From a8c633b1d2bea1b2f4c5a390df9052f282e204a5 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Wed, 5 Jun 2024 21:53:17 +0200 Subject: [PATCH] Make use of snakeoil certificates in default configuration files --- README.md | 31 +++++++++++++++++++++++++---- etc/dovecot/dovecot.conf | 4 ++-- etc/nginx/nginx.conf | 5 +++-- etc/nginx/sites-enabled/mail | 4 ++-- etc/nginx/sites-enabled/openpgpkey | 4 ++-- etc/postfix/main.cf | 4 ++-- etc/prosody/prosody.cfg.lua | 4 ++-- etc_clearnet_proxy/nginx/nginx.conf | 9 +++++---- etc_clearnet_proxy/postfix/main.cf | 4 ++-- etc_clearnet_proxy/turnserver.conf | 4 ++-- install_binaries.sh | 25 ++++++++++++++++++----- install_binaries_proxy.sh | 2 +- 12 files changed, 70 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 565a24b..63ab540 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf Install git and clone this repository ``` -apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting +apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting ``` Install files and programs @@ -32,7 +32,7 @@ Install files and programs Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services: ``` -systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service +systemctl daemon-reload && systemctl restart tor@default.service ``` Replace the default .onion domain with your domain: 
@@ -90,7 +90,30 @@ To send emails to the regular internet, it is necessary to have a static IP to r ### Proxy server: -TODO +Uninstall packages that may interfere with this setup: +``` +DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service +``` + +If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google) + +``` +rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf +``` + +Install git and clone this repository + +``` +apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting +``` + +Install files and programs +``` +./install_binaries_proxy.sh +``` + +Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished. + ### General Domain settings @@ -101,7 +124,7 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postma @ IN MX 0 yourdomain. ``` -Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket. +Set the PTR record of your proxy servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket. Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery. 
diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf index 49e5005..775abc7 100644 --- a/etc/dovecot/dovecot.conf +++ b/etc/dovecot/dovecot.conf @@ -47,8 +47,8 @@ auth_mechanisms = plain login #TLS parameters ssl = required -ssl_cert = /usr/bin/composer @@ -32,10 +32,17 @@ if [ ! -e /etc/postfix/danwin1210-mail.chain ]; then openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain fi -# Nginx -if [ ! -e /etc/nginx/dh4096.pem ]; then - openssl dhparam -out /etc/nginx/dh4096.pem 4096 -fi +# dhparams +for file in /etc/nginx/dh4096.pem /etc/dovecot/dh.pem /etc/prosody/dh4096.pem; do + if [ ! -e "$file" ]; then + openssl dhparam -out "$file" 4096 + fi +done + +# vmail user +id -u vmail > /dev/null 2>&1 || (groupadd -g 5000 -r vmail && useradd -g 5000 -M -r -s /bin/false -u 5000 vmail -d /var/mail/vmail) +mkdir -p /var/mail/vmail +chown vmail: /var/mail/vmail #install scripts mkdir -p /var/www/mail @@ -72,6 +79,14 @@ unzip -o snappymail-${VERSION:1}.zip mkdir -p /var/local/snappymail chown www-data:www-data -R /var/local/snappymail +# install prosody modules +if [ ! -e /srv/prosody-modules ]; then + hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules +else + cd /srv/prosody-modules + hg pull --update +fi + # copy configuration file cd $workingdir if [ ! -e /var/www/mail/common_config.php ]; then diff --git a/install_binaries_proxy.sh b/install_binaries_proxy.sh index 988ddb1..e8298f2 100755 --- a/install_binaries_proxy.sh +++ b/install_binaries_proxy.sh 
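Review bot: The vmail mailbox root in the second half of the `@@ -32,10 +32,17 @@` hunk is created with `mkdir -p /var/mail/vmail` and `chown vmail: /var/mail/vmail` but its mode is never set, so it keeps whatever the caller's umask produces (commonly 755) and any local account can traverse it and list the top level of the mailbox tree; add `chmod 700 /var/mail/vmail` after the chown. The `id -u vmail … || (groupadd … && useradd …)` line reports nothing useful if uid/gid 5000 is already taken, and unless the file sets `set -e` above this hunk (not visible here) the script carries on after the failed useradd and chown, so append `|| exit 1` to that line. In the dhparams loop, `openssl dhparam -out "$file" 4096` writes straight to the final path, so an interrupted run leaves a partial file that the `[ ! -e "$file" ]` check treats as complete on the next run; writing to a temporary file next to it and `mv`-ing it into place on success would make that check reliable.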
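Review bot: The prosody-modules checkout in the `@@ -72,6 +79,14 @@` hunk is taken from the tip of `https://hg.prosody.im/prosody-modules/` and re-synced with `hg pull --update` on every run, so the module code the XMPP server loads changes with each install run and cannot be reviewed or reproduced; pin a changeset, e.g. `hg clone -u <PINNED_REV> https://hg.prosody.im/prosody-modules/ /srv/prosody-modules` on first install and `hg -R /srv/prosody-modules pull && hg -R /srv/prosody-modules update -r <PINNED_REV>` afterwards, where `<PINNED_REV>` is a placeholder for a reviewed revision. The `cd /srv/prosody-modules` in the else branch is unchecked, so if it fails (a non-directory at that path, a permission problem) `hg pull --update` runs against the current directory instead; `hg -R /srv/prosody-modules pull --update` removes the cd entirely and leaves the later `cd $workingdir` as the only directory change. The hunk does not show whether mercurial is in the package list earlier in the file; if it is not, `hg` is absent here and the branch fails without stopping the script.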
@@ -5,4 +5,4 @@ export LANG=C.UTF-8
 export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
 # install all required packages
 DEBIAN_FRONTEND=noninteractive apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver vim wget wireguard wireguard-tools
+DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools