From 890383286696bc5c868f2e02ee54f12d2f7f31e6 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Sun, 2 Jun 2024 20:50:01 +0200
Subject: [PATCH] Add setup tutorial

---
 README.md | 94 ++++++++++++++++++++++++++++
 etc/systemd/system/mail-cron.service | 4 +-
 etc/systemd/system/mail-cron.timer | 2 -
 install_binaries.sh | 2 +
 4 files changed, 97 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 52f462a..fc87a52 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,100 @@ This is a setup for a Tor based email hosting server. It is provided as is and b Installation Instructions: -------------------------- +# Primary mail server with Tor: + +Uninstall packages that may interfere with this setup: +``` +DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service +``` + +If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google) + +``` +rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf +``` + +Install git and clone this repository + +``` +apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting +``` + +Install files and programs +``` +./install_binaries.sh +``` + +Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. 
Then restart some services: +``` +systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service +``` + +Replace the default .onion domain with your domain: +``` +sed -i "s/danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/`cat /var/lib/tor/hidden_service/hostname`/g" /etc/prosody/prosody.cfg.lua /etc/nginx/sites-enabled/mail /var/www/mail/common_config.php /etc/postfix/main.cf +``` + +Replace the default clearnet domain with your domain: +``` +sed -i "s/danwin1210.de/YOUR_DOMAIN/g" /etc/prosody/prosody.cfg.lua /etc/postfix/main.cf /etc/dovecot/dovecot.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey /var/www/mail/common_config.php +``` + +Create a mysql users and databases: +``` +mysql +CREATE DATABASE postfix; +CREATE DATABASE prosody; +CREATE USER 'postfix'@'%' IDENTIFIED BY 'MY_PASSWORD'; +CREATE USER 'postfix_readonly'@'%' IDENTIFIED BY 'MY_PASSWORD'; +CREATE USER 'prosody'@'%' IDENTIFIED BY 'MY_PASSWORD'; +GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'%'; +GRANT SELECT ON postifx.* TO 'postfix_readonly'@'%'; +GRANT ALL PRIVILEGES ON prosody.* TO 'prosody'@'%'; +FLUSH PRIVILEGES; +quit +``` + +Then update the passwords you've set in your configuration files: +``` +nano /etc/dovecot/dovecot-dict-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext /etc/postfix/sql/mysql_* /etc/prosody/prosody.cfg.lua /var/www/mail/common_config.php +``` + +Generate a keypair for rspamd with `rspamadm keypair gen` and add it to /etc/rspamd/local.d/worker-fuzzy.inc, add the public encryption key to /etc/rspamd/override.d/fuzzy_check.conf + +Set a password for the web interface with `rspamadm pw` and add the hash for it to /etc/rspamd/override.d/worker-controller.inc + +Generate DKIM signing keys and add them to /etc/rspamd/local.d/arc.conf /etc/rspamd/local.d/dkim_signing.conf, then add the printed DNS records to your domain: +``` +rspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +"%Y%m%d")-rsa -b 4096 -t rsa -k 
/var/lib/rspamd/dkim/YOUR_DOMAIN-rsa +rspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +"%Y%m%d")-ed25519 -t ed25519 -k /var/lib/rspamd/dkim/YOUR_DOMAIN-ed25519 +``` + +Also add the following DNS records to your domain, with the IPs of your proxy server: +``` +@ IN TXT "v=spf1 ip4:your.ip.v4.address ip6:your:ip:v6:address -all" +_dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postmaster@yourdomain;ruf=mailto:postmaster@yourdomain;rf=afrf;ri=86400;pct=100" +@ IN MX 0 yourdomain. +``` + +Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket. + +Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery. + +Install [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https://certbot.eff.org/) to obtain a free letsencrypt SSL certificate, then update the path to this new certificate in the following files: +``` +nano /etc/prosody/prosody.cfg.lua /etc/dovecot/dovecot.conf /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey +``` + +Create database tables and enable cron: +``` +cd /var/www/mail && php setup.php && systemctl enable mail-cron.timer +``` + +To send emails to the regular internet, it is necessary to have a static IP to retain a reputation with an IP+Domain mapping. If you try sending via Tor, your emails will most certainly get blocked by spam fitlers. For this reason we need to setup a proxy server which will hold no user data itself, but simply act as a gateway to reach the less anonymous part of the internet. + +# Proxy server: + TODO Translating: 
diff --git a/etc/systemd/system/mail-cron.service b/etc/systemd/system/mail-cron.service
index 59f2947..be962e1 100644
--- a/etc/systemd/system/mail-cron.service
+++ b/etc/systemd/system/mail-cron.service
@@ -1,8 +1,6 @@
 [Unit]
 Description=Mail cron
-After=srv.mount
-Requires=srv.mount
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/php /srv/var/www/mail/cron.php
+ExecStart=/usr/bin/php /var/www/mail/cron.php
diff --git a/etc/systemd/system/mail-cron.timer b/etc/systemd/system/mail-cron.timer
index c794df4..be193f3 100644
--- a/etc/systemd/system/mail-cron.timer
+++ b/etc/systemd/system/mail-cron.timer
@@ -1,7 +1,5 @@
 [Unit]
 Description=Mail cron
-After=srv.mount
-Requires=srv.mount
 
 [Timer]
 # Time to wait after booting before we run first time
diff --git a/install_binaries.sh b/install_binaries.sh
index 7385b92..df2dd33 100755
--- a/install_binaries.sh
+++ b/install_binaries.sh
@@ -35,6 +35,8 @@ fi
 #install scripts
 mkdir -p /var/www/mail
 mkdir -p /var/www/html
+mkdir -p /var/lib/rspamd/dkim
+chown _rspamd: /var/lib/rspamd/dkim
 if [ ! -e /var/www/html/mail ]; then
 ln -s ../mail/www /var/www/html/mail
 fi
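Review bot: The new `ExecStart=/usr/bin/php /var/www/mail/cron.php` in mail-cron.service still runs under the unit's default identity, and no `User=` line is visible in the hunk, so cron.php executes as root every time the timer fires unless a `User=` is set further down the file, outside the hunk. A PHP script living under the web root should not need root; if its database and mailbox access already work under the account the web application runs as, adding `User=www-data` (or whichever account owns /var/www/mail) to `[Service]` limits what a bug in cron.php can reach. The timer unit only carries the schedule, so the change belongs in the service file alone.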
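Review bot: In the install_binaries.sh hunk, `mkdir -p /var/lib/rspamd/dkim` creates the directory with the caller's default umask and the following `chown _rspamd:` changes only ownership, so the directory that the README's `rspamadm dkim_keygen ... -k /var/lib/rspamd/dkim/...` step later fills with DKIM private keys is typically left world-readable and searchable (0755). Creating it with a restricted mode in one step avoids that: `install -d -m 0750 -o _rspamd -g _rspamd /var/lib/rspamd/dkim`. The key files' own modes are then still up to rspamadm, but a closed directory is the first layer. The `chown` also presumes the `_rspamd` account already exists at this point, which depends on rspamd having been installed earlier in the script, outside the hunk.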