Operativa
Notes on building Hackerspace public and member services.
Common
1. Install basic stuff.
# yum install -y epel-release
# yum install -y vim bash-completion wget
LDAP
Installation
# yum install -y openldap openldap-clients openldap-servers
Service
1. Enable and start service.
# systemctl enable slapd.service
# systemctl start slapd.service
2. Check it actually works.
# systemctl status -l slapd.service
Configuration
1. Copy default DB_CONFIG.
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
2. Create a new admin password.
# slappasswd
3. Create an initial config in a file (openldap_initial.ldif).
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
4. And use it.
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Schema
By default OpenLDAP ships the schemas below (also available in LDIF format); they describe which object classes and LDAP attributes our directory can use.
# find /etc/openldap/schema/*.schema
/etc/openldap/schema/collective.schema
/etc/openldap/schema/corba.schema
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/duaconf.schema
/etc/openldap/schema/dyngroup.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/java.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/openldap.schema
/etc/openldap/schema/pmi.schema
/etc/openldap/schema/ppolicy.schema
The most common schemas are:
cosine.schema nis.schema inetorgperson.schema
To load them to our ldap configuration:
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:// -f /etc/openldap/schema/inetorgperson.ldif
Ldap Configuration
To see the entire slapd configuration setup:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Organizational Unit
1. Create an LDIF file (schema.ldif) with the base entries.
# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
2. And use it.
# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
Users
1. Create a new user.
dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test
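The entry above stores userPassword in cleartext. The following is an added example (not code from these notes or from OpenLDAP) that builds the same inetOrgPerson/posixAccount entry with the password stored as an {SSHA} hash, the scheme slappasswd produces and slapd verifies natively, and base64-encodes any attribute value that LDIF does not allow as plain text. All function names and sample values are this example's own.

```python
"""Hash userPassword values the way slappasswd does and build a user LDIF.

Added example, not part of the original notes. The sample user below is
constructed; the DN layout follows the ou=People,dc=example,dc=org base used
in the notes.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64( sha1(password || salt) || salt ), the format slappasswd emits."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd also uses a random per-password salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (salt = bytes after the 20-byte digest)."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """Format one LDIF attribute line; values RFC 2849 calls unsafe go out base64-encoded ('attr:: ...')."""
    needs_b64 = bool(value) and (
        value[0] in " :<"
        or value.endswith(" ")
        or any(ord(c) > 127 or c in "\x00\r\n" for c in value)
    )
    if needs_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def user_ldif(uid, cn, sn, given_name, mail, uid_number, gid_number, password,
              base_dn="ou=People,dc=example,dc=org"):
    """Build the entry shown in the notes, with the password hashed instead of cleartext."""
    attrs = [
        ("dn", f"uid={uid},{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("mail", mail),
        ("cn", cn),
        ("sn", sn),
        ("givenName", given_name),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/Maildir/{uid}"),
        ("userPassword", ssha_hash(password)),
    ]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample user. Load the printed LDIF with the same admin bind used in the notes:
    #   ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f user.ldif
    print(user_ldif("test", "username example", "example", "username",
                    "username@example.org", 99, 12, "test"))
```

Feeding slapd a pre-hashed value also keeps the cleartext out of shell history and out of the LDIF file on disk; the admin password created with slappasswd earlier in these notes is stored the same way.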
Status
1. Display entire config.
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
Nginx
Installation
# yum -y install nginx certbot
Initial Configuration
1. Edit nginx.conf. Remove server block and turn access logs off.
access_log off;
2. Create ssl.conf under conf.d.
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";
3. Create dhparam.
# openssl dhparam -out /etc/ssl/dhparam.pem 2048
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    root /var/www/default/;
    index index.html;
}
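Before reloading nginx with a TLS snippet like ssl.conf it is worth running a quick policy check over it. The following is an added example, not code from these notes or from nginx: a minimal directive parser plus the checks a reviewer would apply (deprecated protocol versions, cipher exclusions, dhparam, HSTS lifetime). The sample configs are constructed; the first is a trimmed copy of the ssl.conf above with a shortened cipher list. It assumes a flat file of `name args;` directives with full-line `#` comments and no nested blocks, which is what ssl.conf is.

```python
"""Audit an nginx TLS snippet such as conf.d/ssl.conf for weak settings.

Added example, not part of the original notes. Both sample configs below are
constructed; SAMPLE_SSL_CONF mirrors the notes' snippet.
"""
import re
import shlex
from typing import Dict, List

DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # TLS 1.0/1.1 deprecated by RFC 8996
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!MD5", "!RC4")
MIN_HSTS_SECONDS = 15552000  # 180 days

# Trimmed, constructed copy of the ssl.conf in the notes (cipher list shortened).
SAMPLE_SSL_CONF = """
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";
"""

# Constructed variant that only offers TLS 1.2/1.3 and a two-year HSTS lifetime.
HARDENED_SSL_CONF = """
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4';
ssl_session_timeout 1d;
add_header Strict-Transport-Security "max-age=63072000";
"""


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map directive name -> list of argument lists (a directive such as add_header may repeat)."""
    directives: Dict[str, List[List[str]]] = {}
    code = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    for statement in code.split(";"):
        statement = statement.strip()
        if not statement:
            continue
        tokens = shlex.split(statement)  # honours nginx's '...' and "..." quoting
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def first_args(directives: Dict[str, List[List[str]]], name: str) -> List[str]:
    """Arguments of the first occurrence of a directive, or [] when it is absent."""
    return directives.get(name, [[]])[0]


def audit_ssl_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the snippet passed every check."""
    d = parse_directives(text)
    findings: List[str] = []

    protocols = first_args(d, "ssl_protocols")
    deprecated = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if not protocols:
        findings.append("ssl_protocols not set")
    elif deprecated:
        findings.append("ssl_protocols enables deprecated versions: " + ", ".join(deprecated))

    ciphers = first_args(d, "ssl_ciphers")
    cipher_items = ciphers[0].split(":") if ciphers else []
    missing = [x for x in REQUIRED_EXCLUSIONS if x not in cipher_items]
    if missing:
        findings.append("ssl_ciphers does not exclude: " + ", ".join(missing))

    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam not set")

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if m is None or int(m.group(1)) < MIN_HSTS_SECONDS:
            findings.append("HSTS max-age shorter than 180 days")
    return findings


if __name__ == "__main__":
    for label, conf in (("notes", SAMPLE_SSL_CONF), ("hardened", HARDENED_SSL_CONF)):
        print(label, audit_ssl_conf(conf) or ["ok"])
```

Run against the notes' snippet the only finding is the TLSv1/TLSv1.1 entries in ssl_protocols, which matched the Mozilla intermediate profile when these notes were written but are deprecated now; the cipher exclusions, dhparam and HSTS header pass as written.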
Service
1. Test the configuration.
# nginx -t
2. Enable and start service.
# systemctl enable nginx.service
# systemctl start nginx.service
Certificates
1. Create certificates, including all subdomains.
# certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
Final configuration
1. Edit default.conf to make it https-only.
server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    # redirect www to the bare domain explicitly: $server_name expands to
    # www.example.org in this block and would send the client round in a loop
    return 301 https://example.org$request_uri;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;
    root /var/www/default/;
    index index.html;
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}
2. Test the configuration.
# nginx -t
3. Reload nginx.
# nginx -s reload
Prosody
Installation
# yum -y install prosody
Configuration
Postfix
Installation
# yum -y install postfix postgrey opendkim
Configuration
1. Go to the postfix config dir.
# cd /etc/postfix
2. Edit main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# default settings
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man

# hostnames, relays and aliases
smtpd_banner = "a physical space dedicated to creative code and hardware hacking in Athens"
myhostname = example.org
mydomain = example.org
myorigin = $myhostname
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
unknown_local_recipient_reject_code = 550
relay_domains = $mydestination
alias_maps = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
alias_database = hash:/etc/aliases
smtpd_relay_restrictions =

# commands
mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
virtual_transport = lmtp:unix:private/dovecot-lmtp

# debug
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

# custom
biff = no

# attachments
message_size_limit = 20971520
mailbox_size_limit = 1000000900

# antispam
header_checks = regexp:/etc/postfix/header_checks
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# TLS parameters
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtp_tls_loglevel = 2
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5
smtpd_tls_protocols = !SSLv2, !SSLv3

# sasl
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# sender, recipient restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit

# OpenDKIM
non_smtpd_milters=inet:127.0.0.1:8891
smtpd_milters=inet:127.0.0.1:8891
3. Edit master.cf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
4. Create a sender_access file listing spammers and hash it.
# postmap sender_access
5. Create the virtual file and hash it.
# postmap virtual
6. Leave the default postgrey whitelist in place and create a new one for custom domains.
example.org
hackerspace.gr
7. Edit mydomains
example.org
8. Edit /etc/opendkim.conf
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
9. Create domain keys
# mkdir /etc/opendkim/keys/example.org
# opendkim-genkey -r -d example.org -D /etc/opendkim/keys/example.org/
This creates /etc/opendkim/keys/example.org/default.private.
10. Edit /etc/opendkim/KeyTable, SigningTable and TrustedHosts respectively.
default._domainkey.example.org example.org:default:/etc/opendkim/keys/example.org/default.private
*@example.org default._domainkey.example.org
127.0.0.1
::1
example.org
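A main.cf the size of the one above is easy to get subtly wrong, and two things in it deserve a check before the service is started: the file defines smtpd_helo_required and unknown_local_recipient_reject_code twice (Postfix uses the last definition and only warns), and with smtpd_relay_restrictions left empty it is the order of smtpd_recipient_restrictions alone that keeps the server from being an open relay. The following is an added example, not code from these notes or from Postfix: it parses main.cf the way postconf reads it (key = value, indented continuation lines, # comments), reports duplicated parameters, and checks that reject_unauth_destination comes before any entry that can permit. The samples are constructed; the first is a trimmed excerpt of the main.cf above. Function names are this example's own.

```python
"""Audit a Postfix main.cf for duplicated parameters and relay control.

Added example, not part of the original notes. SAMPLE_MAIN_CF is a trimmed,
constructed excerpt of the notes' main.cf; OPEN_RELAY_MAIN_CF is a constructed
misconfiguration for contrast.
"""
from typing import Dict, List, Tuple

RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")

SAMPLE_MAIN_CF = """
# hostnames, relays and aliases
myhostname = example.org
unknown_local_recipient_reject_code = 550
smtpd_relay_restrictions =

# antispam
smtpd_helo_required = yes
disable_vrfy_command = yes
unknown_local_recipient_reject_code = 554

# TLS parameters
smtpd_use_tls=yes
smtpd_tls_auth_only = yes

# sender, recipient restrictions
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service unix:postgrey/socket,
    permit
"""

# Constructed misconfiguration: a bare 'permit' placed before the relay guard.
OPEN_RELAY_MAIN_CF = """
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""


def parse_main_cf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (parameters, keys defined more than once). Continuation lines start with whitespace."""
    params: Dict[str, str] = {}
    duplicates: List[str] = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition("=")  # 'a=b' and 'a = b' are both valid in main.cf
        key = key.strip()
        if key in params:
            duplicates.append(key)
        params[key] = value.strip()
        current = key
    return params, duplicates


def restriction_list(params: Dict[str, str], name: str) -> List[str]:
    """Split a comma-separated restriction list; each item keeps its argument (e.g. a map name)."""
    return [item.strip() for item in params.get(name, "").split(",") if item.strip()]


def relay_findings(params: Dict[str, str]) -> List[str]:
    """Postfix >= 2.10 decides relaying in smtpd_relay_restrictions; when that is empty,
    smtpd_recipient_restrictions must carry reject_unauth_destination instead."""
    name = ("smtpd_relay_restrictions" if params.get("smtpd_relay_restrictions")
            else "smtpd_recipient_restrictions")
    heads = [item.split()[0] for item in restriction_list(params, name)]
    guard = next((i for i, h in enumerate(heads) if h in RELAY_GUARDS), None)
    if guard is None:
        return [f"{name}: no reject_unauth_destination, server would relay for anyone"]
    # A bare permit, or any check_* lookup that can return OK, before the guard opens relaying.
    return [f"{name}: '{h}' before reject_unauth_destination can allow relaying"
            for h in heads[:guard] if h == "permit" or h.startswith("check_")]


def audit_main_cf(text: str) -> List[str]:
    """Return findings in the order: duplicates, relay control, cleartext SASL."""
    params, duplicates = parse_main_cf(text)
    findings = [f"duplicate parameter: {k}" for k in duplicates]
    findings += relay_findings(params)
    if params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: SASL logins may be offered over cleartext")
    return findings


if __name__ == "__main__":
    for label, conf in (("notes", SAMPLE_MAIN_CF), ("open relay", OPEN_RELAY_MAIN_CF)):
        print(label, audit_main_cf(conf) or ["ok"])
```

On the notes' configuration the relay check passes (permit_mynetworks ahead of reject_unauth_destination is the intended exception for trusted networks, and the bare permit is last), so the only findings are the two duplicated parameters; after fixing those, postconf -n on the live server is the authoritative view of what Postfix actually runs with.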
Service
1. Enable and start services.
# systemctl enable opendkim.service
# systemctl start opendkim.service
# systemctl enable postgrey.service
# systemctl start postgrey.service
# systemctl enable postfix.service
# systemctl start postfix.service