Make use of snakeoil certificates in default configuration files

This commit is contained in:
Daniel Winzen 2024-06-05 21:53:17 +02:00
parent ffac3ea1db
commit a8c633b1d2
No known key found for this signature in database
GPG key ID: 222FCC3F35C41077
12 changed files with 70 additions and 30 deletions

View file

@ -22,7 +22,7 @@ rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
Install git and clone this repository Install git and clone this repository
``` ```
apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
``` ```
Install files and programs Install files and programs
@ -32,7 +32,7 @@ Install files and programs
Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services: Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services:
``` ```
systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service systemctl daemon-reload && systemctl restart tor@default.service
``` ```
Replace the default .onion domain with your domain: Replace the default .onion domain with your domain:
@ -90,7 +90,30 @@ To send emails to the regular internet, it is necessary to have a static IP to r
### Proxy server: ### Proxy server:
TODO Uninstall packages that may interfere with this setup:
```
DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
```
If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
```
rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
```
Install git and clone this repository
```
apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
```
Install files and programs
```
./install_binaries_proxy.sh
```
Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.
### General Domain settings ### General Domain settings
@ -101,7 +124,7 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postma
@ IN MX 0 yourdomain. @ IN MX 0 yourdomain.
``` ```
Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket. Set the PTR record of your proxy servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery. Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.

View file

@ -47,8 +47,8 @@ auth_mechanisms = plain login
#TLS parameters #TLS parameters
ssl = required ssl = required
ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
ssl_client_ca_dir = /etc/ssl/certs ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </etc/dovecot/dh.pem ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2 ssl_min_protocol = TLSv1.2

View file

@ -4,6 +4,7 @@ pid /run/nginx.pid;
pcre_jit on; pcre_jit on;
worker_rlimit_nofile 30000; worker_rlimit_nofile 30000;
worker_shutdown_timeout 1m; worker_shutdown_timeout 1m;
include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 7680; worker_connections 7680;
@ -51,8 +52,8 @@ http {
ssl_early_data off; ssl_early_data off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem; ssl_dhparam /etc/nginx/dh4096.pem;
## ##

View file

@ -51,8 +51,8 @@ server {
add_header Cross-Origin-Opener-Policy same-origin always; add_header Cross-Origin-Opener-Policy same-origin always;
add_header Cross-Origin-Resource-Policy same-origin always; add_header Cross-Origin-Resource-Policy same-origin always;
listen [::]:443 ssl proxy_protocol http2; listen [::]:443 ssl proxy_protocol http2;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html; root /var/www/html;
index index.php; index index.php;
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de; server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;

View file

@ -16,6 +16,6 @@ server {
fastcgi_pass unix:/run/php/php8.2-fpm.sock; fastcgi_pass unix:/run/php/php8.2-fpm.sock;
expires off; expires off;
} }
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
} }

View file

@ -24,8 +24,8 @@ compatibility_level = 3.6
smtputf8_autodetect_classes = all smtputf8_autodetect_classes = all
# TLS parameters # TLS parameters
smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_ciphers = HIGH smtpd_tls_ciphers = HIGH
smtpd_tls_mandatory_ciphers = HIGH smtpd_tls_mandatory_ciphers = HIGH
smtp_tls_ciphers = HIGH smtp_tls_ciphers = HIGH

View file

@ -124,8 +124,8 @@ pidfile = "/run/prosody/prosody.pid";
-- Force clients to use encrypted connections? This option will -- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption. -- prevent clients from authenticating unless they are using encryption.
ssl = { ssl = {
key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key"; key = "/etc/ssl/private/ssl-cert-snakeoil.key";
certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer"; certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
dhparam = "/etc/prosody/dh4096.pem"; dhparam = "/etc/prosody/dh4096.pem";
curve = "X448:X25519:secp521r1:secp384r1:secp256k1"; curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256"; ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";

View file

@ -4,6 +4,7 @@ pid /run/nginx.pid;
pcre_jit on; pcre_jit on;
worker_rlimit_nofile 30000; worker_rlimit_nofile 30000;
worker_shutdown_timeout 1m; worker_shutdown_timeout 1m;
include /etc/nginx/modules-enabled/*.conf;
events { events {
worker_connections 20000; worker_connections 20000;
@ -50,8 +51,8 @@ http {
ssl_early_data off; ssl_early_data off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem; ssl_dhparam /etc/nginx/dh4096.pem;
## ##
@ -119,8 +120,8 @@ stream {
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1; ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384; ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
ssl_session_cache shared:SSLSTREAM:10m; ssl_session_cache shared:SSLSTREAM:10m;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem; ssl_dhparam /etc/nginx/dh4096.pem;
#smtp #smtp
server { server {

View file

@ -15,8 +15,8 @@ readme_directory = no
compatibility_level=3.6 compatibility_level=3.6
# TLS parameters # TLS parameters
smtpd_tls_cert_file=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_ciphers = HIGH smtpd_tls_ciphers = HIGH

View file

@ -457,7 +457,7 @@ realm=danwin1210.de
# Use PEM file format. # Use PEM file format.
# #
#cert=/usr/local/etc/turn_server_cert.pem #cert=/usr/local/etc/turn_server_cert.pem
cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
# Private key file. # Private key file.
# Use an absolute path or path relative to the # Use an absolute path or path relative to the
@ -465,7 +465,7 @@ cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
# Use PEM file format. # Use PEM file format.
# #
#pkey=/usr/local/etc/turn_server_pkey.pem #pkey=/usr/local/etc/turn_server_pkey.pem
pkey=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key pkey=/etc/ssl/private/ssl-cert-snakeoil.key
# Private key file password, if it is in encoded format. # Private key file password, if it is in encoded format.
# This option has no default value. # This option has no default value.

View file

@ -8,7 +8,7 @@ workingdir=$(pwd)
# install all required packages # install all required packages
DEBIAN_FRONTEND=noninteractive apt-get update DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libsasl2-modules locales locales-all logrotate lsb-release mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rspamd tor vim wget unzip brotli wireguard wireguard-tools DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libnginx-mod-http-brotli-filter libsasl2-modules locales locales-all logrotate lsb-release lua-dbi-mysql lua-event mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rng-tools5 rspamd tor vim wget unzip wireguard wireguard-tools
# install composer # install composer
curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer
@ -32,10 +32,17 @@ if [ ! -e /etc/postfix/danwin1210-mail.chain ]; then
openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain
fi fi
# Nginx # dhparams
if [ ! -e /etc/nginx/dh4096.pem ]; then for file in /etc/nginx/dh4096.pem /etc/dovecot/dh.pem /etc/prosody/dh4096.pem; do
openssl dhparam -out /etc/nginx/dh4096.pem 4096 if [ ! -e "$file" ]; then
openssl dhparam -out "$file" 4096
fi fi
done
# vmail user
id -u vmail > /dev/null 2>&1 || (groupadd -g 5000 -r vmail && useradd -g 5000 -M -r -s /bin/false -u 5000 vmail -d /var/mail/vmail)
mkdir -p /var/mail/vmail
chown vmail: /var/mail/vmail
#install scripts #install scripts
mkdir -p /var/www/mail mkdir -p /var/www/mail
@ -72,6 +79,14 @@ unzip -o snappymail-${VERSION:1}.zip
mkdir -p /var/local/snappymail mkdir -p /var/local/snappymail
chown www-data:www-data -R /var/local/snappymail chown www-data:www-data -R /var/local/snappymail
# install prosody modules
if [ ! -e /srv/prosody-modules ]; then
hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules
else
cd /srv/prosody-modules
hg pull --update
fi
# copy configuration file # copy configuration file
cd $workingdir cd $workingdir
if [ ! -e /var/www/mail/common_config.php ]; then if [ ! -e /var/www/mail/common_config.php ]; then

View file

@ -5,4 +5,4 @@ export LANG=C.UTF-8
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin" export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
# install all required packages # install all required packages
DEBIAN_FRONTEND=noninteractive apt-get update DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver vim wget wireguard wireguard-tools DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools