Commit 304bf3d3 authored by Joshua Tauberer

update for Ubuntu 14.04

parent 48bbdd99
...@@ -12,14 +12,14 @@ On March 13, 2014 I submitted Mail-in-a-Box to the [Knight News Challenge](https ...@@ -12,14 +12,14 @@ On March 13, 2014 I submitted Mail-in-a-Box to the [Knight News Challenge](https
The Box The Box
------- -------
Mail-in-a-Box provides a single shell script that turns a fresh Ubuntu 13.04 64-bit machine into a working mail server, including: Mail-in-a-Box provides a single shell script that turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server, including:
* An SMTP server for sending/receiving mail, with STARTTLS required for authentication, and greylisting to cut down on spam (postfix, postgrey). * An SMTP server for sending/receiving mail, with STARTTLS required for authentication, and greylisting to cut down on spam (postfix, postgrey).
* An IMAP server for checking your mail, with SSL required (dovecot). * An IMAP server for checking your mail, with SSL required (dovecot).
* A webmail client over SSL so you can check your email from a web browser (roundcube, nginx). * A webmail client over SSL so you can check your email from a web browser (roundcube, nginx).
* Spam filtering with spam automatically going to your Spam folder (spamassassin). * Spam filtering with spam automatically going to your Spam folder (spamassassin).
* DKIM signing on outgoing messages (opendkim). * DKIM signing on outgoing messages (opendkim).
* The machine acts as its own DNS server and is automatically configured for SPF and DKIM (nsd3). * The machine acts as its own DNS server and is automatically configured for SPF and DKIM (nsd).
* Configuration of mailboxes and mail aliases is done using a command-line tool. * Configuration of mailboxes and mail aliases is done using a command-line tool.
* Basic system services like a firewall, intrusion protection, and setting the system clock are automatically configured (ufw, fail2ban, ntp). * Basic system services like a firewall, intrusion protection, and setting the system clock are automatically configured (ufw, fail2ban, ntp).
......
...@@ -9,9 +9,9 @@ Before You Begin ...@@ -9,9 +9,9 @@ Before You Begin
Get a Server Get a Server
------------ ------------
* Get a server. I've been a long-time customer of Rimuhosting.com which provides cheap VPS machines at several locations around the world. You could also go with Linode.com or any other cloud or VPS (virtual server) provider. (If you want to test on Amazon EC2, I've got instructions for you in ec2/README.md.) In a cloud environment like EC2 where your server's IP address is dynamic, this is a good time to assign a static IP (like a EC2 Elastic IP). * Get a server. I've been a long-time customer of Rimuhosting.com which provides cheap VPS machines at several locations around the world. You could also go with Linode.com or any other cloud or VPS (virtual server) provider that provides a static IP address. Don't use Amazon Web Services though: Many of their IP addresses have a bad reputation because they've been used to send spam.
* Choose Ubuntu 13.04 amd64 as your operating system (aka a Linux distribution). You won't need much memory or disk space. 768 MB of memory (RAM) and 4G of disk space should be plenty. * Choose Ubuntu 14.04 amd64 as your operating system (aka a Linux distribution). You won't need much memory or disk space. 768 MB of memory (RAM) and 4G of disk space should be plenty.
* Once the machine is running, set up Reverse DNS. Each ISP handles that differently. You'll have to figure out from your ISP how to do that. Set the reverse DNS to the hostname you chose above (in my case `box.occams.info`). * Once the machine is running, set up Reverse DNS. Each ISP handles that differently. You'll have to figure out from your ISP how to do that. Set the reverse DNS to the hostname you chose above (in my case `box.occams.info`).
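Review bot: the rewritten "Get a server" bullet drops the pointer to ec2/README.md; if that file and the ec2/ directory are not removed or updated in this commit they become orphaned, and readers who still try EC2 will no longer find the instructions or the reason the README now advises against it. Either delete ec2/README.md here or leave a one-line reference explaining that EC2 is unsupported because of IP reputation. Minor wording: "provider that provides a static IP address" reads better as "provider that offers a static IP address", and "though: Many" should be "though: many".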
......
...@@ -7,13 +7,13 @@ ...@@ -7,13 +7,13 @@
# #
# This script will turn on DNS for $PUBLIC_HOSTNAME. # This script will turn on DNS for $PUBLIC_HOSTNAME.
# Install nsd3, our DNS server software. # Install nsd, our DNS server software.
apt-get -qq -y install nsd3 apt-get -qq -y install nsd
# Prepare nsd3's configuration. # Prepare nsd's configuration.
sudo mkdir -p /var/run/nsd3 sudo mkdir -p /var/run/nsd
mkdir -p "$STORAGE_ROOT/dns"; mkdir -p "$STORAGE_ROOT/dns";
# Create the default zone if it doesn't exist. # Create the default zone if it doesn't exist.
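Review bot: `sudo mkdir -p /var/run/nsd` is inconsistent with the rest of the script, which already runs as root (`apt-get -qq -y install nsd` on the line above has no sudo), and on Ubuntu 14.04 /var/run is a symlink to the tmpfs /run, so a directory created here does not survive a reboot. The nsd package's own init script creates its runtime directory when the service starts; drop this line, or if it is needed for the first run, drop the `sudo` and note in a comment that it is only for the initial start.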
......
...@@ -20,7 +20,7 @@ done ...@@ -20,7 +20,7 @@ done
# Create the top of nsd.conf. # Create the top of nsd.conf.
cat > /etc/nsd3/nsd.conf << EOF; cat > /etc/nsd/nsd.conf << EOF;
server: server:
hide-version: yes hide-version: yes
...@@ -28,7 +28,7 @@ server: ...@@ -28,7 +28,7 @@ server:
identity: "" identity: ""
# The directory for zonefile: files. # The directory for zonefile: files.
zonesdir: "/etc/nsd3/zones" zonesdir: "/etc/nsd/zones"
# ZONES # ZONES
EOF EOF
...@@ -37,7 +37,7 @@ EOF ...@@ -37,7 +37,7 @@ EOF
# file and mention it in nsd.conf. And add information to the # file and mention it in nsd.conf. And add information to the
# OpenDKIM signing tables. # OpenDKIM signing tables.
mkdir -p /etc/nsd3/zones; mkdir -p /etc/nsd/zones;
truncate --size 0 /etc/opendkim/KeyTable truncate --size 0 /etc/opendkim/KeyTable
truncate --size 0 /etc/opendkim/SigningTable truncate --size 0 /etc/opendkim/SigningTable
...@@ -54,15 +54,15 @@ for fn in $STORAGE_ROOT/dns/*.txt; do ...@@ -54,15 +54,15 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
# If the zone file exists, get the existing zone serial number so we can increment it. # If the zone file exists, get the existing zone serial number so we can increment it.
# TODO: This needs to be done better so that the existing serial number is persisted in the storage area. # TODO: This needs to be done better so that the existing serial number is persisted in the storage area.
serial=`date +"%Y%m%d00"` serial=`date +"%Y%m%d00"`
if [ -f /etc/nsd3/zones/$fn2 ]; then if [ -f /etc/nsd/zones/$fn2 ]; then
existing_serial=`grep "serial number" /etc/nsd3/zones/$fn2 | sed "s/; serial number//"` existing_serial=`grep "serial number" /etc/nsd/zones/$fn2 | sed "s/; serial number//"`
if [ ! -z "$existing_serial" ]; then if [ ! -z "$existing_serial" ]; then
serial=`echo $existing_serial + 1 | bc` serial=`echo $existing_serial + 1 | bc`
fi fi
fi fi
# Create the zone file. # Create the zone file.
cat > /etc/nsd3/zones/$fn2 << EOF; cat > /etc/nsd/zones/$fn2 << EOF;
\$ORIGIN $zone. ; default zone domain \$ORIGIN $zone. ; default zone domain
\$TTL 86400 ; default time to live \$TTL 86400 ; default time to live
...@@ -86,7 +86,7 @@ EOF ...@@ -86,7 +86,7 @@ EOF
# In PUBLIC_HOSTNAME, also define ns1 and ns2. # In PUBLIC_HOSTNAME, also define ns1 and ns2.
if [ "$zone" = $PUBLIC_HOSTNAME ]; then if [ "$zone" = $PUBLIC_HOSTNAME ]; then
cat >> /etc/nsd3/zones/$fn2 << EOF; cat >> /etc/nsd/zones/$fn2 << EOF;
ns1 IN A $PUBLIC_IP ns1 IN A $PUBLIC_IP
ns2 IN A $PUBLIC_IP ns2 IN A $PUBLIC_IP
EOF EOF
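Review bot: `[ "$zone" = $PUBLIC_HOSTNAME ]` leaves the right-hand side unquoted; if PUBLIC_HOSTNAME is unset or empty the test degenerates to two arguments and `[` reports "unary operator expected" instead of evaluating false, and the ns1/ns2 records are then silently skipped. Quote it: `[ "$zone" = "$PUBLIC_HOSTNAME" ]`.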
...@@ -94,11 +94,11 @@ EOF ...@@ -94,11 +94,11 @@ EOF
# If OpenDKIM is set up, append the suggested TXT record to the zone. # If OpenDKIM is set up, append the suggested TXT record to the zone.
if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2; cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd/zones/$fn2;
fi fi
# Add this zone file to the main nsd configuration file. # Add this zone file to the main nsd configuration file.
cat >> /etc/nsd3/nsd.conf << EOF; cat >> /etc/nsd/nsd.conf << EOF;
zone: zone:
name: $zone name: $zone
zonefile: $fn2 zonefile: $fn2
...@@ -120,8 +120,8 @@ EOF ...@@ -120,8 +120,8 @@ EOF
done done
# Kick nsd. # Kick nsd.
service nsd3 rebuild service nsd rebuild
service nsd3 restart # ensure it is running service nsd restart # ensure it is running
# Kick opendkim. # Kick opendkim.
service opendkim restart service opendkim restart
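Review bot: `service nsd rebuild` carries over an NSD 3 init action. The `nsd` package on Ubuntu 14.04 is NSD 4, which no longer has the separate zone-compilation (zonec) step that `rebuild` performed, so this invocation is likely to print a usage error and exit non-zero rather than do anything. Check the installed init script's supported actions; the `service nsd restart` that follows already loads the regenerated zone files, and if remote control is enabled, `nsd-control reload` is the non-disruptive alternative.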
......
...@@ -121,11 +121,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ ...@@ -121,11 +121,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
first_valid_uid=0 first_valid_uid=0
# Require that passwords are sent over SSL only, and allow the usual IMAP authentication mechanisms. # Require that passwords are sent over SSL only, and allow the usual IMAP authentication mechanisms.
# The LOGIN mechanism is supposedly for Microsoft products like Outlook to do SMTP login (I guess
# since we're using Dovecot to handle SMTP authentication?).
tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
disable_plaintext_auth=yes \ disable_plaintext_auth=yes \
"auth_mechanisms=plain login" "auth_mechanisms=plain login"
# Query out Sqlite3 database, and not system users, for authentication. # Query our Sqlite3 database, and not system users, for authentication.
sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf
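Review bot: the new comment on the LOGIN mechanism is phrased as a guess ("I guess ... ?"); it can be stated plainly. LOGIN is an older plaintext mechanism that some Microsoft clients use, and Postfix hands SMTP AUTH to Dovecot's SASL service, which is why the list lives here. Because `disable_plaintext_auth=yes` is set on the line above, Dovecot refuses both PLAIN and LOGIN unless the connection is TLS-protected or local, so adding LOGIN improves client compatibility without relaxing the requirement that passwords only travel over an encrypted session.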
...@@ -148,6 +150,7 @@ connect = $db_path ...@@ -148,6 +150,7 @@ connect = $db_path
default_pass_scheme = SHA512-CRYPT default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u'; password_query = SELECT email as user, password FROM users WHERE email='%u';
EOF EOF
chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions
# Disable in-the-clear IMAP and POP because we're paranoid (we haven't even # Disable in-the-clear IMAP and POP because we're paranoid (we haven't even
# enabled POP). # enabled POP).
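Review bot: `chmod 0600 /etc/dovecot/dovecot-sql.conf.ext` runs after the heredoc has already written the file, so between the `cat >` and the `chmod` the file exists with the default umask permissions (typically 0644). The file holds only the SQLite path and query today, but it is the place a database password would go if the backend ever changes, so set the mode before writing rather than after: run the heredoc under `umask 077`, or create the file with `install -m 600 /dev/null /etc/dovecot/dovecot-sql.conf.ext` first and then append to it.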
......
...@@ -3,8 +3,8 @@ ...@@ -3,8 +3,8 @@
# Check system setup. # Check system setup.
if [ "`lsb_release -d | sed 's/.*:\s*//'`" != "Ubuntu 13.04" ]; then if [ "`lsb_release -d | sed 's/.*:\s*//'`" != "Ubuntu 14.04 LTS" ]; then
echo "Mail-in-a-Box only supports being installed on Ubuntu 13.04, sorry. You are running:" echo "Mail-in-a-Box only supports being installed on Ubuntu 14.04, sorry. You are running:"
echo echo
lsb_release -d | sed 's/.*:\s*//' lsb_release -d | sed 's/.*:\s*//'
echo echo
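Review bot: the new exact-string check `!= "Ubuntu 14.04 LTS"` will break at the first point release, because `lsb_release -d` then reports "Ubuntu 14.04.1 LTS" and the installer refuses a supported system. Compare the release number instead, e.g. `[ "$(lsb_release -rs)" != "14.04" ]`, which stays "14.04" across 14.04.x, and keep `lsb_release -d` only for the message printed to the user.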
...@@ -20,7 +20,7 @@ if grep -q "^PasswordAuthentication yes" /etc/ssh/sshd_config \ ...@@ -20,7 +20,7 @@ if grep -q "^PasswordAuthentication yes" /etc/ssh/sshd_config \
echo "Add your SSH public key to $HOME/.ssh/authorized_keys, check" echo "Add your SSH public key to $HOME/.ssh/authorized_keys, check"
echo "check that you can log in without a password, set the option" echo "check that you can log in without a password, set the option"
echo "'PasswordAuthentication no' in /etc/ssh/sshd_config, and then" echo "'PasswordAuthentication no' in /etc/ssh/sshd_config, and then"
echo "restart the machine." echo "restart the machine."
exit exit
fi fi
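Review bot: the echoed instructions read "...authorized_keys, check" followed by "check that you can log in...", so the user sees "check check that you can log in". Drop the trailing "check" from the first line (or the leading one from the second) so the sentence reads correctly.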
......
...@@ -51,3 +51,6 @@ cat - > /etc/roundcube/debian-db.php <<EOF; ...@@ -51,3 +51,6 @@ cat - > /etc/roundcube/debian-db.php <<EOF;
EOF EOF
chown -R www-data.www-data $STORAGE_ROOT/mail/roundcube chown -R www-data.www-data $STORAGE_ROOT/mail/roundcube
# Enable PHP modules.
php5enmod mcrypt
service php-fastcgi restart
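Review bot: `php5enmod mcrypt` only enables a module that is already installed; on Ubuntu 14.04 the mcrypt extension ships in the separate php5-mcrypt package and is not enabled by default, which is why this line is needed, so make sure php5-mcrypt is in the apt-get install list for this script or the enmod call fails and Roundcube loses its mcrypt-dependent features. Also confirm that `php-fastcgi` is the name of the service actually defined in this project, since the stock 14.04 package provides `php5-fpm` instead. Minor: `chown -R www-data.www-data` uses the deprecated dot separator; `www-data:www-data` is the portable form.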
...@@ -35,7 +35,7 @@ for line in open(filename): ...@@ -35,7 +35,7 @@ for line in open(filename):
# comment-out the existing line # comment-out the existing line
buf += "#" + line buf += "#" + line
# if this option oddly appears more than once, don't add the settingg again # if this option oddly appears more than once, don't add the setting again
if i in found: if i in found:
break break
......