New debian 4 server article

Hi everyone,

I chose Linode for my server and it has been running smoothly so far. Hope it continues that way.

I have written a guide on configuring Debian 4 as a server. Please read it at http://technichristian.net/intro/index.php?q=debian-etch-server and let me know how it is.

Thanks,

Michael.

20 Replies

Thanks for the tutorial. I have found some things I can change or add on my current installation to make it more secure, like the Postfix anti-DOS config settings.

Now I have an installation running comparable with that in the manual. I also use debian, postfix, lighttpd, .. Now could you add a small part on how I can set up my server so I can use it as an SMTP mail server? So I don't need to use the one from my ISP anymore? :oops: So then I can set some easy SPF records, and I don't have to change my SMTP when I change location. :).

Thank you.

SMTP is also there on this server.

The SMTP server should be: yourdomain.com. The username is mailusername+yourdomain.com

Try it and let me know if it works.

I need to see how to integrate SPF checking into postfix. Let me try first.

@tofu:

> Thanks for the tutorial. I have found some things I can change or add on my current installation to make it more secure, like the Postfix anti-DOS config settings.
>
> Now I have an installation running comparable with that in the manual. I also use debian, postfix, lighttpd, .. Now could you add a small part on how I can set up my server so I can use it as an SMTP mail server? So I don't need to use the one from my ISP anymore? :oops: So then I can set some easy SPF records, and I don't have to change my SMTP when I change location. :).

Hi,

I have added instructions for SPF checking on emails RECD by your domain.

For your own domain, use the SPF wizard at http://www.openspf.org/ to publish your SPF record, so that emails SENT by your domain can be verified by other receiving domains correctly.

Thanks again.

Michael.

@tofu:

> Thanks for the tutorial. I have found some things I can change or add on my current installation to make it more secure, like the Postfix anti-DOS config settings.
>
> Now I have an installation running comparable with that in the manual. I also use debian, postfix, lighttpd, .. Now could you add a small part on how I can set up my server so I can use it as an SMTP mail server? So I don't need to use the one from my ISP anymore? :oops: So then I can set some easy SPF records, and I don't have to change my SMTP when I change location. :).

What's wrong with "apt-get install lighttpd"? If it's simply wanting the latest version, you might look into backports.org.

Nothing wrong with backports.org, except that they do not have the latest stable version. A couple of security issues were fixed between the version in backports and the latest stable.

@SteveG:

> What's wrong with "apt-get install lighttpd"? If it's simply wanting the latest version, you might look into backports.org.

Hi,

Hope SMTP worked for you. Please let me know.

Regards,

Michael.

@tofu:

> Thanks for the tutorial. I have found some things I can change or add on my current installation to make it more secure, like the Postfix anti-DOS config settings.
>
> Now I have an installation running comparable with that in the manual. I also use debian, postfix, lighttpd, .. Now could you add a small part on how I can set up my server so I can use it as an SMTP mail server? So I don't need to use the one from my ISP anymore? :oops: So then I can set some easy SPF records, and I don't have to change my SMTP when I change location. :).

@mdavid8421:

> Nothing wrong with backports.org, except that they do not have the latest stable version. A couple of security issues were fixed between the version in backports and the latest stable.

Is `apt-get install -t unstable lighttpd` not a good alternative then?

@mdavid8421:

> Hope SMTP worked for you. Please let me know.

Super! Thanks for adding it to your tutorial. Unfortunately I'm still stuck in making an SMTP server :cry:.

```
warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
fatal: no SASL authentication mechanisms
warning: process /usr/lib/postfix/smtpd pid 22757 exit status 1
warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
```

Can't even connect to the smtpd

```
$ telnet tufus.info 25
Trying 70.85.129.231...
telnet: connect to address 70.85.129.231: Operation timed out
```

While my firewall (firehol) has the smtp port open.

/etc/default/saslauthd:

```
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
```

/etc/postfix/sasl/smtpd.conf:

```
pwcheck_method: saslauthd
mech_list: plain login
```

/etc/postfix/main.cf:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = tufus.info
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = tufus.info, localhost.info, localhost, saai.be
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# (the value of the next line is truncated in the original post)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,rejec
virtual_maps = hash:/etc/postfix/virtusertable
unknown_local_recipient_reject_code = 450
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtpd_helo_required = yes
message_size_limit = 31457280
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Protect against DOS attacks
disable_vrfy_command = yes
smtpd_error_sleep_time = 0s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s
smtpd_delay_reject = no
```
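The "Protect against DOS attacks" block in the main.cf above is the part the first reply singled out. As an added example (not from the thread or the linked tutorial), the Python below parses a main.cf, continuation lines included, and reports which of those abuse-resistance settings are missing or weaker than the poster's values. The sample config is constructed; its `reject_unauth_destination` rule is my assumption, not the value truncated in the post.

```python
import re

# Constructed sample modelled on the poster's "Protect against DOS attacks" block (not their file).
SAMPLE_MAIN_CF = """\
# Protect against DOS attacks
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_sasl_security_options = noanonymous
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s
"""
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_main_cf(text):
    """Read 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return {k: " ".join(v.split()) for k, v in params.items()}

def to_seconds(value):
    """Postfix time values: an integer with an optional s/m/h/d/w suffix (default seconds)."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)

def audit_dos_settings(p):
    """Return findings for the abuse-resistance settings the thread discusses; [] means all present."""
    findings = []
    if p.get("disable_vrfy_command") != "yes":
        findings.append("disable_vrfy_command is not yes: VRFY lets remote hosts enumerate mailboxes")
    if p.get("smtpd_helo_required") != "yes":
        findings.append("smtpd_helo_required is not yes")
    soft, hard = int(p.get("smtpd_soft_error_limit", "10")), int(p.get("smtpd_hard_error_limit", "20"))
    if soft >= hard:
        findings.append("smtpd_soft_error_limit %d is not below smtpd_hard_error_limit %d" % (soft, hard))
    if to_seconds(p.get("smtpd_timeout", "300s")) > 300:
        findings.append("smtpd_timeout above 300s lets idle clients tie up smtpd processes")
    rules = re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "").strip())
    if not any(r.startswith("reject") for r in rules):
        findings.append("smtpd_recipient_restrictions has no reject_* rule: relay open to unauthenticated clients")
    if "noanonymous" not in re.split(r"[,\s]+", p.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    return findings
```

Run `audit_dos_settings(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real box; an empty list means every setting from the poster's block is in place.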

Where were you trying to smtp from? Some home DSL/cable/whatever providers block outgoing port 25 connections (to stop spam). So in your testing make sure you're not testing from a blocked network :-)

Looks like the postfix installation is messed up. My suggestion would be to remove both postfix, courier and saslauthd and start again.

`apt-get remove --purge postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail`

Then start again.

After full installation, install nmap (`apt-get install nmap`), then run `nmap localhost` to see all the ports open. 25 should be open.

Also the user name is just the mailusername.


@tofu:

> Is `apt-get install -t unstable lighttpd` not a good alternative then?

The downside of installing from unstable is that you're likely to pull in a new libc6 and a bunch of other libraries. Using backports gives you (reasonably) current versions of specific software compiled against the stable version of the core libraries. The downside, as mdavid noted, is that backports.org versions are not always updated w.r.t. security issues; it depends on the individual backport maintainer. OTOH, if you build from scratch, then you're responsible for security updates. Of course, that's generally true anyway, but "apt-get upgrade lighttpd" is a lot easier than grabbing and building new source. Especially since I personally have an aversion to installing compilers etc. on Internet-facing boxes. YMMV.

Don't try to pull binary packages from sid, it's going to end in pain. Better to backport it from sid if backports.org isn't to your favour.

One can build lighttpd this way.

```
::: Irssi: Starting query in freenode with dpkg
told random about simple sid backport
(First: See if the package has already been backported. Ask me about .
If it hasn't,
1) Add a deb-src line for sid to your sources.list.
2) apt-get update
3) apt-get build-dep packagename; apt-get -b source packagename;
4) install the resultant debs.)
```

Or if you want to do the `./configure && make && make install` drill I suggest using stow.

The procedure changes to `./configure --prefix=/usr/local/stow/program --exec-prefix=/usr/local/stow/program && make && make install && cd /usr/local/stow/ && stow -v program`

Is there a specific reason to `./configure --prefix=/usr` instead of `/usr/local/` in the howto? Feels like it could bring up an issue or a few later on.

Steve, I am also allergic to keeping compilers on internet boxes. That is the reason why I delete all compilers and development stuff after our job is done.

As far as security is concerned, any admin has to read through security lists, find out if anything affects his/her server and accordingly patch the system.


Is there any way to prevent PHP from roaming freely?

Both lighttpd and php-cgi are running as www-data but they can still access directories everywhere (which is strange since I would think the filesystem would disallow it).

Well, they can't go everywhere, but they can access any directory/file that has read permission for "other". Traditionally, this is the default. Note that they shouldn't be able to write everywhere.

The only easy way to prevent this (AFAIK) is to run the PHP et al. stuff in a chroot. Well, not easy, really; straightforward is probably a better adjective.

As a side note, while the PHP "system" can access anything not explicitly forbidden, PHP applications shouldn't allow web users arbitrary access. But we all know bugs exist.

I feel kind of stupid now, this is so basic I shouldn't have had to ask :)

Well, I might look into chroot or I'll just have to make sure my applications are "air tight" (I know PHP, got the Linode to learn server administration & Linux)

Thanks!

@mdavid8421:

> Looks like the postfix installation is messed up. My suggestion would be to remove both postfix, courier and saslauthd and start again.

Thanks for your help.

First installed a backup system to my home, because I have 2 years of emails on that account.

Removed postfix, .. and installed them again. Then I found my ISP is blocking port 25, so I configured a port-forwarding in my firewall.

smtp is working now, great! But solved one problem, created another: imap is broken :cry:

```
tufus:/home/pixel/log# authtest pixel pass
Authentication succeeded.

     Authenticated: pixel  (system username: pixel)
    Home Directory: /home/pixel
           Maildir: (none)
             Quota: (none)
Encrypted Password: pass
Cleartext Password: pass
           Options: (none)
LauBook:~ Laurens$ telnet tufus.info 143
Trying 70.85.129.231...
Connected to tufus.info.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.
login pixel pass
login NO Error in IMAP command received by server.
abc login pixel pas
* BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: No such file or directory
Connection closed by foreign host.
tufus:/home/pixel/log# cd /home/pixel
tufus:/home/pixel# ls -l
total 4
drwx------ 15 pixel gebruikers 1024 Dec  1 14:25 Maildir
```

Configs of imapd and imapd-ssl are all default.

I think when I run authtest I should see my Maildir? I don't know why it doesn't do that?

It used to work, but after making that smtp server, I did an apt upgrade, a new version of imap was out, installed that and it broke. So I think by installing that, a service got restarted and a new config got loaded? Any hints?

@sweh:

> Where were you trying to smtp from? Some home DSL/cable/whatever providers block outgoing port 25 connections (to stop spam). So in your testing make sure you're not testing from a blocked network :-)

Now I'm reading that message! :roll: That was the case indeed.

Found this bug. The post is dated yesterday, and I'm also running unstable, so I guess I'm running the same version. But I don't understand the solution? Edit: the solution is in the attachment. You have to edit the source code. I will try installing an older version.

EDIT: Installed the testing version of imap and everything is working again now. When I have time, I'm going to set up a new config with stable. Lost too much time with this problem. Used unstable about 2 years, but the things running on my server are getting more serious, and my free time is shrinking :evil:

EDIT2: If other people are interested, I sent an email to the author of the bug report, and I got an interesting reply:

> Both uid and gid are checked. Change the group to correspond to the user's group, and you'll be fine.
>
> I suspect that, up until Friday, debian sid's courier-imap didn't check gid, but only checked uid.
>
> Kinda fascistic, but the message says both uid and gid are checked. As such, it's a policy question not a bug per se.
>
> It's worth noting that you can chase down the problem readily by running imap directly, as the user (it uses preauthentication mode, and as such immediately recognizes you as the user when run directly):
>
>     /usr/bin/imapd
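The Courier-IMAP error in the telnet session above ("mailbox directory is not owned by the correct uid or gid") is the check the bug report author describes: the Maildir was owned by the right user but carried a group other than the user's primary group. As an added example (not from the thread or courier-imap itself), the Python below performs the same uid and gid comparison, plus the 0700 mode the `ls -l` output shows, with the passwd and stat lookups injectable so the constructed cases in `demo()` run without a real mailbox.

```python
import os
import pwd
import stat

def maildir_ownership_problems(path, username, do_stat=os.stat, getpwnam=pwd.getpwnam):
    """Return a list of findings; an empty list means the Maildir would pass the check."""
    pw = getpwnam(username)
    st = do_stat(path)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_uid != pw.pw_uid:
        problems.append("owner uid %d but %s has uid %d" % (st.st_uid, username, pw.pw_uid))
    # The gid comparison is the one that started failing for the poster: right owner,
    # wrong group, because Courier compares against the user's primary group from passwd.
    if st.st_gid != pw.pw_gid:
        problems.append("group gid %d but %s's primary gid is %d (fix: chgrp %d %s)"
                        % (st.st_gid, username, pw.pw_gid, pw.pw_gid, path))
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("mode %o grants group/other access; mail should be 0700"
                        % stat.S_IMODE(st.st_mode))
    return problems

def demo():
    """Constructed passwd entry and stat results (no real filesystem access)."""
    from types import SimpleNamespace
    pixel = lambda name: SimpleNamespace(pw_name=name, pw_uid=1001, pw_gid=1001)
    owned_ok = lambda p: SimpleNamespace(st_mode=0o040700, st_uid=1001, st_gid=1001)
    # Same owner, but the directory belongs to a different group, as in the thread.
    wrong_group = lambda p: SimpleNamespace(st_mode=0o040700, st_uid=1001, st_gid=100)
    return (maildir_ownership_problems("/home/pixel/Maildir", "pixel", owned_ok, pixel),
            maildir_ownership_problems("/home/pixel/Maildir", "pixel", wrong_group, pixel))
```

With the default arguments the function inspects the real Maildir, so `maildir_ownership_problems("/home/pixel/Maildir", "pixel")` run as root reports the same mismatch the server logged.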

Good to know that everything is working.

This is a lesson not to use unstable on a production server.

It is called unstable for a reason.

Enjoy using the server.

@tofu:

> Found this bug. The post is dated yesterday, and I'm also running unstable, so I guess I'm running the same version. But I don't understand the solution? Edit: the solution is in the attachment. You have to edit the source code. I will try installing an older version.
>
> EDIT: Installed the testing version of imap and everything is working again now. When I have time, I'm going to set up a new config with stable. Lost too much time with this problem. Used unstable about 2 years, but the things running on my server are getting more serious, and my free time is shrinking :evil:
>
> EDIT2: If other people are interested, I sent an email to the author of the bug report, and I got an interesting reply:
>
> > Both uid and gid are checked. Change the group to correspond to the user's group, and you'll be fine.
> >
> > I suspect that, up until Friday, debian sid's courier-imap didn't check gid, but only checked uid.
> >
> > Kinda fascistic, but the message says both uid and gid are checked. As such, it's a policy question not a bug per se.
> >
> > It's worth noting that you can chase down the problem readily by running imap directly, as the user (it uses preauthentication mode, and as such immediately recognizes you as the user when run directly):
> >
> >     /usr/bin/imapd

:lol: :lol: :D

@mdavid8421:

> This is a lesson not to use unstable on a production server.

This month I rent 2 Linodes now, so I'm installing the second with stable now. When that's done, I can convert my files. With the new convert disk image tool I can prepare my new server without the current server going down :P

I see that there are some updates in your tutorial, good work!

@tofu:

> Found this bug. The post is dated yesterday, and I'm also running unstable, so I guess I'm running the same version. But I don't understand the solution? Edit: the solution is in the attachment. You have to edit the source code. I will try installing an older version.

Erm no you don't want to do that, just wait for the package author to release a fixed version.

Besides, you should be using the BTS instead of browsing Google Groups :P

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454759
