Diffstat (limited to '_posts')
-rw-r--r--_posts/dns.md80
-rw-r--r--_posts/mail.md191
-rw-r--r--_posts/rfc2136.md29
3 files changed, 300 insertions, 0 deletions
diff --git a/_posts/dns.md b/_posts/dns.md
new file mode 100644
index 0000000..bbac1ac
--- /dev/null
+++ b/_posts/dns.md
@@ -0,0 +1,80 @@
+apt install bind9
+
+mkdir /etc/bind/keys
+
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.org
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.org
+in tako dalje za vse domene
+
+chown -R bind:bind /etc/bind/keys
+
+vim /etc/bind9/named.conf.options
+ options {
+ directory "/var/cache/bind";
+ check-names master warn;
+ check-names slave warn;
+ recursion yes;
+ allow-recursion { any; };
+ querylog yes;
+ allow-transfer { any; };
+ allow-query { any; };
+ dnssec-validation auto;
+ listen-on-v6 { any; };
+ };
+vim /etc/bind/named.conf.local
+ zone "sijanec.eu" {
+ type master;
+ file "/var/lib/bind/db.sijanec.eu";
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+ zone "sijanec.org" {
+ type master;
+ file "/var/lib/bind/db.sijanec.org";
+ key-directory "/etc/bind/keys";
+ auto-dnssec maintain;
+ inline-signing yes;
+ };
+ in tako dalje za vse domene
+
+če pa konfiguriramo suženjski DNS strežnik, pa v /etc/bind/named.conf.local napišemo
+ zone "sijanec.eu" {
+ type slave;
+ file "/var/lib/bind/db.sijanec.eu";
+ allow-transfer { 93.103.235.126/32; };
+ // IP naslov glavnega DNS strežnika
+ masters { 93.103.235.126; };
+ };
+ zone "sijanec.org" {
+ type slave;
+ file "/var/lib/bind/db.sijanec.org";
+ allow-transfer { 93.103.235.126/32; };
+ masters { 93.103.235.126/32; };
+ };
+ in tako dalje za vse domene
+
+na glavnem DNS strežniku v datoteko /var/lib/bind/db.sijanec.eu vpišemo DNS zone
+ $TTL 300
+ @ IN SOA ns1.sijanec.org. abuse.sijanec.eu. (
+ 10 ; serijska številka za DNS zone, povečaj za 10 ob spremembi
+ 301 ; refresh
+ 299 ; retry
+ 31556926 ; po enem letu nedelovanja NS1 sužnji pozabijo domeno
+ 30 ; TTL za NXDOMAIN, negative cache TTL
+ ) ; abuse.sijanec.eu. je poštni naslov abuse@sijanec.eu - spremeni ga
+ ; ns1.sijanec.eu. je glavni DNS strežnik za domeno - spremeni ga
+ @ IN NS ns1.sijanec.eu. ; glavni strežnik
+ @ IN NS ns2.sijanec.eu. ; DNS suženj
+ @ IN A 84.255.241.83
+ in tako dalje za dodatne zapise
+
+za vse dodatne domene, ki naj imajo isto zone datoteko, lahko samo narediš symlinke. nikakor ne sme biti "file" direktiva v named.conf.local enaka pri več različnih DNS zone deklaracijah enaka, lahko pa kaže na symlink.
+
+za vsako dodatno domeno torej:
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.org
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.net
+
+systemctl restart bind9
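Review bot: The options block at lines 35–38 enables recursion for every client (`recursion yes; allow-recursion { any; };`) and allows zone transfers from any address (`allow-transfer { any; };`), which turns an authoritative server listening on all interfaces into an open resolver and lets anyone dump the full zone contents. For servers that are only authoritative for the listed zones, `recursion no;` (or an `allow-recursion` limited to the local networks) plus an `allow-transfer` restricted to the secondary's address closes both exposures; the slave configuration at lines 64 and 71 already restricts transfers to a single host. Line 72 writes `masters { 93.103.235.126/32; };` with a prefix length while line 66 uses the bare address; the masters list takes addresses, so the `/32` form will probably be rejected by named-checkconf. The comment at line 85 names `ns1.sijanec.eu.` as the primary although the SOA at line 78 says `ns1.sijanec.org.`, so one of the two should be corrected.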
diff --git a/_posts/mail.md b/_posts/mail.md
new file mode 100644
index 0000000..b908d81
--- /dev/null
+++ b/_posts/mail.md
@@ -0,0 +1,191 @@
+apt install postfix dovecot-imapd opendkim postfix-policyd-spf-python maildrop roundcube prayer nginx postfix-mta-sts-resolver hash-slinger
+
+vim /etc/dovecot/conf.d/10-mail.conf
+ mail_location = maildir:~/Maildir
+
+vim /etc/dovecot/conf.d/10-ssl.conf
+ ssl_cert = </etc/ssl/certifikati/fullchain.pem
+ ssl_key = </etc/ssl/certifikati/privkey.pem
+
+vim /etc/postfix/header\_checks
+ /^X-Originating-IP:/ IGNORE
+ /^Received:.*ESMTPSA/ IGNORE
+
+vim /etc/postfix/command\_filter
+ /^(.*)šijanec(.*)$/ $1 xn--ijanec-9jb $2
+
+vim /etc/postfix/destinations
+ if !/seznami/
+ /ijanec/ ALLOW
+ /241/ ALLOW
+ /146/ ALLOW
+ /235/ ALLOW
+ /gimb.tk/ ALLOW
+ /xn--jha/ ALLOW
+ endif
+
+usermod -aG opendkim postfix
+mkdir /var/spool/postfix/opendkim
+chown opendkim:opendkim /var/spool/postfix/opendkim
+
+opendkim-genkey -D /etc/dkimkeys -s mail
+
+dodaj vsebino /etc/dkimkeys/mail.txt v DNS zone za domeno
+
+vim /etc/opendkim.conf
+ LogWhy yes
+ UserID opendkim:opendkim
+ Domain sijanec.eu,sijanec.org,sijanec.net,xn--ijanec-9jb.eu in tako dalje
+ Selector mail
+ KeyFile /etc/dkimkeys/mail.private
+ Socket local:/var/spool/postfix/opendkim/opendkim.sock
+
+vim /etc/postfix-policyd-spf-python/policyd-spf.conf
+ HELO_reject = False
+ Mail_From_reject = False
+
+vim /etc/postfix/main.cf
+ smtp_header_checks = regexp:/etc/postfix/header_checks
+ smtpd_tls_cert_file = /etc/ssl/certifikati/fullchain.pem
+ smtpd_tls_key_file = /etc/ssl/certifikati/privkey.pem
+ smtpd_tls_received_header = yes
+ smtpd_command_filter = pcre:/etc/postfix/command_filter
+ mydomain = sijanec.eu
+ mydestination = pcre:/etc/postfix/destinations
+ smtp_address_preference = ipv4
+ mailbox_command = /usr/bin/maildrop -d $(USER)
+ smtp_bind_address = 89.212.146.168
+ smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf
+ policyd-spf_time_limit = 3600
+ message_size_limit = 1222333444
+ milter_protocol = 2
+ milter_default_action = accept
+ smtpd_milters = unix:/opendkim/opendkim.sock
+ non_smtpd_milters = unix:/opendkim/opendkim.sock
+ smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8451:postfix
+ smtpd_sasl_type = dovecot
+ smtpd_sasl_path = private/auth
+ smtpd_sasl_auth_enable = yes
+
+vim /etc/postfix/master.cf
+ odkomentiraj: smtp, submission, smtps (ostali potrebni so že odkomentirani)
+ dodaj na konec:
+ policyd-spf unix - n n - 0 spawn
+ user=policyd-spf argv=/usr/bin/policy-spf
+
+vim /etc/dovecot/conf.d/10-master.conf
+ # ta block že obstaja v privzeti konfiguraciji
+ # https://www.postfix.org/SASL_README.html
+ service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ user = postfix
+ group = postfix
+ mode = 0660
+ }
+ }
+
+vim /etc/dovecot/conf.d/15-mailboxes.conf
+ # ti blocki že obstajajo v privzeti konfiguraciji, treba jih je samo dopolniti
+ namespace inbox {
+ mailbox Drafts {
+ special_use = \Drafts
+ auto = subscribe
+ }
+ mailbox Junk {
+ special_use = \Junk
+ auto = subscribe
+ }
+ mailbox Trash {
+ special_use = \Trash
+ auto = subscribe
+ }
+ mailbox Sent {
+ special_use = \Sent
+ auto = subscribe
+ }
+ }
+
+vim ~/.mailfilter
+ if (/.*librehosting@radiostudent\.si.*/ || /.*kiberpipa\.org.*/ || /.*lugos\.si.*/)
+ {
+ to $HOME/Maildir/.liste.lugos
+ }
+ if (/.*oss-security.*/ || /.*debian-security-announce.*/)
+ {
+ to $HOME/Maildir/.liste.oss-security
+ }
+ in tako dalje
+
+iz IMAP klienta je treba **PRED DODAJANJEM MAPE** v ~/.mailfilter izdelati mapo, v nasprotnem primeru bo maildrop naredil mbox datoteko, česar nočemo.
+
+chown $USER:$USER ~/.mailfilter
+chmod 0600 ~/.mailfilter
+
+vim /etc/maildroprc
+DEFAULT="$HOME/Maildir"
+
+tlsa --create sijanec.eu
+dodaj output v DNS domensko zono (nginx mora teči s pravilnim certifikatom!) - spremeni zapis v DNS zoni, ko spremeniš cert
+
+rndc freeze
+vim /var/lib/bind/db.sijanec.eu
+ _mta-sts IN TXT "v=STSv1; id=2"
+ mta-sts IN CNAME mail
+ @ IN MX 10 mail
+ mail IN A 89.212.146.168
+ _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-aggregate@sijanec.eu; ruf=mailto:dmarc-forensic@sijanec.eu; fo=1"
+ @ IN TXT "v=spf1 mx a ip4:89.212.146.168/32 a:mail.sijanec.eu ~all"
+ *.sijanec.eu._report._dmarc IN TXT "v=DMARC1"
+ sijanec.eu._report._dmarc IN TXT "v=DMARC1"
+ *.sijanec.org._report._dmarc IN TXT "v=DMARC1"
+ sijanec.org._report._dmarc IN TXT "v=DMARC1" ; in isto za ostale domene
+ _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:tls@sijanec.eu"
+ @ IN CAA 128 issue "letsencrypt.org"
+ @ IN CAA 128 issuewild "letsencrypt.org"
+ @ IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
+ * IN CAA 128 issue "letsencrypt.org"
+ * IN CAA 128 issuewild "letsencrypt.org"
+ * IN CAA 128 iodef "mailto:caa-violation@sijanec.eu"
+rndc thaw
+
+vim /etc/aliases
+ mailer-daemon: postmaster
+ postmaster: root
+ nobody: root
+ hostmaster: root
+ webmaster: root
+ listmaster: root
+ www: root
+ ftp: root
+ abuse: root
+ noc: root
+ security: root
+ root: a
+ anton: a
+ whois: hostmaster
+ dns: whois
+ devnull: null
+ null: |/dev/null
+ luka: anton
+ dmarc-aggregate: postmaster
+ dmrac-forensic: postmaster
+ caa-violation: hostmaster
+ tls: postmaster
+
+newaliases
+
+vim /var/www/html/.well-known/mta-sts.txt
+ version: STSv1
+ mode: testing
+ mx: mail.sijanec.eu
+ mx: mail.sijanec.org
+ mx: mail.sijanec.net
+ mx: mail.xn--ijanec-9jb.eu
+ mx: mail.xn--ijanec-9jb.org
+ mx: mail.xn--ijanec-9jb.net
+ mx: mail.xn--ijanec-9jb.si
+ mx: mail.xn--ijanec-9jb.com
+ max_age: 31557600
+ comment: karkoli
+
+systemctl restart postfix dovecot opendkim prayer nginx postfix-mta-sts-resolver bind9
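Review bot: The alias `dmrac-forensic: postmaster` at line 274 is misspelled, so forensic DMARC reports sent to the `ruf=mailto:dmarc-forensic@sijanec.eu` address published at line 239 will bounce as an unknown local recipient; it should read `dmarc-forensic: postmaster`. The DKIM key at line 134 is generated with opendkim-genkey's default size of 1024 bits; `opendkim-genkey -D /etc/dkimkeys -s mail -b 2048` gives a key matching current practice. Lines 147–148 set `HELO_reject = False` and `Mail_From_reject = False`, so SPF failures are logged but never rejected; that is consistent with the `p=none` DMARC policy at line 239 and the `mode: testing` MTA-STS policy at line 282, but a short comment stating that these are deliberate monitoring-only settings, to be tightened together once reports look clean, would stop a later reader from assuming they enforce anything.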
diff --git a/_posts/rfc2136.md b/_posts/rfc2136.md
new file mode 100644
index 0000000..d8d5190
--- /dev/null
+++ b/_posts/rfc2136.md
@@ -0,0 +1,29 @@
+# dyndns setup http://www.btteknik.net/?p=143
+ddns-confgen -s rfc2136.sijanec.eu.
+# http://www.ipamworldwide.com/ipam/update-policy.html
+vim /etc/bind/named.conf.local # here goes the update policy, change name to subdomain
+touch /etc/bind/keyfile.conf
+chmod 0660 /etc/bind/keyfile.conf
+vim /etc/bind/keyfile.conf # here goes the key
+# hook script https://blog.danman.eu/automatic-letsencrypt-wildcard-cert-renewal-with-nsupdate/
+vim /etc/letsencrypt/hook.sh
+ #!/bin/bash
+ CREATE_DOMAIN="certbot.rfc2136.sijanec.eu."
+ echo "
+ server 127.0.0.1
+ update delete $CREATE_DOMAIN TXT
+ update add $CREATE_DOMAIN 1 TXT $CERTBOT_VALIDATION
+ send
+ " | nsupdate -k /etc/bind/keyfile.conf
+ if [ $CERTBOT_REMAINING_CHALLENGES -eq 0 ]
+ then
+ echo done, reloading server and waiting 30 seconds
+ rndc reload
+ sleep 30
+ fi
+chmod +x /etc/letsencrypt/hook.sh
+# v domenske zapise vseh domen je treba dodati:
+# _acme-challenge IN CNAME certbot.rfc2136.sijanec.eu.
+certbot certonly --reuse-key --manual --register-unsafely-without-email --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/hook.sh -d sijanec.eu -d sijanec.org -d sijanec.net -d xn--ijanec-9jb.eu -d xn--ijanec-9jb.org -d xn--ijanec-9jb.net -d xn--ijanec-9jb.si -d xn--ijanec-9jb.com -d *.sijanec.eu -d *.sijanec.org -d *.sijanec.net -d *.xn--ijanec-9jb.eu -d *.xn--ijanec-9jb.org -d *.xn--ijanec-9jb.net -d *.xn--ijanec-9jb.si -d *.xn--ijanec-9jb.com -d gimb.tk -d *.gimb.tk -d xn--jha.ga -d *.xn--jha.ga
+# more interesting info:
+# https://certbot-dns-rfc2136.readthedocs.io/en/stable/ (per-domain setup required, no CNAMEs)
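Review bot: Line 306 applies `chmod 0660 /etc/bind/keyfile.conf` to a file created by root at line 305 without changing its group, so if the key is included from named.conf.local as lines 304 and 307 suggest, named running as bind cannot read it, and once it is readable 0660 also grants group write that nothing needs; `chown root:bind /etc/bind/keyfile.conf` followed by `chmod 0640 /etc/bind/keyfile.conf` is the usual arrangement. In hook.sh the test at line 318 expands `$CERTBOT_REMAINING_CHALLENGES` unquoted, which becomes a syntax error if certbot does not export the variable; `if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]` is safer. Since the TSIG key is shared by every domain through the `_acme-challenge` CNAME at line 326, a comment next to line 304 stating that the update-policy should grant the key rights only for the `certbot.rfc2136.sijanec.eu.` name would document the intended blast radius; the policy itself lives outside this file.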