Operativa
Notes on building Hackerspace public and member services.
Common
1. Install basic stuff.
# yum install -y epel-release # yum install -y vim bash-completion wget
LDAP
Installation
# yum install -y openldap openldap-clients openldap-servers
Service
1. Enable and start service.
# systemctl enable slapd.service # systemctl start slapd.service
2. Check it actually works.
# systemctl status -l slapd.service
Configuration
1. Copy default DB_CONFIG.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2. Create a new admin password.
# slappasswd
3. Create an initial config in a file.
dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=org" read by * none dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=example,dc=org - replace: olcRootDN olcRootDN: cn=admin,dc=example,dc=org - add: olcRootPW olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
4. And use it.
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Schema
By default openldap supports the below ldap schemas (in ldif format also), that describes what objectclasses & ldap attributes should our schema support.
# find /etc/openldap/schema/*.schema /etc/openldap/schema/collective.schema /etc/openldap/schema/corba.schema /etc/openldap/schema/core.schema /etc/openldap/schema/cosine.schema /etc/openldap/schema/duaconf.schema /etc/openldap/schema/dyngroup.schema /etc/openldap/schema/inetorgperson.schema /etc/openldap/schema/java.schema /etc/openldap/schema/misc.schema /etc/openldap/schema/nis.schema /etc/openldap/schema/openldap.schema /etc/openldap/schema/pmi.schema /etc/openldap/schema/ppolicy.schema
The most common schemas are:
cosine.schema nis.schema inetorgperson.schema
To load them to our ldap configuration:
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif # ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
Ldap Configuration
to see the entire slapd configuration setup:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Organizational Unit
1. Create an ldif file with the schema.
# example.org dn: dc=example,dc=org dc: example objectClass: dcObject objectClass: organizationalUnit ou: example.org # People dn: ou=People,dc=example,dc=org objectClass: organizationalUnit ou: People
2. And use it.
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
Users
1. Create a new user.
dn: uid=test,ou=People,dc=example,dc=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount mail: username@example.gr cn: username example sn: example givenName: username uid: test uidNumber: 99 gidNumber: 12 homeDirectory: /Maildir/test userPassword: test
Status
1. Display entire config.
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Nginx
Installation
# yum -y install nginx certbot
Initial Configuration
1. Edit nginx.conf. Remove server block and turn access logs off.
access_log off;
2. Create ssl.conf under conf.d.
# https://wiki.mozilla.org/Security/Server_Side_TLS ssl_dhparam /etc/ssl/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK'; ssl_session_timeout 5m; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; add_header Strict-Transport-Security "max-age=31536000";
3. Create dhparam.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
server { listen [::]:80; listen 80; server_name example.org www.example.org conf.example.org; root /var/www/default/; index index.html; }
Service
1. Test the configuration.
# nginx -t
2. Enable and start service.
# systemctl enable nginx.service # systemctl start nginx.service
Certificates
1. Create certificates, including all subdomains
certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
Final configuration
1. Edit default.conf to make it https-only.
server { listen [::]:80; listen 80; server_name example.org www.example.org; return 301 https://$server_name$request_uri; } server { listen [::]:443 ssl; listen 443 ssl; server_name www.example.org; return 301 https://$server_name$request_uri; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; } server { listen [::]:443 ssl; listen 443 ssl; server_name example.org; root /var/www/default/; index index.html; ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; }
2. Test the configuration.
# nginx -t
3. Reload nginx.
# nginx -s reload
Prosody
Installation
# yum -y install prosody
Configuration
Postfix
Installation
# yum -y install prosody postgrey opendkim
Configuration
1. Edit main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # default settings queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix mail_owner = postfix sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man # hostnames, relays and aliases smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens" myhostname = example.org mydomain = example.org myorigin = $myhostname inet_interfaces = all inet_protocols = all mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains unknown_local_recipient_reject_code = 550 relay_domains = $mydestination alias_maps = hash:/etc/aliases virtual_alias_maps = hash:/etc/postfix/virtual alias_database = hash:/etc/aliases smtpd_relay_restrictions = # commands mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp virtual_transport = lmtp:unix:private/dovecot-lmtp # debug debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 # custom biff = no # attachments message_size_limit = 20971520 mailbox_size_limit = 1000000900 # antispam header_checks = regexp:/etc/postfix/header_checks smtpd_helo_required = yes disable_vrfy_command = yes strict_rfc821_envelopes = yes invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 unverified_recipient_reject_code = 554 unverified_sender_reject_code = 554 # TLS parameters smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtpd_use_tls=yes smtpd_tls_auth_only = yes smtp_tls_security_level = may smtpd_tls_ask_ccert = yes smtp_tls_loglevel = 2 smtpd_tls_received_header = yes smtp_tls_note_starttls_offer = yes smtpd_tls_ciphers = high smtpd_tls_exclude_ciphers = aNULL, MD5 smtpd_tls_protocols = !SSLv2, !SSLv3 # sasl smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes # sender, recipient restrictions smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, permit # OpenDKIM non_smtpd_milters=inet:127.0.0.1:8891 smtpd_milters=inet:127.0.0.1:8891
2. Edit master.cf
smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=$myhostname -o smtpd_client_restrictions=permit_sasl_authenticated,reject pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache dovecot unix - n n - - pipe flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
3. Create sender_access files with spammers and hash it
# postmap sender_access
4. Create virtual file and hash it
# postmap virtual
5. Leave default postgrey whitelist and create a new for custom domains
example.org hackerspace.gr
6. Edit mydomains
example.org
7. OpenDKIM
Service
1. Enable and start services.
# systemctl enable opendkim.service # systemctl start opendkim.service # systemctl enable postgrey.service # systemctl start postgrey.service # systemctl enable postfix.service # systemctl start postfix.service