Configuration
Here I will be sharing links to guides, as well as brief troubleshooting notes, that helped me get everything on ~grandline up and running. Kudos especially to the great people at Linode for all of their awesome guides.
Initial Setup
Changed my hostname and timezone using this guide from Linode. Then secured ~grandline by changing ssh options, creating iptables rules, and installing fail2ban from this Linode guide.
- Password authentication is insecure for public servers and so is disabled (only pubkey is accepted)
- I own the domain jahschwa.com, and I manage DNS through NameCheap (where I purchased the domain)
SSL Certificates (Old)
These were giving me trouble, but I finally created my own self-signed CA and other certs using this guide. I no longer use my own CA, but I kept this section here anyway.
- You can't sign two certs that have the same info, so I changed the Division field for each of mine
- I currently have distinct certs for: Lighttpd, Prosody, Postfix, Dovecot, Mumble, Area11
- My root CA key is on an encrypted flash drive
- If you need my root CA cert, go here; trusting it should trust all my other certs
- Lighttpd apparently wants the key and cert in the same ".pem" file, so I combined them with cat
- I enabled HSTS using this guide
SSL Certificates (Current)
There's finally a free way to get SSL certificates that work for the general population! If you're looking for one, look no further than the Let's Encrypt project.
- Let's Encrypt allows multiple domains, and I have a single cert for each of: jahschwa.com, area11.jahschwa.com, haas-family.org, goodsirdarcy.com
- I have a monthly cron job that runs certbot renew, as well as cat for lighttpd and some chown
- Some of the programs don't read certs until after they drop root, so I created a new group ssl-cert for Prosody and Mumble
- The chown in the cron job is necessary because certbot changes ownership to root:root
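The post-renewal part of that cron job, written out as an added example (not part of the original notes, and not certbot's own code): it builds the combined key+chain .pem that lighttpd wants and re-grants ssl-cert group read access after certbot has reset ownership to root:root. The paths in the trailing comment are assumptions.

```shell
#!/bin/sh
# Post-renewal steps for the monthly "certbot renew" job: rebuild the single
# .pem lighttpd reads, then hand read access back to the ssl-cert group for
# daemons (Prosody, Mumble) that only open the cert after dropping root.
set -eu

# combine_pem LIVE_DIR OUT_PEM
# Concatenate privkey.pem and fullchain.pem from a Let's Encrypt live directory
# into one file, created 0600 so the private key is never world-readable.
combine_pem() {
    live_dir="$1"; out_pem="$2"
    [ -f "$live_dir/privkey.pem" ] && [ -f "$live_dir/fullchain.pem" ] ||
        { echo "combine_pem: key or chain missing in $live_dir" >&2; return 1; }
    old_umask=$(umask); umask 077
    cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$out_pem"
    umask "$old_umask"
}

# grant_group_read GROUP FILE...
# certbot renew leaves renewed files root:root; set GROUP and mode 0640 on
# each FILE so group members can read it while everyone else is still denied.
grant_group_read() {
    group="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "grant_group_read: no such file $f" >&2; return 1; }
        chgrp "$group" "$f"
        chmod 0640 "$f"
    done
}

# Wiring as run from cron after "certbot renew" (paths are assumptions):
#   combine_pem /etc/letsencrypt/live/jahschwa.com /etc/lighttpd/server.pem
#   grant_group_read ssl-cert /etc/lighttpd/server.pem \
#       /etc/letsencrypt/live/jahschwa.com/privkey.pem
#   service lighttpd reload
```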
I finally managed to get e-mail working on ~grandline while following these two guides and their troubleshooting companion from Linode. Added DKIM authentication as requested by GMail here using this guide, and added a DMARC record using this guide. Then integrated Amavis, ClamAV, and SpamAssassin via this Linode guide. Finally, I checked it by sending an e-mail to this site, and also used this site to fix problems.
- For some reason the hosts option in /etc/postfix/mysql-virtual-mailbox-domains.cf was localhost, which was throwing a MySQL error; changing it to 127.0.0.1 allowed MySQL access
- I had to set the postmaster_address option in Dovecot as in this post
- To use regular TLS (not STARTTLS) on port 465, I uncommented -o smtpd_tls_wrappermode=yes after the smtps line in /etc/postfix/master.cf
- Some DNS providers support SPF records, but these are deprecated, so use a TXT record for SPF
- Added aliases for postmaster, webmaster, and abuse; they all redirect to admin
- Certificates provided via Let's Encrypt (OLD: used separate certs for Postfix and Dovecot signed by my own CA)
- Completely disabled obsolete SSLv2 and SSLv3 via this ServerFault answer
- Disabled obsolete RC4 ciphers using this ServerFault answer
- Added local SPF validation and rejection using this Linode guide
- Had to set AllowSupplementaryGroups true in Amavis as stated here
- Added the -o receive_override_options=no_milters option to pickup and amavis in postfix/master.cf based on the bottom of this Ubuntu help page so it works nicely with OpenDKIM
- Configured Amavis for my preferred spam options using this post and corrected subject editing as noted in this post
- Added dovecot-sieve to put spam in a Junk folder using this wiki page and this SO question
- FUTURE: add IMAP SpamAssassin training folders à la here
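A small audit for the SSLv2/SSLv3 and RC4 removal above, added here as an example (not from the original notes and not a Postfix tool): it reads main.cf the way Postfix does, where the last assignment of a parameter wins, and reports whether the hardening is actually in effect. The parameter names are Postfix's own; the two sample files are constructed.

```shell
#!/bin/sh
# Audit a Postfix main.cf for the SSLv2/SSLv3 and RC4 removal above. Postfix
# takes the last assignment of a parameter as the effective one, so the audit
# must not stop at the first match; an unset parameter is reported as well,
# since then the release's default decides instead of the admin.
set -eu

# postfix_param FILE PARAM: print PARAM's effective value (empty if unset).
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_postfix_tls FILE: return 0 when the mandatory (ports 465/587) and the
# opportunistic (port 25) server settings both exclude SSLv2, SSLv3 and RC4;
# otherwise print one line per finding and return 1.
check_postfix_tls() {
    file="$1"; rc=0
    for p in smtpd_tls_mandatory_protocols smtpd_tls_protocols; do
        v=$(postfix_param "$file" "$p")
        case "$v" in
            *'!SSLv2'*'!SSLv3'*|*'!SSLv3'*'!SSLv2'*) ;;
            *) echo "finding: $p='$v' does not exclude both SSLv2 and SSLv3"; rc=1 ;;
        esac
    done
    for p in smtpd_tls_mandatory_exclude_ciphers smtpd_tls_exclude_ciphers; do
        v=$(postfix_param "$file" "$p")
        case "$v" in
            *RC4*) ;;
            *) echo "finding: $p='$v' does not exclude RC4"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples. The weak file shows the last-wins trap: a later line
# quietly re-enables SSLv3, and the cipher exclusions are missing entirely.
write_weak_cf() { cat > "$1" <<'EOF'
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2
EOF
}
write_hardened_cf() { cat > "$1" <<'EOF'
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
smtpd_tls_exclude_ciphers = aNULL, MD5, RC4
EOF
}
```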
RoundCube Webmail
I set up the RoundCube webmail client and got it working after tweaking a couple of settings in its config. I followed the Roundcube section of this ArchWiki article to let users change their passwords.
- The first apt-get install of roundcube didn't take, but specifying ignore in the second attempt did
- In /etc/roundcube/main.inc.php I changed default_host to ssl://127.0.0.1:993
- Also changed username_domain to %n after experimenting (jahschwa.com didn't work)
- Finally changed force_https to true to force secure connections
- Unsure of necessity: changed password_query in /usr/share/roundcube/plugins/password/config.inc.php to the following, drawn from Linode: 'UPDATE virtual_users SET password=ENCRYPT(%p,CONCAT("$6$",SUBSTRING(SHA(RAND()),-16))) WHERE email=%u'
- After disabling SSL2/SSL3 for Dovecot, IMAP broke, and I found this GitHub issue and had to manually apply this patch to enable TLS (aptitude reports version 1.2~beta+dfsg.1-0ubuntu1)
Prosody XMPP Server
I was initially using OpenFire on the recommendation of a friend, but getting SSL to work correctly with it was a nightmare. I managed it when this was still grandline.terracrypt.net, but after the switch to jahschwa.com I couldn't figure it out, so I just switched to Prosody instead. Initial setup was done using Prosody's official guide.
- Specified my own SSL key and cert in 15 seconds compared to hours of failure with OpenFire
- I then added a MUC component by following the mod_muc docs.
- Added mod_pastebin to the MUC component.
- Also had to set pastebin_url to "https://jahschwa.com:5281/pastebin/" because it was initially hosting them at https://conference.jahschwa.com, which is invalid for my Prosody SSL cert.
- Added mod_adminweb for web administration (and changed line 130 to serve /prosody).
- Added mod_reload_modules to reload SSL certs per here
MySQL and PHPMyAdmin
Coming Soon