASSWORD='<password>', MASTER_LOG_FILE='mysql-bin.000013', MASTER_LOG_POS=98;

    START SLAVE;
    show slave status\G

# If it seems OK, just:

    quit;

*** Configuring the LDAP server

On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf'
(by default, but may completely igore it in the future), but the
`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online
tutorials are describing methods using `/etc/ldap/slapd.conf'.

[Note: This has been written by a LDAP noob. It should probably be
rewritten/compressed in a couple of months. /Guilhem, 2012-04-03.]

**** Install packages

Here is a basic installation tutorial for Debian Squeeze:
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php

sudo apt-get install slapd ldap-utils

If it does not prompt for your domain, admin password, etc., run
`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:

Omit OpenLDAP server configuration?                             No
DNS domain name:                                                fripost.org
Organization name:                                              Fripost
Administrator password:                                         *********
Database backend to use:                                        HDB
Do you want the database to be removed when slapd is purged?    No
Move old database?                                              Yes
Allow LDAPv2 protocol?                                          No


We do not want to listen all the Internet: in `/etc/default/slapd', change
`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
UNIX sockets, specify

SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///"

(This should be enough if the connection from the IMAP/SMTP services are
wrapped into SSH or SSL/TLS tunnels.)

(Note: Unless specified, connections through the sockets bind with the users
permissions, hence regular users may not be able to explore the tree.)

We can check the configuration with

  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

and modify a .ldif file with

  ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"

**** Fripost's schema

We base our schema on qmail's (http://dhits.nl/download/qmail.new.schema) and
Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).

  o=mailHosting, dc=fripost, dc=org
    |- ou=managers
    |   |- cn=admin1
    |   |   userPassword: xxxxxx
    |   `- cn=admin2
    |
    |- ou=services
    |   `- cn=SMTP
    |       userPassword: xxxxxx
    |
    `- ou=domains
        |- dc=fripost.org
        |   isActive: TRUE
        |   |- mailTarget=user1@fripost.org
        |   |    mailLocalAddress: user1-alias
        |   |    isActive: TRUE
        |   |- uid=user1
        |   |    userPassword: xxxxxx
        |   |    isActive: TRUE
        |   |
        |   `- uid=user2
        |
        `- dc=example.org
             owner: uid=user1,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
             isActive: TRUE
             `- mailTarget=user1@fripost.org
             |    mailLocalAddress: user1
             |    isActive: TRUE
             |
             `- mailTarget=user1-alias@fripost.org
     
     

  :: /etc/ldap/fripost/fripost.ldif

    dn: cn=mail.fripost.org,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: mail.fripost.org
    olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'quota'
        DESC 'The quota on a mailbox e.g., "50MB".'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )
    olcAttributetypes: ( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'isActive'
        DESC 'Is the leaf active?'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailTarget'
        DESC 'The target of e-mail virtual aliases.'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.1 NAME 'virtualDomain'
        SUP top STRUCTURAL
        DESC 'Virtual Domains.'
        MUST ( dc $ isActive )
        MAY ( owner $ description ) )
    olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualAliases'
        SUP top STRUCTURAL
        DESC 'Virtual Aliases.'
        MUST ( mailTarget $ isActive )
        MAY ( mailLocalAddress ) )
    olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.3 NAME 'virtualMailbox'
        SUP top STRUCTURAL
        DESC 'Virtual Mailboxes.'
        MUST ( uid $ userPassword $ isActive )
        MAY ( gn $ sn $ quota ) )


Note: For the meaning of the sequences of digits above, grep the output of
`ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"'
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
don't matter)

We can now add it to the schema list:

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/fripost.ldif

(A [dirty] way to delete the schema is to remove the coresponding file in
`/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.)


Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'),
you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the
following:

    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/misc.schema

and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'.
It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html)
and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
[TODO: that's just ugly. Find a better way.]


***** Add custom indexes

The default indexes below are not enough for our purpose, since we will heavily
be looking for e.g., the `uid' attribute.

 :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
    [...]
    olcDbIndex: objectClass eq


 :: /etc/ldap/fripost/indexes.ldif

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    # Needed for the replicates.
    add: olcDbIndex
    olcDbIndex: entryUUID eq
    -
    delete: olcDbIndex
    olcDbIndex: objectClass eq
    -
    add: olcDbIndex
    olcDbIndex: objectClass pres,eq
    -
    add: olcDbIndex
    olcDbIndex: cn eq
    -
    add: olcDbIndex
    olcDbIndex: ou eq
    -
    add: olcDbIndex
    olcDbIndex: dc eq,sub
    -
    add: olcDbIndex
    olcDbIndex: uid eq,sub
    -
    add: olcDbIndex
    olcDbIndex: mailTarget,mailLocalAddress eq
    -
    add: olcDbIndex
    olcDbIndex: isActive eq
    -
    add: olcDbIndex
    olcDbIndex: owner eq

ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif


 :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
    [...]
    olcDbIndex: entryUUID eq
    olcDbIndex: objectClass pres,eq
    olcDbIndex: cn eq
    olcDbIndex: ou eq
    olcDbIndex: dc eq,sub
    olcDbIndex: uid eq,sub
    olcDbIndex: mailTarget,mailLocalAddress eq
    olcDbIndex: isActive eq
    olcDbIndex: owner eq


Note: We can add indexes on a populated database, but then we need to reindex the tree:

    sudo /etc/init.d/slapd stop
    sudo -u openldap slapindex
    sudo /etc/init.d/slapd start

***** Restrict the access

The default ACL is not restrictive enough for our purpose.
Note: The ACLs are evaluated in order, hence the more specific rules should come
first.
We are using the so-called "Sets" to let the users manage their domain themselves.
See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual
http://www.openldap.org/doc/admin24/access-control.html for details.

 :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
    [...]
    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
    [...]


 :: /etc/ldap/fripost/acl.ldif

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    # Service passwords are only writable (hence readable) by the admins.
    # Anonymous services are only allowed to bind.
    add: olcAccess
    olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
            attrs=userPassword
        by self read
        by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
        by anonymous auth
    -
    # User passwords are only writable (hence readable) by the admins and the
    # user him/herself. Anonymous users are only allowed to bind.
    add: olcAccess
    olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org"
            attrs=userPassword
        by self write
        by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
        by anonymous auth
    -
    # User names are only writable (hence readable) by the admins and the user
    # him/herself.
    add: olcAccess
    olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn
        by self write
        by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
    -
    # Users are allowed to manage (create/delete/toggle activation) the
    # the domains they own.
    add: olcAccess
    olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$"
        by set.expand="[$2]/owner & user" write
        by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
        by * break
    -
    # Admins have writing rights on the branch. Authenticated users can read
    # their entry. The SMTP and SASLauthd servervices can read entries on the
    # branch (but not the passwords). Other cannot access the branch.
    add: olcAccess
    olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org"
        by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
        by self read
        by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
        by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read

ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif


 :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
    [...]
    olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write   by anonymous auth
    olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
    olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
    olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
    olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
    olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
    olcAccess: {6}to dn.base="" by * read
    olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
    [...]

Note: Users are allowed to manage their domain, but an admin is needed to add a domain to the
tree. A possibility to avoid that with a web-form is to send a mail to the postmaster@example.org
(or even to the mail that appears in the WHOIS) with a confirmation hash. That would simply require
a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/entry. (And probably a
"semi-admin" with only these rights.)

**** Create the base tree

 :: /etc/ldap/fripost/base.ldif

    dn: o=mailHosting,dc=fripost,dc=org
    objectClass: organization
    description: Mail hosting

    dn: ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: organizationalUnit
    description: Virtual Hosting

    dn: ou=managers,o=mailHosting,dc=fripost,dc=org
    objectClass: organizationalUnit
    description: Postmasters

    dn: ou=services,o=mailHosting,dc=fripost,dc=org
    objectClass: organizationalUnit
    description: E-mail services

ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif


To delete a leaf (`-r' to delete the whole sub-tree):
    ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -W

**** Populate the tree

 :: /tmp/populate.ldif

    dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    userPassword: {SSHA}xxxxxx

    dn: cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    userPassword: {SSHA}xxxxxx

    dn: dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: virtualDomain
    isActive: TRUE

    dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: virtualMailbox
    gn: First Name
    sn: Last Name
    userPassword: {SSHA}xxxxxx
    isActive: TRUE

    dn: dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: virtualDomain
    owner: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    isActive: TRUE

    dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=domains,o=mailHosting,dc=fripost,  dc=org
    objectClass: inetLocalMailRecipient
    objectClass: virtualAliases
    isActive: TRUE
    mailLocalAddress: user
    mailLocalAddress: user-alias

    dn: uid=user2,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: virtualMailbox
    gn: First Name
    sn: Last Name
    userPassword: {SSHA}xxxxxx
    isActive: FALSE

    dn: mailTarget=user@fripost.org,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    objectClass: inetLocalMailRecipient
    objectClass: virtualAliases
    mailLocalAddress: user-alias
    isActive: TRUE

ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif


Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
input, so there's no need to write on disk. The salted SHA-1 can be created with
e.g., `slappasswd -h "{SSHA}"'.

**** Check the SASL binds (authentication)

`slapacl' is an helpful tool to debugs the ACLS. For instance, to check what are
the rights of user@fripost.org on the domain example.org, we can run:
  slapacl -b 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org'

We can also check ACLs with concrete examples:

ldapwhoami -xD "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W

should return the whole dn:

"uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"

**** Check the ACL

***** Admin

`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should

    ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W

and

    ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W

***** Anonymous user

`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.

***** Services

ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W

should not disclose the passwords.

***** Self

ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W

should return all the information for this very user, but not e.g., the password of the other users.


The user should be able to change his/her password, and aliases in his/her own domain:

 :: /tmp/usermod.ldif

    dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    changetype: modify
    replace: userPassword
    userPassword: xxxxxx

    dn: mailTarget=user@fripost.org,dc=example.org,ou=domain,o=mailHosting,dc=fripost,dc=org
    changetype: modify
    add: mailLocalAddress
    mailLocalAddress: user-alias2@example.org

ldapmodify -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif

[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
[Note: If the task is merely to change the password, there is also `ldappasswd'.]

We now ensure that the leaf has been updated:

 :: slapcat -s "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"
    [...]
    userPassword:: aG9w
    entryCSN: 20120404215647.957317Z#000000#000#000000
    modifiersName: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
    modifyTimestamp: 20120404215647Z

On other modifications, for instance of `maildir', `ldapmodify'
should refuse with `Insufficient access (50)'.

**** Partial replication on the MXs

In case the LDAP goes down, we partly (e.g., we omit the passwords) replicate the LDAP
tree on the MXs.

Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
               http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap

***** Installation

Cf. installation of the master LDAP server.
(We also need to install fripost's schema and indexes.)

The slave may only listen on the UNIX socket; To specify that, in
`/etc/defauld/slapd', change `SLAPD_SERVICES' to

SLAPD_SERVICES="ldapi:///"

In the rest of this section, we assume there is a tunnel from the master
LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).

Following LDAP's terminology, the master server is also called "production",
and the slave is known as "consumer".

***** Using syncprov (on the master)

We first need to load the module `syncprov.la'.

  :: /etc/ldap/fripost/modules.ldif
  
    dn: cn=module{0}, cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: syncprov.la

ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif

The master can now define itself as the provider.

  :: /etc/ldap/fripost/syncprov.ldif

    dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    # contextCSN saved to database every 50 updates or 5 minutes
    olcSpCheckpoint: 50 5

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

***** Using syncrepl (on the slave)

  :: /etc/ldap/fripost/syncrepl.ldif

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    replace: olcSyncRepl
    olcSyncRepl: rid=000
    provider=ldap://127.0.0.1:3890
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="o=mailHosting,dc=fripost,dc=org"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
    credentials="xxxxxx"

ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif

(Since we in our case we have several slaves, we may want to increment the
rid.)

*** Configuring the main IMAP server
**** Install packages

sudo aptitude install postfix postfix-ldap

**** /etc/postfix/main.cf

TODO: add file contents

**** Setting up the MDA

# squeeze has dovecot-1.2. upgrade notes:
# - we might want to upgrade to their sieve (instead of cmusieve)
# - we want to add the -s flag to deliver in master.cf

***** Installing

sudo aptitude install dovecot-imapd

***** Configuring


:: /etc/dovecot/dovecot.conf

    protocol lda {
      # Address to use when sending rejection mails.
      postmaster_address = postmaster@fripost.org

      # Hostname to use in various parts of sent mails, eg. in Message-Id.
      # Default is the system's real hostname.
      hostname = imap.fripost.org

      # Support for dynamically loadable plugins. mail_plugins is a space separated
      # list of plugins to load.
      #mail_plugins =
      #mail_plugin_dir = /usr/lib/dovecot/modules/lda

      # Binary to use for sending mails.
      sendmail_path = /usr/lib/sendmail

      # UNIX socket path to master authentication server to find users.
      auth_socket_path = /var/run/dovecot/auth-master

      # Enabling Sieve plugin for server-side mail filtering
      mail_plugins = cmusieve
    }

    [...]

      ## dovecot-lda specific settings
      ##
      socket listen {
        master {
          path = /var/run/dovecot/auth-master
          mode = 0600
          user = xxx # User running Dovecot LDA
          #group = mail # Or alternatively mode 0660 + LDA user in this group
        }
      }

:: /etc/postfix/master.cf

    dovecot   unix  -       n       n       -       -       pipe
      flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n


:: /etc/postfix/main.cf

    virtual_mailbox_domains = ldap:$config_directory/ldap_virtual_mailbox_domains.cf
    virtual_mailbox_maps    = ldap:$config_directory/ldap_virtual_mailbox_maps.cf
    virtual_alias_maps      = ldap:$config_directory/ldap_virtual_alias_maps.cf

    [...]

    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1

http://wiki.dovecot.org/LDA/Postfix
http://www.tehinterweb.co.uk/roundcube/#pisieverules


:: /etc/postfix/ldap_virtual_mailbox_domains.cf

    server_host = ldapi://
    version = 3
    search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org
    scope = base
    bind = no
    query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
    result_attribute = dc

Test it:
    postmap -q fripost.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
    postmap -q example.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
    postmap -q fake.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'


:: /etc/postfix/ldap_virtual_mailbox_maps.cf
    server_host = ldapi://
    version = 3
    search_base = uid=%u,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
    scope = base
    bind = no
    query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
    result_attribute = uid

Test it:
    postmap -q user@fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf || echo 'failed!'
    postmap -q fake@fake.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf || echo 'failed!'


:: /etc/postfix/ldap_virtual_alias_maps.cf

    server_host = ldapi://
    version = 3
    search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
    scope = one
    bind = no
    query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
    result_attribute = mailTarget

Test it:
    postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
    postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf


(The main LDAP server is partly replicated on a UNIX socket on the MX's.)

**** Test delivery

sudo mkdir -p /home/mail/virtual/fripost.org/
mysql -u root -p

    INSERT INTO mailbox (username,password,name,maildir,domain)
    VALUES ('exempel@fripost.org','test666','Exempelanvändare','fripost.org/exempel/Maildir/','fripost.org');

sudo /etc/init.d/postfix restart

echo "test at `date`"|mail -s "test" exempel@fripostorg

**** Configuring dovecot

sudo aptitude install dovecot-imapd

:: /etc/dovecot/dovecot.conf

# Note: These settings are already in the file but commented out or set to other
#       values.

:HIDDEN:
protocols = imaps
protocol imap {
	ssl_listen = *:993
}
disable_plaintext_auth = yes
mail_location = maildir:/home/mail/virtual/%d/%u/Maildir

# Set this to something that works for the Maildirs
first_valid_uid = XXX
first_valid_gid = XXX

# Allow clients to be fancy if they want to
mechanisms = plain cram-md5

#passdb pam <--- comment this stuff out

# uncomment this stuff
passdb sql {
  args = /etc/dovecot/dovecot-sql.conf
}

#userdb passwd  <--- comment this stuff out

# uncomment this stuff
userdb sql {
   args = /etc/dovecot/dovecot-sql.conf
}

# Do not needlessly run as root
user = nobody
:END:

:: /etc/dovecot/dovecot-sql.conf

:HIDDEN:
driver = mysql
connect = host=127.0.0.1 port=3306 user=XXX password=XXX dbname=mail

# Salted MD5
default_pass_scheme = SMD5

password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND domain = '%d'

# replace XXX with relevant numbers for the system
user_query = SELECT concat('/home/mail/virtual/',maildir) AS mail, XXX AS uid, XXX AS gid FROM mailbox WHERE username = '%u' AND domain = '%d'
:END:

sudo /etc/init.d/dovecot restart

# Provided there is a user, you should now be able to login using any IMAP
# client.

**** Making sure the services are not started at boot [might not be needed]
sudo update-rc.d -n dovecot stop 2 3 4 5 .
sudo update-rc.d -n postfix stop 2 3 4 5 .

**** Use LDAP authenticate binds, and LDAP user queries.

[TODO: The following handle the dialog the LDAP server. It should replace
the MySQL bits above.]

Instead of making a SQL query to fetch the (hashed) passwords, which implies to
expose all credentials to Dovecot, an other approach is to forward the login
information to our LDAP server, that will match it against the hashed copy contained
in its database. This way if your IMAP server is compromised, the attacker will not
have access to all the e-mails and user credentials.

Documentation:
http://wiki2.dovecot.org/HowTo/DovecotOpenLdap
http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:

    hosts = localhost    # Or wherever is our LDAP server
    ldap_version = 3
    auth_bind = yes
    auth_bind_userdn = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
    base = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
    deref = never
    scope = base
    pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))

(And the TLS-related lines in case we are not using a tunnel.)

We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}"
blocks, and uncomment

      passdb ldap {
        args = /etc/dovecot/dovecot-ldap.conf
      }
      # and
      userdb ldap {
        args = /etc/dovecot/dovecot-ldap-userdb.conf
      }

Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf'
can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send
asynchronous request to the LDAP server.

*** Configuring a new smarthost to relay e-mail to the main IMAP server
**** Overview

We relay mail from our smarthosts to the main IMAP server.

This is to avoid having a single poin of failure and to separate concerns. The
IMAP server then only needs to deal with authenticated clients and the
smarthosts.

**** Prerequisites

Before this can work we must make sure that:
- the MySQL replication is working
- there is an SSH tunnel for the smtp

If they are both setup, we can configure postfix on the smarthost to relay
emails through the tunnel.

**** Configuration files

TODO: add the necessary configuration files

*** Configuring the outgoing SMTP
We will offer a SMTP relay for authenticated users (via SASL).

**** Install packages

sudo apt-get install sasl2-bin libsasl2-modules-ldap

(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
test our installation.)

In the rest of this section, we assume there is a tunnel from the master
LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).

**** Configure saslauthd

 :: /etc/default/saslauthd
    [...]
    START=yes
    MECHANISMS=ldap
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    [...]

(Note: The socket has to be readable by postfix.)

 :: /etc/saslauthd.conf

    ldap_servers: ldap://127.0.0.1:3890/
    ldap_version: 3
    ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
    ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
    ldap_auth_method: bind
    ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
    ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
    ldap_scope: base

After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
cannot be prompted, so you may want to create a dummy user.)

[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd"
in `/etc/default/saslauthd'.]

**** Configure Postfix

If everything goes through, it is now time to modify Postfix's main.cf:
(Documentation: http://www.postfix.org/SASL_README.htm)

 :: /etc/postfix/main.cf
    [...]
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_auth_enable          = yes
    smtpd_sasl_local_domain         =
    smtpd_sasl_exceptions_networks  = $mynetworks
    smtpd_sasl_security_options     = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    broken_sasl_auth_clients        = yes
    smtpd_sasl_type                 = cyrus
    smtpd_sasl_path                 = smtpd
    smtp_sasl_auth_enable           = yes
    smtp_sasl_password_maps         = hash:$config_directory/sasl_passwd
    # Note: `sasl_passwd' may be empty but Postfix complains if it doesn't exist
    smtp_sasl_security_options      = noanonymous, noplaintext
    smtp_sasl_tls_security_options  = noanonymous
    smtpd_recipient_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            [...]
    [...]


Finally, we can add the submission service to our master.cf, with customized policy:

 :: /etc/postfix/master.cf
    [...]
    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes

      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    [...]

We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload'
is enough actually.)

**** Anonymize the senders
If RoudCube automatically anonymize the sender (by simply shortening the
trace), it's not the case (by default) for SquirrelMail, or when clients
connect via ESMTP/ESMTPS/ESMTPA/ESMTPSA. Here are a couple of traces we want
to obfuscate, to prevent the recicipient and/or the intermediate SMTP relays
to track the sender.

    Received: from localhost (smtp.fripost.org [127.0.0.1])
            by fripost.org (Postfix) with ESMTP id C9DAB841F4
            for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
    Received: from fripost.org ([127.0.0.1])
            by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 8onAXWOvImDh for <recipient@example.org>;
            Thu, 22 Mar 2012 16:27:56 +0100 (CET)
    Received: from webmail.fripost.org (localhost [IPv6:::1])
            by fripost.org (Postfix) with ESMTP id 3ADAB8243D
            for <recipient@example.org>; Thu, 22 Mar 2012 16:27:56 +0100 (CET)
    Received: from 192.168.1.5
            (SquirrelMail authenticated user username)
            by webmail.fripost.org with HTTP;
            Thu, 22 Mar 2012 16:27:56 +0100

    Received: from localhost (smtp.fripost.org [127.0.0.1])
            by fripost.org (Postfix) with ESMTP id 2D1098243D
            for <recipient@example.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET)
    Received: from fripost.org ([127.0.0.1])
            by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id Hr2J-eRTN0jI for <recipient@example.org>;
            Thu, 22 Mar 2012 16:36:35 +0100 (CET)
    Received: from client.example.org (client.example.org [192.168.1.1])
            (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
            (Client CN "client.example.org", Issuer "example.org" (not verified))
            by machine.org (Postfix) with ESMTPS id DA22981B95
            for <recipient@example.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET)
    Received: (nullmailer pid 5057 invoked by uid 0);
            Thu, 22 Mar 2012 15:36:34 -0000

    Received: from localhost (smtp.fripost.org [127.0.0.1])
            by fripost.org (Postfix) with ESMTP id DBAFE816BB
            for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
    Received: from fripost.org ([127.0.0.1])
            by localhost (smtp.fripost.org [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id Upen4QhYpKf4 for <recipient@example.org>;
            Thu, 22 Mar 2012 14:48:01 +0100 (CET)
    Received: from client.example.org (client.example.org [192.168.1.5])
            (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
            (Client CN "", Issuer "" (not verified))
            (Authenticated sender: username)
            by fripost.org (Postfix) with ESMTPSA id 40284804F5
            for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
    Received: by client.example.org (Postfix, from userid 1000)
            id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)

(The first one was sent using a SquirrelMail; The second using ESMTPS;
And the third using ESMTPSA).
If we are to hide the sender, we could simply clean the trace (like
RoundCube does) when the mail leaves the server. However, some aggressive
mailfilters may reject the mail since the trace is incomplete (if RoundCube
hides the history I guess it doesnt' happen that often, but who knows...).

Another option would be to clean the trace and to simply add a fake field
to pretend that the mail is sent from localhost by the user nobody:
    Received: by fripost.org (Postfix, from userid 65535)
            id 2C537816BB; Thu, 22 Mar 2012 14:08:45 +0100 (CET)
This possible by adding "smtp_header_checks = regexp:$config_directory/smtp_header_checks"
in the Postfix's main.cf, with a suitable file "smtp_header_check" in the Postfix
configuration directory.

Yet an other option is not to hide the trace, but rather forge it to
pretend that the ESMTP/... connections are all coming from localhost.
This way we are not hiding the fact that a client has logged in using a
valid certificate, and in case of an SMTP relay, the early part of the
trace (before it entered our Postfix sever) remains unchanged. For
example, the early part of the third trace would become:

    Received: from localhost (localhost [127.0.0.1])
            (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
            (Client CN "", Issuer "" (not verified))
            (Authenticated sender: username)
            by fripost.org (Postfix) with ESMTPSA id 40284804F5
            for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
    Received: by client.example.org (Postfix, from userid 1000)
            id 1D24F41747; Thu, 22 Mar 2012 14:48:00 +0100 (CET)

(the other field remaining unchanged). This is also made possible by
smtp_header_checks. In that case, the corresponding file would contain
the following rexep, forging the header by pretending that the client
has EHLO'ed from localhost:

    /^Received:\s+from (\S+)\s+\(\S+\s+\S+\)(.*\sby fripost\.org \(Postfix\)\s+with E?SMTP(S|A|SA)\W.*)$/
      REPLACE Received: from localhost (localhost [127.0.0.1])${2}

You can try out the regexp using "postmap -h -q - regexp:smtp_header_checks < email"
(where `email' may also be a bunch of traces).

DISCLAIMER: The regexp probably needs tests (especially for multiple hops,
in case of relaying SMTPs). Also, note that the hostname of the client has
NOT been obfuscated in the above trace (and that will break the relaying path
if the client has a routable hostname that doesn't point to the SMTP server!).
However, this line has been added by the client itself, so it's his/her
responsability to masquerade it I suppose. In the same way, the CN and Issuer
of the client's certificate may help to track him/her down. Maybe we should
forge these as well?

** Configuring the webserver

sudo apt-get install apache2

sudo a2enmod ssl rewrite

:: /etc/apache2/ports.conf

    <IfModule mod_ssl.c>
      NameVirtualHost *:443
    </IfModule>

:: /etc/apache2/conf.d/security

    ServerTokens Prod

*** Roundcube

**** Installing roundcube

# Add the backports repository first, to make sure we're running a somewhat more
# current version than the one currently in stable.

:: /etc/apt/sources.list

    deb http://backports.debian.org/debian-backports squeeze-backports main

sudo apt-get install roundcube

:: /etc/php5/apache2/php.ini

    log_errors = Off
    post_max_size = 25M
    upload_max_filesize = 25M
    tmp_dir = FIXME

:: /etc/roundcube/main.inc.php  ## checked for roundcube 0.5.4+dfsg-1~bpo60+1

    # Use caching
    $rcmail_config['enable_caching'] = TRUE;

    # fripost.org specific
    $rcmail_config['force_https'] = TRUE;
    $rcmail_config['default_host'] = 'ssl://imap.fripost.org';
    $rcmail_config['imap_auth_type'] = 'plain';
    $rcmail_config['username_domain'] = 'fripost.org';

    # use IP for extra paranoia
    $rcmail_config['ip_check'] = true;

    # Locale settings
    $rcmail_config['language'] = 'sv_SE';
    $rcmail_config['date_long'] = 'Y-m-d.Y H:i';

    $rcmail_config['product_name'] = 'Fripost';

    # IMAP Folders (I guess these were changed for compatibility with SquirrelMail)
    $rcmail_config['drafts_mbox'] = 'INBOX.Drafts';
    $rcmail_config['junk_mbox'] = 'INBOX.Junk';
    $rcmail_config['sent_mbox'] = 'INBOX.Sent';
    $rcmail_config['default_imap_folders'] = array('INBOX', 'INBOX.Drafts', 'INBOX.Sent', 'INBOX.Junk', 'Trash');
    $rcmail_config['create_default_folders'] = TRUE;

    # timezone
    $rcmail_config['timezone'] = 'CET';

    # compose html formatted messages by default
    $rcmail_config['htmleditor'] = TRUE;


**** Installing custom logo

wget https://fripost.org/images/logo2011_webmail.png
LOGO="logo2011_webmail.png"
sudo mv /var/lib/roundcube/skins/default/images/roundcube_logo.png /var/lib/roundcube/skins/default/images/roundcube_logo2.png
sudo mv $LOGO /var/lib/roundcube/skins/default/images/roundcube_logo.png
sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png

**** Adding a custom message on login page

Before this

: <roundcube:object name="preloader" images="

in

:: /usr/share/roundcube/skins/default/templates/login.html

    <div style="margin: 20px;"/>

    <div style="max-width: 45em; margin: 0px auto; border: dotted 3px red; padding:1em;">

    <h3>Important message</h3>

    <p align="left"><strong>Mon Feb 13 12:55:30 CET 2012</strong> </p>
    <p>
    Lorem ipsum dolor sit amet, consectetur adipiscing
    elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra
    arcu, sit amet pellentesque dui enim vitae ipsum.</p>

    <p>J. Random Hacker</p>

    </div>

**** Allow the users to change their password

We neet to install a plugin http://trac.roundcube.net/browser/trunk/roundcubemail/plugins/password .
It may be in

  :: apt-get install roundcube-plugins

Depends on PHP's LDAP library:

  :: apt-get install php-net-ldap2

We now need to modify `.../plugins/password/config/inc.php.dist' as follows [TODO: not tested.]

$rcmail_config['password_ldap_host']          = '127.0.0.1';
$rcmail_config['password_ldap_port']          = '389';
$rcmail_config['password_ldap_starttls']      = false;
$rcmail_config['password_ldap_version']       = '3';
$rcmail_config['password_ldap_basedn']        = 'dc=domains,o=mailHosting,dc=fripost,dc=org'
$rcmail_config['password_ldap_method']        = 'user';
$rcmail_config['password_ldap_adminDN']       = null;
$rcmail_config['password_ldap_adminPW']       = null;
$rcmail_config['password_ldap_userDN_mask']   = 'uid=%name,dc=%domain,ou=domains,o=mailHosting,dc=fripost,dc=org';
$rcmail_config['password_ldap_searchDN']      = null
$rcmail_config['password_ldap_searchPW']      = null
$rcmail_config['password_ldap_search_base']   = null
$rcmail_config['password_ldap_search_filter'] = null
$rcmail_config['password_ldap_encodage']      = 'ssha';
$rcmail_config['password_ldap_pwattr']        = 'userPassword';
$rcmail_config['password_ldap_force_replace'] = true;

*** ikiwiki

- sudo apt-get install ikiwiki

- Add separate ikiwiki user

[[http://rtime.felk.cvut.cz/~sojka/blog/using-ikiwiki-with-gitolite/][Link: Integration with ikiwiki]]

*** gitolite and gitweb

# Note: incomplete steps

sudo apt-get install gitolite

sudo dpkg-reconfigure gitolite

  :: /var/lib/gitolite/.gitolite.rc

    $REPO_UMASK = 0027;       # gets you 'rwxr-x---'

# Add the repositories/users to gitolite
# This is mostly self-explanatory, but begin on your local workstation:

git clone gitolite@githost:gitolite-admin

cd gitolite-admin

... make edits

git push

# Push all repositories

cd myrepo

git push --all gitolite@githost:myrepo

git push --tags gitolite@githost:myrepo

# Add the gitweb user to gitolite

sudo apt-get install gitweb

sudo usermod -a -G gitolite www-data

sudo /etc/init.d/apache2 stop

sudo /etc/init.d/apache2 start

# Add repositories to gitweb

sudo ln -s /var/lib/gitolite/repositories/myrepo.git /var/cache/git/myrepo.git

... etc

# Make sure one can checkout the repository via http

[[http://www.kernel.org/pub/software/scm/git/docs/howto/setup-git-server-over-http.txt][Git docs]]

sudo su gitolite

cd /var/lib/gitolite/repositories/myrepo.git
git update-server-info
mv hooks/post-update.sample hooks/post-update

  :: /etc/apache2/sites-available/default

    AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2

  :: /usr/share/gitweb/indextext.html

    För att klona ett av dessa träd, installera <a href="http:///">git</a> och kör:

    <blockquote><code>git clone http://git.fripost.org/pub/</code> + projektets sökväg</blockquote>

    <p>
    För mer information om <a href="http://www.kernel.org/pub/software/scm/git/">git</a>, se en
    <a href="http://git.or.cz/">överblick</a>, en
    <a href="http://www.kernel.org/pub/software/scm/git/docs/gittutorial.html">tutorial</a>
     eller
    <a href="http://www.kernel.org/pub/software/scm/git/docs">manualsidorna</a>.
    </p>

# Add a description of a repository for gitweb

echo "Mötesprotokoll" > fripost-meetings.git/description


** Logging
*** Overview
We want to limit how much we log for privacy reasons. At the same time we want
to be able to debug technical problems and detect intrusions.

For the webmail, we only log messages of priority warn or higher.
*** Configuration

  :: /etc/rsyslog.conf

    *.*;auth,authpriv.none;mail.err	-/var/log/syslog

# NOTE: /var/log/mail.{err,warn} can be kept at the default
# values since they do not contain any sensitive information.
  :: /etc/logrotate.d/rsyslog

    /var/log/mail.log
    /var/log/mail.info
    {
    	rotate 3
    	daily
    	missingok
    	ifempty
    	compress
    	delaycompress
    	sharedscripts
    	postrotate
    		invoke-rc.d rsyslog reload > /dev/null
    	endscript
    }

** Necessary stuff to fix for security
*** Bacula for backups
Also has tripwire-like capabilities.
*** OSSEC

*** Firewall rules
TODO: Add nice rules.

** Ideas for improved security

*** Monitoring



* Hardening
** Overview

The [[http://www.debian.org/doc/manuals/securing-debian-howto/][Securing Debian Manual]] is the definitive reference for Debian security.

These are just some quick notes for easy access to the administrators.
** ntp
# Let's be overly paranoid... ;-)

:: /etc/ntp.conf

-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+restrict default ignore
+restrict -6 default ignore

** rkhunter

sudo aptitude install rkhunter

sudo rkhunter -c --nomow --rwo

:: /etc/rkhunter.conf

    MAIL-ON-WARNING=admin@fripost.org

    ALLOWHIDDENDIR=/dev/.udev
    ALLOWHIDDENDIR=/dev/.initramfs
    ALLOWHIDDENDIR=/etc/.git

    ALLOWHIDDENFILE=/etc/.gitignore
    ALLOWHIDDENFILE=/etc/.etckeeper

    # something like: (adapt port as needed)
    INETD_ALLOWED_SVC=127.0.0.1:2000

    # in case whitelisting is needed, use something like:
    # (whitespace important)
    APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "

:: /etc/default/rkhunter

    REPORT_EMAIL="admin@fripost.org"
    NICE="19"

# testing:

sudo rkhunter -c --nomow --rwo



* NEED TO KNOW FOR SERVER ADMINS

** Procedure for restarting mistral (the VPS)

1. There is one password which has to be provided at boot. This is given to our
   VPS host provider via some insecure means of communication.

2. When the server is booted, this password is changed.

3. The partition on /home/mail is then mounted. A separate password is provided
   for this.

4. Once the partition is mounted, dovecot and postfix may be started.

** Document your changes

The latest version of this document is always available at:

    git clone http://git.fripost.org/pub/fripost-docs.git

To get commit access, contact admin@fripost.org with your request.

** Use etckeeper

We keep /etc in a git repository using the tool etckeeper. This makes it
possible to use standard git commands in /etc, e.g. `git log'. `etckeeper' has
the benefit of keeping track of file permissions, which git by itself will not.

Every time you make changes to any files in /etc, you are encouraged to commit
them using a descriptive commit message.

$ etckeeper commit "postfix: relay messages to remote hosts via smtp"

If you do not commit your changes, they will be automatically committed.  This
is not ideal, since this means other administrators might have to guess as to
why changes were being made and by whom.  Please try to avoid putting your
co-administrators in this uncomfortable position.

** Use Cluster SSH

This pretty much sums it up:

"ClusterSSH controls a number of xterm windows via a single graphical console
window to allow commands to be interactively run on multiple servers over an ssh
connection."

** Use fripost-tools

We have written some tools to make administration tasks easier. They can be
found at:

    git clone git://github.com/skangas/fripost-tools.git