Saturday, January 29, 2022

SSH


configuration on server side

in /etc/ssh/sshd_config:
  • AllowGroups   wheel   (only members of wheel may log in at all)
  • PasswordAuthentication no
  • AuthenticationMethods publickey
  • PermitRootLogin no

sshd keeps the first value it reads for a keyword, so make sure no earlier line (or included file) already sets PasswordAuthentication yes. Check the file with "sshd -t" and restart sshd from a session you keep open, so a typo cannot lock you out.
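The "first value wins" rule is easy to trip over when a hardening block is appended to an existing file. The script below is an added example (not part of the original notes or of OpenSSH) that reads an sshd_config the way sshd does for these four directives and reports the effective value of each; the two sample configs are constructed for the demonstration, and it assumes the "Keyword value" spelling rather than "Keyword=value".

```shell
#!/bin/sh
# Added example, not from the original notes: check the effective value of the
# four hardening directives in an sshd_config. sshd keeps the FIRST value it
# reads for a keyword, so a "PasswordAuthentication no" placed after an earlier
# "PasswordAuthentication yes" does nothing; this check applies the same rule.
# Keywords are matched case-insensitively; comment lines are skipped and the
# scan stops at the first Match block (whose settings are conditional).
# Assumption: the "Keyword value" spelling, not "Keyword=value".

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> 0 if every directive has the hardened value,
# 1 otherwise (each deviation is printed)
check_sshd_config() {
    conf=$1
    rc=0
    for pair in PasswordAuthentication=no AuthenticationMethods=publickey \
                PermitRootLogin=no AllowGroups=wheel; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: effective value '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs: the first looks hardened at a glance, but the
# earlier "yes" wins; the second is correct.
cat > /tmp/sshd-weak.conf <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
# hardening block appended later
PasswordAuthentication no
AuthenticationMethods publickey
AllowGroups wheel
EOF

cat > /tmp/sshd-good.conf <<'EOF'
AllowGroups wheel
PasswordAuthentication no
AuthenticationMethods publickey
PermitRootLogin no
EOF

check_sshd_config /tmp/sshd-weak.conf || echo "weak config rejected"
check_sshd_config /tmp/sshd-good.conf && echo "good config accepted"
```

Run it against the live file with check_sshd_config /etc/ssh/sshd_config. It only reads values, so "sshd -t -f /etc/ssh/sshd_config" is still needed to catch syntax errors, and "sshd -T" (as root) prints the complete effective configuration, defaults included, if you want to confirm the result against sshd itself.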

access server

put your public key into ~/.ssh/authorized_keys on the server, then connect with the matching private key from your computer. with StrictModes (on by default) sshd ignores the key file if ~/.ssh or authorized_keys is writable by anyone else, so keep them at mode 700 and 600 and owned by the user.

SSH2_MSG_KEX_ECDH_REPLY

if the connection hangs or drops with "expecting SSH2_MSG_KEX_ECDH_REPLY" (run ssh -v to see where the handshake stalls), try
  • KexAlgorithms
    • ssh -oKexAlgorithms=ecdh-sha2-nistp521 server
    • KexAlgorithms ecdh-sha2-nistp521 in ~/.ssh/config
    • see link for detail and Key Exchange Method for background
  • MTU
    • the KEX reply (host key plus signature) is the first large packet of the session; if the path drops fragments it never arrives, so lower the MTU on the client interface. see link for background
    • ip link set dev <interface> mtu 1200

Tuesday, January 25, 2022

opensmtpd

Installation

  • pacman -S opensmtpd opensmtpd-filter-dkimsign

Basic concept

mailbox

the opensmtpd action (mbox, maildir or lmtp) decides where mail is stored, not dovecot. with the mbox action, mail.local writes to /var/mail/<user>, and dovecot's mail_location has to point at the same place so it can read what smtpd delivered.

dkim

dkim signs outgoing mail with a private key; the matching public key is published in DNS so receivers can verify the signature (the private key itself never leaves the server). the selector is a name you choose, and the public key lives in a TXT record at <selector>._domainkey.<domain>.
see smtpd.conf on how to use opensmtpd-filter-dkimsign to sign mail. dkimproxy could also be used but has no official or AUR package in Archlinux.
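Generating the key pair and the DNS record is the part that usually goes wrong, so here is an added example (not from the original notes and not part of opensmtpd-filter-dkimsign) that creates the signing key and prints the TXT record for a chosen selector. It assumes openssl and base64 are installed; the selector "2022a", the key path and the domain are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes or of opensmtpd-filter-dkimsign:
# create a DKIM signing key and the DNS TXT record that publishes its public
# half under <selector>._domainkey.<domain>. Assumes openssl and base64 are
# installed; selector, domain and key path are placeholders you choose.

# dkim_keygen KEYFILE BITS -> writes a PEM RSA private key to KEYFILE
dkim_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" -out "$1" 2>/dev/null
    chmod 600 "$1"   # only the signing filter should be able to read it
}

# dkim_pubkey KEYFILE -> the public key as one line of base64 DER (the p= value)
dkim_pubkey() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | base64 | tr -d '\n'
}

# dkim_txt_record SELECTOR DOMAIN KEYFILE -> zone-file line for the record.
# A single TXT string is limited to 255 bytes and the p= value of a 2048-bit
# key alone is 392 characters, so the value is split into quoted 255-byte
# chunks; resolvers and DKIM verifiers concatenate them.
dkim_txt_record() {
    value="v=DKIM1; k=rsa; p=$(dkim_pubkey "$3")"
    printf '%s._domainkey.%s. IN TXT ' "$1" "$2"
    printf '%s' "$value" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' '
    echo
}

# Demo with constructed names: selector "2022a", domain hongy19.net.
dkim_keygen /tmp/dkim-demo.key 2048
dkim_txt_record 2022a hongy19.net /tmp/dkim-demo.key
```

Point the filter at the same selector, domain and key in smtpd.conf (filter-dkimsign takes -d domain, -s selector and -k keyfile; check the package README for the binary path and the user it runs as, since that user must be able to read the key). After publishing, confirm with dig +short TXT 2022a._domainkey.hongy19.net that the record resolves before sending mail, because a missing or truncated p= makes every signature fail verification.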

MAIL FROM and FROM

MAIL FROM is the envelope sender and is written into the Return-Path header on delivery. "senders <users>" on the listen line in smtpd.conf maps the authenticated user to the addresses it may send from, for example hongy19 -> hongy19@hongy19.net; mail with any other MAIL FROM is rejected.
From is a header inside the message data, not part of the envelope, and SMTP itself does not check it; Mutt (or any client) can set it freely. adding "masquerade" to "senders <users>" makes smtpd rewrite the From header to the mapped address, for example hongy19 -> hongy19@hongy19.net.

action and match

"When mail arrives, each “RCPT TO:” command generates a mail envelope. If an envelope matches any of a pre-designated set of criteria (using the match directive), the message is accepted for delivery. A copy of the message, as well as its associated envelopes, is saved in the mail queue and later dispatched according to an associated set of actions (using the action directive). If an envelope does not match any options, it is rejected. The match rules are evaluated sequentially, with the first match winning." according to smtpd.conf
for outgoing mail (an action that relays), match only authenticated sessions ("match auth ... action <relay action>"); a relay rule that matches "from any" without auth turns the server into an open relay, and it will forward spam for anyone.
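Because the match rules are evaluated in order and a relay rule without auth is a silent failure (mail still flows, just for everyone), it is worth checking the file mechanically. The script below is an added example, not part of OpenSMTPD or the original notes: it lists every match rule that routes to a relay action without a bare "auth" keyword. It only recognises "auth" as the safe condition, so a default-style "match from local for any action outbound" is flagged too and needs a human look; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of OpenSMTPD or the original notes: flag match rules
# in an smtpd.conf that hand mail to a relay action without requiring SMTP
# authentication, which is what turns the server into an open relay.
# Assumes the  action "name" relay ...  and  match ... action "name"  syntax;
# "auth" and "auth <table>" count as authenticated, "!auth" does not, and
# "from local" rules are reported for manual review.

# relay_actions FILE -> names of all actions declared with the relay method
relay_actions() {
    awk '$1 == "action" && $3 == "relay" { gsub(/"/, "", $2); print $2 }' "$1"
}

# open_relay_rules FILE -> prints each offending match rule; returns 0 when
# none is found, 1 otherwise
open_relay_rules() {
    conf=$1
    status=0
    for name in $(relay_actions "$conf"); do
        rules=$(grep -E "^[[:space:]]*match[[:space:]].*action[[:space:]]+\"$name\"" "$conf" \
                | grep -Ev '(^|[[:space:]])auth([[:space:]]|$)' || true)
        if [ -n "$rules" ]; then
            printf 'unauthenticated relay via action "%s":\n%s\n' "$name" "$rules"
            status=1
        fi
    done
    return $status
}

# Constructed configs: the first relays for anyone, the second only for
# authenticated sessions.
cat > /tmp/smtpd-open.conf <<'EOF'
action "local" mbox
action "outbound" relay
match from any for domain "hongy19.net" action "local"
match from any for any action "outbound"
EOF

cat > /tmp/smtpd-fixed.conf <<'EOF'
action "local" mbox
action "outbound" relay
match from any for domain "hongy19.net" action "local"
match auth from any for any action "outbound"
EOF

open_relay_rules /tmp/smtpd-open.conf  || echo "open relay: fix before exposing port 25"
open_relay_rules /tmp/smtpd-fixed.conf && echo "relay requires authentication"
```

Run open_relay_rules /etc/smtpd.conf after every edit, and still validate the syntax with "smtpd -n" before restarting, since the check only reads the rules.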

Checking queue

  • smtpctl show queue

Friday, January 21, 2022

New vultr system

Archlinux install

  • install pacman-mirrorlist
  • install ntp. systemctl enable/start ntpd.service
  • set timezone: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  • locale: uncomment "en_US.UTF-8 UTF-8" in /etc/locale.gen, run "locale-gen", then set LANG=en_US.UTF-8 in /etc/locale.conf
  • network configuration
    • ip addr -> enp1s0
    • /etc/systemd/network/20-wired.network
    • systemctl enable/start systemd-networkd
  • add user
    • useradd --create-home --groups wheel <yourusername>
  • preset all systemctl units
    • systemctl preset-all (enables/disables units according to /etc/systemd/system-preset)
  • install yay for AUR packages

SSH

  • install fail2ban sshguard
  • copy old fail2ban configuration file
  • install openssh
  • update /etc/ssh/sshd_config
    • PasswordAuthentication no
    • AuthenticationMethods publickey
  • copy public key into /home/user/.ssh/authorized_keys (owned by the user, directory 700, file 600, or sshd will ignore it)

certbot

Nginx

  • install nginx
    • copy old configuration
    • firewall setting with iptables
  • install uwsgi uwsgi-plugin-python
    • copy old configuration
    • use emperor mode and put all *.ini in /etc/uwsgi/vassals
    • sudo systemctl enable uwsgi@emperor.service --now
  • for my application
    • pymoney: python-flask-httpauth python-flask python-matplotlib
    • pyblog:  python-google-api-python-client python-iso8601

Dovecot

  • install dovecot
  • copy old configuration file
  • firewall setting with iptables
  • certification need to be ready with certbot

opensmtpd

  • install s-nail, mutt
  • install opensmtpd
  • install opensmtpd-filter-dkimsign
    • see link, link1, link2
    • dkimproxy is no longer packaged for Archlinux, and port 10027 doesn't work (link)
  • copy old configuration
  • firewall setting with iptables
  • certification need to be ready with certbot
  • port 25 is blocked by default on vultr to limit spam; open a support ticket to have it unblocked. until then outgoing mail fails with "Network error on destination MXs", see link

Archlinuxcn

  • add archlinuxcn in pacman.conf, see link
  • install archlinuxcn-keyring, otherwise you will see "signature from "xxx <xxx@build.archlinuxcn.org>" is unknown trust ", see link.