Difference between revisions of "Operativa"

From Hackerspace.gr
(Add postfix section)
(Add OpenDKIM)
 
Latest revision as of 23:15, 7 January 2017

Notes on building Hackerspace public and member services.

Common

1. Install basic stuff.

# yum install -y epel-release
# yum install -y vim bash-completion wget

LDAP

Installation

# yum install -y openldap openldap-clients openldap-servers

Service

1. Enable and start service.

# systemctl enable slapd.service
# systemctl start slapd.service

2. Check it actually works.

# systemctl status -l slapd.service

Configuration

1. Copy default DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2. Create a new admin password.

# slappasswd

3. Create an initial config in a file.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
  read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

4. And use it.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif

Schema

By default OpenLDAP ships the schemas below (also available in LDIF form under the same directory); they define which objectClasses and attributes our directory can use.

# find /etc/openldap/schema/*.schema

/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.schema

The most common schemas are:

cosine.schema
nis.schema
inetorgperson.schema

To load them to our ldap configuration:

# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif 
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif

Ldap Configuration

To see the entire slapd configuration:

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"


Organizational Unit

1. Create an ldif file with the schema.

# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

2. And use it.

# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif

Users

1. Create a new user.

dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test
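The user entry above stores userPassword in clear text (test), while the olcRootPW earlier on the page is an {SSHA} value produced by slappasswd. The following is an added example, not part of the wiki page, that shows what slappasswd actually emits and builds the same user entry with a hashed password; it also base64-encodes LDIF values that RFC 2849 does not allow in plain form. The function names (ssha_hash, ssha_verify, ldif_line, user_ldif) are mine, and the 8-byte salt length is a choice, not something slapd requires.

```python
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Return the {SSHA} form that slappasswd emits by default and slapd accepts for
    userPassword and olcRootPW: "{SSHA}" + base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random bytes; any salt length is accepted
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """What slapd does on a simple bind: split digest and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (ValueError, TypeError):
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr, value):
    """RFC 2849: a value that starts with space, ':' or '<', ends with a space, or is
    not plain ASCII must be written base64-encoded after a double colon."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or "\n" in value or not value.isascii())
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_ldif(uid, uid_number, gid_number, given_name, sn, mail, password,
              base_dn="dc=example,dc=org", home_root="/Maildir"):
    """Build the posixAccount/inetOrgPerson entry from the page, hashing the password."""
    fields = [
        ("dn", f"uid={uid},ou=People,{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("mail", mail),
        ("cn", f"{given_name} {sn}"),
        ("sn", sn),
        ("givenName", given_name),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"{home_root}/{uid}"),
        ("userPassword", ssha_hash(password)),
    ]
    return "\n".join(ldif_line(a, v) for a, v in fields) + "\n"


if __name__ == "__main__":
    # Constructed values mirroring the entry on the page; feed the output to ldapadd.
    print(user_ldif("test", 99, 12, "username", "example", "username@example.gr", "test"))
```

The same ssha_hash value can be pasted into the olcRootPW line of the initial config LDIF instead of the slappasswd output; slapd accepts either, and ssha_verify is only here to show the verification side.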

Status

1. Display entire config.

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Nginx

Installation

# yum -y install nginx certbot

Initial Configuration

1. Edit nginx.conf. Remove server block and turn access logs off.

access_log off;

2. Create ssl.conf under conf.d.

# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";

3. Create dhparam.

openssl dhparam -out /etc/ssl/dhparam.pem 2048

4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    
    root /var/www/default/;
    index index.html;
}

Service

1. Test the configuration.

# nginx -t

2. Enable and start service.

# systemctl enable nginx.service
# systemctl start nginx.service

Certificates

1. Create certificates, including all subdomains

certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly

Final configuration

1. Edit default.conf to make it https-only.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    return 301 https://example.org$request_uri;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;

    root /var/www/default/;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}
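One mistake that is easy to make in the https-only layout is a redirect block whose target expands to the block's own name: $server_name is the first name in server_name, so a block that listens on 443 for www.example.org and returns 301 to https://$server_name$request_uri sends browsers back to itself forever. The checker below is an added example, not part of the wiki page; it parses flat server blocks like the ones on this page (no nested location blocks) and flags that case. The sample configs and the names parse_server_blocks, served_schemes and find_redirect_loops are mine.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {"301", "302", "307", "308"}

# Constructed samples: the first www block redirects to itself, the second does not.
LOOPING_CONF = """
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    return 301 https://$server_name$request_uri;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
}
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}
"""
FIXED_CONF = LOOPING_CONF.replace("return 301 https://$server_name$request_uri;\n    ssl",
                                  "return 301 https://example.org$request_uri;\n    ssl")


def parse_server_blocks(text):
    """Parse flat server { key value; } blocks into lists of (directive, [args]).
    Enough for listen/server_name/return lines; not a full nginx config parser."""
    blocks = []
    for body in re.findall(r"server\s*\{(.*?)\}", text, re.S):
        directives = []
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt or stmt.startswith("#"):
                continue
            name, *rest = stmt.split(None, 1)
            directives.append((name, rest[0].split() if rest else []))
        blocks.append(directives)
    return blocks


def served_schemes(directives):
    """Schemes a block answers on, judged from its listen directives."""
    schemes = set()
    for name, args in directives:
        if name == "listen" and args:
            port = args[0].rsplit(":", 1)[-1]      # handles "80", "443", "[::]:443"
            schemes.add("https" if "ssl" in args or port == "443" else "http")
    return schemes


def find_redirect_loops(blocks):
    """Return (first server_name, expanded target) for each block whose 'return 30x'
    points at a name and scheme the same block serves, i.e. an infinite redirect."""
    loops = []
    for directives in blocks:
        names, target = [], None
        for name, args in directives:
            if name == "server_name":
                names = args
            elif name == "return" and len(args) == 2 and args[0] in REDIRECT_CODES:
                target = args[1]
        if not names or target is None:
            continue
        # $server_name expands to the first name; $request_uri is a path, so "/" stands in
        url = target.replace("$server_name", names[0]).replace("$request_uri", "/")
        parts = urlsplit(url)
        if parts.hostname in names and parts.scheme in served_schemes(directives):
            loops.append((names[0], url))
    return loops


if __name__ == "__main__":
    for label, conf in (("looping", LOOPING_CONF), ("fixed", FIXED_CONF)):
        print(label, find_redirect_loops(parse_server_blocks(conf)))
```

Run it against the contents of default.conf before `nginx -s reload`; `nginx -t` only checks syntax and will happily accept a self-redirect.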

2. Test the configuration.

# nginx -t

3. Reload nginx.

# nginx -s reload

Prosody

Installation

# yum -y install prosody

Configuration

Postfix

Installation

# yum -y install postfix postgrey opendkim

Configuration

1. Go to the postfix config dir

# cd /etc/postfix

2. Edit main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# default settings
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man

# hostnames, relays  and aliases
smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens"
myhostname = example.org
mydomain = example.org
myorigin = $myhostname
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
unknown_local_recipient_reject_code = 550
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
alias_database = hash:/etc/aliases
smtpd_relay_restrictions  =

# commands
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp

# debug
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

# custom
biff = no

# attachments
message_size_limit = 20971520
mailbox_size_limit = 1000000900

# antispam
header_checks = regexp:/etc/postfix/header_checks
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# TLS parameters
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5
smtpd_tls_protocols = !SSLv2, !SSLv3

# sasl
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# sender, recipient restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access
         hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit

# OpenDKIM
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891
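The order of smtpd_recipient_restrictions above decides who may relay and who gets greylisted: permit_mynetworks comes before reject_unauth_destination (so the LAN may relay), check_sender_access comes after it (so a blacklisted sender cannot relay even if the map said OK for a local delivery), and an OK entry in sender_access skips the RBL and postgrey checks that follow it. The model below is an added example, not part of the wiki page and not Postfix code: it walks that exact list with the first-match semantics of smtpd(8), including DEFER_IF_PERMIT as postgrey returns it. The lookup tables (MYNETWORKS, KNOWN_DOMAINS, RBL_LISTED, SENDER_ACCESS) are constructed stand-ins for mynetworks, DNS, the RBLs and hash:/etc/postfix/sender_access, and the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for what Postfix would look up at run time (not real data).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]
MYDESTINATION = {"example.org", "localhost"}       # mydestination plus the mydomains file
KNOWN_DOMAINS = MYDESTINATION | {"example.com", "example.net", "elsewhere.example",
                                 "bulk.example", "news.bulk.example"}  # stands in for DNS
RBL_LISTED = {"198.51.100.9"}                      # stands in for a zen/spamcop listing
SENDER_ACCESS = {                                  # stands in for hash:/etc/postfix/sender_access
    "spammer@example.net": "REJECT",
    "bulk.example": "REJECT",                      # domain entry: also matches subdomains
    "friend@example.com": "OK",
}


@dataclass
class Session:
    client_ip: str            # IPv4 only in this model
    sasl_authenticated: bool
    sender: str
    recipient: str


def access_lookup(address, table):
    """access(5) lookup order: full address, the domain and its parent domains, then
    localpart@. Parent domains match because smtpd_access_maps is listed in the
    default parent_domain_matches_subdomains."""
    local, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    keys = [address.lower()] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None


class Postgrey:
    """Greylisting as postgrey does it by default: a (client /24, sender, recipient)
    triplet never seen before gets DEFER_IF_PERMIT, the retry passes. The 300 s
    minimum delay and the whitelist files are left out of this model."""
    def __init__(self):
        self.seen = set()

    def __call__(self, s):
        net = ipaddress.ip_network(f"{s.client_ip}/24", strict=False)
        triplet = (str(net), s.sender.lower(), s.recipient.lower())
        if triplet in self.seen:
            return "DUNNO"
        self.seen.add(triplet)
        return "DEFER_IF_PERMIT"


def restrictions(postgrey):
    """smtpd_recipient_restrictions from the page, in the page's order."""
    def in_mynetworks(s):
        return any(ipaddress.ip_address(s.client_ip) in n for n in MYNETWORKS)

    def rdomain(s):
        return s.recipient.rpartition("@")[2].lower()

    return [
        ("permit_sasl_authenticated", lambda s: "PERMIT" if s.sasl_authenticated else "DUNNO"),
        ("reject_unauth_pipelining", lambda s: "DUNNO"),  # needs a live session; never fires here
        ("reject_non_fqdn_recipient", lambda s: "DUNNO" if "." in rdomain(s) else "REJECT"),
        ("reject_unknown_recipient_domain", lambda s: "DUNNO" if rdomain(s) in KNOWN_DOMAINS else "REJECT"),
        ("permit_mynetworks", lambda s: "PERMIT" if in_mynetworks(s) else "DUNNO"),
        ("reject_unauth_destination", lambda s: "DUNNO" if rdomain(s) in MYDESTINATION else "REJECT"),
        ("check_sender_access", lambda s: {"OK": "PERMIT", "REJECT": "REJECT"}.get(
            access_lookup(s.sender, SENDER_ACCESS), "DUNNO")),
        ("reject_rbl_client", lambda s: "REJECT" if s.client_ip in RBL_LISTED else "DUNNO"),
        ("check_policy_service postgrey", postgrey),
        ("permit", lambda s: "PERMIT"),
    ]


def evaluate(session, rules):
    """Walk the list like smtpd(8): the first PERMIT or REJECT ends it; DEFER_IF_PERMIT
    is remembered and only becomes a 450 if the rest of the list would have permitted."""
    defer_pending = None
    for name, check in rules:
        result = check(session)
        if result == "REJECT":
            return ("REJECT", name)
        if result == "DEFER_IF_PERMIT":
            defer_pending = defer_pending or name
        elif result == "PERMIT":
            return ("DEFER", defer_pending) if defer_pending else ("PERMIT", name)
    return ("PERMIT", "end of list")  # implicit permit; unreachable with a trailing permit


if __name__ == "__main__":
    rules = restrictions(Postgrey())
    s = Session("203.0.113.5", False, "alice@example.com", "user@example.org")
    print(evaluate(s, rules), evaluate(s, rules))  # first try greylisted, retry permitted
```

The useful experiment is to move check_sender_access above permit_mynetworks or reject_unauth_destination and re-run the relay and friend@example.com cases: an OK entry would then turn the map into an open-relay allowance for that sender, which is why the page keeps it after reject_unauth_destination.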

3. Edit master.cf

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

4. Create sender_access files with spammers and hash it

# postmap sender_access

5. Create virtual file and hash it

# postmap virtual

6. Leave the default postgrey whitelist in place and create a new one for custom domains

example.org
hackerspace.gr

7. Edit mydomains

example.org

8. Edit /etc/opendkim.conf

Canonicalization        relaxed/relaxed
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
MinimumKeyBits          1024
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID opendkim:opendkim

9. Create domain keys

# mkdir /etc/opendkim/keys/example.org
# opendkim-genkey -r -d example.org -D /etc/opendkim/keys/example.org/

10. Edit /etc/opendkim/KeyTable, /etc/opendkim/SigningTable and /etc/opendkim/TrustedHosts respectively

KeyTable:

default._domainkey.example.org example.org:default:/etc/opendkim/keys/example.org/default.private

SigningTable:

*@example.org default._domainkey.example.org

TrustedHosts:

127.0.0.1
::1
example.org
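Steps 9 and 10 tie three things together: the selector and domain passed to opendkim-genkey, the key name that KeyTable and SigningTable must agree on, and the default.txt file genkey writes for the DNS record. The following is an added example, not part of the wiki page and not OpenDKIM's code: it generates the three refile: tables for a domain, cross-checks them the way a mismatch would otherwise show up as "no signing table match" in the log, and flattens a constructed default.txt into the single TXT value to publish. The names opendkim_tables, write_tables, verify_tables, signing_key_for and dns_txt_record are mine, and the p= value in the sample is a placeholder, not key material.

```python
import re
from fnmatch import fnmatch
from pathlib import Path

# Constructed sample of the default.txt that opendkim-genkey writes beside
# default.private (the -r flag on the page adds s=email). The p= value is fake.
SAMPLE_GENKEY_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; s=email; "\n'
    '\t  "p=MIGfEXAMPLE" "KEYMATERIAL" )  ; ----- DKIM key default for example.org\n'
)


def opendkim_tables(domain, selector="default", keydir="/etc/opendkim/keys",
                    trusted=("127.0.0.1", "::1")):
    """Build the three tables for one domain.
    KeyTable:     <key name> <domain>:<selector>:<private key path>
    SigningTable: <sender pattern> <key name>
    TrustedHosts: hosts whose mail is signed (InternalHosts) and not verified
                  (ExternalIgnoreList); the page points both settings at this file."""
    key_name = f"{selector}._domainkey.{domain}"
    return {
        "KeyTable": f"{key_name} {domain}:{selector}:{keydir}/{domain}/{selector}.private\n",
        "SigningTable": f"*@{domain} {key_name}\n",
        "TrustedHosts": "".join(f"{h}\n" for h in (*trusted, domain)),
    }


def write_tables(tables, directory):
    """Write the tables into directory (e.g. /etc/opendkim) and return their paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, content in tables.items():
        path = out / name
        path.write_text(content)
        paths.append(path)
    return paths


def verify_tables(tables):
    """Cross-check: every SigningTable target must exist in KeyTable, and each key name
    must equal <selector>._domainkey.<domain> for the domain:selector it carries."""
    problems, keys = [], {}
    for line in tables["KeyTable"].splitlines():
        key_name, spec = line.split()
        domain, selector, path = spec.split(":")
        keys[key_name] = (domain, selector, path)
        if key_name != f"{selector}._domainkey.{domain}":
            problems.append(f"KeyTable: {key_name} is not {selector}._domainkey.{domain}")
    for line in tables["SigningTable"].splitlines():
        pattern, key_name = line.split()
        if key_name not in keys:
            problems.append(f"SigningTable: {pattern} -> unknown key {key_name}")
    return problems


def signing_key_for(sender, tables):
    """First SigningTable pattern matching the sender; refile: wildcard matching is
    approximated with fnmatch, which covers the *@domain form used on the page."""
    for line in tables["SigningTable"].splitlines():
        pattern, key_name = line.split()
        if fnmatch(sender.lower(), pattern.lower()):
            return key_name
    return None


def dns_txt_record(genkey_txt):
    """Flatten default.txt into (owner name, TXT value). The quoted pieces are one
    string split only for line length; the value must start with v=DKIM1."""
    owner = genkey_txt.split()[0]
    value = "".join(re.findall(r'"([^"]*)"', genkey_txt))
    if not value.startswith("v=DKIM1"):
        raise ValueError("not a DKIM key record")
    return owner, value


if __name__ == "__main__":
    tables = opendkim_tables("example.org")
    print(tables, verify_tables(tables), dns_txt_record(SAMPLE_GENKEY_TXT))
```

Once the TXT value is published, `opendkim-testkey -d example.org -s default -vvv` confirms that the record OpenDKIM fetches matches the private key on disk.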

Service

1. Enable and start services.

# systemctl enable opendkim.service
# systemctl start opendkim.service
# systemctl enable postgrey.service
# systemctl start postgrey.service
# systemctl enable postfix.service
# systemctl start postfix.service