Configuration Noekeon.org
== DNS zone ==

<source lang=text>
$TTL 3600
@         IN SOA dns105.ovh.net. tech.ovh.net. (2016090500 86400 3600 3600000 300)
          IN NS  dns105.ovh.net.
          IN NS  ns105.ovh.net.
          IN MX  10 ober.noekeon.org.
          IN MX  20 prime.immie.org.
          IN A   91.134.133.203
          IN TXT "google-site-verification=PyZv_FR2vhqyGKz00ew_nnf_y_pprEgJt-G5SogqRyM"
      600 IN TXT "v=spf1 a mx -all"
*         IN A   91.134.133.203
*         IN TXT "v=spf1 -all"
ftp       IN A   62.182.63.46
imap      IN CNAME ober.noekeon.org.
localhost IN A   127.0.0.1
mail      IN CNAME ober.noekeon.org.
ober      IN A   91.134.133.203
ober      IN TXT "v=spf1 a -all"
pop       IN CNAME ober.noekeon.org.
smtp      IN CNAME ober.noekeon.org.
</source>

Original zone on OVH (with minimal entries):

<source lang=text>
$TTL 3600
@   IN SOA dns105.ovh.net. tech.ovh.net. (2016070301 86400 3600 3600000 300)
    IN NS  ns105.ovh.net.
    IN NS  dns105.ovh.net.
    IN MX  1 redirect.ovh.net.
    IN A   213.186.33.5
    IN TXT "1|www.noekeon.org"
www IN MX  1 redirect.ovh.net.
www IN A   213.186.33.5
www IN TXT "3|welcome"
www IN TXT "l|fr"
</source>
|||
== PriorWeb Hints and Tips ==

* '''MySQL'''

# m h dom mon dow command (dow=0|7 is sunday)
33 8 * * * ~daemenj/private/changemonitor/monitor-all.sh >/dev/null 2>/dev/null
</source>
|||
== Server Install OVH ==

;Mail Transport Agent (MTA)
* We'll use '''Postfix''' for sending and receiving mail.
;Spam filtering
* We'll use '''Rspamd'''.
;Mail Delivery Agent (MDA)
* Currently using '''[[Procmail]]''' for local delivery of mail to user mailboxes, but it is no longer maintained [https://en.wikipedia.org/wiki/Procmail].
* Considering moving to '''Dovecot''' in order to use the '''[https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language) Sieve]''' filtering language.
;IMAP/POP3
* We'll use '''Dovecot'''.

=== Spam filter ===

;Candidates:
* SpamAssassin (SA)
: The default standard.
: Some installation guides [http://wiki.yobi.be/wiki/Spamassassin].
* DSpam
: Excellent track record, but unfortunately no longer maintained.
: Some installation guides [https://www.kirya.net/articles/setting-up-dspam-as-a-filter-for-postfix-on-debian/], [https://kuther.net/howtos/integrate-dspam-postfix-dovecot-any-mail-client], [http://www.freesoftwaremagazine.com/articles/focus_spam_dspam].
* Rspamd
: A newer system.
|||
=== Mail server ===

;master.cf
* The file {{file|master.cf}} tells which services are running.
<source lang=text>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
</source>
* <code>smtp</code> is the usual SMTP service on port 25, used by other SMTP servers to deliver mail to us.
<source lang=text>
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
</source>
* <code>submission</code> is the "secure" SMTP service on port 587, used by mail clients to send new mail. Note that '''<code>-o</code>''' denotes configuration settings that '''override''' those in {{file|main.cf}}.

;main.cf
* Testing — add <code>soft_bounce = yes</code> when testing a new configuration. This avoids rejecting mail permanently by turning every REJECT into a DEFER.
<source lang=text>
# Testing - Uncomment to DEFER instead of REJECT, hence not rejecting mail permanently when testing
soft_bounce = yes
</source>
* Debugging — add <code>debug_peer_list</code> to enable verbose logging for connections from the listed peers.
<source lang=text>
# Debugging - Uncomment for verbose logging for connections from listed peers
debug_peer_list = 91.134.134.85
</source>

;Setup SPF ([http://www.openspf.org/SPF_Record_Syntax Syntax], [http://www.openspf.org/FAQ/Common_mistakes FAQ])
* I add to the DNS zone:
<source lang=text>
noekeon.org.      IN TXT "v=spf1 a mx -all"
ober.noekeon.org. IN TXT "v=spf1 a -all"
*.example.com.    IN TXT "v=spf1 -all"
</source>
:The first line says that mail from <code>@noekeon.org</code> must come from the address in the A record of noekeon.org or from one of the MX servers of the domain.
:The second line says that mail from a server identifying itself as "ober.noekeon.org" in HELO is accepted only if it comes from the IP address of the server "ober.noekeon.org".
:The third line says that no other sub-domain or host may send mail.
* Test the configuration with http://dkimvalidator.com/.
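To see what the three records above actually decide, here is a small SPF evaluator (an added example, not part of the original page) that applies the <code>a</code>, <code>mx</code>, <code>ip4</code> and <code>all</code> mechanisms against a lookup table constructed from this page's DNS zone. The address of <code>prime.immie.org</code> is not on the page, so a documentation address stands in for it; <code>include</code>, <code>exists</code> and <code>ptr</code> are not modelled.

```python
import ipaddress

# Constructed lookup table, copied from the noekeon.org zone on this page.
# prime.immie.org has no address on the page: 203.0.113.10 is a placeholder.
ZONE = {
    "A": {
        "noekeon.org": ["91.134.133.203"],
        "ober.noekeon.org": ["91.134.133.203"],
        "ftp.noekeon.org": ["62.182.63.46"],
        "prime.immie.org": ["203.0.113.10"],
    },
    "MX": {"noekeon.org": ["ober.noekeon.org", "prime.immie.org"]},
    "TXT": {
        "noekeon.org": ["v=spf1 a mx -all"],
        "ober.noekeon.org": ["v=spf1 a -all"],
        "*.noekeon.org": ["v=spf1 -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Resolve a name against ZONE, falling back to the parent's wildcard
    entry the way a DNS wildcard does when no exact name exists."""
    table = ZONE[rrtype]
    name = name.lower().rstrip(".")
    if name in table:
        return table[name]
    parent = name.partition(".")[2]
    return table.get("*." + parent, []) if parent else []


def ip_in(ip, names):
    """True when `ip` equals one of the addresses in `names`."""
    return any(ipaddress.ip_address(a) == ip for a in names)


def check_spf(domain, client_ip):
    """Return the SPF result for mail claiming `domain`, sent from `client_ip`:
    pass/fail/softfail/neutral, 'none' without a record, 'permerror' on bad ones."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"          # no policy published for this name
    if len(records) > 1:
        return "permerror"     # RFC 7208: more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"        # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip_in(ip, lookup("A", target))
        elif mech == "mx":
            matched = any(ip_in(ip, lookup("A", mx)) for mx in lookup("MX", target))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include/exists/ptr/exp are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for dom, src in [("noekeon.org", "91.134.133.203"),   # the A record
                     ("noekeon.org", "62.182.63.46"),     # ftp host, neither A nor MX
                     ("ober.noekeon.org", "91.134.133.203"),
                     ("ftp.noekeon.org", "62.182.63.46")]:  # caught by the wildcard
        print(f"{dom:20s} from {src:15s} -> {check_spf(dom, src)}")
```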
|||
=== Mail server - Rspamd spam filter ===

* Install guide from [https://rspamd.com/doc/quickstart.html rspamd.com]
* Relevant Postfix documentation:
:* [http://www.postfix.org/SMTPD_ACCESS_README.html Postfix SMTP relay and access control]
:: See the example configuration.
:: Use <code>soft_bounce = yes</code> in {{file|main.cf}} to change a REJECT into a DEFER, and hence avoid losing mail when testing.

;To Do
* Use the Spamhaus blacklist (see the Postfix [http://www.postfix.org/SMTPD_ACCESS_README.html example])

;Rmilter
* Guide [https://rspamd.com/doc/quickstart.html]
* Install with
<source lang=bash>
apt-get install rmilter
</source>
* We keep the socket-based bind, contrary to what the guide suggests. So in {{file|main.cf}}:
<source lang=bash>
# rmilter setup
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
milter_default_action = accept
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
</source>
|||
* Check the socket. We see it is ''active'' and ''enabled'' (i.e. started at boot).
<source lang=bash>
systemctl status rmilter.socket
# ● rmilter.socket - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.socket; enabled)
# Active: active (listening) since Mon 2016-07-18 18:49:22 CEST; 1 day 23h ago
# Listen: /var/run/rmilter/rmilter.sock (Stream)
</source>
* Check the service
<source lang=bash>
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: inactive (dead)
</source>
* It is disabled; let's try to start it
<source lang=bash>
systemctl start rmilter.service
</source>
* It fails. We get
<source lang=bash>
systemctl status rmilter.service -l
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: failed (Result: exit-code) since Wed 2016-07-20 17:56:05 CEST; 1min 31s ago
# Process: 24168 ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n (code=exited, status=233/RUNTIME_DIRECTORY)
# Main PID: 24168 (code=exited, status=233/RUNTIME_DIRECTORY)
# Jul 20 17:56:05 ober.noekeon.org systemd[24168]: Failed at step RUNTIME_DIRECTORY spawning /usr/sbin/rmilter: File exists
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: rmilter.service: main process exited, code=exited, status=233/RUNTIME_DIRECTORY
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: Unit rmilter.service entered failed state.
</source>
* Let's debug. Where is this runtime directory?
<source lang=bash>
dlocate -L rmilter|xargs grep -id skip runtimedirectory
# /lib/systemd/system/rmilter.service:RuntimeDirectory=rmilter
# /lib/systemd/system/rmilter.service:RuntimeDirectoryMode=0755
</source>
* Looking for a fix on the internet: a Red Hat bug report [https://bugzilla.redhat.com/show_bug.cgi?id=1226509] suggests adding the following to {{file|/lib/systemd/system/rmilter.service}}:
<source lang=diff>
[Service]
ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n
ExecReload=/bin/kill -USR1 $MAINPID
User=_rmilter
RuntimeDirectory=rmilter
RuntimeDirectoryMode=0755
+Restart=always
</source>
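Review bot: `+Restart=always` in the `[Service]` hunk is a retry policy, not a fix for the `RUNTIME_DIRECTORY` step failing with `File exists` shown above; with that error still present the unit would simply be restarted until systemd's start-rate limit stops it. The socket unit already listens on `/var/run/rmilter/rmilter.sock`, so `/var/run/rmilter` exists before the service's `RuntimeDirectory=rmilter` tries to create it; that conflict is what needs resolving, and the successful start that follows only came after `systemctl daemon-reload`, so it is worth confirming which of the two changes actually mattered. Also, edits to `/lib/systemd/system/rmilter.service` are overwritten by the next package upgrade; a drop-in under `/etc/systemd/system/rmilter.service.d/` (created with `systemctl edit rmilter.service`) survives upgrades, which is in line with the "Better configuration" note further down.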
|||
* So let's try again
<source lang=bash>
systemctl start rmilter.service
# Warning: Unit file of rmilter.service changed on disk, 'systemctl daemon-reload' recommended.
systemctl daemon-reload
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: active (running) since Wed 2016-07-20 18:21:45 CEST; 53s ago
# Main PID: 24895 (rmilter)
# CGroup: /system.slice/rmilter.service
# └─24895 /usr/sbin/rmilter -c /etc/rmilter.conf -n
#
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: main: starting rmilter version 1.8.6, listen on fd:3
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: reload_thread: starting...
</source>
* Created a new bug report [https://github.com/vstakhov/rmilter/issues/133 issue #133].

;Rspamd
* Install
<source lang=bash>
apt-get install rspamd
</source>
* ... and it already fails:
<source lang=bash>
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
# Loaded: loaded (/lib/systemd/system/rspamd.socket; enabled)
# Active: failed (Result: resources)
# Listen: [::]:11333 (Stream)
# [::1]:11334 (Stream)
#
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: rspamd.socket failed to listen on sockets: Cannot assign requested address
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Failed to listen on rapid spam filtering system.
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Unit rspamd.socket entered failed state.
</source>
* Actually the problem comes from {{file|/etc/sysctl.d/local.conf}}, where we disabled IPv6. If we enable it back:
<source lang=diff>
# Disable IPv6
-net.ipv6.conf.all.disable_ipv6 = 1
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.lo.disable_ipv6 = 1
-net.ipv6.conf.eth0.disable_ipv6 = 1
+net.ipv6.conf.all.disable_ipv6 = 0
+net.ipv6.conf.default.disable_ipv6 = 0
+net.ipv6.conf.lo.disable_ipv6 = 0
+net.ipv6.conf.eth0.disable_ipv6 = 0
</source>
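Review bot: this hunk re-enables IPv6 on every interface (`all`, `default`, `eth0`) to satisfy a socket that only binds `[::1]:11334`; the loopback `lo` line is the only one the unit needs. Keeping `net.ipv6.conf.eth0.disable_ipv6 = 1` while setting only `net.ipv6.conf.lo.disable_ipv6 = 0` would clear the `Cannot assign requested address` error without giving the host an externally reachable IPv6 address it was deliberately not using. The comment line `# Disable IPv6` is also left above settings that now do the opposite; update it so the file does not mislead the next reader.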
|||
Now it works:
<source lang=bash>
systemctl start rspamd.socket
</source>
Alternatively, if we want to keep IPv6 disabled, we need to edit the systemd file {{file|/lib/systemd/system/rspamd.socket}} as follows:
<source lang=diff>
--- rspamd.socket 2016-06-20 13:55:00.000000000 +0200
+++ rspamd.socket.old 2016-07-20 19:44:18.165848297 +0200
@@ -2,9 +2,10 @@
Description=rapid spam filtering system
[Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
-BindIPv6Only=both
+BindIPv6Only=ipv6-only
+ListenStream=127.0.0.1:11333
+ListenStream=127.0.0.1:11334
+KeepAlive=true
[Install]
WantedBy=sockets.target
</source>
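Review bot: two points on this hunk. First, the file headers read backwards relative to the prose: `--- rspamd.socket` carries the older date and `+++ rspamd.socket.old` the newer one, so the `+` lines are the contents of the `.old` file; check that the 127.0.0.1 version is the one actually installed as `rspamd.socket`. Second, `+BindIPv6Only=ipv6-only` has no effect on the two IPv4 literals `127.0.0.1:11333` and `127.0.0.1:11334` that replace the IPv6 listeners, since it only controls the `IPV6_V6ONLY` flag of IPv6 sockets, and can be dropped; `+KeepAlive=true` is likewise added without any mention in the text, so say why it is needed or leave it out. The final `rspamd.socket` listed further down keeps `BindIPv6Only=both` with the same IPv4 addresses, which is equally inert but at least not contradictory.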
|||
and reload rspamd:
<source lang=bash>
systemctl daemon-reload
systemctl start rspamd.socket
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
</source>
* Note that <code>rspamd.service</code> is not started by default; it is started on demand through the socket. To trigger it:
<source lang=bash>
rspamc -h ::1:11334 stat
</source>
Note that the following fail:
<source lang=bash>
rspamc stat
rspamc -h 127.0.0.1:11334 stat
</source>
This is because rspamd only listens on the IPv6 interface:
<source lang=bash>
netstat -lpn|grep 1133
# tcp6 0 0 :::11333 :::* LISTEN 1/init
# tcp6 0 0 ::1:11334 :::* LISTEN 1/init
cat /lib/systemd/system/rspamd.socket
#[Unit]
#Description=rapid spam filtering system
#
#[Socket]
#ListenStream=11333
#ListenStream=[::1]:11334
#BindIPv6Only=both
#
#[Install]
#WantedBy=sockets.target
</source>
To install the '''rspamd webgui''' behind HTTPS, we use apache2 as a reverse proxy ([http://serverfault.com/questions/486042/use-apache-as-a-https-to-http-proxy], [https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension], [https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyrequests]).

;Note
* {{red|FIX}} — The following works only if we change the sockets rspamd listens on in file {{file|/lib/systemd/system/rspamd.socket}}:
<source lang=diff>
[Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
+ListenStream=127.0.0.1:11333
+ListenStream=0.0.0.0:11334
</source>
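Review bot: `+ListenStream=0.0.0.0:11334` binds the rspamd controller (the web GUI and the port `rspamc` talks to) on every IPv4 interface, while the Apache `ProxyPass` below targets `http://localhost:11334/`, which only needs `127.0.0.1`. As written, anyone who can reach the host on port 11334 talks to the controller directly and bypasses the HTTPS reverse proxy and the HTTP Basic authentication added to it further down. `127.0.0.1:11334` is sufficient for the proxy, and it is what the final `rspamd.socket` on this page uses; if a firewall is what is relied on instead, say so next to this line.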
|||
<source lang=diff>
<IfModule mod_ssl.c>
<VirtualHost *:443>
+ # We don't need forward proxy, so let's disable it
+ ProxyRequests Off
+
+ <Location /rspamd/>
+ ProxyPass http://localhost:11334/
+ ProxyPassReverse http://localhost:11334/
+ Order deny,allow
+ Allow from all
+ </Location>
</VirtualHost>
</IfModule>
</source>
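Review bot: `+ Order deny,allow` / `+ Allow from all` is Apache 2.2 access-control syntax; on Apache 2.4 it only works through `mod_access_compat`, and the native equivalent is `Require all granted`. Mixing these 2.2 directives with the `Require valid-user` that the later authentication hunk adds to the same `<Location /rspamd/>` block is a classic source of confusion, so pick one dialect. Also, until that later hunk is applied, this block proxies the rspamd controller to every client of the HTTPS vhost with no authentication at all, so the two changes belong in one deployment step.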
|||
Note:
* Module <code>proxy_http</code> is necessary to fix the error
<source lang=text>
... AH01144: No protocol handler was valid for the URL /rspamd/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
</source>
* Mind the trailing slash in <code><Location /rspamd/></code>: it must match the trailing one in the <code>ProxyPass</code> and <code>ProxyPassReverse</code> addresses. A mismatch fails with an error <code>(NULL)</code> message.

Install the necessary modules and restart apache:
<source lang=bash>
a2enmod proxy
a2enmod proxy_http
a2enmod headers
service apache2 restart
</source>
* To add an HTTPS password:
<source lang=diff>
<IfModule mod_ssl.c>
<VirtualHost *:443>
<Location /rspamd/>
+ AuthType Basic
+ AuthName "mail.noekeon.org Rspamd webgui"
+ AuthUserFile /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd
+ Require valid-user
</Location>
</VirtualHost>
</IfModule>
</source>
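Review bot: `+ AuthType Basic` is acceptable here only because the block sits inside `<IfModule mod_ssl.c>` / `<VirtualHost *:443>`, so the credentials are never sent in clear; keep that invariant if the vhost is ever duplicated for port 80. Two points about the `AuthUserFile` this hunk references, which the commands that follow create: `htpasswd -s` stores an unsalted SHA-1 digest, and `htpasswd -B` (bcrypt) is the stronger option the same tool offers; and `chmod 644` makes the digest file readable by every local account, whereas `640` together with the `www-data` group set by the `chown` is all Apache needs.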
|||
:Create the password, and don't forget to change ownership:
<source lang=bash>
htpasswd -c -s /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd rspamd
chown www-data:www-data /etc/apache2/*.passwd
chmod 644 /etc/apache2/*.passwd
</source>

Final configuration, everything works:
* {{file|/lib/systemd/system/rmilter.socket}}
<source lang=text>
[Unit]
Description=Another sendmail milter for different mail checks
[Socket]
ListenStream=127.0.0.1:9900
SocketUser=_rmilter
SocketGroup=adm
SocketMode=660
[Install]
WantedBy=sockets.target
</source>
* {{file|/lib/systemd/system/rspamd.socket}}
<source lang=text>
[Unit]
Description=rapid spam filtering system
[Socket]
ListenStream=127.0.0.1:11333
ListenStream=127.0.0.1:11334
BindIPv6Only=both
[Install]
WantedBy=sockets.target
</source>
* {{file|/lib/systemd/system/rspamd.service}}
<source lang=text>
[Unit]
Description=rapid spam filtering system
After=nss-lookup.target
[Service]
ExecStart=/usr/bin/rspamd -c /etc/rspamd/rspamd.conf -f
User=_rspamd
RuntimeDirectory=rspamd
RuntimeDirectoryMode=0755
Restart=always
[Install]
WantedBy=multi-user.target
</source>

;Better configuration
:No need to edit the {{file|/lib/systemd}} files. See [https://github.com/vstakhov/rspamd/issues/748#issuecomment-234782504 issue #748] on GitHub.

;Debugging:
<source lang=bash>
# Testing a new rmilter/rspamd config: edit the systemd settings, then
# if any /lib/systemd files were changed, you must do:
systemctl daemon-reload
# then
systemctl stop rspamd.socket rspamd.service rmilter.socket rmilter.service
systemctl start rmilter.socket rspamd.socket
# To disable IPv6:
echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
/etc/init.d/networking restart
# ... or via /etc/sysctl.d/local.conf
</source>

;Logging
We have the choice between
* console logging (sent to {{file|/var/log/syslog}})
:But this generates a lot of noise for logcheck when the log is at <code>info</code> level.
* file logging (to {{file|/var/log/rspamd/rspamd.log}})
:But we lose the message timestamp.
To configure file logging, edit the file {{file|/etc/rspamd.conf}}:
<source lang="diff">
@@ -24,7 +24,8 @@ options {
}
logging {
- type = "console";
+ type = "file";
+ filename = "$LOGDIR/rspamd.log";
systemd = true;
.include "$CONFDIR/logging.inc"
.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"
</source>
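Review bot: the hunk switches `type` to `"file"` but keeps `systemd = true;` in the same `logging {}` block; that flag is meant for console output under systemd, where the journal supplies the timestamp, and is worth checking as the cause of the missing timestamps the text above reports for file logging. Try `systemd = false;` alongside `type = "file";` before concluding that file mode cannot carry timestamps. Also confirm that `$LOGDIR` resolves to `/var/log/rspamd` and that the directory is writable by the `_rspamd` user the service runs as, otherwise the log file cannot be opened.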
|||
Currently, I go for logging to console, with filter-all rules in logcheck (basically ignore all messages). This may change pending an update on [https://github.com/vstakhov/rspamd/issues/1496 GitHub issue #1496].

;Rmilter 1.10
* The latest version of Rmilter is 1.10, but Debian only distributes a very old release.
* I could not find the package I used the first time, so I have to rebuild it.
<source lang="bash">
# Fetch and unpack the release tarball, then build a Debian package from it
wget https://github.com/vstakhov/rmilter/archive/1.10.0.tar.gz
tar xzf 1.10.0.tar.gz
apt-get build-dep rmilter
apt install fakeroot dh-systemd libglib2.0-dev
cd rmilter-1.10.0/
vi debian/changelog # Create a new entry with version "1.10.0-4~jessie", release "jessie"
dpkg-buildpackage -rfakeroot -b
</source>

;Add blacklist filter
* Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
* multimap doc: https://rspamd.com/doc/modules/multimap.html
<source lang="diff">
diff --git a/rspamd/local.d/groups.conf b/rspamd/local.d/groups.conf
new file mode 100644
index 0000000..448fa8d
--- /dev/null
+++ b/rspamd/local.d/groups.conf
@@ -0,0 +1,39 @@
+# local.d/groups.conf
+# see local.d/multimap.conf for mappings
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+
+group "multimap" {
+ symbols = {
+ # Blacklists
+ "LOCAL_BL_FROM" {
+ weight = 3.0;
+ description = "Sender FROM listed in local blacklist";
+ }
+ "LOCAL_BL_IP" {
+ weight = 3.0;
+ description = "Sender IP listed in local blacklist";
+ }
+ "LOCAL_BL_RCPT" {
+ weight = 3.0;
+ description = "Recipient listed in local blacklist";
+ }
+ # Whitelists
+ "LOCAL_WL_DOMAIN" {
+ weight = -5;
+ description = "Domain listed in local whitelist";
+ }
+ "LOCAL_WL_FROM" {
+ weight = -5;
+ description = "Sender FROM listed in local whitelist";
+ }
+ "LOCAL_WL_IP" {
+ weight = -5;
+ description = "Sender IP listed in local whitelist";
+ }
+ "LOCAL_WL_RCPT" {
+ weight = -5;
+ description = "Recipient listed in local whitelist";
+ }
+ }
+}
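Review bot: the `LOCAL_BL_*` symbols in `group "multimap"` carry `weight = 3.0`, which only adds three points to the score and does not by itself push a message over a typical reject threshold; if the intent is to block listed senders outright, either raise the weight or use `prefilter = true; action = "reject";` as `local_bl_domain` does in the companion `multimap.conf`. Note also that `local_bl_domain` has no entry in this group, which is consistent because that map defines no `symbol`, but a one-line comment saying so would stop someone adding one later by mistake.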
|||
diff --git a/rspamd/local.d/multimap.conf b/rspamd/local.d/multimap.conf
new file mode 100644
index 0000000..68d0125
--- /dev/null
+++ b/rspamd/local.d/multimap.conf
@@ -0,0 +1,60 @@
+# local.d/multimap.conf
+# see local.d/groups.conf for multimap symbols
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+# Doc: https://rspamd.com/doc/modules/multimap.html
+
+# Blacklists
+local_bl_domain {
+ type = "from";
+ filter = "email:domain";
+ map = "$CONFDIR/maps.d/local_bl_domain.inc";
+ prefilter = true;
+ action = "reject";
+ description = "Blacklisted domain";
+}
+local_bl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_bl_from.inc";
+ symbol = "LOCAL_BL_FROM";
+ description = "Blacklist map for LOCAL_BL_FROM";
+}
+local_bl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_bl_ip.inc";
+ symbol = "LOCAL_BL_IP";
+ description = "Blacklist map for LOCAL_BL_IP";
+}
+local_bl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
+ symbol = "LOCAL_BL_RCPT";
+ description = "Blacklist map for LOCAL_BL_RCPT";
+}
+
+# Whitelists
+local_wl_domain {
+ type = "from";
+ filter = "email:domain:tld";
+ map = "$CONFDIR/maps.d/local_wl_domain.inc";
+ symbol = "LOCAL_WL_DOMAIN";
+ description = "Whitelist map for LOCAL_WL_DOMAIN";
+}
+local_wl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_wl_from.inc";
+ symbol = "LOCAL_WL_FROM";
+ description = "Whitelist map for LOCAL_WL_FROM";
+}
+local_wl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_wl_ip.inc";
+ symbol = "LOCAL_WL_IP";
+ description = "Whitelist map for LOCAL_WL_IP";
+}
+local_wl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
+ symbol = "LOCAL_WL_RCPT";
+ description = "Whitelist map for LOCAL_WL_RCPT";
+}
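Review bot: the whitelist maps `local_wl_domain` and `local_wl_from` key on `type = "from"` and grant `-5`, but a From address is trivially forgeable, so anyone who learns or guesses a whitelisted sender gets a five-point discount for free. multimap's `require_symbols` option lets a map fire only when other symbols are present (for example a passing DKIM or SPF result), which is the usual way to make From-based whitelists safe; at minimum apply it to these two maps. Separately, `local_bl_domain` filters on `email:domain` while `local_wl_domain` uses `email:domain:tld`, so the blacklist matches only the exact domain while the whitelist matches the registrable domain and everything under it; that is the wider net on the more dangerous side, so confirm the asymmetry is intended.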
|||
diff --git a/rspamd/maps.d/local_bl_domain.inc b/rspamd/maps.d/local_bl_domain.inc
new file mode 100644
index 0000000..e33bc14
--- /dev/null
+++ b/rspamd/maps.d/local_bl_domain.inc
@@ -0,0 +1 @@
+nanoenonprofits.org
</source>

=== Mail server - More spam filter ===
* Look at [https://www.pyzor.org/en/latest/introduction.html Pyzor.org] (recommended by SpamAssassin, as reported on https://www.mail-tester.com/).

=== Mail server - SRS ===
Reference:
* http://www.openspf.org/SRS
* https://github.com/roehling/postsrsd
We must enable SRS (Sender Rewriting Scheme) so that mail forwarded from domains that publish SPF does not fail the SPF check at its final destination:
<source lang=bash>
apt-get install postsrsd
</source>
We check that it listens on the default ports (10001 and 10002) and uses the correct domain:
<source lang=bash>
systemctl status postsrsd
# ● postsrsd.service - SRS lookup table for Postfix
# Loaded: loaded (/lib/systemd/system/postsrsd.service; enabled)
# Active: active (running) since Mon 2016-09-05 11:53:27 CEST; 2h 11min ago
# Main PID: 11273 (postsrsd)
# CGroup: /system.slice/postsrsd.service
# └─11273 /usr/sbin/postsrsd -f10001 -r10002 -s/etc/postsrsd.secret -X -unobody -c/var/lib/postsrsd -dnoekeon.org
ss -tupan|grep 1000[12]
# tcp LISTEN 0 10 127.0.0.1:10001 *:* users:(("postsrsd",pid=11273,fd=4))
# tcp LISTEN 0 10 127.0.0.1:10002 *:* users:(("postsrsd",pid=11273,fd=5))
</source>
Tell Postfix to use SRS (forward rewriting on port 10001, reverse rewriting on port 10002) and reload:
<source lang=bash>
postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
postconf -e "sender_canonical_classes = envelope_sender"
postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
postfix reload
</source>
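What the two canonical lookups above do to an address, as an added example (this is not postsrsd's own code): a minimal SRS0 forward rewrite and its reverse, with HMAC and timestamp validation, following the address format described at openspf.org/SRS. The secret and the day counter are constructed inputs; the hash length (4 characters) and the validity window (21 days) are assumptions chosen to mirror common defaults.

```python
import base64
import hashlib
import hmac

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
HASH_LEN = 4        # assumption: base64 HMAC characters kept in the address
MAX_AGE_DAYS = 21   # assumption: how long a bounce may take to come back


def encode_timestamp(days):
    """Two base32 characters encoding the day counter modulo 1024."""
    days %= 1024
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def decode_timestamp(ts):
    return (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())


def srs_hash(secret, *parts):
    """Truncated base64 HMAC-SHA1 over the lower-cased fields, so the forwarder
    can later recognise addresses it generated itself."""
    msg = "".join(p.lower() for p in parts).encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender, forwarder, secret, today):
    """Rewrite the envelope sender so bounces come back to `forwarder`
    (what the sender_canonical_maps lookup asks postsrsd to do)."""
    local, _, domain = sender.rpartition("@")
    if not local or domain.lower() == forwarder.lower():
        return sender                  # local mail needs no rewriting
    if local.upper().startswith("SRS0="):
        return sender                  # already rewritten; SRS1 chaining not modelled
    ts = encode_timestamp(today)
    digest = srs_hash(secret, ts, domain, local)
    return f"SRS0={digest}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address, secret, today):
    """Undo srs_forward for a bounce arriving at the forwarder (the
    recipient_canonical_maps lookup). Raises ValueError for anything that is
    not a valid, unexpired SRS0 address generated with our secret."""
    local, _, _ = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        return address                 # plain address: pass it through untouched
    fields = local.split("=", 4)       # maxsplit keeps any "=" of the original local part
    if len(fields) != 5:
        raise ValueError("malformed SRS0 address")
    _, digest, ts, domain, orig_local = fields
    if len(ts) != 2 or any(c.upper() not in BASE32 for c in ts):
        raise ValueError("bad SRS0 timestamp")
    age = (today - decode_timestamp(ts)) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS0 address has expired")
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(digest.lower(), expected.lower()):
        raise ValueError("SRS0 hash mismatch (forged, tampered or wrong secret)")
    return f"{orig_local}@{domain}"


def srs_check(address, secret, today):
    """Convenience wrapper: (True, original address) or (False, reason)."""
    try:
        return True, srs_reverse(address, secret, today)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    secret = b"constructed-secret"     # constructed; postsrsd reads /etc/postsrsd.secret
    rewritten = srs_forward("alice@example.com", "noekeon.org", secret, today=17000)
    print(rewritten)
    print(srs_check(rewritten, secret, today=17005))   # valid bounce, within window
    print(srs_check(rewritten, secret, today=17030))   # too old: rejected
```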
|||
=== Mail server - Gmail Postmaster tools === |
|||
* https://postmaster.google.com/ |
|||
: Account registered to ''night.moore.nm@gmail.com''... but never got any data because our volume is probably too small. I can still use this account to test mail forwarding though and see how gmail sees our mail server. |
|||
=== Mail server - DKIM === |
|||
See [[Postfix]]. |
|||
=== Mail server - DMARC === |
|||
GMail recommends to provide a DMARC policy. See [[Postfix]] for guides. |
|||
We publish the following DMARC policy |
|||
<source lang=text> |
|||
_dmarc.noekeon.org. v=DMARC1; p=quarantine; rua=mailto:webmaster@noekeon.org; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=none |
|||
</source> |
|||
=== Mail server - Miscellaneous === |
|||
* Postfix complains that it is setuid root: |
|||
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command has set-uid root file permissions |
|||
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: or the command is run from a set-uid root process |
|||
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command must be installed without set-uid root file permissions |
|||
:It is not necessary to run procmail as setuid root with postfix [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298058], so we do: |
|||
<source lang=bash> |
|||
ls -l /usr/bin/procmail |
|||
# -rwsr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail |
|||
chmod u-s /usr/bin/procmail |
|||
ls -l /usr/bin/procmail |
|||
# -rwxr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail |
|||
</source> |
|||
=== Mail server - guides === |
|||
* https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/ |
|||
=== Mail server - certbot === |
|||
We need to add hooks to reload the certificate when certbot renew them (ChatGPT, [https://serverfault.com/questions/1052433/how-to-get-dovecot-to-reload-an-ssl-certificate-with-minimal-impact]). |
|||
For '''dovecot''': |
|||
<source lang="bash"> |
|||
# As sudo: |
|||
vi /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh |
|||
# #! /bin/bash |
|||
# systemctl reload dovecot |
|||
# Enable it and test it |
|||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh |
|||
/etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh |
|||
</source> |
|||
For '''postfix''': |
|||
<source lang="bash"> |
|||
# As sudo: |
|||
vi /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh |
|||
# #! /bin/bash |
|||
# postfix reload |
|||
# Enable it and test it |
|||
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh |
|||
/etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh |
|||
</source> |
|||
=== Upgrade Kernel (using grub) === |
|||
;Reinstall grub |
|||
* For some reasons the grub install on Debian 8 Jessie was incomplete. There was no {{file|/etc/default/grub}} and folder {{file|/etc/grub.d}} was empty. |
|||
* Remove / purge grub and reinstall. When asked, we install to {{file|/dev/sda}}. |
|||
<source lang="bash"> |
|||
# I had a /boot/grub. I pushed it to git: |
|||
# cd /boot |
|||
# git init |
|||
# echo "*-amd64" > .gitignore |
|||
# git add -A |
|||
# git commit "first commit" |
|||
apt purge grub-common grub-pc grub2-common # Say yes to remove /boot/grub. |
|||
apt install grub-pc # Install to /dev/sda |
|||
</source> |
|||
=== Upgrade Kernel (using extlinux) === |
|||
{{red|'''Obsolote'''}} — This is now obsolete for Noekeon.org. I'm now using again grub. |
|||
{| class=wikitable |
|||
|- |
|||
! Current method (using extlinux) |
|||
|- |
|||
| |
|||
<source lang="bash"> |
|||
V=3.16.0-7; for f in initrd.img System.map vmlinuz; do ln -sf $f-$V-amd64 /boot/$f; done |
|||
# Same s: |
|||
# ln -sf initrd.img-3.16.0-7-amd64 /boot/initrd.img |
|||
# ln -sf System.map-3.16.0-7-amd64 /boot/System.map |
|||
# ln -sf vmlinuz-3.16.0-7-amd64 /boot/vmlinuz |
|||
</source> |
|||
|} |
|||
;Details |
|||
Debian image is booted with '''extlinux''' (so no ''grub'' nor ''lilo''). I don't remember selecting this, so maybe it came pre-installed in the OVH debian image. |
|||
In any cases, a few guides are available: |
|||
* [https://community.ovh.com/t/migration-de-debian-8-vers-debian-9/3423 Migration de Debian 8 vers Debian 9] |
|||
* [https://community.ovh.com/t/changer-le-kernel-utilise-au-boot-sur-debian/3451 Changer le kernel utilisé au boot sur Debian] |
|||
Some remarks: |
|||
* There are two files {{file|extlinux.conf}}, one in {{file|/extlinux.conf}}, and one in {{file|/boot/extlinux.conf}}. According to guides above, the latter is useless. Of course, that's the one I updated first without any effect ^^. |
|||
* Doing <code>extlinux --update /boot/extlinux</code> '''killed''' the box. I had to reboot in rescue. There I created a few symlinks as indicated below, and restored extlinux with: |
|||
<source lang="bash"> |
|||
for a in dev proc sys run; do mount --bind /$a /mnt/vdb1/$a; done |
|||
chroot /mnt/vdb1 |
|||
cd /boot |
|||
ln -sf initrd.img-3.16.0-5-amd64 initrd.img |
|||
ln -sf System.map-3.16.0-5-amd64 System.map |
|||
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz |
|||
vi extlinux/extlinux.conf # Point to symlinks instead - normally this file is not used |
|||
cd / |
|||
vi extlinux.conf # Point to symlinks instead |
|||
extlinux --install / --device /dev/vdb1 # We point to root because that's where ldlinux.sys files are installed. |
|||
</source> |
|||
As explained in the guide, the easiest is to create symlinks. A few symlinks exists already in {{file|/}}, but these are not used apparently: |
|||
lrwxrwxrwx 1 root root 31 Jan 9 20:57 initrd.img -> /boot/initrd.img-3.16.0-5-amd64 |
|||
lrwxrwxrwx 1 root root 31 Jun 6 2015 initrd.img.old -> /boot/initrd.img-3.16.0-4-amd64 |
|||
lrwxrwxrwx 1 root root 27 Jan 9 20:57 vmlinuz -> boot/vmlinuz-3.16.0-5-amd64 |
|||
lrwxrwxrwx 1 root root 27 Jun 6 2015 vmlinuz.old -> boot/vmlinuz-3.16.0-4-amd64 |
|||
Instead, we create symlinks in {{file|/boot}}: |
|||
<source lang="bash"> |
|||
cd /boot |
|||
ln -sf initrd.img-3.16.0-5-amd64 initrd.img |
|||
ln -sf System.map-3.16.0-5-amd64 System.map |
|||
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz |
|||
</source> |
|||
We edit {{file|/extlinux.conf}} to point to our symlink instead: |
|||
<source lang="bash"> |
|||
default linux |
|||
timeout 1 |
|||
label linux |
|||
kernel boot/vmlinuz |
|||
append initrd=boot/initrd.img root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet |
|||
</source> |
|||
In principle, the symlinks will be updated at next kernel upgrade. Let's see if that happens next time! |
|||
;Upgrade to 3.16.0-6 |
|||
Symlinks were not updated automatically. Instead I did: |
|||
<source lang="bash"> |
|||
cd /boot |
|||
ln -sf initrd.img-3.16.0-6-amd64 initrd.img |
|||
ln -sf System.map-3.16.0-6-amd64 System.map |
|||
ln -sf vmlinuz-3.16.0-6-amd64 vmlinuz |
|||
</source> |
|||
=== Needrestart ===

Install package [http://www.pontikis.net/tip/?id=35 '''needrestart'''], which automatically tells when some services must be restarted (this is an improved ''checkrestart'').

=== Roundcube ===

<source lang="bash">
apt install roundcube roundcube-plugins-extra roundcube-plugins php-zip
</source>

* Enable plugins <code>archive</code>, <code>zipdownload</code>, <code>fail2ban</code>

== Troubleshooting ==

=== Google GMail - 421-4.7.0 black listing ===

See [[Mail server]].

=== Postfix reject authenticated smtp request ===

We get errors like:

<source lang="text">
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: warning: hostname ip56569158.adsl-surfen.hetnet.nl does not resolve to address 86.86.145.88: Name or service not known
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: connect from unknown[86.86.145.88]
Oct 1 11:10:06 ober rmilter[327]: <06b5ccdd32>; accepted connection from ober.noekeon.org; client: 86.86.145.88:49276 ([86.86.145.88])
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: NOQUEUE: reject: EHLO from unknown[86.86.145.88]: 450 4.7.1 <joans-mbp.home>: Helo command rejected: Host not found; proto=SMTP helo=<joans-mbp.home>
</source>

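To see how often this happens, and to which clients, it helps to summarise the <code>NOQUEUE: reject</code> lines rather than read them one by one. The following is an added example (not the wiki's own tooling) that reads Postfix log lines on stdin and groups rejects by SMTP stage, reply code, client IP and HELO name; the stage column matters because a reject at <code>EHLO</code> happens before the client has had any chance to authenticate. The sample log is constructed: its first line is the wiki's own, the other two are made up (<code>192.0.2.10</code> and <code>example.invalid</code> are reserved documentation values).

```bash
#!/bin/bash
# Added example, not from the wiki: summarise Postfix "NOQUEUE: reject" lines
# by stage (EHLO = before AUTH, RCPT = after AUTH), reply code, client IP and
# HELO name. Reads log lines on stdin.
set -u

# reject_summary < mail.log
# One line per (stage, reply code, client IP, HELO name), count first, most frequent first.
reject_summary() {
    awk '
    /NOQUEUE: reject: / {
        # stage is the upper-case word between "reject: " and " from "
        match($0, /reject: [A-Z]+ from /)
        stage = substr($0, RSTART + 8, RLENGTH - 14)
        # client IP sits in the brackets right after "from <name>"
        match($0, /from [^[]*\[[^]]*\]/)
        ip = substr($0, RSTART, RLENGTH); sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
        # three-digit SMTP reply code follows the closing bracket of the client
        code = "???"
        if (match($0, /\]: [0-9][0-9][0-9] /)) code = substr($0, RSTART + 3, 3)
        helo = "-"
        if (match($0, /helo=<[^>]*>/)) helo = substr($0, RSTART + 6, RLENGTH - 7)
        n[stage " " code " " ip " " helo]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# ehlo_stage_rejects < mail.log -> number of rejects issued at EHLO time.
# Any non-zero value means smtpd_delay_reject=no is in effect on that smtpd,
# so permit_sasl_authenticated cannot match yet when HELO restrictions run.
ehlo_stage_rejects() {
    grep -c 'NOQUEUE: reject: EHLO from ' || true
}

# Constructed sample: line 1 is the wiki's log line, lines 2 and 3 are made up.
SAMPLE_LOG='Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: NOQUEUE: reject: EHLO from unknown[86.86.145.88]: 450 4.7.1 <joans-mbp.home>: Helo command rejected: Host not found; proto=SMTP helo=<joans-mbp.home>
Oct 1 11:12:40 ober postfix/submission/smtpd[25903]: NOQUEUE: reject: EHLO from unknown[86.86.145.88]: 450 4.7.1 <joans-mbp.home>: Helo command rejected: Host not found; proto=SMTP helo=<joans-mbp.home>
Oct 1 11:15:02 ober postfix/smtpd[26011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <someone@noekeon.org>: Relay access denied; from=<spam@example.invalid> to=<someone@noekeon.org> proto=ESMTP helo=<mail.example.invalid>'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | reject_summary
    printf 'EHLO-stage rejects: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | ehlo_stage_rejects)"
fi
```

On the server, <code>reject_summary < /var/log/mail.log</code> gives the per-client picture; a count from <code>ehlo_stage_rejects</code> above zero on the submission log tells you the restrictions are evaluated before AUTH, which is what the two attempts below run into.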
The error code is '''450'''. Searching in the postfix configuration doc [http://www.postfix.org/postconf.5.html], we see it is related to the setting <code>reject_unknown_helo_hostname</code>.

We tried to fix it with:

<source lang="diff">
-smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unknown_helo_hostname,
</source>

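Review bot: the log line above shows the rejection at the EHLO stage (<code>NOQUEUE: reject: EHLO from ...</code>), and Postfix only evaluates HELO restrictions that early when <code>smtpd_delay_reject</code> is <code>no</code>; at that point the client has not sent AUTH yet, so a <code>permit_sasl_authenticated</code> placed in front of <code>reject_unknown_helo_hostname</code> can never match, which would explain why this change has no effect. Check <code>postconf smtpd_delay_reject</code> (the default <code>yes</code> defers HELO restrictions to RCPT TO, after AUTH) before moving on to per-service overrides.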
But it has no effect. In fact we must change the parameters of the <code>smtpd/submission</code> daemon listening on port 587. Edit {{file|master.cf}}:

<source lang="diff">
diff --git a/postfix/master.cf b/postfix/master.cf
index ed305ce..61cd090 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -20,6 +20,7 @@ submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
</source>

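Review bot: the added <code>-o smtpd_helo_restrictions=</code> list ends in a bare <code>permit</code>, so after <code>reject_invalid_hostname</code> every HELO name is accepted on port 587 and <code>reject_unknown_helo_hostname</code> no longer applies there at all. That is tolerable only because the <code>smtpd_recipient_restrictions</code> override on the same service still ends in <code>reject</code> for clients that are not <code>permit_sasl_authenticated</code>, so unauthenticated clients cannot relay; if the DNS check should stay for unauthenticated connections, write <code>permit_sasl_authenticated</code> instead of <code>permit</code>. Note also that the value after <code>-o</code> must remain one token without whitespace in master.cf.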
=== ovhn - Fix 'org.freedesktop.login1 timed out' messages and slow login ===

We get many messages like:

<source lang="text">
Apr 29 06:44:12 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:44:37 ober sshd[25336]: pam_systemd(sshd:session): Failed to create session: Activation of org.freedesktop.login1 timed out
Apr 29 06:44:37 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out
</source>

Going backward, we find the following event:

<source lang="text">
Apr 29 06:33:05 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out
Apr 29 06:33:30 ober systemd-logind[23727]: Failed to abandon session scope: Transport endpoint is not connected
Apr 29 06:33:30 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out
</source>

This seems linked to an ssh session:

<source lang="bash">
ag 17082 /var/log
# /var/log/auth.log
# 7:Apr 29 06:29:44 ober sshd[17082]: Accepted publickey for baas from 164.129.115.76 port 27528 ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b
# 8:Apr 29 06:29:44 ober sshd[17082]: pam_unix(sshd:session): session opened for user baas by (uid=0)
# 24:Apr 29 06:33:05 ober sshd[17082]: pam_unix(sshd:session): session closed for user baas
# 25:Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out
</source>

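Correlating the sshd pid by hand with <code>ag</code> works once; to spot every login whose PAM close-out hung on logind, the following added example (not the wiki's own) reads raw {{file|auth.log}} lines on stdin and prints the pid, user and client address for each sshd process that logged <code>Failed to release session</code>, plus a helper that picks the abandoned scopes out of <code>systemctl</code> output. The sample lines are constructed: the <code>baas</code> lines are the wiki's (without the <code>ag</code> line-number prefixes), the <code>alice</code> session from <code>192.0.2.44</code> is made up.

```bash
#!/bin/bash
# Added example (not from the wiki): find sshd sessions whose PAM close-out hung
# on logind ("session closed" followed by "Failed to release session" for the
# same sshd pid), which are the candidates for leftover abandoned scopes.
set -u

# stuck_ssh_sessions < auth.log
# Prints "PID USER CLIENT" for every sshd pid that failed to release its session.
stuck_ssh_sessions() {
    awk '
    # remember who logged in through which sshd pid, and from where
    match($0, /sshd\[[0-9]+\]: Accepted /) {
        pid = $0; sub(/^.*sshd\[/, "", pid); sub(/\].*$/, "", pid)
        user[pid] = $9      # "Accepted publickey for USER from ADDR": USER is field 9
        client[pid] = $11   # ADDR is field 11
    }
    /pam_systemd\(sshd:session\): Failed to release session/ {
        pid = $0; sub(/^.*sshd\[/, "", pid); sub(/\].*$/, "", pid)
        print pid, (pid in user ? user[pid] : "?"), (pid in client ? client[pid] : "?")
    }'
}

# abandoned_scopes < "systemctl list-units --type=scope --all --no-legend" output
# Prints the unit names whose SUB state is "abandoned".
abandoned_scopes() {
    awk '$1 ~ /^session-[0-9]+\.scope$/ && $4 == "abandoned" { print $1 }'
}

# Constructed sample: baas lines are from the wiki, the alice session is made up.
SAMPLE_AUTH='Apr 29 06:29:44 ober sshd[17082]: Accepted publickey for baas from 164.129.115.76 port 27528 ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b
Apr 29 06:29:44 ober sshd[17082]: pam_unix(sshd:session): session opened for user baas by (uid=0)
Apr 29 06:31:10 ober sshd[17240]: Accepted publickey for alice from 192.0.2.44 port 51000 ssh2: RSA SHA256:constructedfingerprint
Apr 29 06:31:50 ober sshd[17240]: pam_unix(sshd:session): session closed for user alice
Apr 29 06:33:05 ober sshd[17082]: pam_unix(sshd:session): session closed for user baas
Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH" | stuck_ssh_sessions
fi
```

On the server: <code>stuck_ssh_sessions < /var/log/auth.log</code>, and <code>systemctl list-units --type=scope --all --no-legend | abandoned_scopes</code> to list the scopes that correspond to those pids.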
Additionally, logging in to the system is '''very slow'''.

;Troubleshooting

We find a similar issue on RedHat support [https://access.redhat.com/discussions/3536621].

The issue might be an ''abandoned'' user session:

<source lang="bash">
systemctl | grep 'of user'| grep 'abandoned'
# session-2.scope loaded active abandoned Session 2 of user baas
</source>

Accordingly the fix is to remove the session files:

<source lang="bash">
ls /run/systemd/system/
# session-2.scope.d/ session-2.scope session-4322.scope
rm -rf /run/systemd/system/session-2.scope*
systemctl daemon-reexec
</source>

... but to no avail. Finally we reboot the system:

<source lang="bash">
reboot
</source>
Latest revision as of 18:28, 10 April 2024
PriorWeb Hints and Tips
- MySQL
- MySQL Host Name:
- Use the generic name mysqlhost as MySQL host name in PHP scripts (as suggested by Priorweb's control panel)
$db_host="mysqlhost";
- Create a new database:
- Use the Priorweb's Control Panel.
- Copy database:
- First create the new database using Priorweb's Control Panel.
- Second, go to Priorweb's phpMyAdmin page
- Select database to backup
- From the menu above, choose Operations, and then Copy Database To.
- Uncheck CREATE DATABASE before copying, and check Add AUTO_INCREMENT value (no idea if that's necessary, but it is selected on the Export page), then click Go
- Backup a database - Using phpMyAdmin:
- Go to Priorweb's phpMyAdmin page
- Select database to backup
- From menu above, select EXPORT, select export in SQL format, export Structure and Data, choose a compression method (e.g. gzipped), click Go
- Restoring a database - Using phpMyAdmin:
- Go to Priorweb's phpMyAdmin page
- Select database to restore
- QUESTION: Do we have to delete the content of the database before importing???
- Backup / Restore using command-line:
Miki's Kiwi Wiki
See dedicated page.
Miki's ToDoList
- Based on small PHP application MyToDoList PHP from Antonio Lupetti
- Home page here
- Download & unzip todolist.zip to ftp://daemenj@ftp.noekeon.org/opt/www/daemenj/web/kiwi.noekeon.org/miki/todo
cd ~/kiwi.noekeon.org/miki/todo
unzip todolist.zip
mv todolist/* .
rmdir todolist
#Now remove garbage files...
find . -name _notes -exec rm -r {} \; # Ignore errors on directory not found
find . -name __MACOSX -exec rm -r {} \;
- Edit file dbconnection.php
$db_host="mysqlhost";
$db_name="mikido";
$username="miki";
$password="********";
- Go to Priorweb control panel, MySQL section, and creates new user/database:
- username: miki
- pwd: ********
- database: mikido
- Browse to https://kiwi.noekeon.org/miki/todo/createDBtable.php. Table is being created.
- Create .htaccess file (+ check there is NOT an AllowOverride None statement in Apache's httpd.conf):
DirectoryIndex todolist.php
- Now you can visit https://kiwi.noekeon.org/miki/todo/. Create a user first before creating a task. Note that you must refresh the page (F5) first otherwise drop-down list is not refreshed and page generates an error.
Shell
- In the following notes, ~ refers to original home directory /opt/www/daemenj/web.
- bash shell resource file in ~/private/mip.bashrc:
#! /bin/bash
# Clever trick because we cannot write in /opt/www/daemenj/web...
# ... move HOME to private directory so that all commands fetch their configuration file there
export HOME=/opt/www/daemenj/web/private
# Ignore some controlling instructions
export HISTIGNORE="[ ]*:&:bg:fg:exit"
# Aliases
# #######
alias grep='grep --color' # show differences in colour
# Some shortcuts for different directory listings
eval `dircolors -b ~/.dircolors.cfg`
alias ls='ls -F --color=auto' # classify files in colour
alias ll='ls -l' # long list
alias la='ls -A' # all but . and ..
alias l='ls -lA' #
alias dir='ls --format=vertical'
alias vdir='ls --format=long'
- Resource file for vim ~/private/.vimrc:
syntax enable
set bg=light
set number
nnoremap j h
nnoremap l j
"nnoremap k k
nnoremap m l
nnoremap h m
vnoremap j h
vnoremap l j
"vnoremap k k
vnoremap m l
vnoremap h m
- Directory colors ~/private/.dircolors.cfg:
# Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.
# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.
# Below, there should be one TERM entry for each termtype that is colorizable
TERM linux
TERM linux-c
TERM mach-color
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cygwin
TERM dtterm
TERM mlterm
TERM putty
TERM xterm
TERM xterm-color
TERM xterm-debian
TERM rxvt
TERM rxvt-unicode
TERM screen
TERM screen-bce
TERM screen-w
TERM vt100
TERM Eterm
# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 36 # symbolic link. (If you set this to 'target' instead of a
# numerical value, the color is as for the file pointed to.)
FIFO 40;33 # pipe
SOCK 35 # socket
DOOR 35 # door
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file
# This is for files with execute permission:
EXEC 32
# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
# If you use DOS-style suffixes, you may want to uncomment the following:
#.cmd 32 # executables (bright green)
#.exe 32
#.com 32
#.btm 32
#.bat 32
.tar 01;31 # archives or compressed (bright red)
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z 01;31
.Z 01;31
.gz 01;31
.bz2 01;31
.deb 01;31
.rpm 01;31
.jar 01;31
# image formats
.jpg 35
.jpeg 35
.gif 35
.bmp 35
.pbm 35
.pgm 35
.ppm 35
.tga 35
.xbm 35
.xpm 35
.tif 35
.tiff 35
.png 35
.mov 35
.mpg 35
.mpeg 35
.avi 35
.fli 35
.gl 35
.dl 35
.xcf 35
.xwd 35
# audio formats
.flac 35
.mp3 35
.mpc 35
.ogg 35
.wav 35
Cron
This is the crontab file on noekeon.org. Install it with crontab -u daemenj crontab.
# use /bin/bash to run commands, instead of the default /bin/sh
SHELL=/bin/bash
# mail any output to 'michael.peeters@noekeon.org', no matter whose crontab this is
MAILTO="michael.peeters@noekeon.org"
#
#
# m h dom mon dow command (dow=0|7 is sunday)
33 8 * * * ~daemenj/private/changemonitor/monitor-all.sh >/dev/null 2>/dev/null
Server Install OVH
- Mail Transport Agent (MTA)
- We'll use Postfix for sending and receiving mails.
- Spam filtering
- We'll use Rspamd.
- Mail Delivery Agent (MDA)
- Currently using Procmail for local delivery of mails to user mailboxes, but is no longer maintained [1].
- But considering moving to Dovecot to use Sieve filtering language.
- IMAP/POP3
- We'll use Dovecot.
Spam filter
- Candidates
- SpamAssassin (SA)
- The default standard.
- Some installation guides [2].
- DSpam
- Excellent track record, but unfortunately no longer maintained.
- Some installation guides [3], [4], [5]
- Rspamd
- A new system.
Mail server
- master.cf
- file master.cf tells which services are running
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
smtp
this is the usual smtp service on port 25. Used by other smtp servers to send mail.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
submission
this is the "secure" smtp service on port 587 used by mail clients to send new mail. Note that -o denotes configuration settings that override those in main.cf.
- main.cf
- Testing: add soft_bounce = yes when testing a new configuration. This avoids rejecting mail permanently by changing REJECT into DEFER.
# Testing - Uncomment to DEFER instead of REJECT, hence not rejecting mail permanently when testing
soft_bounce = yes
- Debugging: add debug_peer_list to enable verbose logging.
# Debugging - Uncomment for verbose logging for connections from listed peers
debug_peer_list = 91.134.134.85
- I add to the DNS zone:
noekeon.org.      IN TXT "v=spf1 a mx -all"
ober.noekeon.org. IN TXT "v=spf1 a -all"
*.example.com.    IN TXT "v=spf1 -all"
- First line says that all mails from @noekeon.org must come from one of the MX servers of the noekeon.org domain.
- Second line says that mail from a server with HELO identification "ober.noekeon.org" must be accepted only if it comes from the IP address of server "ober.noekeon.org".
- Third rule says that no other sub-domain/server may send email.
- Test the configuration with http://dkimvalidator.com/.
Mail server - Rspamd spam filter
- Install guide from rspam.com
- Relevant Postfix documentation:
- See example configuration.
- Use soft_bounce = yes in main.cf to change a REJECT into DEFER, and hence to avoid losing mail when testing.
- To Do
- Use spamhaus black-list (see postfix example)
- Rmilter
- Guide [6]
- Install with
apt-get install rmilter
- We keep the socket-based bind contrary to what guide suggests. So in main.cf:
# rmilter setup
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
milter_default_action = accept
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
- Check the socket. We see it is active and enabled (so it starts at boot).
systemctl status rmilter.socket
# ● rmilter.socket - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.socket; enabled)
# Active: active (listening) since Mon 2016-07-18 18:49:22 CEST; 1 day 23h ago
# Listen: /var/run/rmilter/rmilter.sock (Stream)
- Check the service
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: inactive (dead)
- It is disabled, let's try to start it
systemctl start rmilter.service
- It fails. We get
systemctl status rmilter.service -l
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: failed (Result: exit-code) since Wed 2016-07-20 17:56:05 CEST; 1min 31s ago
# Process: 24168 ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n (code=exited, status=233/RUNTIME_DIRECTORY)
# Main PID: 24168 (code=exited, status=233/RUNTIME_DIRECTORY)
# Jul 20 17:56:05 ober.noekeon.org systemd[24168]: Failed at step RUNTIME_DIRECTORY spawning /usr/sbin/rmilter: File exists
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: rmilter.service: main process exited, code=exited, status=233/RUNTIME_DIRECTORY
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: Unit rmilter.service entered failed state.
- Let's debug. Where is this runtime directory?
dlocate -L rmilter|xargs grep -id skip runtimedirectory
# /lib/systemd/system/rmilter.service:RuntimeDirectory=rmilter
# /lib/systemd/system/rmilter.service:RuntimeDirectoryMode=0755
- Look for a fix on internet: Here [7], it suggests to add to /lib/systemd/system/rmilter.service:
[Service]
ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n
ExecReload=/bin/kill -USR1 $MAINPID
User=_rmilter
RuntimeDirectory=rmilter
RuntimeDirectoryMode=0755
+Restart=always
- So let's try again
systemctl start rmilter.service
# Warning: Unit file of rmilter.service changed on disk, 'systemctl daemon-reload' recommended.
systemctl daemon-reload
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: active (running) since Wed 2016-07-20 18:21:45 CEST; 53s ago
# Main PID: 24895 (rmilter)
# CGroup: /system.slice/rmilter.service
# └─24895 /usr/sbin/rmilter -c /etc/rmilter.conf -n
#
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: main: starting rmilter version 1.8.6, listen on fd:3
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: reload_thread: starting...
- Created a new bug report issue #133.
- Rspamd
- Install
apt-get install rspamd
- ... it already fails
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
# Loaded: loaded (/lib/systemd/system/rspamd.socket; enabled)
# Active: failed (Result: resources)
# Listen: [::]:11333 (Stream)
# [::1]:11334 (Stream)
#
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: rspamd.socket failed to listen on sockets: Cannot assign requested address
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Failed to listen on rapid spam filtering system.
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Unit rspamd.socket entered failed state.
- Actually problem comes from /etc/sysctl.d/local.conf, where we disabled ipv6. If we enable it back:
# Disable IPv6
-net.ipv6.conf.all.disable_ipv6 = 1
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.lo.disable_ipv6 = 1
-net.ipv6.conf.eth0.disable_ipv6 = 1
+net.ipv6.conf.all.disable_ipv6 = 0
+net.ipv6.conf.default.disable_ipv6 = 0
+net.ipv6.conf.lo.disable_ipv6 = 0
+net.ipv6.conf.eth0.disable_ipv6 = 0
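Review bot: flipping all four disable_ipv6 sysctls back to 0 re-enables IPv6 on every interface, eth0 included, only so that rspamd.socket can bind [::1]:11334; every daemon bound to the wildcard address then becomes reachable over IPv6 as well, without the firewall rules written for IPv4. The narrower fix is the one applied to the socket unit further down (listen on 127.0.0.1 only); if IPv6 does get re-enabled, add matching ip6tables rules at the same time.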
Now it works
systemctl start rspamd.socket
Alternatively, if we want to keep ipv6 disabled, we need to edit systemd file /lib/systemd/system/rspamd.socket as follows
--- rspamd.socket 2016-06-20 13:55:00.000000000 +0200
+++ rspamd.socket.old 2016-07-20 19:44:18.165848297 +0200
@@ -2,9 +2,10 @@
Description=rapid spam filtering system
[Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
-BindIPv6Only=both
+BindIPv6Only=ipv6-only
+ListenStream=127.0.0.1:11333
+ListenStream=127.0.0.1:11334
+KeepAlive=true
[Install]
WantedBy=sockets.target
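Review bot: the ---/+++ headers are the wrong way round for what the sentence above describes: rspamd.socket.old is shown as the new file, yet the + lines carry the intended 127.0.0.1 listeners, so anyone feeding this to patch gets the reverse edit; regenerate it with diff -u rspamd.socket.old rspamd.socket. Separately, BindIPv6Only=ipv6-only has no effect on the two IPv4 ListenStream= addresses added here (it only constrains IPv6 sockets) and KeepAlive=true is unrelated to the IPv6 problem, so both lines can go.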
and reload rspamd:
systemctl daemon-reload
systemctl start rspamd.socket
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
- Note that rspamd.service is not started by default. It is started on demand. To start it:
rspamc -h ::1:11334 stat
Note that the following fails
rspamc stat
rspamc -h 127.0.0.1:11334 stat
This is because rspamd only listens on the IPv6 interface:
netstat -lpn|grep 1133
# tcp6 0 0 :::11333 :::* LISTEN 1/init
# tcp6 0 0 ::1:11334 :::* LISTEN 1/init
cat /lib/systemd/system/rspamd.socket
#[Unit]
#Description=rapid spam filtering system
#
#[Socket]
#ListenStream=11333
#ListenStream=[::1]:11334
#BindIPv6Only=both
#
#[Install]
#WantedBy=sockets.target
To install rspamd webgui on https, we use apache2 as reverse proxy ([8],[9],[10])
- Note
- FIX: the following works only if we change the sockets rspamd listens to in file /lib/systemd/system/rspamd.socket:
[Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
+ListenStream=127.0.0.1:11333
+ListenStream=0.0.0.0:11334
<IfModule mod_ssl.c>
<VirtualHost *:443>
+ # We don't need forward proxy, so let's disable it
+ ProxyRequests Off
+
+ <Location /rspamd/>
+ ProxyPass http://localhost:11334/
+ ProxyPassReverse http://localhost:11334/
+ Order deny,allow
+ Allow from all
+ </Location>
</VirtualHost>
</IfModule>
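Review bot: Order deny,allow / Allow from all is Apache 2.2 access-control syntax that 2.4 only honours through mod_access_compat; inside this Location use Require all granted, or simply rely on the Require valid-user added in the next block, which replaces it. Since this publishes the rspamd control GUI to the whole internet behind a single password, combining Require valid-user with Require ip for the admin addresses is worth considering. The socket change above this hunk also moves 11334 from [::1] to 0.0.0.0, which exposes the unauthenticated controller port directly; ProxyPass to localhost only needs 127.0.0.1:11334.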
Note:
- Module proxy_http is necessary to fix the error
... AH01144: No protocol handler was valid for the URL /rspamd/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
- Mind the trailing slash in <Location /rspamd/>, to match the trailing one in the ProxyPass and ProxyPassReverse addresses. A mismatch fails with an error(NULL) message.
Install the necessary modules and restart apache:
a2enmod proxy
a2enmod proxy_http
a2enmod headers
service apache2 restart
- To add HTTPS password:
<IfModule mod_ssl.c>
<VirtualHost *:443>
<Location /rspamd/>
+ AuthType Basic
+ AuthName "mail.noekeon.org Rspamd webgui"
+ AuthUserFile /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd
+ Require valid-user
</Location>
</VirtualHost>
</IfModule>
- Create the password, and don't forget to change ownership:
htpasswd -c -s /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd rspamd
chown www-data:www-data /etc/apache2/*.passwd
chmod 644 /etc/apache2/*.passwd
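The password file above is created with htpasswd -s, which stores an unsalted SHA-1 digest, and is then made world-readable with chmod 644. apache2-utils' htpasswd also offers -B (bcrypt), and the file only needs to be readable by the web server's group. The helper below is an added example, not the wiki's commands; it assumes the web server runs as www-data (as on this Debian box) and that htpasswd is installed.

```bash
#!/bin/bash
# Added example, not the wiki's commands: keep the Basic-auth file for the
# rspamd GUI bcrypt-hashed (htpasswd -B) and readable by the web server group
# only, instead of SHA-1 (htpasswd -s) and mode 644.
set -u

# passwd_file_mode_ok FILE -> 0 when the "other" permission class has no bits set
passwd_file_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;   # last octal digit is the world/other class
        *)  return 1 ;;
    esac
}

# lock_down_passwd_file FILE -> mode 640; owner root, group www-data when run as root
lock_down_passwd_file() {
    chmod 640 "$1" || return 1
    if [ "$(id -u)" = 0 ] && getent group www-data >/dev/null; then
        chown root:www-data "$1"
    fi
}

# add_gui_user FILE USER -> prompts for the password, stores a bcrypt hash,
# then locks the file down (creates FILE on first use)
add_gui_user() {
    local file="$1" user="$2"
    if [ -e "$file" ]; then
        htpasswd -B "$file" "$user"
    else
        htpasswd -c -B "$file" "$user"
    fi
    lock_down_passwd_file "$file"
}

# Usage on the server (as root):
#   add_gui_user /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd rspamd
#   passwd_file_mode_ok /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd && echo ok
```

Apache reads AuthUserFile as www-data, so root:www-data with mode 640 is enough; passwd_file_mode_ok is a quick check to run after any hand edit of the file.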
Final configuration, everything works:
- /lib/systemd/system/rmilter.socket
[Unit]
Description=Another sendmail milter for different mail checks
[Socket]
ListenStream=127.0.0.1:9900
SocketUser=_rmilter
SocketGroup=adm
SocketMode=660
[Install]
WantedBy=sockets.target
- /lib/systemd/system/rspamd.socket
[Unit]
Description=rapid spam filtering system
[Socket]
ListenStream=127.0.0.1:11333
ListenStream=127.0.0.1:11334
BindIPv6Only=both
[Install]
WantedBy=sockets.target
- /lib/systemd/system/rspamd.service
[Unit]
Description=rapid spam filtering system
After=nss-lookup.target
[Service]
ExecStart=/usr/bin/rspamd -c /etc/rspamd/rspamd.conf -f
User=_rspamd
RuntimeDirectory=rspamd
RuntimeDirectoryMode=0755
Restart=always
[Install]
WantedBy=multi-user.target
- Better configuration
- No need to edit /lib/systemd files. See issue #748 on GitHub.
- Debugging
# testing new rmilter/rspam config. Edit systemd settings, then
# If changing /lib/systemd files, must do:
systemctl daemon-reload
# then
systemctl stop rspamd.socket rspamd.service rmilter.socket rmilter.service
systemctl start rmilter.socket rspamd.socket
# To disable ipv6:
echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
/etc/init.d/networking restart
# ... or via /etc/sysctl.d/local.conf
- Logging
We have the choice between
- console logging (sent to /var/log/syslog)
- But this generates a lot of spam for logcheck when the log is at info level.
- file logging (to /var/log/rspamd/rspamd.log)
- But we lose the message timestamp.
To configure file logging, edit file /etc/rspamd.conf:
@@ -24,7 +24,8 @@ options {
}
logging {
- type = "console";
+ type = "file";
+ filename = "$LOGDIR/rspamd.log";
systemd = true;
.include "$CONFDIR/logging.inc"
.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"
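Review bot: systemd = true; is kept while type switches to "file"; that flag tells rspamd that journald will add the timestamps, so it omits its own, which is exactly the missing timestamp the list above complains about for file logging. Set systemd = false; next to type = "file"; and, as the .include lines in the hunk show, put the override in local.d/logging.inc rather than editing /etc/rspamd.conf itself, so the next package upgrade does not clobber it.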
Currently, I go for logging to console, with a logcheck filter that ignores all its rules (basically ignore all messages). This may change pending an update on GitHub issue #1496.
- Rmilter 1.10
- Latest version of Rmilter is 1.10, but Debian only distributes a very old release.
- I could not find the package I used the first time, so I have to rebuild it.
https://github.com/vstakhov/rmilter/archive/1.10.0.tar.gz
apt-get build-dep rmilter
apt install fakeroot dh-systemd libglib2.0-dev
cd rmilter-1.10.0/
vi debian/changelog # Create a new entry with version "1.10.0-4~jessie", release "jessie"
dpkg-buildpackage -rfakeroot -b
- Add blacklist filter
- Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
- multimap doc: https://rspamd.com/doc/modules/multimap.html
diff --git a/rspamd/local.d/groups.conf b/rspamd/local.d/groups.conf
new file mode 100644
index 0000000..448fa8d
--- /dev/null
+++ b/rspamd/local.d/groups.conf
@@ -0,0 +1,39 @@
+# local.d/groups.conf
+# see local.d/multimap.conf for mappings
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+
+group "multimap" {
+ symbols = {
+ # Blacklists
+ "LOCAL_BL_FROM" {
+ weight = 3.0;
+ description = "Sender FROM listed in local blacklist";
+ }
+ "LOCAL_BL_IP" {
+ weight = 3.0;
+ description = "Sender IP listed in local blacklist";
+ }
+ "LOCAL_BL_RCPT" {
+ weight = 3.0;
+ description = "Recipient listed in local blacklist";
+ }
+ # Whitelists
+ "LOCAL_WL_DOMAIN" {
+ weight = -5;
+ description = "Domain listed in local whitelist";
+ }
+ "LOCAL_WL_FROM" {
+ weight = -5;
+ description = "Sender FROM listed in local whitelist";
+ }
+ "LOCAL_WL_IP" {
+ weight = -5;
+ description = "Sender IP listed in local whitelist";
+ }
+ "LOCAL_WL_RCPT" {
+ weight = -5;
+ description = "Recipient listed in local whitelist";
+ }
+ }
+}
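Review bot: the symbol list covers seven rules, but the companion multimap.conf in the next hunk declares eight: local_bl_domain (prefilter, action = "reject") has no entry here, so a domain hit never shows up in this group's scoring at all. Also check the weights on purpose: whitelists at -5 outweigh blacklists at 3.0, so a sender listed on both LOCAL_BL_IP and LOCAL_WL_IP nets -2 and is treated as whitelisted.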
diff --git a/rspamd/local.d/multimap.conf b/rspamd/local.d/multimap.conf
new file mode 100644
index 0000000..68d0125
--- /dev/null
+++ b/rspamd/local.d/multimap.conf
@@ -0,0 +1,60 @@
+# local.d/multimap.conf
+# see local.d/groups.conf for multimap symbols
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+# Doc: https://rspamd.com/doc/modules/multimap.html
+
+# Blacklists
+local_bl_domain {
+ type = "from";
+ filter = "email:domain";
+ map = "$CONFDIR/maps.d/local_bl_domain.inc";
+ prefilter = true;
+ action = "reject";
+ description = "Blacklisted domain";
+}
+local_bl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_bl_from.inc";
+ symbol = "LOCAL_BL_FROM";
+ description = "Blacklist map for LOCAL_BL_FROM";
+}
+local_bl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_bl_ip.inc";
+ symbol = "LOCAL_BL_IP";
+ description = "Blacklist map for LOCAL_BL_IP";
+}
+local_bl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
+ symbol = "LOCAL_BL_RCPT";
+ description = "Blacklist map for LOCAL_BL_RCPT";
+}
+
+# Whitelists
+local_wl_domain {
+ type = "from";
+ filter = "email:domain:tld";
+ map = "$CONFDIR/maps.d/local_wl_domain.inc";
+ symbol = "LOCAL_WL_DOMAIN";
+ description = "Whitelist map for LOCAL_WL_DOMAIN";
+}
+local_wl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_wl_from.inc";
+ symbol = "LOCAL_WL_FROM";
+ description = "Whitelist map for LOCAL_WL_FROM";
+}
+local_wl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_wl_ip.inc";
+ symbol = "LOCAL_WL_IP";
+ description = "Whitelist map for LOCAL_WL_IP";
+}
+local_wl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
+ symbol = "LOCAL_WL_RCPT";
+ description = "Whitelist map for LOCAL_WL_RCPT";
+}
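Review bot: local_bl_domain combines prefilter = true with action = "reject", which hard-rejects at SMTP time purely on the From domain, before any other rule or whitelist runs; a listed domain can therefore never be rescued by LOCAL_WL_FROM or LOCAL_WL_IP, and a spoofed From is enough to trigger it. Unless that is intended, drop prefilter/action and give it a symbol and weight like the other rules. Note also the different granularity of the two domain rules: filter = "email:domain" here versus "email:domain:tld" in local_wl_domain.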
diff --git a/rspamd/maps.d/local_bl_domain.inc b/rspamd/maps.d/local_bl_domain.inc
new file mode 100644
index 0000000..e33bc14
--- /dev/null
+++ b/rspamd/maps.d/local_bl_domain.inc
@@ -0,0 +1 @@
+nanoenonprofits.org
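Review bot: only maps.d/local_bl_domain.inc is created, yet multimap.conf references seven more files under maps.d/ (local_bl_from.inc, local_bl_ip.inc, local_bl_rcpt.inc and the four local_wl_*.inc maps) that this patch does not add, and rspamd logs an error for each map file it cannot open. Create them in the same commit, empty if need be, or leave the unused rules out until they are populated.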
Mail server - More spam filter
- Look at Pyzor.org (recommended by SpamAssassin, as reported on https://www.mail-tester.com/).
Mail server - SRS
Reference:
We must enable SRS to allow forwarding mail from domains that enabled SPF:
apt-get install postsrsd
We check that it listens to the default ports (10001 and 10002) and uses the correct domain:
systemctl status postsrsd
# ● postsrsd.service - SRS lookup table for Postfix
# Loaded: loaded (/lib/systemd/system/postsrsd.service; enabled)
# Active: active (running) since Mon 2016-09-05 11:53:27 CEST; 2h 11min ago
# Main PID: 11273 (postsrsd)
# CGroup: /system.slice/postsrsd.service
# └─11273 /usr/sbin/postsrsd -f10001 -r10002 -s/etc/postsrsd.secret -X -unobody -c/var/lib/postsrsd -dnoekeon.org
ss -tupan|grep 1000[12]
# tcp LISTEN 0 10 127.0.0.1:10001 *:* users:(("postsrsd",pid=11273,fd=4))
# tcp LISTEN 0 10 127.0.0.1:10002 *:* users:(("postsrsd",pid=11273,fd=5))
Tell postfix to use SRS and reload:
postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
postconf -e "sender_canonical_classes = envelope_sender"
postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
postfix reload
Mail server - Gmail Postmaster tools
- Account registered to night.moore.nm@gmail.com... but never got any data because our volume is probably too small. I can still use this account to test mail forwarding though and see how gmail sees our mail server.
Mail server - DKIM
See Postfix.
Mail server - DMARC
GMail recommends to provide a DMARC policy. See Postfix for guides.
We publish the following DMARC policy
_dmarc.noekeon.org. v=DMARC1; p=quarantine; rua=mailto:webmaster@noekeon.org; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=none
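A typo in either record silently weakens the whole setup (an SPF record that does not start with v=spf1 is ignored, a DMARC record whose v= tag is not first is invalid), so it pays to check the strings before putting them in the zone. The following added example, not part of the wiki, serves both the SPF records in the Mail server section above and the DMARC policy here: spf_check and dmarc_check are pure string checks (no DNS lookup), the DMARC record tested is the wiki's own, and the failing records in the test are constructed.

```bash
#!/bin/bash
# Added example (not from the wiki): sanity-check SPF and DMARC record strings
# before publishing them. No DNS lookups, so it runs offline.
set -u

# spf_check RECORD -> 0 if RECORD starts with v=spf1 and ends with -all or ~all;
# "+all", "?all" or no "all" at all makes the policy useless.
spf_check() {
    local rec="$1" last
    case "$rec" in
        "v=spf1 "*|"v=spf1") ;;
        *) echo "SPF: must start with v=spf1" >&2; return 1 ;;
    esac
    last=${rec##* }
    case "$last" in
        -all|~all) return 0 ;;
        *) echo "SPF: should end with -all or ~all, got '$last'" >&2; return 1 ;;
    esac
}

# dmarc_check RECORD -> prints one tag=value per line; returns 0 only if
# v=DMARC1 is the first tag, p= is present and valid, sp= (if given) is valid
# and pct= (if given) is a number from 0 to 100.
dmarc_check() {
    local rec="$1" first=1 tag val p="" kv
    local IFS=';'
    for kv in $rec; do
        kv=${kv#"${kv%%[![:space:]]*}"}   # trim leading blanks
        kv=${kv%"${kv##*[![:space:]]}"}   # trim trailing blanks
        [ -n "$kv" ] || continue
        tag=${kv%%=*}; val=${kv#*=}
        if [ "$first" = 1 ]; then
            first=0
            if [ "$tag=$val" != "v=DMARC1" ]; then
                echo "DMARC: v=DMARC1 must be the first tag" >&2; return 1
            fi
        fi
        case "$tag" in
            p|sp)
                case "$val" in
                    none|quarantine|reject) if [ "$tag" = p ]; then p=$val; fi ;;
                    *) echo "DMARC: bad $tag=$val" >&2; return 1 ;;
                esac ;;
            pct)
                case "$val" in
                    ''|*[!0-9]*) echo "DMARC: pct must be numeric" >&2; return 1 ;;
                esac
                if [ "$val" -gt 100 ]; then echo "DMARC: pct > 100" >&2; return 1; fi ;;
        esac
        printf '%s=%s\n' "$tag" "$val"
    done
    if [ -z "$p" ]; then echo "DMARC: p= is required" >&2; return 1; fi
}

# The wiki's own records, for a quick self-check: bash dns-check.sh demo
if [ "${1:-}" = "demo" ]; then
    spf_check 'v=spf1 a mx -all' && echo "SPF ok"
    dmarc_check 'v=DMARC1; p=quarantine; rua=mailto:webmaster@noekeon.org; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=none' && echo "DMARC ok"
fi
```

Both functions return non-zero with a one-line reason on stderr, so they drop straight into a pre-publish check such as dmarc_check "$rec" >/dev/null || exit 1.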
Mail server - Miscellaneous
- Postfix complains that it is setuid root:
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command has set-uid root file permissions
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: or the command is run from a set-uid root process
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
- It is not necessary to run procmail as setuid root with postfix [11], so we do:
ls -l /usr/bin/procmail
# -rwsr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail
chmod u-s /usr/bin/procmail
ls -l /usr/bin/procmail
# -rwxr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail
Mail server - guides
Mail server - certbot
We need to add hooks to reload the certificate when certbot renews it (ChatGPT, [12]).
For dovecot:
# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
# #! /bin/bash
# systemctl reload dovecot
# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
For postfix:
# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
# #! /bin/bash
# postfix reload
# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
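Two unconditional hooks reload both daemons on every renewal, including renewals of certificates the mail services never use. As an added example (not the wiki's hooks), the single deploy hook below reloads postfix and dovecot only when the renewed certificate covers the mail hostname, using the RENEWED_DOMAINS and RENEWED_LINEAGE variables certbot exports to deploy hooks. The hostname mail.noekeon.org is an assumption taken from the CNAME and Apache AuthName on this page; change MAIL_HOST if the certificate is issued for another name.

```bash
#!/bin/bash
# Added example, not the wiki's hooks: one certbot deploy hook that reloads
# postfix and dovecot only when a renewed certificate covers the mail host.
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-mail.sh (chmod +x).
set -eu

# Hostname the mail services present in their certificate (assumption).
MAIL_HOST=${MAIL_HOST:-mail.noekeon.org}

# renewed_covers HOST "DOM1 DOM2 ..." -> 0 if HOST is one of the renewed names
renewed_covers() {
    local host="$1" d
    for d in $2; do
        if [ "$d" = "$host" ]; then return 0; fi
    done
    return 1
}

# services_to_reload "DOM1 DOM2 ..." -> prints the units to reload, one per line,
# or nothing when the renewal does not concern the mail host
services_to_reload() {
    if renewed_covers "$MAIL_HOST" "$1"; then
        printf '%s\n' postfix dovecot
    fi
}

main() {
    local svc
    # certbot exports RENEWED_DOMAINS (space separated) and RENEWED_LINEAGE to deploy hooks
    for svc in $(services_to_reload "${RENEWED_DOMAINS:-}"); do
        systemctl reload "$svc"
        logger -t certbot-deploy "reloaded $svc after renewal of ${RENEWED_LINEAGE:-?}"
    done
}

# Act only when run by certbot (or by hand with RENEWED_DOMAINS set);
# sourcing the file merely defines the functions.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    main
fi
```

To test it by hand without waiting for a renewal: RENEWED_DOMAINS="mail.noekeon.org" RENEWED_LINEAGE=/etc/letsencrypt/live/mail.noekeon.org ./reload-mail.sh, then check the journal for the certbot-deploy line.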
Upgrade Kernel (using grub)
- Reinstall grub
- For some reasons the grub install on Debian 8 Jessie was incomplete. There was no /etc/default/grub and folder /etc/grub.d was empty.
- Remove / purge grub and reinstall. When asked, we install to /dev/sda.
# I had a /boot/grub. I pushed it to git:
# cd /boot
# git init
# echo "*-amd64" > .gitignore
# git add -A
# git commit -m "first commit"
apt purge grub-common grub-pc grub2-common # Say yes to remove /boot/grub.
apt install grub-pc # Install to /dev/sda
Upgrade Kernel (using extlinux)
Obsolete: this is now obsolete for Noekeon.org. I'm now using grub again.
Current method (using extlinux):
V=3.16.0-7; for f in initrd.img System.map vmlinuz; do ln -sf $f-$V-amd64 /boot/$f; done
# Same as:
# ln -sf initrd.img-3.16.0-7-amd64 /boot/initrd.img
# ln -sf System.map-3.16.0-7-amd64 /boot/System.map
# ln -sf vmlinuz-3.16.0-7-amd64 /boot/vmlinuz
- Details
Debian image is booted with extlinux (so no grub nor lilo). I don't remember selecting this, so maybe it came pre-installed in the OVH debian image.
In any case, a few guides are available:
Some remarks:
- There are two files extlinux.conf, one in /extlinux.conf, and one in /boot/extlinux.conf. According to the guides above, the latter is useless. Of course, that's the one I updated first without any effect ^^.
- Doing extlinux --update /boot/extlinux killed the box. I had to reboot in rescue mode. There I created a few symlinks as indicated below, and restored extlinux with:
for a in dev proc sys run; do mount --bind /$a /mnt/vdb1/$a; done
chroot /mnt/vdb1
cd /boot
ln -sf initrd.img-3.16.0-5-amd64 initrd.img
ln -sf System.map-3.16.0-5-amd64 System.map
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz
vi extlinux/extlinux.conf # Point to symlinks instead - normally this file is not used
cd /
vi extlinux.conf # Point to symlinks instead
extlinux --install / --device /dev/vdb1 # We point to root because that's where the ldlinux.sys files are installed.
As explained in the guide, the easiest is to create symlinks. A few symlinks exist already in /, but these are apparently not used:
lrwxrwxrwx 1 root root 31 Jan  9 20:57 initrd.img -> /boot/initrd.img-3.16.0-5-amd64
lrwxrwxrwx 1 root root 31 Jun  6  2015 initrd.img.old -> /boot/initrd.img-3.16.0-4-amd64
lrwxrwxrwx 1 root root 27 Jan  9 20:57 vmlinuz -> boot/vmlinuz-3.16.0-5-amd64
lrwxrwxrwx 1 root root 27 Jun  6  2015 vmlinuz.old -> boot/vmlinuz-3.16.0-4-amd64
Instead, we create symlinks in /boot:
<source lang=bash>
cd /boot
ln -sf initrd.img-3.16.0-5-amd64 initrd.img
ln -sf System.map-3.16.0-5-amd64 System.map
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz
</source>
We edit /extlinux.conf to point to our symlinks instead:
<source lang=text>
default linux
timeout 1
label linux
kernel boot/vmlinuz
append initrd=boot/initrd.img root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet
</source>
In principle, the symlinks will be updated at the next kernel upgrade. Let's see if that happens next time!
==== Upgrade to 3.16.0-6 ====
Symlinks were not updated automatically. Instead I did:
<source lang=bash>
cd /boot
ln -sf initrd.img-3.16.0-6-amd64 initrd.img
ln -sf System.map-3.16.0-6-amd64 System.map
ln -sf vmlinuz-3.16.0-6-amd64 vmlinuz
</source>
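The symlink refresh above is done by hand after each kernel upgrade. As an added example (not from this wiki page), here is a small POSIX shell script that does the same for the newest kernel in /boot, but refuses to relink when one of the three files is missing and checks that the paths in /extlinux.conf still resolve, so a dangling link cannot make the box unbootable again. The function names and the BOOTDIR/ROOT parameters are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names and the
# BOOTDIR/ROOT parameters are assumptions of this example.

# newest_kernel_version BOOTDIR -> highest version suffix among vmlinuz-*
newest_kernel_version() {
    bootdir=${1:-/boot}
    ls "$bootdir" | sed -n 's/^vmlinuz-//p' | sort -V | tail -n 1
}

# update_kernel_symlinks BOOTDIR VERSION
# Refresh vmlinuz, initrd.img and System.map only if all three targets
# exist, so a half-installed kernel never becomes the extlinux default.
update_kernel_symlinks() {
    bootdir=$1; v=$2
    for f in vmlinuz initrd.img System.map; do
        if [ ! -f "$bootdir/$f-$v" ]; then
            echo "refusing to relink: $bootdir/$f-$v is missing" >&2
            return 1
        fi
    done
    for f in vmlinuz initrd.img System.map; do
        ln -sf "$f-$v" "$bootdir/$f"   # relative target, as on the page
    done
}

# check_extlinux_conf CONF ROOT
# Every "kernel" path and "initrd=" value in CONF is relative to the
# filesystem root; verify each one resolves to a real file under ROOT.
check_extlinux_conf() {
    conf=$1; root=${2:-/}
    awk '$1 == "kernel" { print $2 }
         /initrd=/ { sub(/.*initrd=/, ""); sub(/ .*/, ""); print }' "$conf" |
    while read -r p; do
        if [ ! -f "$root/$p" ]; then
            echo "$conf: $p does not resolve under $root" >&2
            exit 1   # fails the pipeline, so the function returns 1
        fi
    done
}

# Typical use on the live box (as root):
#   v=$(newest_kernel_version /boot) && update_kernel_symlinks /boot "$v" \
#     && check_extlinux_conf /extlinux.conf /
```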
=== Needrestart ===
Install the package needrestart, which automatically tells you when some services must be restarted (it is an improved checkrestart).
=== Roundcube ===
<source lang=bash>
apt install roundcube roundcube-plugins-extra roundcube-plugins php-zip
</source>
==== Enable plugins ====
* archive
* zipdownload
* fail2ban
=== Troubleshooting ===
==== Google GMail - 421-4.7.0 blacklisting ====
See Mail server.
==== Postfix rejects authenticated smtp requests ====
We get errors like:
<source lang=text>
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: warning: hostname ip56569158.adsl-surfen.hetnet.nl does not resolve to address 86.86.145.88: Name or service not known
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: connect from unknown[86.86.145.88]
Oct 1 11:10:06 ober rmilter[327]: <06b5ccdd32>; accepted connection from ober.noekeon.org; client: 86.86.145.88:49276 ([86.86.145.88])
Oct 1 11:10:06 ober postfix/submission/smtpd[25903]: NOQUEUE: reject: EHLO from unknown[86.86.145.88]: 450 4.7.1 <joans-mbp.home>: Helo command rejected: Host not found; proto=SMTP helo=<joans-mbp.home>
</source>
The error code is 450. Searching in the Postfix configuration doc [13], we see it is related to the setting reject_unknown_helo_hostname.
We tried to fix it in main.cf with:
-smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unknown_helo_hostname,
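Review bot: this main.cf change cannot help for the case in the log above, because the rejection is logged at the EHLO stage (`reject: EHLO from unknown[...]`), i.e. before the client has sent AUTH; at that point `permit_sasl_authenticated` has nothing to match, evaluation falls through to `reject_unknown_helo_hostname`, and the result is the same as before. The HELO hostname check therefore has to be relaxed for the submission service itself (the master.cf override that follows), not reordered in main.cf.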
But it has no effect. In fact we must change the parameters of the smtpd/submission daemon listening on port 587. Edit master.cf:
diff --git a/postfix/master.cf b/postfix/master.cf
index ed305ce..61cd090 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -20,6 +20,7 @@ submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
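Review bot: the `-o` lines of the `submission` entry, including the added `smtpd_helo_restrictions` override, appear here without leading whitespace; in master.cf every `-o` line must be indented as a continuation of the service line, otherwise Postfix parses it as a new service entry and the master daemon refuses to start. After editing, confirm the override is attached to the right service with `postconf -M submission/inet`. Note also that the new list ends in `permit` (unless the line is cut off in this view), so any syntactically valid HELO name is now accepted on port 587; that is only safe because the same entry keeps `smtpd_sasl_auth_enable=yes` and a recipient restriction of `permit_mynetworks,permit_sasl_authenticated,reject`, which still refuses relaying for unauthenticated clients.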
=== ovhn - Fix 'org.freedesktop.login1 timed out' messages and slow login ===
We get many messages like:
<source lang=text>
Apr 29 06:44:12 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:44:37 ober sshd[25336]: pam_systemd(sshd:session): Failed to create session: Activation of org.freedesktop.login1 timed out
Apr 29 06:44:37 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out
</source>
Going backward, we find the following events:
<source lang=text>
Apr 29 06:33:05 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out
Apr 29 06:33:30 ober systemd-logind[23727]: Failed to abandon session scope: Transport endpoint is not connected
Apr 29 06:33:30 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out
</source>
This seems linked to an ssh session:
<source lang=bash>
ag 17082 /var/log
# /var/log/auth.log
# 7:Apr 29 06:29:44 ober sshd[17082]: Accepted publickey for baas from 164.129.115.76 port 27528 ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b
# 8:Apr 29 06:29:44 ober sshd[17082]: pam_unix(sshd:session): session opened for user baas by (uid=0)
# 24:Apr 29 06:33:05 ober sshd[17082]: pam_unix(sshd:session): session closed for user baas
# 25:Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out
</source>
Additionally, logging in to the system is very slow.
==== Troubleshooting ====
We find a similar issue on RedHat support [14].
The issue might be an ''abandoned'' user session:
<source lang=bash>
systemctl | grep 'of user'| grep 'abandoned'
# session-2.scope loaded active abandoned Session 2 of user baas
</source>
Accordingly, the fix is to remove the session files:
<source lang=bash>
ls /run/systemd/system/
# session-2.scope.d/ session-2.scope session-4322.scope
rm -rf /run/systemd/system/session-2.scope*
systemctl daemon-reexec
</source>
... but to no avail. Finally we reboot the system:
<source lang=bash>
reboot
</source>
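As an added example (not from this wiki page), the two manual checks above, finding the sshd session whose pam_systemd release timed out and finding the abandoned session scope, can be scripted so the condition is spotted from a copy of auth.log and of plain `systemctl` output before logins start to hang. The function names and the file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names and the input
# file arguments are assumptions of this example; both functions read
# a saved copy of the respective output so they can run anywhere.

# stuck_ssh_sessions AUTHLOG
# Prints "pid user" for every sshd[pid] that logged "session closed for
# user X" and afterwards "Failed to release session" (the pattern seen
# for sshd[17082] above).
stuck_ssh_sessions() {
    awk '
        match($0, /sshd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)   # digits inside sshd[...]
            if ($0 ~ /session closed for user/) {
                n = split($0, w, " "); user[pid] = w[n]  # user name is the last word
            }
            if ($0 ~ /Failed to release session/ && (pid in user))
                print pid, user[pid]
        }' "$1"
}

# abandoned_scopes SYSTEMCTL_OUTPUT
# Prints the session scope units whose SUB column is "abandoned",
# i.e. what "systemctl | grep of user | grep abandoned" shows by hand.
abandoned_scopes() {
    awk '$1 ~ /^session-[0-9]+\.scope$/ && $4 == "abandoned" { print $1 }' "$1"
}

# Typical use on the live box:
#   stuck_ssh_sessions /var/log/auth.log
#   systemctl > /tmp/units.txt && abandoned_scopes /tmp/units.txt
```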