Difference between revisions of "User:Paul/sandbox/OpenBSD Basic Server"
Revision as of 00:40, 23 February 2020
OpenBSD has earned its reputation as a BSD descendant focused on security. With the increased development of OpenBSD's httpd and OpenSMTPD, plus most of the components commonly used in a basic web server, OpenBSD provides a highly secure and efficient choice for building servers.
Finding online support for OpenBSD can be much more difficult when compared to Linux. While the OpenBSD project requires its man pages to be very complete, support beyond man pages such as tutorials or sample configurations can be much harder to find. This has largely been due to the project being targeted at use primarily by professional systems administrators.
This tutorial will establish a basic web server that includes a functioning mail server with local maildir accessed through mutt.
Notable differences from Ubuntu Linux
Shell
Ubuntu's default shell is Bash (bash), while OpenBSD uses the Korn shell (ksh).
ll (ls -alF)
Ubuntu has a convenient command, ll, for viewing directory contents that is a shortcut for ls -alF.
To add ll to the OpenBSD command line:
$ nano .profile
Add the following line:
alias ll="ls -alF"
Default editor
The default text editor in OpenBSD is vi. To change to a different default text editor:
$ nano .profile
Add the following line:
export EDITOR=/usr/local/bin/nano
Do the same for root:
$ doas nano /root/.kshrc
Add the following line:
export EDITOR=/usr/local/bin/nano
Note that this does not change the default editor used under doas, such as when calling the crontab command, because doas does not pass the caller's environment through unless doas.conf allows it (keepenv or setenv).
Web server
Most of the instructions in this article require root
:
$ doas su
OpenBSD comes with httpd, the project's own web server, installed by default though disabled. The httpd configuration is managed in its configuration file, /etc/httpd.conf, which has to be created:
# nano /etc/httpd.conf
Add to the file:
# Main Configuration
server "example.com" {
    listen on * port 80
    root "/htdocs/example.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}
Test the configuration:
# httpd -n
configuration OK
Start httpd.
# rcctl -f start httpd
httpd(ok)
Add a Let's Encrypt certificate to the server:
# cp /etc/examples/acme-client.conf /etc/acme-client.conf
# nano /etc/acme-client.conf
Change example.com to the desired domain and remove, change, or add subdomains on the alternative names line.
# acme-client -v example.com
After successful registration, create a cron job that attempts renewal hourly. acme-client exits 0 only when it actually renewed the certificate (2 when no renewal was needed), so the httpd reload after && runs just when a new certificate is in place:
# crontab -e
Add:
0 * * * * sleep $((RANDOM \% 2048)) && \
    acme-client example.com && rcctl reload httpd
Now add the SSL/TLS and redirect options to httpd.conf:
# nano /etc/httpd.conf
Add:
# This is a redirect to the Main Configuration
server "www.example.com" {
    listen on * port 80
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    block return 301 "http://example.com$REQUEST_URI"
}

server "example.com" {
    listen on * tls port 443
    root "/htdocs/example.com"
    tls {
        certificate "/etc/ssl/example.com.fullchain.pem"
        key "/etc/ssl/private/example.com.key"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
Test the configuration and reload httpd:
# httpd -n
Configuration OK
# rcctl reload httpd
httpd(ok)
Email
OpenBSD in its default configuration comes with opensmtpd in a very secure configuration that supports outgoing mail. This is primarily useful for transactional email, most especially administrative messages.
Administrative message recipients are configured in the aliases file and by default are delivered to the local root user's mailbox. To configure additional recipients:
# nano /etc/mail/aliases
Change and add:
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root
root: username@example.com, anotherusername@example.net
Mail server configuration
Create DKIM key and directory:
# mkdir /etc/mail/dkim
# openssl genrsa -out /etc/mail/dkim/example.com.key 1024
# chmod 640 /etc/mail/dkim/example.com.key
# openssl rsa -in /etc/mail/dkim/example.com.key -pubout -out /etc/mail/dkim/example.com.pub
# cat /etc/mail/dkim/example.com.pub
Install and configure antispam packages:
# pkg_add redis rspamd opensmtpd-filter-rspamd opensmtpd-filter-senderscore
Configure DKIM signing:
# chown root:_rspamd /etc/mail/dkim/example.com.key
# mkdir /etc/rspamd/local.d
# nano /etc/rspamd/local.d/dkim_signing.conf
allow_username_mismatch = true;

domain {
    example.com {
        path = "/etc/mail/dkim/example.com.key";
        selector = "20200221";
    }
}
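Publishing the key: the public key printed by cat above must also go into DNS as a TXT record at <selector>._domainkey.<domain> (here 20200221._domainkey.example.com), which the page does not spell out. The script below is an added example, not part of the original page: it turns the PEM file into that record and also splits the value into 255-character strings as TXT records require, which matters for keys longer than the 1024-bit one generated above.

```shell
#!/bin/sh
# Build the DKIM DNS TXT record from an RSA public key in PEM format.
# Usage: dkim_txt_record SELECTOR DOMAIN PUBKEY.pem

# dkim_txt_value SELECTOR DOMAIN PEMFILE: the record value "v=DKIM1; k=rsa; p=<base64>"
dkim_txt_value() {
    # Drop the -----BEGIN/END PUBLIC KEY----- armour and join the base64 lines.
    p=$(grep -v -- '-----' "$3" | tr -d '\n\r ')
    printf 'v=DKIM1; k=rsa; p=%s' "$p"
}

# dkim_txt_record SELECTOR DOMAIN PEMFILE: zone-file line with the value
# split into quoted strings of at most 255 characters (a TXT string limit).
dkim_txt_record() {
    value=$(dkim_txt_value "$1" "$2" "$3")
    rec="$1._domainkey.$2 IN TXT"
    while [ -n "$value" ]; do
        chunk=$(printf '%s' "$value" | cut -c1-255)
        rec="$rec \"$chunk\""
        value=$(printf '%s' "$value" | cut -c256-)
    done
    printf '%s\n' "$rec"
}

# e.g. sh dkim_txt.sh 20200221 example.com /etc/mail/dkim/example.com.pub
if [ $# -eq 3 ]; then
    dkim_txt_record "$@"
fi
```

Check the published record afterwards with dig TXT 20200221._domainkey.example.com (or rspamd's own DKIM check on a sent message).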
Enable and start redis and rspamd:
# rcctl enable redis
# rcctl enable rspamd
# rcctl start redis
redis(ok)
# rcctl start rspamd
rspamd(ok)
Update the OpenSMTPD configuration. The pki entries reuse the Let's Encrypt certificate obtained for httpd above, and the pki name given on the listen lines must match the one defined in the pki entries:
# mv /etc/mail/smtpd.conf /etc/mail/smtpd.conf.original
# nano /etc/mail/smtpd.conf
pki example.com cert "/etc/ssl/example.com.fullchain.pem"
pki example.com key "/etc/ssl/private/example.com.key"

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS is so 80s"

filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS is so 80s"

filter senderscore \
    proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"

filter rspamd proc-exec "filter-rspamd"

table aliases file:/etc/mail/aliases

listen on all tls pki example.com \
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on all port submission tls-require pki example.com auth filter rspamd

action "local_mail" maildir junk alias <aliases>
action "outbound" relay helo example.com

match from any for domain "example.com" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"
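The hourly cron job in the web server section reloads only httpd, but the mail server now serves the same Let's Encrypt certificate. The script below is an added example, not from the original page: it wraps acme-client(1) using its documented exit status (0 renewed, 2 unchanged, anything else failure) and, only on renewal, reloads httpd and restarts smtpd, which reads its pki files at startup. ACME_CMD, RELOAD_CMD and the install path in the comment are hypothetical hooks so the control flow can be exercised with stand-in commands.

```shell
#!/bin/sh
# Renew a Let's Encrypt certificate and refresh the services that use it,
# but only when acme-client actually replaced it.
# acme-client exit status: 0 = certificate renewed, 2 = no renewal needed,
# anything else = failure.
# Hypothetical hooks: override these to test without the real binaries.
ACME_CMD=${ACME_CMD:-acme-client}
RELOAD_CMD=${RELOAD_CMD:-reload_cert_users}

# httpd picks up a new certificate on reload; smtpd loads its pki files at
# startup, so it needs a restart.
reload_cert_users() {
    rcctl reload httpd && rcctl restart smtpd
}

# renew_cert DOMAIN: returns 0 when the certificate is current (renewed or
# unchanged) and 1 when acme-client failed.
renew_cert() {
    domain=$1
    if "$ACME_CMD" "$domain"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "renewed $domain, refreshing services"
           "$RELOAD_CMD" ;;
        2) echo "$domain unchanged, nothing to do" ;;
        *) echo "acme-client failed for $domain (exit $rc)" >&2
           return 1 ;;
    esac
}

# From cron, keeping the random delay of the page's job (hypothetical path):
# 0 * * * * sleep $((RANDOM \% 2048)) && /usr/local/sbin/renew-cert.sh example.com
if [ $# -eq 1 ]; then
    renew_cert "$1"
fi
```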