Configuration Noekeon.org: Difference between revisions
Revision as of 16:32, 20 July 2016
Domain
Tentative zone file for the migration to OVH:
- HTTP web site served by my OVH server immie.org.
- HTTPS still served by Priorweb.be.
- Mail for the domain noekeon.org served by Priorweb.be.
- Mail for the domain test.noekeon.org served by the OVH server immie.org.
; @ = noekeon.org
; A - AAAA records
* 10800 IN A 91.134.134.85
ftp 10800 IN A 62.182.63.46
kiwi 10800 IN A 62.182.63.48
localhost 10800 IN A 127.0.0.1
@ 10800 IN A 62.182.63.46
prime 10800 IN A 91.134.134.85
; CNAME records
mail 10800 IN CNAME mail.priorweb.be.
mail.test 10800 IN CNAME prime
pop 10800 IN CNAME pop.priorweb.be.
smtp 10800 IN CNAME smtp.priorweb.be.
; MX records
@ 10800 IN MX 10 mx10.priorweb.be.
@ 10800 IN MX 20 mx20.priorweb.be.
@ 10800 IN MX 30 mx30.priorweb.be.
test 10800 IN MX 10 prime
Original zone on OVH (with minimal entries):
$TTL 3600
@ IN SOA dns105.ovh.net. tech.ovh.net. (2016070301 86400 3600 3600000 300)
IN NS ns105.ovh.net.
IN NS dns105.ovh.net.
IN MX 1 redirect.ovh.net.
IN A 213.186.33.5
IN TXT "1|www.noekeon.org"
www IN MX 1 redirect.ovh.net.
www IN A 213.186.33.5
www IN TXT "3|welcome"
www IN TXT "l|fr"
PriorWeb Hints and Tips
- MySQL
- MySQL Host Name:
- Use the generic name mysqlhost as MySQL host name in PHP scripts (as suggested by Priorweb's control panel)
$db_host="mysqlhost";
- Create a new database:
- Use the Priorweb's Control Panel.
- Copy database:
- First create the new database using Priorweb's Control Panel.
- Second, go to Priorweb's phpMyAdmin page
- Select database to backup
- From the menu above, choose Operations, then Copy Database To.
- Uncheck CREATE DATABASE before copying, and check Add AUTO_INCREMENT value (no idea if that's necessary, but it is selected on the Export page), then click Go.
- Backup a database - Using phpMyAdmin:
- Go to Priorweb's phpMyAdmin page
- Select database to backup
- From menu above, select EXPORT, select export in SQL format, export Structure and Data, choose a compression method (e.g. gzipped), click Go
- Restoring a database - Using phpMyAdmin:
- Go to Priorweb's phpMyAdmin page
- Select database to restore
- QUESTION: Do we have to delete the content of the database before importing???
- Backup / Restore using command-line:
Miki's Kiwi Wiki
See dedicated page.
Miki's ToDoList
- Based on small PHP application MyToDoList PHP from Antonio Lupetti
- Home page here
- Download & unzip todolist.zip to ftp://daemenj@ftp.noekeon.org/opt/www/daemenj/web/kiwi.noekeon.org/miki/todo
cd ~/kiwi.noekeon.org/miki/todo
unzip todolist.zip
mv todolist/* .
rmdir todolist
#Now remove garbage files...
find . -name _notes -type d -prune -exec rm -r {} +     # -prune stops find descending into a directory it is about to delete
find . -name __MACOSX -type d -prune -exec rm -r {} +
- Edit file dbconnection.php
$db_host="mysqlhost";
$db_name="mikido";
$username="miki";
$password="********";
- Go to Priorweb control panel, MySQL section, and creates new user/database:
- username: miki
- pwd: ********
- database: mikido
- Browse to https://kiwi.noekeon.org/miki/todo/createDBtable.php. The table is created. Once it has run, remove or protect createDBtable.php: left in place, anyone who can reach the URL can run it again.
- Create a .htaccess file (and check there is no AllowOverride None statement covering this directory in Apache's httpd.conf, otherwise the file is ignored):
DirectoryIndex todolist.php
- Now you can visit https://kiwi.noekeon.org/miki/todo/. Create a user first, before creating a task. Note that you must refresh the page (F5) first, otherwise the drop-down list is not refreshed and the page generates an error.
Shell
- In the following notes, ~ refers to original home directory /opt/www/daemenj/web.
- bash shell resource file in ~/private/mip.bashrc:
#! /bin/bash
# Clever trick because we cannot write in /opt/www/daemenj/web...
# ... move HOME to private directory so that all commands fetch their configuration file there
export HOME=/opt/www/daemenj/web/private
# Ignore some controlling instructions
export HISTIGNORE="[ ]*:&:bg:fg:exit"
# Aliases
# #######
alias grep='grep --color' # show differences in colour
# Some shortcuts for different directory listings
eval `dircolors -b ~/.dircolors.cfg`
alias ls='ls -F --color=auto' # classify files in colour
alias ll='ls -l' # long list
alias la='ls -A' # all but . and ..
alias l='ls -lA' #
alias dir='ls --format=vertical'
alias vdir='ls --format=long'
- Resource file for vim ~/private/.vimrc:
syntax enable
set bg=light
set number
nnoremap j h
nnoremap l j
"nnoremap k k
nnoremap m l
nnoremap h m
vnoremap j h
vnoremap l j
"vnoremap k k
vnoremap m l
vnoremap h m
- Directory colors ~/private/.dircolors.cfg:
# Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.
# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.
# Below, there should be one TERM entry for each termtype that is colorizable
TERM linux
TERM linux-c
TERM mach-color
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cygwin
TERM dtterm
TERM mlterm
TERM putty
TERM xterm
TERM xterm-color
TERM xterm-debian
TERM rxvt
TERM rxvt-unicode
TERM screen
TERM screen-bce
TERM screen-w
TERM vt100
TERM Eterm
# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 36 # symbolic link. (If you set this to 'target' instead of a
# numerical value, the color is as for the file pointed to.)
FIFO 40;33 # pipe
SOCK 35 # socket
DOOR 35 # door
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file
# This is for files with execute permission:
EXEC 32
# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
# If you use DOS-style suffixes, you may want to uncomment the following:
#.cmd 32 # executables (bright green)
#.exe 32
#.com 32
#.btm 32
#.bat 32
.tar 01;31 # archives or compressed (bright red)
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z 01;31
.Z 01;31
.gz 01;31
.bz2 01;31
.deb 01;31
.rpm 01;31
.jar 01;31
# image formats
.jpg 35
.jpeg 35
.gif 35
.bmp 35
.pbm 35
.pgm 35
.ppm 35
.tga 35
.xbm 35
.xpm 35
.tif 35
.tiff 35
.png 35
.mov 35
.mpg 35
.mpeg 35
.avi 35
.fli 35
.gl 35
.dl 35
.xcf 35
.xwd 35
# audio formats
.flac 35
.mp3 35
.mpc 35
.ogg 35
.wav 35
Cron
This is the crontab file on noekeon.org. Install it with crontab -u daemenj crontab.
# use /bin/bash to run commands, instead of the default /bin/sh
SHELL=/bin/bash
# mail any output to 'michael.peeters@noekeon.org', no matter whose crontab this is
MAILTO="michael.peeters@noekeon.org"
#
#
# m h dom mon dow command (dow=0|7 is sunday)
33 8 * * * ~daemenj/private/changemonitor/monitor-all.sh >/dev/null 2>/dev/null
Server Install OVH
Spam filter
- Candidates
- SpamAssassin (SA)
- The default standard.
- Some installation guides [1].
- DSpam
- Excellent track record, but unfortunately no longer maintained.
- Some installation guides [2], [3], [4]
- Rspamd
- A new system.
Mail server
- master.cf
- master.cf lists the services Postfix runs. The relevant entries (line breaks restored; a continuation line starts with whitespace):
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtp
this is the usual SMTP service on port 25, used by other SMTP servers to deliver mail to us.
submission
this is the "secure" SMTP service on port 587, used by mail clients to send new mail: TLS is mandatory (smtpd_tls_security_level=encrypt), clients must authenticate through Dovecot's SASL socket, and the recipient restrictions end in reject so that an unauthenticated client cannot relay. Note that -o denotes configuration settings that override those in main.cf for this service only.
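The override mechanism is easy to get wrong by hand, so here is an added example (not code from this page or from Postfix) that parses a master.cf excerpt, layers each service's -o settings on top of main.cf the way Postfix does, and audits the submission service for the three settings that keep it from becoming an open relay. The master.cf text, the weakened variant and the main.cf values are constructed for the example; the function names are my own.

```python
"""Added example (not from the wiki page or Postfix): parse a master.cf
excerpt, layer each service's '-o' overrides on top of main.cf the way
Postfix does, and audit the submission service for the settings that keep
it from becoming an open relay."""

# Constructed master.cf excerpt reproducing the two services on the page.
MASTER_CF = """\
# service    type  private unpriv  chroot  wakeup  maxproc command + args
smtp         inet  n       -       -       -       -       smtpd
submission   inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
"""

# Constructed weak variant: TLS merely optional, and a restriction list that
# ends in a permit, so any client on the internet may relay through port 587.
WEAK_MASTER_CF = (MASTER_CF
                  .replace("smtpd_tls_security_level=encrypt", "smtpd_tls_security_level=may")
                  .replace("permit_mynetworks,permit_sasl_authenticated,reject",
                           "permit_mynetworks,permit"))

# main.cf values the overrides are layered on.  Assumed for the example; they
# are also Postfix's built-in defaults for these three parameters.
MAIN_CF = {
    "smtpd_tls_security_level": "",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_recipient_restrictions": "",
}


def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "overrides": {...}}}.
    A line that starts with whitespace continues the previous service entry.
    (Values containing whitespace, written with { } in newer Postfix, are not handled.)"""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0] not in " \t":
            if len(fields) < 8:
                raise ValueError("malformed service line: %r" % raw)
            current = services[fields[0]] = {"type": fields[1], "command": fields[7], "overrides": {}}
            fields = fields[8:]
        elif current is None:
            raise ValueError("continuation line before any service: %r" % raw)
        tokens = iter(fields)
        for tok in tokens:
            if tok == "-o":
                key, _, value = next(tokens, "").partition("=")
                if key:
                    current["overrides"][key] = value
    return services


def effective_config(service, main_cf):
    """The parameters a service actually runs with: main.cf, then its -o overrides."""
    return {**main_cf, **service["overrides"]}


def audit_submission(services, main_cf):
    """Return a list of findings for the submission service; empty means it looks sane."""
    if "submission" not in services:
        return ["no submission service defined"]
    cfg = effective_config(services["submission"], main_cf)
    findings = []
    if cfg.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory on submission (smtpd_tls_security_level=%r)"
                        % cfg.get("smtpd_tls_security_level"))
    if cfg.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled on submission")
    restrictions = [r for r in cfg.get("smtpd_recipient_restrictions", "").split(",") if r]
    if "permit_sasl_authenticated" not in restrictions:
        findings.append("authenticated clients are never explicitly permitted")
    if not restrictions or not restrictions[-1].startswith("reject"):
        findings.append("recipient restrictions do not end in a reject: open relay risk")
    return findings


if __name__ == "__main__":
    for label, text in (("page", MASTER_CF), ("weak", WEAK_MASTER_CF)):
        print(label, audit_submission(parse_master_cf(text), MAIN_CF) or "OK")
```

Run it as is and the page's configuration audits clean while the weakened variant produces three findings; point parse_master_cf at the text of a real master.cf (and fill MAIN_CF from postconf output) to audit a live server.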
- main.cf
- Testing — add soft_bounce = yes when testing a new configuration. This avoids rejecting mail permanently: every REJECT becomes a DEFER (a 4xx reply), so the sending server retries later. Remove it again once the configuration is validated, otherwise rejected spam is only ever deferred and keeps coming back.
# Testing - Uncomment to DEFER instead of REJECT, hence not rejecting mail permanently when testing
soft_bounce = yes
- Debugging — add debug_peer_list to enable verbose logging for connections from the listed peers only.
# Debugging - Uncomment for verbose logging for connections from listed peers
debug_peer_list = 91.134.134.85
- I add to the DNS zone:
noekeon.org.      IN TXT "v=spf1 a mx -all"
ober.noekeon.org. IN TXT "v=spf1 a -all"
*.example.com.    IN TXT "v=spf1 -all"
- The first record says that mail from @noekeon.org must come from the address in noekeon.org's own A record (mechanism a) or from one of its MX hosts (mechanism mx); anything else fails (-all). Note that in the tentative zone above ober.noekeon.org (91.134.134.85) is neither the A record of noekeon.org nor one of its MX hosts, so mail it sends with an @noekeon.org sender fails this check until the MX moves to it or its address is added to the record.
- The second record says that mail identifying itself as ober.noekeon.org (HELO name, or an @ober.noekeon.org sender) is accepted only from the IP address of ober.noekeon.org.
- The third record is meant to say that no other sub-domain or host may send mail. As written it is the placeholder from the SPF documentation: the wildcard only applies to this zone if it is under noekeon.org, and a name that has its own records never matches the wildcard.
- Test the configuration with http://dkimvalidator.com/.
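To see what those three records actually decide, here is an added example (not from this page and not an SPF library) implementing the evaluation for exactly the mechanisms the records use, a, mx and all, against a constructed in-memory DNS table so it runs offline. The noekeon.org and ober.noekeon.org data follow the zone above; the addresses of the priorweb MX hosts are assumptions (TEST-NET-3), the wildcard is written under noekeon.org as the third record needs to be, and spf_check and lookup are my own names.

```python
"""Minimal SPF evaluator for the three records above (added example, not
code from the wiki page or any SPF library).  Only the mechanisms the page
uses are implemented: a, mx and all, with the +/-/~/? qualifiers.  DNS is a
constructed in-memory table so the example runs offline."""
import ipaddress

# Constructed DNS data.  noekeon.org / ober.noekeon.org follow the page's
# zone; the priorweb MX addresses are assumptions (TEST-NET-3 range), and
# the wildcard is placed under noekeon.org, which is what the page's third
# record needs to be for it to apply to this zone.
DNS = {
    "noekeon.org": {
        "A": ["62.182.63.46"],
        "MX": ["mx10.priorweb.be.", "mx20.priorweb.be.", "mx30.priorweb.be."],
        "TXT": ["v=spf1 a mx -all"],
    },
    "ober.noekeon.org": {"A": ["91.134.134.85"], "TXT": ["v=spf1 a -all"]},
    "*.noekeon.org": {"TXT": ["v=spf1 -all"]},
    "mx10.priorweb.be": {"A": ["203.0.113.10"]},
    "mx20.priorweb.be": {"A": ["203.0.113.20"]},
    "mx30.priorweb.be": {"A": ["203.0.113.30"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Records of one type for a name, falling back to the DNS wildcard
    *.<parent> when the exact name does not exist (RFC 1034 section 4.3.3)."""
    name = name.rstrip(".").lower()
    records = DNS.get(name)
    if records is None and "." in name:
        records = DNS.get("*." + name.split(".", 1)[1])
    return (records or {}).get(rtype, [])


def spf_check(client_ip, domain):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    ip = ipaddress.ip_address(client_ip)
    spf = [t for t in lookup(domain, "TXT") if t.split()[0] == "v=spf1"]
    if not spf:
        return "none"          # no policy published: the check is skipped
    if len(spf) > 1:
        return "permerror"     # RFC 7208: several v=spf1 records are an error
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "a":      # the domain's own A record(s)
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(domain, "A"))
        elif term == "mx":     # the A record(s) of each MX host of the domain
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
        else:
            return "permerror" # mechanisms/modifiers this toy does not implement
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "noekeon.org"), ("91.134.134.85", "noekeon.org"),
                    ("91.134.134.85", "ober.noekeon.org"), ("91.134.134.85", "somehost.noekeon.org")]:
        print(f"{ip:>15} as {dom:<22} -> {spf_check(ip, dom)}")
```

The second case in the demo is the one worth noticing: ober.noekeon.org sending as @noekeon.org gets fail from the first record, because the mx mechanism resolves to the priorweb hosts and a to the priorweb web address.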
Rspamd spam filter
- Install guide from rspamd.com.
- Relevant Postfix documentation: see the example configuration.
- Use
soft_bounce = yes
in main.cf to change a REJECT into DEFER, and hence to avoid losing mail when testing.
- To Do
- Use the Spamhaus block list (see the Postfix example in http://www.postfix.org/SMTPD_ACCESS_README.html).
- Rmilter
- Guide: https://rspamd.com/doc/quickstart.html
- Install with
apt-get install rmilter
- We keep the socket-based bind, contrary to what the guide suggests (a Unix socket is not reachable from the network, and access to it is governed by the socket file's permissions). So in main.cf:
# rmilter setup
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
milter_default_action = accept
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
Caveat: milter_default_action = accept fails open. If rmilter is down or unreachable, Postfix accepts the mail unfiltered. Postfix's default is tempfail (the mail is deferred and the sender retries); accept is convenient while setting things up, but decide which one you want once the filter is in production.
- Check the socket. We see it is active and enabled, so it is listening now and is started at boot.
systemctl status rmilter.socket
# ● rmilter.socket - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.socket; enabled)
# Active: active (listening) since Mon 2016-07-18 18:49:22 CEST; 1 day 23h ago
# Listen: /var/run/rmilter/rmilter.sock (Stream)
- Check the service
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: inactive (dead)
- It is disabled, so let's try to start it. (With socket activation this is expected: the unit that is enabled is rmilter.socket, and systemd starts the service itself on the first connection. Starting it by hand just exercises that path early.)
systemctl start rmilter.service
- It fails. We get
systemctl status rmilter.service -l
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: failed (Result: exit-code) since Wed 2016-07-20 17:56:05 CEST; 1min 31s ago
# Process: 24168 ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n (code=exited, status=233/RUNTIME_DIRECTORY)
# Main PID: 24168 (code=exited, status=233/RUNTIME_DIRECTORY)
# Jul 20 17:56:05 ober.noekeon.org systemd[24168]: Failed at step RUNTIME_DIRECTORY spawning /usr/sbin/rmilter: File exists
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: rmilter.service: main process exited, code=exited, status=233/RUNTIME_DIRECTORY
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: Unit rmilter.service entered failed state.
- Let's debug. Where is this runtime directory?
dlocate -L rmilter|xargs grep -id skip runtimedirectory
# /lib/systemd/system/rmilter.service:RuntimeDirectory=rmilter
# /lib/systemd/system/rmilter.service:RuntimeDirectoryMode=0755
- Look for a fix on the internet. Red Hat bug 1226509 (https://bugzilla.redhat.com/show_bug.cgi?id=1226509) suggests adding Restart=always to the [Service] section of /lib/systemd/system/rmilter.service (the + marks the added line):
[Service]
ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n
ExecReload=/bin/kill -USR1 $MAINPID
User=_rmilter
RuntimeDirectory=rmilter
RuntimeDirectoryMode=0755
+Restart=always
Two caveats. First, /lib/systemd/system/rmilter.service belongs to the package and is overwritten on upgrade; the durable place for such a change is a drop-in (systemctl edit rmilter.service, which writes /etc/systemd/system/rmilter.service.d/override.conf). Second, Restart=always only tells systemd to restart rmilter whenever it exits; it does not change how RuntimeDirectory= is set up, so it does not by itself explain why the RUNTIME_DIRECTORY step stops failing. "File exists" at that step most likely means /var/run/rmilter already existed with an owner systemd did not expect: the socket unit creates the directory as root when it binds the socket, whereas the service wants it for User=_rmilter.
- So let's try again
systemctl start rmilter.service
# Warning: Unit file of rmilter.service changed on disk, 'systemctl daemon-reload' recommended.
systemctl daemon-reload
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
# Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
# Active: active (running) since Wed 2016-07-20 18:21:45 CEST; 53s ago
# Main PID: 24895 (rmilter)
# CGroup: /system.slice/rmilter.service
# └─24895 /usr/sbin/rmilter -c /etc/rmilter.conf -n
#
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: main: starting rmilter version 1.8.6, listen on fd:3
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: reload_thread: starting...
Miscellaneous
- Postfix complains that its sendmail command is being run set-uid root (here because it is invoked from procmail, which is set-uid root):
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command has set-uid root file permissions
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: or the command is run from a set-uid root process
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
- It is not necessary to run procmail set-uid root with Postfix [7] (the local delivery agent already runs the mailbox command with the recipient's privileges), so we do:
ls -l /usr/bin/procmail
# -rwsr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail
chmod u-s /usr/bin/procmail
ls -l /usr/bin/procmail
# -rwxr-sr-x 1 root mail 88K Feb 11 2015 /usr/bin/procmail
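Dropping the bit on procmail is one instance of a check worth running over the whole system: which set-uid and set-gid files exist, and which of them are not on a list you have consciously approved. The following is an added example (not from this page) of that audit; it builds its own constructed tree in a temporary directory, with a "procmail" carrying the set-uid bit as on the page before the chmod, so it runs as any user. The function names and the empty allowlist are mine.

```python
"""Added example (not from the wiki page): enumerate set-uid and set-gid
files under a directory tree and report the ones not on an allowlist, which
is the check behind dropping the set-uid bit from procmail.  The demo builds
a constructed tree in a temporary directory so it runs as any user."""
import os
import stat
import tempfile


def find_setid_files(root):
    """Return (path, mode, uid, gid) for every regular file under root that has
    the set-uid or set-gid bit.  Symlinks are not followed (lstat), so a link to
    a set-uid binary elsewhere is not reported a second time."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable: skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid, st.st_gid))
    return hits


def unexpected_setid(root, allowlist):
    """Basenames of set-id files under root that are not in the allowlist,
    the allowlist being the binaries you have decided really need the bit."""
    return sorted(os.path.basename(p) for p, _m, _u, _g in find_setid_files(root)
                  if os.path.basename(p) not in allowlist)


def demo():
    """Constructed tree: a 'procmail' with the set-uid bit (as on the page
    before chmod u-s) and a plain 'sendmail' without it.  Returns the
    findings before and after applying the page's fix to the constructed file."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("procmail", 0o4755), ("sendmail", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)   # set-uid on a file you own needs no privilege
        before = unexpected_setid(root, allowlist=set())
        procmail = os.path.join(bindir, "procmail")
        # The fix from the page, chmod u-s, applied to the constructed file:
        os.chmod(procmail, stat.S_IMODE(os.lstat(procmail).st_mode) & ~stat.S_ISUID)
        after = unexpected_setid(root, allowlist=set())
        return before, after


if __name__ == "__main__":
    print(demo())   # (['procmail'], [])
```

On a real host, call unexpected_setid("/", allowlist) with the set of binaries you expect (sudo, su, passwd and the like) and treat anything else in the output the way the page treats procmail: decide whether it needs the bit, and strip it if not.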