Make use of snakeoil certificates in default configuration files

This commit is contained in:
Daniel Winzen 2024-06-05 21:53:17 +02:00
parent ffac3ea1db
commit a8c633b1d2
No known key found for this signature in database
GPG key ID: 222FCC3F35C41077
12 changed files with 70 additions and 30 deletions

View file

@ -22,7 +22,7 @@ rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
Install git and clone this repository
```
apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
```
Install files and programs
@ -32,7 +32,7 @@ Install files and programs
Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services:
```
systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
systemctl daemon-reload && systemctl restart tor@default.service
```
Replace the default .onion domain with your domain:
@ -90,7 +90,30 @@ To send emails to the regular internet, it is necessary to have a static IP to r
### Proxy server:
TODO
Uninstall packages that may interfere with this setup:
```
DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
```
If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
```
rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
```
Install git and clone this repository
```
apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
```
Install files and programs
```
./install_binaries_proxy.sh
```
Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.
### General Domain settings
@ -101,7 +124,7 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postma
@ IN MX 0 yourdomain.
```
Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
Set the PTR record of your proxy servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.

View file

@ -47,8 +47,8 @@ auth_mechanisms = plain login
#TLS parameters
ssl = required
ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer
ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2

View file

@ -4,6 +4,7 @@ pid /run/nginx.pid;
pcre_jit on;
worker_rlimit_nofile 30000;
worker_shutdown_timeout 1m;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 7680;
@ -51,8 +52,8 @@ http {
ssl_early_data off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem;
##

View file

@ -51,8 +51,8 @@ server {
add_header Cross-Origin-Opener-Policy same-origin always;
add_header Cross-Origin-Resource-Policy same-origin always;
listen [::]:443 ssl proxy_protocol http2;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html;
index index.php;
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;

View file

@ -16,6 +16,6 @@ server {
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
expires off;
}
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}

View file

@ -24,8 +24,8 @@ compatibility_level = 3.6
smtputf8_autodetect_classes = all
# TLS parameters
smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_ciphers = HIGH
smtpd_tls_mandatory_ciphers = HIGH
smtp_tls_ciphers = HIGH

View file

@ -124,8 +124,8 @@ pidfile = "/run/prosody/prosody.pid";
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
ssl = {
key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key";
certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer";
key = "/etc/ssl/private/ssl-cert-snakeoil.key";
certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
dhparam = "/etc/prosody/dh4096.pem";
curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";

View file

@ -4,6 +4,7 @@ pid /run/nginx.pid;
pcre_jit on;
worker_rlimit_nofile 30000;
worker_shutdown_timeout 1m;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 20000;
@ -50,8 +51,8 @@ http {
ssl_early_data off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem;
##
@ -119,8 +120,8 @@ stream {
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
ssl_session_cache shared:SSLSTREAM:10m;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem;
#smtp
server {

View file

@ -15,8 +15,8 @@ readme_directory = no
compatibility_level=3.6
# TLS parameters
smtpd_tls_cert_file=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
smtpd_tls_key_file=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_ciphers = HIGH

View file

@ -457,7 +457,7 @@ realm=danwin1210.de
# Use PEM file format.
#
#cert=/usr/local/etc/turn_server_cert.pem
cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
# Private key file.
# Use an absolute path or path relative to the
@ -465,7 +465,7 @@ cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
# Use PEM file format.
#
#pkey=/usr/local/etc/turn_server_pkey.pem
pkey=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
pkey=/etc/ssl/private/ssl-cert-snakeoil.key
# Private key file password, if it is in encoded format.
# This option has no default value.

View file

@ -8,7 +8,7 @@ workingdir=$(pwd)
# install all required packages
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libsasl2-modules locales locales-all logrotate lsb-release mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rspamd tor vim wget unzip brotli wireguard wireguard-tools
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libnginx-mod-http-brotli-filter libsasl2-modules locales locales-all logrotate lsb-release lua-dbi-mysql lua-event mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rng-tools5 rspamd tor vim wget unzip wireguard wireguard-tools
# install composer
curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer
@ -32,10 +32,17 @@ if [ ! -e /etc/postfix/danwin1210-mail.chain ]; then
openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain
fi
# Nginx
if [ ! -e /etc/nginx/dh4096.pem ]; then
openssl dhparam -out /etc/nginx/dh4096.pem 4096
fi
# dhparams
for file in /etc/nginx/dh4096.pem /etc/dovecot/dh.pem /etc/prosody/dh4096.pem; do
if [ ! -e "$file" ]; then
openssl dhparam -out "$file" 4096
fi
done
# vmail user
id -u vmail > /dev/null 2>&1 || (groupadd -g 5000 -r vmail && useradd -g 5000 -M -r -s /bin/false -u 5000 vmail -d /var/mail/vmail)
mkdir -p /var/mail/vmail
chown vmail: /var/mail/vmail
#install scripts
mkdir -p /var/www/mail
@ -72,6 +79,14 @@ unzip -o snappymail-${VERSION:1}.zip
mkdir -p /var/local/snappymail
chown www-data:www-data -R /var/local/snappymail
# install prosody modules
if [ ! -e /srv/prosody-modules ]; then
hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules
else
cd /srv/prosody-modules
hg pull --update
fi
# copy configuration file
cd $workingdir
if [ ! -e /var/www/mail/common_config.php ]; then

View file

@ -5,4 +5,4 @@ export LANG=C.UTF-8
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
# install all required packages
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver vim wget wireguard wireguard-tools
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools