From 4ce691b560b037fc7a87219d92a175156c92f892 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 8 Feb 2010 15:52:04 +0100
Subject: [PATCH 01/16] pam: Make dovecot check the mailHost attribute.
Previously (in an uncommited pam.d/dovecot file), dovecot just used the common-{auth,account}, which checked the "host" attribute. Now the mailHost attribute is checked, so only people that have their email delivered here can use IMAP.
---
 etc/pam.d/dovecot | 22 ++++++++++++++++++++++
 etc/pam_ldap_dovecot.conf | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 etc/pam.d/dovecot
 create mode 100644 etc/pam_ldap_dovecot.conf
diff --git a/etc/pam.d/dovecot b/etc/pam.d/dovecot
new file mode 100644
index 0000000..ddf9a02
--- /dev/null
+++ b/etc/pam.d/dovecot
@@ -0,0 +1,22 @@
+#%PAM-1.0
+
+# We have a common auth and account section, since we don't need to check the
+# "host" attribute, but the "mailHost" attribute. It would be sufficient to
+# use a custom account section, but pam_ldap only loads its config once, so we
+# can't use a different config for just the accoun section.
+
+# These are just taken from common-{auth,account}, but with the config=
+# parameter added.
+auth required pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+# We point the module to an alternative configuration file.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+@include common-session
diff --git a/etc/pam_ldap_dovecot.conf b/etc/pam_ldap_dovecot.conf
new file mode 100644
index 0000000..b5c31c8
--- /dev/null
+++ b/etc/pam_ldap_dovecot.conf
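Review bot: The header comment of the new pam.d/dovecot file misdescribes the stack: it says "We have a common auth and account section" while the whole point of the file is a custom stack that bypasses common-auth/common-account, and "accoun section" is a typo. I would change the first comment line to `# We have a custom auth and account section, since we don't need to check the` and `accoun` to `account`. It is also worth stating explicitly that the `auth` phase consists of `pam_ldap.so` alone with no pam_unix fallback, so accounts that exist only in /etc/passwd can never authenticate to dovecot; the commit message suggests that is intended, and a one-line comment such as `# Deliberately no pam_unix here: only LDAP users may use IMAP` would stop a later editor from "fixing" it.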
@@ -0,0 +1,21 @@ +# +# See /usr/share/libpam-ldap/ldap.conf for example configuration and more +# options. +# +# +# Dovecot-specific version of pam_ldap.conf that checks the mailHost attribute +# instead of the "host" attribute, so people without SSH access can still use +# IMAP, and only people whose mail is delivered on this host can use IMAP. + +# The distinguished name of the search base. +base dc=drsnuggles,dc=stderr,dc=nl + +# The LDAP server. ldaps:// is secure, ldapi:// is local socket +uri ldap://ldap.drsnuggles.stderr.nl + +# The LDAP version to use +ldap_version 3 + +# Only allow people to login to dovecot when their email is delivered here. +# Too bad this uses a hardcoded hostname, though... +pam_filter mailHost=mail.drsnuggles.stderr.nl -- 2.30.2 From 7ef8ed33a2568479ea7fd52e7edd4e62f685cc96 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 25 Feb 2010 14:37:31 +0100 Subject: [PATCH 02/16] dovecot: Use a real certificate. Previously, a auto-generated self-signed certificate was used. --- etc/dovecot/dovecot.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf index 9452f87..00ec7ae 100644 --- a/etc/dovecot/dovecot.conf +++ b/etc/dovecot/dovecot.conf @@ -21,6 +21,11 @@ protocols = imap imaps lda # therefore not introduce a security issue. disable_plaintext_auth = no +# Our SSL private key +ssl_key_file = /etc/dovecot/ssl/mail.stdout.nl.key +# The public certificate (including the entire chain to the root) +ssl_cert_file = /etc/dovecot/ssl/mail.stdout.nl.crt + protocol imap { # Enable virtual mailboxes mail_plugins = virtual -- 2.30.2 From 4d120e9197de7980251c1e398b4ded3494c0d3b7 Mon Sep 17 00:00:00 2001 
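Review bot: The `uri ldap://ldap.drsnuggles.stderr.nl` line selects an unencrypted connection even though the comment directly above it notes that `ldaps://` is the secure option; on an `auth` stack pam_ldap binds with the user's IMAP password, so that password crosses the network to the LDAP server in the clear unless the link is protected some other way (a loopback or private vserver network, which I cannot tell from here). If it is not, either switch the URI to `ldaps://` or add `ssl start_tls` together with `tls_checkpeer yes` and a `tls_cacertfile` entry so the server certificate is actually verified rather than merely used. If the network really is trusted, a comment recording that reasoning next to the `uri` line would do. The hardcoded host in `pam_filter mailHost=mail.drsnuggles.stderr.nl`, which the author already flags, deserves a note that it must track any rename of the mail host or all IMAP logins start failing.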
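Review bot: `ssl_key_file = /etc/dovecot/ssl/mail.stdout.nl.key` points dovecot at a private key under /etc, and nothing in the hunk documents its expected ownership and mode; Dovecot wants the key readable by root only, and if this repository tracks /etc wholesale an ignore rule for the key should exist so it never lands in version control (it is absent from this diffstat, which is good but not obviously deliberate). I would add `# Key must be root-owned, mode 0600, and is excluded from this repository` above the setting. The visible context also keeps `disable_plaintext_auth = no` on the non-TLS `imap` listener; if the comment preceding it (cut off above the hunk) justified that by the lack of a trustworthy certificate, that justification no longer holds after this commit and is worth revisiting.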
From: root Date: Wed, 17 Mar 2010 15:05:28 +0100 Subject: [PATCH 03/16] dovecot: Make ~/Mail/Folders the IMAP root. This ensures that the virtual mailboxes don't show up twice and stuff like the sieve directory isn't accidentally listed. --- etc/dovecot/dovecot.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf index 00ec7ae..1e3cce8 100644 --- a/etc/dovecot/dovecot.conf +++ b/etc/dovecot/dovecot.conf @@ -85,7 +85,7 @@ plugin { # Mail is stored in users' homedirs. We use the fs layout, so nesting of # mailboxes is done using normal filesystem nesting. -mail_location = Maildir:~/Mail:LAYOUT=fs +mail_location = Maildir:~/Mail/Folders:LAYOUT=fs # Default namespace, uses mail_location above namespace private { -- 2.30.2 From a06560195cbbd3f4b9b90f2fb329d445b21c94e4 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 4 May 2010 16:19:36 +0200 Subject: [PATCH 04/16] exim: Add an alias for munin@. --- etc/aliases | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/aliases b/etc/aliases index de986cd..b48815e 100644 --- a/etc/aliases +++ b/etc/aliases @@ -18,4 +18,5 @@ abuse: root noc: root security: root logcheck: root +munin: root root: matthijs -- 2.30.2 From 94063426f36b90b391ed37c28a83980ae22a14c9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 26 Jul 2010 15:26:53 +0200 Subject: [PATCH 05/16] oidentd: Add default configuration. --- etc/default/oidentd | 17 +++++++++++++++++ etc/oidentd.conf | 22 ++++++++++++++++++++++ etc/oidentd_masq.conf | 11 +++++++++++ 3 files changed, 50 insertions(+) create mode 100644 etc/default/oidentd create mode 100644 etc/oidentd.conf create mode 100644 etc/oidentd_masq.conf diff --git a/etc/default/oidentd b/etc/default/oidentd new file mode 100644 index 0000000..14bec1e --- /dev/null +++ b/etc/default/oidentd 
@@ -0,0 +1,17 @@
+# options to use when starting oidentd as daemon:
+# -m lookup masquaraded connections in /etc/oidentd_masq.users
+# -f forward requests for masquaraded connections to real host
+# -q don't log connections to oidentd
+# see oidentd(8) for detailed list
+OIDENT_OPTIONS="-mf"
+
+# user / group
+OIDENT_USER=oident
+OIDENT_GROUP=oident
+
+# Allow the default router to act as an oidentd proxy? (yes/no)
+# this is needed behind a masquarading router that runs oidentd -f
+# if your identd proxy is not the default router, you have to
+# manually specify it via -P
+OIDENT_BEHIND_PROXY=yes
+
diff --git a/etc/oidentd.conf b/etc/oidentd.conf
new file mode 100644
index 0000000..03b28d8
--- /dev/null
+++ b/etc/oidentd.conf
@@ -0,0 +1,22 @@
+# Configuration for oidentd
+# see oidentd.conf(5)
+#
+default {
+ default {
+ deny spoof
+ deny spoof_all
+ deny spoof_privport
+ allow random
+ allow random_numeric
+ allow numeric
+ deny hide
+ }
+}
+
+# you may want to hide root connections
+#user "root" {
+# default {
+# force reply "UNKNOWN"
+# }
+#}
+
diff --git a/etc/oidentd_masq.conf b/etc/oidentd_masq.conf
new file mode 100644
index 0000000..8fb03f1
--- /dev/null
+++ b/etc/oidentd_masq.conf
@@ -0,0 +1,11 @@
+# oident masquarded connections configuration
+
+# use this file if your host is masquarading connections for several
+# hosts and you want to return a reply based on the hostname of
+# the originating machine
+# by default, such requests are forwarded to the real host.
+# you can disable forwarding by removing "-f" from OIDENT_OPTIONS
+# in /etc/default/oidentd
+
+# add hosts in the following format, see oidentd_masq.conf(5) for details:
+# [/mask]
--
2.30.2
From a799b50b1d46b49b57ce3212c2fcf60317e7a6f9 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 26 Jul 2010 15:29:31 +0200
Subject: [PATCH 06/16] oidentd: Allow the vserver host to forward connections.
---
 etc/default/oidentd | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
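Review bot: The `-m` comment in etc/default/oidentd says masqueraded connections are looked up in `/etc/oidentd_masq.users`, but the file this commit actually adds (and the one the third hunk's `-f` comment points readers to) is `/etc/oidentd_masq.conf`; one of the two names is wrong, and since both files are shipped defaults I cannot tell from here which path the packaged oidentd reads — verify against `oidentd_masq.conf(5)` and correct the comment, e.g. `# -m lookup masquaraded connections in /etc/oidentd_masq.conf`. The last line of etc/oidentd_masq.conf, `# [/mask]`, looks like a format example whose angle-bracketed placeholders were lost, presumably when the text passed through something that strips tags, so the example as committed is unusable and should be restored from the man page. Same typo (`masquaraded`) recurs in both files if you are touching the comments anyway.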
diff --git a/etc/default/oidentd b/etc/default/oidentd index 14bec1e..f807bd5 100644 --- a/etc/default/oidentd +++ b/etc/default/oidentd @@ -2,16 +2,19 @@ # -m lookup masquaraded connections in /etc/oidentd_masq.users # -f forward requests for masquaraded connections to real host # -q don't log connections to oidentd +# -P allow forwarded connectsions from this host. We use our own +# hostname here, since connections will be forwarded from oidentd +# on the vserver host. Those connections will appear to originate +# from our own (and only) IP address. # see oidentd(8) for detailed list -OIDENT_OPTIONS="-mf" +OIDENT_OPTIONS="-mf -P `hostname`" # user / group OIDENT_USER=oident OIDENT_GROUP=oident # Allow the default router to act as an oidentd proxy? (yes/no) -# this is needed behind a masquarading router that runs oidentd -f -# if your identd proxy is not the default router, you have to -# manually specify it via -P -OIDENT_BEHIND_PROXY=yes +# Since the vserver stuff messes up this autodetection, we pass in -P +# above instead. +OIDENT_BEHIND_PROXY=no -- 2.30.2 From 21b10d1a623e853cd3f0590b72224bb8e8af4f4b Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 10 Aug 2010 11:59:27 +0200 Subject: [PATCH 07/16] exim: Add transport configuration. For some reason, these configuration files never got committed. --- etc/exim4/conf.d/transport/30_dovecot_delivery | 14 ++++++++++++++ etc/exim4/conf.d/transport/30_remote_smtp | 10 ++++++++++ 2 files changed, 24 insertions(+) create mode 100644 etc/exim4/conf.d/transport/30_dovecot_delivery create mode 100644 etc/exim4/conf.d/transport/30_remote_smtp diff --git a/etc/exim4/conf.d/transport/30_dovecot_delivery b/etc/exim4/conf.d/transport/30_dovecot_delivery new file mode 100644 index 0000000..e623a43 --- /dev/null +++ b/etc/exim4/conf.d/transport/30_dovecot_delivery 
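Review bot: `OIDENT_OPTIONS="-mf -P `hostname`"` trusts whatever address `hostname` resolves to as the ident proxy, and on a Debian host the short hostname commonly resolves to `127.0.1.1` through /etc/hosts rather than to the address the forwarded requests actually arrive from, in which case `-P` would silently match nothing and forwarded lookups would be refused; I cannot see /etc/hosts here, so please confirm, and use the literal address if the resolution is not what you expect. Since that address is the guest's own IP, every process able to reach the ident port from it is accepted as a proxy, which is fine only if the vserver host is the sole other user of that address, as the new comment asserts — worth saying so explicitly next to `-P`. Minor: `connectsions` in the added comment should be `connections`.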
@@ -0,0 +1,14 @@
+dovecot_deliver:
+ driver = pipe
+ command = /usr/lib/dovecot/deliver -e
+ # deliver expects just the message, nothing surrounding it
+ message_prefix =
+ message_suffix =
+ # Log (the first line of) any output generated
+ log_output
+ # Add some headers
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+# vim: set sts=2 expandtab sw=2 ai:
diff --git a/etc/exim4/conf.d/transport/30_remote_smtp b/etc/exim4/conf.d/transport/30_remote_smtp
new file mode 100644
index 0000000..2b05dee
--- /dev/null
+++ b/etc/exim4/conf.d/transport/30_remote_smtp
@@ -0,0 +1,10 @@
+
+### transport/30_exim4-config_remote_smtp
+#################################
+# This transport is used for delivering messages over SMTP connections.
+
+remote_smtp:
+ debug_print = "T: remote_smtp for $local_part@$domain"
+ driver = smtp
+
+# vim: set sts=2 expandtab sw=2 ai:
--
2.30.2
From 6ccd335d2d7cea4f82a19b68f8c6965c773480b3 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 10 Aug 2010 12:02:25 +0200
Subject: [PATCH 08/16] exim: Use the external DNS name in HELO commands.
The hostname of the mail vserver is not in public DNS, so some smtp servers reject a HELO command that uses it. This change makes sure that the hostname of the vserver host is used in HELO command, which is the external hostname to use for reaching the mail vserver.
---
 etc/exim4/conf.d/main/main_config | 6 ++++--
 etc/exim4/conf.d/transport/30_remote_smtp | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config
index 771d2b6..fd84263 100644
--- a/etc/exim4/conf.d/main/main_config
+++ b/etc/exim4/conf.d/main/main_config
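Review bot: `dovecot_deliver:` declares a `pipe` transport with no `user`/`group`, so the uid that `/usr/lib/dovecot/deliver -e` runs under comes entirely from whichever router calls it, which is outside this change; Exim treats a pipe transport with no user from either side as a configuration error, so a router must be supplying one, but nothing here says which router or whether the command is meant to run as the recipient rather than a fixed account. I would add `# user/group are set by the calling router; deliver must run as the recipient` above `driver = pipe` and name that router file. The `-e` flag also deserves a comment, since if I recall the deliver manual correctly it makes deliver report rejections on stderr/exit status so that Exim generates the bounce instead of deliver mailing the sender itself — that decides which component's bounce policy applies.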
@@ -31,8 +31,10 @@ hostlist dont_reject_spam_hosts = katherina.student.utwente.nl : kat.student.utw # can come from any vserver, just use our main hostname. qualify_domain = drsnuggles.stderr.nl -# Let exim know how the rest of the world will try to reach us. -hosts_treat_as_local = drsnuggles.stderr.nl +# Let exim know how the rest of the world will try to reach us. The +# stmp transport also uses this macro for its helo command. +EXTERNAL_HOSTNAME = drsnuggles.stderr.nl +hosts_treat_as_local = EXTERNAL_HOSTNAME # The gecos field in /etc/passwd holds not only the name. see passwd(5). gecos_pattern = ^([^,:]*) diff --git a/etc/exim4/conf.d/transport/30_remote_smtp b/etc/exim4/conf.d/transport/30_remote_smtp index 2b05dee..7896c30 100644 --- a/etc/exim4/conf.d/transport/30_remote_smtp +++ b/etc/exim4/conf.d/transport/30_remote_smtp @@ -6,5 +6,9 @@ remote_smtp: debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp + # Use a different hostname in our helo command, since our + # primary_hostname is not in public DNS. EXTERNAL_HOSTNAME is a macro + # defined in the main config. + helo_data = EXTERNAL_HOSTNAME # vim: set sts=2 expandtab sw=2 ai: -- 2.30.2 From 671bbfb0923db87640a3f9ccc7aea9a6d794a765 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 1 Sep 2010 21:42:16 +0200 Subject: [PATCH 09/16] exim: Correct any real_domains in envelope addresses. The real_domains (e.g., vserver hostnames) are mostly not listed in the DNS, so we replace that with our public DNS name. --- etc/exim4/conf.d/rewrite/20_real_domains | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 etc/exim4/conf.d/rewrite/20_real_domains diff --git a/etc/exim4/conf.d/rewrite/20_real_domains b/etc/exim4/conf.d/rewrite/20_real_domains new file mode 100644 index 0000000..8ddddd8 --- /dev/null +++ b/etc/exim4/conf.d/rewrite/20_real_domains 
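Review bot: `EXTERNAL_HOSTNAME = drsnuggles.stderr.nl` is an Exim macro consumed from a transport file in this commit and from a rewrite file later in the series, and macros only expand in lines read after their definition; with Debian's split configuration the `main/` directory is concatenated first, so this works, but that ordering is the only thing making it work and the comment does not say so. I would rewrite the comment as `# smtp transport (and the rewrite rules) use this macro; keep it in main/ so it is defined before they are read`, which also fixes the `stmp` typo. The helo_data hunk in 30_remote_smtp is fine as written; it just inherits the same ordering dependency.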
@@ -0,0 +1,10 @@ +################################ +# If any of the real_domains is left in the envelope, rewrite it to our +# external hostname, since most real_domains are not listed in DNS. +# Don't rewrite the From address, so we can still see where a message +# comes from. +################################# + +*@+real_domains $1@EXTERNAL_HOSTNAME E + +# vim: set sts=2 expandtab sw=2 ai: -- 2.30.2 From 56101c199fb386e231d0c77a3617ddd9a61f326f Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Thu, 14 Oct 2010 13:02:31 +0200 Subject: [PATCH 10/16] exim: Add mkit.nl domain. --- etc/exim4/conf.d/main/main_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config index fd84263..0c6e98a 100644 --- a/etc/exim4/conf.d/main/main_config +++ b/etc/exim4/conf.d/main/main_config @@ -8,7 +8,7 @@ LDAPBASE=dc=drsnuggles,dc=stderr,dc=nl # List of virtual domains for which we deliver to any address that happens to # be configured in the LDAP directory. -domainlist virtual_domains = stdin.nl : stderr.nl : stdout.nl : blues-brothers.eu : foresightsecurity.nl : hekjelarp.nl +domainlist virtual_domains = stdin.nl : stderr.nl : stdout.nl : blues-brothers.eu : foresightsecurity.nl : hekjelarp.nl : mkit.nl # List of real hosts for which we deliver mail to real users. domainlist real_domains = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl # The list of domains for which we handle mail ourselves -- 2.30.2 From 281f9ac8a3d82ff9336a181c46092d17b1fc04b1 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 31 Jan 2011 17:03:40 +0100 Subject: [PATCH 11/16] exim: Add alias for fetchmail-daemon@. --- etc/aliases | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/aliases b/etc/aliases index b48815e..7b762c8 100644 --- a/etc/aliases +++ b/etc/aliases @@ -20,3 +20,4 @@ security: root logcheck: root munin: root root: matthijs +fetchmail-daemon: root -- 2.30.2 
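Review bot: The rule `*@+real_domains $1@EXTERNAL_HOSTNAME E` uses flag `E`, which in Exim covers all envelope fields — the envelope recipient as well as the envelope sender — while the comment only talks about leaving the From: header alone, so it is unclear whether rewriting recipient addresses of incoming mail was intended. Global rewrites are applied when a message is received, so a message addressed to `user@somevserver.drsnuggles.stderr.nl` would be routed as `user@drsnuggles.stderr.nl`; that is harmless only if every real_domains host maps to the same set of local users, which I cannot verify from here. If the goal is just a valid return path, `F` is the narrower flag; either way the comment should state which envelope fields are meant and why.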
From c3fa043b03c641d2fb6997b8430786dd9af3fee8 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Fri, 25 Mar 2011 20:34:49 +0100 Subject: [PATCH 12/16] exim: Add default logrotate config. --- etc/logrotate.d/exim4-base | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/logrotate.d/exim4-base diff --git a/etc/logrotate.d/exim4-base b/etc/logrotate.d/exim4-base new file mode 100644 index 0000000..ac31dd4 --- /dev/null +++ b/etc/logrotate.d/exim4-base @@ -0,0 +1,9 @@ +/var/log/exim4/mainlog /var/log/exim4/rejectlog { + daily + missingok + rotate 10 + compress + delaycompress + notifempty + create 640 Debian-exim adm +} -- 2.30.2 From d7a41a389de3b73cc92e4a9d5461b3d2b460f852 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Fri, 25 Mar 2011 20:36:57 +0100 Subject: [PATCH 13/16] exim: Keep exim logs for a year instead of 10 days. --- etc/logrotate.d/exim4-base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/logrotate.d/exim4-base b/etc/logrotate.d/exim4-base index ac31dd4..05ff0bc 100644 --- a/etc/logrotate.d/exim4-base +++ b/etc/logrotate.d/exim4-base @@ -1,7 +1,7 @@ /var/log/exim4/mainlog /var/log/exim4/rejectlog { daily missingok - rotate 10 + rotate 365 compress delaycompress notifempty -- 2.30.2 From 79a30bec7e62a96d2828116a4fbd464e661e2454 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 29 May 2011 15:33:56 +0200 Subject: [PATCH 14/16] exim: Add the chimara-if.org domain. --- etc/exim4/conf.d/main/main_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config index 0c6e98a..b86e7d0 100644 --- a/etc/exim4/conf.d/main/main_config +++ b/etc/exim4/conf.d/main/main_config 
@@ -8,7 +8,7 @@ LDAPBASE=dc=drsnuggles,dc=stderr,dc=nl # List of virtual domains for which we deliver to any address that happens to # be configured in the LDAP directory. -domainlist virtual_domains = stdin.nl : stderr.nl : stdout.nl : blues-brothers.eu : foresightsecurity.nl : hekjelarp.nl : mkit.nl +domainlist virtual_domains = stdin.nl : stderr.nl : stdout.nl : blues-brothers.eu : foresightsecurity.nl : hekjelarp.nl : mkit.nl : chimara-if.org # List of real hosts for which we deliver mail to real users. domainlist real_domains = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl # The list of domains for which we handle mail ourselves -- 2.30.2 From 59b1a0eb5aff20052cc077016e56c54793f738cc Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Sun, 29 May 2011 15:34:28 +0200 Subject: [PATCH 15/16] exim: Remove katherina from the trusted MX list. This host is not online anymore. --- etc/exim4/conf.d/main/main_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config index b86e7d0..386d1c2 100644 --- a/etc/exim4/conf.d/main/main_config +++ b/etc/exim4/conf.d/main/main_config @@ -25,7 +25,7 @@ hostlist relay_from_hosts = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl # Don't reject spam from these hosts, since they are known dumb, but trusted # relays. They will only send rejects to the wrong people. -hostlist dont_reject_spam_hosts = katherina.student.utwente.nl : kat.student.utwente.nl : *.utsp.utwente.nl +hostlist dont_reject_spam_hosts = *.utsp.utwente.nl # Use this domain on any unqualified addresses that get submitted. Since this # can come from any vserver, just use our main hostname. -- 2.30.2 From 9c40c7c22249da8a2db2cb3acb354a9e5c5df308 Mon Sep 17 00:00:00 2001 
From: Matthijs Kooijman Date: Sun, 29 May 2011 15:36:13 +0200 Subject: [PATCH 16/16] exim: Add the SNT MX servers to the trusted list. Inter-Actief recently switched to the SNT mailservers for their e-mail handling. --- etc/exim4/conf.d/main/main_config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config index 386d1c2..2f04f43 100644 --- a/etc/exim4/conf.d/main/main_config +++ b/etc/exim4/conf.d/main/main_config @@ -25,7 +25,7 @@ hostlist relay_from_hosts = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl # Don't reject spam from these hosts, since they are known dumb, but trusted # relays. They will only send rejects to the wrong people. -hostlist dont_reject_spam_hosts = *.utsp.utwente.nl +hostlist dont_reject_spam_hosts = *.utsp.utwente.nl : mx*.snt.utwente.nl # Use this domain on any unqualified addresses that get submitted. Since this # can come from any vserver, just use our main hostname. -- 2.30.2
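Review bot: `mx*.snt.utwente.nl` relies on a wildcard in the middle of a host-name pattern, and as far as I recall Exim treats only a leading `*` as a wildcard in host lists (`*.snt.utwente.nl`), so this item may be compared as a literal name and never match, leaving the SNT relays subject to spam rejection after all; please check with `exim -bh` using one of the real MX addresses. If only the mx hosts should qualify, a regex item such as `^mx[0-9]*\.snt\.utwente\.nl$` says so explicitly, and since this list switches rejection off it is better kept that narrow than widened to `*.snt.utwente.nl`. A short comment naming why each relay is trusted (the commit message's Inter-Actief reasoning) would also help the next person pruning this list, as patch 15 just had to do.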