Configuration

Here I will be sharing links to guides, as well as brief troubleshooting notes, that helped me get everything on ~grandline up and running. Kudos especially to the great people at Linode for all of their awesome guides.

Initial Setup

Changed my hostname and timezone using this guide from Linode. Then secured ~grandline by changing ssh options, creating iptables rules, and installing fail2ban from this Linode guide.

• Password authentication is insecure for public servers and so is disabled (only pubkey is accepted)
• I own the domain jahschwa.com, and I manage DNS through NameCheap (where I purchased the domain)

SSL Certificates (Old)

These were giving me trouble, but finally created my own self-signed CA and other certs using this guide. I no longer use my own CA, but I kept this here anyway.

• You can't sign two certs that have the same info, so I changed the Division field for each of mine
• I currently have distinct certs for: Lighttpd, Prosody, Postfix, Dovecot, Mumble, Area11
• My root CA key is on an encrypted flash drive
• If you need my root CA cert, go here; trusting it should trust all my other certs
• Lighttpd apparently wants the key and cert in the same ".pem" file, so I combined them with cat
• I enabled HSTS using this guide

SSL Certificates (Current)

There's finally a free way to get SSL certificates that work for the general population! If you're looking for one, look no further than the Let's Encrypt project.

• Let's encrypt allows multiple domains, and I have a single cert for each of: jahschwa.com, area11.jahschwa.com, haas-family.org, goodsirdarcy.com
• I have a monthly cron job that runs certbot renew as well as cat for lighttpd and some chown
• Some of the programs don't read certs until after they drop root, so I created a new group ssl-cert for Prosody and Mumble
• The chown in the cron job is necessary because certbot changes ownership to root:root

Email

I finally managed to get e-mail working on ~grandline while following these two guides and their troubleshooting companion from Linode. Added DKIM authentication as requested by GMail here using this guide and added a DMARC record using this guide. Then integrated Amavis, ClamAV, and SpamAssassin via this Linode guide. Finally, checked by sending an e-mail to this site and also using this site to fix problems.

• For some reason the hosts option in /etc/postfix/mysql-virtual-mailbox-domains.cf was localhost which was throwing a MySQL error, changing it to 127.0.0.1 allowed MySQL access
• I had to set the postmaster_address option in Dovecot as in this post
• To use regular TLS (not STARTTLS) on port 465, I uncommented -o smtpd_tls_wrappermode=yes after the smtps line in /etc/postfix/master.cf
• Some DNS providers support SPF records, but these are deprecated, so use a TXT record for SPF
• Added aliases for postmaster, webmaster, and abuse; they all redirect to admin
• Certificates provided via Let's Encrypt (OLD: used separate certs for Postfix and Dovecot signed by my own CA)
• Completely disabled obsolete SSLv2 and SSLv3 via this ServerFault answer
• Disabled obsolete RC4 ciphers using this ServerFault answer
• Added local SPF validation and rejection using this Linode guide
• Had to set AllowSupplementaryGroups true in Amavis as stated here
• Added the -o receive_override_options=no_milters option to pickup and amavis in postfix/master.cf based on the bottom of this ubuntu help page so it works nice with openDKIM
• Configured Amavis for my preferred spam options using this post and corrected subject editing as noted in this post
• Added dovecot-sieve to put spam in a Junk folder using this wiki page and this SO question
• FUTURE: add IMAP spamassassin training folders ala here

RoundCube Webmail

I setup the RoundCube webmail client and got it working after tweaking a couple settings in its config. Followed the Roundcube section of this ArchWiki article to let users change their passwords.

• The first apt-get install of roundcube didn't take, but specifying ignore in the second attempt did
• In /etc/roundcube/main.inc.php I changed default_host to ssl://127.0.0.1:993
• Also changed username_domain to %n after experimenting (jahschwa.com didn't work)
• Finally changed force_https to true to force secure connections
• Unsure of necessity: changed password_query in /usr/share/roundcube/plugins/password/config.inc.php to the following drawn from Linode 'UPDATE virtual_users SET password=ENCRYPT(%p,CONCAT("$6$",SUBSTRING(SHA(RAND()),-16))) WHERE email=%u'
• After disabling SSL2/SSL3 for dovecot, IMAP broke, and I found this github issue and had to manually apply this patch to enable TLS (aptitude reports version 1.2~beta+dfsg.1-0ubuntu1)

Prosody XMPP Server

I was initially using OpenFire on the recommendation of a friend, but getting SSL to work correctly with it was a nightmare. I managed it when this was still grandline.terracrypt.net, but after the switch to jahschwa.com I couldn't figure it out so I just switched to prosody instead. Initial setup was done using Prosody's official guide.

• Specified my own SSL key and cert in 15 seconds compared to hours of failure with OpenFire
• I then added a MUC component by following the mod_muc docs.
• Added mod_pastebin to the muc component.
• Also had to set pastebin_url to "https://jahschwa.com:5281/pastebin/" because it was initially hosting them at https://conference.jahschwa.com which is invalid for my prosody SSL cert.
• Added mod_adminweb for web administration (and changed line 130 to serve /prosody).
• Added mod_reload_modules to reload SSL certs per here

MySQL and PHPMyAdmin

Coming Soon