From ce521a51804454f6806231b46847620dff4b78f1 Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 11:43:23 +0100 Subject: [PATCH 1/9] start.sh OK --- scripts/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/start.sh b/scripts/start.sh index 0b36656f..43b9f114 100755 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -41,7 +41,7 @@ PUBLIC_HOSTNAME=$PUBLIC_HOSTNAME PUBLIC_IP=$PUBLIC_IP EOF -# Start service configuration. +# Start services configuration. . scripts/system.sh . scripts/dns.sh . scripts/mail.sh From 8a5bdc0213461ccfa558997eeabdcd96e4f0513a Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 16:54:44 +0100 Subject: [PATCH 2/9] system.sh OK [but I run the fwn, no fail2ban at this time] --- scripts/system.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/system.sh b/scripts/system.sh index c03fa318..9a11268e 100755 --- a/scripts/system.sh +++ b/scripts/system.sh @@ -4,14 +4,10 @@ apt-get -q -q update apt-get -q -y upgrade # Turn on basic services: -# # ntp: keeps the system time correct -# # fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall -# -# These services don't need further configuration and are started immediately after installation. -apt-get install -q -y ntp fail2ban +apt-get install -q -y ntp # Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open # ports will be set up in the scripts that set up those services. From ebb0c04e406d94603e5bf8fad64d5b01dbb4c443 Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 17:11:24 +0100 Subject: [PATCH 3/9] mail.sh OK : x10 duration of ssl certificate + double the encryption key --- scripts/mail.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/mail.sh b/scripts/mail.sh index bea373e9..09151a36 100755 --- a/scripts/mail.sh +++ b/scripts/mail.sh @@ -196,16 +196,16 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ # SSL CERTIFICATE - + # Create a self-signed certifiate. mkdir -p $STORAGE_ROOT/ssl if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then - openssl genrsa -des3 -passout pass:x -out /tmp/server.key 2048 # create key, but it has a password... + openssl genrsa -des3 -passout pass:x -out /tmp/server.key 4096 # create key, but it has a password... openssl rsa -passin pass:x -in /tmp/server.key -out $STORAGE_ROOT/ssl/ssl_private_key.pem # remove password and save it to the right location rm /tmp/server.key # remove temporary password-laden key openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \ -subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME" - openssl x509 -req -days 365 \ + openssl x509 -req -days 3650 \ -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem fi @@ -227,4 +227,3 @@ service dovecot restart ufw allow smtp ufw allow submission ufw allow imaps - From 95f747fa91deeed7a055a35a06fdd7ebadaba37d Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 17:14:09 +0100 Subject: [PATCH 4/9] dkim.sh OK : nothing changed --- scripts/dkim.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/dkim.sh b/scripts/dkim.sh index 88dc36ed..b044f6e9 100644 --- a/scripts/dkim.sh +++ b/scripts/dkim.sh @@ -30,7 +30,7 @@ RequireSafeKeys false EOF fi -# Create a new DKIM key if we don't have one already. This creates +# Create a new DKIM key if we don't have one already. This creates # mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former # is the actual private key and the latter is the suggested DNS TXT # entry which we'll want to include in our DNS setup. From 1d86062950d9a4c0f125cd3578a78ac5f1a98590 Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 17:17:52 +0100 Subject: [PATCH 5/9] spamassassin.sh dns_update OK : all clear --- scripts/dns_update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/dns_update.sh b/scripts/dns_update.sh index 8bc6f8e3..690a2f68 100755 --- a/scripts/dns_update.sh +++ b/scripts/dns_update.sh @@ -29,7 +29,7 @@ server: # The directory for zonefile: files. zonesdir: "/etc/nsd3/zones" - + # ZONES EOF @@ -96,7 +96,7 @@ EOF if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2; fi - + # Add this zone file to the main nsd configuration file. cat >> /etc/nsd3/nsd.conf << EOF; zone: From 056ba45f3ebf4dd5221ca59c87787b24870fec90 Mon Sep 17 00:00:00 2001 From: auzias Date: Fri, 17 Jan 2014 17:22:50 +0100 Subject: [PATCH 6/9] Everything seems good & clean --- notes/dspam.sh | 62 -------------------------------------------------- 1 file changed, 62 deletions(-) delete mode 100644 notes/dspam.sh diff --git a/notes/dspam.sh b/notes/dspam.sh deleted file mode 100644 index a84b897b..00000000 --- a/notes/dspam.sh +++ /dev/null @@ -1,62 +0,0 @@ -# Spam filtering with dspam. -# -# This mostly works. But dspam crashes. So..... we're not using this. - -apt-get -q -y install dspam libdspam7-drv-sqlite3 dovecot-antispam dovecot-sieve - -# Let it turn on. -sed -i "s/START=no/START=yes/" /etc/default/dspam - -# Override some of the basic settings that have default values we don't like. -# Listen as an SMTP server, and pass messages back directly to dovecot. -tools/editconf.py /etc/dspam/dspam.conf -s \ - Home=$STORAGE_ROOT/mail/dspam \ - ServerMode=standard \ - ServerHost=127.0.0.1 \ - ServerParameters=--deliver=innocent \ - DeliveryProto=LMTP \ - DeliveryHost=/var/run/dovecot/lmtp \ - Tokenizer=osb - -# Put other settings into a local configuration file. -cat > /etc/dspam/dspam.d/local.conf << EOF; -IgnoreHeader X-Spam-Status -IgnoreHeader X-Spam-Scanned -IgnoreHeader X-Virus-Scanner-Result -IgnoreHeader X-Virus-Scanned -IgnoreHeader X-DKIM -IgnoreHeader DKIM-Signature -IgnoreHeader DomainKey-Signature -IgnoreHeader X-Google-Dkim-Signature -EOF - -# Global preferences. -tools/editconf.py /etc/dspam/default.prefs \ - spamAction=deliver \ - signatureLocation=headers \ - showFactors=on - -# Hook into postfix. Replace dovecot with dspam as the mail delivery agent. -# dspam is configured above to pass mail on to dovecot next. -tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:2424 - -# Hook into dovecot... these aren't tested. - -# Automatically move spam into a folder called Spam. Enable the sieve plugin. -# (Note: Be careful if we want to use multiple plugins later.) -sudo sed -i "s/#mail_plugins = .*/mail_plugins = \$mail_plugins sieve/" /etc/dovecot/conf.d/20-lmtp.conf - -# The sieve scripts are installed by users_update.sh. - -# to detect when a message moves between folders so we can -# pass it to dspam for training. (Be careful if we use multiple plugins later.) -# This is not finished. -sudo sed -i "s/#mail_plugins = .*/mail_plugins = \$mail_plugins antispam/" /etc/dovecot/conf.d/20-imap.conf - -# Create storage space. -mkdir -p $STORAGE_ROOT/mail/dspam -chown dspam:dspam $STORAGE_ROOT/mail/dspam - -service dspam restart -service postfix restart - From 2e16435c1aada83159f24f33008f9f37205578ea Mon Sep 17 00:00:00 2001 From: Pamplemousse Date: Mon, 20 Jan 2014 15:45:23 +0100 Subject: [PATCH 7/9] Update system.sh --- scripts/system.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/scripts/system.sh b/scripts/system.sh index 9a11268e..3c22787c 100755 --- a/scripts/system.sh +++ b/scripts/system.sh @@ -1,13 +1,8 @@ -# Base system configuration. - -apt-get -q -q update -apt-get -q -y upgrade - # Turn on basic services: # ntp: keeps the system time correct # fail2ban: scans log files for repeated failed login attempts and blocks the remote IP at the firewall -apt-get install -q -y ntp +apt-get install -q -y ntp fail2ban # Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open # ports will be set up in the scripts that set up those services. From c964183a4780c9a4679b423c9dd71c908d44c370 Mon Sep 17 00:00:00 2001 From: Pamplemousse Date: Wed, 22 Jan 2014 11:33:04 +0100 Subject: [PATCH 8/9] Update README.md --- README.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/README.md b/README.md index 1212040e..5113f7fd 100644 --- a/README.md +++ b/README.md @@ -82,17 +82,3 @@ For instance, in my case, I could tell my domain name registrar that `ns1.box.oc (In a more complex setup, you may have a different nameserver for your domain. In this case, you'll delegate DNS to your box for the box's own subdomain. In your main DNS, add a record like "box.occams.info. 3600 IN NS ns1.box.occams.info." and a second one for `ns2` (the final period may be important). This sets who is the authoritative server for the hostname. You'll then also need "ns1.box.ocacams.info IN A 10.20.30.40" providing the IP address of the authoritative server (and repeat for `ns2`). Then add an MX record on your main domain pointing to the hostname you chose for your server here so that you delegate mail for the domain to your new server using a record like "occams.info. 3600 IN MX 1 box.occams.info." (again the period at the end may be important). You'll also want to put an SPF record on your main domain like "occams.info IN TXT "v=spf1 a mx -all" ".) -Checking Your Mail ------------------- - -You can access your email at https://`hostname`/mail, where `hostname` is again the hostname you chose at the start. - -If you want to set up a desktop mail client like Thunderbird, your IMAP and SMTP server is the hostname you chose at the top. For IMAP, you must choose SSL and port 993. For SMTP, you must choose STARTTLS and port 587. Your username is your complete email address. And your password you entered during server setup earlier. You're using a "self-signed certificate" for SSL connections, so you'll get security warnings when you try to read and send mail. It's safe to permanently ignore the warning the first time you see it (but not if you see the same warning later on). - -Checking that it Worked ------------------------ - -... - - - From 8bb1df30d298649bf355e0ce23dd3c7a88519be2 Mon Sep 17 00:00:00 2001 From: Pamplemousse Date: Wed, 22 Jan 2014 12:12:50 +0100 Subject: [PATCH 9/9] Update README.md --- README.md | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/README.md b/README.md index 5113f7fd..ae46f479 100644 --- a/README.md +++ b/README.md @@ -3,17 +3,15 @@ Mail in a Box This is a work-in-progress to create a one-click deployment of a personal mail server. -After spinning up a fresh Ubuntu machine, just run `sudo scripts/start.sh` and you get: +After spinning up a fresh machine, just run `sudo scripts/start.sh` and you get: * An SMTP server (postfix) for sending/receiving mail, with STARTTLS required for authentication, and greylisting to cut down on spam. * An IMAP server (dovecot) for checking your mail, with SSL required. -* A webmail client (roundcube) so you can check your email from a web browser. * Mailboxes and aliases are configured by a command-line tool. * Spam filtering (spamassassin) with spam automatically going to your Spam folder, and moving mail in and out of the Spam folder triggers retraining on the message. * DKIM signing on outgoing messages. * DNS pre-configured for SPF and DKIM (just set your domain name nameservers to be the machine itself). -Other things I'd like to add in the future are personal cloud services (file storage, calendar, etc.), an OpenID provider, a place for putting a simple homepage, support for Ubuntu cloud-init, etc. The goals of this project are: @@ -32,25 +30,6 @@ Before You Begin * Decide what **hostname** you'll use for your new Mail in a Box. You may want to buy a domain name from your favorite registrar now. For the most flexibility, assign a subdomain to your box. For instance, my domain name is `occams.info` (my email address is something`@occams.info`), so I've assigned `box.occams.info` as the hostname for my Mail in a Box. -Get a Server ------------- - -* Get a server. I've been a long-time customer of Rimuhosting.com which provides cheap VPS machines at several locations around the world. You could also go with Linode.com or any other cloud or VPS (virtual server) provider. (If you want to test on Amazon EC2, I've got instructions for you in ec2/README.md.) In a cloud environment like EC2 where your server's IP address is dynamic, this is a good time to assign a static IP (like a EC2 Elastic IP). - -* Choose Ubuntu 13.04 amd64 as your operating system (aka a Linux distribution). You won't need much memory or disk space. 768 MB of memory (RAM) and 4G of disk space should be plenty. - -* Once the machine is running, set up Reverse DNS. Each ISP handles that differently. You'll have to figure out from your ISP how to do that. Set the reverse DNS to the hostname you chose above (in my case `box.occams.info`). - -* Log in with SSH. Again, your ISP will probably give you some instructions on how to do that. If your personal computer has a command line, you'll be doing something like this: - - ssh -i yourkey.pem user@10.20.30.40 - -You should see a command prompt roughly similar to: - - root@box:~# (<-- blinking cursor here) - - -All command-line instructions below assume you've logged into your machine with SSH already. Configuring the Server ----------------------