Configuration Noekeon.org: Difference between revisions

From miki
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 668: Line 668:
dpkg-buildpackage -rfakeroot -b
dpkg-buildpackage -rfakeroot -b
</source>
</source>

;Add blacklist filter
* Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
* multimap doc: https://rspamd.com/doc/modules/multimap.html
<source lang="diff">
diff --git a/rspamd/local.d/groups.conf b/rspamd/local.d/groups.conf
new file mode 100644
index 0000000..448fa8d
--- /dev/null
+++ b/rspamd/local.d/groups.conf
@@ -0,0 +1,39 @@
+# local.d/groups.conf
+# see local.d/multimap.conf for mappings
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+
+group "multimap" {
+ symbols = {
+ # Blacklists
+ "LOCAL_BL_FROM" {
+ weight = 3.0;
+ description = "Sender FROM listed in local blacklist";
+ }
+ "LOCAL_BL_IP" {
+ weight = 3.0;
+ description = "Sender IP listed in local blacklist";
+ }
+ "LOCAL_BL_RCPT" {
+ weight = 3.0;
+ description = "Recipient listed in local blacklist";
+ }
+ # Whitelists
+ "LOCAL_WL_DOMAIN" {
+ weight = -5;
+ description = "Domain listed in local whitelist";
+ }
+ "LOCAL_WL_FROM" {
+ weight = -5;
+ description = "Sender FROM listed in local whitelist";
+ }
+ "LOCAL_WL_IP" {
+ weight = -5;
+ description = "Sender IP listed in local whitelist";
+ }
+ "LOCAL_WL_RCPT" {
+ weight = -5;
+ description = "Recipient listed in local whitelist";
+ }
+ }
+}
diff --git a/rspamd/local.d/multimap.conf b/rspamd/local.d/multimap.conf
new file mode 100644
index 0000000..68d0125
--- /dev/null
+++ b/rspamd/local.d/multimap.conf
@@ -0,0 +1,60 @@
+# local.d/multimap.conf
+# see local.d/groups.conf for multimap symbols
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+# Doc: https://rspamd.com/doc/modules/multimap.html
+
+# Blacklists
+local_bl_domain {
+ type = "from";
+ filter = "email:domain";
+ map = "$CONFDIR/maps.d/local_bl_domain.inc";
+ prefilter = true;
+ action = "reject";
+ description = "Blacklisted domain";
+}
+local_bl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_bl_from.inc";
+ symbol = "LOCAL_BL_FROM";
+ description = "Blacklist map for LOCAL_BL_FROM";
+}
+local_bl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_bl_ip.inc";
+ symbol = "LOCAL_BL_IP";
+ description = "Blacklist map for LOCAL_BL_IP";
+}
+local_bl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
+ symbol = "LOCAL_BL_RCPT";
+ description = "Blacklist map for LOCAL_BL_RCPT";
+}
+
+# Whitelists
+local_wl_domain {
+ type = "from";
+ filter = "email:domain:tld";
+ map = "$CONFDIR/maps.d/local_wl_domain.inc";
+ symbol = "LOCAL_WL_DOMAIN";
+ description = "Whitelist map for LOCAL_WL_DOMAIN";
+}
+local_wl_from {
+ type = "from";
+ map = "$CONFDIR/maps.d/local_wl_from.inc";
+ symbol = "LOCAL_WL_FROM";
+ description = "Whitelist map for LOCAL_WL_FROM";
+}
+local_wl_ip {
+ type = "ip";
+ map = "$CONFDIR/maps.d/local_wl_ip.inc";
+ symbol = "LOCAL_WL_IP";
+ description = "Whitelist map for LOCAL_WL_IP";
+}
+local_wl_rcpt {
+ type = "rcpt";
+ map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
+ symbol = "LOCAL_WL_RCPT";
+ description = "Whitelist map for LOCAL_WL_RCPT";
+}
diff --git a/rspamd/maps.d/local_bl_domain.inc b/rspamd/maps.d/local_bl_domain.inc
new file mode 100644
index 0000000..e33bc14
--- /dev/null
+++ b/rspamd/maps.d/local_bl_domain.inc
@@ -0,0 +1 @@
+nanoenonprofits.org
</source>


=== Mail server - More spam filter ===
* Look at [https://www.pyzor.org/en/latest/introduction.html Pyzor.org] (recommended by SpamAssassin, as reported on https://www.mail-tester.com/).


=== Mail server - SRS ===
=== Mail server - SRS ===
Line 731: Line 859:
=== Mail server - guides ===
=== Mail server - guides ===
* https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/
* https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/

=== Mail server - certbot ===
We need to add hooks to reload the certificate when certbot renew them (ChatGPT, [https://serverfault.com/questions/1052433/how-to-get-dovecot-to-reload-an-ssl-certificate-with-minimal-impact]).

For '''dovecot''':
<source lang="bash">
# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh

# #! /bin/bash
# systemctl reload dovecot

# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
</source>

For '''postfix''':
<source lang="bash">
# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh

# #! /bin/bash
# postfix reload

# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
</source>


=== Upgrade Kernel (using grub) ===
=== Upgrade Kernel (using grub) ===
Line 824: Line 981:


Install package [http://www.pontikis.net/tip/?id=35 '''needrestart'''], which automatically tells when some services must be restarted (this is an improved ''checkrestart'').
Install package [http://www.pontikis.net/tip/?id=35 '''needrestart'''], which automatically tells when some services must be restarted (this is an improved ''checkrestart'').

=== Roundcube ===

<source lang="bash">
apt install roundcube roundcube-plugins-extra roundcube-plugins php-zip
</source>

* Enable plugins <code>archive</code>, <code>zipdownload</code>, <code>fail2ban</code>


== Troubleshooting ==
== Troubleshooting ==

Latest revision as of 18:28, 10 April 2024

DNS zone

$TTL 3600
@	IN SOA dns105.ovh.net. tech.ovh.net. (2016090500 86400 3600 3600000 300)
                 IN NS     dns105.ovh.net.
                 IN NS     ns105.ovh.net.
                 IN MX 10  ober.noekeon.org.
                 IN MX 20  prime.immie.org.
                 IN A      91.134.133.203
                 IN TXT    "google-site-verification=PyZv_FR2vhqyGKz00ew_nnf_y_pprEgJt-G5SogqRyM"
             600 IN TXT    "v=spf1 a mx -all"
*                IN A      91.134.133.203
*                IN TXT    "v=spf1 -all"
ftp              IN A      62.182.63.46
imap             IN CNAME  ober.noekeon.org.
localhost        IN A      127.0.0.1
mail             IN CNAME  ober.noekeon.org.
ober             IN A      91.134.133.203
ober             IN TXT    "v=spf1 a -all"
pop              IN CNAME  ober.noekeon.org.
smtp             IN CNAME  ober.noekeon.org.

Original zone on OVH (with minimal entries):

$TTL 3600
@          IN SOA    dns105.ovh.net. tech.ovh.net. (2016070301 86400 3600 3600000 300)
           IN NS     ns105.ovh.net.
           IN NS     dns105.ovh.net.
           IN MX 1   redirect.ovh.net.
           IN A      213.186.33.5
           IN TXT    "1|www.noekeon.org"
www        IN MX 1   redirect.ovh.net.
www        IN A      213.186.33.5
www        IN TXT    "3|welcome"
www        IN TXT    "l|fr"

PriorWeb Hints and Tips

  • MySQL
MySQL Host Name:
  • Use the generic name mysqlhost as MySQL host name in PHP scripts (as suggested by Priorweb's control panel)
$db_host="mysqlhost";
Create a new database:
Copy database:
  • First create the new database using Priorweb's Control Panel.
  • Second, go to Priorweb's phpMyAdmin page
  • Select database to backup
  • From menu above, chooose Operations, and then Copy Database To.
  • Uncheck CREATE DATABASE before copying, and check Add AUTO_INCREMENT value (no idea if that's necessary, but it is selected on the Export page), then click Go
Backup a database - Using phpMyAdmin:
  • Go to Priorweb's phpMyAdmin page
  • Select database to backup
  • From menu above, select EXPORT, select export in SQL format, export Structure and Data, choose a compression method (e.g. gzipped), click Go
Restoring a database - Using phpMyAdmin:
  • Go to Priorweb's phpMyAdmin page
  • Select database to restore
  • QUESTION: Do we have to delete the content of the database before importing???
Backup / Restore using command-line:
  • See procedure used to back-up this wiki here
  • Or see here

Miki's Kiwi Wiki

See dedicated page.

Miki's ToDoList

cd ~/kiwi.noekeon.org/miki/todo
unzip todolist.zip
mv todolist/* .
rmdir todolist
#Now remove garbage files...
find . -name _notes -exec rm -r {} \;            # Ignore errors on directory not found
find . -name __MACOSX -exec rm -r {} \;
  • Edit file dbconnection.php
$db_host="mysqlhost";
$db_name="mikido";
$username="miki";
$password="********";
username: miki
pwd: ********
database: mikido
DirectoryIndex todolist.php
  • Now you can visit https://kiwi.noekeon.org/miki/todo/. Create a user first before creating a task. Note that you must refresh the page (F5) first otherwise drop-down list is not refreshed and page generates an error.

Shell

  • In the following notes, ~ refers to original home directory /opt/www/daemenj/web.
  • bash shell resource file in ~/private/mip.bashrc:
#! /bin/bash

# Clever trick because we cannot write in /opt/www/daemenj/web...
# ... move HOME to private directory so that all commands fetch their configuration file there
export HOME=/opt/www/daemenj/web/private

# Ignore some controlling instructions
export HISTIGNORE="[   ]*:&:bg:fg:exit"

# Aliases
# #######

alias grep='grep --color'                     # show differences in colour

# Some shortcuts for different directory listings
eval `dircolors -b ~/.dircolors.cfg`
alias ls='ls -F --color=auto'					# classify files in colour
alias ll='ls -l'                                                # long list
alias la='ls -A'                                                # all but . and ..
alias l='ls -lA'                                                #
alias dir='ls --format=vertical'
alias vdir='ls --format=long'
  • Resource file for vim ~/private/.vimrc:
syntax enable
set bg=light
set number
nnoremap j h
nnoremap l j
"nnoremap k k
nnoremap m l
nnoremap h m
vnoremap j h
vnoremap l j
"vnoremap k k
vnoremap m l
vnoremap h m
  • Directory colors ~/private/.dircolors.cfg:
# Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.
# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.
# Below, there should be one TERM entry for each termtype that is colorizable
TERM linux
TERM linux-c
TERM mach-color
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cygwin
TERM dtterm
TERM mlterm
TERM putty
TERM xterm
TERM xterm-color
TERM xterm-debian
TERM rxvt
TERM rxvt-unicode
TERM screen
TERM screen-bce
TERM screen-w
TERM vt100
TERM Eterm
# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;34 # directory
LINK 36 # symbolic link. (If you set this to 'target' instead of a
 # numerical value, the color is as for the file pointed to.)
FIFO 40;33 # pipe
SOCK 35 # socket
DOOR 35 # door
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file
# This is for files with execute permission:
EXEC 32
# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
# If you use DOS-style suffixes, you may want to uncomment the following:
#.cmd 32 # executables (bright green)
#.exe 32
#.com 32
#.btm 32
#.bat 32
.tar 01;31 # archives or compressed (bright red)
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z 01;31
.Z 01;31
.gz 01;31
.bz2 01;31
.deb 01;31
.rpm 01;31
.jar 01;31
# image formats
.jpg 35
.jpeg 35
.gif 35
.bmp 35
.pbm 35
.pgm 35
.ppm 35
.tga 35
.xbm 35
.xpm 35
.tif 35
.tiff 35
.png 35
.mov 35
.mpg 35
.mpeg 35
.avi 35
.fli 35
.gl 35
.dl 35
.xcf 35
.xwd 35
# audio formats
.flac 35
.mp3 35
.mpc 35
.ogg 35
.wav 35

Cron

This is the crontab file on noekeon.org. Install it with crontab -u daemenj crontab.

# use /bin/bash to run commands, instead of the default /bin/sh
SHELL=/bin/bash
# mail any output to 'michael.peeters@noekeon.org', no matter whose crontab this is
MAILTO="michael.peeters@noekeon.org"
#
#
# m h dom mon dow    command   (dow=0|7 is sunday)
33 8 * * *            ~daemenj/private/changemonitor/monitor-all.sh >/dev/null 2>/dev/null

Server Install OVH

Mail Transport Agent (MTA)
  • We'll use Postfix for sending and receiving mails.
Spam filtering
  • We'll use Rspamd.
Mail Delivery Agent (MDA)
  • Currently using Procmail for local delivery of mails to user mailboxes, but is no longer maintained [1].
  • But considering moving to Dovecot to use Sieve filtering language.
IMAP/POP3
  • We'll use Dovecot.

Spam filter

Candidates
  • SpamAssassin (SA)
The default standard.
Some installation guides [2].
  • DSpam
Excellent track record, but unfortunately no longer maintained.
Some installation guides [3], [4], [5]
  • Rspamd
A new system.

Mail server

master.cf
  • file master.cf tells which service are running
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  • smtp this is the usual smtp service on port 25. Used by other smtp server to send mail.
submission inet n       -       -       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_wrappermode=no
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
  • submission this is the "secure" smtp service on port used by mail client to send new mail. Note that -o denotes configuration settings that override those in main.cf.
main.cf
  • Testing — add soft_bounce = yes when testing new configuration. This avoids rejecting mail permanently by changing REJECT into DEFER.
# Testing - Uncomment to DEFER instead of REJECT, hence not rejecting mail permanently when testing
soft_bounce = yes
  • Debugging — Add debug_peer_list to enable verbose logging.
# Debugging - Uncomment for verbose logging for connections from listed peers
debug_peer_list = 91.134.134.85
Setup SPF (Syntax, FAQ)
  • I add to the DNS zone:
noekeon.org.       IN  TXT  "v=spf1 a mx -all"
ober.noekeon.org.  IN  TXT  "v=spf1 a -all"
*.example.com.     IN  TXT  "v=spf1 -all"
First line says that all mails from @noekeon.org must come from one of the MX server of noekeon.org domain.
Second line says that mail from server with HELO identification "ober.noekeon.org" must be accepted only if from IP address of server "ober.noekeon.org".
Third rule says that no other sub-domain/server may send email.

Mail server - Rspamd spam filter

  • Install guide from rspam.com
  • Relevant Postfix documentation:
See example configuration.
Use soft_bounce = yes in main.cf to change a REJECT into DEFER, and hence to avoid losing mail when testing.
To Do
  • Use spamhaus black-list (see postfix example)
Rmilter
  • Guide [6]
  • Install with
   apt-get install rmilter
  • We keep the socket-based bind contrary to what guide suggests. So in main.cf:
# rmilter setup
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
milter_default_action = accept
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
  • Check the socket. We see it is active and enabled (at boot so).
systemctl status rmilter.socket
# ● rmilter.socket - Another sendmail milter for different mail checks
#    Loaded: loaded (/lib/systemd/system/rmilter.socket; enabled)
#    Active: active (listening) since Mon 2016-07-18 18:49:22 CEST; 1 day 23h ago
#    Listen: /var/run/rmilter/rmilter.sock (Stream)
  • Check the service
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
#    Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
#    Active: inactive (dead)
  • It is disabled, let's try to start it
systemctl start rmilter.service
  • It fails. We get
systemctl status rmilter.service -l
# ● rmilter.service - Another sendmail milter for different mail checks
#    Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
#    Active: failed (Result: exit-code) since Wed 2016-07-20 17:56:05 CEST; 1min 31s ago
#   Process: 24168 ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n (code=exited, status=233/RUNTIME_DIRECTORY)
#  Main PID: 24168 (code=exited, status=233/RUNTIME_DIRECTORY)

# Jul 20 17:56:05 ober.noekeon.org systemd[24168]: Failed at step RUNTIME_DIRECTORY spawning /usr/sbin/rmilter: File exists
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: rmilter.service: main process exited, code=exited, status=233/RUNTIME_DIRECTORY
# Jul 20 17:56:05 ober.noekeon.org systemd[1]: Unit rmilter.service entered failed state.
  • Let's debug. Where is this runtime directory?
dlocate -L rmilter|xargs grep -id skip runtimedirectory
# /lib/systemd/system/rmilter.service:RuntimeDirectory=rmilter
# /lib/systemd/system/rmilter.service:RuntimeDirectoryMode=0755
  • Look for a fix on internet: Here [7], it suggests to add to /lib/systemd/system/rmilter.service:
 [Service]
 ExecStart=/usr/sbin/rmilter -c /etc/rmilter.conf -n
 ExecReload=/bin/kill -USR1 $MAINPID
 User=_rmilter
 RuntimeDirectory=rmilter
 RuntimeDirectoryMode=0755
+Restart=always
  • So let's try again
systemctl start rmilter.service
# Warning: Unit file of rmilter.service changed on disk, 'systemctl daemon-reload' recommended.
systemctl daemon-reload
systemctl status rmilter.service
# ● rmilter.service - Another sendmail milter for different mail checks
#    Loaded: loaded (/lib/systemd/system/rmilter.service; disabled)
#    Active: active (running) since Wed 2016-07-20 18:21:45 CEST; 53s ago
#  Main PID: 24895 (rmilter)
#    CGroup: /system.slice/rmilter.service
#            └─24895 /usr/sbin/rmilter -c /etc/rmilter.conf -n
# 
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: main: starting rmilter version 1.8.6, listen on fd:3
# Jul 20 18:21:45 ober.noekeon.org rmilter[24895]: reload_thread: starting...
Rspamd
  • Install

apt-get install rspamd

  • ... it already fails
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
#    Loaded: loaded (/lib/systemd/system/rspamd.socket; enabled)
#    Active: failed (Result: resources)
#    Listen: [::]:11333 (Stream)
#            [::1]:11334 (Stream)
# 
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: rspamd.socket failed to listen on sockets: Cannot assign requested address
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Failed to listen on rapid spam filtering system.
# Jul 18 18:49:22 ober.noekeon.org systemd[1]: Unit rspamd.socket entered failed state.
  • Actually problem comes from /etc/sysctl.d/local.conf, where we disabled ipv6. If we enable it back:
 # Disable IPv6
-net.ipv6.conf.all.disable_ipv6 = 1
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.lo.disable_ipv6 = 1
-net.ipv6.conf.eth0.disable_ipv6 = 1
+net.ipv6.conf.all.disable_ipv6 = 0
+net.ipv6.conf.default.disable_ipv6 = 0
+net.ipv6.conf.lo.disable_ipv6 = 0
+net.ipv6.conf.eth0.disable_ipv6 = 0

Now it works

systemctl start rspamd.socket

Alternatively, if we want to keep ipv6 disabled, we need to edit systemd file /lib/systemd/system/rspamd.socket as follows

--- rspamd.socket       2016-06-20 13:55:00.000000000 +0200
+++ rspamd.socket.old   2016-07-20 19:44:18.165848297 +0200
@@ -2,9 +2,10 @@
 Description=rapid spam filtering system
 
 [Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
-BindIPv6Only=both
+BindIPv6Only=ipv6-only
+ListenStream=127.0.0.1:11333
+ListenStream=127.0.0.1:11334
+KeepAlive=true
 
 [Install]
 WantedBy=sockets.target

and reload rspamd:

systemctl daemon-reload
systemctl start rspamd.socket
systemctl status rspamd.socket -l
# ● rspamd.socket - rapid spam filtering system
  • Note that rspamd.service is not started by default. It is started on demand. To start it:
rspamc -h ::1:11334 stat

Note that the following fails

rspamc stat
rspamc -h 127.0.0.1:11334 stat

This is because rspamd only listen on ipv6 interface:

netstat -lpn|grep 1133
# tcp6       0      0 :::11333                :::*                    LISTEN      1/init          
# tcp6       0      0 ::1:11334               :::*                    LISTEN      1/init          
cat /lib/systemd/system/rspamd.socket
#[Unit]
#Description=rapid spam filtering system
#
#[Socket]
#ListenStream=11333
#ListenStream=[::1]:11334
#BindIPv6Only=both
#
#[Install]
#WantedBy=sockets.target

To install rspamd webgui on https, we use apache2 as reverse proxy ([8],[9],[10])

Note
 [Socket]
-ListenStream=11333
-ListenStream=[::1]:11334
+ListenStream=127.0.0.1:11333
+ListenStream=0.0.0.0:11334
 <IfModule mod_ssl.c>
   <VirtualHost *:443>

+    # We don't need forward proxy, so let's disable it
+    ProxyRequests Off
+
+    <Location /rspamd/>
+      ProxyPass http://localhost:11334/
+      ProxyPassReverse http://localhost:11334/
+      Order deny,allow
+      Allow from all
+    </Location>

   </VirtualHost>
 </IfModule>

Note:

  • Module proxy_http is necessary to fix error
... AH01144: No protocol handler was valid for the URL /rspamd/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
  • Mind the trailing slash in <Location /rspamd/>, to match the trailing one in ProxyPass and ProxyPassReverse address. A mismatch fails with an error (NULL) message.

Install the necessary modules and restart apache:

a2enmod proxy
a2enmod proxy_http
a2enmod headers
service apache2 restart
  • To add HTTPS password:
 <IfModule mod_ssl.c>
   <VirtualHost *:443>

     <Location /rspamd/>
+      AuthType Basic
+      AuthName "mail.noekeon.org Rspamd webgui"
+      AuthUserFile /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd
+      Require valid-user
    </Location>

   </VirtualHost>
 </IfModule>
Create the password, and don't forget to change ownership:
htpasswd -c -s /etc/apache2/mail.noekeon.org_rspamd.ssl.passwd rspamd
chown www-data:www-data /etc/apache2/*.passwd
chmod 644 /etc/apache2/*.passwd

Final configuration, everything works:

  • /lib/systemd/system/rmilter.socket
[Unit]
Description=Another sendmail milter for different mail checks

[Socket]
ListenStream=127.0.0.1:9900
SocketUser=_rmilter
SocketGroup=adm
SocketMode=660

[Install]
WantedBy=sockets.target
  • /lib/systemd/system/rspamd.socket
[Unit]
Description=rapid spam filtering system

[Socket]
ListenStream=127.0.0.1:11333
ListenStream=127.0.0.1:11334
BindIPv6Only=both

[Install]
WantedBy=sockets.target
  • /lib/systemd/system/rspamd.service
[Unit]
Description=rapid spam filtering system
After=nss-lookup.target

[Service]
ExecStart=/usr/bin/rspamd -c /etc/rspamd/rspamd.conf -f
User=_rspamd
RuntimeDirectory=rspamd
RuntimeDirectoryMode=0755
Restart=always

[Install]
WantedBy=multi-user.target
Better configuration
No need to edit /lib/systemd files. See issue #748 on GitHub.
Debugging
# testing new rmilter/rspam config. Edit systemd settings, then
# If changing /lib/systemd files, must do:
systemctl daemon-reload
# then
systemctl stop rspamd.socket rspamd.service rmilter.socket rmilter.service
systemctl start rmilter.socket rspamd.socket

# To disable ipv6:
echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6
echo '1' > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
/etc/init.d/networking restart
# ... or via /etc/sysctl.d/local.conf
Logging

We have the choice between

  • console logging (sent to /var/log/syslog)
But this generates lot of spam for logcheck when log is at info level.
  • file logging (to /var/log/rspamd/rspamd.log)
But we lose the message timestamp.

To configure file logging, edit file /etc/rspamd.conf:

@@ -24,7 +24,8 @@ options {
 }
 
 logging {
-    type = "console";
+    type = "file";
+    filename = "$LOGDIR/rspamd.log";
     systemd = true;
     .include "$CONFDIR/logging.inc"
     .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"

Currently, I go for logging to console, with a filter all rules in logcheck (basically ignore all messages). This may change pending update on GitHub issue #1496.

Rmilter 1.10
  • Latest version of Rmilter is 1.10, but Debian only distribute a very old release.
  • I could not find the package I used the first time, so I have to rebuild it.
https://github.com/vstakhov/rmilter/archive/1.10.0.tar.gz
apt-get build-dep rmilter
apt install fakeroot dh-systemd libglib2.0-dev
cd rmilter-1.10.0/
vi debian/changelog          # Create a new entry with version "1.10.0-4~jessie", release "jessie"
dpkg-buildpackage -rfakeroot -b
Add blacklist filter
diff --git a/rspamd/local.d/groups.conf b/rspamd/local.d/groups.conf
new file mode 100644
index 0000000..448fa8d
--- /dev/null
+++ b/rspamd/local.d/groups.conf
@@ -0,0 +1,39 @@
+# local.d/groups.conf
+# see local.d/multimap.conf for mappings
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+
+group "multimap" {
+  symbols = {
+    # Blacklists
+    "LOCAL_BL_FROM" {
+      weight = 3.0;
+      description = "Sender FROM listed in local blacklist";
+    }
+    "LOCAL_BL_IP" {
+      weight = 3.0;
+      description = "Sender IP listed in local blacklist";
+    }
+    "LOCAL_BL_RCPT" {
+      weight = 3.0;
+      description = "Recipient listed in local blacklist";
+    }
+    # Whitelists
+    "LOCAL_WL_DOMAIN" {
+      weight = -5;
+      description = "Domain listed in local whitelist";
+    }
+    "LOCAL_WL_FROM" {
+      weight = -5;
+      description = "Sender FROM listed in local whitelist";
+    }
+    "LOCAL_WL_IP" {
+      weight = -5;
+      description = "Sender IP listed in local whitelist";
+    }
+    "LOCAL_WL_RCPT" {
+      weight = -5;
+      description = "Recipient listed in local whitelist";
+    }
+  }
+}
diff --git a/rspamd/local.d/multimap.conf b/rspamd/local.d/multimap.conf
new file mode 100644
index 0000000..68d0125
--- /dev/null
+++ b/rspamd/local.d/multimap.conf
@@ -0,0 +1,60 @@
+# local.d/multimap.conf
+# see local.d/groups.conf for multimap symbols
+#
+# Source: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1
+# Doc:    https://rspamd.com/doc/modules/multimap.html
+
+# Blacklists
+local_bl_domain {
+  type = "from";
+  filter = "email:domain";
+  map = "$CONFDIR/maps.d/local_bl_domain.inc";
+  prefilter = true;
+  action = "reject";
+  description = "Blacklisted domain";
+}
+local_bl_from {
+  type = "from";
+  map = "$CONFDIR/maps.d/local_bl_from.inc";
+  symbol = "LOCAL_BL_FROM";
+  description = "Blacklist map for LOCAL_BL_FROM";
+}
+local_bl_ip {
+  type = "ip";
+  map = "$CONFDIR/maps.d/local_bl_ip.inc";
+  symbol = "LOCAL_BL_IP";
+  description = "Blacklist map for LOCAL_BL_IP";
+}
+local_bl_rcpt {
+  type = "rcpt";
+  map = "$CONFDIR/maps.d/local_bl_rcpt.inc";
+  symbol = "LOCAL_BL_RCPT";
+  description = "Blacklist map for LOCAL_BL_RCPT";
+}
+
+# Whitelists
+local_wl_domain {
+  type = "from";
+  filter = "email:domain:tld";
+  map = "$CONFDIR/maps.d/local_wl_domain.inc";
+  symbol = "LOCAL_WL_DOMAIN";
+  description = "Whitelist map for LOCAL_WL_DOMAIN";
+}
+local_wl_from {
+  type = "from";
+  map = "$CONFDIR/maps.d/local_wl_from.inc";
+  symbol = "LOCAL_WL_FROM";
+  description = "Whitelist map for LOCAL_WL_FROM";
+}
+local_wl_ip {
+  type = "ip";
+  map = "$CONFDIR/maps.d/local_wl_ip.inc";
+  symbol = "LOCAL_WL_IP";
+  description = "Whitelist map for LOCAL_WL_IP";
+}
+local_wl_rcpt {
+  type = "rcpt";
+  map = "$CONFDIR/maps.d/local_wl_rcpt.inc";
+  symbol = "LOCAL_WL_RCPT";
+  description = "Whitelist map for LOCAL_WL_RCPT";
+}
diff --git a/rspamd/maps.d/local_bl_domain.inc b/rspamd/maps.d/local_bl_domain.inc
new file mode 100644
index 0000000..e33bc14
--- /dev/null
+++ b/rspamd/maps.d/local_bl_domain.inc
@@ -0,0 +1 @@
+nanoenonprofits.org


Mail server - More spam filter

Mail server - SRS

Reference:

We must enable SRS to allow forwarding mail from domains that enabled SPF:

apt-get install postsrsd

We check that it listens to the default ports (10001 and 10002) and uses the correct domain:

systemctl status postsrsd
# ● postsrsd.service - SRS lookup table for Postfix
#    Loaded: loaded (/lib/systemd/system/postsrsd.service; enabled)
#    Active: active (running) since Mon 2016-09-05 11:53:27 CEST; 2h 11min ago
#  Main PID: 11273 (postsrsd)
#    CGroup: /system.slice/postsrsd.service
#            └─11273 /usr/sbin/postsrsd -f10001 -r10002 -s/etc/postsrsd.secret -X -unobody -c/var/lib/postsrsd -dnoekeon.org
ss -tupan|grep 1000[12]
# tcp    LISTEN     0      10             127.0.0.1:10001                 *:*      users:(("postsrsd",pid=11273,fd=4))
# tcp    LISTEN     0      10             127.0.0.1:10002                 *:*      users:(("postsrsd",pid=11273,fd=5))

Tell postfix to use SRS and reload:

postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
postconf -e "sender_canonical_classes = envelope_sender"
postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
postfix reload

Mail server - Gmail Postmaster tools

Account registered to night.moore.nm@gmail.com... but never got any data because our volume is probably too small. I can still use this account to test mail forwarding though and see how gmail sees our mail server.

Mail server - DKIM

See Postfix.

Mail server - DMARC

GMail recommends to provide a DMARC policy. See Postfix for guides.

We publish the following DMARC policy

_dmarc.noekeon.org.       v=DMARC1; p=quarantine; rua=mailto:webmaster@noekeon.org; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=none

Mail server - Miscellaneous

  • Postfix complains that it is setuid root:
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command has set-uid root file permissions
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: or the command is run from a set-uid root process
Jul 18 05:22:30 ober postfix/sendmail[27605]: warning: the Postfix sendmail command must be installed without set-uid root file permissions
It is not necessary to run procmail as setuid root with postfix [11], so we do:
ls -l /usr/bin/procmail
# -rwsr-sr-x 1 root mail 88K Feb 11  2015 /usr/bin/procmail
chmod u-s /usr/bin/procmail
ls -l /usr/bin/procmail
# -rwxr-sr-x 1 root mail 88K Feb 11  2015 /usr/bin/procmail

Mail server - guides

Mail server - certbot

We need to add hooks to reload the certificate when certbot renew them (ChatGPT, [12]).

For dovecot:

# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh

# #! /bin/bash
# systemctl reload dovecot

# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-dovecot.sh

For postfix:

# As sudo:
vi /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh

# #! /bin/bash
# postfix reload

# Enable it and test it
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh
/etc/letsencrypt/renewal-hooks/deploy/reload-postfix.sh

Upgrade Kernel (using grub)

Reinstall grub
  • For some reasons the grub install on Debian 8 Jessie was incomplete. There was no /etc/default/grub and folder /etc/grub.d was empty.
  • Remove / purge grub and reinstall. When asked, we install to /dev/sda.
# I had a /boot/grub. I pushed it to git:
# cd /boot
# git init
# echo "*-amd64" > .gitignore
# git add -A
# git commit "first commit"
apt purge grub-common grub-pc grub2-common   # Say yes to remove /boot/grub.
apt install grub-pc                          # Install to /dev/sda

Upgrade Kernel (using extlinux)

Obsolote — This is now obsolete for Noekeon.org. I'm now using again grub.

Current method (using extlinux)
V=3.16.0-7; for f in initrd.img System.map vmlinuz; do ln -sf $f-$V-amd64 /boot/$f; done
# Same s:
# ln -sf initrd.img-3.16.0-7-amd64 /boot/initrd.img
# ln -sf System.map-3.16.0-7-amd64 /boot/System.map
# ln -sf vmlinuz-3.16.0-7-amd64 /boot/vmlinuz
Details

Debian image is booted with extlinux (so no grub nor lilo). I don't remember selecting this, so maybe it came pre-installed in the OVH debian image.

In any cases, a few guides are available:

Some remarks:

  • There are two files extlinux.conf, one in /extlinux.conf, and one in /boot/extlinux.conf. According to guides above, the latter is useless. Of course, that's the one I updated first without any effect ^^.
  • Doing extlinux --update /boot/extlinux killed the box. I had to reboot in rescue. There I created a few symlinks as indicated below, and restored extlinux with:
for a in dev proc sys run; do mount --bind /$a /mnt/vdb1/$a; done
chroot /mnt/vdb1
cd /boot
ln -sf initrd.img-3.16.0-5-amd64 initrd.img
ln -sf System.map-3.16.0-5-amd64 System.map
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz
vi extlinux/extlinux.conf                      # Point to symlinks instead - normally this file is not used
cd /
vi extlinux.conf                               # Point to symlinks instead
extlinux --install / --device /dev/vdb1        # We point to root because that's where ldlinux.sys files are installed.

As explained in the guide, the easiest is to create symlinks. A few symlinks exists already in /, but these are not used apparently:

lrwxrwxrwx   1 root root   31 Jan  9 20:57 initrd.img -> /boot/initrd.img-3.16.0-5-amd64
lrwxrwxrwx   1 root root   31 Jun  6  2015 initrd.img.old -> /boot/initrd.img-3.16.0-4-amd64
lrwxrwxrwx   1 root root   27 Jan  9 20:57 vmlinuz -> boot/vmlinuz-3.16.0-5-amd64
lrwxrwxrwx   1 root root   27 Jun  6  2015 vmlinuz.old -> boot/vmlinuz-3.16.0-4-amd64

Instead, we create symlinks in /boot:

cd /boot
ln -sf initrd.img-3.16.0-5-amd64 initrd.img
ln -sf System.map-3.16.0-5-amd64 System.map
ln -sf vmlinuz-3.16.0-5-amd64 vmlinuz

We edit /extlinux.conf to point to our symlink instead:

default linux
timeout 1
label linux
kernel boot/vmlinuz
append initrd=boot/initrd.img root=/dev/vda1 console=tty0 console=ttyS0,115200 ro quiet

In principle, the symlinks will be updated at next kernel upgrade. Let's see if that happens next time!

Upgrade to 3.16.0-6

Symlinks were not updated automatically. Instead I did:

cd /boot
ln -sf initrd.img-3.16.0-6-amd64 initrd.img
ln -sf System.map-3.16.0-6-amd64 System.map
ln -sf vmlinuz-3.16.0-6-amd64 vmlinuz

Needrestart

Install package needrestart, which automatically tells when some services must be restarted (this is an improved checkrestart).

Roundcube

apt install roundcube roundcube-plugins-extra roundcube-plugins php-zip
  • Enable plugins archive, zipdownload, fail2ban

Troubleshooting

Google GMail - 421-4.7.0 black listing

See Mail server.

Postfix reject authenticated smtp request

We get errors like:

Oct  1 11:10:06 ober postfix/submission/smtpd[25903]: warning: hostname ip56569158.adsl-surfen.hetnet.nl does not resolve to address 86.86.145.88: Name or service not known
Oct  1 11:10:06 ober postfix/submission/smtpd[25903]: connect from unknown[86.86.145.88]
Oct  1 11:10:06 ober rmilter[327]: <06b5ccdd32>; accepted connection from ober.noekeon.org; client: 86.86.145.88:49276 ([86.86.145.88])
Oct  1 11:10:06 ober postfix/submission/smtpd[25903]: NOQUEUE: reject: EHLO from unknown[86.86.145.88]: 450 4.7.1 <joans-mbp.home>: Helo command rejected: Host not found; proto=SMTP helo=<joans-mbp.home>

The error code is 450. Searching in postfix configuration doc [13], we see it is related to setting reject_unknown_helo_hostname.

We tried to fix it with:

-smtpd_helo_restrictions = reject_unknown_helo_hostname
+smtpd_helo_restrictions = 
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unknown_helo_hostname,

But it has no effect. In fact we must change the parameters of the smtpd/submission daemon listening on port 587. Edit master.cf:

diff --git a/postfix/master.cf b/postfix/master.cf
index ed305ce..61cd090 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
@@ -20,6 +20,7 @@ submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
+ -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot

ovhn - Fix 'org.freedesktop.login1 timed out' messages and slow login

We get many messages like

Apr 29 06:44:12 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:44:37 ober sshd[25336]: pam_systemd(sshd:session): Failed to create session: Activation of org.freedesktop.login1 timed out
Apr 29 06:44:37 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out

Going backward, we find the following event:

Apr 29 06:33:05 ober dbus[24328]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out
Apr 29 06:33:30 ober systemd-logind[23727]: Failed to abandon session scope: Transport endpoint is not connected
Apr 29 06:33:30 ober dbus[24328]: [system] Failed to activate service 'org.freedesktop.login1': timed out

This seems linked to an ssh session

ag 17082 /var/log
# /var/log/auth.log
# 7:Apr 29 06:29:44 ober sshd[17082]: Accepted publickey for baas from 164.129.115.76 port 27528 ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b
# 8:Apr 29 06:29:44 ober sshd[17082]: pam_unix(sshd:session): session opened for user baas by (uid=0)
# 24:Apr 29 06:33:05 ober sshd[17082]: pam_unix(sshd:session): session closed for user baas
# 25:Apr 29 06:33:30 ober sshd[17082]: pam_systemd(sshd:session): Failed to release session: Connection timed out

Additionally logging in the system is very slow.

Troubleshooting

We find similar issue on RedHat support [14].

Issue might be _abandoned_ user session:

systemctl | grep 'of user'| grep 'abandoned'
# session-2.scope              loaded active abandoned Session 2 of user baas

Accordingly the fix is to remove the session files:

ls /run/systemd/system/
# session-2.scope.d/  session-2.scope  session-4322.scope
rm -rf /run/systemd/system/session-2.scope*
systemctl daemon-reexec

... but to no avail. Finally we reboot the system:

reboot