
bugfixing

feature/startup-from-labels
Mario Alegre 5 years ago
parent
commit
6f5ca95a9d
  1. 1
      bin/pdm-launch
  2. 3
      install.sh
  3. 2
      src/mailsrv/assets/bin/mkvirt
  4. 4
      src/mailsrv/assets/dovecot/conf.d/10-master.conf
  5. 4
      src/mailsrv/assets/dovecot/conf.d/10-ssl.conf
  6. 12
      src/mailsrv/assets/postfix/main.cf
  7. 22
      src/mailsrv/docs/Deploy.md

1
bin/pdm-launch

@ -28,7 +28,6 @@ if [[ -n $1 ]]; then
image=$1
else
echo "Warning: No image name given. Assuming image name from current working directory."
echo ""
image=$(basename $(pwd))
fi

3
install.sh

@ -70,5 +70,6 @@ if [[ ! -f /etc/containers/startup.sh ]]; then
printf "#!/bin/bash\n\n" | sudo tee /etc/containers/startup.sh
fi
sudo chmod +x /etc/containers/startup.sh
echo "Installed containers startup script in /etc/containers/startup.sh. Put any podman-related commands that should run on startup in that file."
echo "Installed containers startup script in /etc/containers/startup.sh."
echo "Put any podman-related commands that should run on startup in that file."

2
src/mailsrv/assets/bin/mkvirt

@ -3,7 +3,7 @@
cd /etc/postfix
# do users
cat /vol/db/users | sed 's/:/ /g' > users
cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./'
postmap users
# do aliases
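Review bot: The rewritten users pipeline (print order suggests the `cut | perl` line is the added one) no longer redirects into `users`, so the `postmap users` that follows hashes whatever an earlier run left behind, or fails if the file is absent. Taking only field 1 instead of `sed 's/:/ /g'`, which copied every colon-separated field (presumably including the credential hash, given the file is `chmod go=` in Deploy.md) into the map, is the right direction; it just needs the redirect back, and `\1` in a Perl replacement is the deprecated spelling of `$1`. Suggest `cut -d':' -f1 /vol/db/users | perl -pe 's/(.*)/$1 ./' > users`. The script continues outside the hunk.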

4
src/mailsrv/assets/dovecot/conf.d/10-master.conf

@ -102,14 +102,14 @@ service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
mode = 0700
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
# Auth process is run as this user.
#user = $default_internal_user
user = vmail
}
service auth-worker {
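Review bot: `user = vmail` on the auth process (the last changed line, assuming print order) runs the password lookup as the same account that owns every mailbox, so a fault in that process reaches all mail, whereas the `$default_internal_user` it replaces keeps the two apart. If the motivation is that the auth process must read `/vol/db/users` (owned 5000:5000 per Deploy.md), a group read grant on that one file is the narrower fix; either way the reason belongs in the config, e.g. `# runs as vmail so the passdb can read /vol/db/users — a group grant on that file would avoid this`. The `mode = 0700` tightening on the Postfix listener is consistent with the `user = postfix` below it. The `service auth` block continues outside the hunk.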

4
src/mailsrv/assets/dovecot/conf.d/10-ssl.conf

@ -9,8 +9,8 @@ ssl = yes
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </vol/ssl/mailtest.brbytes.org/fullchain.pem
ssl_key = </vol/ssl/mailtest.brbytes.org/privkey.pem
ssl_cert = </vol/ssl/fullchain.pem
ssl_key = </vol/ssl/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
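Review bot: The new `ssl_key = </vol/ssl/privkey.pem` sits under a comment that asks for the key to stay unreadable by anyone but root, yet the deploy hook in this commit's Deploy.md hunk runs `chown -R 5000:5000 /srv/volumes/mailsrv/ssl` on the directory it rsyncs into, which, if /vol/ssl is that volume, hands the private key to the vmail uid. Dovecot reads the key before dropping privileges (as the comment above says) and Postfix likewise reads it as root, so the chown is not needed for either; dropping it from the hook, or limiting it to the files that genuinely must be readable, would honour the comment. If the ownership is required for something else, a comment here naming it would stop the next reader from reverting it.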

12
src/mailsrv/assets/postfix/main.cf

@ -6,7 +6,6 @@ inet_interfaces = all
inet_protocols = all
# what backend to use to deliver local & virtual mail
local_transport = lmtp:unix:private/dovecot-lmtp
#virtual_transport = $local_transport
# hosts to relay for
relayhost =
# whether to send "new mail" notifications to users
@ -18,11 +17,10 @@ compatibility_level = 2
### Domains ###
# primary name of server
myhostname = mailtest.brbytes.org
myorigin = $myhostname
myhostname = mail.brbytes.org
myorigin = $mydomain
# domains to consider primary (local) endpoints
mydestination = $myhostname, localhost.localdomain, localhost
#mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
# domains to consider secondary (virtual) endpoints
#virtual_alias_domains = info.brbytes.org
@ -43,8 +41,8 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
smtpd_tls_security_level=may
# where to find certs
smtpd_tls_cert_file=/vol/ssl/mailtest.brbytes.org/fullchain.pem
smtpd_tls_key_file=/vol/ssl/mailtest.brbytes.org/privkey.pem
smtpd_tls_cert_file=/vol/ssl/fullchain.pem
smtpd_tls_key_file=/vol/ssl/privkey.pem
### Anti-spam ###
#smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit
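Review bot: `myorigin = $mydomain` and the new `mydestination` line both depend on `$mydomain`, which is not set anywhere in the visible hunks; Postfix then derives it from `myhostname` by dropping the first label, so it resolves to brbytes.org today and silently changes if myhostname is renamed again. Setting it explicitly next to myhostname, `mydomain = brbytes.org`, pins the value the other settings rely on. If brbytes.org is also listed as a virtual domain further down (the file continues outside the hunks), Postfix warns that a domain appears in both mydestination and the virtual lists, so only one of the two should carry it. The other two hunks (the virtual_transport removal and the /vol/ssl cert paths) raise nothing on their own.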

22
src/mailsrv/docs/Deploy.md

@ -14,7 +14,7 @@ put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mai
add the following directives to the `myfirewall` chain in `/etc/nftables`:
```
# accept incoming SMTP(s) connections
tcp dport {25, 465} accept
tcp dport {25, 465, 587} accept
# accept incoming IMAP(s) connections
tcp dport {143, 993} accept
@ -38,13 +38,23 @@ install certbot:
apt install certbot
```
if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be:
```
nft insert rule inet myfilter myfirewall tcp dport 80 accept
```
if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept`.
Get a certificate for your domain by running:
```
certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?} /srv/volumes/mailserver/ssl/; chown -R 5000:5000 /srv/volumes/mailserver/ssl" -d ${domain:?}
certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?}
```
the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands.
## make users and aliases
```
cd /srv/volumes/mailsrv/db
mkdir aliases.d
touch users
chmod go= users
```
then edit `users` and add aliases lists to `aliases.d`. Don't forget to change its ownership once you're done:
```
chown -R 5000:5000 /srv/volumes/mailsrv/db
```
