From 5bfe45cee11ea0547ad4304eccb56eca9e778875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?= <anton@sijanec.eu>
Date: Tue, 2 Aug 2022 20:19:30 +0200
Subject: popravil desc, osnutki za dns, mail in rfc2136

---
 _config.yml       |   2 +-
 _posts/dns.md     |  80 +++++++++++++++++++++++
 _posts/mail.md    | 191 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 _posts/rfc2136.md |  29 +++++++++
 o.md              |  27 ++------
 5 files changed, 305 insertions(+), 24 deletions(-)
 create mode 100644 _posts/dns.md
 create mode 100644 _posts/mail.md
 create mode 100644 _posts/rfc2136.md

diff --git a/_config.yml b/_config.yml
index 0299d60..1001884 100644
--- a/_config.yml
+++ b/_config.yml
@@ -6,7 +6,7 @@ short_datetime_format: "%d. %m. %Y ob %H:%M:%S"
 baseurl: ""
 timezone: Europe/Ljubljana
 tagline: Osebno spletišče Antona Luke Šijanca
-description: Spletna stran in blog Antona Luke Šijanca, sedemnajstletnega dijaka Gimnazije Bežigrad v Ljubljani, ki ga zanimajo razne računalniške teme.
+description: Spletna stran in blog Antona Luke Šijanca, dijaka Gimnazije Bežigrad v Ljubljani, ki ga zanimajo razne računalniške teme.
 url: "https://sijanec.eu"
 locale: sl_SI
 author: Anton Luka Šijanec
diff --git a/_posts/dns.md b/_posts/dns.md
new file mode 100644
index 0000000..bbac1ac
--- /dev/null
+++ b/_posts/dns.md
@@ -0,0 +1,80 @@
+apt install bind9
+
+mkdir /etc/bind/keys
+
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.eu
+dnssec-keygen -K /etc/bind/keys -f KSK -a ECDSAP256SHA256 -n ZONE sijanec.org
+dnssec-keygen -a ECDSAP256SHA256 -n ZONE sijanec.org
+in tako dalje za vse domene
+
+chown -R bind:bind /etc/bind/keys
+
+vim /etc/bind9/named.conf.options
+	options {
+		directory "/var/cache/bind";
+		check-names master warn;
+		check-names slave warn;
+		recursion yes;
+		allow-recursion { any; };
+		querylog yes;
+		allow-transfer { any; };
+		allow-query { any; };
+		dnssec-validation auto;
+		listen-on-v6 { any; };
+	};
+vim /etc/bind/named.conf.local
+	zone "sijanec.eu" {
+		type master;
+		file "/var/lib/bind/db.sijanec.eu";
+		key-directory "/etc/bind/keys";
+		auto-dnssec maintain;
+		inline-signing yes;
+	};
+	zone "sijanec.org" {
+		type master;
+		file "/var/lib/bind/db.sijanec.org";
+		key-directory "/etc/bind/keys";
+		auto-dnssec maintain;
+		inline-signing yes;
+	};
+	in tako dalje za vse domene
+
+če pa konfiguriramo suženjski DNS strežnik, pa v /etc/bind/named.conf.local napišemo
+	zone "sijanec.eu" {
+		type slave;
+		file "/var/lib/bind/db.sijanec.eu";
+		allow-transfer { 93.103.235.126/32; };
+		// IP naslov glavnega DNS strežnika
+		masters { 93.103.235.126; };
+	};
+	zone "sijanec.org" {
+		type slave;
+		file "/var/lib/bind/db.sijanec.org";
+		allow-transfer { 93.103.235.126/32; };
+		masters { 93.103.235.126/32; };
+	};
+	in tako dalje za vse domene
+
+na glavnem DNS strežniku v datoteko /var/lib/bind/db.sijanec.eu vpišemo DNS zone
+	$TTL 300
+	@	IN	SOA	ns1.sijanec.org.	abuse.sijanec.eu. (
+		10	; serijska številka za DNS zone, povečaj za 10 ob spremembi
+		301	; refresh
+		299	; retry
+		31556926	; po enem letu nedelovanja NS1 sužnji pozabijo domeno
+		30	; TTL za NXDOMAIN, negative cache TTL
+	)	; abuse.sijanec.eu. je poštni naslov abuse@sijanec.eu - spremeni ga
+		; ns1.sijanec.eu. je glavni DNS strežnik za domeno - spremeni ga
+	@	IN	NS	ns1.sijanec.eu.	; glavni strežnik
+	@	IN	NS	ns2.sijanec.eu.	; DNS suženj
+	@	IN	A	84.255.241.83
+	in tako dalje za dodatne zapise
+
+za vse dodatne domene, ki naj imajo isto zone datoteko, lahko samo narediš symlinke. nikakor ne sme biti "file" direktiva v named.conf.local enaka pri več različnih DNS zone deklaracijah enaka, lahko pa kaže na symlink.
+
+za vsako dodatno domeno torej:
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.org
+ln -s db.sijanec.eu /var/lib/bind/db.sijanec.net
+
+systemctl restart bind9
diff --git a/_posts/mail.md b/_posts/mail.md
new file mode 100644
index 0000000..b908d81
--- /dev/null
+++ b/_posts/mail.md
@@ -0,0 +1,191 @@
+apt install postfix dovecot-imapd opendkim postfix-policyd-spf-python maildrop roundcube prayer nginx postfix-mta-sts-resolver hash-slinger
+
+vim /etc/dovecot/conf.d/10-mail.conf
+	mail_location = maildir:~/Maildir
+
+vim /etc/dovecot/conf.d/10-ssl.conf
+	ssl_cert = </etc/ssl/certifikati/fullchain.pem
+	ssl_key = </etc/ssl/certifikati/privkey.pem
+
+vim /etc/postfix/header\_checks
+	/^X-Originating-IP:/	IGNORE
+	/^Received:.*ESMTPSA/	IGNORE
+
+vim /etc/postfix/command\_filter
+	/^(.*)šijanec(.*)$/	$1 xn--ijanec-9jb $2
+
+vim /etc/postfix/destinations
+	if !/seznami/
+	/ijanec/	ALLOW
+	/241/		ALLOW
+	/146/		ALLOW
+	/235/		ALLOW
+	/gimb.tk/	ALLOW
+	/xn--jha/	ALLOW
+	endif
+
+usermod -aG opendkim postfix
+mkdir /var/spool/postfix/opendkim
+chown opendkim:opendkim /var/spool/postfix/opendkim
+
+opendkim-genkey -D /etc/dkimkeys -s mail
+
+dodaj vsebino /etc/dkimkeys/mail.txt v DNS zone za domeno
+
+vim /etc/opendkim.conf
+	LogWhy	yes
+	UserID	opendkim:opendkim
+	Domain	sijanec.eu,sijanec.org,sijanec.net,xn--ijanec-9jb.eu in tako dalje
+	Selector	mail
+	KeyFile	/etc/dkimkeys/mail.private
+	Socket	local:/var/spool/postfix/opendkim/opendkim.sock
+
+vim /etc/postfix-policyd-spf-python/policyd-spf.conf
+	HELO_reject = False
+	Mail_From_reject = False
+
+vim /etc/postfix/main.cf
+	smtp_header_checks = regexp:/etc/postfix/header_checks
+	smtpd_tls_cert_file = /etc/ssl/certifikati/fullchain.pem
+	smtpd_tls_key_file = /etc/ssl/certifikati/privkey.pem
+	smtpd_tls_received_header = yes
+	smtpd_command_filter = pcre:/etc/postfix/command_filter
+	mydomain = sijanec.eu
+	mydestination = pcre:/etc/postfix/destinations
+	smtp_address_preference = ipv4
+	mailbox_command = /usr/bin/maildrop -d $(USER)
+	smtp_bind_address = 89.212.146.168
+	smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf
+	policyd-spf_time_limit = 3600
+	message_size_limit = 1222333444
+	milter_protocol = 2
+	milter_default_action = accept
+	smtpd_milters = unix:/opendkim/opendkim.sock
+	non_smtpd_milters = unix:/opendkim/opendkim.sock
+	smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8451:postfix
+	smtpd_sasl_type = dovecot
+	smtpd_sasl_path = private/auth
+	smtpd_sasl_auth_enable = yes
+
+vim /etc/postfix/master.cf
+	odkomentiraj: smtp, submission, smtps (ostali potrebni so že odkomentirani)
+	dodaj na konec:
+	policyd-spf	unix	-	n	n	-	0	spawn
+		user=policyd-spf argv=/usr/bin/policy-spf
+
+vim /etc/dovecot/conf.d/10-master.conf
+	# ta block že obstaja v privzeti konfiguraciji
+	# https://www.postfix.org/SASL_README.html
+	service auth {
+		unix_listener /var/spool/postfix/private/auth {
+			user = postfix
+			group = postfix
+			mode = 0660
+		}
+	}
+
+vim /etc/dovecot/conf.d/15-mailboxes.conf
+	# ti blocki že obstajajo v privzeti konfiguraciji, treba jih je samo dopolniti
+	namespace inbox {
+		mailbox Drafts {
+			special_use = \Drafts
+			auto = subscribe
+		}
+		mailbox Junk {
+			special_use = \Junk
+			auto = subscribe
+		}
+		mailbox Trash {
+			special_use = \Trash
+			auto = subscribe
+		}
+		mailbox Sent {
+			special_use = \Sent
+			auto = subscribe
+		}
+	}
+
+vim ~/.mailfilter
+	if (/.*librehosting@radiostudent\.si.*/ || /.*kiberpipa\.org.*/ || /.*lugos\.si.*/)
+	{
+        	to $HOME/Maildir/.liste.lugos
+	}
+	if (/.*oss-security.*/ || /.*debian-security-announce.*/)
+	{
+	        to $HOME/Maildir/.liste.oss-security
+	}
+	in tako dalje
+
+iz IMAP klienta je treba **PRED DODAJANJEM MAPE** v ~/.mailfilter izdelati mapo, v nasprotnem primeru bo maildrop naredil mbox datoteko, česar nočemo.
+
+chown $USER:$USER ~/.mailfilter
+chmod 0600 ~/.mailfilter
+
+vim /etc/maildroprc
+DEFAULT="$HOME/Maildir"
+
+tlsa --create sijanec.eu
+dodaj output v DNS domensko zono (nginx mora teči s pravilnim certifikatom!) - spremeni zapis v DNS zoni, ko spremeniš cert
+
+rndc freeze
+vim /var/lib/bind/db.sijanec.eu
+	_mta-sts	IN	TXT	"v=STSv1; id=2"
+	mta-sts	IN	CNAME	mail
+	@	IN	MX	10	mail
+	mail	IN	A	89.212.146.168
+	_dmarc	IN	TXT	"v=DMARC1; p=none; rua=mailto:dmarc-aggregate@sijanec.eu; ruf=mailto:dmarc-forensic@sijanec.eu; fo=1"
+	@	IN	TXT	"v=spf1 mx a ip4:89.212.146.168/32 a:mail.sijanec.eu ~all"
+	*.sijanec.eu._report._dmarc	IN	TXT	"v=DMARC1"
+	sijanec.eu._report._dmarc	IN	TXT	"v=DMARC1"
+	*.sijanec.org._report._dmarc	IN	TXT	"v=DMARC1"
+	sijanec.org._report._dmarc	IN	TXT	"v=DMARC1"	; in isto za ostale domene
+	_smtp._tls	IN	TXT	"v=TLSRPTv1; rua=mailto:tls@sijanec.eu"
+	@	IN	CAA	128	issue	"letsencrypt.org"
+	@	IN	CAA	128	issuewild	"letsencrypt.org"
+	@	IN	CAA	128	iodef	"mailto:caa-violation@sijanec.eu"
+	*	IN	CAA	128	issue	"letsencrypt.org"
+	*	IN	CAA	128	issuewild	"letsencrypt.org"
+	*	IN	CAA	128	iodef	"mailto:caa-violation@sijanec.eu"
+rndc thaw
+
+vim /etc/aliases
+	mailer-daemon: postmaster
+	postmaster: root
+	nobody: root
+	hostmaster: root
+	webmaster: root
+	listmaster: root
+	www: root
+	ftp: root
+	abuse: root
+	noc: root
+	security: root
+	root: a
+	anton: a
+	whois: hostmaster
+	dns: whois
+	devnull: null
+	null: |/dev/null
+	luka: anton
+	dmarc-aggregate: postmaster
+	dmrac-forensic: postmaster
+	caa-violation: hostmaster
+	tls: postmaster
+
+newaliases
+
+vim /var/www/html/.well-known/mta-sts.txt
+	version: STSv1
+	mode: testing
+	mx: mail.sijanec.eu
+	mx: mail.sijanec.org
+	mx: mail.sijanec.net
+	mx: mail.xn--ijanec-9jb.eu
+	mx: mail.xn--ijanec-9jb.org
+	mx: mail.xn--ijanec-9jb.net
+	mx: mail.xn--ijanec-9jb.si
+	mx: mail.xn--ijanec-9jb.com
+	max_age: 31557600
+	comment: karkoli
+
+systemctl restart postfix dovecot opendkim prayer nginx postfix-mta-sts-resolver bind9
diff --git a/_posts/rfc2136.md b/_posts/rfc2136.md
new file mode 100644
index 0000000..d8d5190
--- /dev/null
+++ b/_posts/rfc2136.md
@@ -0,0 +1,29 @@
+# dyndns setup	http://www.btteknik.net/?p=143
+ddns-confgen -s rfc2136.sijanec.eu.
+# http://www.ipamworldwide.com/ipam/update-policy.html
+vim /etc/bind/named.conf.local	# here goes the update policy, change name to subdomain
+touch /etc/bind/keyfile.conf
+chmod 0660 /etc/bind/keyfile.conf
+vim /etc/bind/keyfile.conf	# here goes the key
+# hook script	https://blog.danman.eu/automatic-letsencrypt-wildcard-cert-renewal-with-nsupdate/
+vim /etc/letsencrypt/hook.sh
+	#!/bin/bash
+	CREATE_DOMAIN="certbot.rfc2136.sijanec.eu."
+	echo "
+	server 127.0.0.1
+	update delete $CREATE_DOMAIN TXT
+	update add $CREATE_DOMAIN 1 TXT $CERTBOT_VALIDATION
+	send
+	" | nsupdate -k /etc/bind/keyfile.conf
+	if [ $CERTBOT_REMAINING_CHALLENGES -eq 0 ]
+	then
+		echo done, reloading server and waiting 30 seconds
+		rndc reload
+		sleep 30
+	fi
+chmod +x /etc/letsencrypt/hook.sh
+# v domenske zapise vseh domen je treba dodati:
+#	_acme-challenge	IN	CNAME	certbot.rfc2136.sijanec.eu.
+certbot certonly --reuse-key --manual --register-unsafely-without-email --preferred-challenges dns --manual-auth-hook /etc/letsencrypt/hook.sh -d sijanec.eu -d sijanec.org -d sijanec.net -d xn--ijanec-9jb.eu -d xn--ijanec-9jb.org -d xn--ijanec-9jb.net -d xn--ijanec-9jb.si -d xn--ijanec-9jb.com -d *.sijanec.eu -d *.sijanec.org -d *.sijanec.net -d *.xn--ijanec-9jb.eu -d *.xn--ijanec-9jb.org -d *.xn--ijanec-9jb.net -d *.xn--ijanec-9jb.si -d *.xn--ijanec-9jb.com -d gimb.tk -d *.gimb.tk -d xn--jha.ga -d *.xn--jha.ga
+# more interesting info:
+# https://certbot-dns-rfc2136.readthedocs.io/en/stable/ (per-domain setup required, no CNAMEs)
diff --git a/o.md b/o.md
index a4ced4f..3ecb68a 100644
--- a/o.md
+++ b/o.md
@@ -47,7 +47,6 @@ Kontaktirate me lahko:
 
 * po [elektronski pošti](//sl.wikipedia.org/wiki/Elektronska_pošta): [anton@šijanec.eu](mailto:anton@šijanec.eu),
 * po [XMPP](//xmpp.org) protokolu: [anton@sijanec.eu](xmpp:anton@sijanec.eu),
-* <del>po [Matrix](//matrix.org) protokolu: [@anton:sijanec.eu](matrix:user/anton:sijanec.eu)</del> <small>(matrix python strežnik je delal izjemno prepočasi)</small>
 * po [Mumble](//www.mumble.info) protokolu: [sijanec.eu](mumble://sijanec.eu) <small>(nisem vedno povezan)</small>
 * po [IRC](//sl.wikipedia.org/wiki/IRC) protokolu:
 [ircs://irc.šijanec.eu:6697 v kanalu #](ircs://irc.sijanec.eu:6697/#).
@@ -62,8 +61,8 @@ in je dostopen na
 
 # o spletni strani
 
-Spletno stran sem zasnoval sam (saj se verjetno vidi), za generiranje pa se
-uporablja odprtokodna, prosta in brezplačna programska oprema
+Za generiranje spletne strani
+uporabljam odprtokodno, prosto in brezplačno programsko opremo
 [jekyll](//jekyllrb.com./). Izvorna koda spletne strani je dostopna na
 [git.šijanec.eu./sijanec/sijanec.eu](//git.šijanec.eu./sijanec/sijanec.eu).
 
@@ -73,24 +72,6 @@ Strežniki so dostopni preko domen [sijanec.eu](//sijanec.eu),
 [šijanec.eu](//šijanec.eu), [sijanec.org](//sijanec.org),
 [šijanec.org](//šijanec.org), [sijanec.net](//sijanec.net),
 [šijanec.net](//šijanec.net), [šijanec.si](//šijanec.si) in
-[šijanec.com](//šijanec.com) preko HTTP in HTTPS.
+[šijanec.com](//šijanec.com) preko HTTP in HTTPS. Kopija spletne strani je dostopna na [http://razor.arnes.si/~asija3/splet](http://razor.arnes.si/~asija3/splet).
 
-Če se ne strinjate z monopolom podjetij nad DNS in TLS in uporabljate
-[OpenNIC](//opennic.org) DNS koren, pa so strežniki dostopni še preko domen
-[sijanec.libre](http://sijanec.libre), [šijanec.libre](http://šijanec.libre),
-[sijanec.oss](http://sijanec.oss), [šijanec.oss](http://šijanec.oss),
-[sijanec.geek](http://sijanec.geek), [šijanec.geek](http://šijanec.geek),
-[sijanec.pirate](http://sijanec.pirate) in [šijanec.pirate](http://šijanec.pirate),
-[sijanec.o](http://sijanec.o) in [šijanec.o](http://šijanec.o),
-vendar brez podpisanih TLS certifikatov za te domene.
-
-Kot ponudnika Internetnih storitev uporabljam medmrežnega operaterja [T-2](//t-2.net.),
-vse je gostovano v Sloveniji.
-
-## zakaj izgleda tako slabo?
-
-Po nekih namišljenih standardih to spletišče ne izgleda najboljše.
-
-Takšno je z namenom. Ja, lahko bi prilepil neko megabajtno CSS stilno datoteko,
-ampak to nikakor ni potrebno. Recimo, da imam za vzor
-[jebeno spletno stran](//motherfuckingwebsite.com/).
+Vsi strežniki so gostovani v Sloveniji.
-- 
cgit v1.2.3