Ian Murdock

Image by Stephen Shankland

Today news arrived that broke my heart: Ian Murdock has passed away. I never met Ian, but he had an enormous impact on my life through his work.

Debian has been my operating system of choice for many years now, it runs on all of my servers and my home computers. Ian’s vision for the operating system is why I started using it and use it to this day. It’s why I’ve continued to work on the operating system and create packages of all of my work for it.

Ian is, without a doubt, one of the biggest influences on my career and on my life.

Farewell sir, you will be missed.

This is really a follow-up to an article I wrote earlier this year, but with some modifications it applies to any similar set-up. The only configuration requirement is that mail for all users is stored in the same place on the filesystem, rather than in separate locations such as each user having their own ~/.Maildir.

EncFS

sudo apt-get install encfs

Once installed, you’ll need to make directories for the encrypted and decrypted mail to live in.

sudo mkdir /var/mail/encrypted /var/mail/decrypted

You’ll need to set up permissions so your mail user can access the fuse device and the new directories. Note that /dev/fuse is created by udev, so ownership and mode set by hand on the device node do not survive a reboot; if you need them, put them in a udev rule instead.

For me, this user and group are called vmail but yours may be different.

sudo chgrp mail /var/mail/decrypted
sudo chmod g+rw /var/mail/decrypted
# -a (append) is only valid together with -G; "usermod -a -g" is rejected
sudo usermod -a -G fuse vmail
sudo chgrp fuse /dev/fuse
sudo chmod g+rw /dev/fuse

Next …

This mail platform does use a fair amount of memory; most of it goes to ClamAV and Solr, the latter being used for IMAP SEARCH. I personally use 2 GB.

I’ll warn you all now, this is a long article.

SSL

sudo openssl genrsa -out /etc/ssl/private/mail.key 4096
sudo openssl req -new -key /etc/ssl/private/mail.key -out /tmp/mail.csr
sudo openssl x509 -req -days 365 -in /tmp/mail.csr -signkey /etc/ssl/private/mail.key -out /etc/ssl/certs/mail.crt
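The same three steps, as an added example that is not from the original post, wrapped in a shell function that runs non-interactively and adds the checks a practitioner wants: the key is created under umask 077 and ends up 0600, -sha256 is passed explicitly because OpenSSL 1.0.x otherwise signs with SHA-1, a subjectAltName is added because clients match the SAN rather than the CN, and helper functions confirm that the certificate and key belong together. The directory, hostname and the 2048-bit key size (the post uses 4096) are parameters chosen for the example; it needs only the openssl binary and writes its own minimal req config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate for a mail host.
# gen_mail_cert <dir> <hostname> [days]   (dir and hostname are example parameters)
gen_mail_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # umask 077 so the private key is never created world-readable
    ( umask 077 && openssl genrsa -out "$dir/mail.key" 2048 2>/dev/null ) || return 1
    # minimal req config: -subj supplies the DN, but req still wants a
    # distinguished_name section to exist, so we do not rely on openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/mail.key" \
        -subj "/CN=$host" -out "$dir/mail.csr" 2>/dev/null || return 1
    # extensions for the self-signed cert; x509 -req reads the file's default section
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$host" > "$dir/mail.ext"
    openssl x509 -req -sha256 -days "$days" -in "$dir/mail.csr" \
        -signkey "$dir/mail.key" -extfile "$dir/mail.ext" \
        -out "$dir/mail.crt" 2>/dev/null || return 1
    chmod 600 "$dir/mail.key" && chmod 644 "$dir/mail.crt"
}

# Checks to run before pointing Postfix or Dovecot at the files.
cert_has_san() {        # cert_has_san <crt> <hostname>
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
cert_matches_key() {    # cert_matches_key <crt> <key>: same RSA modulus?
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
key_is_private() {      # key_is_private <key>: no group or other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Postfix and Dovecot read the key as root before dropping privileges, so the 0600 mode is all they need; keep it that way. A self-signed certificate is fine for a server only you use, but every client will warn until it pins this certificate, so a CA-issued one is preferable once other people connect.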

MySQL

sudo apt-get install mysql-server

You’ll be prompted several times for a password for MySQL during the installation, just come up with something nice and secure.

The first thing to set-up will be the MySQL database and schema.

mysql -u root -p

Next up, create the database.

CREATE DATABASE mailserver CHARACTER SET utf8 COLLATE utf8_general_ci;

And grant some privileges, you’ll need …

Changes

This patched version is built with the USE_ZLIB option, allowing compression to be used, or haproxy to act as a compression offloader.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2; you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against OpenSSL, which provides NPN support, allowing haproxy to terminate SSL/TLS and negotiate SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1 …

Requirements

  • bash-completion 1:2.0

Downloads

These versions are available on apt.kura.io or as a manual download, from the links below.

MD5

1dcb73ca965b3731df20823a6005392c  vagrant-bash-completion-0.0.6.deb
db494d0bf1b3dcdbcce5b0111ad377a0  go-bash-completion-0.0.1.deb

SHA1

ed6890fdd08ac459a0f61112fcfb48f9e3ce953d  vagrant-bash-completion-0.0.6.deb
fd92cd53f2d6ff98077cb10d3578381025d002e7  go-bash-completion-0.0.1.deb

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2; you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

This haproxy build is compiled against OpenSSL, which provides NPN support, allowing haproxy to terminate SSL/TLS and negotiate SPDY/2 and SPDY/3.

This version is available on apt.kura.io or as a manual download, from the link below.

Manual download

haproxy_1.5-dev22_amd64.deb

MD5

1d258aaf1592ac5d6cb34e495e283591  haproxy_1.5-dev22_amd64.deb

SHA1

f17cb661d2ceb1686a0a4b8566168503a0d372d9  haproxy_1.5-dev22_amd64.deb
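Verifying a download against lists like the ones above (and the MD5/SHA1 lists for the other packages on this page) is the point of publishing them, so here is an added example, not from the original post, in POSIX shell: it looks a file up by name in an MD5, SHA1 or SHA256 list of the "digest  filename" form, picks the hashing tool from the digest length and compares. The function names are this example's own and the list and file contents in the test are constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against a published digest list.

# digest_tool <hex>: pick the hashing tool from the digest's length
digest_tool() {
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# expected_digest <listfile> <filename>: the hex listed for <filename>
# in a "<hex>  <filename>" list such as the ones above (empty if absent)
expected_digest() {
    awk -v f="$2" '$2 == f { print tolower($1); exit }' "$1"
}

# verify_file <file> <expected-hex>: 0 if the digest matches, 1 if not,
# 2 if the expected value is not a recognised digest length
verify_file() {
    tool=$(digest_tool "$2") || return 2
    actual=$("$tool" "$1" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# verify_against_list <listfile> <file>: look the file up by its basename
verify_against_list() {
    expected=$(expected_digest "$1" "$(basename "$2")")
    [ -n "$expected" ] || { echo "no digest listed for $2" >&2; return 2; }
    verify_file "$2" "$expected"
}
```

Two caveats a practitioner would add: a digest published on the same page as the download only detects corruption, since whoever can swap the .deb can swap the digest, so a signature (the GPG column in the nginx 1.4.1 post further down, or a signed apt repository) is the check that matters; and MD5 and SHA-1 are both collision-broken, so prefer a SHA-256 value where one is published.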

I have built and released nginx 1.5.10 with SPDY 3.1. Like the nginx 1.5.9 release, this release comes with ngx_pagespeed 1.7.30.3-beta and is available on apt.kura.io or as downloads below.

MD5

9fe2e5273cc195161268f7d85261c4e2  nginx_1.5.10_all.deb
edc55aa4866036eade02cd49957a9126  nginx-common_1.5.10_all.deb
0361cdb3d00ac6e65c5e9d6167ba0d36  nginx-doc_1.5.10_all.deb
833264c08fc6212f55ae37c26bd5cbc5  nginx-light_1.5.10_amd64.deb
c5c1ffa0dd93673ac4a859a11d1b3b50  nginx-full_1.5.10_amd64.deb
245d7628f143a6116ceb30c707264737  nginx-extras_1.5.10_amd64.deb
dc404a346db86006672b5a6f8b016402  nginx-naxsi_1.5.10_amd64.deb
ad3b7cf166752c2a8017bba8f6810496  nginx-naxsi-ui_1.5.10_all.deb
cdb47100b4fef09bb8a8e414cd48554e  nginx-light-dbg_1.5.10_amd64.deb
1ee2067aef2e1fcbc559dfdf9b8269ad  nginx-full-dbg_1.5.10_amd64.deb
9f528d80802dd6a78d85b8558e65f650  nginx-extras-dbg_1.5.10_amd64.deb
324dbf6afdff615d7c2bbe367f73bd1f  nginx-naxsi-dbg_1.5.10_amd64 …

I have built and released nginx 1.5.9 with ngx_pagespeed module 1.7.30.3-beta and published them on apt.kura.io.

MD5

e3595519df9865941f0bd5c2c28bba18  nginx_1.5.9_all.deb
b2f3e4dcded2ce419175be8f4329b81e  nginx-common_1.5.9_all.deb
379ea6ad2805f3584609617deb5d1db9  nginx-doc_1.5.9_all.deb
140247350a651b24bde7278ce1f18148  nginx-light_1.5.9_amd64.deb
0a28a4965f00a5e739187aa81a16af3f  nginx-full_1.5.9_amd64.deb
e54ab6b670cfe7d56502ef08b6e2656f  nginx-extras_1.5.9_amd64.deb
9bb9b524c523a69f9f263eefbe5f5783  nginx-naxsi_1.5.9_amd64.deb
7b8e254515d3b6f90b8e55c720d314b8  nginx-naxsi-ui_1.5.9_all.deb
389b8b53360695d5fbbff183a3e94c4a  nginx-light-dbg_1.5.9_amd64.deb
b8b44d1519cb59761984bc06159aee85  nginx-full-dbg_1.5.9_amd64.deb
c8139d0abb8a04b22507342a80e6f5ea  nginx-naxsi-dbg_1.5.9_amd64.deb
76466c2c427e7263b3629b413ebd49a6  nginx-extras-dbg_1.5.9_amd64.deb

SHA1

cc1e71b89c30de80083e55acb4b4cebc0f5f1fd7  nginx_1.5.9_all.deb
07d2bb7bdb038f5491b8707a56dafbf0a10a1b74  nginx-common_1.5.9_all.deb
ba0921fc31ae539fba175ab4392b3bc691593047  nginx-doc_1.5.9_all …

I have previously released haproxy 1.5-dev19 with SSL & SPDY support enabled and nginx 1.4.1 with SPDY support and pagespeed, although I do not remember which version of pagespeed.

I have received a few messages asking me for the latest version of haproxy, nginx and pagespeed so I decided to finally build and release them.

Requirements

haproxy requires openssl-1.0.1d or higher.

On a standard Debian 7 install you should have openssl-1.0.1e-2; you can find which version you have by running

dpkg -l openssl

This should return something similar to

ii  openssl        1.0.1e-2        amd64        Secure Socket Layer (SSL) binary and related cryptographic tools

Build notes

Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.

haproxy

This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy …

I wrote an article last week explaining that I had changed my blog and built my own nginx packages with SPDY built in.

I decided I would take things a little further and poke around with haproxy some more. The initial plan was to compile the latest dev source of haproxy with SSL termination enabled.

In doing so I realised I would lose SPDY support, which upset me a little. After some digging I found that the 1.5-dev branch of haproxy supports npn and thus can handle SPDY.

I tweaked my builds a little more and managed to get haproxy running as an SSL-terminating load balancer, with SPDY connections sent to my nginx servers with SPDY enabled and all other non-SPDY connections passed to an nginx virtual host with SPDY disabled.

Requirements

I have released my haproxy build as a debian file below …

I decided to rebuild syslog.tv as pure HTML using RST and Pelican and rebrand it as kura.io.

In doing so I decided I would go all out and use SPDY and ngx_pagespeed (mod_pagespeed) for fun to see exactly what I could do.

Sadly no version of nginx has been officially released with SPDY or ngx_pagespeed enabled, but you can compile nginx from source to enable SPDY, so I thought I would go ahead and do it, releasing some Debian packages in the process.

After compiling nginx from the source package available at the Ubuntu PPA, I decided I would go further and compile in ngx_pagespeed.

Installing

I have released the 4 required debian packages below (please note they are only available for amd64);

FILE                         GPG          MD5          SHA1
nginx_1.4.1_all.deb          owGMl1NwLw…  42f790a1f6…  f4495055e9…
nginx-common_1.4.1_all.deb   owGMt1NwJU…  ca4ec5688d…  633bfc2eaa…
nginx-full_1.4.1_amd64.deb   owG09ndUk1…  4776dc6c7f…  0e4e124acc…
nginx-doc_1 …

I have several servers powering syslog, including its Raspberry Pi mirror, load balancer and email servers. All of my servers are hosted with Linode in their London data centre and use Linode’s backup system for both daily and weekly snapshots.

For the app and database servers I also do server-side backups, storing each website and its database in its own folder within /backup, in case I need a quick restore to fix something rather than because the server has died.

This is all well and good, but I like having an off-site backup too, and for that I use S3.

About S3

Amazon’s S3 is pretty cheap and very easy to use. Because data is only going in, you don’t pay a transfer fee, and the cost of storage is very affordable; you can see a pricing list here.

To do the backup I use a …

The unattended-upgrades package used on Debian is based on the one from Ubuntu. It is generally pretty safe in my opinion but I only ever enable it for security upgrades.

Installation

apt-get install unattended-upgrades apticron

unattended-upgrades handles the actual updates; apticron emails you about available updates. It is not required, but I like it.

Configuring unattended-upgrades

Open up /etc/apt/apt.conf.d/50unattended-upgrades and change it to the content below.

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Mail "**YOUR_EMAIL_HERE**";

// Automatically upgrade packages from these (origin, archive) pairs.
// Note: on Debian the security archive is published with Suite "stable"
// and Label "Debian-Security", so the "${distro_id} stable" pattern is
// what matches security updates here, and it also matches stable
// point-release updates; "${distro_codename}-security" is Ubuntu's
// suite naming and matches nothing on Debian.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} stable";
    "${distro_id} ${distro_codename}-security";
};

// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

So let’s explain the above. As you can see we enable periodic updates, enable update package lists (which triggers an apt-get update), enable autoclean …

Installation

To install we need to run the following command:

sudo apt-get install -y sks

Now we build the key database:

sudo sks build

And change the permissions for the sks user:

sudo chown -R debian-sks:debian-sks /var/lib/sks/DB

Next we need to make sks start from init. Open up /etc/default/sks in your favourite editor and change initstart to look like below:

initstart=yes

Now we can start the service with:

sudo /etc/init.d/sks start

Your keyserver will now be up and running on port 11371.

Web interface

We’ll need to create a web folder within sks with the following command:

sudo mkdir -p /var/lib/sks/www/

Change its permissions so the sks user can access it.

sudo chown -R debian-sks:debian-sks /var/lib/sks/www

And finally we need create a single HTML file for the interface, I have provided that …

Installation

First up we’ll need to install git and some Python tools to get Gitosis installed.

sudo apt-get install -y git-core gitweb python-setuptools

Next we have to clone gitosis from its git repository and install it. Note that git:// is an unauthenticated and unencrypted transport, so nothing here verifies what you fetched before setup.py runs it as root; check the commit you are about to build against a reference you trust.

cd /tmp
git clone git://eagain.net/gitosis.git
cd gitosis
sudo python setup.py install

Adding your git user

sudo adduser --system --shell /bin/sh --gecos 'git version control' --group --disabled-password --home /home/git git

The above command creates a new system user with /bin/sh as its shell, no password and a home directory of /home/git/, and also creates a group with the same name.

Initialising gitosis

You’ll need an SSH key for this, if you have one simply copy the contents of it to your new git server, if you do not have one then you can generate one on your machine using

ssh-keygen

And then …

A simple yet effective method of protecting your mail server from spam is greylisting. In simple terms, when an email is received the server temporarily rejects it with a 450 (try again later) response; the sending server should then retry delivery later, and once enough time has passed the receiving server accepts the mail and whitelists the sender for a period of time.

This is effective because most spam-sending hosts are not configured to retry delivery, whereas real mail servers generally will. Sadly it does not protect against spam sent from compromised mail servers or accounts, for example on Hotmail.com.

Installation

sudo apt-get install postgrey

Configuring Postgrey

By default Postgrey runs on 127.0.0.1:60000, which is the local loopback interface so it is not exposed to the …
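The decision described above, as an added example that is not Postgrey's code: a POSIX-shell model of the greylisting check keyed on the (client, sender, recipient) triplet, with the current time passed in as a parameter so the retry behaviour can be exercised without waiting. It copies two Postgrey defaults, a 300-second delay and keying on the client's /24 rather than the exact address, and answers the way a Postfix policy service does: DEFER_IF_PERMIT (which Postfix turns into the 450 above) or DUNNO to let the remaining restrictions decide. The state file format and the function names are this example's own, and expiry of old entries is not modelled.

```shell
#!/bin/sh
# Added example: a model of the greylisting decision, not Postgrey itself.
# State file lines: "<client_net>/<sender>/<recipient> <first_seen_epoch>"
GREYLIST_DELAY=${GREYLIST_DELAY:-300}   # Postgrey's default --delay, in seconds

# Postgrey's --lookup-by-subnet default: key on the client's /24 so a retry
# from another outbound MX in the same subnet still counts as a retry.
client_key() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { print $1 "." $2 "." $3 ".0/24"; next } { print }'
}

# greylist_check <state-file> <client-ip> <sender> <recipient> <now-epoch>
# Prints the policy answer; returns 0 when the mail may proceed, 1 when deferred.
greylist_check() {
    state=$1; now=$5
    sender=$(printf '%s' "$3" | tr 'A-Z' 'a-z')   # addresses compare case-insensitively
    rcpt=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    triplet="$(client_key "$2")/$sender/$rcpt"
    [ -f "$state" ] || : > "$state"
    first=$(awk -v t="$triplet" '$1 == t { print $2; exit }' "$state")
    if [ -z "$first" ]; then
        # never seen: record the triplet and ask the client to come back later
        printf '%s %s\n' "$triplet" "$now" >> "$state"
        echo "DEFER_IF_PERMIT Greylisted, try again later"
        return 1
    fi
    if [ $((now - first)) -lt "$GREYLIST_DELAY" ]; then
        # retried too soon (a bot hammering, or an eager MTA): keep deferring
        echo "DEFER_IF_PERMIT Greylisted, try again later"
        return 1
    fi
    echo "DUNNO"   # retried after the delay; hand over to the next restriction
    return 0
}
```

Whatever port the real daemon listens on (60000 is the upstream default, but Debian's and Ubuntu's /etc/default/postgrey start it with --inet=10023), make sure the policy service runs only on the loopback interface: anyone who can reach it can poison or exhaust the greylist database.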

I have created scripts that handle these tasks for you, available here.

First we need to create a sources list specifically for security updates. Two things bite in the obvious one-liner: a pattern beginning with a dash must be given with -e or grep reads it as options, and a > redirection after sudo is performed by your unprivileged shell, so write the file with sudo tee instead.

grep -e "-security" /etc/apt/sources.list | grep -v "^#" | sudo tee /etc/apt/security.sources.list > /dev/null

Now that this is done we can simply continue to use the command below to trigger security-only upgrades

sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

Note

This will work until you upgrade your distro (e.g. 10.04 -> 12.04), at which point you will need to re-run the first command to regenerate the security.sources.list file.
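The procedure above as one script, added here as an example rather than the author's own scripts: a function that derives the security-only list from a sources.list (matching Ubuntu's codename-security suites and Debian's security.debian.org lines, skipping comments and deb-src), and a wrapper that installs it and runs the update and upgrade against it alone. Two apt options beyond the post are assumed to be what you want: Dir::Etc::SourceParts pointed at a directory that does not exist, so /etc/apt/sources.list.d (PPAs, third-party repositories) is not consulted for this run, and APT::Get::List-Cleanup=0 so the restricted update does not delete the package lists of your other sources. The constructed sources.list in the test is example data.

```shell
#!/bin/sh
# Added example: security-only upgrades from a derived sources list.

# security_sources <sources.list>: print the uncommented "deb" lines that
# point at a security suite. deb-src lines are dropped; upgrade never needs them.
security_sources() {
    grep -E '^[[:space:]]*deb[[:space:]]' "$1" \
    | grep -E -e '[[:space:]][^[:space:]]+-security([[:space:]]|$)' \
              -e '[[:space:]]https?://security\.debian\.org/'
}

# security_upgrade: write the list (root needed) and upgrade from it alone.
security_upgrade() {
    list=/etc/apt/security.sources.list
    security_sources /etc/apt/sources.list | sudo tee "$list" > /dev/null
    # SourceParts=/nonexistent: ignore sources.list.d for this run.
    # List-Cleanup=0: do not throw away the package lists of the other sources.
    sudo apt-get update  -o Dir::Etc::SourceList="$list" \
                         -o Dir::Etc::SourceParts=/nonexistent \
                         -o APT::Get::List-Cleanup=0
    sudo apt-get upgrade -o Dir::Etc::SourceList="$list" \
                         -o Dir::Etc::SourceParts=/nonexistent
}
```

Re-run security_sources after a release upgrade, as the note above says, since the suite names in the derived list are release-specific.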

This is part 3 of my guide to getting a mail server configured with all the sexy bits to improve deliverability, spam and virus protection.

You can view part 1 here and part 2 here.

The key pair

We need to create a key pair to sign emails with:

# 1024 bits was the usual DKIM key size at the time; RFC 8301 now requires
# at least 1024 and recommends 2048-bit keys
openssl genrsa -out private.key 1024
openssl rsa -in private.key -out public.key -pubout -outform PEM
sudo mkdir /etc/dk/
sudo cp private.key /etc/dk/dk.key

Now we can move on to DK and DKIM signing, make sure you keep the public key for later.

DKIM

First we’ll need to install an application to sign our emails.

sudo apt-get install dkim-filter

Once installed we need to configure it, open up /etc/default/dkim-filter, modify the file to look like below replacing <DOMAIN> with the domain you want to sign email from.

DAEMON_OPTS="-l -o X-DomainKeys …

This is part 2 of my series on mail servers on Debian 6/Ubuntu 10.04, it should work on other versions of each though. Part 1 is available here.

SpamAssassin

First off we’ll get SpamAssassin installed and configured.

sudo apt-get install spamassassin

We’ll be configuring SpamAssassin as a daemon that Postfix interfaces with using spamc.

SpamAssassin on Debian and Ubuntu runs as root which is NOT a good thing so we’ll need to make some changes.

We’ll add a group called spamd with GID 5001.

sudo groupadd -g 5001 spamd

Next we add a user spamd with UID 5001, add it to the spamd group, set its home directory to /var/lib/spamassassin and make sure it has no shell or SSH access.

sudo useradd -u 5001 -g spamd -s /usr/sbin/nologin -d /var/lib/spamassassin spamd

Now …

This guide is part 1 of what I plan will be a couple of guides that take you through installing a base mail system, SpamAssassin, DKIM and much more. Stay tuned.

This guide was written for Debian 6 but should be the same or similar for Debian 5 and Ubuntu 10.04 and above.

The installation

sudo apt-get install dovecot-imapd postfix sasl2-bin libsasl2-2 libsasl2-modules

Choose “Internet site” when prompted and enter the fully qualified name of your server.

Once all this is done installing we’ll need to make some changes, first off will be Postfix.

Postfix

Open up /etc/postfix/main.cf and add the following to the end of the file

home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,

Here we basically tell Postfix to store all email in maildir format in the user’s home directory. We …

Recently I had to install Oracle on a virtual machine but didn’t find out until after I’d spun up the machine that Oracle required at least 2GB of swap space; my machine did not have enough.

Thankfully it’s quite simple to increase swap space. Using VMware ESX, simply add a new drive to the machine as you normally would; I used 5GB.

Detecting the new SCSI drive and partitioning it

This bit is simple, I’m going to assume you’re logged in as root.

# as root: a redirection after sudo would still be performed by the unprivileged shell
echo "- - -" > /sys/class/scsi_host/host0/scan && fdisk -l

If host0 doesn’t work, try changing to host1, host2 etc.

Now we need to format the drive, for me it was /dev/sdb.

sudo cfdisk /dev/sdb

Create a new logical partition, set its type to 82 (Linux swap) and simply write the changes.

Adding swap

Next we simply add …

The title of this post is a bit stupid, but I honestly couldn’t think of any other way to write it…

When compiling nginx by hand, by default make install will push the binaries out to /usr/local/nginx and it doesn’t come with a start/stop script, understandably because it doesn’t know which OS it is going to be installed on etc etc.

Recently I was tasked with building nginx on an old Red Hat Enterprise Linux 4 server with no yum installation, no nginx package in up2date and no RPM whose link wasn’t dead.

I’ve always felt that, being a Debian user, people think of me as only being able to use apt-get and, if I’m feeling especially adventurous, dpkg to install applications. Some people know that I build .deb files in my spare time, but …

I’ll assume you already have Nagios installed and configured and have an understanding of actually configuring and using Nagios.

Remote server — the server to be monitored

First we’ll install the needed plugins and daemon on the remote server.

sudo apt-get install nagios-plugins nagios-nrpe-server

Once installed, open up /etc/nagios/nrpe_local.cfg

And place the following in it

allowed_hosts=NAGIOS.SERVER.IP,127.0.0.1

command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20 -c 10
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 20 -c 10

Save and exit.

Commands need to explicitly be enabled on the …

Today I finally got round to setting up my local user ssh config on my new work laptop and figured I’d do a quick write-up on it and its uses.

You can create a configuration file in your home directory that will override the options set in your machine-wide config.

Your configuration files

Your local config can be found/created in:

~/.ssh/config

And your machine-wide configuration is in:

/etc/ssh/ssh_config

Rather than editing my ssh config across my whole machine I’m doing it for my local user specifically.

Reading the man page for ssh_config will give you a full list of available options, below I will outline several that I use and find very useful.

Your host definitions

First things first, we need to define a host.

Host host.domain.com

Each host you add to your config will need to have a host …
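A complete per-user config of the kind being described, as an added example that is not from the original post: a function that writes a Host definition like the one above plus a hardened "Host *" default block, then locks the directory and file down (ssh refuses private keys that others can read, and a config that others can write lets them redirect your sessions through options such as ProxyCommand). The host alias, hostname, user and key path are invented for the example, the directory is a parameter so it can be tested outside $HOME, and ssh_config_value is a rough reading of what ssh -G would report for one keyword.

```shell
#!/bin/sh
# Added example: write and check a hardened ~/.ssh/config.
# write_ssh_config <dir>   (normally "$HOME/.ssh"; a parameter here for testing)
write_ssh_config() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # ssh_config only allows comments on their own lines, not after a value
    cat > "$dir/config" <<'EOF'
# Per-host definition: "ssh web" expands to the user, host and key below
Host web
    HostName host.domain.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/id_ed25519_web
    # offer only this key, not every key the agent holds
    IdentitiesOnly yes

# Defaults for every host. ssh uses the first value it finds for a keyword,
# so specific Host blocks must come before this one.
Host *
    StrictHostKeyChecking ask
    HashKnownHosts yes
    ForwardAgent no
    ServerAliveInterval 60
EOF
    chmod 600 "$dir/config"
}

# ssh_config_mode <dir>: the permission string ls prints for the config file
ssh_config_mode() {
    ls -ld "$1/config" | cut -c1-10
}

# ssh_config_value <dir> <host> <keyword>: first value of <keyword> inside
# the "Host <host>" block, or nothing if the block does not set it
ssh_config_value() {
    awk -v h="$2" -v k="$3" '
        /^Host / { inblock = ($2 == h) }
        inblock && $1 == k { print $2; exit }' "$1/config"
}
```

With a real OpenSSH (6.8 or later) "ssh -G web" prints the effective configuration for the alias, which is the quickest way to confirm which block a setting came from.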