Difference between revisions of "Operativa"
(first take) |
(Add OpenDKIM) |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
Notes on building Hackerspace public and member services. | Notes on building Hackerspace public and member services. | ||
+ | |||
+ | = Common = | ||
+ | |||
+ | 1. Install basic stuff. | ||
+ | |||
+ | # yum install -y epel-release | ||
+ | # yum install -y vim bash-completion wget | ||
= LDAP = | = LDAP = | ||
Line 5: | Line 12: | ||
== Installation == | == Installation == | ||
− | # yum -y | + | # yum install -y openldap openldap-clients openldap-servers |
== Service == | == Service == | ||
− | 1. Enable and start service | + | 1. Enable and start service. |
# systemctl enable slapd.service | # systemctl enable slapd.service | ||
# systemctl start slapd.service | # systemctl start slapd.service | ||
− | 2. Check it actually works | + | 2. Check it actually works. |
# systemctl status -l slapd.service | # systemctl status -l slapd.service | ||
Line 20: | Line 27: | ||
== Configuration == | == Configuration == | ||
− | 1. Copy default DB_CONFIG | + | 1. Copy default DB_CONFIG. |
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG | ||
− | 2. Create a new admin password | + | 2. Create a new admin password. |
# slappasswd | # slappasswd | ||
− | 3. Create an initial config in a file | + | 3. Create an initial config in a file. |
dn: olcDatabase={1}monitor,cn=config | dn: olcDatabase={1}monitor,cn=config | ||
Line 47: | Line 54: | ||
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd | olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd | ||
− | 4. And use it | + | 4. And use it. |
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif | ||
Line 53: | Line 60: | ||
== Schema == | == Schema == | ||
− | 1. Create an ldif file with the schema | + | By default openldap supports the below ldap schemas (in ldif format also), |
+ | that describes what objectclasses & ldap attributes should our schema support. | ||
+ | |||
+ | # find /etc/openldap/schema/*.schema | ||
+ | |||
+ | /etc/openldap/schema/collective.schema | ||
+ | /etc/openldap/schema/corba.schema | ||
+ | /etc/openldap/schema/core.schema | ||
+ | /etc/openldap/schema/cosine.schema | ||
+ | /etc/openldap/schema/duaconf.schema | ||
+ | /etc/openldap/schema/dyngroup.schema | ||
+ | /etc/openldap/schema/inetorgperson.schema | ||
+ | /etc/openldap/schema/java.schema | ||
+ | /etc/openldap/schema/misc.schema | ||
+ | /etc/openldap/schema/nis.schema | ||
+ | /etc/openldap/schema/openldap.schema | ||
+ | /etc/openldap/schema/pmi.schema | ||
+ | /etc/openldap/schema/ppolicy.schema | ||
+ | |||
+ | The most common schemas are: | ||
+ | |||
+ | cosine.schema | ||
+ | nis.schema | ||
+ | inetorgperson.schema | ||
+ | |||
+ | To load them to our ldap configuration: | ||
+ | |||
+ | # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif | ||
+ | # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif | ||
+ | # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif | ||
+ | |||
+ | == Ldap Configuration == | ||
+ | |||
+ | to see the entire slapd configuration setup: | ||
+ | |||
+ | # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | ||
+ | |||
+ | |||
+ | == Organizational Unit == | ||
+ | |||
+ | 1. Create an ldif file with the schema. | ||
# example.org | # example.org | ||
Line 67: | Line 114: | ||
ou: People | ou: People | ||
− | 2. And use it | + | 2. And use it. |
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif | # ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif | ||
Line 73: | Line 120: | ||
== Users == | == Users == | ||
− | 1. Create a new user | + | 1. Create a new user. |
dn: uid=test,ou=People,dc=example,dc=org | dn: uid=test,ou=People,dc=example,dc=org | ||
Line 93: | Line 140: | ||
== Status == | == Status == | ||
− | 1. Display entire config | + | 1. Display entire config. |
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | ||
− | = | + | = Nginx = |
+ | |||
+ | == Installation == | ||
+ | |||
+ | # yum -y install nginx certbot | ||
+ | |||
+ | == Initial Configuration == | ||
+ | |||
+ | 1. Edit nginx.conf. Remove server block and turn access logs off. | ||
+ | |||
+ | access_log off; | ||
+ | |||
+ | 2. Create ssl.conf under conf.d. | ||
+ | |||
+ | # https://wiki.mozilla.org/Security/Server_Side_TLS | ||
+ | ssl_dhparam /etc/ssl/dhparam.pem; | ||
+ | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
+ | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; | ||
+ | ssl_session_timeout 5m; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_session_cache shared:SSL:50m; | ||
+ | add_header Strict-Transport-Security "max-age=31536000"; | ||
+ | |||
+ | 3. Create dhparam. | ||
+ | |||
+ | openssl dhparam -out /etc/ssl/dhparam.pem 2048 | ||
+ | |||
+ | 4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains. | ||
+ | |||
+ | server { | ||
+ | listen [::]:80; | ||
+ | listen 80; | ||
+ | server_name example.org www.example.org conf.example.org; | ||
+ | |||
+ | root /var/www/default/; | ||
+ | index index.html; | ||
+ | } | ||
+ | |||
+ | == Service == | ||
+ | |||
+ | 1. Test the configuration. | ||
+ | |||
+ | # nginx -t | ||
+ | |||
+ | 2. Enable and start service. | ||
+ | |||
+ | # systemctl enable nginx.service | ||
+ | # systemctl start nginx.service | ||
+ | |||
+ | == Certificates == | ||
+ | |||
+ | 1. Create certificates, including all subdomains | ||
+ | |||
+ | certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly | ||
+ | |||
+ | == Final configuration == | ||
+ | |||
+ | 1. Edit default.conf to make it https-only. | ||
+ | |||
+ | server { | ||
+ | listen [::]:80; | ||
+ | listen 80; | ||
+ | server_name example.org www.example.org; | ||
+ | return 301 https://$server_name$request_uri; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen [::]:443 ssl; | ||
+ | listen 443 ssl; | ||
+ | server_name www.example.org; | ||
+ | return 301 https://$server_name$request_uri; | ||
+ | |||
+ | ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; | ||
+ | ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen [::]:443 ssl; | ||
+ | listen 443 ssl; | ||
+ | server_name example.org; | ||
+ | |||
+ | root /var/www/default/; | ||
+ | index index.html; | ||
+ | |||
+ | ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; | ||
+ | ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; | ||
+ | } | ||
+ | |||
+ | 2. Test the configuration. | ||
+ | |||
+ | # nginx -t | ||
+ | |||
+ | 3. Reload nginx. | ||
+ | |||
+ | # nginx -s reload | ||
+ | |||
+ | = Prosody = | ||
== Installation == | == Installation == | ||
Line 104: | Line 247: | ||
== Configuration == | == Configuration == | ||
+ | |||
+ | = Postfix = | ||
+ | |||
+ | == Installation == | ||
+ | |||
+ | # yum -y install prosody postgrey opendkim | ||
+ | |||
+ | == Configuration == | ||
+ | |||
+ | 1. Go tp postfix config dir | ||
+ | |||
+ | # cd /etc/postfix | ||
+ | |||
+ | 2. Edit main.cf | ||
+ | |||
+ | # See /usr/share/postfix/main.cf.dist for a commented, more complete version | ||
+ | # default settings | ||
+ | queue_directory = /var/spool/postfix | ||
+ | command_directory = /usr/sbin | ||
+ | daemon_directory = /usr/libexec/postfix | ||
+ | data_directory = /var/lib/postfix | ||
+ | mail_owner = postfix | ||
+ | sendmail_path = /usr/sbin/sendmail.postfix | ||
+ | newaliases_path = /usr/bin/newaliases.postfix | ||
+ | mailq_path = /usr/bin/mailq.postfix | ||
+ | setgid_group = postdrop | ||
+ | html_directory = no | ||
+ | manpage_directory = /usr/share/man | ||
+ | |||
+ | # hostnames, relays and aliases | ||
+ | smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens" | ||
+ | myhostname = example.org | ||
+ | mydomain = example.org | ||
+ | myorigin = $myhostname | ||
+ | inet_interfaces = all | ||
+ | inet_protocols = all | ||
+ | mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains | ||
+ | unknown_local_recipient_reject_code = 550 | ||
+ | relay_domains = $mydestination | ||
+ | alias_maps = hash:/etc/aliases | ||
+ | virtual_alias_maps = hash:/etc/postfix/virtual | ||
+ | alias_database = hash:/etc/aliases | ||
+ | smtpd_relay_restrictions = | ||
+ | |||
+ | # commands | ||
+ | mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" | ||
+ | mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp | ||
+ | virtual_transport = lmtp:unix:private/dovecot-lmtp | ||
+ | |||
+ | # debug | ||
+ | debug_peer_level = 2 | ||
+ | debugger_command = | ||
+ | PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin | ||
+ | ddd $daemon_directory/$process_name $process_id & sleep 5 | ||
+ | |||
+ | # custom | ||
+ | biff = no | ||
+ | |||
+ | # attachments | ||
+ | message_size_limit = 20971520 | ||
+ | mailbox_size_limit = 1000000900 | ||
+ | |||
+ | # antispam | ||
+ | header_checks = regexp:/etc/postfix/header_checks | ||
+ | smtpd_helo_required = yes | ||
+ | disable_vrfy_command = yes | ||
+ | strict_rfc821_envelopes = yes | ||
+ | invalid_hostname_reject_code = 554 | ||
+ | multi_recipient_bounce_reject_code = 554 | ||
+ | non_fqdn_reject_code = 554 | ||
+ | relay_domains_reject_code = 554 | ||
+ | unknown_address_reject_code = 554 | ||
+ | unknown_client_reject_code = 554 | ||
+ | unknown_hostname_reject_code = 554 | ||
+ | unknown_local_recipient_reject_code = 554 | ||
+ | unknown_relay_recipient_reject_code = 554 | ||
+ | unknown_virtual_alias_reject_code = 554 | ||
+ | unknown_virtual_mailbox_reject_code = 554 | ||
+ | unverified_recipient_reject_code = 554 | ||
+ | unverified_sender_reject_code = 554 | ||
+ | |||
+ | # TLS parameters | ||
+ | smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem | ||
+ | smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem | ||
+ | smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt | ||
+ | smtpd_use_tls=yes | ||
+ | smtpd_tls_auth_only = yes | ||
+ | smtp_tls_security_level = may | ||
+ | smtpd_tls_ask_ccert = yes | ||
+ | smtp_tls_loglevel = 2 | ||
+ | smtpd_tls_received_header = yes | ||
+ | smtp_tls_note_starttls_offer = yes | ||
+ | smtpd_tls_ciphers = high | ||
+ | smtpd_tls_exclude_ciphers = aNULL, MD5 | ||
+ | smtpd_tls_protocols = !SSLv2, !SSLv3 | ||
+ | |||
+ | # sasl | ||
+ | smtpd_sasl_type = dovecot | ||
+ | smtpd_sasl_path = private/auth | ||
+ | smtpd_sasl_auth_enable = yes | ||
+ | |||
+ | # sender, recipient restrictions | ||
+ | smtpd_delay_reject = yes | ||
+ | smtpd_helo_required = yes | ||
+ | smtpd_helo_restrictions = | ||
+ | permit_mynetworks, | ||
+ | reject_non_fqdn_helo_hostname, | ||
+ | reject_invalid_helo_hostname, | ||
+ | permit | ||
+ | smtpd_sender_restrictions = | ||
+ | permit_mynetworks, | ||
+ | reject_non_fqdn_sender, | ||
+ | reject_unknown_sender_domain, | ||
+ | permit | ||
+ | smtpd_recipient_restrictions = | ||
+ | permit_sasl_authenticated, | ||
+ | reject_unauth_pipelining, | ||
+ | reject_non_fqdn_recipient, | ||
+ | reject_unknown_recipient_domain, | ||
+ | permit_mynetworks, | ||
+ | reject_unauth_destination, | ||
+ | check_sender_access | ||
+ | hash:/etc/postfix/sender_access, | ||
+ | reject_rbl_client zen.spamhaus.org, | ||
+ | reject_rbl_client bl.spamcop.net, | ||
+ | check_policy_service unix:postgrey/socket, | ||
+ | permit | ||
+ | |||
+ | # OpenDKIM | ||
+ | non_smtpd_milters=inet:127.0.0.1:8891 | ||
+ | smtpd_milters=inet:127.0.0.1:8891 | ||
+ | |||
+ | 3. Edit master.cf | ||
+ | |||
+ | smtp inet n - n - - smtpd | ||
+ | submission inet n - n - - smtpd | ||
+ | -o smtpd_enforce_tls=yes | ||
+ | -o smtpd_sasl_auth_enable=yes | ||
+ | -o smtpd_sasl_type=dovecot | ||
+ | -o smtpd_sasl_path=private/auth | ||
+ | -o smtpd_sasl_security_options=noanonymous | ||
+ | -o smtpd_sasl_local_domain=$myhostname | ||
+ | -o smtpd_client_restrictions=permit_sasl_authenticated,reject | ||
+ | pickup unix n - n 60 1 pickup | ||
+ | cleanup unix n - n - 0 cleanup | ||
+ | qmgr unix n - n 300 1 qmgr | ||
+ | tlsmgr unix - - n 1000? 1 tlsmgr | ||
+ | rewrite unix - - n - - trivial-rewrite | ||
+ | bounce unix - - n - 0 bounce | ||
+ | defer unix - - n - 0 bounce | ||
+ | trace unix - - n - 0 bounce | ||
+ | verify unix - - n - 1 verify | ||
+ | flush unix n - n 1000? 0 flush | ||
+ | proxymap unix - - n - - proxymap | ||
+ | proxywrite unix - - n - 1 proxymap | ||
+ | smtp unix - - n - - smtp | ||
+ | relay unix - - n - - smtp | ||
+ | showq unix n - n - - showq | ||
+ | error unix - - n - - error | ||
+ | retry unix - - n - - error | ||
+ | discard unix - - n - - discard | ||
+ | local unix - n n - - local | ||
+ | virtual unix - n n - - virtual | ||
+ | lmtp unix - - n - - lmtp | ||
+ | anvil unix - - n - 1 anvil | ||
+ | scache unix - - n - 1 scache | ||
+ | dovecot unix - n n - - pipe | ||
+ | flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient} | ||
+ | |||
+ | 4. Create sender_access files with spammers and hash it | ||
+ | |||
+ | # postmap sender_access | ||
+ | |||
+ | 5. Create virtual file and hash it | ||
+ | |||
+ | # postmap virtual | ||
+ | |||
+ | 6. Leave default postgrey whitelist and create a new for custom domains | ||
+ | |||
+ | example.org | ||
+ | hackerspace.gr | ||
+ | |||
+ | 7. Edit mydomains | ||
+ | |||
+ | example.org | ||
+ | |||
+ | 8. Edit /etc/opendkim.conf | ||
+ | |||
+ | Canonicalization relaxed/relaxed | ||
+ | ExternalIgnoreList refile:/etc/opendkim/TrustedHosts | ||
+ | InternalHosts refile:/etc/opendkim/TrustedHosts | ||
+ | KeyTable refile:/etc/opendkim/KeyTable | ||
+ | LogWhy Yes | ||
+ | MinimumKeyBits 1024 | ||
+ | Mode sv | ||
+ | PidFile /var/run/opendkim/opendkim.pid | ||
+ | SigningTable refile:/etc/opendkim/SigningTable | ||
+ | Socket inet:8891@localhost | ||
+ | Syslog Yes | ||
+ | SyslogSuccess Yes | ||
+ | TemporaryDirectory /var/tmp | ||
+ | UMask 022 | ||
+ | UserID opendkim:opendkim | ||
+ | |||
+ | 9. Create domain keys | ||
+ | |||
+ | # mkdir /etc/opendkim/keys/example.org | ||
+ | # opendkim-genkey -r -d example.org -D /etc/opendkim/keys/example.org/ creates=/etc/opendkim/keys/example.org/default.private | ||
+ | |||
+ | 10. Edit /etc/opendkim/{KeyTable/SigningTable/TrustedHosts} respectively | ||
+ | |||
+ | default._domainkey.example.org example.org:default:/etc/opendkim/keys/example.org/default.private | ||
+ | |||
+ | *@example.org default._domainkey.example.org | ||
+ | |||
+ | 127.0.0.1 | ||
+ | ::1 | ||
+ | example.org | ||
+ | |||
+ | == Service == | ||
+ | |||
+ | 1. Enable and start services. | ||
+ | |||
+ | # systemctl enable opendkim.service | ||
+ | # systemctl start opendkim.service | ||
+ | # systemctl enable postgrey.service | ||
+ | # systemctl start postgrey.service | ||
+ | # systemctl enable postfix.service | ||
+ | # systemctl start postfix.service |
Latest revision as of 23:15, 7 January 2017
Notes on building Hackerspace public and member services.
Common
1. Install basic stuff.
# yum install -y epel-release # yum install -y vim bash-completion wget
LDAP
Installation
# yum install -y openldap openldap-clients openldap-servers
Service
1. Enable and start service.
# systemctl enable slapd.service # systemctl start slapd.service
2. Check it actually works.
# systemctl status -l slapd.service
Configuration
1. Copy default DB_CONFIG.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2. Create a new admin password.
# slappasswd
3. Create an initial config in a file.
dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=org" read by * none dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=example,dc=org - replace: olcRootDN olcRootDN: cn=admin,dc=example,dc=org - add: olcRootPW olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
4. And use it.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Schema
By default openldap supports the below ldap schemas (in ldif format also), that describes what objectclasses & ldap attributes should our schema support.
# find /etc/openldap/schema/*.schema /etc/openldap/schema/collective.schema /etc/openldap/schema/corba.schema /etc/openldap/schema/core.schema /etc/openldap/schema/cosine.schema /etc/openldap/schema/duaconf.schema /etc/openldap/schema/dyngroup.schema /etc/openldap/schema/inetorgperson.schema /etc/openldap/schema/java.schema /etc/openldap/schema/misc.schema /etc/openldap/schema/nis.schema /etc/openldap/schema/openldap.schema /etc/openldap/schema/pmi.schema /etc/openldap/schema/ppolicy.schema
The most common schemas are:
cosine.schema nis.schema inetorgperson.schema
To load them to our ldap configuration:
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
Ldap Configuration
to see the entire slapd configuration setup:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Organizational Unit
1. Create an ldif file with the schema.
# example.org dn: dc=example,dc=org dc: example objectClass: dcObject objectClass: organizationalUnit ou: example.org # People dn: ou=People,dc=example,dc=org objectClass: organizationalUnit ou: People
2. And use it.
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
Users
1. Create a new user.
dn: uid=test,ou=People,dc=example,dc=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount mail: username@example.gr cn: username example sn: example givenName: username uid: test uidNumber: 99 gidNumber: 12 homeDirectory: /Maildir/test userPassword: test
Status
1. Display entire config.
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Nginx
Installation
# yum -y install nginx certbot
Initial Configuration
1. Edit nginx.conf. Remove server block and turn access logs off.
access_log off;
2. Create ssl.conf under conf.d.
# https://wiki.mozilla.org/Security/Server_Side_TLS ssl_dhparam /etc/ssl/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; add_header Strict-Transport-Security "max-age=31536000";
3. Create dhparam.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
server { listen [::]:80; listen 80; server_name example.org www.example.org conf.example.org; root /var/www/default/; index index.html; }
Service
1. Test the configuration.
# nginx -t
2. Enable and start service.
# systemctl enable nginx.service # systemctl start nginx.service
Certificates
1. Create certificates, including all subdomains
certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
Final configuration
1. Edit default.conf to make it https-only.
server { listen [::]:80; listen 80; server_name example.org www.example.org; return 301 https://$server_name$request_uri; } server { listen [::]:443 ssl; listen 443 ssl; server_name www.example.org; return 301 https://$server_name$request_uri; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; } server { listen [::]:443 ssl; listen 443 ssl; server_name example.org; root /var/www/default/; index index.html; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; }
2. Test the configuration.
# nginx -t
3. Reload nginx.
# nginx -s reload
Prosody
Installation
# yum -y install prosody
Configuration
Postfix
Installation
# yum -y install prosody postgrey opendkim
Configuration
1. Go tp postfix config dir
# cd /etc/postfix
2. Edit main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # default settings queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix mail_owner = postfix sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man # hostnames, relays and aliases smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens" myhostname = example.org mydomain = example.org myorigin = $myhostname inet_interfaces = all inet_protocols = all mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains unknown_local_recipient_reject_code = 550 relay_domains = $mydestination alias_maps = hash:/etc/aliases virtual_alias_maps = hash:/etc/postfix/virtual alias_database = hash:/etc/aliases smtpd_relay_restrictions = # commands mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp virtual_transport = lmtp:unix:private/dovecot-lmtp # debug debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 # custom biff = no # attachments message_size_limit = 20971520 mailbox_size_limit = 1000000900 # antispam header_checks = regexp:/etc/postfix/header_checks smtpd_helo_required = yes disable_vrfy_command = yes strict_rfc821_envelopes = yes invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 unverified_recipient_reject_code = 554 unverified_sender_reject_code = 554 # TLS parameters smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtpd_use_tls=yes smtpd_tls_auth_only = yes smtp_tls_security_level = may smtpd_tls_ask_ccert = yes smtp_tls_loglevel = 2 smtpd_tls_received_header = yes smtp_tls_note_starttls_offer = yes smtpd_tls_ciphers = high smtpd_tls_exclude_ciphers = aNULL, MD5 smtpd_tls_protocols = !SSLv2, !SSLv3 # sasl smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes # sender, recipient restrictions smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit # OpenDKIM non_smtpd_milters=inet:127.0.0.1:8891 smtpd_milters=inet:127.0.0.1:8891
3. Edit master.cf
smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=$myhostname -o smtpd_client_restrictions=permit_sasl_authenticated,reject pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache dovecot unix - n n - - pipe flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
4. Create sender_access files with spammers and hash it
# postmap sender_access
5. Create virtual file and hash it
# postmap virtual
6. Leave default postgrey whitelist and create a new for custom domains
example.org hackerspace.gr
7. Edit mydomains
example.org
8. Edit /etc/opendkim.conf
Canonicalization relaxed/relaxed ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable LogWhy Yes MinimumKeyBits 1024 Mode sv PidFile /var/run/opendkim/opendkim.pid SigningTable refile:/etc/opendkim/SigningTable Socket inet:8891@localhost Syslog Yes SyslogSuccess Yes TemporaryDirectory /var/tmp UMask 022 UserID opendkim:opendkim
9. Create domain keys
# mkdir /etc/opendkim/keys/example.org # opendkim-genkey -r -d example.org -D /etc/opendkim/keys/example.org/ creates=/etc/opendkim/keys/example.org/default.private
10. Edit /etc/opendkim/{KeyTable/SigningTable/TrustedHosts} respectively
default._domainkey.example.org example.org:default:/etc/opendkim/keys/example.org/default.private
*@example.org default._domainkey.example.org
127.0.0.1 ::1 example.org
Service
1. Enable and start services.
# systemctl enable opendkim.service # systemctl start opendkim.service # systemctl enable postgrey.service # systemctl start postgrey.service # systemctl enable postfix.service # systemctl start postfix.service