Merge branch 'master' of ssh://medusa.casa.alemor.org:4323/mar/container

5 years ago · 6cb5cd99f2
5 changed files with 42 additions and 30 deletions
--- a/src/debian/assets/bash.bashrc
+++ b/src/debian/assets/bash.bashrc
@ -83,4 +83,4 @@ fi

 alias ls='ls --color=auto'
 alias dir='ls -lFAh'
-alias rsy='rsync -vaSH'
+alias rsyn='rsync -vaSH'
--- a/src/mailsrv/assets/bin/mkvirt
+++ b/src/mailsrv/assets/bin/mkvirt
@ -15,17 +15,7 @@ postmap /etc/postfix/users

 ### Aliases ###

-# make self-referential users list
-# this is needed for the reject_sender_login_mismatch restriction to work,
-# otherwise users cannot send emails as their own address
-mkdir -p /vol/db/aliases_out.d
-cd /vol/db/aliases_out.d
-echo "# This file is autogenerated by mkvirt. Don't edit it manually." > self.list
-cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1\@brbytes.org \1\n\1\@mail.brbytes.org \1/' >> self.list
-
 # copy aliases to postifx config
 cd /etc/postfix
-cat /vol/db/aliases_out.d/*.list > aliases_out
-postmap aliases_out
-cat /vol/db/aliases_in.d/*.list > aliases_in
-postmap aliases_in
+cat /vol/db/aliases.d/*.list > aliases
+postmap aliases
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
@ -17,18 +17,18 @@ compatibility_level = 2

 ### Domains ###
 # primary name of server
-myhostname = mail.brbytes.org
+myhostname = mail.alemor.org
 myorigin = $mydomain
 # domains to consider primary (local) endpoints
 mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
 # domains to consider secondary (virtual) endpoints
-#virtual_alias_domains = info.brbytes.org
+virtual_alias_domains = epic.alemor.org, mail.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org, mbox.alemor.org, pirealps.org

 ### Users ###
 # get list of valid users from here instead of /etc/passwd
 local_recipient_maps = hash:/etc/postfix/users
 # get list of user aliases from this file
-virtual_alias_maps = hash:/etc/postfix/aliases_in
+virtual_alias_maps = hash:/etc/postfix/aliases
 # Address tag delimiter. If an email is sent to ${user}${delimiter}*,
 # the email is sent to ${user} if that address is not already explicitly defined.
 recipient_delimiter = -
--- a/src/mailsrv/assets/postfix/master.cf
+++ b/src/mailsrv/assets/postfix/master.cf
@ -16,8 +16,6 @@ submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-  -o smtpd_sender_login_maps=hash:/etc/postfix/aliases_out
-  -o smtpd_sender_restrictions=reject_sender_login_mismatch

 # Local services
 # ==========================================================================
--- a/src/mailsrv/docs/Deploy.md
+++ b/src/mailsrv/docs/Deploy.md
@ -3,25 +3,41 @@
 ## create dirs

 ```
-mkdir -p /srv/volumes/mailserver/{db,mail,ssl}
-chown -R 5000:5000 /srv/volumes/mailserver
-chmod go-rwx /srv/volumes/mailserver/ssl
+sudo mkdir -p /srv/vol/mailsrv/{db,mail,ssl}
+sudo chown -R 5000:5000 /srv/vol/mailsrv
+sudo chmod go-rwx /srv/vol/mailsrv/ssl
 ```
 put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mail` directory.

+```
+sudo -i
+cd /srv/vol/mailsrv/db
+mkdir aliases.d
+```
+
+create aliases as needed
+
+```
+vi /srv/vol/mailsrv/db/users
+```
+
+format is like a passwd file with user:passwd (no spaces between)
+
+make sure that all files are owned by 5000:5000
+
 ## make sure mail ports are open

-add the following directives to the `myfirewall` chain in `/etc/nftables`:
+add the following directives to the `myfirewall` chain in `/etc/nftables.conf`:
 ```
                # accept incoming SMTP(s) connections
-                tcp dport {25, 465, 587} accept
+                tcp dport {25, 587} accept

                # accept incoming IMAP(s) connections
                tcp dport {143, 993} accept
 ```
 then make sure configuration has taken place by running:
 ```
-nft -f /etc/nftables
+nft -f /etc/nftables.conf
 ```

 ## set up domain name
@ -33,18 +49,26 @@ ping ${dnsname:?}

 ## get SSL certificates from letsencrypt

-install certbot:
+install acme.sh
+
 ```
-apt install certbot
+apt install socat
+git clone https://github.com/acmesh-official/acme.sh.git
+cd acme.sh
+./acme.sh --install --home /usr/local/lib/acme-sh \
+          --config-home /etc/acme-sh \
+          --accountemail letsencrypt@mail.alemor.org
 ```

-if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept`.
+Then exit and relogin to refresh the bash hash

-Get a certificate for your domain by running:
 ```
-certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?}
+acme.sh --issue --alpn --pre-hook 'systemctl stop haproxy' \
+        --post-hook 'systemctl start haproxy' -d mailtest.alemor.org
+acme.sh --install-cert -d mailtest.alemor.org \
+        --fullchain-file /srv/vol/mailsrv/ssl/fullchain.pem \
+        --key-file /srv/vol/mailsrv/ssl/key.pem
 ```
-the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands.

 ## make users and aliases