commit eaa66d6d5e6e01e04ff2da6fda7d8f31a61a115d
Author: Root
Date: Tue Feb 23 22:05:00 2016 -0500
Add initial configuration and instructions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5971bac
--- /dev/null
+++ b/README.md
@@ -0,0 +1,51 @@
+# Base Config
+
+Note: The Mail Server requires SSL certificates
+
+## Web Server
+
+### Package Requirements (FIXME: other php packages)
+
+nginx, php, php-fpm, mariadb, bower, gulp, letsencrypt
+
+### Folders (FIXME: add php folder and configs)
+
+nginx, php, systemd
+
+### Setup Instructions (FIXME: add mysql setup instructions)
+
+1. Install the packages in the `Package Requirements` above
+2. Copy the folders above that aren't already configured to their equivalent location in `/etc`
+3. In `/etc/nginx/sites-available/REPLACEME.TLD.conf` and `/etc/systemd/system/letsencrypt.service`, replace instances of `REPLACEME.TLD` with the FQDN
+4. Rename `/etc/nginx/sites-available/REPLACEME.TLD.conf` so that `REPLACEME.TLD` is replaced with the FQDN
+5. Add your site files to `/srv/http/REPLACEME.TLD` where public assets are located in `/srv/http/REPLACEME.TLD/public` (replacing `REPLACEME.TLD` with the FQDN)
+6. Create a symlink from `/etc/nginx/sites-available/REPLACEME.tld.conf` to `/etc/nginx/sites-enabled/REPLACEME.tld.conf` (replacing `REPLACEME.TLD` with the FQDN)
+7. Run `systemctl start php-fpm nginx` to start the web services and `systemctl status php-fpm` and `systemctl status nginx` to check for errors
+8. If there were no errors in the previous command, run `systemctl enable postfix dovecot` to enable the web services at boot
+9. Ensure the public web directory exists and run `systemctl start letsencrypt` to generate the SSL certificates
+10. Run `systemctl enable letsencrypt.timer` to enable the auto-renewal process
+
+## Mail Server
+
+### Package Requirements
+
+dovecot, postfix, procmail
+
+### Folders
+
+dovecot, pam.d, postfix, procmailrc, skel, systemd
+
+### Setup Instructions
+
+1. Install the packages in the `Package Requirements` above
+2. Copy the folders above that aren't already configured to their equivalent location in `/etc`
+3. 
In `/etc/dovecot/dovecot.conf` and `/etc/postfix/main.cf`, replace instances of `REPLACEME.TLD` with the FQDN
+4. In `/etc/postfix/aliases`, replace the instance of `REPLACEME` with the user that should receive domain-level emails
+5. Run `newaliases` to update the aliases database with the contents of `/etc/postfix/aliases`
+6. Run `systemctl start postfix dovecot` to start the mail services and `systemctl status postfix` and `systemctl status dovecot` to check for errors
+7. If there were no errors in the previous command, run `systemctl enable postfix dovecot` to enable the mail services at boot
+
+### Add Accounts
+
+1. Create an account by running `useradd -m -d /home/REPLACEME -s /bin/bash REPLACEME` (replacing `REPLACEME` with the username associated with the mail account)
+2. Set the password by running `passwd REPLACEME` (replacing `REPLACEME` with the username associated with the mail account)
diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf
new file mode 100644
index 0000000..ebae8f4
--- /dev/null
+++ b/dovecot/dovecot.conf
@@ -0,0 +1,48 @@
+protocols = imap pop3
+listen = *
+base_dir = /var/run/dovecot/
+auth_mechanisms = plain login
+log_path = syslog
+log_timestamp = "%b %d %H:%M:%S "
+mail_location = maildir:~/Mail
+default_login_user = dovenull
+default_internal_user = dovecot
+
+disable_plaintext_auth = yes
+ssl = required
+ssl_cert = >>>>>>>>> The program "newaliases" must be run after
+# >> NOTE >> this file is updated for any changes to
+# >>>>>>>>>> show through to Postfix.
+#
+
+# Person who should get root's mail. Don't receive mail as root!
+root: REPLACEME
+
+# Basic system aliases -- these MUST be present
+MAILER-DAEMON: postmaster
+postmaster: root
+
+# General redirections for pseudo accounts
+bin: root
+daemon: root
+named: root
+nobody: root
+uucp: root
+www: root
+ftp-bugs: root
+postfix: root
+
+# Put your local aliases here.
+
+# Well-known aliases
+manager: root
+dumper: root
+operator: root
+abuse: postmaster
+
+# trap decode to catch security attacks
+decode: root
diff --git a/postfix/main.cf b/postfix/main.cf
new file mode 100644
index 0000000..5591d86
--- /dev/null
+++ b/postfix/main.cf
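Review bot: The dovecot.conf hunk is truncated in this view — the `ssl_cert = ` value runs straight into the postfix/aliases file header, so everything after it (ssl_key, any `service auth` block) cannot be reviewed; in particular the `unix_listener /var/spool/postfix/private/auth` that main.cf's `smtpd_sasl_path` relies on should be confirmed to be present in the real file. Of what is visible, `ssl = required` plus `disable_plaintext_auth = yes` is the right combination for an internet-facing listener (`listen = *`), but no TLS protocol floor is set while main.cf explicitly excludes SSLv2/SSLv3; for consistency add `ssl_protocols = !SSLv2 !SSLv3` next to `ssl = required` (Dovecot 2.2 syntax; `ssl_min_protocol = TLSv1.2` on 2.3+), unless the installed version's default already does so. `auth_mechanisms = plain login` is acceptable only because plaintext auth is refused outside TLS, which a comment on that line should say.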
@@ -0,0 +1,43 @@
+myhostname = mail.REPLACEME.TLD
+compatibility_level = 2
+mail_owner = postfix
+setgid_group = postdrop
+myorigin = $mydomain
+inet_interfaces = all
+inet_protocols = ipv4
+mydestination = localhost, $mydomain, $myhostname
+relay_domains = $mydestination
+unknown_local_recipient_reject_code = 450
+mynetworks_style = host
+alias_database = $alias_maps
+home_mailbox = Mail/
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+alias_maps = hash:/etc/postfix/aliases
+queue_directory = /var/spool/postfix
+command_directory = /usr/bin
+daemon_directory = /usr/lib/postfix/bin
+data_directory = /var/lib/postfix
+manpage_directory = /usr/share/man
+readme_directory = /usr/share/doc/postfix
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+sendmail_path = /usr/bin/sendmail
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+mailbox_command = /usr/bin/procmail
+html_directory = no
+
+smtpd_tls_loglevel = 1
+smtpd_use_tls = yes
+smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_ciphers = high
+smtpd_tls_cert_file = /etc/letsencrypt/live/$mydomain/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/$mydomain/privkey.pem
+smtpd_tls_security_level = encrypt
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = /var/spool/postfix/private/auth
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain = $myhostname
+smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
+smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks
diff --git a/postfix/master.cf b/postfix/master.cf
new file mode 100644
index 0000000..8102838
--- /dev/null
+++ b/postfix/master.cf
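Review bot: `smtpd_tls_security_level = encrypt` is set globally, and master.cf in this same commit gives the port-25 and 587 listeners no `-o` overrides, so the public MX will refuse any sending MTA that does not offer STARTTLS — for an inbound server that is a mail-loss setting, not a hardening. Use `smtpd_tls_security_level = may` here and move `encrypt` (together with `smtpd_sasl_auth_enable = yes`) onto the submission service in master.cf so SASL is not offered on port 25 at all. Note also that under mandatory TLS Postfix consults `smtpd_tls_mandatory_protocols` and `smtpd_tls_mandatory_ciphers`, so the `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtpd_tls_ciphers = high` lines as written do not govern the `encrypt` sessions; if `encrypt` is kept anywhere, set `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` and `smtpd_tls_mandatory_ciphers = high` alongside them (`smtpd_use_tls = yes` is redundant once a security level is set and can go). Separately, `smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks` lets any authenticated account put any envelope sender on outgoing mail; `reject_sender_login_mismatch` with an `smtpd_sender_login_maps` table would tie sender to login — flagged for follow-up, not required for this commit.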
@@ -0,0 +1,30 @@
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+587 inet n - n - - smtpd
+
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
diff --git a/procmailrc b/procmailrc
new file mode 100644
index 0000000..8030840
--- /dev/null
+++ b/procmailrc
@@ -0,0 +1,15 @@
+VERBOSE=off
+PMDIR=$HOME/Mail/.procmail
+MAILDIR=$HOME/Mail/
+INBOX=$MAILDIR
+LOGFILE=$PMDIR/log
+DROPPRIVS=yes
+
+################ aliases ################
+#:0
+#* ^TO.*your_login_name@your.domain.*
+#! your_logname@other.domain
+
+# Add everything to the inbox
+:0
+$INBOX
diff --git a/skel/.bash_logout b/skel/.bash_logout
new file mode 100644
index 0000000..0e4e4f1
--- /dev/null
+++ b/skel/.bash_logout
@@ -0,0 +1,3 @@
+#
+# ~/.bash_logout
+#
diff --git a/skel/.bash_profile b/skel/.bash_profile
new file mode 100644
index 0000000..5545f00
--- /dev/null
+++ b/skel/.bash_profile
@@ -0,0 +1,5 @@
+#
+# ~/.bash_profile
+#
+
+[[ -f ~/.bashrc ]] && . ~/.bashrc
diff --git a/skel/.bashrc b/skel/.bashrc
new file mode 100644
index 0000000..1c9aadc
--- /dev/null
+++ b/skel/.bashrc
@@ -0,0 +1,3 @@
+#
+# ~/.bashrc
+#
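Review bot: The `587 inet n - n - - smtpd` entry is a bare copy of the port-25 line with no `-o` overrides, so submission and the MX behave identically and whatever TLS/SASL policy main.cf sets (currently `encrypt` plus SASL for everything) is imposed on inbound MTA traffic too. Give the submission service its own policy so port 25 can run opportunistic TLS without SASL while 587 requires both; naming it `submission` (which resolves to 587 via /etc/services) is the conventional spelling, and `-o syslog_name=postfix/submission` keeps its logs separable. Proposed replacement for that single line, continuation lines indented as master.cf requires:
```conf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# ... unchanged: pickup, cleanup, qmgr and the remaining unix services ...
```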
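Review bot: `LOGFILE=$PMDIR/log` points into `$HOME/Mail/.procmail`, but nothing in this commit creates that directory: the `skel/` files added here are only `.bash_logout`, `.bash_profile` and `.bashrc`, so the README's `useradd -m` produces a home without it. Either add a placeholder such as `skel/Mail/.procmail/.keep` so the directory is copied into new homes, or point the log somewhere that always exists, e.g. `LOGFILE=$HOME/.procmail.log`; how procmail behaves when the log file cannot be opened should be checked rather than assumed. Since the only rule is the catch-all `:0` / `$INBOX`, main.cf's `mailbox_command = /usr/bin/procmail` currently adds nothing over the `home_mailbox = Mail/` that is also set there — if procmail is kept as a hook for later filtering, a one-line comment at the top of this file saying so would spare the next reader the question.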
diff --git a/systemd/system/letsencrypt.service b/systemd/system/letsencrypt.service
new file mode 100644
index 0000000..396f50c
--- /dev/null
+++ b/systemd/system/letsencrypt.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Letsencrypt manual renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email nickogris@gmail.com --webroot -w /srv/http/REPLACEME.TLD/public -d REPLACEME.TLD,mail.REPLACEME.tld
diff --git a/systemd/system/letsencrypt.timer b/systemd/system/letsencrypt.timer
new file mode 100644
index 0000000..27b9d17
--- /dev/null
+++ b/systemd/system/letsencrypt.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Monthly renewal on letsencrypt's certificates
+
+[Timer]
+OnCalendar=monthly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
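Review bot: `ExecStart` hard-codes a personal address, `--email nickogris@gmail.com`, while every other deployment-specific value in this commit is a `REPLACEME` placeholder; the README's step 3 only tells the operator to replace `REPLACEME.TLD` in this unit, so expiry notices and ACME account ownership for every deployment built from this template go to the author. Make it `--email REPLACEME@REPLACEME.TLD` and add it to the README's replace list. The `-d REPLACEME.TLD,mail.REPLACEME.tld` argument also mixes `.TLD` and `.tld`, so a case-sensitive search-and-replace of `REPLACEME.TLD` as instructed leaves the mail hostname unreplaced — spell both the same. Finally, as far as this unit shows nothing reloads the daemons after renewal, so nginx and dovecot will presumably keep serving the previous certificate until restarted; an `ExecStartPost=/usr/bin/systemctl reload nginx dovecot postfix` (or a `--post-hook` on the letsencrypt call) should follow the renewal.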