mirror of
https://github.com/DanWin/mail-hosting.git
synced 2024-11-21 23:20:25 +00:00
Make use of snakeoil certificates in default configuration files
This commit is contained in:
parent
ffac3ea1db
commit
a8c633b1d2
12 changed files with 70 additions and 30 deletions
31
README.md
31
README.md
|
@ -22,7 +22,7 @@ rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
|
||||||
Install git and clone this repository
|
Install git and clone this repository
|
||||||
|
|
||||||
```
|
```
|
||||||
apt-get update && apt-get install git && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
|
apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
|
||||||
```
|
```
|
||||||
|
|
||||||
Install files and programs
|
Install files and programs
|
||||||
|
@ -32,7 +32,7 @@ Install files and programs
|
||||||
|
|
||||||
Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services:
|
Copy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. Then restart some services:
|
||||||
```
|
```
|
||||||
systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
|
systemctl daemon-reload && systemctl restart tor@default.service
|
||||||
```
|
```
|
||||||
|
|
||||||
Replace the default .onion domain with your domain:
|
Replace the default .onion domain with your domain:
|
||||||
|
@ -90,7 +90,30 @@ To send emails to the regular internet, it is necessary to have a static IP to r
|
||||||
|
|
||||||
### Proxy server:
|
### Proxy server:
|
||||||
|
|
||||||
TODO
|
Uninstall packages that may interfere with this setup:
|
||||||
|
```
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
|
||||||
|
```
|
||||||
|
|
||||||
|
If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
|
||||||
|
|
||||||
|
```
|
||||||
|
rm /etc/resolv.conf && echo "nameserver 1.1.1.1" > /etc/resolv.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
Install git and clone this repository
|
||||||
|
|
||||||
|
```
|
||||||
|
apt-get update && apt-get install git -y && git clone https://github.com/DanWin/mail-hosting && cd mail-hosting
|
||||||
|
```
|
||||||
|
|
||||||
|
Install files and programs
|
||||||
|
```
|
||||||
|
./install_binaries_proxy.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Copy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.
|
||||||
|
|
||||||
|
|
||||||
### General Domain settings
|
### General Domain settings
|
||||||
|
|
||||||
|
@ -101,7 +124,7 @@ _dmarc IN TXT "v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postma
|
||||||
@ IN MX 0 yourdomain.
|
@ IN MX 0 yourdomain.
|
||||||
```
|
```
|
||||||
|
|
||||||
Set the PTR record of your servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
|
Set the PTR record of your proxy servers IPs to your domain. This can usually be done from your hosting panels configuration, but may not be available with every hosting provider, where you can then request them to do it via a support ticket.
|
||||||
|
|
||||||
Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.
|
Consider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.
|
||||||
|
|
||||||
|
|
|
@ -47,8 +47,8 @@ auth_mechanisms = plain login
|
||||||
|
|
||||||
#TLS parameters
|
#TLS parameters
|
||||||
ssl = required
|
ssl = required
|
||||||
ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer
|
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
|
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
ssl_client_ca_dir = /etc/ssl/certs
|
ssl_client_ca_dir = /etc/ssl/certs
|
||||||
ssl_dh = </etc/dovecot/dh.pem
|
ssl_dh = </etc/dovecot/dh.pem
|
||||||
ssl_min_protocol = TLSv1.2
|
ssl_min_protocol = TLSv1.2
|
||||||
|
|
|
@ -4,6 +4,7 @@ pid /run/nginx.pid;
|
||||||
pcre_jit on;
|
pcre_jit on;
|
||||||
worker_rlimit_nofile 30000;
|
worker_rlimit_nofile 30000;
|
||||||
worker_shutdown_timeout 1m;
|
worker_shutdown_timeout 1m;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 7680;
|
worker_connections 7680;
|
||||||
|
@ -51,8 +52,8 @@ http {
|
||||||
ssl_early_data off;
|
ssl_early_data off;
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
ssl_dhparam /etc/nginx/dh4096.pem;
|
ssl_dhparam /etc/nginx/dh4096.pem;
|
||||||
|
|
||||||
##
|
##
|
||||||
|
|
|
@ -51,8 +51,8 @@ server {
|
||||||
add_header Cross-Origin-Opener-Policy same-origin always;
|
add_header Cross-Origin-Opener-Policy same-origin always;
|
||||||
add_header Cross-Origin-Resource-Policy same-origin always;
|
add_header Cross-Origin-Resource-Policy same-origin always;
|
||||||
listen [::]:443 ssl proxy_protocol http2;
|
listen [::]:443 ssl proxy_protocol http2;
|
||||||
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
index index.php;
|
index index.php;
|
||||||
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;
|
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;
|
||||||
|
|
|
@ -16,6 +16,6 @@ server {
|
||||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||||
expires off;
|
expires off;
|
||||||
}
|
}
|
||||||
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
}
|
}
|
||||||
|
|
|
@ -24,8 +24,8 @@ compatibility_level = 3.6
|
||||||
smtputf8_autodetect_classes = all
|
smtputf8_autodetect_classes = all
|
||||||
|
|
||||||
# TLS parameters
|
# TLS parameters
|
||||||
smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
|
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
|
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
smtpd_tls_ciphers = HIGH
|
smtpd_tls_ciphers = HIGH
|
||||||
smtpd_tls_mandatory_ciphers = HIGH
|
smtpd_tls_mandatory_ciphers = HIGH
|
||||||
smtp_tls_ciphers = HIGH
|
smtp_tls_ciphers = HIGH
|
||||||
|
|
|
@ -124,8 +124,8 @@ pidfile = "/run/prosody/prosody.pid";
|
||||||
-- Force clients to use encrypted connections? This option will
|
-- Force clients to use encrypted connections? This option will
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
ssl = {
|
ssl = {
|
||||||
key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key";
|
key = "/etc/ssl/private/ssl-cert-snakeoil.key";
|
||||||
certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer";
|
certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
|
||||||
dhparam = "/etc/prosody/dh4096.pem";
|
dhparam = "/etc/prosody/dh4096.pem";
|
||||||
curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
|
curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
|
||||||
ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";
|
ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";
|
||||||
|
|
|
@ -4,6 +4,7 @@ pid /run/nginx.pid;
|
||||||
pcre_jit on;
|
pcre_jit on;
|
||||||
worker_rlimit_nofile 30000;
|
worker_rlimit_nofile 30000;
|
||||||
worker_shutdown_timeout 1m;
|
worker_shutdown_timeout 1m;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 20000;
|
worker_connections 20000;
|
||||||
|
@ -50,8 +51,8 @@ http {
|
||||||
ssl_early_data off;
|
ssl_early_data off;
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||||
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
ssl_dhparam /etc/nginx/dh4096.pem;
|
ssl_dhparam /etc/nginx/dh4096.pem;
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -119,8 +120,8 @@ stream {
|
||||||
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
|
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:secp256k1;
|
||||||
ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
|
ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
|
||||||
ssl_session_cache shared:SSLSTREAM:10m;
|
ssl_session_cache shared:SSLSTREAM:10m;
|
||||||
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||||
ssl_dhparam /etc/nginx/dh4096.pem;
|
ssl_dhparam /etc/nginx/dh4096.pem;
|
||||||
#smtp
|
#smtp
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -15,8 +15,8 @@ readme_directory = no
|
||||||
compatibility_level=3.6
|
compatibility_level=3.6
|
||||||
|
|
||||||
# TLS parameters
|
# TLS parameters
|
||||||
smtpd_tls_cert_file=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
smtpd_tls_key_file=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
smtpd_tls_ciphers = HIGH
|
smtpd_tls_ciphers = HIGH
|
||||||
|
|
|
@ -457,7 +457,7 @@ realm=danwin1210.de
|
||||||
# Use PEM file format.
|
# Use PEM file format.
|
||||||
#
|
#
|
||||||
#cert=/usr/local/etc/turn_server_cert.pem
|
#cert=/usr/local/etc/turn_server_cert.pem
|
||||||
cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
|
cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
|
||||||
# Private key file.
|
# Private key file.
|
||||||
# Use an absolute path or path relative to the
|
# Use an absolute path or path relative to the
|
||||||
|
@ -465,7 +465,7 @@ cert=/etc/acme.sh/danwin1210.de_ecc/fullchain.cer
|
||||||
# Use PEM file format.
|
# Use PEM file format.
|
||||||
#
|
#
|
||||||
#pkey=/usr/local/etc/turn_server_pkey.pem
|
#pkey=/usr/local/etc/turn_server_pkey.pem
|
||||||
pkey=/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
|
pkey=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
|
||||||
# Private key file password, if it is in encoded format.
|
# Private key file password, if it is in encoded format.
|
||||||
# This option has no default value.
|
# This option has no default value.
|
||||||
|
|
|
@ -8,7 +8,7 @@ workingdir=$(pwd)
|
||||||
|
|
||||||
# install all required packages
|
# install all required packages
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get update
|
DEBIAN_FRONTEND=noninteractive apt-get update
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libsasl2-modules locales locales-all logrotate lsb-release mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rspamd tor vim wget unzip brotli wireguard wireguard-tools
|
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git gnupg haveged iptables libnginx-mod-http-brotli-filter libsasl2-modules locales locales-all logrotate lsb-release lua-dbi-mysql lua-event mariadb-server mercurial nano nginx openssl php8.2-cli php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-mysql php8.2-pspell php8.2-readline postfix postfix-mysql prosody redis rng-tools5 rspamd tor vim wget unzip wireguard wireguard-tools
|
||||||
|
|
||||||
# install composer
|
# install composer
|
||||||
curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer
|
curl -sSL https://github.com/composer/composer/releases/download/2.7.6/composer.phar > /usr/bin/composer
|
||||||
|
@ -32,10 +32,17 @@ if [ ! -e /etc/postfix/danwin1210-mail.chain ]; then
|
||||||
openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain
|
openssl req -x509 -nodes -days 3650 -newkey ed448 -subj "/" -keyout /etc/postfix/danwin1210-mail.key -out /etc/postfix/danwin1210-mail.crt && cat /etc/postfix/danwin1210-mail.key >> /etc/postfix/danwin1210-mail.chain && cat /etc/postfix/danwin1210-mail.crt >> /etc/postfix/danwin1210-mail.chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Nginx
|
# dhparams
|
||||||
if [ ! -e /etc/nginx/dh4096.pem ]; then
|
for file in /etc/nginx/dh4096.pem /etc/dovecot/dh.pem /etc/prosody/dh4096.pem; do
|
||||||
openssl dhparam -out /etc/nginx/dh4096.pem 4096
|
if [ ! -e "$file" ]; then
|
||||||
fi
|
openssl dhparam -out "$file" 4096
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# vmail user
|
||||||
|
id -u vmail > /dev/null 2>&1 || (groupadd -g 5000 -r vmail && useradd -g 5000 -M -r -s /bin/false -u 5000 vmail -d /var/mail/vmail)
|
||||||
|
mkdir -p /var/mail/vmail
|
||||||
|
chown vmail: /var/mail/vmail
|
||||||
|
|
||||||
#install scripts
|
#install scripts
|
||||||
mkdir -p /var/www/mail
|
mkdir -p /var/www/mail
|
||||||
|
@ -72,6 +79,14 @@ unzip -o snappymail-${VERSION:1}.zip
|
||||||
mkdir -p /var/local/snappymail
|
mkdir -p /var/local/snappymail
|
||||||
chown www-data:www-data -R /var/local/snappymail
|
chown www-data:www-data -R /var/local/snappymail
|
||||||
|
|
||||||
|
# install prosody modules
|
||||||
|
if [ ! -e /srv/prosody-modules ]; then
|
||||||
|
hg clone https://hg.prosody.im/prosody-modules/ /srv/prosody-modules
|
||||||
|
else
|
||||||
|
cd /srv/prosody-modules
|
||||||
|
hg pull --update
|
||||||
|
fi
|
||||||
|
|
||||||
# copy configuration file
|
# copy configuration file
|
||||||
cd $workingdir
|
cd $workingdir
|
||||||
if [ ! -e /var/www/mail/common_config.php ]; then
|
if [ ! -e /var/www/mail/common_config.php ]; then
|
||||||
|
|
|
@ -5,4 +5,4 @@ export LANG=C.UTF-8
|
||||||
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
|
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"
|
||||||
# install all required packages
|
# install all required packages
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get update
|
DEBIAN_FRONTEND=noninteractive apt-get update
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver vim wget wireguard wireguard-tools
|
DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y bash-completion bind9 ca-certificates coturn curl git gnupg haveged iptables libsasl2-modules logrotate lsb-release nano nginx openssl postfix postfix-mysql postfix-mta-sts-resolver rng-tools5 vim wget wireguard wireguard-tools
|
||||||
|
|
Loading…
Reference in a new issue