Difference between revisions of "Operativa"

(Organizational Unit)
(Add postfix section)
Line 240: Line 240:
 
  # nginx -s reload
 
  # nginx -s reload
  
= Jabber =
+
= Prosody =
  
 
== Installation ==
 
== Installation ==
Line 247: Line 247:
  
 
== Configuration ==
 
== Configuration ==
 +
 +
= Postfix =
 +
 +
== Installation ==
 +
 +
# yum -y install prosody postgrey opendkim
 +
 +
== Configuration ==
 +
 +
1. Edit main.cf
 +
 +
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
 +
# default settings
 +
queue_directory = /var/spool/postfix
 +
command_directory = /usr/sbin
 +
daemon_directory = /usr/libexec/postfix
 +
data_directory = /var/lib/postfix
 +
mail_owner = postfix
 +
sendmail_path = /usr/sbin/sendmail.postfix
 +
newaliases_path = /usr/bin/newaliases.postfix
 +
mailq_path = /usr/bin/mailq.postfix
 +
setgid_group = postdrop
 +
html_directory = no
 +
manpage_directory = /usr/share/man
 +
 +
# hostnames, relays  and aliases
 +
smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens"
 +
myhostname = example.org
 +
mydomain = example.org
 +
myorigin = $myhostname
 +
inet_interfaces = all
 +
inet_protocols = all
 +
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
 +
unknown_local_recipient_reject_code = 550
 +
relay_domains = $mydestination
 +
alias_maps = hash:/etc/aliases
 +
virtual_alias_maps = hash:/etc/postfix/virtual
 +
alias_database = hash:/etc/aliases
 +
smtpd_relay_restrictions  =
 +
 +
# commands
 +
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 +
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
 +
virtual_transport = lmtp:unix:private/dovecot-lmtp
 +
 +
# debug
 +
debug_peer_level = 2
 +
debugger_command =
 +
          PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 +
          ddd $daemon_directory/$process_name $process_id & sleep 5
 +
 +
# custom
 +
biff = no
 +
 +
# attachments
 +
message_size_limit = 20971520
 +
mailbox_size_limit = 1000000900
 +
 +
# antispam
 +
header_checks = regexp:/etc/postfix/header_checks
 +
smtpd_helo_required = yes
 +
disable_vrfy_command = yes
 +
strict_rfc821_envelopes = yes
 +
invalid_hostname_reject_code = 554
 +
multi_recipient_bounce_reject_code = 554
 +
non_fqdn_reject_code = 554
 +
relay_domains_reject_code = 554
 +
unknown_address_reject_code = 554
 +
unknown_client_reject_code = 554
 +
unknown_hostname_reject_code = 554
 +
unknown_local_recipient_reject_code = 554
 +
unknown_relay_recipient_reject_code = 554
 +
unknown_virtual_alias_reject_code = 554
 +
unknown_virtual_mailbox_reject_code = 554
 +
unverified_recipient_reject_code = 554
 +
unverified_sender_reject_code = 554
 +
 +
# TLS parameters
 +
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
 +
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
 +
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
 +
smtpd_use_tls=yes
 +
smtpd_tls_auth_only = yes
 +
smtp_tls_security_level = may
 +
smtpd_tls_ask_ccert = yes
 +
smtp_tls_loglevel = 2
 +
smtpd_tls_received_header = yes
 +
smtp_tls_note_starttls_offer = yes
 +
smtpd_tls_ciphers = high
 +
smtpd_tls_exclude_ciphers = aNULL, MD5
 +
smtpd_tls_protocols = !SSLv2, !SSLv3
 +
 +
# sasl
 +
smtpd_sasl_type = dovecot
 +
smtpd_sasl_path = private/auth
 +
smtpd_sasl_auth_enable = yes
 +
 +
# sender, recipient restrictions
 +
smtpd_delay_reject = yes
 +
smtpd_helo_required = yes
 +
smtpd_helo_restrictions =
 +
    permit_mynetworks,
 +
    reject_non_fqdn_helo_hostname,
 +
    reject_invalid_helo_hostname,
 +
    permit
 +
smtpd_sender_restrictions =
 +
    permit_mynetworks,
 +
    reject_non_fqdn_sender,
 +
    reject_unknown_sender_domain,
 +
    permit
 +
smtpd_recipient_restrictions =
 +
    permit_sasl_authenticated,
 +
    reject_unauth_pipelining,
 +
    reject_non_fqdn_recipient,
 +
    reject_unknown_recipient_domain,
 +
    permit_mynetworks,
 +
    reject_unauth_destination,
 +
    check_sender_access
 +
          hash:/etc/postfix/sender_access,
 +
    reject_rbl_client zen.spamhaus.org,
 +
    reject_rbl_client bl.spamcop.net,
 +
    check_policy_service unix:postgrey/socket,
 +
    permit
 +
 +
# OpenDKIM
 +
non_smtpd_milters=inet:127.0.0.1:8891
 +
smtpd_milters=inet:127.0.0.1:8891
 +
 +
2. Edit master.cf
 +
 +
smtp      inet  n      -      n      -      -      smtpd
 +
submission inet n      -      n      -      -      smtpd
 +
  -o smtpd_enforce_tls=yes
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_sasl_type=dovecot
 +
  -o smtpd_sasl_path=private/auth
 +
  -o smtpd_sasl_security_options=noanonymous
 +
  -o smtpd_sasl_local_domain=$myhostname
 +
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
pickup    unix  n      -      n      60      1      pickup
 +
cleanup  unix  n      -      n      -      0      cleanup
 +
qmgr      unix  n      -      n      300    1      qmgr
 +
tlsmgr    unix  -      -      n      1000?  1      tlsmgr
 +
rewrite  unix  -      -      n      -      -      trivial-rewrite
 +
bounce    unix  -      -      n      -      0      bounce
 +
defer    unix  -      -      n      -      0      bounce
 +
trace    unix  -      -      n      -      0      bounce
 +
verify    unix  -      -      n      -      1      verify
 +
flush    unix  n      -      n      1000?  0      flush
 +
proxymap  unix  -      -      n      -      -      proxymap
 +
proxywrite unix -      -      n      -      1      proxymap
 +
smtp      unix  -      -      n      -      -      smtp
 +
relay    unix  -      -      n      -      -      smtp
 +
showq    unix  n      -      n      -      -      showq
 +
error    unix  -      -      n      -      -      error
 +
retry    unix  -      -      n      -      -      error
 +
discard  unix  -      -      n      -      -      discard
 +
local    unix  -      n      n      -      -      local
 +
virtual  unix  -      n      n      -      -      virtual
 +
lmtp      unix  -      -      n      -      -      lmtp
 +
anvil    unix  -      -      n      -      1      anvil
 +
scache    unix  -      -      n      -      1      scache
 +
dovecot  unix  -      n      n      -      -      pipe
 +
    flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 +
 +
3. Create sender_access files with spammers and hash it
 +
 +
# postmap sender_access
 +
 +
4. Create virtual file and hash it
 +
 +
# postmap virtual
 +
 +
5. Leave default postgrey whitelist and create a new for custom domains
 +
 +
example.org
 +
hackerspace.gr
 +
 +
6. Edit mydomains
 +
 +
example.org
 +
 +
7. OpenDKIM
 +
 +
== Service ==
 +
 +
1. Enable and start services.
 +
 +
# systemctl enable opendkim.service
 +
# systemctl start opendkim.service
 +
# systemctl enable postgrey.service
 +
# systemctl start postgrey.service
 +
# systemctl enable postfix.service
 +
# systemctl start postfix.service
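Review bot: The `yum` line under the new Postfix "Installation" heading pulls in `prosody` instead of the package the section configures; it should read `# yum -y install postfix postgrey opendkim` (CentOS ships postfix by default, which is probably why this went unnoticed). In the main.cf listing `unknown_local_recipient_reject_code` is assigned twice with different values (550 under "hostnames", 554 under "antispam") and `smtpd_helo_required = yes` appears in both the antispam and the restrictions group; Postfix applies the last assignment and warns about the earlier one, so the 550 line is dead and should be removed. Postfix also requires `smtpd_banner` to begin with `$myhostname` and does not strip the double quotes, so the greeting should become `smtpd_banner = $myhostname ESMTP a physical space dedicated to creative code and hardware hacking in Athens`. `smtpd_use_tls=yes` in main.cf and `-o smtpd_enforce_tls=yes` on the submission service are the pre-2.3 spellings; the current forms are `smtpd_tls_security_level = may` and `-o smtpd_tls_security_level=encrypt`. Step 7 ("OpenDKIM") is left empty although main.cf already points both milter settings at `inet:127.0.0.1:8891`, so a reader following the page as written ends up with the default `milter_default_action` tempfailing mail until opendkim is actually configured.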

Revision as of 22:45, 7 January 2017

Notes on building Hackerspace public and member services.

Common

1. Install basic stuff.

# yum install -y epel-release
# yum install -y vim bash-completion wget

LDAP

Installation

# yum install -y openldap openldap-clients openldap-servers

Service

1. Enable and start service.

# systemctl enable slapd.service
# systemctl start slapd.service

2. Check it actually works.

# systemctl status -l slapd.service

Configuration

1. Copy default DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2. Create a new admin password.

# slappasswd

3. Create an initial config in a file.

# openldap_initial.ldif — applied with ldapmodify -Y EXTERNAL over ldapi:/// (step 4).
# Monitor database: readable only by the local root user (SASL EXTERNAL peercred
# over the ldapi socket) and by the admin DN; everyone else gets nothing.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
  read by dn.base="cn=admin,dc=example,dc=org" read by * none

# Main data database: set the suffix, the root DN and the root password.
# olcRootPW must be a hash as printed by slappasswd (step 2), never cleartext;
# the {SSHA} value below is the page's example and must be replaced.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

4. And use it.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif

Schema

By default OpenLDAP ships the schemas below (also available in LDIF format); they describe which objectClasses and LDAP attributes our directory can use.

# find /etc/openldap/schema/*.schema

/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.schema

The most common schemas are:

cosine.schema
nis.schema
inetorgperson.schema

To load them to our ldap configuration:

# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif

Ldap Configuration

To see the entire slapd configuration:

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"


Organizational Unit

1. Create an ldif file with the schema.

# schema.ldif — base entry plus the People organizational unit, loaded with
# ldapmodify -a as cn=admin (step 2).

# example.org — the directory root (suffix dc=example,dc=org set in the initial config)
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People — container that user entries are created under
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

2. And use it.

# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif

Users

1. Create a new user.

# Example user entry under ou=People. posixAccount supplies uidNumber, gidNumber
# and homeDirectory for services that resolve accounts through LDAP.
dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
# NOTE(review): the mail domain is example.gr while the rest of the page uses example.org — confirm
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
# NOTE(review): uidNumber/gidNumber are placeholders; uidNumber must be unique and
# gidNumber should refer to an existing group — TODO confirm the allocation scheme
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
# Cleartext placeholder for the example only: set the real password with
# ldappasswd (or store an {SSHA} hash) so it never sits in the LDIF.
userPassword: test

Status

1. Display entire config.

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Nginx

Installation

# yum -y install nginx certbot

Initial Configuration

1. Edit nginx.conf. Remove the default server block and turn access logs off.

access_log off;

2. Create ssl.conf under conf.d.

# https://wiki.mozilla.org/Security/Server_Side_TLS
# conf.d/ssl.conf — TLS settings shared by every server block (presumably
# included at http level from nginx.conf; verify the include).
# DH group generated in step 3
ssl_dhparam /etc/ssl/dhparam.pem;
# TLSv1 and TLSv1.1 are still offered here; drop them once no such clients remain
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
# HSTS for one year. add_header set here is inherited by a server block only
# if that block defines no add_header of its own.
add_header Strict-Transport-Security "max-age=31536000";

3. Create dhparam.

openssl dhparam -out /etc/ssl/dhparam.pem 2048

4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.

# conf.d/default.conf — plain-HTTP bootstrap site. Every hostname that will be
# on the certificate is listed so certbot's webroot challenge (Certificates
# step) can be answered from /var/www/default/.
server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    
    root /var/www/default/;
    index index.html;
}

Service

1. Test the configuration.

# nginx -t

2. Enable and start service.

# systemctl enable nginx.service
# systemctl start nginx.service

Certificates

1. Create certificates, including all subdomains

certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly

Final configuration

1. Edit default.conf to make it https-only.

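# conf.d/default.conf — HTTPS-only layout. TLS parameters come from
# conf.d/ssl.conf; the certificate paths are the ones certbot created.
server {
    # Plain HTTP for both names: send everything to HTTPS on the canonical
    # host. $server_name expands to the first name listed, i.e. example.org.
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    # HTTPS on the www alias: redirect to the canonical host. The target is
    # spelled out because $server_name would expand to www.example.org here
    # and make this block redirect to itself forever.
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    return 301 https://example.org$request_uri;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    # The canonical HTTPS site.
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;

    root /var/www/default/;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}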

2. Test the configuration.

# nginx -t

3. Reload nginx.

# nginx -s reload

Prosody

Installation

# yum -y install prosody

Configuration

Postfix

Installation

# yum -y install prosody postgrey opendkim

Configuration

1. Edit main.cf

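# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#
# Every parameter is set exactly once: Postfix applies the last assignment of
# a duplicated parameter and warns about the earlier one, so the repeated
# unknown_local_recipient_reject_code and smtpd_helo_required lines have been
# collapsed to the value that was actually in effect.

# default settings
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man

# hostnames, relays  and aliases
# The greeting must start with $myhostname (required by the SMTP protocol);
# quote characters in main.cf are part of the value, so the tagline is unquoted.
smtpd_banner = $myhostname ESMTP a physical space dedicated to creative code and hardware hacking in Athens
myhostname = example.org
mydomain = example.org
myorigin = $myhostname
inet_interfaces = all
inet_protocols = all
# /etc/postfix/mydomains is the plain-text list of extra local domains (step 6)
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
alias_database = hash:/etc/aliases
# Left empty on purpose: relay control then falls back to the
# reject_unauth_destination entry in smtpd_recipient_restrictions below,
# which must therefore stay in place.
smtpd_relay_restrictions =

# commands
# NOTE(review): for local delivery mailbox_transport takes precedence over
# mailbox_command, so the dovecot-lda line is effectively unused; the socket
# under /var/lib/imap is also not the Dovecot LMTP socket named in
# virtual_transport — confirm which delivery path is intended.
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp

# debug
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

# custom
biff = no

# attachments
# bytes: 20 MiB per message
message_size_limit = 20971520
mailbox_size_limit = 1000000900

# antispam
header_checks = regexp:/etc/postfix/header_checks
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
# was also set to 550 earlier in the original file; 554 was the effective value
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# TLS parameters
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# replaces the obsolete smtpd_use_tls=yes: offer STARTTLS on port 25 without
# requiring it (mandatory TLS is enforced on the submission service in master.cf)
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5
# only SSLv2/SSLv3 are excluded, so TLS 1.0 and 1.1 are still accepted
smtpd_tls_protocols = !SSLv2, !SSLv3

# sasl
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# sender, recipient restrictions
# smtpd_helo_required is set once, in the antispam group above
smtpd_delay_reject = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access
         hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit

# OpenDKIM
# milter socket; the opendkim side is step 7 of this page. With the default
# milter_default_action, mail is tempfailed while this socket is unreachable.
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891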

2. Edit master.cf

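# master.cf columns: service type private unpriv chroot wakeup maxproc command
# port 25: opportunistic TLS as configured in main.cf
smtp      inet  n       -       n       -       -       smtpd
# port 587: TLS is mandatory and only SASL-authenticated clients may submit.
# smtpd_tls_security_level=encrypt replaces the obsolete smtpd_enforce_tls=yes;
# syslog_name keeps submission traffic distinguishable from port-25 traffic in
# the mail log.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
# pipe transport handing mail to dovecot-lda; NOTE(review): nothing in main.cf
# routes mail to this "dovecot" transport (mailbox_transport/virtual_transport
# both use lmtp), so it may be unused — confirm.
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}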

3. Create the sender_access file listing the spammers to block, and hash it.

# postmap sender_access

4. Create the virtual file and hash it.

# postmap virtual

5. Leave the default postgrey whitelist in place and create a new one for custom domains.

example.org
hackerspace.gr

6. Edit mydomains

example.org

7. OpenDKIM

Service

1. Enable and start services.

# systemctl enable opendkim.service
# systemctl start opendkim.service
# systemctl enable postgrey.service
# systemctl start postgrey.service
# systemctl enable postfix.service
# systemctl start postfix.service