26 Jul 2015
A mail server where your mail program can't receive your mails is a
bit lame. So this last post describes how you can set up Dovecot to
serve your mails over IMAP.
The first step, as usual, is to install it.
pkg install dovecot2
echo 'dovecot_enable="YES"' >> /etc/rc.conf
I personally use a really simple IMAP configuration. If you need more, let's say something like
POP3 support, you should definitely check out the Dovecot documentation, because
Dovecot can do almost everything.
But for a simple IMAP server it's just these few lines in your config (/usr/local/etc/dovecot/dovecot.conf).
protocols = imap
ssl = required
ssl_key = </usr/local/openssl/private/mail.domain.tdl.key
ssl_cert = </usr/local/openssl/certs/mail.domain.tdl.crt
mail_location = maildir:~/mbox
listen = *
userdb {
  driver = passwd
  args = blocking=no
}
passdb {
  driver = pam
  args =
}
Hint: I use the same SSL certificate and key here as for the OpenSMTPD config.
With the configuration file in place we can start the service (service dovecot start) and test it.
For testing I used openssl, like this:
openssl s_client -connect mail.domain.tdl:993
It should print a lot of information about your certificate, and you should be able to log in with:
a1 LOGIN yourunixusername yourunixpasswordincleartext
Which should return something like this:
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ ... LIST-STATUS BINARY MOVE] Logged in
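Before starting the service it is worth checking that the config really does what the lines above intend: TLS required, only IMAP served, and the key file named with the "<file" syntax present and readable only by its owner (the same point as the chmod step in the OpenSMTPD post, since both daemons use the same key). The following is an added example and not part of the original post; the function names and the list of checks are my own, and the config it reads is assumed to use the "key = value" layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a dovecot.conf like
# the one above before starting the service. Function names and the check
# list are this example's own; the config is assumed to use "key = value"
# lines as in the post.

# conf_value FILE KEY -> value of the first "KEY = value" line, blanks trimmed
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# file_path VALUE -> the path behind Dovecot's "<file" syntax (the file is read at startup)
file_path() {
    printf '%s\n' "${1#<}"
}

# dovecot_conf_check FILE -> 0 when every check passes, 1 otherwise; findings on stdout
dovecot_conf_check() {
    conf=$1; rc=0
    ssl=$(conf_value "$conf" ssl)
    if [ "$ssl" != "required" ]; then
        echo "FAIL: ssl = '$ssl' (expected required, so logins never travel in the clear)"; rc=1
    fi
    protos=$(conf_value "$conf" protocols)
    if [ "$protos" != "imap" ]; then
        echo "FAIL: protocols = '$protos' (expected imap only)"; rc=1
    fi
    for key in ssl_key ssl_cert; do
        path=$(file_path "$(conf_value "$conf" "$key")")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "FAIL: $key does not name an existing file ('$path')"; rc=1
        fi
    done
    keyfile=$(file_path "$(conf_value "$conf" ssl_key)")
    if [ -f "$keyfile" ]; then
        # characters 5-10 of "ls -l" output are the group and other permission bits
        mode=$(ls -l "$keyfile" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL: $keyfile is readable beyond its owner (group/other bits: $mode)"; rc=1
        fi
    fi
    [ $rc -eq 0 ] && echo "OK: $conf passes all checks"
    return $rc
}

# usage: dovecot_conf_check /usr/local/etc/dovecot/dovecot.conf
```

A config with ssl = yes (TLS offered but not enforced) or a key left at mode 644 after copying it into place is reported with a FAIL line, which is what you want to see before the first client connects rather than after.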
This is the last part of a three part series:
26 Jul 2015
DKIM is a technology to validate your emails and protect you against spoofing of them.
This is achieved by putting a public key in the DNS records and signing all outgoing mails
with the private key, so everyone can validate whether you are authorised to send these mails.
To use this with OpenSMTPD we use dkimproxy, which we need to install first.
pkg install dkimproxy
echo 'dkimproxy_out_enable="YES"' >> /etc/rc.conf
And of course we need to configure it:
$ cat /usr/local/etc/dkimproxy_out.conf
# specify what address/port DKIMproxy should listen on
listen 10.0.0.10:10027
# specify what address/port DKIMproxy forwards mail to
relay 10.0.0.10:10028
# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain domain.tdl
# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
# specify location of the private key
keyfile /usr/local/openssl/private/dkim.key
# specify the selector (i.e. the name of the key record put in DNS)
selector dkimselector
The important bits here are the listen and relay ip:port combinations. For
most setups you can use 127.0.0.1, since the DKIM proxy only needs to be
reachable by your OpenSMTPD server. Of course you need to replace domain.tdl
with your domain, but the rest you can more or less just copy.
As you can see there is a key file, which we now need to create.
The public key part of this key goes in our DNS.
openssl genrsa -out /usr/local/openssl/private/dkim.key 1024
openssl rsa -in /usr/local/openssl/private/dkim.key -pubout -out dkim_public.key
And this public key we can now put in our DNS; it should look something like this:
dkimselector._domainkey IN TXT "k=rsa; t=s; p=MIGfMA0GCSqGS...CMaVI02QIDAQAB"

Here MIGfMA0GCSqGS...CMaVI02QIDAQAB is your public key without the -----BEGIN PUBLIC KEY-----
and -----END PUBLIC KEY----- lines, on one line. An easy way to print your public key without newlines
is this: cat dkim_public.key | tr -d '\n'.
That's everything we need to configure on the DKIMproxy side. We can start the service with
service dkimproxy_out start.
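The record assembly above (strip the PEM markers, join the base64 on one line, prefix the tags) is easy to get wrong by hand, and it has one edge case the post's 1024-bit key does not hit: a DNS TXT string holds at most 255 characters, so a 2048-bit key must be written as several quoted strings that resolvers concatenate. The following is an added example, not the post's own command; it goes beyond the post by handling that split, and the function names are my own. It only does text processing, so it works on any "openssl rsa -pubout" output.

```shell
#!/bin/sh
# Added example, not from the original post: build the dkimselector._domainkey
# TXT record from the PEM public key written by "openssl rsa -pubout".
# Function names are this example's own. Record data longer than 255
# characters is split into consecutive quoted strings, as DNS requires.

# pem_body FILE -> the base64 payload of a PEM file on one line, markers removed
pem_body() {
    grep -v -- '-----' "$1" | tr -d '\n\r '
}

# dkim_txt_record SELECTOR PEMFILE -> one zone-file line for the selector,
# using the same k=rsa; t=s; p=... tags as the record in the post
dkim_txt_record() {
    sel=$1
    b64=$(pem_body "$2")
    [ -n "$b64" ] || { echo "no key data in $2" >&2; return 1; }
    data="k=rsa; t=s; p=$b64"
    out=""
    # emit the record data as quoted strings of at most 255 characters each
    while [ -n "$data" ]; do
        chunk=$(printf '%s' "$data" | cut -c1-255)
        data=$(printf '%s' "$data" | cut -c256-)
        out="$out\"$chunk\" "
    done
    printf '%s._domainkey IN TXT %s\n' "$sel" "${out% }"
}

# usage: dkim_txt_record dkimselector dkim_public.key
```

For the 1024-bit key from the post the output is a single quoted string exactly like the record shown above; for a larger key you get two or more strings on the same line, which BIND and most hosted DNS editors accept as one TXT record.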
Update OpenSMTPD configuration
We have a running DKIM proxy but it's useless if we don't route our mails through it.
To achieve this we update our smtpd config (/usr/local/etc/mail/smtpd.conf).
In a first step we add a new listen directive. The port here, 10028, should match
the one you configured for relay in the dkimproxy configuration.
listen on lo1 port 10028 tag DKIM_OUT
And we need to replace
accept from local for any relay
with
accept tagged DKIM_OUT for any relay
accept from local for any relay via "smtp://10.0.0.10:10027"
After an OpenSMTPD restart (service smtpd restart) it should add a valid DKIM signature to all outgoing mails.
This is the second part of a three part series:
26 Jul 2015
This is mostly my personal mail server documentation, a bit polished, in three blog posts.
DNS setup
Set an MX record to a subdomain like mail.domain.tdl, and then
mail.domain.tdl points to your IP. Don't forget to increase the TTL of these records once
everything works. Why?
I set my TTL to 259200 sec, which is 3 days.
Make sure your reverse DNS matches the hostname of your mail server!
And you should probably set a Sender Policy Framework (SPF) record:
domain.tdl. IN TXT "v=spf1 mx mx:domain.tdl -all"
Create users
Now we need a user; replace $USERNAME with the account name. If your email address should be
hi@domain.tdl, your account name is hi.
pw user add $USERNAME -m -s /sbin/nologin -c "mail user ($USERNAME)" # create user account
passwd $USERNAME # change password
mkdir /home/$USERNAME/mbox # create mail directory
chown -R $USERNAME:$USERNAME /home/$USERNAME/mbox # own the directory to the right user
If you need to create a few accounts, maybe use this script,
which you can just run with the user name as parameter.
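The four commands above are exactly what such a script has to run; the part that is easy to forget is validating the account name, since it ends up in pw, passwd and a chown. The following is an added example and not the post's own script: it takes the address, derives the account name from the local part, refuses anything that is not a plain lowercase token (so a name can never be mistaken for an option or a shell word), and with DRY_RUN=1 prints the commands instead of running them. The function names and the DRY_RUN convention are my own.

```shell
#!/bin/sh
# Added example, not the script the post refers to: create one mail account
# from its address, following the steps above (pw user add with a nologin
# shell, set a password, create ~/mbox owned by the user). Function names
# and the DRY_RUN convention are this example's own.

# local_part ADDRESS -> account name; fails unless it is [a-z0-9._-]+
# and starts with a letter or digit (so it can never look like an option)
local_part() {
    name=${1%@*}
    case $name in
        ''|*@*|*[!a-z0-9._-]*|[!a-z0-9]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# run CMD... -> prints the command under DRY_RUN=1, otherwise executes it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_mail_user ADDRESS -> 0 on success (or a clean dry run), 1 on refusal
create_mail_user() {
    user=$(local_part "$1") || { echo "refusing '$1': local part is not a safe account name" >&2; return 1; }
    if id "$user" >/dev/null 2>&1; then
        echo "refusing '$1': user $user already exists" >&2; return 1
    fi
    run pw user add "$user" -m -s /sbin/nologin -c "mail user ($user)" || return 1
    run passwd "$user" || return 1
    run mkdir -p "/home/$user/mbox" || return 1
    run chown -R "$user:$user" "/home/$user/mbox"
}

# usage: create_mail_user hi@domain.tdl    (DRY_RUN=1 to preview the commands)
```

The existence check matters as much as the character check: pw would refuse to add root again anyway, but catching it before passwd runs keeps the script from prompting for a new root password on a typo.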
Install OpenSMTPD
Before we can install OpenSMTPD we need to stop and remove sendmail.
So first we stop it with:
Then we can edit /etc/rc.conf and add these lines, to make sure sendmail is not started automatically after a reboot.
Now we can install OpenSMTPD, which is really easy, it's just:
and add to /etc/rc.conf
and you're done. Well, almost: we need to create the SSL certificates and configure OpenSMTPD.
Create your SSL certs
As the first step we symlink the certificate root to the global certificate root location,
if it's not already done.
ln -s /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem
At this point we can create our certificates.
openssl genrsa -out /usr/local/openssl/private/mail.domain.tdl.key 4096
openssl req -new -x509 -key /usr/local/openssl/private/mail.domain.tdl.key -out /usr/local/openssl/certs/mail.domain.tdl.crt -days 1440
Country Name (2 letter code) [AU]: NL
State or Province Name (full name) [Some-State]:Amsterdam
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:l33tsource Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mail.domain.tdl
Email Address []:admin@domain.tdl
This key and certificate should only be accessible to the root user,
so we restrict them with chmod.
chmod 500 /usr/local/openssl/private/mail.domain.tdl.key
chmod 500 /usr/local/openssl/certs/mail.domain.tdl.crt
OpenSMTPD configuration
With the SSL certificate in place we can edit the smtpd config (/usr/local/etc/mail/smtpd.conf).
pki mail.domain.tdl key "/usr/local/openssl/private/mail.domain.tdl.key"
pki mail.domain.tdl certificate "/usr/local/openssl/certs/mail.domain.tdl.crt"
listen on lo1 port 25 hostname mail.domain.tdl tls pki mail.domain.tdl
listen on lo1 port 587 hostname mail.domain.tdl tls-require pki mail.domain.tdl auth mask-source
table aliases file:/etc/mail/aliases
accept from any for domain "domain.tdl" alias <aliases> deliver to maildir "~/mbox"
accept from local for any relay
This is it. Really simple and short. What this does is listen on ports 25 and 587
on the lo1 interface (this should obviously match your interface)
and accept encrypted connections. The key and certificate locations are configured
with the pki keyword, and messages are delivered to the home directory of the user
in a folder called mbox.
Now we can start the smtpd service and test it with telnet.
telnet servername 25
EHLO mail.domain.tdl
MAIL FROM:<FROM@domain.tdl>
RCPT TO:<TO@domain.tdl>
DATA
Subject: Testmessage
(blank line)
This is a test.
(blank line)
.
QUIT
If it says something like 250 2.0.0: 5x549x2a Message accepted for delivery, congratulations, your SMTP works.
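If you save the telnet session (for instance with script(1)) you can check it mechanically rather than reading the codes off the screen. The following is an added example, not part of the post: it pulls the server reply codes out of a transcript and compares them with the sequence the exchange above should produce (220 greeting, 250 for EHLO, MAIL and RCPT, 354 for DATA, 250 for the end of data, 221 for QUIT). EHLO answers span several lines with "250-" continuations and only the final "250 " line counts, which the parser handles. The expected sequence, the function names and the sample transcript are my own; the sample is constructed in the shape of the session shown above.

```shell
#!/bin/sh
# Added example, not from the original post: check a saved transcript of the
# telnet test above so that every server reply carries the code that step
# needs. Names, the expected sequence and the sample transcript are this
# example's own.

# smtp_reply_codes FILE -> codes of the final reply lines, one per line;
# "250-" continuation lines are skipped, CR line endings are tolerated.
# Caveat: a message body line that starts with "NNN " would be taken for a
# reply, so keep the test message body free of such lines.
smtp_reply_codes() {
    awk '{ sub(/\r$/, "") } /^[0-9][0-9][0-9]( |$)/ { print substr($0, 1, 3) }' "$1"
}

# smtp_session_check FILE -> 0 when the replies match greeting, EHLO, MAIL,
# RCPT, DATA, end-of-data and QUIT; otherwise prints the first failing step
# and returns 1
smtp_session_check() {
    set -- $(smtp_reply_codes "$1")
    for pair in greeting:220 EHLO:250 MAIL:250 RCPT:250 DATA:354 end-of-data:250 QUIT:221; do
        step=${pair%:*}; want=${pair#*:}
        if [ $# -eq 0 ]; then
            echo "FAIL: no reply for $step (expected $want)"; return 1
        fi
        if [ "$1" != "$want" ]; then
            echo "FAIL: $step reply was $1, expected $want"; return 1
        fi
        shift
    done
    echo "OK: session complete, message accepted for delivery"
}

# constructed sample transcript in the shape of the telnet test above
sample_transcript() {
    cat <<'EOF'
Trying 10.0.0.10...
Connected to servername.
Escape character is '^]'.
220 mail.domain.tdl ESMTP OpenSMTPD
EHLO mail.domain.tdl
250-mail.domain.tdl Hello mail.domain.tdl [10.0.0.10], pleased to meet you
250-8BITMIME
250-SIZE 36700160
250 HELP
MAIL FROM:<from@domain.tdl>
250 2.0.0: Ok
RCPT TO:<to@domain.tdl>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Testmessage

This is a test.

.
250 2.0.0: 5x549x2a Message accepted for delivery
QUIT
221 2.0.0: Bye
EOF
}

# stand-alone run: check the constructed sample
demo=$(mktemp)
sample_transcript > "$demo"
smtp_session_check "$demo"
rm -f "$demo"
```

A rejected recipient shows up as "FAIL: RCPT reply was 550, expected 250", and a server that drops the connection after EHLO shows up as a missing MAIL reply, which is usually faster to act on than reading the raw codes.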
This is the first part of a three part series:
17 Jul 2015
I got a GPG encrypted mail, which should be a good thing, since encryption and all that.
But every time I use GPG something does not work, and every time the error messages are useless.
So the moral of this blog post is: if you are a developer, write meaningful error messages.
A short overview of my setup: I have a Fedora 22 with gpg2, and my default mail client is Thunderbird.
To use Thunderbird with GPG I use the Enigmail plugin, which, if it's working,
is an okayish way to read and write encrypted mails.
What was my problem? Well, if you read the error messages, I guess something like: you haven't imported your
private key yet.
gpg: decryption failed: No secret key
Error - no matching private/secret key found to decrypt message
So I checked that with gpg -K and I see my key; I even extracted the encrypted part from the mail and
decrypted it on the command line without a problem. Thanks to the Internet I was able to find other people
with the same problem.
And one of these posts gave me the right idea: by default there is no pinentry program installed. After I installed one
with sudo dnf install pinentry-qt4 and restarted my Thunderbird, it can magically encrypt the message.
05 Jun 2015
You might or might not remember how I publish this blog with Github, but I wrote a post about this.
Since I migrated my hosting to a VPS I changed a few things.
The important bit that changed is the way things get logged. Now I use tee, which has the side effect that
the output goes to my logfiles and gets printed to stdout, which you can then see on your php update page (this helps to debug the build process).
The other thing that changed is that on FreeBSD jekyll is installed in /usr/local/bin, which is not in the default path. This
resulted in a blog which got no updates, because the jekyll binary was missing. That's why I added /usr/local/bin to the path, to fix this.
$ cat update.php
<?php
// run the update script and show its output on the page
$output = shell_exec('./update.sh');
// escape the output so that git and jekyll messages cannot inject HTML into the page
echo "<pre>" . htmlspecialchars((string) $output) . "</pre>";
?>
$ cat update.sh
#!/bin/sh
export PATH=$PATH:/usr/local/bin
#the logfile, one per run
datestr=$(date +%Y%m%d_%H%M%S)
LOGFILE=/usr/local/www/update_log/log_$datestr
#cd to your git repo; stop if that fails rather than building in the wrong directory
cd /usr/local/www/blog_git_src || exit 1
#update ALL TEH SOURCE (stderr included, so errors end up in the log too)
echo git | tee -a "$LOGFILE"
git version | tee -a "$LOGFILE"
git pull origin master 2>&1 | tee -a "$LOGFILE"
#build page
echo jekyll | tee -a "$LOGFILE"
jekyll build -d /usr/local/www/blog 2>&1 | tee -a "$LOGFILE"
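One thing the tee pipelines above hide: in /bin/sh a pipeline's exit status is that of its last command, so "git pull ... | tee" reports tee's success even when the pull failed, and the jekyll build runs against stale sources while the update page shows no error. The following is an added example, not the post's own script, that keeps the tee-style logging (log file plus stdout for update.php) while returning the wrapped command's own status; it does so with a small status file, which works in plain sh without bash's pipefail. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: log a command's output the way
# update.sh does (tee to a log file and to stdout) but keep the command's
# exit status instead of tee's. Function names are this example's own.

# run_logged LOGFILE CMD [ARGS...] -> runs CMD, logs its output, returns CMD's status
run_logged() {
    log=$1; shift
    status=$(mktemp) || return 1
    # the command's status is written to the status file from inside the
    # pipeline, because $? after the pipeline would only be tee's status
    { "$@" 2>&1; echo $? >"$status"; } | tee -a "$log"
    rc=$(cat "$status")
    rm -f "$status"
    return "$rc"
}

# update_site LOGFILE REPO OUTDIR -> the steps of update.sh, stopping at the
# first failure so a failed pull never produces a build from stale sources
update_site() {
    log=$1; repo=$2; out=$3
    cd "$repo" || return 1
    run_logged "$log" git pull origin master || { echo "git pull failed, not building" | tee -a "$log"; return 1; }
    run_logged "$log" jekyll build -d "$out"
}

# usage: update_site /usr/local/www/update_log/log_$(date +%Y%m%d_%H%M%S) \
#                    /usr/local/www/blog_git_src /usr/local/www/blog
```

Because the failure now propagates, update.php can also test the script's exit status and show a visible error instead of a normal-looking log.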